Open jaseg opened 7 years ago
Hi @jaseg,
Thanks for submitting an issue, I am currently re-writing the documentation as you suggested. This should be posted within the next couple of days.
I have added a disclaimer as suggested, once I get more time I will be able to thoroughly document what is monitored, under which conditions. As an added bonus I have removed any reference to this being a security tool.
The
README
sais aboutusb-canary
that its function is to "monitor USB devices", just as its name suggests. However, as far as I can tell it is only monitoring mounted physical partitions.Possible Solution
Clearly document what is monitored, under which conditions alerts will happen and what use this is applied to common threat models.
I would also highly suggest a note pointing out that usb-canary is experimental, early stage software and should absolutely not be relied upon in critical situations.
Context
usb-canary at least on first glance looks like a security tool. For any security tool, clear and precise communication as to its threat model and scope are necessary for it to be used correctly.
An important omission is that currently, usb-canary will not detect one of the most common classes of usb-based attacks, available to anyone: Fake HID-Class keyboard devices. In contrast, properly implemented even a change such as inserting a keylogger could be detected.