From: Martin DiViaio
Date: Wed, 8 Nov 2017 15:23:48 +0000 (UTC)
Message-ID: <984040145.374855.1510154628117@mail.yahoo.com>
References: <65c1af14-a224-4c9f-1ca8-eca4ccc71d0f@gmail.com> <3cd9d629-8be8-4b5d-b702-912f26a06bd5@gmail.com>
Subject: Re: [gentoo-user] Linux USB security holes.
List-Id: Gentoo Linux mail
Reply-to: gentoo-user@lists.gentoo.org

There's an old saying: The only secure computer is one that is locked in a room, unplugged. Then again, that computer is only as secure as the lock on the door.

On Wednesday, November 8, 2017, 1:48:43 AM EST, R0b0t1 wrote:

On Wed, Nov 8, 2017 at 12:10 AM, R0b0t1 wrote:
> On Wed, Nov 8, 2017 at 12:02 AM, Dale wrote:
>> Dale wrote:
>>> Howdy,
>>>
>>> I ran up on this link.  Is there any truth to it and should any of us
>>> Gentooers be worried about it?
>>>
>>> http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/
>>>
>>> Isn't Linux supposed to be more secure than this??
>>>
>>> Dale
>>>
>>> :-)  :-)
>>>
>>
>>
>> To reply to all that posted so far.  I did see that it requires physical
>> access, like a lot of other things.  Once a person has physical access,
>> there are a number of things that can go wrong.
>>
>> It does seem to be one of those things that while possible, has anyone
>> been able to do it in the real world and even without physical access?
>> Odds are, no.
>>
>
> The most widely publicized example is STUXNET. There are also reports
> that malicious USB keys with driver-level exploits are sometimes used
> for industrial espionage.
>
> The key point being that in either case, someone is spending a lot of
> money to research and set up a plausible attack.
>
>> Still, all things considered, Linux is pretty secure.  BSD is more
>> secure from what I've read but Linux is better than windoze.
>>
>> Dale
>>
>> :-)  :-)
>>

I suppose I should add that once the basic work has been done for an
exploit like this it will have great reproducibility. But at that
level you are (usually) talking about very well funded actors, and one
should also be worried about controller-level exploits that would be
much harder to discover from an operating system.

If you can't surround your computer with trustworthy armed guards,
assume you suffer from a serious vulnerability based on the
preliminary work the article is talking about.

Rainbows and Sunshine,
    R0b0t1