Re: Meet PoisonTap, the $5 tool that ransacks password-protected computers
"George N. White III" writes:

> I assume the OP's intent was for the system to ignore devices newly
> connected when the screen is locked, so existing devices such as the
> keyboard used to unlock the screen remain available for use. Apple
> systems do something like this. If you connect a USB storage device
> to a macOS box while the screen is locked, nothing happens. After the
> screen is unlocked, the device must be unplugged and plugged in again
> before it can be used. You can, however, connect a USB mouse or
> keyboard to a macOS system that is locked and use the new USB device
> to unlock the system.

Delaying the discovery seems superior in another way too. Whitelisting certain classes of devices has another security problem. If USB keyboards are whitelisted (as they probably will need to be if the person uses a dock for their laptop) then someone could connect a small computer that imitates a keyboard. That phony USB keyboard can hammer the victim computer with rapid-fire password guesses. It makes breaking the lockscreen a lot less painful than the alternative of typing a large number of password guesses.

-wolfgang

___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Re: Meet PoisonTap, the $5 tool that ransacks password-protected computers
On Tue, Nov 22, 2016 at 12:08 PM, Kevin Fenzi wrote:

> On Tue, 22 Nov 2016 13:00:19 +0100
> Jeandet Alexis wrote:
>
> > On Tuesday 22 November 2016 at 10:43 +, jharb...@comcast.net
> > wrote:
> > > I have opened a bug, 1396837, in the Red Hat Bugzilla.
> > > My suggestion is for all USB ports to not enumerate any devices
> > > plugged in while the screen is locked, even if it is password
> > > protected. I feel that the integrity of Linux has to be defended
> > > against this hybrid attack.
> > What about Yubikey and equivalents?
>
> You might want to take a look at the 'usbguard' package.
>
> I don't think everyone is likely to be happy to disable USB when
> screens are locked, as there's a number of cases of things people might
> want to keep going in that case.
>

I assume the OP's intent was for the system to ignore devices newly connected when the screen is locked, so existing devices such as the keyboard used to unlock the screen remain available for use. Apple systems do something like this. If you connect a USB storage device to a macOS box while the screen is locked, nothing happens. After the screen is unlocked, the device must be unplugged and plugged in again before it can be used. You can, however, connect a USB mouse or keyboard to a macOS system that is locked and use the new USB device to unlock the system.

There is value to an approach that everyone can use with minimal effort/disruption even if it is only partly effective.

> However, if you use usbguard you can just allow those specific devices
> you want to have access.
>

Usbguard also supports policies of the form "only one keyboard can be connected to a system" and "storage devices can't also claim to be keyboards".

--
George N. White III
Head of St. Margarets Bay, Nova Scotia
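As an added illustration that is not part of this thread, the following usbguard rules file (assumed to live at /etc/usbguard/rules.conf) expresses the three policies mentioned in the two messages above: Kevin's "allow those specific devices", George's "only one keyboard" and "storage must not also claim to be a keyboard". The vendor:product id and serial in the first rule are constructed placeholders; the rule syntax is that of usbguard-rules(5).

```text
# Rules are evaluated top to bottom; the first matching rule decides.

# 1. Explicitly allow one known device (e.g. a hardware token) by id and serial.
#    1234:abcd and the serial are constructed placeholders; take the real
#    values from the output of "usbguard list-devices".
allow id 1234:abcd serial "PLACEHOLDER-SERIAL" name "my hardware token"

# 2. Reject any device that offers a mass-storage interface (class 08)
#    together with a HID interface (class 03), i.e. a drive that also
#    claims to be a keyboard. These must come before the keyboard rule,
#    because such a device would otherwise match it.
reject with-interface all-of { 08:*:* 03:00:* }
reject with-interface all-of { 08:*:* 03:01:* }

# 3. Allow a keyboard-class HID device (03:00:01 boot keyboard,
#    03:01:01 keyboard) only if no keyboard is currently allowed, so a
#    second "keyboard" plugged in next to the real one is not accepted.
allow with-interface one-of { 03:00:01 03:01:01 } if !allowed-matches(with-interface one-of { 03:00:01 03:01:01 })

# Everything that matches nothing above, including plain mass storage,
# falls through to ImplicitPolicyTarget in usbguard-daemon.conf.
```

With ImplicitPolicyTarget=block (the usbguard default), an unlisted storage device plugged in while the machine is unattended is simply not enumerated, which is the outcome the OP asked for, while a listed token and the first keyboard keep working.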
Re: Meet PoisonTap, the $5 tool that ransacks password-protected computers
On Tue, 22 Nov 2016 13:00:19 +0100
Jeandet Alexis wrote:

> On Tuesday 22 November 2016 at 10:43 +, jharb...@comcast.net
> wrote:
> > I have opened a bug, 1396837, in the Red Hat Bugzilla.
> > My suggestion is for all USB ports to not enumerate any devices
> > plugged in while the screen is locked, even if it is password
> > protected. I feel that the integrity of Linux has to be defended
> > against this hybrid attack.
> What about Yubikey and equivalents?

You might want to take a look at the 'usbguard' package.

I don't think everyone is likely to be happy to disable USB when screens are locked, as there's a number of cases of things people might want to keep going in that case.

However, if you use usbguard you can just allow those specific devices you want to have access.

kevin
Re: Meet PoisonTap, the $5 tool that ransacks password-protected computers
On Tuesday 22 November 2016 at 10:43 +, jharb...@comcast.net wrote:
> I have opened a bug, 1396837, in the Red Hat Bugzilla.
> My suggestion is for all USB ports to not enumerate any devices
> plugged in while the screen is locked, even if it is password
> protected. I feel that the integrity of Linux has to be defended
> against this hybrid attack.

What about Yubikey and equivalents?
Re: Meet PoisonTap, the $5 tool that ransacks password-protected computers
I have opened a bug, 1396837, in the Red Hat Bugzilla.

My suggestion is for all USB ports to not enumerate any devices plugged in while the screen is locked, even if it is password protected. I feel that the integrity of Linux has to be defended against this hybrid attack.
Meet PoisonTap, the $5 tool that ransacks password-protected computers
http://arstechnica.com/security/2016/11/meet-poisontap-the-5-tool-that-ransacks-password-protected-computers/

Wonder if Fedora/Linux is vulnerable?