> On Oct 2, 2025, at 6:04 PM, JOSEPH WILLIAM BAKER® via Tails-dev <tails-dev@???> wrote:
>
> I could not find anything on the internet about SAP making the discovery public. I was told by the official that "The only reason I can tell you this is because SAP made it public." Then he proceeded to tell me about the wireless back door of the usb flash memory sticks. I can infer that the back door tech was a secret that could not be told... i.e. classified. But that he was saying the only reason he could tell me is because SAP had made it public. Let's search archive.org maybe? I have searched many times on the Internet and have not been able to find this. It's like a black hole on this information. Still, it might be interesting to ask SAP what their policies are regarding the use of USB memory sticks.
Requiring the use of DVDs for computer storage is pointless; they're rarely available & going away. Systems are only useful if they can be used.
If you're arguing that it'd be good to also make it easy to install Tails on a fixed media (internal HDD or SDD), I can see that argument. I suspect it wouldn't even be that difficult. That would be a more fruitful discussion I suspect.
> David, what is your standard of evidence? I'll do the best I can to assert this claim because it basically shows us that what we thought were air gapped systems are vulnerable somehow through the memory stick.
My standard is irrelevant. I don't make decisions for Tails.
I will note that there are many *known* attacks involving malicious USB sticks:
1. Most common: USB sticks with malicious software stored on them that is auto-run. That still works sometimes :-(.
2. BadUSB: USB stick controllers can be reprogrammed.
3. USB rubber ducky, which looks like a stick but inserts keyboard commands, e.g.:
https://shop.hak5.org/products/usb-rubber-ducky and
https://www.reddit.com/r/hacking/comments/1i55xrv/i_made_the_worlds_smallest_usb_rubber_ducky/
4. It's really cheap to create a malicious USB, like <$5:
https://www.youtube.com/watch?v=MMwDBquDESE
5. USB form-factor Wifi is easy, e.g.:
https://shop.hak5.org/collections/omg-row2/products/omg-plug - just put that with a stick form-factor.
However, attacks even today typically involve distributing normal USB sticks with malicious software on it, and tricking the user into running it:
https://www.wired.com/story/china-usb-sogu-malware/
https://cloud.google.com/blog/topics/threat-intelligence/infected-usb-steal-secrets/
It's possible that all flash drives have an embedded vulnerability that enables them all to be controlled remotely. Sure. But believing that claim requires evidence. So far, what we see are organizations creating specially-subverted sticks or putting malicious code in its storage, which if anything suggests this is not true. I welcome someone who has the time & expertise to investigate.
--- David A. Wheeler
