[Gllug] U3 drive with Linux etc - unexpected defects and security problems

Christopher Currie ccurrie at usa.net
Fri Jan 13 21:45:41 UTC 2006 

I recently acquired a 1 Gig USB pen drive, and when I got it home I found it 
had a CleverStuff U3 system preinstalled. To a Windows XP user, this looks 
like two drives (one for the U3 system, and one for the storage area). 

I could not find any information on the Web about Linux users' experience with 
these things, so thought the following might be of interest.

My SUSE 9.3 system (and for that matter Puppy Linux 1.0.7) also saw the U3 
device as two drives-  a CD /dev/sd<nn> drive and a VFAT hard 
drive /dev/hd<xnn>. That was fine. Could read the Windows folders (/documents 
and /system)  on the storage drive,  and save and load data without trouble.

Could not boot a Linux system from the drive without removing the U3 stuff, 
though. But usable.

When I attached it to a Windows XP system and enabled the security with a 
password, then re-tested it under Linux and other systems, I found:

SUSE 9.3 and Puppy saw the 'CD' system drive but didn't see the storage area 
at all.

Windows 98 said there was no media on the drive.

Kanotix 2005-04 Lite did not see the device at all.

SimplyMepis (version downloaded Nov. 2005) spotted that there was an sda 
device, but when I tried to mount it, it thought it contained no media.

Return to XP and disable the security, re-test under Linux, and hey presto! 
Mepis, Puppy, and SuSE could all see it and read it.

After downloading and installing U3 software under XP, the system folder 
disappeared. It reappeared when I mounted the drive under Mepis...

Tried it on another box under Windows 2000 PRO, This at first didn't load the 
U3 system automatically (as XP had set the drive to do); but it worked ok 
when i ran it. But then found that I could bypass the password security by 
rebooting the computer with the device plugged in  (it should have asked for 
the password again but instead displayed the files open to public 
inspection..)

After trying Skype on the system under XP, and then trying to eject the pen 
drive, I get a chronic error message, asking me if I still want to eject the 
drive anyway. If I say yes, all seems OK afterwards. But it would disturb a 
naive user.

I concluded that :

i) there could be security problems for LAN administrators relying on Linux to 
access Windows PCs on the LAN, if someone was plugging in a 
password-protected U3 drive on one of the boxes, since Linux might not see it 
at all;

(ii) There is a security/access problem for people wanting to transfer data 
between Linux and Windows XP PCs (they have to leave the unit unlocked except 
when attached to the Windows PC). They would have to rely on file-level 
encryption;

(iii) there could be access problems for naive users wanting to use U3 drives 
with Windoze 98/ME, even if the PC thinks it has the drivers;

(iv) there is a security problem for people using these drives with Windows 
2000.

(v) the system is a bit buggy anyway...

Christopher Currie
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug

More information about the GLLUG mailing list