How long can you trust your Tor-on-a-USB-stick package?

Thursday, April 5th, 2007 at 11:23 pm.

The paranoid answer: once. I’ve written about how you can make your own Tor-on-a-USB-stick package by piecing together the parts you need (Tor, Privoxy and a browser like Opera). But a minor detail didn’t even cross my mind until I read a short post about security at polysyncronism.com that asks: can you trust .exe files?

Well, can you? You can trust what is on your Tor-USB keystick if you compiled the .exe files on it yourself, or downloaded them from trusted sources (like the software vendor’s site) and verified the archives’ signatures. But for how long?

Consider this: I run an Internet café. The adversary finds some way to get to me and asks me to run a piece of software on all the café’s machines. You come by, and this program installs something bad in the .exe files when a USB device is mounted. Now you’re screwed.

Well, you’d be anyway if the attacker is running bad software at the Internet café you’re stopping by with your Tor on a USB stick, but the key point here is that now your Tor-USB keystick itself is compromised. So you should only trust that the software is intact until you have used it at an untrusted computer. Then you need to wipe it and reinstall your Tor-USB package.

Does it sound paranoid? Perhaps. But reinstalling your USB package when you come home or get to a trusted computer is yet another one of the many better-safe-than-sorry measures you should take if you’re using Tor in public places. I mean, if you have a reason to do that in the first place, then you’ve probably also got a good reason to make sure it actually does what you think it does. And just another short related security tip: a computer can write to a USB filesystem when it is connected, but it can’t write to a CD. A live CD is bigger, less practical and slightly less accepted at libraries and cafés, but you can use one more than once without having to wonder if the computer you just used put something nasty in the .exe files on it.
