In the past, software was often sold on physical discs. You could buy physical copies of Windows up until around Windows 8, I think, and many places offered OEM installers for various GNU/Linux distributions.
These physical media were beneficial because the software on the drive couldn’t be altered, but could still be verified using tools like GPG. This provided peace of mind for IT professionals who needed to distribute discs to multiple users, as well as for end users seeking protection against malware or wanting reliable live media.
However, I’m having difficulty finding many modern organizations that still sell GNU/Linux write protected live installation media. Is anyone aware of any groups that still offer write-protected live media? Why is write-protected installation media no longer the norm?
I would love to see PureOS available on a write-protected USB or another medium.
Apple. Thin is sexy and light. Thin precludes an optical media drive. So optical media is out.
You don’t need it. All you need is the ability to download an ISO and verify the integrity of the ISO and then you can put the ISO on either optical media or a write-protected USB.
If memory serves, history has taught that the files in any medium need to be checked - the CD or DVD was not always secure: there were examples of batches of those being targeted and malware included in the media at some point in the supply chain. So, just because it’s on a WORM, that alone would not make it safe. And there were plenty of authentic looking bootlegs going around of various Windows versions and its tools.
So, @irvinewade’s process of “verify yourself and then write the unchangeable copy” is a better option. Use an external usb DVD or BR player (look into M-Disc types for longevity).
It’s also easier to verify the integrity of a single ISO file that you just downloaded than it is to verify the result after it is written to optical media (where it could have become 70,000 files on an ISO9660 file system, which offers a fair amount of functionality i.e. scope for nefarious activity).
I guess in principle you can take optical media of unknown provenance (potentially dodgy) and reconstitute the ISO file from that, one way or another, and then verify it but that starts to seem less convenient and less certain than doing it the way I suggested.
And it is near certain that I would not trust this approach with a USB flash drive of unknown provenance (as the flash drive contains active electronics and runs firmware …).
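The "verify yourself, then write the unchangeable copy" procedure from the two posts above, together with the point that it is easier to check one ISO than the 70,000 files it becomes after burning, as an added worked example. This script is not from the thread, from Purism or from any distribution's tooling. It assumes a vendor that publishes a SHA256SUMS list with a detached GPG signature, that you already hold the vendor's public key in your keyring (obtained out of band), GNU coreutils on Linux (sha256sum, dd with status=none), and a /dev/urandom for the constructed demo data; the device path, file names and sizes in the demo are made up. The read-back check compares raw bytes, so it works the same for an optical disc or a USB stick and never has to mount the ISO9660 filesystem.

```shell
#!/bin/sh
# verify_and_write.sh -- added illustration, not code from the thread or from Purism.
# Assumes GNU coreutils (sha256sum, dd status=none) and a Linux-style /dev/urandom
# for the constructed demo data. The device path, file names and sizes are made up.

# Step 1: verify the vendor's detached signature over the checksum list.
# This is the only step that needs a trust anchor: the vendor's public key must
# already be in your keyring, obtained out of band, not from the same download page.
verify_signature() {
    sums=$1; sig=$2
    gpg --verify "$sig" "$sums"
}

# Step 2: check the downloaded image against the (now trusted) SHA256SUMS list.
# Handles both "hash  name" and "hash *name" line formats that sha256sum emits.
verify_checksum() {
    iso=$1; sums=$2
    name=$(basename "$iso")
    expected=$(awk -v f="$name" '$2 == f || $2 == "*" f { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "verify_checksum: no entry for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Step 3: write the verified image to the target (a block device in real use;
# a plain file in the demo). notrunc keeps a file stand-in from being truncated;
# fsync makes dd wait until the data is actually flushed before returning.
write_image() {
    dd if="$1" of="$2" bs=1M conv=notrunc,fsync status=none
}

# Step 4: read back exactly as many bytes as the image has and compare hashes.
# A raw byte comparison avoids mounting the ISO9660 filesystem at all, so there
# is no per-file verification and no filesystem code on the trust path.
verify_written() {
    iso=$1; dev=$2
    size=$(wc -c < "$iso" | tr -d ' ')
    want=$(sha256sum "$iso" | awk '{ print $1 }')
    got=$(head -c "$size" "$dev" | sha256sum | awk '{ print $1 }')
    [ "$got" = "$want" ]
}

# Demonstration on constructed data: a random 2 MiB "image", a vendor-style
# SHA256SUMS file, and a zero-filled 4 MiB file standing in for the USB stick.
# The GPG step is skipped here because it needs the real vendor key.
demo() {
    tmp=$(mktemp -d) || return 1
    trap 'rm -rf "$tmp"' EXIT
    head -c 2097152 /dev/urandom > "$tmp/pureos-demo.iso"
    (cd "$tmp" && sha256sum pureos-demo.iso > SHA256SUMS)
    head -c 4194304 /dev/zero > "$tmp/fake-usb.img"

    verify_checksum "$tmp/pureos-demo.iso" "$tmp/SHA256SUMS" \
        && echo "checksum: OK" || echo "checksum: MISMATCH"
    write_image "$tmp/pureos-demo.iso" "$tmp/fake-usb.img"
    verify_written "$tmp/pureos-demo.iso" "$tmp/fake-usb.img" \
        && echo "read-back: OK" || echo "read-back: MISMATCH"

    # Simulate tampering after the write (the interdiction scenario): zero 16
    # bytes in the middle of the written image and confirm the read-back notices.
    head -c 16 /dev/zero | dd of="$tmp/fake-usb.img" bs=1 seek=65536 conv=notrunc status=none
    verify_written "$tmp/pureos-demo.iso" "$tmp/fake-usb.img" \
        && echo "tampered read-back: NOT detected" || echo "tampered read-back: detected"
}

demo
```

In real use the order matters: run verify_signature first, because the checksum list is only worth anything once you know who signed it; if the vendor ships a clearsigned list instead of a detached signature, `gpg --verify SHA256SUMS.asc` on its own does the same job. The read-back step is also what you would run on a stick of uncertain custody before booting from it, with the caveat raised later in the thread that a hash match says nothing about the drive's firmware.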
The SD standard includes both temporary and permanent write protection, but you need special hardware like this to use it. (This is different from the physical “tab” on full size SD cards, which does not provide true write protection.) Of course you still have to trust that the manufacturer implemented the firmware properly and there is no bug/bugdoor to allow for unlocking the card. But it’s better than nothing.
There is also at least one manufacturer who makes USB drives with a physical write protection switch, designed for (for instance) running antivirus software on compromised machines without risking infection of the USB stick. I forget the brand but Amazon carries them. You can also get special drives from iODD that allow selecting and mounting ISOs as readonly virtual disks.
But in general WORM media isn’t needed for installer disks for the many reasons pointed out above. It can be useful for servers or firewalls though.
Indeed. Following the link in my first post above and then following the link to the discussion that it forked off … was all about how the SD card write-protect switch is a) security theatre and b) doesn’t even always work properly.
My primary concern was that organizations are selling installers without write protection. It seems unusual that there aren’t more GNU/Linux retailers offering write-protected options or WORM drives.
You can verify the contents of a USB or DVD for security purposes. Are there any relevant use cases for physical GNU/Linux media if they lack write protection?
This is the product I was referring to though: USB Flash Drive – Purism
I just found it odd that it was not available in a WORM format and did not include any guidance on how to authenticate the image.
a lot of computers don’t even have an optical media drive any more (mine included), and
the price per GB for a write-protected (or better) USB flash drive is quite a bit higher than the corresponding price for a regular USB flash drive.
So for mainstream vendors, I understand it.
How though would a write-protected USB flash drive solve the problem? It can be interdicted, the write-protect disabled, the content compromised, and then write-protect re-enabled.
A write-protected USB flash drive is mainly good for use with a known infected computer (as you wrote in the OP) or when you have custody of the flash drive at all times.
If your threat model is such that you need more than that with a USB flash drive then cost goes up considerably e.g. a PIN lockable drive where Purism shares the PIN with you via a secure mechanism at the time of purchase (and encourages you to change the PIN on receipt).
For sure Purism would be the kind of security-focused company that should be looking into that and, yes, as you say, telling people how to authenticate the contents of the USB flash drive (regardless of whether it is write-protected in any way at all).
Also, bear in mind that the Librem 5 can’t directly boot from storage connected to the USB port at all anyway. So this discussion, for now, would relate only to the other hardware platforms.
I have been meaning to get me a PIN lockable drive to play around with. (As noted in the linked topic, the fingerprint ones are a dead loss in the Linux world.)