Infosec Lazyweb, a real question: is it actually safe to plug a random usb peripheral into a win10 machine, assuming I’m not interesting to a nation-state? Or is that (still) the fast path to bad pain, even assuming zero user interaction.
@mhoye Random USB devices can pretend to be keyboards and Win10 by default accepts e.g. keypresses or mouse movements from new USB devices. Win-R invokes the Run command, so it's trivial to run some shell code.
@cubeos @mhoye Echoing this. Rubber duckies are inexpensive (we're talking about "ESP32 on a widely produced circuit board" here, ~$15), can do anything mouse+keyboard can and look like real USB sticks.

@multisn8 @cubeos @mhoye This problem is trivially fixable, without breaking UX, by

(1) assuming if you're logged in you already have working input devices attached, and requiring confirmation of any newly-attached ones before they get used, and

(2) on login screen, warning if multiple keyboards are attached, and by default only leaving the one that was used to enter the login password enabled after login.

It's ridiculous that nobody is fixing it.

@dalias @multisn8 @mhoye It's actually fixed: enterprise admins can set a group policy controlling USB device installation. See https://learn.microsoft.com/en-us/windows/client-management/client-tools/manage-device-installation-with-group-policy I suspect somebody decided that the additional confirmation steps would confuse users and decided against shipping a confirmation step as a default.

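An added example, not code from the thread or from Microsoft: a PowerShell audit that lists every keyboard-class device Windows currently sees and reads back the Device Installation Restrictions policy the post above points to. The registry path and value names (`DenyUnspecified`, `AllowDeviceIDs`, `DenyDeviceClasses`) are assumed from the linked Microsoft document; check them against your own policy export.

```powershell
# Added example (not from the thread): audit a Windows 10/11 host for the two
# things discussed above: which keyboard-class devices are present right now,
# and whether the "Device Installation Restrictions" Group Policy is in place.
# Registry path and value names are assumed from the Microsoft document linked
# above. Run from an elevated PowerShell session.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-PolicyList([string]$SubKey) {
    # Allow/Deny lists are stored as numbered string values ("1", "2", ...) under a sub-key.
    $path = Join-Path $PolicyKey $SubKey
    if (-not (Test-Path $path)) { return @() }
    (Get-ItemProperty -Path $path).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
}

function Get-DeviceInstallRestrictions {
    $root = if (Test-Path $PolicyKey) { Get-ItemProperty -Path $PolicyKey } else { $null }
    [pscustomobject]@{
        # DenyUnspecified = 1: "Prevent installation of devices not described by other policy settings"
        DenyUnspecified   = [bool]($root.DenyUnspecified -eq 1)
        AllowDeviceIDs    = @(Get-PolicyList 'AllowDeviceIDs')
        DenyDeviceClasses = @(Get-PolicyList 'DenyDeviceClasses')
    }
}

function Get-PresentKeyboards {
    # Everything Windows currently treats as a keyboard. A second, unexpected entry
    # (a "USB stick" that enumerated as a HID keyboard) is exactly the case above.
    Get-PnpDevice -Class Keyboard -PresentOnly -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hwIds = (Get-PnpDeviceProperty -InstanceId $_.InstanceId -KeyName 'DEVPKEY_Device_HardwareIds').Data
            [pscustomobject]@{ Name = $_.FriendlyName; InstanceId = $_.InstanceId; HardwareIds = $hwIds }
        }
}

$policy    = Get-DeviceInstallRestrictions
$keyboards = @(Get-PresentKeyboards)

"Device installation restrictions configured: $($policy.DenyUnspecified)"
"Allow-listed device IDs: $($policy.AllowDeviceIDs.Count)"
"Keyboards present: $($keyboards.Count)"
foreach ($kb in $keyboards) {
    $allowed = $kb.HardwareIds | Where-Object { $policy.AllowDeviceIDs -contains $_ }
    $flag = if ($policy.DenyUnspecified -and -not $allowed) { 'NOT on allow list' } else { 'ok' }
    "  {0,-40} {1}  [{2}]" -f $kb.Name, $kb.InstanceId, $flag
}
if ($keyboards.Count -gt 1) { 'WARNING: more than one keyboard present; verify each one physically.' }
```

The policy only blocks devices at installation time, so a keyboard that was installed before the policy was applied keeps working; that is the case the "NOT on allow list" flag surfaces.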
@cubeos @dalias (let's maybe remove mhoye from the mentions since this is not exactly what mhoye asked for)

Beyond UX, there's an additional factor why this is not trivial: Backward compatibility. Not all machines running Windows have input devices, a screen or even a "user".

Scenario A: A hospital or display sign, which may need to deal with many files at once, having a machine that is solely there for file ingestion to the local network
Scenario B: Authorization boxes for doors and gates. Many authorization keys (such as the Yubikey) simulate a keyboard for the exact sake of entering cryptic characters

@cubeos @dalias We can, absolutely, say that the situation is broken and ridiculous. That doesn't change anything about the situation that users may be harmed with some decision, unfortunately