On Mon, Aug 11, 2014 at 1:31 AM, Shane Ginnane <[email protected]> wrote: > On Sun, 10 Aug 2014 23:24:45 -0500, Mike Schwab <[email protected]> > wrote: > >>You have to have firmware to run the USB. And in their example they >>were able to create a malicious firmware that nothing checks for. > > It's worse than that - they masquerade as something *else* that *IS* known > about, and gets accepted. > USB masquerading has been known for a while - but I like their phone trick. > Shows imagination. > > And formatting the device is not going to get rid of it - outside of hardened > systems, this is not likely to be stopped. Although you could have your own > udev rules in Linux - nobody does that, they just use what Ubuntu sets up; > which is basically create a new device node for anything that's plugged in. > Whatever it happens to be pretending to be. > I can't imagine mickeymouse ware doing any different. > > Seems businesses are slowly realising they can't allow anyone to plug USB in > - but with BYOD now taking off, how's that going to be regulated ?.
I know it won't happen, but the "desktop" people could basically just "snip the wires" to the USB ports. Assuming that BYOD is forbidden at the installation. Of course, this means work for the desktop people. And that the PC likely can't be sold because it is damaged. It might be possible for MS to "enhance" Windows to have a registry entry to disallow USB to autoconnect a device. Perhaps this could be set to "YES", "NO" or "ASK". The Linux people could do something similar. I would bet the Linux people are more likely to do it and do it better. But I'm an known bigot on that. > > Shane ... -- There is nothing more pleasant than traveling and meeting new people! Genghis Khan Maranatha! <>< John McKown ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
