Topic: Using a CD or DVD rather than USB
RBell (OP)
April 21, 2015, 10:06:03 PM
 #1

Hello all,

I might just be paranoid, but with the BadUSB exploit and the recent NSA firmware hacks, I was thinking of a way to use Armory offline without a USB.  Someone mentioned to me that it is possible to use a CD to transfer the signed transaction back to the online computer for broadcasting, and I was wondering if someone here could help explain that to me.

Thanks!
Carlton Banks
April 21, 2015, 10:33:15 PM
 #2

The rationale is that CDs can be burnt read-only, and therefore are not as dangerous as USB devices (the BadUSB is stored in the USB firmware and so could perhaps provide false reports of the contents of the USB storage to a request from file explorer software).

So you devise a transaction on your online machine, burn the unsigned transaction to a CD-ROM, open the unsigned transaction on your offline machine using Armory, sign it, burn the signed transaction to a CD-ROM, open the signed transaction on your online machine using Armory, broadcast.

Vires in numeris
RBell (OP)
April 22, 2015, 04:50:53 AM
 #3

Quote from: Carlton Banks on April 21, 2015, 10:33:15 PM
> The rationale is that CDs can be burnt read-only, and therefore are not as dangerous as USB devices (the BadUSB is stored in the USB firmware and so could perhaps provide false reports of the contents of the USB storage to a request from file explorer software).
>
> So you devise a transaction on your online machine, burn the unsigned transaction to a CD-ROM, open the unsigned transaction on your offline machine using Armory, sign it, burn the signed transaction to a CD-ROM, open the signed transaction on your online machine using Armory, broadcast.

That's great, thank you!

Armory should include this tip on their website!
Carlton Banks
April 22, 2015, 10:59:42 AM
 #4

Bear in mind that this is not an infallible scheme. You're transferring information from a semi-trusted domain to a trusted domain, so if some malware can make a trojan out of an unsigned transaction file, then you're just as exposed to threats as when using USB storage. These transactions are tiny plaintext files, so it should be easy to spot an unsophisticated attack.

Also, comprehensive disabling of Storage Autorun features is just as important when using CDs/DVDs for this purpose as it is when using USB Storage devices.

Vires in numeris
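
A sketch of the checks post #4 points to (the transaction file is tiny plaintext, and nothing on the disc should auto-start), added here as an example; it is not part of the thread and not Armory code. The function names, the 64 KiB ceiling, the autorun filename list and the sample files are assumptions made for illustration.

```python
import os
import stat
import string
import tempfile

MAX_TX_BYTES = 64 * 1024  # assumed ceiling for a "tiny plaintext file"
# Assumed list: names that Windows or Linux desktops may auto-start from media.
AUTORUN_NAMES = {"autorun.inf", "autorun", ".autorun", "autorun.sh"}
PRINTABLE = set((string.ascii_letters + string.digits
                 + string.punctuation + " \t\r\n").encode())

def inspect_disc(mount_point, tx_name):
    """Return a list of findings; an empty list means nothing stood out."""
    findings = []
    for root, dirs, files in os.walk(mount_point):
        for name in dirs + files:
            rel = os.path.relpath(os.path.join(root, name), mount_point)
            if name.lower() in AUTORUN_NAMES:
                findings.append(f"autorun trigger present: {rel}")
            elif rel != tx_name:
                findings.append(f"unexpected extra entry: {rel}")
    path = os.path.join(mount_point, tx_name)
    if not os.path.lexists(path):
        return findings + ["transaction file missing"]
    st = os.lstat(path)  # lstat so a symlink is reported, not followed
    if not stat.S_ISREG(st.st_mode):
        return findings + ["transaction file is not a regular file"]
    if st.st_size > MAX_TX_BYTES:
        return findings + [f"transaction file too large: {st.st_size} bytes"]
    with open(path, "rb") as fh:
        data = fh.read()
    bad = sorted({b for b in data if b not in PRINTABLE})
    if bad:
        shown = " ".join(f"0x{b:02x}" for b in bad[:8])
        findings.append(f"non-printable bytes: {shown}")
    return findings

def demo():
    """Inspect two constructed disc layouts built in temporary directories."""
    with tempfile.TemporaryDirectory() as clean, \
         tempfile.TemporaryDirectory() as dirty:
        with open(os.path.join(clean, "tx.txt"), "w") as fh:
            fh.write("constructed placeholder, not a real Armory file\n")
        with open(os.path.join(dirty, "tx.txt"), "wb") as fh:
            fh.write(b"constructed\x00\x7fELF\n")
        open(os.path.join(dirty, "autorun.inf"), "w").close()
        return inspect_disc(clean, "tx.txt"), inspect_disc(dirty, "tx.txt")
```

A clean result only rules out the unsophisticated cases the post mentions; it does not validate what the transaction itself says.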
RBell (OP)
April 24, 2015, 03:12:07 AM
 #5

Quote from: Carlton Banks on April 22, 2015, 10:59:42 AM
> Bear in mind that this is not an infallible scheme. You're transferring information from a semi-trusted domain to a trusted domain, so if some malware can make a trojan out of an unsigned transaction file, then you're just as exposed to threats as when using USB storage. These transactions are tiny plaintext files, so it should be easy to spot an unsophisticated attack.
>
> Also, comprehensive disabling of Storage Autorun features is just as important when using CDs/DVDs for this purpose as it is when using USB Storage devices.

Thank you for the tip! How would I go about disabling Storage Autorun on Mac and Ubuntu machines?
Carlton Banks
April 24, 2015, 10:22:47 AM
 #6

For Ubuntu, the OS settings should have a sub-section labelled "Removable Devices" or somesuch. Just disable Autorun on all device types (CD/DVD, USB storage, etc.).

It's been some time since I've used a Mac, although FWIW I do recall finding that option being very similar to what's described for Ubuntu. Also, your Mac is vulnerable to a recent root exploit if you do not have the latest up-to-date OS X (no idea which version that is, I read this in the press last week). So don't use an unpatched Apple machine for the cold storage if you can avoid it at this stage.

Vires in numeris
RBell (OP)
April 25, 2015, 01:24:24 AM
 #7

Quote from: Carlton Banks on April 24, 2015, 10:22:47 AM
> For Ubuntu, the OS settings should have a sub-section labelled "Removable Devices" or somesuch. Just disable Autorun on all device types (CD/DVD, USB storage, etc.).
>
> It's been some time since I've used a Mac, although FWIW I do recall finding that option being very similar to what's described for Ubuntu. Also, your Mac is vulnerable to a recent root exploit if you do not have the latest up-to-date OS X (no idea which version that is, I read this in the press last week). So don't use an unpatched Apple machine for the cold storage if you can avoid it at this stage.

Ok, great!

Once again, thanks for your help!