More importantly, it puts you one hack away from arbitrary code execution. That device is a dedicated testing tool but there are tons of USB devices which have vulnerable firmware, and the OS vendor can’t know whether you’d pick up a USB key you find on the ground, buy a gadget off of Craigslist, or maybe you care about security but not enough to stop using Google Chrome and it turns out that one of your attached devices is exploitable via WebUSB/Bluetooth/MIDI/etc. but you won’t learn that until the next time you plug it in to charge it.
Apple does prompt their devices, and if memory serves that’s for the same reason: USB isn’t authenticated so they can’t easily tell that a device claiming to be an Apple keyboard actually is.
I'm aware the tools exist but how actively exploited is it? Prompting you doesn't help in scenarios like buying a compromised gadget off Craiglist or a finding a USB key on the ground. The user is going to accept the prompt anyways to use it to begin with.
Does it prompt you again if the USB devices firmware changes even while it's constantly plugged in?
The only scenario I can see this being helpful is if someone is able to sneak an extra USB device or compromised cable onto your dock/desktop without you noticing but also can't unlock the computer to click OK. I'd imagine for the vast majority of people, even those that leave their computer at work 100% of the time that this is something they'll never encounter except maybe as a prank where the guy in accounting plugs in an extra mouse to mess with you. Perhaps it's worth the option but should it be the default? Even then I'd imagine a lot of people blindly clicking OK anyways...
> The user is going to accept the prompt anyways to use it to begin with.
Some people will but some are going to ask why, changing this from a silent attack to one far more likely to be noticed and reported. That’s especially useful if you’re worried about widespread malware doing something like this to chain from a phone or some kind of IoT device to computers, or a factory in China being compromised but not noticing/caring until infected devices are all over Amazon.
Long term, the protocol needs hardening but things like this help make those kind of problems visible. Apple has a range of users from people who aren’t targeted to those worried about hostile corporations or governments, and as other attacks get harder things like this become more appealing so it’s not surprising to see it getting hardened.
It's difficult to say how common an attack is not having any visibility across other OSs and a hindrance (macOS) in the way. Same type of question with for example Secure Boot.
Objectively we'd be worse off without, OS-ignored.
It’s not foolproof but it gives people the opportunity to notice a problem and ask why something which isn’t a keyboard is trying to be one. The long-term fix is securing the USB protocol but when the deployed device count is measured in billions even a stopgap is useful.
Then don't use a fool picking up USB keys from the ground to argue for this act of a security theater!
> gives people the opportunity to notice a problem
But it doesn't do that because constant nagging dulls the senses. Also, how do you expect the users to learn that he needs to be on the alert for keyboard mimics? Is there an emphasis on this in the warning?
> long-term fix is securing the USB protocol but when the deployed device count is measured in billions even a stopgap is useful.
long-term has already arrived: USB protocol is ancient. Meanwhile the gap is still there post Ventura
> Then don't use a fool picking up USB keys from the ground to argue for this act of a security theater!
I didn't. Note the scenarios I gave included other things. Here's a good list to consider: one of your devices can be compromised in some other way (e.g. an IoT device which uses WiFi normally but charges or gets firmware updates over USB, a device which can be attacked via WebUSB & suborned), you have a friend / family member try to charge something unaware that their phone/tablet/etc. is compromised, or a device which you purchased unaware that it was compromised at the factory or while the previous owner had it.
Note that none of those require malice or targeting: harder variants of this problem would be things like someone dropping a USB drive with your company's logo on it in the parking lot. That's a relatively cheap attack but at least you presumably have professionals working to prevent it whereas most home users do not.
> But it doesn't do that because constant nagging dulls the senses.
Just how frequently do you connect new USB HIDs? The system doesn't re-prompt devices you've used before so it's less “constant nagging” than “a couple of times over the lifetime of the device”.
You appear to be having a very emotional reaction to this change – looking at your comment history shows a lot of anger and at least one time where you're angrily asking that Apple implement the current behaviour. I would suggest taking some time to cool down, think through what this actually does and some of the different scenarios other people have given you, and reconsider whether you really want to take such a strong position.
You did: "the OS vendor can’t know whether you’d pick up a USB key you find on the ground"
> Note the scenarios I gave included other things.
Sure, but also the thing I explicitly called out. Your other two examples fall into my second argument (though question re. the last one - are you certain the exploit necessarily triggers the prompt again for an already approved device?)
> Here's a good list to consider:
It's not a good list since it doesn't address the point that the popups for these would mostly be auto-accepted and even when read carefully would not convey the seriousness of the potential issue. What kind of family members do you imagine that would realize the device is compromised in your scenario of getting this prompt when plugging in for charging?
> Just how frequently do you connect new USB HIDs? The system doesn't re-prompt devices you've used before so it's less “constant nagging” than “a couple of times over the lifetime of the device”.
"Just how frequently do you get OS popups?" is the more relevant measure. Also, you've ignored the second point that is relevant regardless of frequency
> You appear to be having a very emotional reaction to this change – looking at your comment history shows a lot of anger and
Your ability to psychoanalyze is even worse that your ability to explain the supposed security benefits of this measure and...
> at least one time where you're angrily asking that Apple implement the current behaviour.
nope, you misunderstood that as well, didn't ask for it
So I'd suggest you get off the road of ad-hominems - it doesn't advance the argument (and also against HN guidelines)
The point is that most people have an incorrect threat model for USB devices _and_ that devices can be suborned in ways they don't expect. This policy is a compromise designed to deal with all of those problems, not just the one you deride, and if you want to rules lawyer I would suggest considering whether any “strongest plausible interpretation” requires trimming quotes like a creationist, not to mention whether a brusque and cursory dismissal of a security UI decision made by one of the top companies in both disciplines is a substantial contribution.
Here's a good example:
> What kind of family members do you imagine that would realize the device is compromised in your scenario of getting this prompt when plugging in for charging?
One scenario is certainly that the device is left logged in and unlocked and someone just hammers the Allow button without thinking about it but it's not the only one. Here are some obvious alternatives:
1. That friend or family member is just visiting and saw a USB-C port which they plugged their phone into. The device isn't unlocked so they get power but nothing else, and the device is never attacked.
2. That device is still connected but when the owner unlocks it, they see the prompt and deny access because they don't intend to connect their cousin's phone to their work computer, and perhaps tell them not to get them in trouble with their boss by using that port in the future.
3. You buy a USB-rechargeable light and plug it into your computer to charge while you're at your desk. It pops up the prompt and you reconsider what you know about this device because you know a light shouldn't need anything other power. Having seen one of the many movies or TV shows produced in the last 30 years which has a plot detail along these lines, you consider the possibility that it's something nefarious. People have read news stories about things arriving with malware for decades now, it's not especially unrealistic to think some fraction of users will pause when given the chance.
Yes, someone can make mistakes — this is true of every computer security measure, and it's why they're always layered rather than relying on a single check. An OS vendor has to design mechanisms which are suitable for a wide range of people and that's why the UI for this is configurable. Most people will be prompted very infrequently for this but if you have some unusual job where you plug in new USB devices all of the time you can follow the instructions given to turn off the prompt.
> So I'd suggest you get off the road of ad-hominems - it doesn't advance the argument (and also against HN guidelines)
It's not ad hominem to point out the problems with your argument. Multiple people in this thread have been trying to help you better understand the threat being countered and how the situation isn't as simple as your dismissals assume. I would strongly recommend trying to understand why you're not getting more positive reactions — it'll serve you far better than trying to bluster your way through or playing rules-lawyer.
> Now read the entire sentence for the context which you carefully removed for that quote:
There is no context to save it, the mistake remains: in the common situations you describe the poor user will not be helped with the prompt
> The point is that most people have an incorrect threat model for USB devices
Sure
> This policy is a compromise designed to deal with all of those problems
Except it does nothing of the sort. You've ignored this type of question a couple of times, maybe 3rd time is the charm: how would an ignorant user learn of the correct threat model from this prompt?
> if you want to rules lawyer I would suggest considering whether any “strongest plausible interpretation” requires trimming quotes like a creationist, not to mention whether a brusque and cursory dismissal of a security UI decision made by one of the top companies in both disciplines is a substantial contribution.
And I would suggest whether using more inflamatory terms about lawyering/creationist is repeating the same mistake. Also, there is no context to save your quote, so I don't understand which strongest interpretation would help you.
Argument from some company's authority is also rather weak
> One scenario is certainly that the device is left logged in and unlocked and someone just hammers the Allow button without thinking about it but it's not the only one.
Sure, but it's the most common scenario, so it's the one that matters most in evaluating this change!
> 1. The device isn't unlocked so they get power but nothing else, and the device is never attacked.
There is no prompt in this scenario, how is it relevant?
> 2. That device is still connected but when the owner unlocks it, they see the prompt and deny access
You know my response to this already since you referenced it earlier, but didn't understand it and also didn't bother to think about it when I pointed the misunderstanding out. Let me elucidate: this scenario doesn't justify prompts when a device is plugged into an unlocked laptop.
> 3. you know a light shouldn't need anything other power.
You know nothing of the sort, there is "Smart" written on the package, so of course it's expected for it to communicate with the computer! We're living in the future after all where even your toaster has a wi-fi!
> Having seen one of the many movies or TV shows produced in the last 30 years which has a plot detail along these lines, you consider the possibility that it's something nefarious.
Yeah, this is exactly the mythical consumer I argued against - learning about computer security from pc-illiterate TV shows!
> An OS vendor has to design mechanisms which are suitable for a wide range of people and that's why the UI for this is configurable.
This is not suitable for a wide range of people. It's suitable for the tiny minority knowledgable about these type of attacks (and you can't learn about them form the prompt itself, the OS vendor knows best!) while negatively impacting everyone else
> It's not ad hominem to point out the problems with your argument.
That's not what you did, instead you've made up an angry emotional state as the explanation
> Multiple people in this thread have been trying to help you better understand the threat being countered and how the situation isn't as simple as your dismissals assume.
Right after I'm convinced that multiple people can't repeat mistakes
https://shop.hak5.org/products/usb-rubber-ducky
More importantly, it puts you one hack away from arbitrary code execution. That device is a dedicated testing tool but there are tons of USB devices which have vulnerable firmware, and the OS vendor can’t know whether you’d pick up a USB key you find on the ground, buy a gadget off of Craigslist, or maybe you care about security but not enough to stop using Google Chrome and it turns out that one of your attached devices is exploitable via WebUSB/Bluetooth/MIDI/etc. but you won’t learn that until the next time you plug it in to charge it.
Apple does prompt their devices, and if memory serves that’s for the same reason: USB isn’t authenticated so they can’t easily tell that a device claiming to be an Apple keyboard actually is.