Re: Concrete ideas for the December-March OPW?



On Wed, 2014-10-29 at 14:05 +0100, Tobias Mueller wrote:
> On Tue, Oct 28, 2014 at 04:39:28PM +0100, Hans Petter Jansson wrote:
>
> > If so, how do we handle the case where the user tries to change
> > their keyboard while the lock screen is up?
>
> We could unconditionally allow simple HID devices.
>
> > Would a device whitelist be
> > reliable, so he could at least re-plug his old keyboard and log back in
> > using that?
>
> good idea!

To summarize, what I'm seeing is something like the following...

* Whenever a USB device is plugged in
  * If device is on whitelist OR is simple human interface device
    * [ALLOW]
  * Otherwise (device is not on whitelist and is not simple HID)
    * If in lock screen
      * Add to deferred decision list
    * Otherwise (not in lock screen)
      * [PROMPT] If user accepts device
        * Add device to whitelist
        * [ALLOW]
      * Otherwise (user rejected device)
        * [DENY]

* Whenever a USB device is removed
  * If in lock screen
    * If device is on deferred decision list
      * Remove device from deferred decision list

* Whenever exiting lock screen
  * For each device on deferred decision list
    * Remove device from deferred decision list
    * [PROMPT] If user accepts device
      * Add device to whitelist
      * [ALLOW]
    * Otherwise (user rejected device)
      * [DENY]

There are a couple of things I'm not quite sure about:

* Prompting. I think it's reasonable in this case, but not everyone
agrees.

* How broad is the "simple HID" category? Is it always safe to accept
these devices? How complex are the kernel drivers and how big is the
attack surface?

I added processing of a "deferred decision list" on exiting the lock
screen, since the user will expect those devices to be addressed and we
can only do so in an authenticated environment. Maybe there are better
ways to do this, though.

The lock screen could also show a list of devices that were plugged in
but are awaiting confirmation. On unlock, it'd be a bonus if the
subsequent popups said something along the lines of "This device was
plugged in while you were gone: ...". 

-- 
Hans Petter
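
A small Python model of the decision procedure summarized in the message above, added here as an illustration; it is not code from the thread or from any GNOME component. `UsbPolicy`, `Device`, the `ident` string and the `prompt` callback are hypothetical names, and treating a deferred device as not yet authorized is an assumption.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

ALLOW, DENY, DEFER = "ALLOW", "DENY", "DEFER"

@dataclass(frozen=True)
class Device:
    ident: str        # hypothetical stable identifier used as the whitelist key
    simple_hid: bool  # how "simple HID" is decided is left open in the thread

@dataclass
class UsbPolicy:
    # prompt(device, plugged_while_locked) -> True if the user accepts it
    prompt: Callable[[Device, bool], bool]
    whitelist: Set[str] = field(default_factory=set)
    deferred: List[Device] = field(default_factory=list)
    locked: bool = False

    def _ask(self, dev: Device, while_locked: bool) -> str:
        # [PROMPT]: accepting a device also whitelists it for next time.
        if self.prompt(dev, while_locked):
            self.whitelist.add(dev.ident)
            return ALLOW
        return DENY

    def on_plug(self, dev: Device) -> str:
        if dev.ident in self.whitelist or dev.simple_hid:
            return ALLOW
        if self.locked:
            # No prompt without an authenticated session: park the device.
            # Assumption: it stays unauthorized until the decision is made.
            if dev not in self.deferred:
                self.deferred.append(dev)
            return DEFER
        return self._ask(dev, False)

    def on_unplug(self, dev: Device) -> None:
        # A device removed while locked must not trigger a prompt on unlock.
        if self.locked and dev in self.deferred:
            self.deferred.remove(dev)

    def on_unlock(self) -> Dict[str, str]:
        self.locked = False
        # Empty the list first, then decide each pending device in plug order.
        pending, self.deferred = self.deferred, []
        return {dev.ident: self._ask(dev, True) for dev in pending}
```

The `while_locked` flag passed to `prompt` is what would let the dialog say that a device was plugged in while the user was away.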


