USB FlashDrives The New PC? 305
olddotter writes "Yahoo has an article about how large capacity USB drives might be redefining the concept of the personal computer. The article is Windows-specific, but think Knoppix on a flash drive." From the article: "When you check into an average hotel room and find -- alongside the alarm clock, hair dryer and DVD player that once were bring-your-own items but now are as standard as the furniture -- a cheap PC for guests to plug into, as our truly personal computing environment travels with us."
Well, that's great (Score:4, Insightful)
Oh? (Score:5, Insightful)
The key issue (Score:5, Insightful)
The key issue isn't that the data is on a USB disk, but that it is easy enough for you to carry around all your data (including OS and apps). E.g. compact flash would suffice. Or serial flash.
Furthermore, just having secure access to the data (perhaps over the internet) would suffice. Imagine a system where to boot up, the PC fetches your data off the web. Perhaps you use a kind of use-once key to access some of the data, with which the PC computes.
The thing I've not been satisfied with yet is the idea that the PC itself would engage in a man-in-the-middle attack. E.g. it stores a copy of whatever data you've accessed (off your USB, compact flash or network storage) -- and the bad guy gets that stuff later. There's no defense against this attack, because the PC is doing the processing.
E.g. imagine a compromised PC running something like Bochs. It emulates a real PC, but gives away your secrets.
Trust? (Score:5, Insightful)
Granted, I'm sure protection mechanisms would be built in to address this, but I think I'd still be a bit skeptical.
Re:Or you can go one better... (Score:5, Insightful)
Re:Oh? (Score:5, Insightful)
Having a whole operating system on a flash drive isn't that unusual. I have been using Knoppix for years, like a million other people. The flash drive would just be faster and smaller, and you could write to it and save some files if you chose to.
Re:Oh? (Score:5, Insightful)
USB would need a security layer. (Score:5, Insightful)
Perhaps this would work if the client machine were truly memory-less (no HD, no NVRAM, no flash ROM, etc.). Then the machine could be a secure blank slate for whatever the USB user needed to do. Given the prevalence of flashable firmware on everything (and the need for persistent machine configuration data), I doubt this is very feasible.
Re:The key issue (Score:3, Insightful)
Or if your USB key is your computer (I presume some of these can be offline), why not just copy the entire USB drive? At 512mb each, you'd fit 500 on a 250gb drive (actually you wouldn't since 2^10 != 10^3), then just search... any interesting jpgs? videos? license keys? confidential data? certificates? Take your pick.
Re:I like this concept (Score:2, Insightful)
You boot an os off of a flash drive and then run those programs off of the bootable os.
Or you boot an "oe" (operating environment) off a flash drive. An oe is an os plus some bundled applications. If you load an oe advertised as containing OpenOffice.org Suite, Mozilla Firefox, and Nvu, then it doesn't matter whether it's running a FreeBSD or Linux os; what matters is that your apps run.
Re:Oh? (Score:3, Insightful)
Some keyboards themselves are keyloggers.
Sometimes keyboards are attached to keylogger adapters or dongles.
KeyGhost.Com [keyghost.com]
So, remember, either bring your own keyboard or just bring a laptop.
Re:Flash drives don't last forever (Score:2, Insightful)
Even the BIOS is emulated (Score:2, Insightful)
Because virtual machines still have to boot. Lemme put it this way - reboot and in the BIOS, make sure that flash drives boot before hard drives.
Forgot about Europe? (Score:4, Insightful)
Where the heck are you finding... (Score:3, Insightful)
Where the heck are you finding hotels that provide a DVD player when in-room PPV movies are $10-$15 each? None of the hotels I've ever stayed in provide that; the TVs don't even have accessible A/V inputs and the cable hookups are protected with a user-proof collar.
Re:vmware with no HD image perhaps? (Score:3, Insightful)
If you can find a way to easily make sure that the thing has no power left inside, and it looks like commodity hardware, then it's probably ok. But even then, what if it doesn't have a normal BIOS, but instead boots straight into an emulator?
The possibilities are endless...
Re:Flash drives don't last forever (Score:3, Insightful)
Isn't that equivalent to saying "Your house isn't very secure. Somebody with a bulldozer could easily get in."
No no, I'm not trying to use the time dis-honored method of using faulty metaphors to shoot your point down. Rather, I really am asking a question here. Wouldn't it take somebody with a snazzy computer mind and the right tools to actually go in and retrieve useful information? Wouldn't they have to know precisely what they're looking for to actually obtain that data? In that case, would it really be all that likely you'd fall victim to something like that?
Whether I'm right or wrong, seems to me the best solution to this problem is to not rely on a computer you're not in control of to be secure. I have a hard time imagining students in school, for example, lots of students in school keeping dangerous info on these drives. The simple fact that they could lose the drive, in most cases, would be enough to keep these people in line.
Re:Oh? (Score:4, Insightful)
Re:Oh? (Score:3, Insightful)
In short, Knoppix is a good solution for plain vanilla commodity hardware, as long as you know what it is. But if you have some sensitive data that someone wants, perhaps the hotel you're staying in provides some black-market services you're not aware of?
Re:USB would need a security layer. (Score:3, Insightful)
I'm pretty sure Holiday Inn won't, and the FBI could get the info using an easier method. I mean, if I'm trying to screw you over and get your data, this would be the most expensive and difficult way to do it.
What am I going to do, install keyloggers on all hotel rooms? Normally, you don't get your room number until you show up, so how can I install it in advance to just screw you over, if I was going after you individually? If I just install it to catch ANYONE, there is a record that I was there, so it could be traced back to me.
Or the maid could install it perhaps? There are much easier ways to rip people off than CREATING this hardware, test it, get the job, find the time to get in and install it, and hope like hell you don't get caught because you have to show your driver's license and social security card to get hired. So whenever they find it out, you WILL be a suspect. It is not that it is impossible, it is just that it is the least likely of the security concerns.
This is a theoretical problem that has no bearing in reality short of the FBI, and if they want your data, they will get your data. Possible, yes, but you and I have a much larger chance of getting hit by lightning, but you aren't fretting about that.
The REAL potential is at the hotel's proxy server / router, where the vendor's IT guy could be recording all nonencrypted traffic, which would include most webmail. This is in software, and would be easier to cover up. Then you have access to the email, and can go from there. This could be secured, but would require that users are not dumb. THIS is the main security issue. This is a concern NOW, not in the future, and not theoretical.
Re:Oh? (Score:3, Insightful)
Does that mean whoever owns the machine in the cybercafe or hotel couldn't trick you? No. But it means a patron of one of these establishments probably could not, which is good enough.
It's like asking "before entering your PIN, how do you know that's a real ATM?" The answer is, you don't, really, but exploits of this extent are too exotic to worry much about.
Re:Oh? (Score:3, Insightful)
Re:vmware with no HD image perhaps? (Score:4, Insightful)
Cause we all know they do that with the phones and TVs.
Oh, wait, no they don't. They build them into things or at the very least have the cables non-detachable.
Gee, if they do that with a 30 dollar phone and a two dollar cable on it, I wonder if they'll do it with a 300 dollar computer and a two dollar cable on it. Not to mention the 15 dollar keyboard and 5 dollar mouse they don't want people making off with.
I'm sure they'll leave all that accessible where we can just unplug it at will, instead of putting in those computer cases that are sold exactly for the purpose of blocking access to the cabling while leaving the front accessible.
Just for laughs, at the next hotel you stay in that has an internet connection, try unplugging the TV. See how far you get. You can unplug them at cheap places that just buy a TV and put it on a table, but those are not the places that will be offering computers.
Re:Even the BIOS is emulated (Score:3, Insightful)
Granted if someone really really wanted to, they could have figured out a way to crack the BIOS or something. But at that point I'd be more concerned about a hardware keylogger or hidden camera.
Re:Oh? (Score:3, Insightful)
The image was made after a clean windows install and uses parted to restore. It's stored on a partition that is hidden by grub at system boot. About the only thing that can be messed up (with a lot of effort) is finding the hidden grub files on the fat partition, and all that means is a manual boot into linux.
Obviously system updates can't be applied so I refresh the image once a month or so.
Re:Oh? (Score:2, Insightful)
Re:Oh? (Score:3, Insightful)
Amazing how security-conscious people are on Slashdot, when in reality their wireless hubs are not password protected, their AV is 2 months out of date, and they go to questionable websites regularly, and their pirated copy of XP is out of date, thus more vulnerable.
This could have been a great group of threads about this very interesting idea of diskless hotel access. Instead it was filled with paranoid wankers who don't have a pot to piss in, and couldn't afford to go to a hotel that would have this system. Most of the security related "concerns" clearly demonstrate that the average Slashdot poster is NOT as nerdy as some would believe, worrying about the wrong things, and ignorant of the current risks. Totally fucking amazing.
On a more positive note, I finally figured out what the hell your sig means.