On Tue, Oct 10, 2017, at 05:39 PM, Whitey wrote:
> Pete Stephenson wrote:
> > On Mon, Oct 9, 2017, at 06:53 PM, Stefan Claas wrote:
> >> I read once here on the Mailing List that one should only use
> >> trusted USB devices, whatever that means, when using a USB
> >> device.
> >
> > If you must use USB devices for some reason, take a look at the
> > <https://www.kanguru.com/storage-accessories/kanguru-flashtrust-secure-firmware.shtml>
> > flash drive.
> >
> > It's designed specifically to protect against "badUSB", where the
> > controller and firmware can be compromised. The controller has the
> > developer's public key baked in during manufacture. The firmware is
> > signed and can only be loaded once (no provision is made for
> > in-the-field firmware updates). The controller verifies the firmware and
> > its signature at every power-on. If a malicious actor had physical
> > access and re-flashed the firmware, the controller would notice and fail
> > to load.
> >
> > It also has a physical write-protect switch that can prevent unwanted
> > writes.
>
> Since a flash drive is a read/write device, when would writes be
> unwanted? When should I use this?

Vague answer: that depends on your threat model.

When interacting with an untrusted system, you may not want the untrusted system to be able to write data to the USB drive that might also be used on the trusted system.

In my use case, I was more interested in the novelty and principle of having a signed, verified firmware running on the device that is not vulnerable to the badUSB attack. The write protect switch is actually a bit of a hassle for me, as the screen printing indicating which position is read-only has worn off with use, so I always accidentally set it to read-only when I want it in read/write mode (in much the same way that all USB plugs exist in a superposition of multiple states, all aligned the wrong way). :)

--
Pete Stephenson

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
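
Added example, not part of the original message or of any vendor tooling: a shell check, run on the trusted Linux machine, that confirms the write-protect switch is really in the read-only position before the drive is carried to an untrusted system. It assumes the drive reports the switch state to the kernel so that it shows up in `/sys/block/<dev>/ro`; the function names and the `sdb` device name are hypothetical.

```shell
#!/bin/sh
# Locations are overridable so the logic can be exercised against a
# constructed tree; the defaults are the real Linux paths.
SYSFS="${SYSFS:-/sys/block}"
MOUNTS="${MOUNTS:-/proc/mounts}"

# wp_state DEV -> prints one of: absent, read-only, read-write
# (assumption: the drive exposes its switch state via the kernel's ro flag)
wp_state() {
    dev="$1"
    [ -r "$SYSFS/$dev/ro" ] || { echo absent; return 0; }
    if [ "$(cat "$SYSFS/$dev/ro")" = "1" ]; then
        echo read-only
    else
        echo read-write
    fi
}

# rw_mounts DEV -> prints mount points of DEV or its partitions mounted rw
rw_mounts() {
    dev="$1"
    [ -r "$MOUNTS" ] || return 0
    while read -r src target _fstype opts _rest; do
        case "$src" in
            "/dev/$dev"|"/dev/$dev"[0-9]*) ;;
            *) continue ;;
        esac
        case ",$opts," in
            *,rw,*) echo "$target" ;;
        esac
    done < "$MOUNTS"
}

# safe_for_untrusted DEV -> succeeds only if the kernel sees the drive as
# write-protected and no filesystem on it is mounted read-write.
safe_for_untrusted() {
    [ "$(wp_state "$1")" = "read-only" ] && [ -z "$(rw_mounts "$1")" ]
}

# Usage: sh check-wp.sh sdb   (script name and device are placeholders)
if [ $# -gt 0 ]; then
    echo "$1: $(wp_state "$1")"
    safe_for_untrusted "$1" || echo "$1: NOT write-protected" >&2
fi
```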