Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Developers Create API For Direct USB Access Via Web Pages (softpedia.com)

Posted by msmash on from the improved-connectivity dept.

An anonymous reader writes: Two Google developers have uploaded an unofficial (for now) draft to the World Wide Web Consortium's Web Incubator Community Group (W3C WICG) that describes a method of interconnecting USB-capable devices to Web pages. The API, called WebUSB, allows device manufacturers to provide special "registry and landing pages" where they can host JavaScript SDKs for their USB-capable devices. Site owners can load these SDKs as iframes inside their websites, and allow a site to access and relay commands (via the iframe to the browser's WebUSB API) to the actual device. To protect privacy and security, the WebUSB API also comes with a CORS-like system that prompts users for access to their devices to avoid abuse and Web-based fingerprinting. The system is also backward compatible with devices created before the standard's approval (if it gets approved).

131 comments

  1. That doesn't sound like it could ever be abused... by Anonymous Coward · · Score: 5, Funny

    That doesn't sound like it could ever be abused...

  2. W3C API for Google products by Anonymous Coward · · Score: 5, Insightful

    Remember when Pale Moon devs wrote:

    This is sort of an open letter to the community, because we're facing some difficult times in the medium-to-long future with the way the web is developing away from actual standards, and "standards" being currently mostly dictated by the same people who run the biggest browsers (Google, Microsoft) and web services (Google again, media sites, Facebook) -- including the W3C being heavily influenced and/or strong-armed into accepting standards that rather describe the way "the big three" are behaving than what is logical or should actually be part of clear, separated domains for different technologies involved in creating the Web.

    This API is for ChromeOS 100%

    1. Re: W3C API for Google products by Anonymous Coward · · Score: 0

      It did not have to be this way. Mozilla didn't have to alienate nearly all of Firefox's user base with the awful changes they made to Firefox. Mozilla had real influence when Firefox held 30% or more of the browser market. Now Firefox is down to maybe 5%, and none of the other players have to care what Mozilla thinks or wants.

    2. Re: W3C API for Google products by Anonymous Coward · · Score: 0

      Mozilla is not down to 5%.... lol ... It is at around 30%

    3. Re: W3C API for Google products by Anonymous Coward · · Score: 0

      Firefox is nowhere near 30% today. It was only around that mark during its peak, several years ago. A lot of Firefox users have jumped ship to Chrome since. Maybe your web sites are different, but globally Firefox is in the 5% to 10% range. Realistically, it's likely closer to 5% than 10%.

    4. Re: W3C API for Google products by Anonymous Coward · · Score: 0

      Mozilla had real influence when Firefox held 30% or more of the browser market.

      With 95% of Mozilla revenues coming from Google since 2005, and Firefox developers being employed by Google to develop Chrome...?

      I think not.

      Since Firefox 1.0, at the end of 2004 (two years after the first release of Phoenix), Mozilla has been progressively corrupted by big money from Google. Then at the start of 2010, a little more than five years later, and as Chrome was beginning to take off, Firefox 4.0 was released with a new UI, and it was the beginning of the end.

      Today, Firefox developers are still arguing telemetry to remove more features... apparently they missed the line about having lost two-thirds of users since Firefox 4.0... They're adding BS non-features with grave security and privacy problems without a care too...

      They became what they fought against, like so many others.

    5. Re: W3C API for Google products by Anonymous Coward · · Score: 0

      2010 called, it wants its stats back ;) Firefox is around 5 -18%, depending on which stats you believe. It hasn't been relevant for years and it will soon die if they don't catch up.

    6. Re: W3C API for Google products by Anonymous Coward · · Score: 0

      Mozilla hasn't suckled on Google's money teet for some time now. It now uses Yahoo's. Please try to stay relevant.

    7. Re:W3C API for Google products by Anonymous Coward · · Score: 0

      Umm, then Pale Moon devs are worse than I though. Another group of devs that don't understand their own field and its history. Standards don't pop out of thin air. Companies create a bunch of protocols or formats, compete in the market, then the last one standing becomes the standard. Standard bodies take what's already out there and shown to be useful, fix a few things, and then slap a specific label on it. The logically best or clear way to do something has never been the primary concern. This is how its always been. Standards bodies polish the exist standards to work with each other, they almost never make them.

    8. Re:W3C API for Google products by Anonymous Coward · · Score: 0

      These people are like the Bernie Sanders supporters of programming.

    9. Re:W3C API for Google products by KGIII · · Score: 1

      Spelling and grammar issues aside, the AC's post is more salient than one might think. More often than not, in this area, standards are made from things that have demonstrated value and have been incorporated already. They just formalize what exists.

      --
      "So long and thanks for all the fish."
  3. Reasons why I don't like the Internet of Things. by Anonymous Coward · · Score: 0, Troll

    Here's a list of reasons why I don't like the Internet of Things:

    1) Internet of Things devices could watch me while I sleep.

    2) Internet of Things devices could watch me while I pee.

    3) Internet of Things devices could watch me while I make kaka.

    4) Internet of Things devices could watch me while I pleasure myself.

    5) Internet of Things devices could watch me while I wash my body in the shower.

    6) Internet of Things devices could watch me while I relax in the tub.

    7) Internet of Things devices could watch me while I brush my teeth.

    8) Internet of Things devices could watch me while I make passionate love to my wife.

    9) Internet of Things devices could watch me while I brush my hair.

    10) Internet of Things devices could watch me while I read a book.

    11) Internet of Things devices could watch me while I read Slashdot.

    12) Internet of Things devices could watch me while I bake cake.

    13) Internet of Things devices could watch me while I put in my contact lenses.

    14) Internet of Things devices could watch me while I get ready to play golf.

    15) Internet of Things devices could watch me while I do my laundry.

    16) Internet of Things devices could watch me while I think about rugby.

    17) Internet of Things devices could watch me while I tie my shoes.

    18) Internet of Things devices could watch me while I celebrate the 4th of July.

    19) Internet of Things devices could watch me while I water my flowers.

    20) Internet of Things devices could watch me while I eat ham.

    21) Internet of Things devices could watch me while I use my stapler to staple documents.

    22) Internet of Things devices could watch me while I chew bubble gum.

    23) Internet of Things devices could watch me while I check the oil in my car.

    24) Internet of Things devices could watch me while I look for my TV remote.

    25) Internet of Things devices could watch me while I blow my nose.

    26) Internet of Things devices could watch me while I rearrange my stamp collection.

    27) Internet of Things devices could watch me while I listen to the Backstreet Boys.

    28) Internet of Things devices could watch me while I do my calisthenics.

    29) Internet of Things devices could watch me while I search for a paper clip.

    30) Internet of Things devices could send information about me to advertisers.

    31) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I sleep.

    32) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I pee.

    33) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I make kaka.

    34) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I pleasure myself.

    35) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I wash my body in the shower.

    36) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I relax in the tub.

    37) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I brush my teeth.

    38) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I make passionate love to my wife.

    39) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I brush my hair.

    40) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I read a book.

    41) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I read Slashdot.

    42) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I bake cake.

    43) Internet of Things devices could let advertisers use the data unsuspectingly coll

  4. What could possibly go wrong? by Anonymous Coward · · Score: 2, Interesting

    How long until the "security" is bypassed and websites can arbitrarily access any and all USB devices on the system?

    1. Re:What could possibly go wrong? by softnewsit · · Score: 3, Insightful

      3 days

      --
      Go away!
    2. Re:What could POSSIBLY go wrong? by Anonymous Coward · · Score: 1

      If it's a sandboxed kernel that doesn't sound so bad except for the silent part.

      Web APIs are the future. I only do GPU coding in WebGL because it is the most cross-platform, and I only bother writing applications in Javascript for the same reason.

    3. Re:What could possibly go wrong? by DavidRawling · · Score: 1

      Wow, you're optimistic. I figured about 3 minutes.

  5. ChromeOS by Anonymous Coward · · Score: 0

    Why do I feel this was done for ChromeOS, to avoid driver bloat?

    1. Re: ChromeOS by Anonymous Coward · · Score: 0

      But remember all those times you've tried to get your parents off Windows onto an OS you can actually help them use, but been stymied by some USB doohickey that they just can't give up.

  6. Re: That doesn't sound like it could ever be abuse by Ukab+the+Great · · Score: 5, Funny

    It's just JavaScript. What could go wrong?

  7. FirsT! by Anonymous Coward · · Score: 0

    Ha yes!

  8. Re:That doesn't sound like it could ever be abused by Anonymous Coward · · Score: 0

    Needs whatcouldpossiblygowrong tag

  9. What could POSSIBLY go wrong? by Anonymous Coward · · Score: 1

    You might as well make a Web API that silently installs a kernel driver at this point.

  10. Um. Hell No. by zenlessyank · · Score: 1

    Keep your dirty JavaScript off my USB devices.

    1. Re:Um. Hell No. by U2xhc2hkb3QgU3Vja3M · · Score: 1

      Take your stinking javascript off my USB devices, you damned dirty Google! - George Taylor

    2. Re:Um. Hell No. by Aighearach · · Score: 1

      I don't care if it is javascript or some other language, the problem is the part where it runs in a web browser, which is capable (designed primarily for, even) loading code provided by the server.

      People talk about using it for authentication, but that can already be done with existing authentication protocols. Sure, it needs a client-side helper app, but places that are too strict to have the auth helper are going to be disabling any USB ports if this is going to be enabled in the browser; and maybe preemptively, just in case.

      I wouldn't mind the client helper being written in javascript. But I wouldn't want it to be able to load code, I'd just want it to get requests from the browser/plugin, and respond in a predefined way.

    3. Re: Um. Hell No. by Anonymous Coward · · Score: 0

      What about drivers for obscure architecture computers, Arm for instance doesn't generally get drivers %for devices.

      A user can still use their shit even if the vendor hasn't written a driver for that platform.

  11. Re:Reasons why I don't like the Internet of Things by Anonymous Coward · · Score: 0

    Can someone explain this post to me ? Is it a meme or something ?

  12. Re: That doesn't sound like it could ever be abuse by i.r.id10t · · Score: 0

    Indeed. But what other technology would be good for something server side to interact with something on the user's local machine via web browser?

    Assuming the security bugaboos can be worked out, I can see this being good for things like authentication

    --
    Don't blame me, I voted for Kodos
  13. Coming soon to a web browser near you: by Anonymous Coward · · Score: 0

    USB-connected webpage-enabled buttplugs. That way nosy governments and nosy corporations can be literally up your ass 24/7/365! The ultimate in sharing! Post your bowel habits automatically on Facebook (soon to be renamed Faecesbook, which is a little too close to reality to start with). Just think how convenient it will be to not have to stop to tell your 'freinds' on social media you're taking a dump! Also, the value-added Amazon OneDump feature will automatically re-order the bathroom tissue of your preference based on your usage patterns!

    Yeah, I'm shitposting (pun not intended), but seriously, folks: Hasn't it started to seem like the Internet and everyone involved in it really is all 'up in our business' for quite some time now? When is this shit going to stop, already? 'App' for this, 'IoT' device for that, 'Fitbit' to literally track your every move, provide data to profile your minute-to-minute activity, so-called 'social media' encouraging you to literally jack your brain in to the Internet so everyone can see everything you're doing/thinking/feeling 24/7/365.. People are starting to get sick of at least some of it now and are backing off, which is an encouraging sign, but then we get more, more, more gadgets and apps and crap piled on top of us, overwhelming our senses, keeping us awake at night, keeping our eyes glued to screens instead of the person across the table from us.. honestly, seriously, this shit needs to stop.

    1. Re:Coming soon to a web browser near you: by Anonymous Coward · · Score: 0

      USB-connected webpage-enabled buttplugs.

      That's USB-connected webpage-enabled buttplugs (patent pending) to you, Mr AC! No one ever bet wrong on sex and the internet.

  14. ActiveX again? by Imazalil · · Score: 5, Funny

    Did all the Active X developers end up at Google?

    1. Re:ActiveX again? by Anonymous Coward · · Score: 1

      Yeah, after spending 5 years in a nut house.

  15. Re:That doesn't sound like it could ever be abused by lgw · · Score: 4, Insightful

    That doesn't sound like it could ever be abused...

    There have been some eye-opening kernel exploits found using the USB bus, but if that's limited to direct physical access it sound less scary. With this change? Eesh.

    This is like a remote control for a chainsaw: it sounds handy, but you know it will end in tears.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  16. Just wait for the ad's to abuse this / DMCA bs by Joe_Dragon · · Score: 1

    Just wait for the ad's to abuse this or even some DMCA bs.

    No you can't run our app in a VM as that VM let's you bypass our usb dongle

  17. Re: That doesn't sound like it could ever be abuse by DarkOx · · Score: 4, Insightful

    Yes, give remote code the ability to talk directly to a DMA capable device. No problems there. This and webGL could literal be a disaster if someone slips up.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  18. config gui held random by Anonymous Coward · · Score: 2, Insightful

    If this is widely supported, vendors will use it to build configuration GUIs for their USB devices.

    No internet connection? Device doesn't work.

    Vendor's website down? Device doesn't work.

    Vendor out of business? Device doesn't work.

    Vendor sold to EvilCorp? Pay $10/mo for a support contract to EvilCorp so your device that worked fine for years will continue to work.

    1. Re:config gui held random by James+Carnley · · Score: 1

      I don't see how this is any different than driver packages today. If you have no internet or the company goes out of business then you can't download the drivers. If you have drivers on a CD then they still work. The configuration webpage/app that uses these JavaScript APIs on that CD will still work too.

    2. Re:config gui held random by ilsaloving · · Score: 1

      The point the GP is trying to make is that this opens the door to vendors requiring an active internet connection to their servers just to be able to configure (or possibly even just use) your widget. If anything happens to that company, you could lose meaningful use of said widget.

      We already have stuff like this. Look at the Logitech Harmony Remote. You have to connect to their online service to be able to configure your remote. If their service ever died, you lose the ability to configure your remote. (I'm having to go by memory... I used to own one but I can't remember what I did with it)

  19. Re:Reasons why I don't like the Internet of Things by Anonymous Coward · · Score: 0

    I don't have a problem with any of those things except Internet of Things devices watching me while I use my stapler to staple documents.

  20. Re:Reasons why I don't like the Internet of Things by Anonymous Coward · · Score: 0

    it's just a rant produced by an idiot.

  21. Not all that new. by LWATCDR · · Score: 1

    Chrome could talk to HID devices for a while. That is how Fido USB keys worked.
    I hate Javascript....

    --
    See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  22. We all know this is unwise. by Anonymous Coward · · Score: 0

    Even Mozilla is against this. One of the things keeping them from adopting U2F has been making sure they didn't expose USB insecurely to exploits (or at least their best effort to do so). But then, this is Google. I'm sure they realize how terribly fragile and insecure USB drivers are, right? Right?

    1. Re:We all know this is unwise. by Progman3K · · Score: 2, Informative

      On linux, Google Chrome requires you to enable the ability in your kernel that permits arbitrary processes to read the memory of other processes.

      Originally intended for debuggers, apparently Google's web-browser won't run unless it can spy on any process in the system.

      Nice work Google. Change your motto to "Do evil", please

      --
      I don't know the meaning of the word 'don't' - J
    2. Re:We all know this is unwise. by Vairon · · Score: 3, Interesting

      Can you site a source to validate this claim?

    3. Re:We all know this is unwise. by Vairon · · Score: 1

      And by 'site' I mean 'cite'. :)

    4. Re:We all know this is unwise. by Anonymous Coward · · Score: 1

      Yeah, that's not true. There was a zero-day about 2 years ago which allowed RCE, but that was patched quickly.

      To get U2F to work requires some additions to udev rules, but that's about it.

    5. Re:We all know this is unwise. by Progman3K · · Score: 1

      Only myself.

      I'm running Gentoo and I remember a few years ago, when installing Chrome, it required that I enable a config option in my kernel that would give it the access I mentioned.

      At the time I thought "? Why would a web browser need that?"

      My memory is a bit cloudy on the details, I admit.

      It may have been in relation to the V8 thingie that Chrome apparently needs, I believe that may have been the module in question.

      --
      I don't know the meaning of the word 'don't' - J
  23. Re:That doesn't sound like it could ever be abused by Aighearach · · Score: 1

    That doesn't sound like it could ever be abused...

    I'll install it right before I fire myself out a cannon without any safety equipment.

    My goodness, this is hilariously awful as a use case concept.

    If I trust software enough to let it talk to USB, I want to also trust that it is under its own control. Here, even if you thought you could trust it before, it can be changed server-side without notification, so you wouldn't be able to continue trusting it while using it. You wouldn't need to get infected with a virus or malware to lose control of your USB device; only the server would need to be cracked! And the trustiness would just pass right through to the user.

  24. Skeptical... by Junta · · Score: 3, Interesting

    It seems the goal is to empower developers to skip the pesky wait for actually standardizing around 'novel' device types by giving the browser pretty open ended access to USB devices...

    As a rule, I do not believe OSes themselves allow open ended access to any device by an unprivileged user process (e.g. a browser process), USB or otherwise. So it would seem the OS model for hardware would be in the way. Incidentally, this problem should be taken as a huge red flag as why this may be an ill-conceived idea.

    I would worry that should this strategy be encouraged, we would see devices that *only* are usable within a web browser. This is the first time I can recall any managed runtime environment trying to implement an independent driver model of the underlying OS. This strikes me as particularly bad form.

    In general, Javascript can't even access arbitrary files owned by the user. This is a good thing. This is flying pretty firmly in the face of Javascript in browser being a domain specific language that has *some* security by virtue of explicitly not being allowed to do everything to a system.

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:Skeptical... by dgatwood · · Score: 1

      As a rule, I do not believe OSes themselves allow open ended access to any device by an unprivileged user process (e.g. a browser process), USB or otherwise. So it would seem the OS model for hardware would be in the way. Incidentally, this problem should be taken as a huge red flag as why this may be an ill-conceived idea.

      Actually, allowing unprivileged code to control most USB devices has actually been the norm for the better part of two decades. For example, OS X requires code to be privileged if it wants to control a keyboard HID device, and it won't allow user-space control of or access to mounted mass storage devices, but beyond that, it allows any random app to take over any random USB device. IIRC, sandboxed apps (e.g. anything in the MAS) require apps to declare what devices they can control, but they're still allowed to control them (within the aforementioned limitations).

      BTW, if I skimmed the whitepaper correctly, only code from a specific domain would be allowed to directly access a given device model. I'm assuming that the JS code in question would then present some sort of interface that would allow arbitrary pages to control the device in a limited manner, e.g. via postMessage calls into the driver. Maybe somebody working on that team could clarify the intended usage model?

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    2. Re:Skeptical... by Anonymous Coward · · Score: 0

      only code from a specific domain would be allowed to directly access a given device model

      Sounds like they're trying to stuff some DRM down our necks. The device will accept dynamic code only from the a company's server? Or did I misunderstand and you need to whitelist the domains that can talk to a device (that'll be quickly cut out as to unfriendly to the user).

      I guess I could read the article...

    3. Re:Skeptical... by dgatwood · · Score: 1

      I just skimmed the article, so I'm not sure who is in control over the lists or whatever—just that a list would exist. :-)

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  25. End times by Anonymous Coward · · Score: 0

    Mozilla warned us about clouds of vengeance and the end of days and now it looks like it might actually happen.

  26. Here's one good use case by Anonymous Coward · · Score: 0

    I have a smartwatch that can only sync with an XP system. It would be great if there was a web page/online service without some stupid native app that isn't available for Linux. Same with my FitBit. I have to start a Windows VM every few days in order to sync my FitBit. All their closed-source, proprietary app does is upload data to a web service. It would be nice to cut-out the unreliable mostly broken crap in the middle.

  27. Re:That doesn't sound like it could ever be abused by iCEBaLM · · Score: 1

    Is there a possibility that this new standard can get my PIN number to my ATM machine card from accessing the USB bus?

  28. Just make a JavaScript operating system. by Anonymous Coward · · Score: 0

    From top to bottom, in fact start with a CPU architecture designed to read JavaScript as assembly.

  29. Re: That doesn't sound like it could ever be abuse by mlts · · Score: 4, Insightful

    Not if; when. I can see this code being used as a vector to flash rogue firmware to devices. DMA access? We already have a problem with hardware slurping keys out of RAM with DMA... now imagine websites that can get this ability. I can see ransomware using this ability to bypass many different things to ensure a computer is unusable, perhaps even firmware flashes so the computer's BIOS runs the ransomware on that level.

  30. If the driver doesn't exist for your PC's OS by tepples · · Score: 1

    Say you have been given a particular USB device as a gift, but the program to make the USB device work is available only for Windows, and your computer runs GNU/LInux. Would you prefer to buy and install a copy of Windows or refuse the gift?

    Or if you happen to be a Windows user, I will reword:
    Say you have been given a particular USB device as a gift, but the program to make the USB device work is available only for OS X, and your computer runs Windows. Would you prefer to buy a Mac or refuse the gift?

    Or are you willing to pay more for all USB devices so that they can come with drivers for Windows, OS X, and GNU/Linux?

    1. Re:If the driver doesn't exist for your PC's OS by Junta · · Score: 3, Insightful

      I'd rather not bind USB devices to only work under a web browser.

      It's the job of the OS to manage the hardware. To codify a bypass to let a particular application do whatever it wants seems unreasonable.

      Note for USB devices, this is relatively more rare, as the USB forum codifies standards so that different vendors of common devices all look the same. A usb mass storage device has the same abstraction regardless of underlying technology. A usb network device is implementing one of a handful of network protocols (there have been some revisions on that setup). A usb camera looks the same regardless of vendor.

      So if you have some wacky precious snowflake of a device that is so cutting edge that no driver model has been established for it, this lets a hypothetical web app skip a few months of hand wringing waiting for a standard. In exchange for this modest benefit, you are discouraging pursuit of standards, empowering javascript to do more insidious things, and discouraging device support for non-browser access (there are more applications on a system than a web browser, and encouraging device vendors to target the browser *instead* of the OS driver model is just nasty).

      --
      XML is like violence. If it doesn't solve the problem, use more.
    2. Re:If the driver doesn't exist for your PC's OS by Anonymous Coward · · Score: 0

      The use case you describe is pretty narrow.

      Generic drivers for input devices, mass storage devices and even sound cards already exist for various platforms. The good thing about USB is that a vendor of a certain class of devices is unlikely to reinvent the wheel - with regards to driver implementation - if a pretty usable and generic driver already exists. Generic USB drivers probably cover 90% of USB devices (number, obviously pulled out of my arse, but probably accurate, based on my experience with Linux and Windows).

      Secondly, devices that would require a specific driver or software are already probably tied to a particular API or OS functionality. I am thinking about devices such as sound cards (ALSA on Linux, Universal Audio Architecture or WDM on Windows), printers (CUPS on Linux, and whatever they call their printing API on Windows) and video capture devices (V4L on Linux, directshow on Windows). It is unlikely that Google (or anyone) could create an abstraction layer that accommodates all use cases, and even if they try, it will be a Frankenstein of epic proportions.

    3. Re: If the driver doesn't exist for your PC's OS by qbast · · Score: 1

      Compared to giving open-ended access to USB bus to the browser? Yes, I would rather use a VM.

    4. Re:If the driver doesn't exist for your PC's OS by mattventura · · Score: 1

      99% of USB devices work with completely generic drivers. The whole "I need a vendor-specific driver for a device that uses completely standard protocols" is mostly a Windows-only thing. Plus there's USB passthrough for virtualization anyway, so worst case you can jus fire up a Windows VM.

    5. Re: If the driver doesn't exist for your PC's OS by Anonymous Coward · · Score: 0

      Lol, Devs won't reimplement the wheel in their own shitty driver?

      Now who's living in a fantasy land.

  31. It's a reminder about the dangers of the IoT. by Anonymous Coward · · Score: 2, Informative

    It's a reminder to us all about how invasive the IoT is and will be. It reminds us that even the most mundane activities, the ones we do even without really thinking about doing, will be monitored by IoT devices. This information will be collected and sent to various corporations for them to analyze and mine as they see fit.

    It isn't mundane activities that will be tracked, either. Activities that one wishes to remain private will be tracked, too. Even urination and defecation won't be spared from the invasive reach of IoT.

    Web browsers have no legitimate reason to ever access USB devices. It's bad enough that they already support accessing microphones and webcams. But arbitrary USB devices? There really is no reason for that!

    Web browsers accessing arbitrary USB devices is just another step in the IoT being used to watch and data mine your most private and intimate moments.

    1. Re: It's a reminder about the dangers of the IoT. by Anonymous Coward · · Score: 0

      I agree we are well on our way to a panopticon. Whether it will be dystopian or utopian or somewhere in between remains to be seen. No putting the genie back in the bottle.

  32. Difference between ActiveX and web APIs by tepples · · Score: 1

    The key difference is that ActiveX controls ran as native code with full permissions to everything in your user profile, while these web APIs run as managed code with finer-grained permissions. How common are JavaScript sandbox escapes lately?

    1. Re:Difference between ActiveX and web APIs by Junta · · Score: 1

      But how much do you put within reach of the sandbox? Given the open ended nature of the beast, what are the hopes that a browser can competently present a user with a specific enough warning about what's about to happen to allow them to make an informed decision?

      --
      XML is like violence. If it doesn't solve the problem, use more.
    2. Re:Difference between ActiveX and web APIs by Dwedit · · Score: 1

      Well-known use-after-free bugs in webkit hacked the 3DS and PS4.

  33. Re:That doesn't sound like it could ever be abused by fahrbot-bot · · Score: 1

    That doesn't sound like it could ever be abused...

    I'll install it right before I fire myself out a cannon without any safety equipment.

    A USB connected cannon?

    --
    It must have been something you assimilated. . . .
  34. Very soon by Anonymous Coward · · Score: 0

    we'll be back to the age of USB infestation

  35. Browsers need LESS access not more! by Anonymous Coward · · Score: 0

    A browser should do 1 thing and 1 thing only. Show web pages and their associated content.
    They are not instant messaging software. They are not video conferencing software. They are not IoT middle-men.

    They should be constantly ran in a sandbox with read/write access to their own config files and a download folder only. Anything they invoke should run in that sandbox and not under any circumstances be allowed to exit it.

    Browsers are 'the internet' to most of the population and each and every single time something gets added to a browser it is another attack surface for malware & viruses.
    Browsers are for displaying web pages. You want a USB control hub? Download one. You want an instant massager with video? Download one.

    Stop making our browsers insecure by adding things which will ALWAYS be exploited by people far smarter, more resourceful and more determined than your engineers.

    1. Re:Browsers need LESS access not more! by Junta · · Score: 1

      I'd probably say something a little less severe. A browser environment should be able to do more, but it should be presumed *not* to be able to do any particular new thing until carefully considered and planned.

      For example, I'm all fine with a browser being able to access a camera, with browser requiring a very clear and specific prompt for allowing that site to use a camera. It's something handy and specific enough that a user can make an informed decision based on pretty simply wording.

      Basically, specific use cases should be evaluated and given a mechanism for use with clear capability to have specific security controls if it has widely perceived value.

      However, nothing should be enabling the browser to be an open-ended execution environment, as it makes it pretty much impossible for a standard user to understand the possibilities they just granted a remote site.

      --
      XML is like violence. If it doesn't solve the problem, use more.
  36. Re:That doesn't sound like it could ever be abused by PopeRatzo · · Score: 2

    This is like a remote control for a chainsaw: it sounds handy, but you know it will end in tears.

    Well put.

    --
    You are welcome on my lawn.
  37. Google staaahp by Anonymous Coward · · Score: 0

    You're going full retard. Never go full retard.

  38. Re:Reasons why I don't like the Internet of Things by Anonymous Coward · · Score: 1

    Who says anybody has to use this IOT? Just don't buy things that are IOT enabled. May be difficult to avoid, or not. I guess we will find out.

  39. Re: That doesn't sound like it could ever be abuse by Anonymous Coward · · Score: 3, Funny

    Indeed. Now you can plug in a USB drive you found in the parking lot and infect the entire web with Cryptolocker.

    This could be the most productive thing to happen to humanity since evolving the ability to make tools.

  40. Demand more from the vendors... by Junta · · Score: 1

    When the vendors are doing such lazy crappy things, trying to enable them is not the answer.

    Those vendors doing sloppy things lead to very unstable and insecure things. These vendors are actually largely to blame for the poor security/reliability of Windows ecosystem in practice, despite MS actually having done an adequate job of making a decently sound security infrastructure. If you avoid the shovelware, Windows tends to run OK. This would enable OS destabilizing/security problems from a browser.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  41. So, kinda libusb for JavaScript? by DdJ · · Score: 1

    My first thought was that they were basically doing libusb bindings for JavaScript (and then exposing those bindings within a web browser).

    But, no, those bindings already existed: https://github.com/schakko/nod...

    I must be missing something. I'll go dig for technical details to try and figure out what.

    1. Re:So, kinda libusb for JavaScript? by headbulb · · Score: 1

      Bindings for nodejs doesn't mean those bindings are in the browser.

      I am not sure what the purpose of binding libusb if you can run your own code on the computer. Just run native code.

  42. Re: That doesn't sound like it could ever be abuse by JustAnotherOldGuy · · Score: 5, Insightful

    It's just JavaScript. What could go wrong?

    Nothing. Nothing could possibly go wrong with this idea.

    As we've seen, the Internet Of Random Things has had a unblemished, stellar record of security and privacy practices. This is because the developers and manufacturers that make Random Things Connected To The Internet are experienced, careful, and spare no expense when it comes to securing these wonderful, life-enhancing gadgets. Your privacy and safety are their first concerns.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  43. Virtualization EUC by grilled-cheese · · Score: 1

    Seems like the major virtualization vendors (VMware, Citrix, Microsoft) should have been all over this already with their end-user computing portfolios.

  44. USB designed for semi-permanent peripherals by edtice1559 · · Score: 1

    The design of USB was for connecting trusted peripherals semi-permanently to a machine. In that capacity, it works really well. The original design did not account for attaching things that don't trust each other. Whether it's a USB stick you pick up off the street and connect to your machine or one of those "USB charging" plugs in the airport, it's not a situation for which USB was envisioned which means we're going to be seeing security holes in this area for years even as the devices and OSes get better. The starting point is just so poor.

    1. Re:USB designed for semi-permanent peripherals by amorsen · · Score: 1

      On the upside, traditional USB is so simple that it can be made reasonably secure, if anyone cares to do so. Devices can't really initiate anything, they can just wait for the host computer to get around to listening to them or assert a flag that they need servicing, hoping that the host computer cares. It is also slow enough that you can play microkernel and sandbox the USB device drivers, preventing them from messing up too badly. Once that is done, you "just" have to audit your USB host controller driver and make sure that you do not use native file systems on USB devices (instead going through FUSE or similar, with sandboxing).

      This is a great situation compared to e.g. FireWire where you are owned by anything, even if you don't have a device driver for it.

      Alas, with USB 3 comes DMA, and that means you need the same defences as FireWire -- IOMMU and such. Good luck getting that right.

      --
      Finally! A year of moderation! Ready for 2019?
  45. Re: That doesn't sound like it could ever be abuse by JustAnotherOldGuy · · Score: 3, Funny

    Assuming the security bugaboos can be worked out,

    Okay, I admit- that made me laugh. I mean, how hard could it be to work out all the security bugaboos? I see no problem with this plan, none whatsoever, especially based on the phenomenally secure state of the interweb right now. Why, I can hardly wait to plug some of these goodies into my PC to see what happens!

    --
    Just cruising through this digital world at 33 1/3 rpm...
  46. Re:That doesn't sound like it could ever be abused by cdsparrow · · Score: 1

    Seems perfectly safe to me... https://www.youtube.com/watch?...

  47. Re:That doesn't sound like it could ever be abused by Anonymous Coward · · Score: 0

    Only if you use it to buy a SCUBA apparatus.

  48. Not far enough by qbast · · Score: 1

    How about going the whole hog and proving web API for PCI bus, interrupt handling and DMA? Think about it - drivers written in glorious JavaScript! It will be great.

    1. Re:Not far enough by Anonymous Coward · · Score: 0

      I think I'll jump ahead of the curve and implement a full OS in JavaScript. Just think of it. Each webpage can be its own OS dedicated to your personalized session.

  49. Re:Reasons why I don't like the Internet of Things by JustAnotherOldGuy · · Score: 1

    42) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I bake cake.

    THIS is the one that really rustles mah jimmies. Those thievin'' bastards from Sarah Lee would sell me down the river in a heartbeat to get their dirty, secret-stealin' hands on mah special Chocolate Praline Cheesecake recipe!!

    --
    Just cruising through this digital world at 33 1/3 rpm...
  50. April 1st was two weeks ago by neo-mkrey · · Score: 1

    Wait. What?!? This is for real?
    Shit!

  51. Cheap Hardware Appliance, No OS Required by CrashNBrn · · Score: 1

    Sounds Interesting - like being able to have a USB appliance without the need of running an OS on it; piggyback on the standards compliant Host OS which would have a browser for accessing and controlling the appliance.

  52. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  53. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  54. All my traceroutes showing stars!11 by Anonymous Coward · · Score: 0

    dude, imagine the amount of TFLOPS you would be able to.. borrow, by having a bunch of morons playing some stupid browser game with that API... *falls down on the floor, starts convulsing and foaming at the mouth*

    Oooh yeah, that's the good stuff.

  55. We can guess why Google developed this by Anonymous Coward · · Score: 0

    thanks a lot, google

  56. Re:That doesn't sound like it could ever be abused by slew · · Score: 1

    That doesn't sound like it could ever be abused...

    I'll install it right before I fire myself out a cannon without any safety equipment.

    A USB connected cannon?

    On the internet, just ask and you shall receive...

  57. Firefox by Anonymous Coward · · Score: 0

    Mozilla will put this in Firefox, with direct access for the social API to any USB device that identifies as a camera or microphone enabled by default.
    Options to switch things off will be hidden in about:config

    At the same time they will likely eliminate the URL bar completely because it just confuses users and they never use it anyway. Instead Mozilla will use the Social API to connect you to their own private instance of Tay who will assist you in your browsing.

  58. Re: Reasons why I don't like the Internet of Thing by Anonymous Coward · · Score: 1

    Almost all TVs are IoT now. It won't be long until the same is true about smoke detectors, light bulbs, toasters, washers, driers, surround sound systems, doorbells, door locks, garage door openers, toilets, and computers in general.

  59. I read the spec. USB device controls (cookies) by raymorris · · Score: 5, Informative

    I just read the spec. It might be more accurate to say this API allows USB devices to offer data of their choosing to whitelisted web scripts. The USB device decides what data it gives to whom; web sites can't do anything with random USB devices that don't explicitly offer web endpoints. At the end of the day, it actually doesn't effect security in a fundamental way at all - USB devices can ALREADY send arbitrary data to web pages, just in an ad-hoc way rather than a well-defined , standardized way.

    In a way, it's a lot like first- party cookies , with the data on the usb device rather than on the hard drive.

    The USB device defines:
    https://login.ebay.com/ may ask me for "username".

    No other web site can get anything from the USB device, and the whitelisted URL can only request the specified data item.

    Security considerations are of course important. At the same time, JavaScript can ALREADY read your most important USB devices - it can see your keyboard presses and mouse movements. If a USB device wants to send data to a web page, it can already declare itself to be a keyboard and start sending keypresses. (Credit card readers have done exactly this for decades, pretending to be keyboards .) This API defines a standardized way for the USB device to send data in a more secure way than by pretending to be a keyboard.

    Yes, one should consider security. With this, primary the security of the USB device- it's one other way for a malicious USB device to do bad things. But USB devices can ALREADY pretend to be a keyboard, use a hotkey sequence to fire up cmd.exe, and run any commands they want. Malicious USB devices are really bad with or without this new API, so the API doesn't increase risk by much.

    1. Re:I read the spec. USB device controls (cookies) by Anonymous Coward · · Score: 1

      JavaScript can't be used to implement a logger... unless you give it access to USB. If this "protocol" is really the way you describe it, then it have absolutely nothing to do with USB. If it's actually allowing JavaScript to access the USB protocol, then it will be a horrible nightmare.

      Nothing to see here. Yet.

    2. Re:I read the spec. USB device controls (cookies) by Anonymous Coward · · Score: 0

      ...At the same time, JavaScript can ALREADY read your most important USB devices - it can see your keyboard presses and mouse movements.

      I use PS/2, you insensitive clod.

    3. Re:I read the spec. USB device controls (cookies) by e432776 · · Score: 1

      The security risk of this spec needs to be weighed against benefit. From your description, the benefit seems lower than I first assumed (my mind jumped to websites being able to access USB devices directly). The security concerns might be mitigated, but the benefit is also. Looks like a wash to me, but I may lack imagination...

    4. Re:I read the spec. USB device controls (cookies) by Saint+Fnordius · · Score: 1

      It does seem as if the intended usage of this protocol is to bring back dongles: want to use the website? You need a "key" to plug in to your USB port. Hooking up a dongled speaker will grant you access to exclusive content, and so on. It seems the proposed protocol intends to make this easier than it now is, getting rid of the workarounds you mentioned.

      In a way, it is a return to physical security, locking the key into hardware. But it also runs counter to what Apple and Google are also pushing for, namely that their mobile devices replace all physical cards, fobs and so on. I think the intended use of this is less for banking and more for granting USB devices like speakers and collectibles a simple way to transmit access keys.

    5. Re:I read the spec. USB device controls (cookies) by Tom · · Score: 1

      it actually doesn't effect security in a fundamental way at all

      Famous last words.

      This API defines a standardized way for the USB device to send data in a more secure way than by pretending to be a keyboard.

      Pretending to be a keyboard has the advantage of having a very small exposed section. Most importantly, the part that interacts with the browser has gone through the whole OS stack and it is highly unlikely that the browser can do anything with it that is outside the "receive a key code" area.

      --
      Assorted stuff I do sometimes: Lemuria.org
  60. I can see it now by Anonymous Coward · · Score: 0

    That awkward moment when your browser asks if irs.gov can use your "Thrustmaster USB Device".

  61. Is this something new? by AndyKron · · Score: 1

    Is this something new? I've plugged things in using USB, and got software updates from webpages before.

  62. Re:That doesn't sound like it could ever be abused by grimr · · Score: 1

    Did someone say remote controlled chainsaw?

    https://www.youtube.com/watch?...

  63. Nobody read the spec by shellster_dude · · Score: 1

    I see that literally no one read the spec (yes, I realize this is Slashdot). To the creator's credit, they have thought about security from the point of malicious Javascript accessing USB. They spec makes that highly unlikely as the USB device has complete control over who can talk to it. The problem is that as far as I can tell, they have given a malicious USB device yet another way to talk to a command-and-control server and get code execution (albeit in a sandboxed browser, using Javascript). Of course I can already do that by emulating a keyboard, but why add to the list of ways a USB device can screw you?

  64. Re:That doesn't sound like it could ever be abused by lgw · · Score: 1

    "USB" by itself is ambiguous - there are USB devices, USB controllers, USB hubs, and, yes, the USB bus itself.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  65. how is this news? by Anonymous Coward · · Score: 0

    create an api to anything is really just a matter of doing it this days. hardly nerdy.

  66. privacy by Anonymous Coward · · Score: 0

    This is going to be nothing like that unfixed webrtc debacle where a website can slurp your local machine ips and tell your real ip address if you are using a vpn. Nah uh! This will be a real guyfawks cracker

  67. Re: That doesn't sound like it could ever be abuse by dullertap · · Score: 1

    Would you care to share a few of those (ab)use cases?

  68. user power by Anonymous Coward · · Score: 0

    It doesn't matter if this can be abused, it gives us more power, blame the programmer for not writing secure code, not the user for being attacked.

    What's with all the victim blaming /.

  69. XMLHttpRequest.send(logmsg) by raymorris · · Score: 2

    > JavaScript can't be used to implement a logger.

    It can already log anything to a remote server via:
    XMLHttpRequest.send(logmsg)

    It can already store logs locally:
    Document.Cookie('logline1', logmsg);

    Now, if and only if a USB device offers to store the log, JavaScript can provide for storage there.

  70. W3C to next approve WebSystemd by MrData · · Score: 2

    WebSystemd, you know its coming !!!!

  71. Re: That doesn't sound like it could ever be abuse by Anonymous Coward · · Score: 0

    Looks like others have already covered that ground with server side misuse, etc. There were some enlightened comments posted after mine that pretty much spells out why this is such a wacky idea.

  72. What Could Go Wrong? by Anonymous Coward · · Score: 2, Insightful

    How the bloody hell did these two morons (this idea really confirms this) get a job as Google developers? There is no such thing as perfect software. It is virtually guaranteed this will be exploited. This "idea" is why JavaScript isn't supposed to have access to anything outside the browser. And the internet is so much safer now then when JavaScript was developed. And also it isn't like i-frames haven't been abused in the past. Yep, perfectly safe.

  73. Re: That doesn't sound like it could ever be abuse by Anonymous Coward · · Score: 0

    I'm waiting for Flash support, you insensitive clod!

  74. Intended for cross-platform drivers (html/JS app) by raymorris · · Score: 1

    The proposed benefit is cross-platform drivers. Given a USB device that isn't one of the device types with generic drivers built into the OS, a JavaScript driver could be provided that will run on any OS - Windows, Linux, Mac, FreeBSD, Android - anything with a web browser.

    Consider as an example a USB-connected sensor board or relay board . The USB device declares that it will accept input only locally stored JavaScript, from file:// URLs. The software can then be an html file with an html GUI and JavaScript logic, reading sensors or sending commands with the endpoints defined by the USB device.

  75. Re: That doesn't sound like it could ever be abuse by Anonymous Coward · · Score: 0

    I thought USB didn't do DMA. Unless USB3 has changed that?

    Firewire did. Which kind of made FW ports a target for three-letter agencies' widgets. But it also provided much better performance...

  76. Re: That doesn't sound like it could ever be abuse by arglebargle_xiv · · Score: 1

    Assuming the security bugaboos can be worked out

    You can "work out the security bugaboos" by not allowing fscking remote access to your USB devices (this has to be one of the most braindamaged ideas since ActiveX). This means removing WebUSB, which is a bit of a catch-22.

  77. point of sale hardware by dominux · · Score: 1

    This enables you to write a till or cash register screen and get it to talk to an attached ESC/POS receipt printer and cash drawer and chip and pin terminal and have that run in a browser process with no locally installed proxy process to get access to it. It isn't for your mouse and webcam.

  78. Re:That doesn't sound like it could ever be abused by jellomizer · · Score: 1

    Yes it could be abused. However Google tried to put in safeguards in their specs that is a bit more useful then Microsoft did with activeX which is still the bane of Internet security.
    However the web is no longer a content delivery engine but a cross system application platform. Sure you may not like it, but it turned out it be that.
    But as an application platform it will need to grow and change with the times. If not then you will get less planned out 3rd party crap again on your browser like ActiveX, Java Applets, Flash, etc... For your standard browsing and such apps will have a limit on what OS they will run on or have different upgrade scheduled.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  79. What's the big deal ? by OneSmartFellow · · Score: 1

    A fairly trivial cgi can already do this with the user-space USB API.

  80. what ? by Tom · · Score: 1

    "What could possibly go wrong?" was rarely written in such big and bright letters.

    You're already (IMHO) grossly negligent if your browser doesn't run in a sandbox. But sure, give it USB access. That's only where your keyboard and mouse are also connected. And maybe your external harddrive. The one with the backups.

    And for what? Solution looking for a problem?

    --
    Assorted stuff I do sometimes: Lemuria.org
  81. Re:That doesn't sound like it could ever be abused by iCEBaLM · · Score: 1

    Except it isn't ambiguous when you're talking about the bus. "Universal Serial Bus bus" is just retarded, and I'm surprised you're trying to defend using it.

  82. Re: That doesn't sound like it could ever be abuse by Anonymous Coward · · Score: 0

    USB host controllers can usually do DMA, some with scatter/gather, directed by the host's driver. The devices behind them can't (and shouldn't).

  83. You need to buy Windows to virtualize Windows by tepples · · Score: 1

    99% of USB devices work with completely generic drivers.

    True only because keyboards, mice, and flash drives are produced in mass quantities. I was referring to more specialized devices that do not "use[] completely standard protocols", such as printers, webcams, and fitness trackers.

    Plus there's USB passthrough for virtualization anyway, so worst case you can jus fire up a Windows VM.

    Virtualizing Windows requires purchasing and installing a genuine copy of sufficiently recent Windows for a given machine.

    In addition, running a second OS alongside your primary one also requires purchasing data transfer allowance from your Internet service provider to keep that OS updated. Windows nowadays automatically downloads and installs a 3 GB update every few months. This 3 GB update is far larger and more frequent than that of (say) Ubuntu LTS, which this hurts people who are stuck on satellite or fixed cellular at home because they can't get FTTH, DOCSIS, or DSL service.

  84. Intentionally leaving a game console unpatched by tepples · · Score: 1

    But there's a big difference between video game consoles and PCs in this respect. The owner of a PC is more likely to allow these defects to be automatically patched as they are discovered and fixed because the user has a legitimate way to install homemade software. On a console, on the other hand, the user is more likely to leave them unpatched because they are the only way that a user can run homemade (that is, unapproved) software.

  85. Re:That doesn't sound like it could ever be abused by lgw · · Score: 1

    Your penerdantry is interfering with your daily life.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  86. Re:That doesn't sound like it could ever be abused by iCEBaLM · · Score: 1

    Pretty sure I don't have a "penerdantry", so, no, it isn't.