On Wed, Nov 8, 2017 at 12:10 AM, R0b0t1 <r03...@gmail.com> wrote: > On Wed, Nov 8, 2017 at 12:02 AM, Dale <rdalek1...@gmail.com> wrote: >> Dale wrote: >>> Howdy, >>> >>> I ran up on this link. Is there any truth to it and should any of us >>> Gentooers be worried about it? >>> >>> http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/ >>> >>> Isn't Linux supposed to be more secure than this?? >>> >>> Dale >>> >>> :-) :-) >>> >> >> >> To reply to all that posted so far. I did see that it requires physical >> access, like a lot of other things. Once a person has physical access, >> there are a number of things that can go wrong. >> >> It does seem to be one of those things that while possible, has anyone >> been able to do it in the real world and even without physical access? >> Odds are, no. >> > > The most widely publicized example is STUXNET. There are also reports > that malicious USB keys with driver-level exploits are sometimes used > for industrial espionage. > > The key point being that in either case, someone is spending a lot of > money to research and set up a plausible attack. > >> Still, all things considered, Linux is pretty secure. BSD is more >> secure from what I've read but Linux is better than windoze. >> >> Dale >> >> :-) :-) >>
I suppose I should add that once the basic work has been done for an exploit like this it will have great reproducibility. But at that level you are (usually) talking about very well funded actors, and one should also be worried about controller-level exploits that would be much harder to discover from an operating system. If you can't surround your computer with trustworthy armed guards, assume you suffer from a serious vulnerability based on the preliminary work the article is talking about. Rainbows and Sunshine, R0b0t1