On 6/17/07, Rony ronbillypop@yahoo.co.uk wrote:
Since the user is logged in as 'user', anyway the OS would ask for root privileges to load the auto-loading drivers. That security part if not existing today, can be added in the interpretors that are created for each OS and installed once.
True. But visualize the scenario in both cases:
For self-loading USB: You plug in the device and you get a message "Please enter your root password so that I can install the drivers for this device". That device could be your new MP3 player or your camera. Then again it could also be your friends USB memory stick that may have dirtied itself somewhere and is actually asking you for root password to get its dirt on you rather than just the driver. You will not know the difference.
A corollary to the above -- A virus is loaded into this friends USB memory stick that asks for root password every time the device is plugged in. The user will assume that the device wasn't installed 'properly' and hence unwittingly give away his password.
For the regular process: The driver installation takes place from a trusted media -- the manufacturers CD or from the OS's repository. So while installing the driver you get asked for your root password. The process of installing an external driver is hence distinctly different from the way in which the device would be used regularly. This more or less eliminates (or at least, makes difficult) another infection route.