

One more update
Authored by: lincd0 on Sep 01, '09 06:41:00PM

Surprisingly, people are even now reading this two-year-old hint. So I'll offer one more update.

The question was raised in a comment as to how you can reduce false positives from known devices being moved around.

Below is part of the script I now use to check the USB buses. The value of the variable KNOWN is the path to a list of known USB devices that I use, identified by the vendor and device codes.

system_profiler SPUSBDataType | grep ID: | grep -v 'Location\|PCI' | cut -d: -f2 | paste -s -d '\t\n' - | sort | grep -v -f $KNOWN

The effect of this is that known devices are ignored. Only the presence of a previously unknown device will cause an alert. I create the $KNOWN file by running the above command with all devices plugged in and the last pipe omitted.

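A worked version of the check above, added here as an example and not lincd0's script: it runs offline on a constructed, abbreviated copy of `system_profiler SPUSBDataType` output (system_profiler exists only on macOS), pairs each Vendor ID with the Product ID that precedes it instead of relying on paste to line them up, keys the baseline on the hex codes only, and matches the baseline with fixed-string, whole-line grep. The sample text, the ROGUE_DEVICE fragment and the function names usb_ids/unknown_usb are this example's own.

```shell
#!/bin/sh
# Added example, not lincd0's script: the same USB allow-list check, written
# to run offline on a constructed copy of `system_profiler SPUSBDataType`
# output (system_profiler only exists on macOS).

# Constructed, abbreviated system_profiler output: a host controller (whose
# PCI IDs must be ignored) and two known devices.
SAMPLE_USB='USB:

    USB Bus:

      Host Controller Location: Built-in USB
      Host Controller Driver: AppleUSBUHCI
      PCI Device ID: 0x2834
      PCI Revision ID: 0x0003
      PCI Vendor ID: 0x8086
      Bus Number: 0x3d

        Apple Keyboard:

          Product ID: 0x0220
          Vendor ID: 0x05ac  (Apple Inc.)
          Version: 0.69
          Speed: Up to 1.5 Mb/sec
          Location ID: 0x3d100000

        USB Receiver:

          Product ID: 0xc52b
          Vendor ID: 0x046d  (Logitech Inc.)
          Version: 12.01
          Location ID: 0x3d200000'

# Constructed fragment for a device that is not in the baseline.
ROGUE_DEVICE='        Unknown Device:

          Product ID: 0x5678
          Vendor ID: 0x1234
          Location ID: 0x3d300000'

# usb_ids: read system_profiler text on stdin and print one
# "vendor<TAB>product" line per device, sorted.  Pairing is explicit: a
# Vendor ID line is only emitted together with the Product ID line that
# preceded it, so a device missing one of the two cannot shift every later
# pair (the paste-based one-liner relies on the lines always coming in pairs).
# "PCI Vendor ID" and "Location ID" lines fail the $1 test and are skipped.
usb_ids() {
    awk '
        $1 == "Product" && $2 == "ID:" { prod = $3; next }
        $1 == "Vendor"  && $2 == "ID:" && prod != "" {
            printf "%s\t%s\n", $3, prod
            prod = ""
        }' | sort
}

# unknown_usb KNOWN_FILE: print the devices on stdin that are not listed in
# KNOWN_FILE; return 1 if there were any (alert), 0 if all were known.
# -F -x compares whole lines as fixed strings, so a baseline entry cannot
# match as a regex or as a prefix of a different ID.
unknown_usb() {
    unknown=$(usb_ids | grep -v -F -x -f "$1" || true)
    [ -z "$unknown" ] && return 0
    printf '%s\n' "$unknown"
    return 1
}

# Demo: build the baseline from the sample (all devices plugged in), then
# check a capture that contains one extra device.
KNOWN=$(mktemp)
printf '%s\n' "$SAMPLE_USB" | usb_ids > "$KNOWN"
if printf '%s\n' "$SAMPLE_USB" "$ROGUE_DEVICE" | unknown_usb "$KNOWN"; then
    echo "no unknown USB devices"
else
    echo "ALERT: unknown USB device(s) listed above"
fi
rm -f "$KNOWN"
```

On a Mac the two `printf ... |` feeds become `system_profiler SPUSBDataType |`; the baseline is still built once with every device plugged in, as the post describes. Keep in mind what this does not catch: a keylogger that spoofs the vendor/product codes of a device already in the baseline, or one inserted inline with no USB identity of its own.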

One more update
Authored by: lincd0 on Sep 01, '09 06:43:35PM

I'm still using 10.5. The script will probably have to be changed slightly for 10.6.



ever found a hardware keylogger
Authored by: alec kinnear on Jan 19, '10 06:21:38PM

This is a great technique for finding a hardware keylogger. Has anyone actually found such a device attached to their Mac via software inspection (or, for that matter, via hardware inspection)?

I'd be a lot more worried about software keyloggers. I looked at all of them, and there would be no issue in disguising the process name and running incognito, at least in the case of the freeware and open source OS X keylogger logKext.

The only way to really secure a computer would appear to be to limit physical access to the machine. Still, I'd love to hear some real life war stories.

---
Moving the world to freedom, one Typepad weblog to Wordpress at a time.


ever found a hardware keylogger
Authored by: lincd0 on Feb 05, '10 11:25:57AM

You should have no expectation of privacy when using a computer of which you aren't the sole administrator. Never do any personal business on a public machine. Carry your own laptop or smart phone around.

For your own system, to be as secure as you can be from physical attack you have to use either whole-disk encryption or some sort of tripwire, with the ability to boot from a separate storage device such as a USB key to verify that the state of the device hasn't changed unexpectedly. Before PGP whole-disk encryption was available, I used mtree for this purpose, but it was awkward. Even PGP isn't completely safe, because of the Evil Maid attack (replacing the bootloader with a trojan).

The real issue is not to defeat any possible attack, but to defeat the easy attacks. Hardware keyloggers are as easy as it gets, and not very easy to beat.



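The tripwire half of that advice, as an added example that is not lincd0's mtree setup: a baseline manifest of SHA-256 hashes is recorded for a tree, and a later run reports which files changed, appeared or disappeared. SHA-256 via sha256sum/shasum stands in for mtree here; the function names, the manifest format and the throwaway tree in the demo are this example's own. As the post says, the manifest and the checker have to live on media the machine cannot write to (the USB key you boot from), otherwise whoever altered the files can alter the manifest too.

```shell
#!/bin/sh
# Added example, not lincd0's mtree setup: a minimal file-integrity "tripwire"
# that records a SHA-256 manifest of a tree and later reports what changed.
# The manifest and this script belong on media the machine cannot write to
# (the USB key you boot from); kept on the disk being checked, whoever
# altered the files can alter the manifest too.

# SHA-256 of one file, using sha256sum (Linux) or shasum (macOS).
sha256_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_manifest ROOT OUT: one "path<TAB>sha256" line per regular file under
# ROOT, sorted bytewise so that comm(1) can compare two manifests.
make_manifest() {
    root=$1; out=$2
    ( cd "$root" && find . -type f ) | while IFS= read -r f; do
        printf '%s\t%s\n' "$f" "$(sha256_file "$root/$f")"
    done | LC_ALL=C sort > "$out"
}

# verify_manifest ROOT MANIFEST: rebuild the manifest for ROOT and print one
# CHANGED/ADDED/REMOVED line per difference; return 0 only on an exact match.
verify_manifest() {
    root=$1; manifest=$2
    now=$(mktemp)
    make_manifest "$root" "$now"
    rc=0
    # comm -3 leaves lines unique to the baseline (column 1, no prefix) and
    # lines unique to the current tree (column 2, prefixed by a tab).  A file
    # whose hash changed shows up once in each column.
    LC_ALL=C comm -3 "$manifest" "$now" | awk -F'\t' '
        $1 == "" { cur[$2] = $3; n++; next }
        { base[$1] = $2; n++ }
        END {
            for (p in base) { if (p in cur) print "CHANGED " p; else print "REMOVED " p }
            for (p in cur) { if (!(p in base)) print "ADDED " p }
            exit (n > 0)
        }' || rc=$?
    rm -f "$now"
    return $rc
}

# Demo on a constructed throwaway tree: baseline, tamper, verify.
TREE=$(mktemp -d); mkdir -p "$TREE/bin"
printf 'original\n' > "$TREE/bin/login"
BASELINE=$(mktemp)                        # real use: write this to the boot USB key
make_manifest "$TREE" "$BASELINE"
printf 'trojaned\n' > "$TREE/bin/login"   # simulate tampering
if verify_manifest "$TREE" "$BASELINE"; then
    echo "tree matches baseline"
else
    echo "ALERT: tree differs from baseline (see lines above)"
fi
rm -rf "$TREE" "$BASELINE"
```

Run against the real system, ROOT would be the mounted disk of the machine under inspection while booted from the USB key; the check only means something if the baseline was taken while the machine was known good. Like whole-disk encryption, it does not help against the Evil Maid case unless the bootloader itself is among the files in the manifest.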
great advice
Authored by: alec kinnear on Feb 05, '10 11:36:33AM

But every time I've tried disk encryption I've ended up losing my data to disk corruption or some such thing.

Physical security is important. I think the next step is to be careful what you write into a computer which ever touches the Internet or leaves home.

thanks for sharing your experiences though.

---
Moving the world to freedom, one Typepad weblog to Wordpress at a time.


