USB shared among students: set a password just for writing

I'm a school teacher and I'd like to share files in a USB stick among students and so among different OS.

In particular I would like to set a password for writing/changing, while the content of USB can be readable from everyone. This is for preventing the diffusion of malware.

Is it possible?


Solution 1:

Because this drive is going to be used on systems you do not control, or that are not Linux and don't otherwise support the Linux permissions scheme, you're a bit out of luck here.

There's no real way to do the password protection you're looking for on a disk without specialized equipment, though, and that's usually not cost-effective as a solution (as detailed below).

Note that I am an IT Security Professional, so if I seem demeaning or berating in my message and response here, I don't mean it that way, I'm just hypercritical when it comes to security, as it's my job to be that way.

(Scroll down to the "If you really want a secure method for sharing a flash drive around..." section below if you don't want to hear my rant about all the security risks you're introducing.)


System Security Rule 0: NEVER share around USB drives if you want to limit the risk of malware!

I say this is Rule 0, but this is really Rule 0B - Rule 0A is about physical access to systems.

But to put it simply, this is a MAJOR security risk. By attempting to use a USB to distribute data around, you immediately run the risk of not being able to control whether malware is put on the stick or not. This is partially circumvented by USB sticks with a read-only lock switch on them, such as the Kanguru FlashTrust 3.0, but they can easily be turned to read/write by flipping the switch.

As a security professional I strongly suggest you provide a non-USB-stick alternative method for access to the items for your class, such as a Box account or files served from a site within your educational institution's web space.

Another alternative is a fully-written-to, fully-locked CD/DVD, which would work just as well, and because it'd be fully written to and have no extra open space on it when you fully lock down the device, the disk would already be considered 'read-only'. Unless you need to share huge files, though, in which case the DVD option might not work well. More and more devices, however, are being released into the market without CD/DVD drives, however, which means this is not the most ideal solution either.

I'll also bet that by distributing this flash drive around, you break a few rules about "authorized devices" on your school's computer systems, but I can't speak to that.


If you really want a secure method for sharing a flash drive around...

... you start going into the world of very expensive equipment, such as the Apricorn Aegis SecureKey 3 which is a hardware encrypted thumb drive which permits you to set a passcode for admin mode but also provide read-only user passcodes as secondary codes on the device. That way, the disk is locked into read-only mode for non-admins, and read/write mode for the admin code user.

The problem with this, is it's expensive - $129US for just a 16GB secured stick - this is mostly due to the cost of hardware encrypted devices (but devices such as these are designed for a very special set of potential use cases and as such the availability of cheaper products is zero due to the lack of industry demand). So this is usually not a cost-effective option especially if you don't trust your students.


Ultimately, though, there's really no easy no-cost or cost-effective way to achieve what you want with just a plain USB stick, while maintaining OS cross-compatibility, and even then you can't guarantee the security.

The problem is that many different OSes are used and at play. Even if OSes weren't a factor, any user with root power would be able to give themselves access if it were a Linux formatted stick with Linux permissions even set. There's just no way to achieve USB stick security with no-cost or low-cost solutions.

This is one of the few times in the earth, though, that sharing via the cloud (Dropbox, Google Docs, Box, even an OwnCloud instance) is the proper solution, because there's no risk of malware infection just by downloading the file (unless the file itself is malware). (And the likelihood of one of the aforementioned cloud services being infected by such malware that you're trying to shield against is extraordinarily low)

Solution 2:

Share a CD or DVD disk.

Writable disks are really cheap. Drives are cheap too. Buy an external USB DVD writer for less than 30 USD, it will work on any modern computer, and you can lend it to students that don't have their own drive.

All but expensive disks are write-once, so the data you write onto the disk can't be rewritten. You have to make sure you write the disk to its full capacity though, or else the file system on the disk can be modified or replaced by writing more data in the empty regions. Even if you do leave empty space, there's fewer malware that will spread on an optical disk than on a flash drive.

The drawback of this is that if you want to share data that's larger than what fits on a few disks (a writable DVD has about 4 gigabytes of capacity), then a large capacity flash drive is much more convenient than lots of disks. I don't expect that would apply in your case though.

Solution 3:

Sharing a physical media is a terrible idea security-wise. Even if you share a read-only CD, your students could simply buy a blank CD of the same brand and write the original content + malware on it. You'd have to sign, stamp or otherwise make your media unique to prevent this, and ideally your students should only accept it from your hands, not from each other. Otherwise the original media could circulate among one group of students (and you), while a fake media would be given to another group.

A similar trick could be played on encrypted drives with read-only passcode: one of the students could save a drive image, write an infected image with the same read-only passcode and circulate the drive among the rest. The original image could then be restored before the drive is given back to you.

To prevent such threats, your students would have to obtain a digital signature of the original data from somewhere else, like a school server, and know how to verify it. Indeed it would be much simpler to store the files you want to share on the server where you'd store the signature, making the sharing process as simple as giving your students a download link.

Solution 4:

People have already answered your literal question. Let me try to take a stab at the real issue.

I'm assuming you have internet constraints that prevent you from having them download the files.

What you can do in this case is to provide an image (.iso file) on the USB, then tell students to run sha256sum on the file and check its hash against one that you provide via other means before they open the file.

Those who cooperate and don't do anything else should not get a virus.