A computer components & hardware forum. HardwareBanter


BadUSB security flaw (massive undetectable USB reprogramming vulnerability)



 
 
  #51  
Old August 3rd 14, 08:16 AM posted to alt.os.linux,alt.windows7.general,alt.comp.hardware
William Unruh

On 2014-08-02, John Hasler wrote:
William Unruh writes:
But since the OS has no way of knowing this is a bugged device, why
would it refuse, e.g., to connect a keyboard?


I have often disconnected one keyboard and connected another because of
problems for example, or because my laptop's keyboard is useless and I
wanted to type on something useable.

And if both are already plugged in at boot, which one should it choose?


Because it already connected to one keyboard when it booted.

  #52  
Old August 3rd 14, 08:27 AM posted to alt.os.linux,alt.windows7.general,alt.comp.hardware
William Unruh

On 2014-08-02, J. P. Gilliver (John) wrote:
In message , bob mullen

"This flaw, dubbed BadUSB by Security Research Labs in Berlin, leverages


(I always rate less anything written by anyone who uses the word
"dubbed" [other than when describing a knighting!], but let's assume
that's just the journalist.)


Why? It is just an old form of "named". Why not have various words with
shades of difference? (The use of dubbed carries the hint of the old
kingly renaming someone when making them a knight, i.e. a name given to
something in a formal ceremony with a distinctly old-fashioned air to
it. It is a way of taking the mikey out of whoever is doing the
naming.)

  #53  
Old August 3rd 14, 08:38 AM posted to alt.os.linux,alt.windows7.general,alt.comp.hardware
Richard Kettlewell

"J. P. Gilliver (John)" writes:
writes:
"This flaw, dubbed BadUSB by Security Research Labs in Berlin, leverages


(I always rate less anything written by anyone who uses the word
"dubbed" [other than when describing a knighting!], but let's assume
that's just the journalist.)


Better avoid Shakespeare then...

--
http://www.greenend.org.uk/rjk/
  #54  
Old August 3rd 14, 12:37 PM posted to alt.os.linux,alt.windows7.general,alt.comp.hardware
J. P. Gilliver (John)

In message , Gene E. Bloch
writes:
On Sat, 02 Aug 2014 17:10:03 -0500, John Hasler wrote:

Gene E. Bloch writes:
For debugging (and other) reasons I've connected more than one
keyboard to a computer with no ill effects and with no problems using
either keyboard.


I just meant that the OS should ask permission before connecting to a
second keyboard.


OK. I got it :-)

And I agree.

But it's only valid if the asking of permission prompts for a random
character, otherwise the badware (!) could just send whatever's
expected.
--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

"Usenet is a way of being annoyed by people you otherwise never would have
met."
- John J. Kinyon
  #55  
Old August 3rd 14, 12:39 PM posted to alt.os.linux,alt.windows7.general,alt.comp.hardware
J. P. Gilliver (John)

In message , Gene E. Bloch
writes:
On Sat, 2 Aug 2014 09:16:31 +0100, J. P. Gilliver (John) wrote:

"This flaw, dubbed BadUSB by Security Research Labs in Berlin, leverages


(I always rate less anything written by anyone who uses the word
"dubbed" [other than when describing a knighting!], but let's assume
that's just the journalist.)


Copied from http://dictionary.reference.com/

dub
1 [duhb] Show IPA
verb (used with object), dubbed, dub·bing.


(Not sure what that bit was about. Presumably there's some significance
to the "1" not having a "." after it as below.)

1. to invest with any name, character, dignity, or title; style; name;
call: He was dubbed a hero.


Have you ever heard anyone, other than in print or giving a speech or
something, actually use the word in that way?

2. to strike lightly with a sword in the ceremony of conferring
knighthood; make, or designate as, a knight: The king dubbed him a
knight.

[...]

--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

"Usenet is a way of being annoyed by people you otherwise never would have
met."
- John J. Kinyon
  #56  
Old August 3rd 14, 12:40 PM posted to alt.os.linux,alt.windows7.general,alt.comp.hardware
J. P. Gilliver (John)

In message
wwvlhr681kn.fsf@l1AntVDjLrnP7Td3DQJ8ynzIq3lJMueXf 87AxnpFoA.invalid,
Richard Kettlewell writes:
"J. P. Gilliver (John)" writes:
writes:
"This flaw, dubbed BadUSB by Security Research Labs in Berlin, leverages


(I always rate less anything written by anyone who uses the word
"dubbed" [other than when describing a knighting!], but let's assume
that's just the journalist.)


Better avoid Shakespeare then...

I do try to, wherever I can; his Mafia held sway for sufficiently long
in the English Literature world that it's quite difficult to do so,
though.
--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

"Usenet is a way of being annoyed by people you otherwise never would have
met."
- John J. Kinyon
  #57  
Old August 3rd 14, 01:39 PM posted to alt.os.linux,alt.windows7.general,alt.comp.hardware
David W. Hodgins

On Sat, 02 Aug 2014 17:28:13 -0400, Paul wrote:

David W. Hodgins wrote:
On Sat, 02 Aug 2014 11:36:50 -0400, John Hasler
wrote:

David W. Hodgins writes:
A usb controller is a pci device, so has dma access.


A controller does. A device plugged into it does not, any more than
does a device at the other end of an ethernet cable.

According to Bruce Schneier, a well known security expert, they can
https://www.schneier.com/blog/archiv...g_compute.html


That is Autoruns, and not DMA.


Read it again ...

and the ability of peripherals to use something called direct memory access (DMA). ...
is the result of a design flaw that's likely to be with us for many years to come

If a usb device could not access dma, then usb external hard drives would
be painfully slow, since they would be stuck in pio mode.

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
  #58  
Old August 3rd 14, 01:48 PM posted to alt.os.linux,alt.windows7.general,alt.comp.hardware
John Hasler

William Unruh writes:
I have often disconnected one keyboard and connected another because
of problems for example, or because my laptop's keyboard is useless
and I wanted to type on something useable.


You should have to reboot, though I suppose it might be ok if the OS
just detected that you went from one keyboard to none and back to one
and therefore just replaced the keyboard. It should still require you to
log in again.

And if both are already plugged in at boot, which one should it choose?


Neither. The OS should print a message telling you to disconnect the
extra keyboard and reboot.

At the least the OS should not accept any commands from a new or second
keyboard until a user has logged in via that keyboard.
--
John Hasler

Dancing Horse Hill
Elmwood, WI USA
  #59  
Old August 3rd 14, 01:51 PM posted to alt.os.linux,alt.windows7.general,alt.comp.hardware
John Hasler

J. P. Gilliver writes:
But it's only valid if the asking of permission prompts for a random
character, otherwise the badware (!) could just send whatever's
expected.


The user's password is what should be expected.
--
John Hasler

Dancing Horse Hill
Elmwood, WI USA
  #60  
Old August 3rd 14, 02:20 PM posted to alt.os.linux,alt.windows7.general,alt.comp.hardware
John Hasler

I wrote:
The user's password is what should be expected.


When a second keyboard appears the OS should only connect to it after
having been given permission via the already-connected keyboard, of
course. Thus it doesn't matter what characters the second keyboard
attempts to send.
--
John Hasler

Dancing Horse Hill
Elmwood, WI USA
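
The policy discussed in the posts above, that a newly attached keyboard is not accepted until it has been approved from the existing one, sketched for Linux as an added example (not part of the thread or any poster's code). It uses the kernel's per-device `authorized` sysfs attribute; the `approved` set of port paths, the function names and the sample tree are assumptions made for illustration.

```python
from pathlib import Path

HID_CLASS = "03"  # bInterfaceClass value for Human Interface Devices


def _read(path: Path) -> str:
    try:
        return path.read_text().strip().lower()
    except OSError:
        return ""


def hid_devices(sysfs_usb: Path) -> dict[str, list[str]]:
    """Map each USB device name (port path, e.g. '1-2') to its HID interfaces."""
    found: dict[str, list[str]] = {}
    for iface in sorted(sysfs_usb.iterdir()):
        # Interface entries are named '<device>:<config>.<interface>'.
        if ":" not in iface.name:
            continue
        # Any HID interface counts: a keyboard need not declare the boot
        # keyboard protocol, so class 03 alone marks a keystroke-capable device.
        if _read(iface / "bInterfaceClass") == HID_CLASS:
            found.setdefault(iface.name.split(":")[0], []).append(iface.name)
    return found


def enforce(sysfs_usb: Path, approved: set[str], dry_run: bool = True) -> list[str]:
    """Deauthorize every HID-capable device whose port path is not approved."""
    blocked = []
    for dev in hid_devices(sysfs_usb):
        if dev in approved:
            continue
        blocked.append(dev)
        if not dry_run:
            # Writing 0 makes the kernel unbind the device's drivers.
            (sysfs_usb / dev / "authorized").write_text("0")
    return blocked


if __name__ == "__main__":
    import tempfile
    # Constructed sample tree standing in for /sys/bus/usb/devices:
    # keyboard on 1-1, storage stick on 1-2 that also exposes a HID interface.
    root = Path(tempfile.mkdtemp())
    for name, cls in [("1-1:1.0", "03"), ("1-2:1.0", "08"), ("1-2:1.1", "03")]:
        (root / name).mkdir()
        (root / name / "bInterfaceClass").write_text(cls + "\n")
    print(enforce(root, approved={"1-1"}))  # dry run, nothing is written
```

Because this acts after enumeration, a device can send input in the gap before it is deauthorized; writing 0 to each host controller's `authorized_default` attribute makes new devices start out unauthorized instead.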
 




All times are GMT +1.