Hacker News new | past | comments | ask | show | jobs | submit login

> It would be nice of my OS had an option to disallow any and all USB devices

Any desktop computer would have to be redesigned to add a "allow new device" button since they have no other input.

Even on many laptops, the internal keyboard and mouse are USB devices, when you install a new OS, do you have to accept trust to those as well? Or how will you stop an external device from spoofing them with the same vendor/device ID?




How about, trusted peripherals should speak DTLS over their USB/Thunderbolt PHY, and the OS should keep a certificate store for recognizing them?

This sounds like something that creates a chicken-and-egg problem of there not already being any such DTLS-speaking USB devices... but how about if vendors just create a little USB dongle that wraps whatever's plugged into it in "authentication" using DTLS? Ship the dongle with the laptop; tell people that if they want to install a new OS, they have to plug a USB keyboard in through the dongle.


> This sounds like something that creates a chicken-and-egg problem of there not already being any such DTLS-speaking USB devices...

Or only allow completely unauthenticated devices as a fallback when there is no other available authenticated device.

A computer not having any keyboard is a rare case. Most of the time you have what is built-in (and should be authenticated) or what came with the computer (and should be authenticated).

Allowing unauthenticated keyboards only on detection of no authenticated ones probably covers 99.9% of all use cases and increases security dramatically.


Aren’t we trying to prevent an attacker with physical access? They could simply unplug everything first.


maybe not the exact correct solution (some of those MCUs are wayyyyy too tiny, slow, and stupid for something as complicated as DTLS), but this is not a horrid thought. The bootstrapping problem can be resolved via Microsoft's secureboot certificate and letting the firmware sort out the initial "trusted boot USB sticks" or however.

hell, simply through acquisition and acquiescence, the market already accepted locked-down platforms. at this point, we ought to have more benefits from this instead of just making these platforms hard to install Linux on.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: