What, a Linux text editor can execute system commands?
Hi guys, I'm glad you like my card. I'm a 2nd year EE student applying to several co-op jobs so I made these to hand out to potential employers during job interviews. I wouldn't dare make them malicious. The worst this thing can do is probably output some offensive ASCII art.
Vern... I did mention it was a test OS. It's being wiped for CentOS this week so it was on death row anyways.
I haven't seen the USB business card, but I do have a few rectangular mini CDs from a trade show that are done up like a business card with product brochure PDFs.
Comments
So I plug a mystery somebody's card into my Linux box and it "types" out the commands:
That's all my home directory gone if I happen to have focus in a terminal window, which I do a lot, especially when dicking around with new hardware. Even if I have a good backup policy in place, that is still possibly the day's work and quite a long time wasted restoring everything.
The card is obviously emulating a HID and so it probably has no awareness of where it's sending its output. It goes to whatever application has keyboard focus. It could probably send a key command to switch focus but it would have no way to know what it had switched focus to.
Apparently Linux does not synchronize the CAPSLOCK status across separate keyboards, although it seems to synchronize the NUMLOCK status. I found this out on my friend's computer running Ubuntu.
I'm sure EMACS can do a lot of damage if so inclined :)
But what I'm worrying about is this:
1) I have a command terminal open. That terminal window has keyboard focus. This is normal, I always have a command shell up and use it a lot.
2) I plug in this card which shows up as a keyboard and starts typing stuff into my terminal window. BOOM.
If this really happens I'm not sure, I have to find a second keyboard and see what happens when I just plug it in.
frank26080115,
I do like your card. It's very neat and imaginatively executed. Good luck with your interviews, I'm sure it will help a lot.
I was not suggesting that you would make your card malicious. It's just that neat ideas like this have a habit of being copied by others. Then they are all over the place, then... well, you see what I mean.
It's just another reminder that computer users should be aware of what risks they are taking with their machines and their data at all times.
Plug a second USB keyboard into my Debian Linux box and if I happen to have a terminal window in focus at the time whatever commands that "keyboard" sends will be dutifully executed.
This has horrible security repercussions. What if someone were to put such a spoof keyboard into a USB memory stick enclosure? You can't trust anything nowadays.
I think I'm going to have some fun around the office with this :)
Take a look at this little project for distributing data via USB drives cemented into the walls of buildings.
http://datenform.de/blog/dead-drops-preview/
So what are you actually connecting to with that socket in the wall?
That seems to be one of the most stupid ideas ever...
It's compared to Geocaching, but there the rule is to NEVER destroy anything when hiding a cache. Here he has hacked holes in concrete/brick walls to mount his drives.
Urban Geocaching requires stealth. Messing with a laptop that you're holding against the wall... yeah... Plugging a USB extension cable into a wall... not exactly inconspicuous...
Unprotected USB connectors outdoors? Rust 'R' Us?
'anonymous file sharing' ...
Actually, ANYONE can witness you connecting.
The computer security issues I won't even start on...
And watch your Linux die. No need to be root.
Die how?
I just tried it on a temp setup on Fedora 12. It did nothing to my HD. Just said resource fork not available.
--
Speaking of biz cards, I did a very similar thing with a BS2 last year. I had it ASCII Art Tux with the debug command.
Just run a serial terminal and press reset on the HW board.
And voilà, Tux. It was a gag to my Robotics prof.
Most distributions are not protected from fork bombs. Fedora/Red Hat have limits set in place. I know that Ubuntu does not as I have just tried it. At the university I go to, one was set off and shut down most of the school.
Jesse
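On PAM-based Linux systems, per-user process limits of the kind mentioned in the post above are set as `nproc` entries in `limits.conf`-format files read by pam_limits. As an added example (not from the thread), this sketch reads such entries and reports whether a user is capped; the sample file content is constructed, and group (`@`) domains are ignored as a simplification.

```python
import resource

# Constructed sample in pam_limits format: <domain> <type> <item> <value>
SAMPLE_LIMITS = """\
# constructed example, not taken from any real system
*       soft    nproc   1024
*       hard    nproc   4096
root    soft    nproc   unlimited
alice   -       nproc   200
@dev    hard    nofile  8192
"""

def parse_nproc(text):
    """Return {domain: {"soft": n, "hard": n}} for nproc lines; None = no finite cap."""
    rules = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) != 4 or fields[2] != "nproc":
            continue
        domain, kind, _, value = fields
        limit = None if value in ("unlimited", "infinity", "-1") else int(value)
        for k in (("soft", "hard") if kind == "-" else (kind,)):
            rules.setdefault(domain, {})[k] = limit
    return rules

def effective_nproc(rules, user):
    """Per-user entry overrides '*'; wildcard entries are not applied to root."""
    domains = (user,) if user == "root" else (user, "*")
    result = {}
    for kind in ("soft", "hard"):
        result[kind] = next(
            (rules[d][kind] for d in domains if kind in rules.get(d, {})), None)
    return result

def assess(limits):
    """Classify how well a user is protected against runaway process creation."""
    if limits["hard"] is not None:
        return "hard-capped"
    if limits["soft"] is not None:
        return "soft-only"   # the user can raise a soft limit with ulimit -u
    return "uncapped"        # nothing configured here; kernel default applies

def current_process_limit():
    """RLIMIT_NPROC actually in force for this process (Linux)."""
    soft, hard = resource.getrlimit(resource.RLIMIT_NPROC)
    fmt = lambda v: None if v == resource.RLIM_INFINITY else v
    return {"soft": fmt(soft), "hard": fmt(hard)}
```

Running `ulimit -u` in a shell shows the same soft limit that `current_process_limit()` reports for the Python process.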
See, what do you need a USB business card for when you can just tell people to not type stuff and they will type it?
I would never put random stuff on my real Linux systems.
."The systems"
The USB drive dead-drop is a novel idea, but gets a big fat zero for implementation. A better idea would be to use an outdoor style outlet box and an IP-67 USB connector housing.