Researchers uncover fundamental USB security flaw, no fix in sight

Yes it's true, the NSA invented USB.

In fact, the NSA also house The Invisible Man, Abominable Snowman, Yeti, Little Green Men and more.

If your car keys go missing, blame the NSA!

If you forget something important, the NSA probably nuked your brain!

If anything goes wrong in your life, the NSA did it while you were sleeping!

Edward Snowden for President! What's that? He may not be trustworthy enough? Why? Because he is a traitor? durrrr.
 
@ trolling guest: Joking aside, little do you know, what you're saying the NSA has done is not so far-fetched.
 
The flaw that security researchers Karsten Nohl and Jakob Lell plan to present next week at the Black Hat security conference in Las Vegas runs deeper than simply loading a USB drive with malware.

Oh good... maybe they can include instructions on how to use it so everyone can be a crook.

Why is it that the first thing these security guys do when they find a flaw is show everyone how it works? Shouldn't they quietly go to the USB commission or whatever and tell them about it so it can be fixed in the future?

Oh, right... then we'd have never heard of Karsten and Jakob and they wouldn't get to stand on a stage and tell everyone how smart they are....
It sucks man, but some people just want fame and don't care about what issues they are opening up.
 
The flaw that security researchers Karsten Nohl and Jakob Lell plan to present next week at the Black Hat security conference in Las Vegas runs deeper than simply loading a USB drive with malware.

Oh good... maybe they can include instructions on how to use it so everyone can be a crook.

Why is it that the first thing these security guys do when they find a flaw is show everyone how it works? Shouldn't they quietly go to the USB commission or whatever and tell them about it so it can be fixed in the future?

Oh, right... then we'd have never heard of Karsten and Jakob and they wouldn't get to stand on a stage and tell everyone how smart they are....

If they did that, things like the recent Heartbleed bug would be known only to hackers, which generally means the average user suffers. This way multiple people can work at fixing the security flaws instead of forcing the issue to be solved by a single regulatory agency that's run as an inefficient bureaucracy. Notifying the public also informs people of the security flaws so they can take steps to increase their own security. In all likelihood this has already been discovered and exploited beforehand, as most other flaws are. For the same reasons above, the 'bad-guys' don't publish their exploits.

Yes, people like to be recognized for their discoveries. Last I checked, most people don't get paid to do this; it might be related to their jobs, but it's usually done as a hobby on their own time, then they take even more time to formally document, publish, and demonstrate their discoveries so someone else can come along, donate THEIR time so that YOU can reap the benefits. But please, do tell how horrible these people are for wanting recognition instead of money.
 
Well, that essentially invalidates all computer evidence. Right now, there is reasonable doubt for everyone in the world.
 
The only thing keeping data from being read only or not is one bit. It's easy enough to change that bit to enable write access. Overwriting the complete firmware with a malicious version isn't out of the question. It doesn't matter if the firmware is read only or not if you overwrite the whole thing. Also with it being read only you could just read the firmware, make a copy of it, modify that copy, and then overwrite the whole original firmware. This would affect every phone regardless as they support firmware upgrades. A lot of people just use their phone instead of a USB stick now anyway.
 
"It affects every single USB device out there"... I'm not so sure about that,
most USB firmware is read-only. This only affects USB devices that can receive firmware updates.

Wrong. The only thing keeping data from being read only or not is one bit. It's easy enough to change that bit to enable write access. Overwriting the complete firmware with a malicious version isn't out of the question. It doesn't matter if the firmware is read only or not if you overwrite the whole thing. Also with it being read only you could just read the firmware, make a copy of it, modify that copy, and then overwrite the whole original firmware. This would affect every phone regardless as they support firmware upgrades. A lot of people just use their phone instead of a USB stick now anyway.
 
This will only work if you have the USB drivers installed, which almost every machine does. How it works is, the hacker plugs the USB device into their machine and "flashes" the ROM with the virus. When the USB device is plugged into the victim's machine, the computer reads the ROM to find out what type of device it is. When it does this it then becomes infected. Similar to a hardware hack I discovered years ago for the 3.5" floppy, only mine wasn't malicious. It just shut the machine down.
 
Posting the code was the right thing. We live in the day of nicely parsed hegemonic power between government and big business which has the concentrated capital to develop all kinds of technology which they may share with the public for profit or keep to themselves for control. In-Q-Tel is a government-private secret "public-private relationship" which uses private companies to develop spying technology used by the CIA.

I am just a small independent blogger but the only voice that I know about that actually reads and reports on what is in the economic development legislation passed by the Maine legislature. For years my blog and social media functions appear to be being hacked. I know that the forces I expose have access to more cutting edge technology than I have because it's all about big money merged with public-private relationships - in other words big government and big business.

So I became aware of this USB vulnerability because I felt that an external party was inside my mouse so to speak. I am actually amazed that I have been able to write this much of a post without my mouse freezing and hearing all those beeping-processing sounds coming from my computer. Perhaps that is because I am using the keyboard and not the mouse. Frequently I have to switch out my mouse ports a couple of times a minute but it's calm for now. >>>>>>- BUT just came back.

I have restored my computer to factory default but that only gives a brief relief, as does switching out my mouse. I could buy a stock of 25 or so mice to keep the attackers confused - but wouldn't it be much greater to buy only one mouse that has this problem technically worked out? I am seeing flash drives that have greater security on the market but not mice.

So I think it was a service to the public to reveal the code and get this out into the open because the way I see it, there is much technology that the hegemony of "public-private relationships" will keep to themselves to use for their own purposes such as controlling social media. This is election season and I get it. The political class that controls Maine wants to control all political talking points and I am a spanner in their works - just one lone individual with one voice that needs to be "contained" to their point of view.

Since the code is now public and more people know about it, it is far more likely that the market will produce security solutions for the public. BRAVO! My mouse is only one part of the problem- but get with tech developers- come up with a mouse that has added security! PLEASE!
 