Subject: Re: [gentoo-user] Linux USB security holes.
To: gentoo-user@lists.gentoo.org
From: Alan McKinnon
Date: Wed, 8 Nov 2017 23:02:03 +0200

On 08/11/2017 07:08, Dale wrote:
> Howdy,
>
> I ran up on this link. Is there any truth to it and should any of us
> Gentooers be worried about it?
>
> http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/
>
> Isn't Linux supposed to be more secure than this??

I would say the real problem is USB itself. What is USB after all? It's a way of sticking any old random thing into a socket and getting the computer to magically do stuff. So if the system software then goes ahead and does stuff, it's only really operating as designed and as spec'ed right?

Yes, those 40 holes are probably all true and quite possibly all exploitable, and they should also be fixed. But the real problem is that USB even exists at all.

btw, when you say "Isn't Linux supposed to be more secure than this??" the answer is a resounding NO

The Linux=safe, Windows=notsafe delusion comes from the 90s when Windows had no real security features at all, or even any realistic ways to limit and control access. Linux had a Unix-style userland and kernel, so you automatically got multi-user/multi-process with per-user permissions. That alone, by itself, is probably the largest single security advance in all of computing history. Everything else is icing.

There is nothing in Unix really that is "secure by design", and all von Neumann machines are actually insecure by design

--
Alan McKinnon
alan.mckinnon@gmail.com