Psst, kid, want an ARM desktop?
OK, but why do I care, exactly?
Artificial limitations, planned obsolescence, shitty business practices etc.
every 24 hours you have to reauthenticate with your PIN on Android.
Mine does it less than that, maybe once a week or so. Reboot always needs it due to encryption.
I'd rather have Qi charging than the fingerprint reader... as convenient as the fingerprint reader may be.
Why not both? Many Android handsets do :)
Android seems to periodically ask for the unlock PIN/pattern when using fingerprint unlock, probably to make sure you don't forget it :)
I don't know about the phone you're using, but if I need to I can power down without unlocking at which point only the pin will unlock it again. Yes if an officer was quick and grabbed the phone before I was able to do so and physically forced my finger on the sensor then they could unlock the phone, but if they are so desperate to unlock my phone it's unlikely a PIN would stop them either.
That's why I qualified it with safe enough - for me it's the right balance between convenience and difficulty to break.
The fingerprint reader on my $250 dollar Android phone keeps it safe enough and makes it quick to unlock.
I've been using laptops with numeric keypads for years and honestly not had any trouble with it, when using it my hands are just centered on the keyboard / trackpad.
I mean, it is more than theoretical now though as there is readily available hardware and several working proof of concepts. Certainly one to keep an eye on.
Well that's a really silly thing to say isn't it? That there hasn't been any known attacks but now cheap powerful usb dev boards are available and people are releasing proof of concept code, there still won't be any attacks? Dear me, next you'll be saying KRACK attack is nothing because it's been sitting in plain sight in the wpa2 spec for 10 years!
You're still completely missing the point of this -
A malicious USB device can bypass restrictions on autorun by using keyboard shortcuts to execute commands (eg. via win-r) that a storage-only attack can't.
A malicious USB device can execute an attack too quick to stop, and possibly before the user has even looked up at the screen again.
Computers can't realistically have their usb keyboard and mouse drivers disabled.
It's not making a mountain out of a mole hill, it's noting an interesting attack vector that the ubiquity and multi-function nature of USB makes possible.
USB adds nothing that an otherwise equivalently capable device could not do with another appropriate port.
No other port has nearly the range of possible attacks or the ubiquity of use as USB.
The places I've been it's rare to send data on a flash drive as it does not prevent modification in transit. We use optical discs, CD-R, DVD-R, or BD-R, depending on the size. If the stack of polycarbon discs starts to look a bit thick then it's sent on a SAS drive in a pelican case. Each end will have the appropriate drive array for the caddy the drive is in. Many files are simply sent over the network through a number of data storage services, if the file cannot simply be e-mailed.
In niche / high security organizations sure, but most companies would be fine to receive files that way.
That's frowned upon. Depending on the time and place this is a breach of protocol, merely inconsiderate, and may involve a verbal reprimand. Such drives are to be handed to the person, placed in their mail box, or left with a neighboring coworker.
We're talking about hacking here, not colleagues playing pranks on each other. A disgruntled employee or even guest of the building could slip a small USB stick into a computer much more discreetly than even hooking a (much more limited capability) PS2 keylogger onto a system and easily go unnoticed.
There's enough distrust that I'm not sure this would go over well. They'd be examined or must come from a trusted party
Yeah you can tell employees not to bring USB drives in from outside all you like, but unless you work in a niche high security organization where everyone is savvy enough or the building is locked down enough, you know it's going to happen.
I mean, I worked for a web company and when we had an agency security audit us there were still a few members of staff who fell for the obvious phishing email they sent and entered their domain credentials.
People typically aren't in the mood to plug them into work computers. There's enough lost drives that they are just given to IT to deal with.
As above, there's still a good chance someone will get caught out by it.
You are correct, I don't need a special device. I'd want it there so that I'm not leaving so many tracks as group policies or spending so much time at each computer. If I wanted a special device then having something much larger and capable would make installing quicker. Also to point out the lack of a need to be discreet. If I call something a drive then in the minds of everyone that I talk with this thing is a drive.
You're still only covering having overt physical access to machines. The above examples cover more possible scenarios.
It may in fact be a fully functioning computer capable of running scripts against the PCs, among other things.
You can buy a programmable USB dev board in stick form factor with a 180MHz ARM CPU and multi-gigabyte microSD storage for $30, it is 2017 after all :)
You're ignoring all the additional scenarios this opens up that wouldn't be possible otherwise -
Any company that deals with large digital documents where it's normal to receive files on usb sticks / drives.
Plugging a miniature USB stick into an unattended computer quickly and walking off.
Giving branded USB sticks away.
Leaving USB sticks lying around.
Your examples mostly revolve around already having social engineered a position of trust (if you're already doing maintenance on a user's machine what do you need a special device for?). Devices disguised as regular USB sticks/devices lowers the amount of social engineering required considerably. A user might notice a screen flicker up, but it's unlikely they'll see enough to know what was happening before it disappeared, at which point an exploit could already be installed on the machine.
The other claim was that this was not common knowledge, but I'm pretty sure it's common knowledge that USB keyboards exist and drivers for them are standard install on most any operating system.
That's not the claim being made.
If someone wants to claim that it's not common knowledge that keyboard emulators can fit in a device that can be disguised as a flash drive then that might be something that could stand up.
That is the claim, and I would say it's a very safe claim to make.
But then someone would have to be engineered to plug in a flash drive and for some reason allow the device to "drive" the computer until the payload was delivered. If the person doing this was aware that the device would do this, such as being a party to the crack attempt, then this is still not something unique to USB. Such a person could easily be engineered to plug a device into a PS/2 port.
I disagree; Giving someone files on a USB stick is such a common and natural thing to do that the vast majority of people wouldn't think twice about it. Just leaving one lying around might be enough, and it may be possible to install a hack on a user's own USB stick if you can get brief access to it.
Giving someone a dongle to plug into a port that they may have never used on their computer (and increasingly isn't even present) would already be more suspicious, and only give you keyboard access with nothing else.
If the crack needed access to files then include a CD-ROM as part of the attack, or floppy disk because now we're going back in time to old school cracks that predate USB. Again such things can be addressed with things like controlling access to storage devices at the driver level.
With a USB device you can emulate a keyboard, mouse, multiple storage devices and a network device all on a single stick. It's both a lot more powerful and a lot more discreet.
I don't see this as something that cannot be fixed at the driver level. Keeping out network and storage devices is trivial at the driver level, just disable the drivers.
The only one most people don't routinely use is USB networking device, disabling USB storage for most people isn't going to be practical, and disabling USB Keyboard and Mouse drivers is pretty much out of the question these days.
but then the person with the device must almost certainly be in on the attack,
Again I disagree, USB sticks are too commonly used.
especially if there is a need at any time to enter a password such as changing important settings or installing software.
Passwords should stop it, but there are many things an attacker could do with just user level access with a command prompt, and if they have access to any unpatched privilege escalation bugs then that sidesteps the password issue.
Yes these USB "vulnerabilities" don't offer anything you technically couldn't do by sitting down in front of the machine with your own keyboard, mouse, network and storage devices, but the unique thing is they can do it much quicker, much more discreetly, and it's much easier to trick someone else into running the exploit for you.
I think you're falling into the same trap as some other posters with "physical access = already pwned".
USB is somewhat more dangerous because they are also ubiquitous inconspicuous storage devices and computers often have multiple easy to access USB ports.
PS/2 ports are used exclusively for keyboard and mice and the ports are generally at the back of the computer, so you're not going to be able to trick someone into inserting a device like you could with something that looks like a USB stick and to do it yourself requires you to access the back of the computer rather than just quickly sticking something in the front. Also PS/2 ports are single function while a USB stick can emulate a keyboard and mouse at the same time which allows for certain attacks that aren't possible with keyboard alone (see the OSX example previously).
With networking again you've got to get to the back of the computer, unplug the existing network connection, put a bridging device between them, plug it back in. All much more conspicuous than just slipping a USB-stick looking device into the machine somewhere. Plus I couldn't find any instructions for disabling USB networking on Windows or OSX, and even with Linux I'm not sure how you do it without disabling all USB devices.
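Added example, not part of the original thread: the exchange above turns on one stick announcing keyboard, storage and network functions at once, and on whether a host can refuse some of them without disabling USB altogether. The sketch below reads the interface class triple that Linux exposes in each USB interface's `modalias` string and applies a policy to the combination; the policy, the function names and the sample strings (including the vendor/product IDs) are constructed for illustration.

```python
import re

# bInterfaceClass codes assigned by the USB-IF.
HID, MASS_STORAGE, CDC, CDC_DATA = 0x03, 0x08, 0x02, 0x0A
WIRELESS, MISC = 0xE0, 0xEF
CDC_NET_SUBCLASSES = {0x06, 0x0C, 0x0D}  # ECM, EEM, NCM Ethernet models
# Class/subclass/protocol triples used by RNDIS network gadgets.
RNDIS_TRIPLES = {(CDC, 0x02, 0xFF), (WIRELESS, 0x01, 0x03), (MISC, 0x04, 0x01)}

# Linux modalias: usb:vVVVVpPPPPdDDDDdcXXdscXXdpXXicXXiscXXipXXinXX
MODALIAS_RE = re.compile(r"ic([0-9A-F]{2})isc([0-9A-F]{2})ip([0-9A-F]{2})")


def parse_modalias(modalias):
    """Return (class, subclass, protocol) of one USB interface."""
    match = MODALIAS_RE.search(modalias)
    if match is None:
        raise ValueError("no interface class triple in %r" % modalias)
    return tuple(int(field, 16) for field in match.groups())


def role(triple):
    """Map an interface triple to the function it offers the host."""
    cls, subclass, protocol = triple
    if cls == HID:
        # Protocol 1/2 are the boot keyboard/mouse; anything else could
        # still type, since only the report descriptor says for sure.
        return {1: "keyboard", 2: "mouse"}.get(protocol, "hid-other")
    if cls == MASS_STORAGE:
        return "storage"
    if triple in RNDIS_TRIPLES or (cls == CDC and subclass in CDC_NET_SUBCLASSES):
        return "network"
    if cls == CDC_DATA:
        return "cdc-data"  # data pipe that accompanies a CDC control interface
    return "other"


def evaluate(interface_modaliases):
    """Hypothetical policy: judge the device by the roles it combines."""
    roles = {role(parse_modalias(m)) for m in interface_modaliases}
    can_input = bool(roles & {"keyboard", "mouse", "hid-other"})
    if "network" in roles:
        verdict = "block"    # host would silently gain a network interface
    elif "storage" in roles and can_input:
        verdict = "review"   # a "flash drive" that can also type or click
    elif "other" in roles:
        verdict = "review"   # class this policy does not recognise
    else:
        verdict = "allow"
    return verdict, sorted(roles)


# Constructed sample devices; IDs 1234:000x are placeholders.
SAMPLES = {
    "flash drive": ["usb:v1234p0001d0100dc00dsc00dp00ic08isc06ip50in00"],
    "wireless receiver": [
        "usb:v1234p0002d0100dc00dsc00dp00ic03isc01ip01in00",
        "usb:v1234p0002d0100dc00dsc00dp00ic03isc01ip02in01",
    ],
    "typing stick": [
        "usb:v1234p0003d0100dc00dsc00dp00ic08isc06ip50in00",
        "usb:v1234p0003d0100dc00dsc00dp00ic03isc01ip01in01",
    ],
    "network stick": [
        "usb:v1234p0004d0100dcEFdsc02dp01ic02isc02ipFFin00",
        "usb:v1234p0004d0100dcEFdsc02dp01ic0Aisc00ip00in01",
        "usb:v1234p0004d0100dcEFdsc02dp01ic08isc06ip50in02",
        "usb:v1234p0004d0100dcEFdsc02dp01ic03isc01ip01in03",
    ],
}

if __name__ == "__main__":
    for name, interfaces in SAMPLES.items():
        verdict, roles = evaluate(interfaces)
        print("%-18s %-7s %s" % (name, verdict, ", ".join(roles)))
```

On Linux the same strings can be read from each interface's `modalias` file under `/sys/bus/usb/devices/`, and kernels with USB interface authorization let a single interface be left unbound through its `authorized` attribute while the rest of the device keeps working.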
What USB hardware vulnerabilities do you know about?
One exploit I remember from a few years back is a custom USB device emulating a keyboard and mouse can issue commands via keyboard shortcuts and mouse clicks.
Another one is emulating a network adapter to intercept and alter network traffic.
Embedded USB developer boards already exist and are just as cheap/easy to use as Arduinos.
Meanwhile at Linus tech tips...
It's not even the first digital camera with dual lenses
How little you know.... http://www.heritage.org/index/...
You obviously haven't looked at that site beyond the colors you see when you land on the home page have you? If you drill down the specific figures you'll see that there are actually large differences between the US and Scandinavian countries; Scandinavian countries have higher tax, higher government spending, better fiscal health and lower "labor freedom".
That matches exactly what I've been saying, the fact the site averages all those out to the same arbitrary "overall score" is irrelevant.
You've obviously never tried to run a business before if you think the US is AT ALL laissez-faire.
Not in the US no, but given what large companies over there are able to get away with compared to most other western countries there's clearly a lack of oversight.
1. Cost of housing [inflationdata.com].
This doesn't tell you much. The cost of housing has always varied depending on what incomes look like in any given region. What matters, depending on how you look at it, is either the housing opportunity index or the housing affordability index.
So in terms of *buying*, using a certain methodology shows house affordability has been stable since the 90s (well after the policies I'm criticizing had been enacted). On the other hand rent has increased dramatically, especially for those in the lower 3rd of incomes. And no, wages haven't grown to fill that gap.
/facepalm That's not health care costs, that's health care spending.
Lol, there's no magic money tree, that money is coming from somewhere.
And if you bother to pay attention, you'll notice that it's increasing globally, practically in lock-step.
1980: Sweden: $942 / Switzerland: $1013 / USA: $1091
2008: Sweden: $3470 / Switzerland: $4627 / USA: $7538
That is not in "lock-step" by a long shot, US spending has increased considerably more than the 2 next nearest countries.
I found the Bernie fan!
Found the trickle down believer!
In reality, when you increase your income, you've increased somebody else's wealth. How? Well, people pay you for something they want or need, and when you create what they want or provide a service that they want or need, you are creating wealth from thin air (or from raw materials,) and then giving the wealth to them in exchange for money. When the rich become richer, they increase the wealth of those who gave them more money.
LOL, people like you have been saying that since the 80s yet the income of 90% of Americans has not risen in real terms since the 70s (and if you're interested in wealth the bottom 50% of families have not seen their wealth rise 1989-2007).
Trickle-down economics has provably failed to make the majority of people better off. The only people who actually put money back into the economy via spending is the middle class, when the rich get a larger share of the bigger pie they just keep it to themselves.
Now, for the hard numbers: The fact is, capitalist economies encourage the creation of wealth
The Nordic model is pro free-market capitalism, so what's your point?
Furthermore, the data more or less debunks the notion that income inequality is getting worse
Interesting that you're only linking to videos talking about statistically improv
But we already got a Twilight Zone reboot...
First off, we don't have laissez-faire capitalism
But you can't deny it's a lot more laissez-faire than the Nordic model.
Second off, these problems have little to do with economics, in fact we've already tried throwing lots of money at these kinds of people, and it didn't work.
What's that? Just throwing money at a problem without actually changing the underlying socioeconomic model that caused the issue in the first place doesn't fix the problem? Who could have predicted??
It's interesting that you say this, because things have only been improving. Pick any metric you want:
I can pick 5 things straight off the bat that haven't been improving:
1. Cost of housing.
2. Healthcare costs.
3. Income inequality. The majority of wages have stagnated while only those at the top have seen their wages increase. Stagnant wages combined with increasing the living costs above is leaving far more lower and middle income families in a precarious position.
4. Incarceration rate.
5. Maternal mortality rate.
So if we follow your assertion, then a more unrestricted economic model is improving life for Americans. The reality is much more nuanced than that, but you're the idiot who made this statement.
Your assertion that things have been improving across the board is demonstrably wrong and there is clearly plenty of room for improvement.
How much does that status symbol car decrease in value as soon as you drive it out of the lot? How much extra in fuel do you pay compared to a more economical car? How much does it cost to maintain every year? How long does it last before it's no longer economical to maintain? How much waste and environmental damage does it cause? How many years of 2-yearly smartphone upgrades does that equate to?
Sorry, but I'm not giving my biometric information to Apple, an app developer, or pretty much anybody else unless it's fucking required by law
Ever sent a photo of yourself to anyone via any app or online service?
Price.
I mean, I'd hope the Razer came with a free USB-C to 3.5mm adapter like other jackless phones do, so they should still work it's just a bit of extra inconvenience.