
It would be nice if my OS had an option to disallow any and all USB devices. Plug something in? Ask whether I want to allow it. I guess this would get annoying after a bit. But still, I only use a couple of USB devices on a daily basis, but I click on boatloads of cookie warnings every day.



> It would be nice if my OS had an option to disallow any and all USB devices

Any desktop computer would have to be redesigned to add an "allow new device" button since they have no other input.

Even on many laptops, the internal keyboard and mouse are USB devices. When you install a new OS, do you have to accept trust to those as well? Or how will you stop an external device from spoofing them with the same vendor/device ID?


How about, trusted peripherals should speak DTLS over their USB/Thunderbolt PHY, and the OS should keep a certificate store for recognizing them?

This sounds like something that creates a chicken-and-egg problem of there not already being any such DTLS-speaking USB devices... but how about if vendors just create a little USB dongle that wraps whatever's plugged into it in "authentication" using DTLS? Ship the dongle with the laptop; tell people that if they want to install a new OS, they have to plug a USB keyboard in through the dongle.


> This sounds like something that creates a chicken-and-egg problem of there not already being any such DTLS-speaking USB devices...

Or only allow completely unauthenticated devices as a fallback when there is no other available authenticated device.

A computer not having any keyboard is a rare case. Most of the time you have what is built-in (and should be authenticated) or what came with the computer (and should be authenticated).

Allowing unauthenticated keyboards only on detection of no authenticated ones probably covers 99.9% of all use cases and increases security dramatically.


Aren’t we trying to prevent an attacker with physical access? They could simply unplug everything first.


Maybe not the exact correct solution (some of those MCUs are wayyyyy too tiny, slow, and stupid for something as complicated as DTLS), but this is not a horrid thought. The bootstrapping problem can be resolved via Microsoft's secureboot certificate and letting the firmware sort out the initial "trusted boot USB sticks" or however.

Hell, simply through acquisition and acquiescence, the market already accepted locked-down platforms. At this point, we ought to have more benefits from this instead of just making these platforms hard to install Linux on.


I use USBGuard on Linux to this effect.


It looked quite promising when I took a look two years ago. There was no support for properly filtering devices that contain multiple endpoints though, like a mouse with mass storage. You could either allow both or none. It was on their roadmap but kept getting postponed iirc. Should take a look again I guess. :-)
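
Added example, not part of the thread: on Linux, the default-deny behaviour asked for in the first comment can be approximated with the kernel's USB authorization files in sysfs (`authorized_default` per host controller, `authorized` per device). The function names and the `SYSFS_USB` override are assumptions of this example; writes to the real sysfs tree need root.

```shell
#!/bin/sh
# Added example: default-deny USB authorization through Linux sysfs.
# SYSFS_USB is overridable (assumption, so the functions can be exercised
# against a scratch directory); the real tree is /sys/bus/usb/devices.
SYSFS_USB="${SYSFS_USB:-/sys/bus/usb/devices}"

# Make every host controller leave newly attached devices unauthorized.
# Devices that are already connected keep their current state.
usb_default_deny() {
    for hc in "$SYSFS_USB"/usb*; do
        [ -w "$hc/authorized_default" ] || continue
        echo 0 > "$hc/authorized_default"
    done
}

# Print "<bus-path> <vid>:<pid> <product>" for each blocked device.
# VID, PID and product string are supplied by the device itself, so they
# help the user decide but do not prove identity (the spoofing concern
# raised in the thread).
usb_list_blocked() {
    for dev in "$SYSFS_USB"/*; do
        [ -f "$dev/authorized" ] && [ -f "$dev/idVendor" ] || continue
        [ "$(cat "$dev/authorized")" = "0" ] || continue
        printf '%s %s:%s %s\n' "${dev##*/}" "$(cat "$dev/idVendor")" \
            "$(cat "$dev/idProduct")" "$(cat "$dev/product" 2>/dev/null)"
    done
}

# Authorize one device by bus path (for example 1-2) once the user agrees.
usb_allow() {
    case "$1" in
        ''|*/*|.*) echo "invalid device path: $1" >&2; return 1 ;;
    esac
    dev="$SYSFS_USB/$1"
    [ -f "$dev/authorized" ] || { echo "no such device: $1" >&2; return 1; }
    echo 1 > "$dev/authorized"
}
```

The decision to allow still rests on the port the user just plugged into, since everything `usb_list_blocked` prints is self-reported by the device.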



