On Wed, Sep 11, 2013 at 11:01 AM, Jan <takethe...@gmx.de> wrote:
> On 10/09/2013 15:18, NdK wrote:
>
>>>> You'd be exposed nearly to the same attack vectors. Plus some more (the
>>>> ones that handle the extra layer), so you'd have to check more code.
>>>
>>> So what about using that free USB stack for AVRs to implement a flash
>>> device? You would be able to audit about everything; flylogic even has
>>> these nice pictures of the ATmega88 masks...
>>
>> Sorry, I don't follow your reasoning here.
>> Pete proposed to use a USB-to-Serial interface to avoid attacks against
>> the USB stack on the PC. Why should an AVR be used to implement a flash
>> device?
>
>
> Maybe Pete meant such a USB-to-Serial interface
> http://www.robotsimple.com/Computer_Interface/USB_to_Serial_Adapter ?
Actually, I was thinking of something that was the exact opposite: some device (which I don't think exists) that would allow one to connect a USB flash drive to the device, and have the device convert that into RS232 serial data for the computer, thus avoiding any USB interaction with the computer itself. The computer would then need to process the serial data to read or write files on the drive.

As far as I know, nothing like that exists and I'm not sure if it'd be possible to do. Even if it was possible, it'd be immensely slower than normal USB connections. My thought was that since serial is older and simpler than USB, it would be possible to better audit and secure the connection between the flash drive and the computer using such a method.

My idea was derived from one of the ways CAcert keeps their root certificate secure: the signing system is kept offline, but is connected via a serial cable to an online computer (e.g. the web server). The simple daemon that listens on the serial port of the signing system will only respond to requests for signing things, but they did not implement any file-transfer-over-serial functionality, so it would (presumably) be impossible to compromise the root certificate remotely. My idea would be for something similar, but with file-transfer capability over serial.

The device you linked to, which is quite common, is the opposite: one can connect a serial device (say a microcontroller, a UPS, etc.) to the device, which converts it to USB and transmits that data to the computer. The device appears as a serial port on the computer. In brief, the device you linked to tunnels serial-over-USB. My thought was to do filesystem-access-over-serial.

Mine is probably a very silly idea and I was basically throwing the idea at the wall to see if it'd stick. :)

--
Pete Stephenson

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
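The request-only serial daemon Pete describes for the CAcert signer, as an added example (not code from the thread or from CAcert): the offline side parses fixed-layout frames and answers exactly one command, so there is no file-transfer verb for a compromised online host to use. The frame layout, command names, HMAC placeholder key and byte-string "serial link" are all constructed assumptions.

```python
import hashlib, hmac, struct, zlib

# Constructed frame layout (not from the thread):
#   magic(2) | payload length(2) | command(4) | payload | crc32(4)
MAGIC = b"SG"
MAX_PAYLOAD = 4096
HEADER = struct.Struct(">2sH4s")
# Constructed placeholder; a real signer holds an asymmetric key offline.
SIGNING_KEY = b"offline-root-key-placeholder"

def encode_frame(cmd: bytes, payload: bytes) -> bytes:
    body = HEADER.pack(MAGIC, len(payload), cmd) + payload
    return body + struct.pack(">I", zlib.crc32(body))

def decode_frame(frame: bytes):
    """Return (cmd, payload) or raise ValueError; every check fails closed."""
    if len(frame) < HEADER.size + 4:
        raise ValueError("short frame")
    magic, length, cmd = HEADER.unpack_from(frame)
    if magic != MAGIC:
        raise ValueError("bad magic")
    if length > MAX_PAYLOAD or len(frame) != HEADER.size + length + 4:
        raise ValueError("length mismatch")
    if zlib.crc32(frame[:-4]) != struct.unpack(">I", frame[-4:])[0]:
        raise ValueError("bad crc")
    return cmd, frame[HEADER.size:HEADER.size + length]

def sign(payload: bytes) -> bytes:
    # HMAC stands in for the real signing operation.
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()

# The complete command table. There is deliberately no file read/write verb,
# so the online side can request signatures but cannot move files.
HANDLERS = {b"SIGN": sign}

def handle(frame: bytes) -> bytes:
    """Process one frame from the serial line; anything unexpected gets a fixed error reply."""
    try:
        cmd, payload = decode_frame(frame)
        handler = HANDLERS[cmd]
    except (ValueError, KeyError):
        return encode_frame(b"ERR ", b"")
    return encode_frame(b"OK  ", handler(payload))

def demo():
    """Accepted signing request vs. refused file request: returns (b"OK  ", b"ERR ")."""
    ok = handle(encode_frame(b"SIGN", b"constructed-csr-bytes"))
    refused = handle(encode_frame(b"READ", b"some-file"))
    return decode_frame(ok)[0], decode_frame(refused)[0]
```

The point is that the whole attack surface on the offline side is the few dozen lines above, which is what makes the interface auditable in the way the post argues serial could be.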