On Sun, 2005-01-23 at 05:43, Greg KH wrote:
> But as you already have physical access to the machine, it's quite easy
> to compromise it in other ways, so "hostile" USB devices aren't really a
> pressing issue.

This is becoming the most worn out security myth on the planet.

Physical access in many environments is very different to the ability to
do harm. In many office environments you can't take the PC apart without
people noticing while nobody would consider a USB key hostile.

The university threat model is also based on my experience on physical
access being non-compromising because the systems are locked shut and
fastened to alarm cables. They have BIOS passwords and forced boot
orders.

Hostile USB devices are a threat, the rest is just sloppy Windows world
excuses. That said everyone (not just Greg) needs to be looking for USB
driver code that does trust the messages from the driver and *fixing*
it.

The big danger is probably not so much DoS cases which are a nuisance
certainly but stuff that trusts device provided information for things
like buffer sizes or "knows" devices won't provide too much data.

Any kiddie with a cheap USB dev kit can knock out an attack tool
nowadays.

Alan
(Be glad you don't have firewire... 8))
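
An added example, not part of the original message or of any kernel driver, showing the kind of check the message asks for: a walker over a device-supplied configuration blob that validates every length the device claims. It relies on the standard USB descriptor layout (bLength, bDescriptorType, and wTotalLength in the configuration descriptor); the function name and the sample blobs are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample: config (9) + interface (9) + endpoint (7) = 25 bytes. */
const uint8_t sample_good[25] = {
    9, 2, 25, 0, 1, 1, 0, 0x80, 50,  9, 4, 0, 0, 1, 0xff, 0, 0, 0,
    7, 5, 0x81, 2, 64, 0, 0 };
/* Constructed malformed variants: interface bLength = 0 ... */
const uint8_t sample_zero_len[25] = {
    9, 2, 25, 0, 1, 1, 0, 0x80, 50,  0, 4, 0, 0, 1, 0xff, 0, 0, 0,
    7, 5, 0x81, 2, 64, 0, 0 };
/* ... wTotalLength = 256 although only 25 bytes arrived ... */
const uint8_t sample_big_total[25] = {
    9, 2, 0, 1, 1, 1, 0, 0x80, 50,   9, 4, 0, 0, 1, 0xff, 0, 0, 0,
    7, 5, 0x81, 2, 64, 0, 0 };
/* ... and an endpoint descriptor claiming 64 bytes with 7 left. */
const uint8_t sample_long_ep[25] = {
    9, 2, 25, 0, 1, 1, 0, 0x80, 50,  9, 4, 0, 0, 1, 0xff, 0, 0, 0,
    64, 5, 0x81, 2, 64, 0, 0 };

/* Count descriptors of one type. Returns the count, or -1 if malformed.
 * 'received' is the byte count the host actually got from the transfer,
 * never a value taken from the device. */
int count_descriptors(const uint8_t *buf, size_t received, uint8_t type)
{
    size_t total, off = 0;
    int n = 0;

    if (received < 4)
        return -1;                  /* too short to hold wTotalLength */
    total = (size_t)buf[2] | ((size_t)buf[3] << 8);  /* device-claimed */
    if (total > received)
        return -1;                  /* claims more data than was sent */
    while (off < total) {
        size_t left = total - off;

        if (left < 2)
            return -1;              /* no room for bLength + type */
        if (buf[off] < 2)
            return -1;              /* bLength 0 would loop forever */
        if (buf[off] > left)
            return -1;              /* would read past the data */
        if (buf[off + 1] == type)
            n++;
        off += buf[off];
    }
    return n;
}
```
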

linux-usb-devel@lists.sourceforge.net