Quoting David Brownell <[EMAIL PROTECTED]>:

> > > Well for starters, the notion that those two characteristics are enough
> > > to address the problem.  Consider that I might have two USB disk drives
> > > (or cameras) of the same make/model, and they might get connected in any
> > > order.  
> > 
> > If the two devices have same VendorId:ProductID it should not matter.
> > They will get their sequence numbers in the order they were plugged-in.
> 
> But as I said, that's not enough.  It makes a huge difference which
> device is which.

An external USB HDD (as an example) is like a floppy. If you permit the
user to access the floppy drive then you have no control over what
floppies he inserts. Since the contents of the floppy are not under your
control (as well as serial numbers of the USB HDDs - they can be
forged) then essentially there is no security, and no access rights can be
based on the insecure authentication.

So the problem here is that access rights cannot be controlled by anything
that the user plugs in, short of PKI in both device and the host. [This might
be even a usable proposal!]

The software that sets access rights based on some user-provided hints may
be considered a convenience tool only, not a security enforcement tool. If
so, it does not make much of a difference if any local user can access any
locally connected USB device. That user already has full control over the
hardware.

Dmitri

-- 
"...very few phenomena can pull someone out of Deep Hack Mode, with two
noted exceptions: being struck by lightning, or worse, your *computer*
being struck by lightning."
  (By Matt Welsh)
