Security risks of removable media (was: Offline Search?)

Thomas Charron twaffle at gmail.com
Fri Jun 6 16:19:36 EDT 2008 

On Fri, Jun 6, 2008 at 12:27 AM, Ben Scott <dragonhawk at gmail.com> wrote:
> On Thu, Jun 5, 2008 at 4:52 PM, Thomas Charron <twaffle at gmail.com> wrote:
>>  Google Desktop isn't an online service.
>  Um... so what?  That doesn't explain what good it would do to have
> Google Desktop index data without Google Desktop software.

  offline != run standalone.  I admit I misunderstood what you
grasped, that he wanted a stand alone application.  :-D

>>>  Because I'm a software engineer.
>  Again, so what?
>  The point I was and am trying to establish is that carrying software
> around on a removable medium puts one at significant security risk.

  You're point is totally valid.  MY point is it's no MORE so then
transferring those same files over a network.  In some ways, it's less
of a threat, as there is limited time availability to those files, but
in others, MORE of a threat as a network can at least provide SOME
policing of security, which a typical thumb drive cannot.

> You're exposing any data on the medium when it is mounted on the
> untrustworthy host.  It might be copied or modified by malware.
> You're exposing any software on the medium.  It might be "infected" by
> malware.  Any hosts you mount the medium on in the future are then
> exposed to that malware.

  What would be the secure way to transfer these files amongst
machines in a heterogeneous network environment, with additional
machines offline not connected to the network at all?

>  Yes, using untrustworthy hosts is dangerous.  But using
> untrustworthy hosts is part of carrying software around on a removable
> medium and using it on whatever computer is handy.  If the host was
> under control, why wouldn't it already have the software you use on
> it?  And if the host is not under control, it is presumably untrusted.
>  Did you have any actual response to this, or did you just want to
> dance around it?  :)

  And how did an end user get the stuff on the machine in the first
place?  In the end we're talking about multiple hosts under
potentially no control.  But yet, the files still need to get there.

>  I'm starting to feel like I'm talking to ELIZA -- that you're
> sending phrases that only sound like they have something to with the
> conversation, but are really just context-free text extraction.  Are
> you sure you're not just an AI program gone awry?   ;-)

  Ben, do you OWN a USB drive?  :-D  Have you ever used it to give
someone a file?

-- 
-- Thomas

More information about the gnhlug-discuss mailing list