Re: Poisontap security issue of NetworkManager?

["Stuart D. Gathman" <stuart gathman org>]

On Mon, 21 Nov 2016, Claudius Heine wrote:

> On 21.11.2016 13:07, Lubomir Rintel wrote:
> > On Thu, 2016-11-17 at 12:10 +0100, Claudius Heine wrote:
>
> > > I think the main issue is, that the network device is automatically
> > > setup via dhcp by tools like NetworkManager & co.
> >
> > That is a feature. You generally want network connectivity when you
> > plugin a network adapter with a cable in it.
>
> Yes. And a nice one ;)

It's a nice feature when working at the computer.  What poisontap
is complaining about, however, is that USB ports should not do anything
automatically while the screen is locked.

Now, for a workstation, yes you pretty much want "Lock Screen" to lock
everything down, including USB ports.

However, for a server, you might want an end user to plug in a USB
device during your remote support session without logging in to the
console.

In any case, if there is anything done to lock more than the screen
and keyboard, I think it should be at the udev level - not in
NetworkManager.  The lockscreen/screensaver app needs to tell udev
to stop activating things until unlocked.

Meanwhile, I have to keep taking my laptop into the restroom...

--
              Stuart D. Gathman <stuart gathman org>
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.