From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-user+bounces-180711-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id 4C1661396D9
	for <garchives@archives.gentoo.org>; Wed,  8 Nov 2017 06:10:52 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 2D675E0ED2;
	Wed,  8 Nov 2017 06:10:46 +0000 (UTC)
Received: from mail-yw0-x241.google.com (mail-yw0-x241.google.com [IPv6:2607:f8b0:4002:c05::241])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id C7CD3E0EC6
	for <gentoo-user@lists.gentoo.org>; Wed,  8 Nov 2017 06:10:45 +0000 (UTC)
Received: by mail-yw0-x241.google.com with SMTP id w2so1411811ywa.9
        for <gentoo-user@lists.gentoo.org>; Tue, 07 Nov 2017 22:10:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to;
        bh=cwb69Ownh+M6xncDcum+0GwgD+dk7ZV//SjzgasHPk8=;
        b=DA1Nub+KoQF+Dp4jbpwnFbqqgIIkA4nVz3w5oa+ejdhPy+/xLoo9Cv6LbwEODahhrx
         dbDHmnc5liJHStMNRUMXHOaLjmi9uZgJWLzbtQHeR+JqR++8ayDhWzHZRDJdLk51SDvj
         1H6D8BpgBQK77vDmCKncQPlyJjFZOgnObkSIJv1biWL0o0+xNb7CRknjTLiMkwPVf5Fy
         wEJryIJLeN9oGqVfpvNt0hJeypG4Th4YpqRYlKFd6A7/yZdz9wpAhpxzpmf5LJf9+0Iz
         B8VFtBtsx5yg8Z8bBhVs9Ikk06GRr+gtLE/3FuyLT6klOOpLi/aXhVA6FHUg2wwa9r4O
         7kxw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to;
        bh=cwb69Ownh+M6xncDcum+0GwgD+dk7ZV//SjzgasHPk8=;
        b=Fhi5SsuYek0Lk0qr3bhOKTTOFlsZO1Uom7Fb00Xh21Ia5PvKOcGqjmx3Dh8FDXLCI3
         JkX5TH5bAjQ955dRJetD/mtaPeOpHNdf4bfc4MFlYrQdmKUlyZLrQHv28fVQIdHbxHT9
         y0bplSDKfqyqbaDw3A+ah+Z8J00bFwinbB6sJpl7tCRjPsg0ZjiV+fSv7RvzUk/4vdPO
         KZpXaO4MPou/2L9Lzmfe+UoHvN/60+pEw2C3tDXNzFiO1srKbYFH2JnBvjD3NsNI98CO
         KGrlxVcJF8i0kRXX8RGOdc6U5adtVAhlwgkYgQTPGy6IPH78U6kCsHNQ6YTn45Kbu860
         iY3w==
X-Gm-Message-State: AJaThX5FGs6niHszVG/8vjS2XYoMijUmbYyIfJGpkI2TTKHj6Q+YglX6
	LaXlJ4ib2Om6SG8UAYKo0v2Wbapnhulhf+pU2/o=
X-Google-Smtp-Source: ABhQp+SrKoT5g69WbdIGbU84gHbuCqEwfyXR5nndtWxGCD7h9uQGdv3s77kMPWffHyDRwPbKnpWOZmu8IdnGgfIZ5p4=
X-Received: by 10.129.52.194 with SMTP id b185mr770296ywa.265.1510121444583;
 Tue, 07 Nov 2017 22:10:44 -0800 (PST)
Precedence: bulk
List-Post: <mailto:gentoo-user@lists.gentoo.org>
List-Help: <mailto:gentoo-user+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-user+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-user+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-user.gentoo.org>
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
Received: by 10.129.153.84 with HTTP; Tue, 7 Nov 2017 22:10:44 -0800 (PST)
In-Reply-To: <3cd9d629-8be8-4b5d-b702-912f26a06bd5@gmail.com>
References: <65c1af14-a224-4c9f-1ca8-eca4ccc71d0f@gmail.com> <3cd9d629-8be8-4b5d-b702-912f26a06bd5@gmail.com>
From: R0b0t1 <r030t1@gmail.com>
Date: Wed, 8 Nov 2017 00:10:44 -0600
Message-ID: <CAAD4mYjDGCUHn-ot65oqAtmmhZfhwZCfdsuZ8sZmZu3=9JrgjA@mail.gmail.com>
Subject: Re: [gentoo-user] Linux USB security holes.
To: gentoo-user@lists.gentoo.org
Content-Type: text/plain; charset="UTF-8"
X-Archives-Salt: 2f989299-0c3c-4f22-b6ec-e5cff66d6eaa
X-Archives-Hash: 13764f82db3cb9fb89b57910fa6ca62e

On Wed, Nov 8, 2017 at 12:02 AM, Dale <rdalek1967@gmail.com> wrote:
> Dale wrote:
>> Howdy,
>>
>> I ran up on this link.  Is there any truth to it and should any of us
>> Gentooers be worried about it?
>>
>> http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/
>>
>> Isn't Linux supposed to be more secure than this??
>>
>> Dale
>>
>> :-)  :-)
>>
>
>
> To reply to all that posted so far.  I did see that it requires physical
> access, like a lot of other things.  Once a person has physical access,
> there are a number of things that can go wrong.
>
> It does seem to be one of those things that while possible, has anyone
> been able to do it in the real world and even without physical access?
> Odds are, no.
>

The most widely publicized example is STUXNET. There are also reports
that malicious USB keys with driver-level exploits are sometimes used
for industrial espionage.

The key point being that in either case, someone is spending a lot of
money to research and set up a plausible attack.

> Still, all things considered, Linux is pretty secure.  BSD is more
> secure from what I've read but Linux is better than windoze.
>
> Dale
>
> :-)  :-)
>