[mjg59]

And a thing you can do for machines that have built-in keyboards is refuse to enable new HID devices until the user provides affirmative consent. The people who have reason to care about these attacks have defenses, and research that demonstrates those defenses are incomplete is useful research.

[zinodaur]

Yeah thats a good point - I personally have the bad habit of clicking "yes" to that dialogue whenever I see it, since it does sometimes spuriously appear. I certainly wouldn't attempt a teardown of all of the equipment currently plugged into my machine when I saw a message like that. Do you know if HIDs can impersonate other HIDs? E.g., if you attached a dongle to a usb keyboard, could that dongle claim the identity of the keyboard and thereby avoid the prompt?

My favorite "security interface failure" is the fact that OSX apps frequently demand a user login and password in a popup window. E.g., Slack does this. It would be so easy for an app render this popup (even on a webpage!) and I would totally type my password into it. I feel like the only answer to this is to have a sacred corner of the screen that only the OS is allowed to write to

[erik_seaberg]

This is why NT had a "secure attention key" (ctrl-alt-del) that couldn't be intercepted by an app that might try to display a fake login screen.