Patient Zero

Whenever I look up guides on how to securely download an OS and install it on a computer, the very first step is to extract it onto a USB drive, and go on from there. I find this to be the most overlooked part, as the flash drive could possibly contain malware and could infect my whole OS without me ever knowing about it. Even if the chance of it is small, it’s still there.

Now the answer to my problem is simple: buy a new non-infected one. But how do I make sure it’s safe? There are so many brands out there, which one am I supposed to choose? And when I’ve narrowed it down, how do I make sure that it’s not a replica, as is common with storage devices these days? And if a company pre-installs its software, which I’ll treat the same as malware, how do I format it without it ever interacting with my computer?

The solution that I’m seeing right now is to just ditch USB and use an SD card like camera people use, format it two times from a computer and two times from a phone, and use it through a card reader as the bootloader. But then how do I make sure of the integrity of both of those, especially that of the card reader?

I know that I’m overthinking this a lot, and that once I’ve formatted the flash drive, it should be safe to use. But this has been lingering in the back of my mind for a while, to the point I’ve stopped owning any flash drives. The same could be argued for any storage device, but the malware that I’ve personally witnessed and have seen on the internet has mostly been on flash drives compared to other storage devices, which eases my mind a bit, and there is also the fact that there are way more established brands for, say, SSDs compared to flash drives, which are often counterfeit too. And now that I’m about to reinstall my OS, which I haven’t done in years, I need to make sure that I install things as securely as possible. So if any of you could guide me through this, I’d much appreciate it. (Sorry for the schizo/tinfoil fedora ramble)

That seems like a problem on the other end of the USB device, especially the device driver on the PC side it is attached to. The driver shouldn’t be able to connect to the internet for its business (the USB device) to work. If it does, it’s a vulnerable driver issue.

Back in the day, the issue was in the autorun.inf file and the executable/VB script it is associated with. Since then we’ve been able to do tricks with said file (like pointing the header of the file at the very last block so that it is functionally empty and read-only). This is over in Windows land, and we were able to do things to remedy it. Things are much more responsible and sane on the side of macOS or Linux. Also, AFAIK you can do a raw write (to erase the content) on Linux without mounting the USB’s filesystem.

You are definitely overthinking it. The prevailing scam in flash-based storage is overreporting the size, making you pay for capacity it does not have.

A plausible attack is to underreport the actual size of the flash drive and keep a shadow copy of the files. The best thing you can do is encrypt the entire USB with LUKS, BitLocker or VeraCrypt. If you lose it or if someone steals it, all they have is encrypted data.

In any scenario, whole disk encryption is your friend and helps you with your sanity. It is more than enough to keep your stuff private and secure.

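The reply above names overreported capacity as the prevailing flash-storage scam. The following is an added example, not part of the original thread: a write-then-read-back check that counts how many blocks a drive really stores. `SimulatedDrive`, `intact_blocks` and the block size are constructed for illustration; the simulated drive stands in for real hardware so the check runs offline.

```python
import hashlib

BLOCK = 4096  # bytes per test block (assumed size for this example)

def pattern(index):
    """Block content derived from the block number, so every block is unique."""
    seed = hashlib.sha256(index.to_bytes(8, "big")).digest()  # 32 bytes
    return seed * (BLOCK // len(seed))

def intact_blocks(dev, claimed_blocks):
    """Fill the whole claimed capacity, then count blocks that read back intact.

    Destructive: overwrites everything on dev. All writes finish before any
    read, so a drive that wraps or drops writes cannot pass block by block.
    """
    for i in range(claimed_blocks):
        dev.seek(i * BLOCK)
        dev.write(pattern(i))
    dev.flush()
    good = 0
    for i in range(claimed_blocks):
        dev.seek(i * BLOCK)
        if dev.read(BLOCK) == pattern(i):
            good += 1
    return good

class SimulatedDrive:
    """Constructed stand-in: accepts any offset but stores only real_blocks."""
    def __init__(self, real_blocks, wraps):
        self.store = bytearray(real_blocks * BLOCK)
        self.wraps = wraps  # True: wrap onto old data, False: drop the write
        self.pos = 0
    def seek(self, offset):
        self.pos = offset
    def flush(self):
        pass
    def _phys(self):
        if self.pos + BLOCK <= len(self.store):
            return self.pos
        return self.pos % len(self.store) if self.wraps else None
    def write(self, data):
        p = self._phys()
        if p is not None:
            self.store[p:p + BLOCK] = data
    def read(self, size):
        p = self._phys()
        return bytes(self.store[p:p + size]) if p is not None else bytes(size)
```

On real hardware the read pass must come from the device rather than the operating system's cache (for example by replugging the drive between passes); the f3 tools perform this kind of test on actual drives.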