> On Sep 30, 2025, at 9:35 AM, JOSEPH WILLIAM BAKER® via Tails-dev
> <[email protected]> wrote:
>
> Two department heads within a reclamation department of the US Department of
> Defense told me circa 2013 that SAP had discovered a wireless vulnerability
> in USB memory sticks.
>
> I know you guys lean heavily on using USB memory sticks to boot your live
> linux distribution, thinking it's safe from spying, but nothing could be
> further from the truth.
>
> I recommend instead using a live DVD with the kernel option TORAM used to
> load your OS. Then figure out a way to mount your storage over the network
> from somewhere else. Perhaps with a ram drive overlay.

Requiring the use of a DVD makes no sense, because very few people could use the result. "There are no brand-new mainstream laptops with CD-DVD drives" per <https://www.laptopmag.com/articles/laptops-with-cd-dvd-drives>. This has been true for years. The same page recommends getting an external DVD drive to pair with a laptop. There are *some* options, as listed on that page. But since DVDs are often considered obsolete for storage, DVD readers/writers are specialty items not available to many.

> The DOD does not allow usb Flash Drives on its networks. It might be
> advisable to follow their policies for data management.

The *primary* reason they did that in 2008 was to prevent running malware on removable devices:
https://www.hill.af.mil/News/Article-Display/Article/398063/violating-usb-ban-racks-up-risks/
https://www.washingtonpost.com/wp-dyn/content/article/2010/08/24/AR2010082406154.html?hpid%3Dtopnews&sub=AR
https://spectrum.ieee.org/dod-confirms-flash-drive-breached-its-it-security-in-2008
https://www.washingtontechnology.com/2010/02/dod-details-strict-flash-drive-rules/348331/

Note that *anything* insertable late, including DVDs, was cause for worry. I believe DVDs had the same restrictions, though DVDs were much less common in 2008 than USB sticks, & so that wasn't noted as much.

The ban is less strict as of 2010 because they've configured their OSes to restrict running code on them:
https://www.washingtontechnology.com/2010/02/dod-details-strict-flash-drive-rules/348331/

They also worry about data being exfiltrated on the USB stick (as noted above).

A Tails user is *trying* to run the software on the stick, so it's a completely different situation than what the DoD is doing.

It's true that something that *looks* like a normal USB stick can be malicious (via a hardware supply chain attack where the user is given a malicious device).

I think the Tails developers are presuming that the Tails user is *trying* to be secure, and thus will try to choose USB sticks that are unlikely to be subverted hardware.

There *is* a risk that if you order online, a well-resourced adversary could swap the device en route & give you a malicious device. However, if you're buying USB sticks in a way that makes it hard to create a targeted attack (to give you a "special" USB stick), that's not a huge threat. There's an easy solution if you're targeted: walk in to a reputable store, pick one off the rack, and buy it right there. It doesn't cost much & it's hard to target. This also deals with many counterfeit problems.

A bad USB stick will give any user a bad experience, so it might be a good idea for the Tails front page to more clearly provide guidance on getting good USB sticks.

If *all* USB sticks can be remotely controlled, there are bigger security issues.

--- David A. Wheeler
