Do note that write-protect switches often only ask that software not write to the drive (Host protect), and are not sufficient to protect against a malicious entity.
Unless an examination reveals otherwise, it is wise to assume that the media's write protection is a software protection, not a hardware protection.
SD cards have a physical switch to write-protect them, but the logic and protection are done in software.
For example, there's a project that provides replacement firmware for Canon cameras - http://chdk.wikia.com/wiki/CHDK - stored on the SD card. The new firmware is selected by moving the write-protect switch on the card. In either configuration, the camera can still save new photos to the storage.
It would be nice if their bootloader "just" loaded the entire image into RAM and let the user continue booting and running without the USB drive attached. Optical drives are on their way out, USB drives with a trustworthy write switch are obscure (if they exist at all) and this seems quite secure. I'm using scare quotes because I don't know how difficult this is.
I agree that this seems like the best compromise: Have the bootloader load the squashfs (or whatever) to RAM, and then unmount and prompt you to remove the media before executing the kernel. In order to compromise that, you'd have to corrupt the process which creates the flash drive originally; if that's been achieved then it's game over regardless.
Unfortunately, many/most laptops do not support booting from SD cards. If you were to store the main image on an SD card, you'd still need a CD/DVD/USB drive to load the bootloader.
If you are going to use it on a DVD drive or otherwise, then make sure you update it regularly (i.e. download and burn a new DVD, etc.) to make sure your OS and various tools have the latest patches. Otherwise you are much more vulnerable. All the time, people forget and end up using a very old version.
An adversary could modify your image.
It's possible that they could have your copy phone home through a non-anonymized route, revealing information about your identity.
They could also make it so that your route all information through their nodes, or eavesdrop through a built-in microphone or camera.
All sorts of nasty things, all with persistence between boots.
Interesting. Do you mean by physically accessing the USB drive and changing it, or software that waits to modify the USB drive once connected? Thank you!
I was talking about using a USB drive as the medium for your Tails Live "CD."
The point of Tails is that unless you explicitly take action to make changes or save files, nothing that you do will be persistent across restarts. The memory of the PC you were using is wiped, and the medium on which you store the Tails OS has not been modified. The next time you start Tails you will have a fresh copy. No personal information, no settings that could distinguish you from any other vanilla Tails user. You'll be presented with the same toolkit tailored to privacy and security every time.
If an attacker is able to compromise one session it is a problem, but maybe they didn't gather the intelligence they needed to de-anonymize you. Now, if they can make it so that your copy of Tails boots with their exploits already loaded, then there's a major problem.
Can't you get one of those U3 drives that appear as a USB DVD drive? It requires loads of time and special software to reflash, but I'm not sure if they're available any more.
Then again, a malicious actor may just go through the trouble of bypassing the protections.