The paranoid answer: once. I’ve written about how you can make your own Tor-on-a-USB stick package by piecing together the parts you need (Tor, Privoxy and a browser like Opera). But a minor detail didn’t even cross my mind until I read a short post about security at polysyncronism.com on the question: can you trust .exe files?
Well, can you? You can trust what is on your Tor-USB keystick if you compiled the .exe files on it or downloaded them from trusted sources (like the software vendor’s site, and verified the archives’ signatures), but for how long?
Consider this: I run an Internet café, the adversary finds some way to get to me, and he asks me to run a piece of software on all the café’s machines. You come by, and this program installs something bad on the .exe files when a USB device is mounted. Now you’re screwed.
Well, you’d be anyway if the attacker is running bad software at the Internet café you’re stopping by with your Tor on a USB stick, but the key point here is that now your Tor-USB keystick is compromised. So. You should only trust that the software is intact until you have used it at an untrusted computer. Then you need to wipe it and reinstall your Tor-USB package.
Does it sound paranoid? Perhaps. But re-installing your USB package when you come home or get to a trusted computer is yet another one of the many better-safe-than-sorry measures you should take if you’re using Tor when you’re at public places. I mean, if you have a reason to do that in the first place, then you’ve also probably got a good reason to make sure it actually does what you think it does. And just another short related security tip: a computer can write to USB filesystems when they are connected, but it can’t write to CDs. A live CD is bigger, less practical and slightly less accepted at libraries and cafés, but you can use those more than once without having to wonder if the computer you just used put something nasty in the .exe files on it.