The topic of the interview was what our Black Hat presentation was going to be. We explained that we are going to demonstrate how a buffer overflow in a USB device driver can cause code to execute even though the workstation is locked. We would also demonstrate how you can spoof any USB device by sending the right identification numbers; this allows a USB drive to present itself as a CD-ROM or mouse, for instance. We are also going to talk about the hardware-based device that was created to fuzz the USB protocol. We explained that during this research we identified several good areas of attack and are currently researching some overflows in a Win32 default driver. We were working on determining if the flaws we have found are exploitable, in which case we will be working with Microsoft to solve those issues. I also clearly explained that these issues are void because we will not be demonstrating these issues during our talk. David Dewey's quote on the flaw being with USB is based on the issue of being able to imitate any USB device by sending that USB code. That quote had no relevance to the buffer overflow problem. Our goal at this presentation is to present the concept and demonstrate the reality of how easy it is and to just have fun with it. It's a shame that our main points did not seem to come across in the article. Just to note: our company in no way sells or promotes any USB security product or token. This presentation was done strictly because it was fun :)