> On Sep 30, 2025, at 9:35 AM, JOSEPH WILLIAM BAKER® via Tails-dev <tails-dev@???> wrote:
>
> Two department heads within a reclamation department of the US Department of Defense told me circa 2013 that SAP had discovered a wireless vulnerability in USB memory sticks.
>
> I know you guys lean heavily on using USB memory sticks to boot your live linux distribution, thinking it's safe from spying, but nothing could be further from the truth.
>
> I recommend instead using a live DVD with the kernel option TORAM used to load your OS. Then figure out a way to mount your storage over the network from somewhere else. Perhaps with a ram drive overlay.
Requiring the use of a DVD makes no sense, because very few people could use the result. "There are no brand-new mainstream laptops with CD-DVD drives" per <https://www.laptopmag.com/articles/laptops-with-cd-dvd-drives>. This has been true for years. The same page recommends getting an external DVD drive to pair with a laptop. There are *some* options, as listed on that page. But since DVDs are often considered obsolete for storage, DVD readers/writers are specialty items not available to many.
> The DOD does not allow USB flash drives on its networks. It might be advisable to follow their policies for data management.
The *primary* reason they did that in 2008 was to prevent running malware on removable devices:
https://www.hill.af.mil/News/Article-Display/Article/398063/violating-usb-ban-racks-up-risks/
https://www.washingtonpost.com/wp-dyn/content/article/2010/08/24/AR2010082406154.html?hpid%3Dtopnews&sub=AR
https://spectrum.ieee.org/dod-confirms-flash-drive-breached-its-it-security-in-2008
https://www.washingtontechnology.com/2010/02/dod-details-strict-flash-drive-rules/348331/
Note that *anything* insertable late, including DVDs, was cause for worry. I believe DVDs had the same restrictions, though DVDs were much less common in 2008 than USB sticks, & so that wasn't noted as much.
The ban is less strict as of 2010 because they've configured their OSes to restrict running code on them:
https://www.washingtontechnology.com/2010/02/dod-details-strict-flash-drive-rules/348331/
They also worry about data being exfiltrated on the USB stick (as noted above).
A Tails user is *trying* to run the software on the stick, so it's a completely different situation than what the DoD is doing.
It's true that something that *looks* like a normal USB stick can be malicious (via a hardware supply chain attack where the user is given a malicious device). I think the Tails developers are presuming that the Tails user is *trying* to be secure, and thus will try to choose USB sticks that are unlikely to be subverted hardware. There *is* a risk that if you order online, a well-resourced adversary could swap the device en route & give you a malicious device.
However, if you're buying USB sticks in a way that makes it hard to create a targeted attack (to give you a "special" USB stick), that's not a huge threat. There's an easy solution if you're targeted: walk into a reputable store, pick one off the rack, and buy it right there. It doesn't cost much & it's hard to target. This also deals with many counterfeit problems. A bad USB stick will give any user a bad experience, so it might be a good idea for the Tails front page to more clearly provide guidance on getting good USB sticks. If *all* USB sticks can be remotely controlled, there are bigger security issues.
--- David A. Wheeler