Follow

I wish we had more dumb storage media.

These days, most storage devices - USB sticks, HDDs, SD cards - have a builtin controller and firmware. If it gets pwned, you can't trust any data on the device, and there's no easy way to verify the firmware.

Back in the day, we used to use Floppies, tapes and CDs. In case of these, the controller was part of the computer, and you only removed the raw medium.

Tapes are still around, but they're pretty niche...

· · Web · 8 · 9 · 16

@wolf480pl I still save snapshots of my data on CDs. I bought a stack of 1000 CDs about 3 years ago for $10 and decided that was a good idea. 😃

CDs don't go bad unless you use them too much. So they are a great medium for long term storage. :jrbd:

@herag
>CDs don't go bad unless you use them too much

and keep them away from sunlight.
And they'll probably still go bad after a few decades.

@wolf480pl oh... now you see?my info may be out of date... hehehe... well in 10 years I'll see if my docs and pics and music can still be accessed... hahaha

@wolf480pl CD-R is still the only medium which approaches truly long term data storage. Others degrade quicker. It’s a shame upon this society’s priorities.

@Shufei
I think Microsoft's holocrons^W Project Silica can survive longer than that, or at least it's meant do do so.

@wolf480pl Sorry, I should have qualified that as “available to mortals”. Thanks for the head’s up. I’ll look into it. I was hoping Norsam Discs would become widespread back in the day...

@xj9 @wolf480pl Jolly good. Do they match CD-R for half-life now? Last I dived into it, they didn’t.

@wolf480pl never thought about that. Is there any way to check or now whether there is some firmware on it?

Do USB sticks always need their own firmware?

And are they save if you own them? Or could they be compromised if you attach them to a foreign device?

@daniels
>Is there any way to check or now whether there is some firmware on it

If it doesn't contain any transistors, then there is no firmware on it. Otherwise, there's no way to be sure, unless you like decapping chips...

USB sticks translate the USB protocol to raw flash reads and writes, which requires a significant amount of logic. You probably could do it all in hardware, but that'd be a stretch, and more expensive. So my guess is they all have some firmware.

1/

@daniels
>could they be compromised if you attach them to a foreign device?

It depends how well the vendor protected them from flashing custom firmware. And I'd expect the vendors to be lazy and fuck this up...

USB also is extra dangerous in that not only can a malicious device lie about files stored there, but it can also pretend to be a mouse or keyboard...

@wolf480pl @daniels

Pretty safe assumption about the vendors there.

@wolf480pl @daniels my work Mac has total lockdown of USB devices, but my adafruit devices show up as mass storage, audio, and something else.
So even security vendors aren't doing that great a job?
I think it's using crowd strike lockdown software.

@wolf480pl @daniels 99% of USB flash drives if not more have a small microcontroller between the USB interface itself and the flash chips, and in many drives you can flash whatever firmware you want onto these

@wolf480pl We live in a world where even some cables have CPUs now.

@wolf480pl t.i.l. this new security nightmare

and here i was just missing the good old days when you could just pop in a floppy and navigate to a:\ instead of waiting for the drivers to install and mounting stuff and whatever

@wolf480pl Pretty much the first thing I do is format my storage media and get rid of the built in data management tools. That maybe doesn't help with the firmware, though. I'm not knowledgeable enough to know.

@ink_slinger it doesn't.
The firmware is what makes eg. the USB drive capable of speaking USB.

@wolf480pl There are many other areas where we can't trust data, including most all data transferred over a network.

You can sign the data, encrypt with a public key, use authenticated encryption, and various other methods to store and transfer data on untrusted media. It won't prevent DOS, but that's no different than hardware failure.

Your statement is true, and most users won't mitigate, but the risk is also not part of most users' threat models.

@mikegerwitz
Where do you keep the public key though?

Also, it's not just about untrusted data. It's also that the firmware may try to exploit bugs in host's implementation of USB, etc.

Maybe not in most users' threat models, but having dumb storage media would be useful in some threat models (I forgot which).

@wolf480pl Same problem with tape drives, floppies, just moved up a level. And even more difficult to test/trust!

@amrowsell not really, because the drive is part of your computer, and it can fool only that one computer. If you move the media to another computer, that computer will have a different drive with a different firmware.

@amrowsell
Consider the following scenario:

You have N computers, C_1...C_N. One of them is safe, all the others ar e infected by malware.
You bought a new computer D.
D has no malware, but it has no operating system either.

You know the sha256 of the authentic ISO image of the system you want to install.

What do you do?

@amrowsell
What you could do is:

1. Download the ISO on C1, save it on a USB stick, check sha256.

2. Move the stick to all the other computers C2...Cn and check sha256 on them.

3. If the sha256 is correct on all of the computers, and at least one of them is not infected, then the image on the usb stick is also correct. You can safely boot the new computer D from it.

@amrowsell
Now this doesn't work if the USB stick firmware gets infected from one of the computers, detects if you're reading the stick from an OS, or trying to boot from it, and shows you different ISOs depending on that.

It also doesn't work if it's possible to write to the USB stick.

So CDs would be best here.

Sign in to participate in the conversation
Mastodon

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!