On Sat, May 16, 2026 at 10:32:20PM -0500, David Wright wrote:
> On Fri 15 May 2026 at 21:52:36 (+0200), [email protected] wrote:

[...]

> > https://en.wikipedia.org/wiki/BadUSB
> >
> > Who needs automount?
>
> OK, I see now that you're extending the discussion from charging ports
> to inserting random USB sticks into your computer when you don't know
> their provenance. I guess the techies that are likely to encounter
> these devices are employed way above my paygrade. I'd be flattered
> to be targeted by the people who make these devices.
> (Likewise if I was sent a white powder in the mail—I don't have
> the means to distinguish flour from anthrax.)

Not necessarily, see below.

> I don't work for a company where they block your USB ports or harden
> their machines to that extent. Whether hardened versions of Debian
> can determine if an attached keyboard is genuine before accepting its
> keystrokes, IDK.

USB devices identify themselves with a couple of numbers: the device
class, the vendor ID and the product ID [1], as defined by the vendor.

The device can do whatever it wants, it's just firmware pushing bits,
so no -- it can tell your computer whatever it wants.

The operating system then uses these IDs to decide what to do (e.g.
load a kernel driver, whatnot). Udev is the one responsible for that
in our countries.

But Stefan's approach went another way: ask the user (they are, after
all, those sticking the thing into the port). If you stick your device
to a charger and it asks you "is connecting to this keyboard OK?", it's
on you to say "HELL, NO!" :-)

Having that as an option makes sense.

Cheers

[1] http://www.linux-usb.org/usb-ids.html

-- 
t
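An added example, not part of the message above: a small Python audit that lists what each attached USB device reports about itself through the Linux sysfs attributes `idVendor`, `idProduct`, `bInterfaceClass`, `bInterfaceProtocol` and `authorized`, and marks any device declaring a HID keyboard interface. The sample tree and its IDs (1234:abcd) are constructed, and the function names are hypothetical.

```python
import tempfile
from pathlib import Path

HID, KEYBOARD = "03", "01"   # USB interface class HID, boot protocol keyboard

# Constructed sample tree: a "storage stick" (made-up IDs 1234:abcd) that
# also declares a keyboard interface, as a BadUSB-style device would.
SAMPLE = {
    "1-1/idVendor": "1234", "1-1/idProduct": "abcd", "1-1/authorized": "1",
    "1-1/1-1:1.0/bInterfaceClass": "08", "1-1/1-1:1.0/bInterfaceProtocol": "50",
    "1-1/1-1:1.1/bInterfaceClass": "03", "1-1/1-1:1.1/bInterfaceProtocol": "01",
}


def write_sample(root):
    """Create the constructed sysfs-like tree under root."""
    for rel, value in SAMPLE.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(value + "\n")


def _read(path):
    """Return a stripped attribute value, or None if the file is absent."""
    try:
        return path.read_text().strip().lower()
    except OSError:
        return None


def claimed_identities(root="/sys/bus/usb/devices"):
    """Return what each device under root reports about itself."""
    found = []
    for dev in sorted(Path(root).iterdir()):
        vendor = _read(dev / "idVendor")
        if vendor is None:      # interface entries carry no idVendor
            continue
        intfs = [(_read(i / "bInterfaceClass"), _read(i / "bInterfaceProtocol"))
                 for i in sorted(dev.glob("*:*"))]
        found.append({"name": dev.name, "id": f"{vendor}:{_read(dev / 'idProduct')}",
                      "authorized": _read(dev / "authorized"),
                      "interfaces": intfs,
                      "claims_keyboard": (HID, KEYBOARD) in intfs})
    return found


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_sample(tmp)
        for d in claimed_identities(tmp):
            print(d)
```

Called with no argument on a Linux host, `claimed_identities()` reads the live `/sys/bus/usb/devices` tree instead of the constructed one.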

