Author Topic: The safety of using USB sticks to transfer data from an offline machine  (Read 1614 times)
behindtext
December 06, 2013, 01:45:48 AM
 #21

> Anyone know if the upcoming Trezor will fix this problem?
> IF there are no hardware vulnerabilities which an attacker can exploit, it will fix the problem.
it's a big IF since usb always has firmware.

trezor is a great attempt at minimizing the attack surface by designing duty-built hardware. it's a shame that they chose usb instead of serial, imo.

justusranvier
December 06, 2013, 02:36:20 AM
 #22

> it's a big IF since usb always has firmware.
>
> trezor is a great attempt at minimizing the attack surface by designing duty-built hardware. it's a shame that they chose usb instead of serial, imo.
USB doesn't inherently need firmware, any more than a serial port does.

It's just easier to build programmable devices because you can fix bugs in software instead of hardware. The cost is that a general purpose computer is capable of any computation, and that's a giant attack surface.

I'd feel better about the hardware wallet projects if I saw the teams involved take this issue very seriously and go back to the roots of computing - custom-built electronic circuits that perform exactly one task, not general purpose programmable computers which can be repurposed by an attacker.
oakpacific
December 06, 2013, 02:43:36 AM
 #23

And how do you move the Armory installation itself to the offline machine? You can do all kinds of hash/signature check offline for sure, but when it's there for you to check the virus should already have settled down.

https://tlsnotary.org/ Fraud proofing decentralized fiat-Bitcoin trading.
justusranvier
December 06, 2013, 02:53:21 AM
 #24

> And how do you move the Armory installation itself to the offline machine?
Burn it to a CD.

There's probably a lower chance of malicious data on a burned CD having the ability to execute a hardware-level compromise. Probably.
oakpacific
December 06, 2013, 03:00:21 AM
 #25

> And how do you move the Armory installation itself to the offline machine?
> Burn it to a CD.
>
> There's probably a lower chance of malicious data on a burned CD having the ability to execute a hardware-level compromise. Probably.

I am thinking of not putting a filesystem at all on the medium and moving everything with dd, raw blocks in, raw blocks out, then piping all data to sha256sum check first on the online machine (yes, there will probably be buffer overflows). For transaction data, I will be even more careful by reading and checking 64-128 bytes at a time to prevent buffer overflows.

justusranvier
December 06, 2013, 03:04:07 AM
 #26

> I am thinking of not putting a filesystem at all on the medium and moving everything with dd, raw blocks in, raw blocks out, then piping all data to sha256sum check first on the online machine (yes, there will probably be buffer overflows). For transaction data, I will be even careful by reading and checking 64-128 bytes at a time to prevent buffer overflows.
That would probably be fine, as long as your medium isn't a USB drive.

Basically any data transfer medium that has circuitry embedded in it certainly isn't safe. Purely passive mediums like CDRs might be safe.
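
The raw-block transfer proposed in post #25, sketched as an added example that is not part of any post in this thread: the payload is written with dd and no filesystem, and the receiving side reads only the stated number of bytes and releases them only if the SHA-256 digest matches. The function names, the 512-byte block size, the 1 MiB cap and the regular file standing in for the medium are assumptions of this example.

```shell
#!/bin/sh
# Added example. A regular file stands in for the raw medium (constructed sample).
# Covers integrity of the copied bytes only, not the medium's own controller.
BS=512            # block size used on both machines
MAX_LEN=1048576   # refuse to read more than 1 MiB (assumed upper bound)

# raw_write PAYLOAD MEDIUM
# Copies PAYLOAD as raw blocks, NUL-padding the last block, and prints
# "<length> <sha256>" for the operator to carry over by hand or QR code.
raw_write() {
    len=$(wc -c < "$1" | tr -d ' ')
    sum=$(sha256sum "$1" | cut -d' ' -f1)
    dd if="$1" of="$2" bs="$BS" conv=sync 2>/dev/null || return 1
    printf '%s %s\n' "$len" "$sum"
}

# raw_read MEDIUM LENGTH SHA256 OUT
# Reads exactly LENGTH bytes (never the padding or anything after it),
# hashes them, and creates OUT only if the digest matches.
# Returns 0 on match, 1 on mismatch, 2 on a malformed or oversized LENGTH.
raw_read() {
    case "$2" in ''|*[!0-9]*) return 2 ;; esac
    [ "$2" -le "$MAX_LEN" ] || return 2
    blocks=$(( ($2 + BS - 1) / BS ))
    tmp=$(mktemp) || return 1
    dd if="$1" bs="$BS" count="$blocks" 2>/dev/null | head -c "$2" > "$tmp"
    got=$(sha256sum "$tmp" | cut -d' ' -f1)
    if [ "$got" = "$3" ]; then
        mv "$tmp" "$4"
    else
        rm -f "$tmp"
        return 1
    fi
}

# demo: round-trip a constructed payload, then flip one byte on the medium.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed unsigned transaction bytes\n' > "$d/tx"
    set -- $(raw_write "$d/tx" "$d/medium")
    raw_read "$d/medium" "$1" "$2" "$d/out" && echo "clean medium: accepted"
    printf 'X' | dd of="$d/medium" bs=1 seek=3 conv=notrunc 2>/dev/null
    raw_read "$d/medium" "$1" "$2" "$d/out2" || echo "tampered medium: rejected"
    rm -rf "$d"
}
demo
```
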
hobbes
December 06, 2013, 05:42:31 PM
 #27

SD cards often have "write protection" clips but they are not really safe: http://superuser.com/questions/354473/is-the-lock-mechanism-on-an-sd-card-hardware-firmware-or-software-driver-os

A computer with a read only cd drive would be great.
edit: Also it should not have wifi integrated.


How about this:
Boot from LiveCD on a computer with hard drive removed
put in usb stick with unsigned tx, copy to ramdisk and remove stick
(remove cd if on a system which can write to disk)
only then enter privkey / seed
create signature
transfer signature by hand / qr code
put together tx and signature on online system and broadcast


If you go through all that you might also consider storing half the key / seed in a bank locker.

keystroke
December 06, 2013, 06:34:59 PM
 #28

> In what way does a write-protected USB stick prevent malware from spreading between the online and offline machines?

I was imagining an offline machine with a cold wallet and a client that doesn't need to be online to produce transactions from the cold wallet (not the best way to do it...) but at least if the online machine only has a write-protected USB key inserted (that is assuming it is hardware write protect which it probably can't be) it could reduce the attack surface somewhat.

"The difference between a castle and a prison is only a question of who holds the keys."