From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [gentoo-user] Linux USB security holes.
To: gentoo-user@lists.gentoo.org
References: <65c1af14-a224-4c9f-1ca8-eca4ccc71d0f@gmail.com> <3cd9d629-8be8-4b5d-b702-912f26a06bd5@gmail.com>
From: Dale
Message-ID: <1836dfed-0545-cdda-e9af-d12f143a6559@gmail.com>
Date: Wed, 8 Nov 2017 01:24:25 -0600
List-Id: Gentoo Linux mail
Reply-to: gentoo-user@lists.gentoo.org

R0b0t1 wrote:
> On Wed, Nov 8, 2017 at 12:10 AM, R0b0t1 wrote:
>> On Wed, Nov 8, 2017 at 12:02 AM, Dale wrote:
>>> Dale wrote:
>>>> Howdy,
>>>>
>>>> I ran up on this link. Is there any truth to it and should any of us
>>>> Gentooers be worried about it?
>>>>
>>>> http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/
>>>>
>>>> Isn't Linux supposed to be more secure than this??
>>>>
>>>> Dale
>>>>
>>>> :-) :-)
>>>>
>>>
>>> To reply to all that posted so far. I did see that it requires physical
>>> access, like a lot of other things. Once a person has physical access,
>>> there are a number of things that can go wrong.
>>>
>>> It does seem to be one of those things that while possible, has anyone
>>> been able to do it in the real world and even without physical access?
>>> Odds are, no.
>>>
>> The most widely publicized example is STUXNET. There are also reports
>> that malicious USB keys with driver-level exploits are sometimes used
>> for industrial espionage.
>>
>> The key point being that in either case, someone is spending a lot of
>> money to research and set up a plausible attack.
>>
>>> Still, all things considered, Linux is pretty secure. BSD is more
>>> secure from what I've read but Linux is better than windoze.
>>>
>>> Dale
>>>
>>> :-) :-)
>>>
> I suppose I should add that once the basic work has been done for an
> exploit like this it will have great reproducibility. But at that
> level you are (usually) talking about very well funded actors, and one
> should also be worried about controller-level exploits that would be
> much harder to discover from an operating system.
>
> If you can't surround your computer with trustworthy armed guards,
> assume you suffer from a serious vulnerability based on the
> preliminary work the article is talking about.
>
> Rainbows and Sunshine,
> R0b0t1
>
>

I've considered encrypting my stuff. I'm talking locked down from power
up all the way through. Those who have been on this list a while and
know me, they know that would be a disaster. If anything could go wrong
with it, it would. While I try to be secure, I'm not going nuts over
it. I do lock my screen if I leave and sometimes even logout but I
don't put hand grenades and other booby traps around it. Heck, if I
did, I'd likely trip up and hurt myself. Ooops!!

I guess I'll just keep my top secret stuff in my head. ;-)

Dale

:-) :-)