On 6/18/07, Anant Narayanan anant@kix.in wrote:
...which is no different than a driver CD faking a trojan install. You could easily develop a protocol to instruct the OS to only listen to what the program on the ROM says, probably with a checksum to verify its integrity.
You're spot on in case of a new device you'll install. Consider a situation where you're using a device for which you already have a driver installed, has been used elsewhere and has been infected. The device is plugged in and the user gets a pop-up saying that it needs to install the driver for the device to work. The user will simply assume that the driver somehow got corrupt and will gladly put in the password to get the pop-up off his face.
In case of drivers separate on CD, the driver installation procedure is completely different from normal usage procedure, hence it is difficult (impossible?) to mix the two. Also, if you have a trojan'ed CD then you've not used the original manufacturers CD.
The bottom-line is that you have to trust the manufacturer of your product.
Best, use a Free (mukt) driver or device that uses a mukt driver.