A Neat Linux Kernel Feature You Will Never Use

Views: 27,987

Brodie Robertson


It's easy to forget that the main use for Linux is in the business world; as such, a bunch of changes get made that don't really matter for the desktop user, but in some cases they may actually be useful.
==========Resources==========
Mailing List: patchew.org/li...
USB Authorization: www.phoronix.c...

Comments: 235
@Beryesa. 6 months ago
Press space to authorise keyboard:
@FunctionGermany 6 months ago
@thingsiplay 6 months ago
With a Virtual Keyboard on a Touch Screen.
@GSBarlev 6 months ago
PS/2 users: "My my my, how the turns have tabled." (just make sure your mobo has a *real* PS/2 port and not a hidden USB adapter)
@angelcaru 6 months ago
@andynn6691 6 months ago
Is that the user space referred to? :-D
@min3craftpolska514 6 months ago
Press space to authorize device "USB Killer"
@patchon25 6 months ago
This also applies to charging "cables" with built-in keyboard and bluetooth, you wouldn't want your phone to just start accepting random keypresses from that.
@Sqwert-g6h 6 months ago
Mr. Robot was the most accurate hacker show I've ever seen. Still some Hollywood hocus pocus in there, but is still by far the best one.
@orbatos 6 months ago
Sure, but none of the characters were likable. Fun is more important than accuracy in storytelling.
@BrodieRobertson 6 months ago
Even Mr Robot started cutting corners after the first season
@LaLLi80 6 months ago
@@BrodieRobertson I'm pretty sure the screen writers got tired of the nerds pointing out errors in the script facts and grammar.
@themroc8231 6 months ago
Michael Mann's movie Blackhat was pretty accurate, but that movie went quite unnoticed at the time of its release.
@Sqwert-g6h 6 months ago
@@BrodieRobertson Yeah. The first season was good bait to get people hooked. Lol
@sativagirl1885 6 months ago
Free Beers for all who would hire Brodie Robertson as acting *Chief with Big Thunderstick.*
@Megalomaniakaal 6 months ago
Best I can do is double barrel boomstick, take it or leave it.
@mateusrodcosta 6 months ago
I actually use that feature on GNOME on my laptop. You need to install the dbus version of usbguard and enable the dbus service. To enable and disable the feature there's an option inside the Privacy -> Lockscreen menu in Gnome Settings. One thing to note is that by default it will always block stuff while on the lock screen, this might include even before the initial login, so you might need to do the steps to create the allowlist beforehand. So note that if you lose the keyboard/mouse and don't have one of the same model (due to the allow list using ids) and no built-in keyboard and mouse/touchpad or other ways of logging in, then you might get locked out.
@yaroslavpanych2067 6 months ago
Boot into runlevel 1 and unlock yourself?
@rogo7330 6 months ago
Can you by default allow no more than one keyboard always authorized on the lock screen? That way an attacker must proxy your keyboard through their badusb to stay undetected, but that is just like modifying your keyboard and nothing can be done here except from checking keyboard before interacting with it. At least no new keyboards would suddenly appear in your system and you will see them or find out that your main keyboard stopped working.
@mateusrodcosta 6 months ago
@@rogo7330 Basically there's a config file for usbguard that says: "I want to always allow these". GNOME uses usbguard in "lockscreen" mode, this means that by default when screen is locked usbguard will be enabled (and only the allowed devices will be useable) but when the screen is unlocked it will disable usbguard and only re-enable on next screen lock. You basically generate the policy for the connected devices with `usbguard generate-policy > /etc/usbguard/rules.conf` as mentioned on the Arch wiki. I don't know much more except that the system will ignore the devices and a notification will appear when you unlock saying that a new USB device tried to connect but wasn't allowed and you should reconnect. There's also a different message for when the device is allowed in the policy but was reconnected when the system was locked (so at the very least you can know if someone tried to impersonate it if they didn't dismiss the notification)
@hanelyp1 6 months ago
I recently had a case of wireless mice, any wireless mouse, no longer worked. The wireless keyboard I'd been using began failing randomly. Once I tracked down a wired mouse and keyboard my linux desktop was again usable. Locked down USB would have made that resolution much harder.
@jamesphillips2285 6 months ago
Some of my machines are old enough to still have PS/2 ports. They got replaced by USB because you are not supposed to hot-plug PS/2 ports.
@isofruitfruit9357 6 months ago
Honestly it would make sense to not allow **new** devices to be authorized on the lock screen. Devices you previously trusted and that are on a whitelist should get a pass. Like an external keyboard you plug into your laptop and that was authorized before.
@absalomdraconis 6 months ago
USB lacks end-to-end encryption, so it could be spoofed, especially if a hub between the computer and another authorized device gets hacked.
@alexstone691 6 months ago
With my timezone i really thought this was an april fools joke
@soulstenance 6 months ago
He already did one about Wayland. Australia runs almost a day ahead of most of us so it came early. 😁
@iFlxy 6 months ago
Watch out for my PS/2 BadUsb
@GSBarlev 6 months ago
In all seriousness, this isn't designed to prevent you from plugging in a HID - it's to prevent you from plugging in an HID that has a _hidden_ storage drive, spycam, etc., which is not something that will be able to run over PS/2.
@qlx-i 6 months ago
@@manitoba-op4jx wooosh
@EwanMarshall 6 months ago
just BadUSB is enough, you just emulate the real HID device.
@EwanMarshall 6 months ago
@@manitoba-op4jx it might be, that doesn't mean I can't pop a terminal, type and execute something and shut the terminal automatically.
@ザウアークラウトマン 6 months ago
I use PS/2 btw, for my keyboard.
@blenderpanzi 6 months ago
But I guess mice and keyboards need to be automatically authorized? Or how would you authorize a new keyboard when your old breaks? But then a fake keyboard can be used to brute force things or to open a terminal at a random time and paste commands.
@hanelyp1 6 months ago
Suggested in another comment, require the password to enable a new device. Which can be rate limited to prevent brute force.
@Waitwhat469 6 months ago
Any way to have white list or block list for USB devices? I'd kind of love to be able to just block huge swaths of devices down to just a few manufacturers I trust.
@Dosenwerfer 6 months ago
What if my keyboard breaks while the device is locked and the rejection policy is in place? Do I own a bricked system now?
@hanelyp1 6 months ago
Needs to be bypassed at the boot level. Which depending on configuration may be restricted.
@Lampe2020 6 months ago
It would be necessary for me though to make it only instantly reject new USB devices on the lock screen when I'm actually on the TTY the lock screen is in, so when I go onto another TTY, start doing stuff there and the timeout of no interaction with the desktop locks it on its TTY and I then try to plug something in while on another TTY it would be inconvenient to need to unlock the desktop on TTY2 if I don't intend to use it right now.
@rogo7330 6 months ago
You can have a server that authorizes usb devices based on a TTY of the process that requested a device to be authorized, and when that "TTY session" "dies" you reset authorization for those devices.
@andersjjensen 6 months ago
I haven't used secondary TTYs since tabbed pull-down terminal emulators became a thing.
@marsovac 6 months ago
If I wanted to mess with your computer, I would never think of a USB stick as first idea, but a URL.
@ineverknowdoyou 6 months ago
Really? the browser is pretty sandboxed. i would think of putting malware on places like the AUR.
@_a_x_s_ 6 months ago
Actually, this is where BadUSB is used for cracking to emulate keyboard (keystroke attack Rubber Ducky), Ethernet port, Network Card, etc. For a computer portal with a USB port, it would be the case where such USB guarding software is used.
@LaLLi80 6 months ago
USB is the easiest way past the corporate firewall.
@discocat2500 6 months ago
That's pretty neat!
@linuxguy1199 6 months ago
Am already using this on some of my RPis.
@mustangrt8866 6 months ago
does it allow changing it at any time? like disabling usb when on standby and enable at poweron?
@laughingvampire7555 6 months ago
This can easily become an extremely annoying experience driving users to avoid it at all costs. Not everyone is a paranoid snowden-wannabe, or an actual snowden with a security threat model that requires this.
@GSBarlev 6 months ago
It's going to be a config setting, and if it annoys you, you can disable it, the same way you probably disable TPM. But having it as an option will mean that it's a viable option for enterprise and government.
@AndersHass 6 months ago
If internal USB also means the USB header on the motherboard for a cable to USB port on a case, then it could also be used for desktop, though people can just plug into the case ports instead of the ones on the motherboard.
@szaszm_ 6 months ago
I think it actually means integrated USB devices on the motherboard that connect to the root hub, but are not using any USB port, since they are hardwired. Not sure how an OS can differentiate between them, maybe it depends on preexisting udev rules.
@fanshaw 6 months ago
As a desktop (rather than laptop) linux user, I'm not sure what an "internal" device is or how it's distinguished by the kernel. What happens if your keyboard cable breaks? Can you plug in a new one?
@eDoc2020 5 months ago
On a desktop the most likely internal USB device would be a Bluetooth adapter if so equipped. On a laptop the webcam is almost always USB. Fingerprint readers and smart card readers (common on business laptops) are usually also USB based. The kernel knows which devices are internal because the system firmware (supposedly) says so.
@insu_na 6 months ago
It's a cool feature that can have annoying consequences: before I switched to KDE and was still on Gnome, while my screen was locked for some reason my keyboard got reset. Now whether that reset was triggered by the keyboard itself or by the computer I don't know, either way it meant that I could no longer log into Gnome until I did a reboot...
@szaszm_ 6 months ago
They should definitely add a GUI that lets you trust your keyboard and mouse, so on reconnection, they are always trusted, but any untrusted device needs explicit authorization while unlocked.
@mx338 6 months ago
I hope this will be used in another step towards Linux desktop security reaching the same level of macOS, where you do have to authorise every USB device you plug in.
@GSBarlev 6 months ago
On the one hand, yeah - this is one step towards a future where corporate and government laptops run Linux. On the other, I'll be *very happy* to disable this feature on my 50kg battlestation that lives in my basement and has zero information on it more sensitive than my wedding photos.
@rogo7330 6 months ago
It by default authorizes everything and you can change that through udev or some script that writes to default_authorized in sysfs.
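Added example (not part of the video or of any comment in this thread): a read-only Python audit of the sysfs USB authorization attributes discussed here, using the kernel's per-root-hub `authorized_default` file and the per-device `authorized` file. The sample tree, vendor/product IDs and product names are constructed so the script runs offline.

```python
"""Read-only audit of USB authorization state from a sysfs-style tree."""
import tempfile
from pathlib import Path

# Meaning of a root hub's authorized_default attribute.
DEFAULT_MODES = {
    "0": "new devices are NOT authorized until something authorizes them",
    "1": "every new device is authorized automatically",
    "2": "only devices on internal ports are authorized automatically",
}


def read_attr(path):
    """Return a sysfs attribute's stripped text, or None if it is absent."""
    try:
        return path.read_text().strip()
    except OSError:
        return None


def audit(devices_dir="/sys/bus/usb/devices"):
    """Return (hubs, devices) describing the authorization state.

    hubs maps root-hub name -> raw authorized_default value;
    devices lists every non-root-hub USB device with its authorized flag.
    """
    hubs, devices = {}, []
    for entry in sorted(Path(devices_dir).iterdir()):
        name = entry.name
        if ":" in name:             # interface nodes such as 1-1:1.0
            continue
        if name.startswith("usb"):  # root hubs: usb1, usb2, ...
            hubs[name] = read_attr(entry / "authorized_default")
            continue
        vendor = read_attr(entry / "idVendor")
        product_id = read_attr(entry / "idProduct")
        devices.append({
            "port": name,
            "id": f"{vendor}:{product_id}",
            "product": read_attr(entry / "product") or "(no product string)",
            "authorized": read_attr(entry / "authorized") == "1",
        })
    return hubs, devices


def findings(hubs, devices):
    """Turn the raw state into review lines for an administrator."""
    lines = []
    for hub, mode in hubs.items():
        meaning = DEFAULT_MODES.get(mode, f"unrecognised value {mode!r}")
        flag = "WARN" if mode == "1" else "INFO"
        lines.append(f"{flag} {hub}: authorized_default={mode} ({meaning})")
    for dev in devices:
        if not dev["authorized"]:
            lines.append(f"BLOCKED {dev['port']} {dev['id']} {dev['product']}")
    return lines


def build_sample_tree(root):
    """Create a constructed tree; every ID and name below is made up."""
    layout = {
        "usb1": {"authorized_default": "1"},
        "usb2": {"authorized_default": "0"},
        "1-1": {"authorized": "1", "idVendor": "1234",
                "idProduct": "0001", "product": "Example Keyboard"},
        "2-1": {"authorized": "0", "idVendor": "abcd",
                "idProduct": "0002", "product": "Example Storage"},
        "2-1:1.0": {"authorized": "0"},  # interface node, skipped by audit()
    }
    for name, attrs in layout.items():
        node = Path(root) / name
        node.mkdir(parents=True)
        for attr, value in attrs.items():
            (node / attr).write_text(value + "\n")
    return Path(root)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for line in findings(*audit(build_sample_tree(tmp))):
            print(line)
```

Run as-is it audits the constructed tree; calling `audit()` with no argument on a Linux host reads the live `/sys/bus/usb/devices` without changing anything.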
@TheExileFox 5 months ago
setting the value to "2" is still not going to work. How do you wanna hook up a keyboard over an internal port? this is kinda dumb. Also auto-reject when the device is locked also doesn't work for keyboards.
@Bruno_Haible 5 months ago
Mode 2 is a requirement for laptops that are handed to prison inmates in Germany (so that they can read their 2000 pages long indictment). Law enforcement does not want them to do anything else with these laptops than reading their indictment.
@TheHippo-or5wi 6 months ago
It's sad I have to use windows in work, because this feature is really awesome.
@brunekxxx91 3 months ago
DISCLAIMER: If in your city in Poland it isn't like this, please let me know. Linux is everywhere, well... Apparently not... My city has a stupid relationship with Windows Server 2008 😂 Everywhere I look (because machines break all the time lol) there is always windows server 2008... WHY????
@Capiosus 6 months ago
check the date
@GSBarlev 6 months ago
Now set your timezone to Melbourne (Sydney? Idk where Brodie lives).
@guss77 6 months ago
This is actually how Thunderbolt works - you have to trust devices that you connect before they can work, and that is the purpose of the boltctl utility. I would actually love to have that feature for USB on my desktop as well, and I wasn't aware that it existed - so thanks for pointing it out.
@itsthesola10 6 months ago
GNOME automatically sets up usbguard to auto-deny USB devices while your session is locked
@guss77 6 months ago
@@itsthesola10 which version and which OS?
@orbatos 6 months ago
@@guss77 for some years now, so likely any current version you install. As for the OS... You mean distro as we're talking about Linux here and again, all of them unless it's disabled for some reason.
@Megalomaniakaal 6 months ago
@@orbatos Some older LTS releases might not, but most new enough should yes.
@orbatos 6 months ago
@@Megalomaniakaal I think support may have started some time around Ubuntu 20? So yeah most people should have it.
@Lars-ce4rd 6 months ago
Brodie: A Neat Linux Kernel Feature You Will Never Use Me: Challenge accepted.
@blinking_dodo 6 months ago
Principle of least privilege for USB, it's a good first defender against bad actors that have USB sticks...
@iFlxy 6 months ago
Kernel 6.9 is the best thing after kernel 6.6.6
@meskes4059 6 months ago
Nice
@thingsiplay 6 months ago
I actually played DOOM on that day of 6.6.6. Guess what I will play on 6.9. :D
@Eirnix 6 months ago
@@thingsiplay Day Of Defeat?
@MrSnivvel 6 months ago
@@thingsiplay Yourself.
@GSBarlev 6 months ago
@@thingsiplay Hate to break it to you, but _Magical Catgirl Adventure Society_ is probably going to be delayed to 2025. (please let this not be a real title)
@DjVortex-w 5 months ago
GNU/Linux might not be the most used operating system out there, but the Linux kernel is, BY FAR, by a HUGE margin, the most used OS kernel out there. One of the biggest reasons for this is that Android OS uses it as its kernel. The proliferation of Android devices has sky-rocketed the marketshare of the Linux kernel itself. (Android OS is technically not "Linux" in the sense of an operating system. In fact, Android OS doesn't use a single piece of GNU software. Not a single line. However, it does use the Linux kernel (which, perhaps a bit surprisingly, is not GNU software), making it the most widely used OS kernel.)
@Beryesa. 6 months ago
What if you accidentally unplug your keyboard on a desktop pc, while in the lock screen 🙈
@kreuner11 6 months ago
Reboot
@TheFerdi265 6 months ago
in that case there should be a system for whitelisting devices by serial number. Maybe something like "new mouse or keyboard detected. [Allow Once] [Allow Forever] [Disallow]" or something similar
@DMSBrian24 6 months ago
@@TheFerdi265 technically that's now an attack factor as a device can spoof that data
@GSBarlev 6 months ago
@@DMSBrian24 if device IDs are unique, then the malicious actor would have to "clone" the allowed device. Which is obviously a risk, but it's less of a risk than the "charging cable" you bought from Andy's Web Services (& Tchotchky Emporium) installing spyware.
@rogo7330 6 months ago
Allow one usb keyboard and no more by default. That way if attacker plugs in a rubberducky on a lock screen there is not much that it can do except from guessing your password, and when you come back and see that your main keyboard does not work when it should, you just know that something else is plugged. This would not prevent from attacker plugging your keyboard through a badusb that will proxy your keyboard through itself though, so yeah - unplug keyboard and bring it with you, lol.
@tutacat 6 months ago
Spoofing the USB ID
@DePhoegonIsle 6 months ago
can barely wait for tighter security to become the normal. Where plugging in a keyboard after the OS is booted up, isn't blindly accepted, or where plugging a new USB/device into the system when it's shut down is rejected, or maybe stronger permissions defaults where it's deny first than accept after. Maybe Non KB/Mouse inputs for USB are disabled when the system locks, preventing an abuse of autorun all together. (with a setting of allowed ones to set ports, and lockouts enabled if a device gets removed or shut off while the system is running)
@bluephreakr 6 months ago
Incorporation of mobile authorisation would be a great thing to have. Make it so whoever is at their computer needs to authorise a USB device by accepting it, and have this part of a solution that replaces GVFS PolKit / Kauth.
@sleepib 6 months ago
I think if you plug a keyboard in, you should get sent to a lock screen with a password prompt to enable the keyboard, all other devices will just have the password prompt. This way you can't get permanently locked out if the keyboard dies.
@hanelyp1 6 months ago
Good solution.
@emanuellandeholm5657 6 months ago
What if my malicious "not a keyboard" device advertises itself as a keyboard when it feels like it? At minimum, I can now lock your computer without access to your keyboard/mouse/laptop lid. I'm sure someone else could figure something even more evil.
@sleepib 6 months ago
@@emanuellandeholm5657 You unplug the "not a keyboard", or select "don't authorize", at which point the new device is ignored. The "lock" screen is only a sandbox to allow you to authorize the keyboard without a separate input device, and without allowing unrecognized keyboard inputs to do anything but enter the password (with appropriate rate limiting). Your malicious device can only trigger the lock screen by revealing itself as something you don't expect it to be.
@emanuellandeholm5657 5 months ago
@@sleepib Admittedly my attack is kind of contrived. This is a computer that, for some reason, exposes USB HID to the public, which is a crazy thing to do. :D
@knghtbrd 6 months ago
Um, real pentesting (and real penetrations) involve someone just walking in somewhere and plugging in a USB stick that does things and they just copy data. Because people don't use stuff like this. But you're right, they should. I have an idea what I want to see for the UX, too, since I want the option to handle multiple devices inserted at once together, but have the prompt also give me the option to be more selective or get more information about the device before I approve it. More interesting would be a lightweight way to pretend to trust a device and see what it tries to do. Obviously this is something VMs get used for, but I wonder if something fairly lightweight and purpose-driven could "test" USB devices. That could be interesting!
@JessicaFEREM 6 months ago
One of my teachers would copy and paste a whole bunch of pictures of barney to the desktop and change the wallpaper if they didn't log out when they left the classroom.
@tutacat 6 months ago
You still need physical security more importantly in data centres.
@Amipotsophspond 5 months ago
if any one has physical access to the side of the monitor they have full root access by the Sticky Note.
@0x5c 5 months ago
Best data centre security is security that relies on a service running in that very same data center 😉.
@ThePlayerOfGames 6 months ago
7:06 an example is any touch screen device a customer/consumer interacts with. Sometimes the lock on a self-POS cabinet fails and you're left with access to the Dell/HP low power computer that's running the touchscreen, menu, and customer order. Those USB ports are just hanging out there, centimetres behind your little fingers tapping on falafels for supper, just in public
@mx338 6 months ago
This is very useful against malicious USB cable attacks, where a USB cable might emulate a keyboard for malicious attacks or if you are connecting to a USB dock with your laptop, but you just want to charge your device and not plug into a corporate network.
@mercuriete 6 months ago
My keyboard is PS/2. 😢 PS/2 interrupts the cpu instead of polling. Input lag should be less than usb in theory. BTW, I use Gentoo because it is faster than the others in theory. 😢
@FaithyJo 6 months ago
I use a PS2 keyboard. *Checkmate*
@SteinGauslaaStrindhaug 6 months ago
Hmmm... If you knew the target system and the security was bad; _could_ you rig a USB device so that when the OS starts to communicate with the USB device it automatically fires off commands to copy files to it? I guess you could do it with the old insecure auto-run function in Windows... Hmmm... what if the USB device first pretends to be a USB hub with a keyboard attached, and once it's set up it automatically fires off keyboard shortcuts to open a new terminal and it logs in with a weak password or the shell doesn't require login somehow (since the security is presumed to be shit in this scenario); and then it pretends that a USB storage device was plugged into the hub and then it fires off commands to copy files to this storage device.
@nanopi 6 months ago
Good luck getting the correct drive letter or mount path, and autorun is off.
@eDoc2020 5 months ago
That's how most BadUSB devices work.
@user-kt0jl90sfwj8cb 5 months ago
So since this is a build option we'll not be able to switch it? That's a bad thing.
@luketurner314 6 months ago
0:39 even while watching this video (because it is hosted on a server that is most likely running Linux)
@James2210 20 days ago
Could be FreeBSD too
@dylanstoesz1324 6 months ago
watching this on arch running on a chromebook
@6iaZkMagW7EFs 3 months ago
based.
@cameronbosch1213 6 months ago
6:11 *WhAt'S a CoMpUtEr?*
@nomisunrider7851 6 months ago
Most people use Linux before they're finished wiping the morning goop out of their eyes when they turn on their TV.
@thingsiplay 6 months ago
Keyboard and mouse with PS/2 connection would still work, right? They saved me once in the past, where I could not use USB anymore. For the Kernel option, it should be possible to set option 0 if you have a keyboard, otherwise how do you want to edit it? So in that case the keyboard is already authorized, isn't it? And Bluetooth and SSH should also still work, right? I have no experience with these Kernel options, so maybe I'm talking nonsense.
6 months ago
I'd imagine it'd be something like devices being allowed in GRUB, and then a command line option to override the setting, so you can just add the boot parameter to bypass it. You'd need the keyboard at the GRUB stage anyway, for typing in encryption passphrase and things like that.
@thingsiplay 6 months ago
@ Also the USB keyboard and mouse are still functioning at boot time, when PC performs checks and you can enter the BIOS/UEFI with a click. At that time, Linux is not booted. There is a BIOS/UEFI setting to disable USB at boot time (this was how I ended up using PS/2, how foolish I was, but new devices don't have that connection anymore).
@eDoc2020 5 months ago
Bluetooth adapters are usually connected over USB so they wouldn't be authorized if you use option 0. But keep in mind this means the _kernel_ won't automatically authorize the device, you would likely have a daemon that would auto-authorize your main keyboard and other devices.
@thingsiplay 5 months ago
@@eDoc2020 Many motherboards have bluetooth built in, as well as laptops and other portable devices. This does not require USB.
@eDoc2020 5 months ago
@@thingsiplay The vast majority of Bluetooth adapters used in PCs are _electrically_ connected over USB. I'm not talking about rectangular type A connectors but special internal connectors. These are the internal ports option 2 will automatically authorize. One example is the A/E key M.2 slot used in laptops for Wi-Fi/BT.
@yaroslavpanych2067 6 months ago
Ehm, dude misreading. 0 - EXCEPT ROOT HUB, 2 - EXCEPT INTERNAL. So let's define wtf those terms mean first, and then discuss everything else!
@eDoc2020 5 months ago
Root hub is a virtual construct that contains all of the physical ports. If you disable the root hub _all_ of the ports are disabled. Internal is pretty obvious, anything inside the computer. Things like webcams, fingerprint readers, smart card readers, and Bluetooth adapters connect through USB.
@s0litaire2k 6 months ago
PS2 Keyboard and mouse for the win! :D
@ceebee 5 months ago
The browser marketshare stats are indeed unreliable. What that says is that the Linux usage numbers reported are going to be on the low side. But even using those numbers and then applying a VERY conservative number to the number of systems out there, that still puts Linux at over 50 million active users. If you look at the stats for India only, the Linux usage is over 15%. And the stats change depending who you survey. The latest SO survey puts Linux at over 50% (edit: amongst devs) for home usage (over 75% if you include WSL).
@MeriaDuck 6 months ago
Talking about niches: QubesOS will not even let you enter the disk decryption key via the laptop keyboard if anything is plugged in any usb port. I experimented with Qubes when giving lectures about linux 😂. It was interesting.
@fuseteam 6 months ago
2 April fools videos!? Brodie you sly penguin!
@KevinVeroneau 5 months ago
This is a really cool new feature, especially for mobile devices, like laptops and cellphones. Does Windows or Mac have such features yet? As I can see a feature like this being extremely popular in both the enterprise and in governments.
@gusvanwes6192 6 months ago
What is tiling???
@thingsiplay 6 months ago
Tiling is a synonym for Love.
@vilian9185 6 months ago
@@thingsiplay no
@elmariachi5133 5 months ago
Yes, I actively dislike Windows. Crappel and their products though.. are way beyond just 'disliking'. ;)
@adjbutler 6 months ago
Yes, but NixOS video when??? WHEN!!!
@Linuxdirk 6 months ago
Another step on making it as uncomfortable for the everyday user as possible.
@hummel6364 6 months ago
Why would I use this? I do leave my laptop "unattended" at university, but I always reboot it just as I leave, that way it boots into the LUKS unlock screen, so basically no danger of anything happening to it, except for maybe someone stealing it.
@georgeindestructible 6 months ago
Another feature i wish people used a lot more is this one: en.wikipedia.org/wiki/ATA_over_Ethernet Simply because it's superior in many ways than most if not all the network data sharing methods.
@eDoc2020 5 months ago
I also like AoE but iSCSI has more features and is probably faster in most cases.
@MonochromeWench 6 months ago
The problem with Authorizing the keyboard and mouse could be worked around by the keyboard and mouse get automatically authorized if there are no other keyboards or pointing devices installed. It should also be harder to Authorize a second keyboard or mouse to guard against BadUSB attacks.
@Adiee5Priv 6 months ago
is this april fools joke?
@linuxguy1199 6 months ago
No
@szaszm_ 6 months ago
It's already Apr 2 in Australia, and by now, even in most of Europe.
@BrodieRobertson 6 months ago
I should swap them one year and see what happens
@danielrhouck 5 months ago
For non-business computers, *yes* there is absolutely a reason to authorize a device if you plug it in at the lock screen. Suppose your keyboard dies and you need to get a new keyboard. This takes more than 10 minutes so your computer has locked itself by the time you get back. Now you need to enter your password to unlock it. Do you use the broken keyboard, or the new keyboard you just plugged in while the device was locked?
@Dragon_Slayer_Ornstein 6 months ago
7:37 - Maybe the data centre set their system up to mount USB drive on insert then rsync everything to the USB mount... I could actually see someone doing that if they back things up all the time and they are too lazy to run the commands manually 😐 I would set it up to copy cat pictures to the device.
@mega_gamer93 6 months ago
So is this just like the kernel.deny_new_usb sysctl in linux-hardened?
@Semmelstulle 5 months ago
I would love to see USB Guard used in home user distros. I started to love the macOS/iOS approach that simply denies every new USB connection when the device is locked. I want this on my Linux desktop, too!
@xenaretos 6 months ago
Lock your screen, get a new keyboard, lose the old keyboard... oops.
@supercellex4D 2 months ago
WOOOO LINUX HAS USB CONSENT MANAGEMENT LIKE MACOS
@tmvkrpxl0135 6 months ago
This feels similar to android devices, It's charge only by default and requires user input to actually interface with it.
@KaiHenningsen 6 months ago
I'm no longer authorized to watch this video? OK, I'll stop. Done.
@setoman1 6 months ago
Qubes had this feature since 2014.
@WoodyJohnson-r3v 5 months ago
come on now Mr.Robot was alright
@Aoitori365 6 months ago
I actively dislike windows and mac os
@randomu53r 6 months ago
May prevent rubber ducky usb
@jamesphillips2285 6 months ago
I JUST set up a secure computer (with a PS/2 port) in the last week!
@fnamelname9077 5 months ago
PS2-port Master Race
@anon_y_mousse 6 months ago
I was going to ask you what tiling was, but oops.
@reality_hurtz 6 months ago
USB safely ejected
@lorenzo42p 6 months ago
I'm not authorized to see this video? You know what... I'll watch it a second time, and there's nothing you can do to stop me.
@bleack8701 6 months ago
I can think of one use case for plugging in a USB device into a locked desktop. Charging. But that...should work anyway?
@eDoc2020 5 months ago
Yes, standard charging would still work.
@jeremyandrews3292 5 months ago
Well, if we just used PS/2 keyboards while reserving USB for optional devices, this option actually wouldn't be so bad... you could still use your system with the PS/2 keyboard until you get authorization set up, then authorize only the devices you want. PS/2 ports are less likely to be a big danger in and of themselves, because they are limited to the function of local input devices and can't be used for much else, like storage or anything like that.
@autohmae 5 months ago
Pretty certain a BadUSB device with a PS/2 connector could do all the bad things it would normally do.
@Amipotsophspond 5 months ago
Before the kernel can be loaded to stop my USB, my USB "keyboard" will enable the BIOS to boot from USB into my OS, which will rewrite the bootloader to disable your OS that would have stopped the USB, so basically all you need is any kind of power failure after you plug in the USB. Evil maid attacks are really hard to stop; the name comes from maids in hotels plugging in USB while the laptop is "safe" in the room. This channel has a guide on how to keep your laptop safe in a hotel safe ---> www.youtube.com/@lockpickinglawyer But I also wonder: if someone did manage to compromise a system by some backdoor like .xz, this disable-all-USB feature could be used to disable all keyboards and mice, so the compromised system only accepts remote commands while the person physically sitting at the computer can't do anything because it refuses all USB. Maybe it was just made to sell PS/2 port keyboards.
@eDoc2020 5 months ago
That's why you lock down the BIOS and use disk encryption if you are concerned about physical attacks.
@kronusexodues7283 5 months ago
When all devices get rejected by default, how do I authorize a device? I don't mean that as a joke. Is the expectation simply that all devices using this feature still have the old mouse and keyboard ports from back when USB wasn't invented yet? Or that the keyboard and mouse plugged in during installation never ever get unplugged?
@eDoc2020 5 months ago
It's authorized by a userspace daemon which can be programmed with whatever mechanism desired. I would expect that setups used for desktop systems would always allow at least one keyboard so you could always login.
@cgarzs 5 months ago
So is it like whitelisted MAC addresses or something? If so, couldn't you just look at their computer and (for a bunch of devices at least) take 2 seconds to search the device and vendor ID, to spoof it, making the security pointless?
@eDoc2020 5 months ago
Yes, it's a weakness if used like that. But the authorization of pluggable devices is done in userspace and can be more advanced. For example maybe only authorize devices if a smart card is inserted.
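The point of this exchange, that a vendor/product-ID allowlist alone is easy to spoof while a userspace policy can check more, shown as an added example (not part of the thread and not code from any real daemon): it parses a raw USB descriptor blob and also requires that the device expose only the interface classes expected for that ID, so a "drive" that additionally presents a keyboard interface is rejected. The allowlist, the IDs and all function names are hypothetical, and it assumes the daemon reads the device's `descriptors` file from sysfs and writes the returned value to that device's `authorized` file.

```python
import struct

# Hypothetical allowlist: (idVendor, idProduct) -> interface classes that device may expose.
# All IDs are constructed sample values, not real products.
ALLOWLIST = {
    (0x1111, 0x0001): {0x03},  # desk keyboard: HID only
    (0x2222, 0x0002): {0x08},  # backup drive: mass storage only
}

def parse_descriptors(blob):
    """Return (idVendor, idProduct, interface classes) from a sysfs `descriptors` blob."""
    if len(blob) < 18 or blob[0] != 18 or blob[1] != 0x01:
        raise ValueError("missing or malformed device descriptor")
    vendor, product = struct.unpack_from("<HH", blob, 8)
    classes, off = set(), 18
    while off < len(blob):
        if off + 2 > len(blob) or blob[off] < 2 or off + blob[off] > len(blob):
            raise ValueError("malformed descriptor at offset %d" % off)
        length, dtype = blob[off], blob[off + 1]
        if dtype == 0x04:  # interface descriptor: bInterfaceClass is byte 5
            if length < 9:
                raise ValueError("short interface descriptor")
            classes.add(blob[off + 5])
        off += length
    return vendor, product, classes

def decide(blob):
    """Return "1" (authorize) or "0" (reject), the value a daemon would write to `authorized`."""
    try:
        vendor, product, classes = parse_descriptors(blob)
    except ValueError:
        return "0"  # fail closed on anything unparseable
    allowed = ALLOWLIST.get((vendor, product))
    if allowed is None or not classes or not classes <= allowed:
        return "0"
    return "1"

def sample_blob(vendor, product, iface_classes):
    """Build a constructed descriptors blob (one configuration, no endpoints)."""
    dev = struct.pack("<BBHBBBBHHHBBBB", 18, 1, 0x0200, 0, 0, 0, 64,
                      vendor, product, 0x0100, 0, 0, 0, 1)
    ifaces = b"".join(bytes([9, 4, n, 0, 0, c, 0, 0, 0])
                      for n, c in enumerate(iface_classes))
    cfg = struct.pack("<BBHBBBBB", 9, 2, 9 + len(ifaces), len(iface_classes), 1, 0, 0x80, 50)
    return dev + cfg + ifaces

if __name__ == "__main__":
    print(decide(sample_blob(0x1111, 0x0001, [0x03])))        # known keyboard
    print(decide(sample_blob(0x2222, 0x0002, [0x08, 0x03])))  # "drive" that also exposes HID
```

A device that copies both the IDs and the exact interface layout of an allowed one still passes this check, which is why the reply above suggests tying authorization to something the device cannot supply itself.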
@Ph42oN 6 months ago
This sounds kinda pointless, just don't use automount or autorun and require password to mount. Unless there is some vulnerability that does not require mounting USB.
@jamesphillips2285 6 months ago
BadUSB emulates a keyboard, opens a terminal and just TYPES the malicious payload.
@Blaineworld 6 months ago
that’s a neat feature
@laughingvampire7555 6 months ago
This is why I have always recommended BSD for servers and Linux for Desktop.
@beargiles4062 6 months ago
I can think of a few other good things to check. 1) an extra HID (keyboard or mouse) - could be legitimate, could be a rubber ducky or modified USB cable. 2) a mass storage device (data infiltration/exfiltration - I assume auto-run is disabled).
@trashbag5512 6 months ago
🤔
@soulstenance 6 months ago
Forgive me, I'm not as much of a hardware nerd as a software nerd, but, what the heck is an internal USB? Like what's an example of a USB connection that would be considered internal?
@skidnik 5 months ago
For example, chances are high the webcam in your laptop (if you have one) is connected via USB bus.
@soulstenance 5 months ago
@@skidnik Wow, that's wild. Shows how little I know about hardware. I just assumed anything connected internally would use internal standards such as SATA or PCIe. Thanks for the response!
@eDoc2020 5 months ago
@@soulstenance I should add that it has the electrical USB D+/D- lines but you're not going to find a regular rectangular USB connector inside the laptop. It will use a proprietary connector and power is usually a minimally-protected 3.3v instead of the standard well-protected 5v.
@soulstenance 5 months ago
@@eDoc2020 Gotcha. That makes sense!
@thatscrazy4487 6 months ago
I wish so much Linux gets the same level of hardware and software security as GrapheneOS on a Pixel 8 phone. Hopefully Fedora does it first.
@jamesphillips2285 6 months ago
Well the Pixel 8 phone ships with Android/Linux so...
@happygofishing 6 months ago
Smartphone OSes are technological slavery
@GSBarlev 6 months ago
*Excuse me,* I use Linux for fun _and_ I actively dislike Windows and macOS¹
Also, nothing makes my day quite like seeing a public terminal with a stack trace on a TTY or GRUB boot screen instead of a BSOD. It's still the minority, but it's definitely not as much of a rarity as it was 20 years ago.
¹ OSX was 🔥 though²
² I use Pantheon, btw