Is there a secure way to transfer data outside the Internet?

It really depends upon the specific threats you may be facing, the direction of your data transfers, etc.

USB specific dangers

You mention the dangers of USB. The main one is indeed related to its firmware opening the possibility of a BadUSB type attack. When you need to transfer data in both directions, you may therefore prefer to use SD-Cards, which are not sensitive to such threats (if you use an external USB SD-Card reader, it should be safe, but dedicate it to a single computer; don't share it!).

I insist here that I'm mentioning SD-Cards as a viable solution against USB firmware attacks only. In such attacks, a USB flash drive's firmware may be corrupted in order to simulate rogue devices (fake keyboard, network card, etc.); such attacks are not possible with SD-Cards. I think this is the reason why we see Edward Snowden relying on SD-Cards in Laura Poitras' Citizenfour film when exchanging files between his own computer and the reporters' ones.

SD-Cards are also equipped with a read-only switch. While such switches are very convenient to prevent accidental modification of the card's content, they cannot be relied upon to prevent malicious modifications since read-only access is not enforced by the card itself but delegated to the computer's operating system.

Enforce a one-way communication

You talk about a possible leak of information by some malware on Alan's computer storing data in some hidden channel. If your transfers are mostly in one direction only and this is your main threat, then I suggest you use read-only media like CDs or DVDs. I don't know if there are still CD/DVD readers on the market; that would be best, since it would physically remove all possibility for Alan's PC to store any data on them, but even without that it would be far harder to store any data discreetly on such a disk.

With some digging, you may also find some other alternatives: for instance, in the thread "How to protect my USB stick from viruses" you will see a discussion pertaining to USB sticks containing a write-blocking switch (which works in a more secure way than the SD-Card's equivalent), the use of write blockers, which are equipment normally designed for forensic purposes, etc.

Long distance communication

Implemented as-is, the solutions provided above suppose that Alan and Bob are in direct contact, which may not always be true. However, data transfers outside of any computer network remain possible even over long distances, mostly by using the ordinary postal service, aka snail mail.

This method may be wrongly perceived as insecure by some people, while when used correctly it can actually present a very high security level. Such a method is used by the industry when it is required to move a very large amount of data securely. Amazon provides its Amazon Snowball service for such operations, and Wikipedia's page about sneakernet also lists some other real-life usage examples, including funny experiments inspired by an April Fools' Day RFC using carrier pigeons to carry the storage medium.

In our current scenario, Alan and Bob will need to take a few precautions to ensure everything goes well:

  • Alan and Bob will need to exchange their public keys. This may sound simple, but in the real world Alan and Bob may have no possibility to meet even once, may not know each other and may have no common trusted third party to vouch for each other's identity or provide an escrow service. However, the whole security of this system relies on this operation being done successfully. Fortunately, asymmetric encryption greatly helps, since the leak of these keys will have no deep impact, but it will be of no help against an impersonation or tampering occurring at this step.

  • The chosen data exchange medium may have some importance since each may present different characteristics:

    • Firmware-based storage devices are the most frequent nowadays, ranging from hard disks, with higher data volume, to micro SD cards, which can be very easily concealed. One may prefer to buy them from a physical store to avoid any initial tampering, but as we will see later the device will in any case no longer be trustworthy once the first shipment has occurred.

    • Non-firmware-based devices obviously present no firmware-related issue, but depending on the exact needs of Alan and Bob they may present other issues, in particular pertaining to anonymity: burned disks and printed paper, for instance, may contain unique identifiers allowing them to be linked to their author (such an identifier does not allow locating the author, though, but once his equipment has been seized it can be used to prove that this equipment produced them).

  • Of course the data will need to be properly encrypted and signed before being stored on the medium. I would tend to prefer an encrypted file, which can be more easily manipulated than directly using an encrypted partition on the medium.

  • I strongly suggest that the data be properly backed up before being sent. While such a transfer is secure in the sense that a potential opponent will not be able to access or tamper with the data even if he manages to intercept it, the data may still get lost or disappear (this can be the result of either a voluntary or an involuntary action: parcels do get lost or seized without any intervention from Big Brother; Murphy is very good at that too!).

  • Methods to obfuscate the actual sender and recipient (from PO boxes to more advanced stuff), when combined with concealment of the storage device, can help to avoid interception.

  • At least on the recipient side, I strongly advise not connecting the received storage device directly to the main computer, but instead:

    1. Connect the received media to a specially hardened minimal system (aka a sheep dip; the host itself may have no hard disk and boot from a LiveCD) where you will be able to quickly inspect the media content and the encrypted file (do not decrypt it on this host!),

    2. You may possibly want to copy the encrypted file to a more trusted support (here is one case where using an encrypted file instead of an encrypted partition can be useful). Moving the encrypted file to another support may be especially useful if using a firmware-based storage device since, once it has gone through the postal service, you cannot guarantee the firmware integrity anymore (while the encrypted data is signed, there is no signature you can check for the rest of the storage device).

    3. Then you can connect this most trusted support to your main air-gapped computer, where you will be able to safely decrypt it, making this step the end of the story :).
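As an added example (not part of the answer above), here are the receiver-side checks of steps 1 and 2 as a POSIX shell script for the sheep-dip host; the convention that the sender ships one encrypted and signed payload plus a companion `<payload>.sha256` file, and the function names, are my assumptions:

```shell
#!/bin/sh
# Added example for steps 1 and 2 above, not part of the answer: receiver-side
# checks on a sheep-dip host. Assumed convention (mine, not the post's): the
# sender ships one encrypted+signed payload plus a companion "<payload>.sha256"
# line produced by sha256sum. Nothing here decrypts anything.
#
# On a real sheep dip, mount the received medium with restrictive options first
# (needs root and a real device, so it is only shown here):
#   mount -o ro,noexec,nodev,nosuid /dev/sdX1 /mnt/received

# inspect_media MEDIA_DIR PAYLOAD_NAME
# Returns non-zero if the payload or its hash file is missing, if anything else
# is present on the medium (autorun.inf, hidden files, ...), or if the hash
# does not match. The medium is only ever read.
inspect_media() {
    media=$1
    payload=$2
    [ -f "$media/$payload" ] || { echo "payload missing" >&2; return 1; }
    [ -f "$media/$payload.sha256" ] || { echo "hash file missing" >&2; return 1; }
    extra=$(ls -A "$media" | grep -F -v -x -e "$payload" -e "$payload.sha256" | head -n 1)
    [ -z "$extra" ] || { echo "unexpected item on medium: $extra" >&2; return 1; }
    # sha256sum -c resolves the name in the hash file relative to the cwd.
    (cd "$media" && sha256sum -c "$payload.sha256" >/dev/null) \
        || { echo "hash mismatch for $payload" >&2; return 1; }
}

# stage_payload MEDIA_DIR PAYLOAD_NAME TRUSTED_DIR
# Copies only the payload (never the whole medium) to the trusted support and
# re-hashes the copy, so a flaky reader or medium is caught before anything
# reaches the air-gapped machine.
stage_payload() {
    media=$1
    payload=$2
    dest=$3
    inspect_media "$media" "$payload" || return 1
    mkdir -p "$dest" || return 1
    cp "$media/$payload" "$dest/$payload" || return 1
    expected=$(cut -d' ' -f1 "$media/$payload.sha256")
    actual=$(sha256sum "$dest/$payload" | cut -d' ' -f1)
    [ "$expected" = "$actual" ] \
        || { echo "copy corrupted, removing it" >&2; rm -f "$dest/$payload"; return 1; }
    echo "staged $dest/$payload ($actual)"
}
```

Signature verification of the staged file still happens on the air-gapped machine, where the keys live; the sheep dip only confirms the medium carries exactly what was announced.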


It is not reasonable to ever assume data you receive (including your operating system, BTW) from an outside source can be made 100% secure.

The most secure way to transfer something and all but guarantee no side effects (e.g. the OS mounting an external drive) is to type in all the data by hand while being sure you understand it all. Even then you still have no guarantees.

Fundamentally, the only way to achieve perfect security is to never let your computer do anything with anything.


It is impossible to achieve what you are asking for. You've specified in your criteria that Alan's computer can be pre-infected with arbitrary and unknown malware. In other words, Alan's computer is free to do anything it likes, using any of the hardware under its control. You've also specified that you want a method which is "100%" secure, and you didn't specify what you mean by secure. Are you concerned with data destruction, theft, tampering, or all of the above? You didn't specify some level of security less than 100% as being an option, so my answer will only be in the context of 100% security.

You've attempted to make the system more secure by disconnecting it from the internet, and by banning USB drives. That will give you greater security against certain types of attacks that rely on those mediums in order to gain control of your machine. But you already have arbitrary malware so it is already too late to protect against that.

It's also too late to protect against data destruction. Your malware can decide to destroy all of Alan's data any time it likes.

So the remaining major source of concern that you want to protect is probably data leakage. It doesn't really matter how you get data into Alan's computer. Internet, USB, carrier pigeon with manual data entry - Alan's system is completely compromised, so it has access to everything.

So that leaves data going out. Again, you cannot 100% prevent the computer from communicating with the outside world without stopping it from functioning as a computer. It probably has some combination of: fans, electric circuits, mechanical drives, speakers, monitors, power supply. Some of those are compulsory, and all can emit controllable signals for your malware.

To address two of your specific points:

either Alan has to have complete control over the data being transferred (i.e. Alan knows 100% what he is importing)

This is a bit non specific. Do you mean that he 100% trusts the source? That he can see 100% of the data stream as it enters his computer? That he can 100% understand the meaning of every bit of that data stream?

You might be able to achieve the first two. The third is impossible. The malware could be using any kind of arbitrary encoding to hide its communications.

or Alan must know exactly (and I mean it) how data is being handled by his computer system.

This is impossible, by the criteria you have set, due to the malware.