On Mon, Sep 9, 2013 at 11:39 PM, Robert J. Hansen <r...@sixdemonbag.org> wrote:
> On 9/9/2013 4:52 PM, Jan wrote:
>> Imagine an intact offline PC without "auto play" enabled for USB drives.
>
> Can't.
>
> USB is a peer protocol. There's an astonishing amount of computational
> power on both sides of that USB cable. Protocol negotiation is complex.
> Put it all together and you get a peer-to-peer protocol which you
> *cannot* secure because (a) there are too many computational resources
> available to an attacker and (b) the protocol itself is too complicated
> and there are many ways a malicious token could compromise the remote
> system even without autoplay installed.
I'm sure we've all seen serial-to-USB adapters. Now I wonder if it'd be possible to do something in reverse: USB-to-serial. Serial connections are pretty well-understood, well-documented, and (hopefully) less likely/able to be an attack vector.

It'd be interesting to see if one could have a USB hub or something to which one could connect a USB flash drive or other device, have the hub negotiate the connection with the device, and then send serial data to the computer where a relatively simple (and presumably easier-to-secure) program could interpret it.

Sure, speeds wouldn't be anywhere near the same as with USB, and one would have to do some hackery to mount volumes (perhaps a USB-to-serial-to-FUSE interface for common file systems?), but it might work for relatively small file transfers (or for those willing to wait).

Is such a thing even possible?

--
Pete Stephenson

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users