silly password restrictions was:Re: [clug] secure remote access method

Robert Edwards bob at cs.anu.edu.au
Mon Jun 22 01:38:15 GMT 2009


Alex Satrapa wrote:
> On 20/06/2009, at 17:04 , Robert Edwards wrote:
> 
>> The problem is your system allowing anyone to plug in an arbitrary USB 
>> device in the first place. That USB device could masquerade as a USB
>> HID (ie. keyboard or mouse) and send arbitrary key sequences to your
>> system (eg. "Windows key"->open Internet Explorer->type in a bad
>> URL->Javascript downloads all your cookies or whatever->close IE...
>> system compromised - could happen when you aren't looking...). It also
>> wouldn't be _too_ hard to make such a device look like a Yubikey, but
>> even easier to make it look like an innocent USB memory stick that
>> someone accidentally left lying around...
> 
> Why go to all that effort when all you need to do is write a custom 
> program and an autorun.inf file that will do it all for you, and will 
> use the user's own USB memory stick?
> 
> http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/02/15/BU47V0VOH.DTL&type=printable 
> 
> http://blogs.msdn.com/e7/archive/2009/04/27/improvements-to-autoplay.aspx
> 
> Of course the "automatic keyboard macro" idea applies to other operating 
> systems too, but good luck getting them to work the same way for the 
> same keystrokes. Student project indeed!
> 
> Alex
> 

I guess my thinking is that, these days, it is more likely that someone
would disable the autorun facility for their proprietary OS than they
would be to disable alternate keyboards (which would be required for
the use of Yubikeys in any case).

Cheers,

Bob Edwards.

