
Write-protected USB drives and other devices will prevent certain types of malicious behaviour, but they will not keep you safe at a public computer.

I came across a USB flash drive with a write-protect switch on a website and placed an order. How does write protect in a flash drive work anyway? Does this not solve the problem of spyware on public computers, especially if you could run Roboform and portable Firefox off the flash drive? However, because I have not yet received the thumb drive, I tried running portable Firefox off my hard disk with the folder's attributes changed to read only, and it doesn't seem to work.

No, it won't keep you safe. Not at all.

I'll explain just what that "write protect" means, why it's useful, and why it still doesn't help you at public computers at all.

Write Protect

To be honest, I'm surprised that more USB devices don't have this switch.

The concept is very simple: if the switch is set you are prevented from writing ANY data to the device; not one bit.


Typically, this works at the hardware level - the switch actually disables the electronic circuitry that is used to perform writes. Without that circuitry working you simply cannot write data to the device - you can only read.

When Write Protect Protects

If you cannot write to the device then you know, beyond a shadow of a doubt, that it cannot be tampered with. What that means is that it cannot be infected with a virus, for example.

That's a good thing.

It also means that if some software you're running from the device saves settings or somehow updates its own status on files kept on the device, it cannot make those changes or updates.

That could be a good thing - you know your application settings are never tampered with, and anything it might normally keep like history cannot be updated on the device. It could also be a bad thing - the application may fail to run at all.

Typically, what you want to look for when choosing applications to run from a read-only USB drive are "portable" applications which do not require installation, and even then, portable applications that do not require the ability to write or save data. Some may call that out as a feature, others you may have to experiment with.

What Write Protect Doesn't Protect

If the public machine you're using has malware on it - say a key, screen or activity logger - your read-only device doesn't protect you at all. If you log in to some service, even using your USB key as the source of your login information, that information can still be captured.

Your account can still be stolen.

Since you had to enter that information somehow, i.e. it had to pass through this untrusted public computer, you've made it visible and available to any and all malware that's installed on that machine.

Write protected or not.

You may not walk away with malware on your device, but it doesn't matter. You may have already given your information to malware on the public computer you used.

Don't.

Just ... don't.

Public computers simply cannot be trusted. Period.

Article C4481 - October 7, 2010

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


11 Comments
Ken B
October 8, 2010 7:06 AM

Write-protectable USB sticks have been around for a while, but they used to be very expensive. I remember a few years ago, they were in the $100+ range for 128MB(!) sticks.

We recently found a great solution --- SD cards (the kind used in many cameras nowadays) all come with write-protect switches, and you can get SD-to-USB adapters (basically, a USB stick w/o any built-in memory, and an SD slot) for under $1 on eBay, including shipping. True, you get what you pay for, and they break if you abuse them, but they do the job. But for only a few dollars, you can get sturdy ones.

Bob
October 11, 2010 1:06 AM

I've seen a new 'security' feature on some USB sticks nowadays - a fingerprint reader (or more accurately, 'thumbprint', as that's usually where the reader is placed).
I've not bought one, but I'm guessing the USB stick requires the right fingerprint as you plug it in? Or can you set it to require the fingerprint on read/write?

You'd have to check the specific models, but I believe the general idea is that the USB device isn't "active" until you've provided a valid fingerprint - meaning no reads or writes.
Leo
11-Oct-2010

Robert
October 12, 2010 1:15 PM

We use many of the fingerprint USB flash drives in order to store sensitive information (rather than putting it on a regular flash drive). The contents on the drive are encrypted and you need the correct fingerprint to make the drive usable. The advantage of some of these drives (over ones that encrypt with a password) is that they are self contained so they will work on a PC and a Mac (the password versions require a program be executed which usually only is available on a PC).

Mahesh
October 12, 2010 1:35 PM

Ken B, I read somewhere (don't remember where) that SD cards do not have true write-protection, that they simply ask the OS to disallow any attempts to write onto the card.

Alejandro
October 12, 2010 2:01 PM

Sorry, Ken B., actually SD cards are not secure devices. I used to think the opposite, but I got disappointed since my SD card was infected once, even with write protect switch in locked position. You will find the explanation here:
http://www.fencepost.net/2010/03/usb-flash-drives-with-hardware-write-protection/?wpmp_switcher=mobile
Read paragraph titled "SD cards - Not recommended".

johnpro2
October 12, 2010 4:58 PM

I have a non writable DVD with a Linux based operating system installed with all essential apps available.
This would be safe on a public computer, however the administrator might have settings which prevent booting from your own supplied DVD. I guess a non writable USB drive would be the same as a non writable DVD ... the essential thing is that you are not using the operating system of the public computer which may be booby trapped ... everything is loaded into RAM.

This is still not safe. There are indeed hardware keyloggers that can be surreptitiously installed on computers - they'll steal no matter what you boot into.
Leo
13-Oct-2010

Ron Nosack
October 12, 2010 8:45 PM

SD cards are safe. We technicians plug our SD devices into heavily infected computers daily, and no one has ever reported anything jumping aboard. I do have a PQI stick, but don't use it because it is dreadfully slow. Stay away.

We do check into technician related websites all the time, and if anything infected a SD, it would be all over our news.

What I use is a Rosewill USB/SD converter. These are available for about 6 dollars at newegg. These are SDHC aware too.

Packrat1947

Glenn P.
October 12, 2010 10:37 PM

None of these comments -- absolutely none of them -- addresses the central problem, which is that in order to log on to any service using a public computer, you somehow have to send your login information into that service via the public computer. Like... "Duh!"

<Shakes head sadly...>

Bob
October 13, 2010 12:59 AM

To Glenn P.:
You seem to (accidentally or deliberately) miss the comment about using a DVD with your own, safe, operating system.
That does bring up other issues, I do admit - like whether you would be allowed to do it in the first place, and how to get onto the internet if you did - but it would protect you from software on the public PC because you wouldn't be running any of it...

I think I mentioned this in response to another comment: bringing your own OS is no guarantee of safety. Hardware compromises could easily still capture the data you type or send.
Leo
14-Oct-2010

johnpro2
October 14, 2010 3:45 AM

Hardware key-loggers ...I just checked out a web site that actually markets them and gives advice on how to install surreptitiously ....not nice.
Also the BIOS can be compromised with firmware key-loggers as well apparently, although possibly much rarer.
In spite of the Pharaohs' of Egypt best efforts, grave robbers still found ways in to rob the pyramids. Nothing much has changed in 5000 years it would seem.

Mick
December 7, 2010 8:57 AM

I downloaded .pdf and Excel catalogues to clients' computers from a USB memory stick.
When I got home after visiting about 8 clients, my stick was infected.
Feel like a Typhoid Mary or an AIDS lover. Keeping a VERY low profile now.
To get the required protection for me and my clients I will have to step outside the box and switch to CD's so I know I am safe. Damn!
