How long can you trust your Tor-on-a-USB-stick package?

Thursday, April 5th, 2007 at 11:23 pm.

The paranoid answer: once. I’ve written about how you can make your own Tor-on-a-USB stick package by pieceing together the parts you need (Tor, Privoxy and a browser like Opera). But a minor detail didn’t even cross my mind until I read a short post about security at polysyncronism.com about the issue of can you trust .exe files?

Well, can you? You can trust what is on your Tor-USB keystick if you compiled the .exe files on it or downloaded them from trusted sources (like the software vendor’s site and verified the archives signatures), but for how long?

Consider this: I run a Internet caf’s, the adversary finds some way to get to me, he asks me to run a piece of software on all the café’s machines, you come by, this program installs something bad on the .exe files when a USB device is mounted, now you’re screwed.

Well, you’d be anyway if the attacker is running bad software on the Internet café you’re stopping by with your Tor on a USB stick, but the key point here is that now your Tor-USB keystick is compromized. So. You should only trust that the software is intact until you have used it at a untristed computer. Then you need to wipe it and reinstall your Tor-USB package.

Does it sound paranoid? Perhaps. But re-installing your USB package when you come home or get to a trusted computer is yet another one of the many better safe than sorry measures you should take if you’re using Tor when you’re at public places – I mean, if you have a reason to do that in the first place then you’ve also probably got a good reason to make sure it actually does what you think it does. And just another short related security tip: A computer can write to USB filesystems when they are connected, but they can’t write to CDs. A live-cd is bigger, less practical and slightly less accepted at libraries and café’s, but you can use those more than once without having to wonder if the computer you just used put something nasty in the .exe files on it.

Leave a Reply

Your email address will not be published. Fields marked * are required.

To prove you're a person (not a spam script), type the security text shown in the picture. Click here to regenerate some new text.
Anti-spam image

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

livelyblog.com | Random blog | Login | Get your own blog | ^^^