
> If a USB device identifies itself as a keyboard, the system shouldn't accept its keystrokes until that keyboard has typed the user's login password.

Wireless presenters often identify themselves as keyboards so that they can "press" the arrow keys to move forward or backward. How are you going to type your password using such a device?



Yes, there are corner cases (another commenter mentioned a temperature sensor, and I think this is also common among barcode scanners). These corner cases are not hard to work out; just prompt the user and require them to confirm that the device is, in fact, allowed to act like a keyboard.

(Which would mean you can still have malware-download-command-typers pretending to be barcode-scanners pretending to be keyboards, but you can't have malware-download-command-typers pretending to be storage devices pretending to be keyboards, because the "Allow typing with this keyboard?" dialog will give it away.)


I would guess that 99% of users would click ok for "Allow typing with this keyboard?" when they plug in a USB storage device.


I'd hope the Secret Service is in the 1%.


You would only need the password-auth to bootstrap your primary keyboard. If you already have a keyboard you can just accept the prompt.
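Added example, not written by any commenter in this thread: a Python sketch of the policy the comments above describe, where the first keyboard must type the login password and any later device claiming to be a keyboard triggers a confirmation prompt. The function names, return strings, extra prompt wording about storage, and sample devices are hypothetical; the class codes are the standard USB-IF values, and only boot-protocol keyboards are recognised as a simplification.

```python
from dataclasses import dataclass

HID, MASS_STORAGE = 0x03, 0x08               # USB-IF interface class codes
BOOT_SUBCLASS, KEYBOARD_PROTO = 0x01, 0x01   # HID boot-interface keyboard

@dataclass(frozen=True)
class Interface:
    cls: int
    subclass: int = 0
    protocol: int = 0

def claims_keyboard(interfaces):
    # Simplification: only boot-protocol keyboards are recognised here; other
    # HID keyboards are identifiable only from their report descriptor.
    return any((i.cls, i.subclass, i.protocol) == (HID, BOOT_SUBCLASS, KEYBOARD_PROTO)
               for i in interfaces)

def keystroke_policy(interfaces, trusted_keyboard_present,
                     typed_login_password=False, user_confirmed=False):
    """Return what to do with keystrokes from a newly attached device."""
    if not claims_keyboard(interfaces):
        return "not-a-keyboard"
    if not trusted_keyboard_present:
        # Bootstrap case: no approved keyboard exists to answer a prompt,
        # so the device must type the login password itself.
        return "accept" if typed_login_password else "hold-until-password"
    return "accept" if user_confirmed else "prompt"

def prompt_text(interfaces):
    text = "Allow typing with this keyboard?"
    if any(i.cls == MASS_STORAGE for i in interfaces):
        # Assumption: the dialog also names the other role the device claims.
        text += " (This device also presents itself as a storage device.)"
    return text

# Constructed sample devices (not captured from real hardware)
PRESENTER = [Interface(HID, BOOT_SUBCLASS, KEYBOARD_PROTO)]
FLASH_DRIVE = [Interface(MASS_STORAGE, 0x06, 0x50)]
DISGUISED_DRIVE = FLASH_DRIVE + PRESENTER

if __name__ == "__main__":
    for name, dev in [("presenter", PRESENTER), ("flash drive", FLASH_DRIVE),
                      ("disguised drive", DISGUISED_DRIVE)]:
        print(name, "->", keystroke_policy(dev, trusted_keyboard_present=True))
    print(prompt_text(DISGUISED_DRIVE))
```
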



