33 replies to this topic

[Ankur.k1991]

how to make write protected pen drive for every system & every time.?????

[MedEvil]

Buy one with a write protect switch. Imation Swivel for instance.

[doveman]

I think I've got a better idea, considering how hard it is to find a write protected stick these days (and the extra cost if you can).

 

1. Get a normal stick and boot encrypt it with Truecrypt. Then no-one will be able to mess with the files, as they won't be able to access them.

 

2. Use grub4dos to load read-only ISO's (such as Tails with --mem to load them fully into RAM.

 

That's pretty much it. When booting, you can test Truecrypt by entering an invalid password once or twice before the correct one, so that if anyone has replaced the Truecrypt bootloader with a fake one to make you think it was still encrypted and untampered with, it will be obvious. If that checks out, you can be sure that the ISO you then boot with grub4dos is the one you put on the stick originally.

[Wonko the Sane]

I think I've got a better idea, considering how hard it is to find a write protected stick these days (and the extra cost if you can).

Maybe it's a "better" idea, but doesn't fulfill most of the needs why one would want a read only stick, which mainly is "be sure that nothing, included virii/malware or manual intervention can alter the contents".

If you MD5 the stick and/or .iso files on it (example) you will also know if something has been modified, but that only allows knowing that it has been modified, not preventing it from being modified.

 

Wonko

[doveman]

Maybe it's a "better" idea, but doesn't fulfill most of the needs why one would want a read only stick, which mainly is "be sure that nothing, included virii/malware or manual intervention can alter the contents".

If you MD5 the stick and/or .iso files on it (example) you will also know if something has been modified, but that only allows knowing that it has been modified, not preventing it from being modified.

 

Wonko

Ah but my "better idea" does prevent the contents being modified more than just MD5'ing it, as someone would have to either crack Truecrypt to get to the files to modify them (which is rather more tricky (probably impossible) than simply editing/replacing a file on an unencrypted stick).or just format the stick (which obviously does modify all the contents but doesn't serve much purpose other than to annoy someone). Unless the enemy somehow knew exactly what files you had in your TC container, it's going to be rather obvious to the user if they replace the boot loader with a fake one (tested using wrong password or just put something unique in the g4d menu that will be noticeable if missing) and then once decrypted it doesn't contain the right files, so that's a non-starter 

 

An MD5'd stick wouldn't prevent access to or modifying the files at all, although it would make it obvious if they had been modified but it's a lot more effort for the user to keep checking it as compared to just using Truecrypt.

 

Don't write-protect sticks just have a slide-switch on them to enable/disable it anyway, which isn't much protection, in which case I upgrade my suggestion to a "much better idea" 

 

EDIT: Although if we're worried about virii/malware altering files, rather than a hacker, then sure, if the user puts his stick in random computers and then decrypts the TC container, anything on that PC could then mess with those files. If he boots from the stick though and knows that the ISO he's booting is clean, then it would be quite unlikely that anything would do so. Obviously it's not impossible to boot into a non-persistent Linux or Tails ISO and then open a webpage that edits/replaces that or another ISO on the stick but I'm not aware that this is a real-world threat.

[Wonko the Sane]

No. we are still far from reaching a common meaning of the common utility of a Read Only device.

 

To me something that is Read Only is read only, and that cannot be modified (by malicious people/programs) but that CANNOT ALSO be corrupted (by the same malicious people/programs or by a demented user, or by mistake, or by a malfunctioning of the OS or of a "rightful" program).

 

You are about something that cannot be tampered with, adding or modifying or deleting files by someone which is maliciously willing to without you knowing,

What I see as an issue is more data corruption (that most often happens by mistake and not because of a malicious hacker/whatever).

 

If you prefer, if you give me your Truecrypted stick, I can maliciously modify it in less than 1 second in such a way that you will never be able to retrieve any data from it, AND the same exact effect can be done by *any* program that has direct disk access by mistake and all you know after is that the data has been corrupted.

Exactly the same can happen without using Truecrypt by hashing the files or filesystem.

On a Read Only stick this CANNOT happen (because it is Read Only).

 

Wonko

[doveman]

No. we are still far from reaching a common meaning of the common utility of a Read Only device.

 

To me something that is Read Only is read only, and that cannot be modified (by malicious people/programs) but that CANNOT ALSO be corrupted (by the same malicious people/programs or by a demented user, or by mistake, or by a malfunctioning of the OS or of a "rightful" program).

 

You are about something that cannot be tampered with, adding or modifying or deleting files by someone which is maliciously willing to without you knowing,

What I see as an issue is more data corruption (that most often happens by mistake and not because of a malicious hacker/whatever).

 

If you prefer, if you give me your Truecrypted stick, I can maliciously modify it in less than 1 second in such a way that you will never be able to retrieve any data from it, AND the same exact effect can be done by *any* program that has direct disk access by mistake and all you know after is that the data has been corrupted.

Exactly the same can happen without using Truecrypt by hashing the files or filesystem.

On a Read Only stick this CANNOT happen (because it is Read Only).

 

Wonko

OK but if you give me your write-protected stick I can maliciously modify it just as quickly (maybe 1 extra second to move the read-only switch).

 

Now I appreciate that if the user keeps control of the stick and doesn't disable the write-protection, then malicious programs or accidental operations can't do any damage to the files. However, couldn't the user also prevent this by booting an OS ISO that doesn't permit write-access to the device?

 

I guess it's possible that a malicious program could possibly toggle whatever OS-level switch prevents write-access but depending on the OS and how it's configured, perhaps this risk can effectively be eliminated (either by requiring root privileges or by modifying the OS files to make it impossible to enable write-access).

[Wonko the Sane]

OK but if you give me your write-protected stick I can maliciously modify it just as quickly (maybe 1 extra second to move the read-only switch).

No, you cannot.

Mainly because to have a (partially) Read Only stick I don't use switch protected sticks but rather use the two Lun's approach to make one of the two devices Read Only through the Manufaturer's Tool.

 

Wonko

[doveman]

No, you cannot.

Mainly because to have a (partially) Read Only stick I don't use switch protected sticks but rather use the two Lun's approach to make one of the two devices Read Only through the Manufaturer's Tool.

 

Wonko

OK but I was suggesting an alternative to MedEvil's suggestion to buy a stick with a write-protect switch.

 

So your stick might take me a few more seconds to make it write-enabled (by undoing whatever you did with the manufacturer's tool) but it's still no more write-proof (from a malicious person) than a Truecrypt encrypted stick.

[MedEvil]

OK but if you give me your write-protected stick I can maliciously modify it just as quickly (maybe 1 extra second to move the read-only switch).

Aside from Wonkos Lun trick, which i use too. If i wanted to give you a stick, which is temper proof, it would for sure no longer have a working switch to disable write protection.

I guess it's possible that a malicious program could possibly toggle whatever OS-level switch prevents write-access but depending on the OS and how it's configured, perhaps this risk can effectively be eliminated (either by requiring root privileges or by modifying the OS files to make it impossible to enable write-access).

So you would rather rewrite an OS than to use a simple hardware switch?

btw. And just for the record, ALL USB-Sticks can be write protected. The necessary hardware exists in all. Manufacturers just stopped including an accessible switch, because too many moron users enabled write protection by accident, and then claimed their stick was broken.

[MedEvil]

So your stick might take me a few more seconds to make it write-enabled (by undoing whatever you did with the manufacturer's tool) but it's still no more write-proof (from a malicious person) than a Truecrypt encrypted stick.

Damn! There are just non so blind, as those who just don't want to see.
Every moron can kill your true crypt container. No biggy!
Finding the right - and properly using the manufacturers tool on the other hand, is so complicated, that we have to give support to even seasoned technicians here.

[doveman]

Aside from Wonkos Lun trick, which i use too. If i wanted to give you a stick, which is temper proof, it would for sure no longer have a working switch to disable write protection.

So you would rather rewrite an OS than to use a simple hardware switch?

btw. And just for the record, ALL USB-Sticks can be write protected. The necessary hardware exists in all. Manufacturers just stopped including an accessible switch, because too many moron users enabled write protection by accident, and then claimed their stick was broken.

Sure, if you never ever want to be able to modify the files yourself and will just throw away the stick and buy a new one if you need to change something, then you can break the switch.

 

I was looking at it from a different point of view though, where I want to be sure of the integrity of the files (i.e. someone hasn't got hold of my stick and tampered with them and/or preventing malware from being able to modify them whilst I'm running an OS booted from the stick) but still able to modify them if I wish.

 

No I wouldn't rather rewrite an OS (which is not what I said anyway, I said maybe write-access can be disabled and require root privileges to re-enable, or some file could be modified, neither of which amounts to rewriting an OS) than use a switch, I'd rather use Truecrypt as that suits my purposes adequately.

 

It obviously depends on what one's trying to achieve (and Ankur hasn't come back to clarify) so there isn't one "right" answer, just possibilities

[doveman]

Damn! There are just non so blind, as those who just don't want to see.
Every moron can kill your true crypt container. No biggy!
Finding the right - and properly using the manufacturers tool on the other hand, is so complicated, that we have to give support to even seasoned technicians here.

This from the guy who can't "see" that using Truecrypt is a lot simpler than manually MD5 hashing and verifying the files everytime to check the integrity of the stick. Where do you store the hash and MD5 program anyway? They can't be on the stick as they could have been tampered with, so you'd have to verify the hash on another secure system before booting from the stick every time, which is hardly practical. Using Truecrypt, you'll know just from booting the stick on any system whether it's been tampered with or not.

 

As for whether it's as difficult to write-enable your stick as you make out or not, considering that your claim was that "I can maliciously modify it in less than 1 second in such a way that you will never be able to retrieve any data from it" I (and any "moron") can achieve the same thing by throwing your stick away somewhere or breaking it into pieces, so there's actually no way to protect the data on any stick from being lost.

[Wonko the Sane]

I might add that *any* stick can be made Read Only by adding a switch to it.

It is not like those with the actual switch have a "special" chip/controller.

Most (if not all) controllers do have a line on which (very few) stick manufacturers put the little switch, it's just a matter of open the stick, find the line on the schematics/docs of the controller and put a switch on it.

Sorry  just noticed that Medevil already posted this info , please ignore the above.

 

@doveman

For the record, I patented the SH-1 degaussing device quite a lot of time ago, JFYI :

http://reboot.pro/to...e-7#entry123099

 

Wonko

[MedEvil]

This from the guy who can't "see" that using Truecrypt is a lot simpler than manually MD5 hashing and verifying the files everytime to check the integrity of the stick.

Please don't confuse Wonko and me. I don't use hash checking.

As for whether it's as difficult to write-enable your stick as you make out or not, considering that your claim was that "I can maliciously modify it in less than 1 second in such a way that you will never be able to retrieve any data from it" I (and any "moron") can achieve the same thing by throwing your stick away somewhere or breaking it into pieces, so there's actually no way to protect the data on any stick from being lost.

Now you're just being ridiculous.
No, write protection does not protect against theft or destruction, but i thought that goes without saying.

As for your truecrypt container solution.
I would rather loose just some files, than all, in case of a virus.
So using any container is imo actually worst, than doing nothing.

On protection in general:
- Encrypting is used for data, which should rather be lost, than read by the wrong person.
- Write protection is used, to protect data from being altered.
- Backup is used for Data, which shall never be lost.

One can combine them, but never ever replace one with the other.

[Wonko the Sane]

Please don't confuse Wonko and me. I don't use hash checking.

And not even Wonko uses it (it was just an example).

 

About protection/encryption, I agree 100% with you, I may add some notes or  "tree of decisions":

http://reboot.pro/to...bartpe/?p=80938

 

Wonko

[llbranco]

you can fill all unused space with a dummy file

or put a truecrypt portalbe and make a ~truecrypt file~ with the exact size of your free space!
 

i was search for "how to make a hard switched stick" but no sucess with it

 

or if your stick is bootable (only for sticks) you can put all your boot files on the 2nd partition and enable PBR on it, so your 2nd partition can`t be used by windows systems (without modified\hacked "usb mass storage driver")

its a kinda easy to do with grub or grub4dos, but remember you need to defrag your ISO/IMG files so you need to modify your "usb mass storage driver" and it is a little hard to do

 

 

 

good luck!

[GoFigure]

 

Mainly because to have a (partially) Read Only stick I don't use switch protected sticks but rather use the two Lun's approach to make one of the two devices Read Only through the Manufaturer's Tool.

 

Wonko

 

 

I did a google search and can't find info on how to setup a drive as you have described.  Can you provide instructions or point me to a page that explains how to setup two luns on a flash drive.   Thank you.

[MedEvil]

i was search for "how to make a hard switched stick" but no sucess with it

1. - Figure out what kind of controller your stick uses. (search the net / open the stick)
2. - Get the pinout for the controller and check which pin controls write protect.
3. - Attach / solder a tiny switch to the PCB of the stick.

Hope this helps.

[Wonko the Sane]

Get Chipgenius AND the other similar "ID tools" from here:

http://www.usbdev.ru/files/

Find the controller in your stick.

 

@libranco

Find the actual chipset schematics AND compare it to the actual layout of your stick

 

@Gofigure

Find the actual Manuifacturer Tool suitable for your stick controller (though not *all* controllers can provide two LUN's *most* will) and use it to create a first LUN a CD device (to which you "dd" with the tool itself your Read Only .iso image) and the rest of the stick (second LUN) as "normal" device.

Follow this thread as an example:

http://www.911cd.net...showtopic=24742

 

@both

Please do understand that BOTH your wishes represent VERY ADVANCED topics and are NOT something "safe", "suitable for newbies" or "easy", your mileage may well vary depending on your current knowledge, respectively, of hardware and software, besides some abilities to translate from Russian or Chinese, which are the languages in which most of the relevant info is written.

 

Wonko

[doveman]

Please don't confuse Wonko and me. I don't use hash checking.

Now you're just being ridiculous.
No, write protection does not protect against theft or destruction, but i thought that goes without saying.

As for your truecrypt container solution.
I would rather loose just some files, than all, in case of a virus.
So using any container is imo actually worst, than doing nothing.

On protection in general:
- Encrypting is used for data, which should rather be lost, than read by the wrong person.
- Write protection is used, to protect data from being altered.
- Backup is used for Data, which shall never be lost.

One can combine them, but never ever replace one with the other.

Sorry about that, I thought I was replying to Wonko there  , partly because you quoted my earlier reply to him, challenging his suggestion that my truecrypt stick is vulnerable to data destruction whilst his read-only stick isn't.

 

Why makes you think that a non-truecrypt stick affected by a virus would only destroy some of your files? Do you think viruses look at the stick and go "oh, it's not a truecrypt-encrypted stick, we'll just erase a few files"? Sure, a virus might only need to alter a single block of data to make a truecrypt container unusable but it could equally destroy all your unencrypted files before you noticed. That's why we have backups

[doveman]

On protection in general:
- Encrypting is used for data, which should rather be lost, than read by the wrong person.
- Write protection is used, to protect data from being altered.
- Backup is used for Data, which shall never be lost.

One can combine them, but never ever replace one with the other.

I might add that, as I've already explained, encryption can also be used to protect data from being altered, at least not without alerting the user, so it's not just for preventing it being read by the wrong person but also from being altered (not completely destroyed) by the wrong person as well.

[Wonko the Sane]

Why makes you think that a non-truecrypt stick affected by a virus would only destroy some of your files? Do you think viruses look at the stick and go "oh, it's not a truecrypt-encrypted stick, we'll just erase a few files"? Sure, a virus might only need to alter a single block of data to make a truecrypt container unusable but it could equally destroy all your unencrypted files before you noticed. That's why we have backups 

Well, here you are not much logical, allow me.

As Medevil stated a "container" (let's set aside if crypted or not) is evidently (IF changing a single byte or a single sector of it is enough to corrupt it beyond recovery) a "larger" (and "easier") target for *anything*, including a hardware or software failure of any kind. 

On the exact opposite a zillion plain text files are obviously the best thing, in the sense that even if partially corrupted they can usually be rebuilt.

 

Wonko

[MedEvil]

I might add ...

I give up!

[doveman]

Well, here you are not much logical, allow me.

As Medevil stated a "container" (let's set aside if crypted or not) is evidently (IF changing a single byte or a single sector of it is enough to corrupt it beyond recovery) a "larger" (and "easier") target for *anything*, including a hardware or software failure of any kind. 

On the exact opposite a zillion plain text files are obviously the best thing, in the sense that even if partially corrupted they can usually be rebuilt.

 

Wonko

I don't thing you're being very logical there actually, besides the fact that I was specifically addressing the possibility of a virus, which is what MedEvil raised, not "hardware or software failure of any kind" which you've added to confuse the issue.

 

With a virus, there's no reason why it would restrict itself to partially corrupting your zillion plain text files, rather than erasing them beyond recovery. Sure, it would take less time for a virus to change a single byte/sector of a container file, assuming that is enough to corrupt it beyond recovery, which it probably is unless it's only the header and the user has been sensible enough to back that up (talking about Truecrypt here) but virus' generally don't show a popup saying "I'm erasing all your files", so there's every chance that it could do so without you noticing until it's too late.