
Self-Destructing USB Stick

samzenpus posted more than 4 years ago | from the secure-the-bits dept.

Security 223

Hugh Pickens writes "PC World reports that Victorinox, maker of the legendary Swiss Army Knife, has launched a new super-secure memory stick that sounds like something out of Mission: Impossible. The Secure Pro USB comes in 8GB, 16GB, and 32GB sizes, and provides a variety of security measures including fingerprint identification, a thermal sensor, and even a self-destruct mechanism. Victorinox says the Secure is 'the most secure [device] of its kind available to the public.' The Secure features a fingerprint scanner and a thermal sensor 'so that the finger alone, detached from the body, will still not give access to the memory stick's contents.' While offering no explanation how the self-destruct mechanism works, Victorinox says that if someone tries to forcibly open the memory stick it triggers a self-destruct mechanism that 'irrevocably burns [the Secure's] CPU and memory chip.' At a contest held in London, Victorinox put its money where its mouth was and put the Secure Pro to the test offering a £100,000 cash prize ($149,000) to a team of professional hackers if they could break into the USB drive within two hours. They failed."

223 comments

What if they cut the finger and heat it (5, Insightful)

unity100 (970058) | more than 4 years ago | (#31668664)

to 37 degrees celsius ?

Re:What if they cut the finger and heat it (2, Insightful)

boef (452862) | more than 4 years ago | (#31668678)

maybe next time they will have a team of professional cannibals have a go...

Re:What if they cut the finger and heat it (1, Funny)

Anonymous Coward | more than 4 years ago | (#31668688)

Oh come on, you're ruining the movie!

Don't Need One... (1, Offtopic)

happy_place (632005) | more than 4 years ago | (#31668750)

I'm doing fine destroying USB sticks on my own... why would I ever want to do so deliberately... can't count how many have gone through the wash. I've run a couple over with my car... My kids who think they can be jammed into the air conditioning slots in the car... sigh...

Re:Don't Need One... (2, Interesting)

datapharmer (1099455) | more than 4 years ago | (#31668846)

You must have one crazy washing machine. I find them in the bottom of the wash all the time and as long as I let them dry out first I haven't had one fail yet. Not that I would recommend running them through the wash intentionally, but....

Not sure about being run over by cars though; a titanium cased one perhaps?

Re:What if they cut the finger and heat it (5, Insightful)

jamesh (87723) | more than 4 years ago | (#31668772)

Or alternatively, find someone the owner of the USB stick cares about and threaten to cut off that person's finger if the owner doesn't cooperate.

Re:What if they cut the finger and heat it (2, Insightful)

Shadow of Eternity (795165) | more than 4 years ago | (#31668862)

Mod parent up.

In fantasy land people think that the reaction to biometric security and encryption is somebody giving up or resorting to Hollywood methods of getting around it.

In reality the reaction is to just start killing or maiming people until you cooperate.

Re:What if they cut the finger and heat it (0)

Anonymous Coward | more than 4 years ago | (#31668978)

In fantasy land people think that the reaction to biometric security and encryption is somebody giving up or resorting to Hollywood methods of getting around it.

In reality the reaction is to just start killing or maiming people until you cooperate.


How often do you come across data that's so important that you're willing to kill somebody over it? So who exactly is living in fantasy land?

You're naive. (3, Insightful)

Suzuran (163234) | more than 4 years ago | (#31669072)

Last week in Texas, three men with assault rifles attempted to ambush and execute a family of four to steal the rims from their SUV. Human life is worthless to criminals.

Re:You're naive. (5, Informative)

Anonymous Coward | more than 4 years ago | (#31669234)

Human life is worthless to criminals.

Human life is worthless to murderers. The term criminals covers a wide variety of law-breakers from litterers to mass-murderers.

Re:What if they cut the finger and heat it (5, Funny)

Anonymous Coward | more than 4 years ago | (#31669058)

wrench it up a notch (1)

nottheusualsuspect (1681134) | more than 4 years ago | (#31669060)

In reality the reaction is to just start killing or maiming people until you cooperate.

Truly I tell you, Randall knows of your problems [xkcd.com], and he maketh them amusing.

Re:What if they cut the finger and heat it (4, Insightful)

John Hasler (414242) | more than 4 years ago | (#31669184)

Some guy who finds your USB stick on the train isn't going to hunt you down and beat the password out of you. If he had motive and opportunity to do that he would already have done it.

What if they just breathe at the sensor? (2, Informative)

Ihlosi (895663) | more than 4 years ago | (#31668822)

No detached fingers necessary. Many scanners can be fooled by "reactivating" the most recent fingerprint with the moisture in the exhaled air.

And _really_ professional fingerprint scanners don't check temperature, they check blood oxygen saturation and pulse. That makes cutting off any appendages pretty much a non-issue - it's easier to fool the thing with a dummy finger (or the actual finger that's still attached to the unconscious or otherwise compliant owner) than trying to simulate blood oxygen saturation and pulse with a detached finger.

Re:What if they just breathe at the sensor? (3, Informative)

jridley (9305) | more than 4 years ago | (#31668866)

Not this one, it's a linear sensor, you have to swipe your finger over it, and it reads sequentially.

Re:What if they just breathe at the sensor? (4, Interesting)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#31668988)

Just for curiosity's sake, I'm trying to think of how difficult that would actually be....

Exposing blood to air gives you pretty decent oxygen saturation. Doing that for any great length of time is likely to cause clotting or other nastiness, so it isn't exactly an alternative to the "lung" side of "heart lung machine"; but this isn't medicine we are talking about, just fooling a sensor. In the same vein, the sensor isn't going to care about blood type, immune matching, or anything like that. Also, a finger doesn't have that much volume to in. A few CCs of fresh blood (from say, yourself, or the same guy you took the finger from), exposed to air for a few seconds, would be fine.

Pulse could presumably be simulated with a low power pump(perhaps a small peristaltic unit), with its power supply being turned on and off at roughly the right frequency. I can't imagine that huge exactness is required, since the pulse rates of humans vary fairly widely with conditions, and people would be pissed if their fingerprint scanner doesn't work if they've just run up a flight of stairs, or are freaking out about the big presentation in 20 minutes.

The real difficulty, or lack thereof, would really come down to the artery/vein structure of the finger. If you can get away with just connecting to a couple of big blood vessels and ignoring some minor leakage (since this is all temporary and nonmedical), an amateur willing to just shove a few little tubes in there should do fine. If the sensor can detect (and is tuned to care about) the details of the vasculature, you'd pretty much need a cooperative microsurgeon, a fancy microscope, and real surgical kit. That would probably be problematic for most applications.

Obviously, the above would be a huge pain in the ass, even under good conditions, and is highly unlikely to be worth it(probably easier just to show the owner of the finger your pair of bolt cutters, and let him operate the scanner for you, unless you are in an environment where the cameras would pick up on that, in which case the above described apparatus could, quite plausibly, be fit down the sleeve of a not-too-suspicious garment).

Perhaps more practical, I wonder how difficult it would be to produce a variant of the classic "gelatin finger with correct fingerprint" that reads as having oxygen sat and a pulse? Would one made of blood agar [wikipedia.org] return plausible results under optical oxygen saturation tests? If so, that'd raise the bar from "supermarket" to "laboratory supply house"; but that wouldn't be too bad. For pulse, the question is "how complex does your simulated vasculature have to be?" Any decently competent modeler can probably mould a simple circulatory loop into a gel finger; but achieving an actual capillary structure is sci-fi self-assembling nanomaterials stuff...

Re:What if they just breathe at the sensor? (2, Insightful)

mcgrew (92797) | more than 4 years ago | (#31669280)

But why bother with all that Rube Goldberg crap when you can put a gun to his head and a knife at his crotch? "Put your finger on the scanner or we cut your balls off" would pretty much do it for anybody.

Re:What if they just breathe at the sensor? (1)

muckracer (1204794) | more than 4 years ago | (#31669366)

> when you can put a gun to his head and a knife at his crotch?
> "Put your finger on the scanner or we cut your balls off"
> would pretty much do it for anybody.

Well, for roughly 50% of 'anybody' anyway... Just sayin'.

Re:What if they just breathe at the sensor? (1)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#31669418)

In the case of a device like this, no reason at all. "Just for curiosity's sake". Any attacker is either going to have basically zero access to the owner (the "found it 30 minutes after you dropped it somewhere public" case. Though, in that case, it would be hilariously ironic if the nice shiny plastic of which this device is made happens to store useful fingerprints much better than a slightly rougher finish that would have cost no more to produce...) or more or less root access (the "Mugging/abduction/you can give us the access or give us your finger" case).

In the case of something like a building access control system, where the fingerprint scanner is under the watchful eye of the CCTV camera, and the slightly less watchful eye of Bud the rentacop, though, physical intimidation is much less of an option. Having Bob, faithful employee, closely shadowed by Mallory, sinister trenchcoated stranger and followed into the building is going to be pretty suspicious. In such a case, the question of whether you can build a finger analog that fools the more sophisticated sensors with relatively-low-cost apparatus that will fit up your sleeve becomes more interesting.

Re:What if they cut the finger and heat it (0)

Anonymous Coward | more than 4 years ago | (#31668904)

Then the owner of the finger wouldn't feel the heat.

Re:What if they cut the finger and heat it (1)

period3 (94751) | more than 4 years ago | (#31668908)

Then you'd win the contest, but all your winnings would be needed for your legal defense.

Two hours? (5, Insightful)

mog007 (677810) | more than 4 years ago | (#31668668)

Presumably, if you had physical access to the drive, wouldn't you have more time to crack it than two hours?

Re:Two hours? (1, Insightful)

bcmm (768152) | more than 4 years ago | (#31668682)

Thank you!

Also, it seems inevitable that the actual data will not be encrypted. For some reason, people who claim to make secure USB sticks never, ever use real encryption on them.

Re:Two hours? (2, Informative)

quantumplacet (1195335) | more than 4 years ago | (#31668740)

from TFA:

Victorinox says the device uses the Advanced Encryption Standard 256 to protect your data as well as its own proprietary security chip.

Re:Two hours? (2, Insightful)

jridley (9305) | more than 4 years ago | (#31668906)

Yeah, but that could mean anything. Does it specifically say that your data is encrypted to AES 256, or just that AES 256 is "used to protect your data"? The latter could mean that the key is encrypted with AES 256, but then the key is just an XOR key for the data. Or that AES 256 is only used in the driver software it loads (if there is any, I don't know).

There have been cases before of "secure" thumb drives that just had bits on the controller that had to be unlocked with keys to allow access to the data, and simply shorting/lifting those pins on the controller defeated the security.

A 2 hour test is pointless. The real test would be to give the devices to some guys who had the ability to put logic analyzers and scopes on the pins, and reverse engineer the entire system over the course of weeks. THEN see if they could generate a relatively simple way to break into the data.

Re:Two hours? (1, Troll)

sonic_assault (1194739) | more than 4 years ago | (#31669064)

A two hour test is pointless to anyone with any knowledge of computing. A two-hour test is a mighty fine advertisement for a bunch of know-nothing DoD jerks.

Re:Two hours? (3, Insightful)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#31669026)

Even if they aren't lying, the question is "did they use AES 256 correctly?"

There are a number of ways, some of them non-obvious, to produce a system that does, in fact, use AES 256 in some capacity; but doesn't actually achieve reasonable security against anybody who wouldn't also be stopped by XOR and a scary looking autorun program (particularly since, as this is a small USB drive, the attacker can probably make some plausible assumptions about some of the plaintext, based on what is known about what fat32 volumes look like).
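The weakness raised in the two comments above (AES protecting only a key while the data itself is XORed, and the predictable layout of a FAT32 volume) is something that can be checked for on a device under evaluation. The following is an added example, not part of the thread or of any vendor's code: it takes sector 0 of an "encrypted" image and tests whether its bytes are consistent with a repeating XOR key. The field values in `KNOWN_FAT32`, the sample key, the constructed boot sector and the SHA-256 counter keystream (a stand-in for a proper cipher mode, not AES) are assumptions made for the illustration.

```python
import hashlib

# Field values a typical FAT32 boot sector carries (offset -> bytes).
# Assumption: the volume was formatted with common defaults.
KNOWN_FAT32 = {
    0: b"\xeb\x58\x90",   # x86 jump over the BIOS parameter block
    11: b"\x00\x02",      # 512 bytes per sector
    16: b"\x02",          # two FAT copies
    17: b"\x00" * 4,      # root entry count and 16-bit sector count: 0 on FAT32
    21: b"\xf8",          # media descriptor
    22: b"\x00\x00",      # 16-bit FAT size: 0 on FAT32
    52: b"\x00" * 12,     # reserved field
    82: b"FAT32   ",      # file system type string
    510: b"\x55\xaa",     # boot sector signature
}

# Constructed 16-byte key, used only to build the sample ciphertexts.
SAMPLE_KEY = bytes.fromhex("3ac1594e07b2d86f10e5a47c9b26f38d")


def constructed_boot_sector() -> bytes:
    """Build a sample 512-byte FAT32 boot sector (constructed, not from a real drive)."""
    sector = bytearray(512)
    for offset, value in KNOWN_FAT32.items():
        sector[offset:offset + len(value)] = value
    sector[3:11] = b"MSDOS5.0"        # OEM name, varies by formatter
    sector[13] = 8                    # sectors per cluster, varies by volume size
    sector[71:82] = b"NO NAME    "    # volume label
    return bytes(sector)


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """The weak scheme: every byte XORed with a short repeating key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def hashed_keystream(data: bytes, key: bytes) -> bytes:
    """Stand-in for a sound cipher mode: XOR with a non-repeating SHA-256 counter keystream."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def find_repeating_xor(ciphertext: bytes, max_period: int = 64, min_confirmed: int = 4):
    """Return (period, key) if sector 0 is consistent with a repeating XOR key, else None.

    Each known plaintext byte implies one keystream byte. For a candidate period,
    all implied bytes that land on the same key slot must agree. A period is only
    accepted when at least min_confirmed slots were seen twice with equal values,
    so a period with no overlapping observations is never reported.
    Key slots that no known byte reaches are left as None.
    """
    implied = {}
    for offset, value in KNOWN_FAT32.items():
        for i, plain in enumerate(value):
            implied[offset + i] = ciphertext[offset + i] ^ plain

    for period in range(1, max_period + 1):
        key = [None] * period
        confirmed = set()
        conflict = False
        for offset, ks_byte in implied.items():
            slot = offset % period
            if key[slot] is None:
                key[slot] = ks_byte
            elif key[slot] == ks_byte:
                confirmed.add(slot)
            else:
                conflict = True
                break
        if not conflict and len(confirmed) >= min_confirmed:
            return period, key
    return None


if __name__ == "__main__":
    plain = constructed_boot_sector()
    for name, image in (("repeating XOR", xor_repeating(plain, SAMPLE_KEY)),
                        ("non-repeating keystream", hashed_keystream(plain, SAMPLE_KEY))):
        result = find_repeating_xor(image)
        if result is None:
            print(f"{name}: no repeating-XOR structure found in sector 0")
        else:
            period, key = result
            shown = "".join("??" if b is None else f"{b:02x}" for b in key)
            print(f"{name}: FAIL, period {period}, implied key {shown}")
```

A `None` result only rules out this one failure mode; it says nothing about key management, such as the shared-key problem mentioned further down the thread.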

Re:Two hours? (4, Interesting)

TheRaven64 (641858) | more than 4 years ago | (#31669134)

Mod parent up. Apple's File Vault, for example, stores the key in a silly way, which reduces the effective key length of their 128-bit AES implementation to something closer to 112 bits. Given that the recent attacks on AES reduce the complexity further, File Vault with AES-128 is creeping closer to being feasible to crack. Hardware AES is potentially vulnerable to side-channel attacks.

If the drive is secure, you don't give attackers 2 hours to break it, you publish the implementation details and give a prize to the first person to demonstrate a feasible attack with this knowledge.

Re:Two hours? (2, Interesting)

Andy Dodd (701) | more than 4 years ago | (#31669370)

See, for example, the Kingston DataTraveler BlackBox scenario. It and two drives (one from Verbatim, one from... I forget who...) that used the same crypto chip had FIPS 140-2 validated AES implementations, but they completely screwed up key management. All of the drives apparently used the same AES key...

Re:Two hours? (1, Insightful)

HungryHobo (1314109) | more than 4 years ago | (#31668760)

it's because they want to be able to sell data recovery services.

That and it's a genuine concern in business- apparently when they ask "what if I forget my password" the answer "then you try to remember it or your data is gone" isn't acceptable.

Re:Two hours? (0, Troll)

jonwil (467024) | more than 4 years ago | (#31668814)

Except that anyone using a secure USB stick as the only copy of important data deserves to loose it if they loose the password.

Re:Two hours? (0, Troll)

FiveLights (1012605) | more than 4 years ago | (#31668832)

Someone who looses their passwords is liable to loose a lot more than just their data.

Re:Two hours? (0)

Anonymous Coward | more than 4 years ago | (#31668880)

I once had a loose password on the run...but I didn't lose it in the end...it came back to me...and we are again reunited...grammatically also... - grammar nazi

Re:Two hours? (4, Funny)

somersault (912633) | more than 4 years ago | (#31668876)

Except that anyone using a secure USB stick as the only copy of important data deserves to loose it if they loose the password.

Dear gods man, twice in the same sentence? WHAT HAVE YOU DONE?!! Run, before the most foul ranks from the deepest depths of nether spelling nazi hell are unleashed and rain their fiery vengeance upon you!

Re:Two hours? (1)

Vectormatic (1759674) | more than 4 years ago | (#31669350)

at least he is consistent..

Re:Two hours? (2, Insightful)

Jurily (900488) | more than 4 years ago | (#31668956)

That and it's a genuine concern in business- apparently when they ask "what if I forget my password" the answer "then you try to remember it or your data is gone" isn't acceptable.

Isn't that the whole point, that people without the password won't get the data? I know business can be retarded, but come on.

I believe the proper procedure would be to ask the boss to open the vault and get the only written copy of said password out, followed by paperwork.

Re:Two hours? (2, Insightful)

stupid_is (716292) | more than 4 years ago | (#31668708)

But then you wouldn't be able to have a snazzy Press Release stating that professional hackers couldn't get into it.

Re:Two hours? (3, Interesting)

warGod3 (198094) | more than 4 years ago | (#31668720)

The article didn't mention two things:

* Was the "team of professional hackers" paid for NOT cracking this?
* Was the "team of professional hackers" able to beat the security at all?

PICS! (2, Funny)

leuk_he (194174) | more than 4 years ago | (#31668758)

Here is a picture of the launch event. [realwire.com] (safe for work. Really!) Surely a hacker who looks like that must be an expert in hacking USB sticks. ;)

I'm going to lunch (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31668752)

Does anyone want anything?

Re:Two hours? (1, Funny)

ark1 (873448) | more than 4 years ago | (#31668792)

The article fails to say that you have to press the fingerprint identification every 108 minutes or else it will self-destruct.

Re:Two hours? (1)

IBBoard (1128019) | more than 4 years ago | (#31668974)

That'll be a real PITA for anyone who wants to go to sleep at any point after they buy it!

Re:Two hours? (1)

Vectormatic (1759674) | more than 4 years ago | (#31669398)

well, the most convenient way to tackle this would be to first place the device in some sort of explosion proof container, one might consider a bunker, or a hatch, and then introduce a rotating schedule for manning this 'hatch' container to prevent any sort of unwelcome effect

Re:Two hours? (1)

syousef (465911) | more than 4 years ago | (#31668952)

Presumably, if you had physical access to the drive, wouldn't you have more time to crack it than two hours?

Would you believe this much? Okay chief, this is top secret. Let's use the cone of silence.

Re:Two hours? (4, Insightful)

spacerog (692065) | more than 4 years ago | (#31668966)

"At a contest held in London, Victorinox was offering a £100,000 cash prize ($149,000) to a team of professional hackers if they could break into the USB drive within two hours. They failed."

Umm, they weren't Pros. The contest was open to anyone who preregistered and you got to keep the knife after the contest. Not only that, there were several restrictions on the contest. First you have to live in the UK, preregister and you only get two hours. Because ya know the bad guys always tell you who they are and always give up after two hours. Oh, and you have to be present to win, no Internet based attacks, you can only use Windows 64bit or whatever Linux flavor they are providing and of course you have to give up your exploit if you win. All that and more for a measly hundred thousand pounds? Yeah, no thanks, but hey it makes for great publicity and it is a cool knife.

So called "Hacker Challenges" are not a valid security assessment.

- Space Rogue

Re:Two hours? (1)

Andy Dodd (701) | more than 4 years ago | (#31669390)

No logic analyzers? Scopes? Only two hours?

Without a doubt, a stupid press stunt.

Re:Two hours? (2, Funny)

sorak (246725) | more than 4 years ago | (#31669238)

Presumably, if you had physical access to the drive, wouldn't you have more time to crack it than two hours?

Exactly. You have 24 before Kiefer Sutherland kicks your ass.

Professional hackers? 2 hours? (3, Insightful)

alexandre (53) | more than 4 years ago | (#31668684)

I thought that we had stopped, 10 years ago, considering such scam contests as serious security proof?

Re:Professional hackers? 2 hours? (1)

HungryHobo (1314109) | more than 4 years ago | (#31668874)

Nah, it still makes for a nice spectacle and PR piece.
In reality the only use for pen testing is as a metric.

Re:Professional hackers? 2 hours? (3, Interesting)

bluefoxlucid (723572) | more than 4 years ago | (#31669292)

Seeing as I used to pen test; and we regularly raped the shit out of banks and utilities and gave them volumes to explain their complete and utter security failure AND methods to correct their gross incompetence; AND they had competent security teams that thanked us both for pounding issues they had found into their managers' heads AS WELL AS finding issues they had no prior knowledge of; AND we regularly got called back after a year for another pen test and found less, some of the same (not fixed), and some new issues; I have got to say that penetration testing is the only real way to test a system's real-world security.

Seriously, you have the people sitting around coming up with all kinds of policies trying to secure a system. These are just theory. IIS is configured correctly, MySQL is configured correctly, we did a lot of ridiculous useless shit to lock down Windows and Linux (like deleting the swap file at shutdown, woo!). Everything's compliant, so it must be secure.

Then you have people like me, sitting down, squinting, poking, prod--*FOOM!* .... oh shit o_o it asplode....

Thermal sensor? (5, Insightful)

zmotula (663798) | more than 4 years ago | (#31668686)

The Secure features a fingerprint scanner and a thermal sensor 'so that the finger alone, detached from the body, will still not give access to the memory stick's contents.'

Surely if somebody can chop off your finger he can also warm it up?

Re:Thermal sensor? (1, Funny)

Anonymous Coward | more than 4 years ago | (#31668780)

Surely if somebody can chop off your finger he can also warm it up?

sexist.

Re:Thermal sensor? (0, Offtopic)

Shadow of Eternity (795165) | more than 4 years ago | (#31668838)

While I'm sure a woman could do so just as well, if not better, I'm also fairly sure that the fuck it.

Just fuck it. I can't make a detached-finger-in-vagina joke about a KNIFE company with a straight face.

Re:Thermal sensor? (1)

Vectormatic (1759674) | more than 4 years ago | (#31669422)

reading your post, i'd say 'fuck it' might also be a probable solution for a woman wanting to obtain data from this kind of secure usb stick, especially if the stick is owned by some basement-dweller

Re:Thermal sensor? (0)

Anonymous Coward | more than 4 years ago | (#31668918)

What I want to know is how many people are seriously in danger of someone cutting off their finger just to get access to their family photos, perhaps bank details, personal documents, and maybe even corporate documents? Just because that kind of thing can help regularly in the movies doesn't mean the average individual is in any danger of such a thing.

Re:Thermal sensor? (1)

athlon02 (201713) | more than 4 years ago | (#31668938)

I should spell/grammar check before I submit :-/ ...

Just because that kind of thing can happen regularly in the movies doesn't mean the average individual is in any danger of such a thing.

Re:Thermal sensor? (0)

Anonymous Coward | more than 4 years ago | (#31669208)

Well said, Anonymous Coward!

Re:Thermal sensor? (0)

Anonymous Coward | more than 4 years ago | (#31669116)

>bank details

You know, some IT people work at a bank and if someone wants to rob it, best do it digitally by "finding" the IT guy and taking his finger. Easier than having to take him hostage.

Re:Thermal sensor? (1)

Errol backfiring (1280012) | more than 4 years ago | (#31668946)

I experienced something opposite many years ago: Just holding your hand over a recently used finger print scanner was enough to log you in as the previous user. The previous login had left enough sweat for the device to recognise as a real finger. Holding your hand above it was just to trigger the temperature sensor to activate the reading. The finger print scanners have hopefully improved much since then...

Re:Thermal sensor? (1)

Vectormatic (1759674) | more than 4 years ago | (#31669436)

this is a swipe-type scanner, you don't just press down on it, so no pattern is left behind, no usable pattern anyway

Re:Thermal sensor? (0)

Anonymous Coward | more than 4 years ago | (#31669258)

Surely if somebody can chop off your finger he can also warm it up?

Actually, the device won't recognize the fingerprint of a chopped off finger after about 10 min. due to the blood loss (according to my computer and network security courses).

[overanalyzing obvious marketing ploy]

Inspector Gadget?? (0, Offtopic)

BinaryBobbie (1714694) | more than 4 years ago | (#31668690)

This message will self destruct in 30 seconds...

Shame it has a knife on it (2, Interesting)

solevita (967690) | more than 4 years ago | (#31668694)

From TFA:

Anyone stateside wanting one of these bad boys will have to wait patiently or hop on a transatlantic flight.

Just remember to take it out of your pocket before getting back on that plane.

I'd be interested in one without the knife as something to play with, but I'm not sure I want to carry all the rest of it around with me (I'm not some knife freak, but I want a USB stick to be just a USB stick).

Re:Shame it has a knife on it (4, Funny)

boef (452862) | more than 4 years ago | (#31668726)

Indeed.
Not only do you have to let it out of your sight/control if you fly, it also comes with a built in way for someone to threaten you or cut off your finger (and use it quickly.. they are not nice to touch once they go cold)

Re:Shame it has a knife on it (1)

bds1986 (1268378) | more than 4 years ago | (#31668984)

Given the fuss about laptop batteries igniting a while back, I can't see the TSA being too pleased with a device with an inbuilt (presumably incendiary) self-destruct mechanism, even without the knife.

Re:Shame it has a knife on it (4, Informative)

jweller (926629) | more than 4 years ago | (#31669174)

I doubt very seriously that it's incendiary. I would guess that it is electrical in nature. I built an anti tamper device before and used a 300v photo flash cap run down the ground rail. VERY effective. Actually blew some SMB components off of the board and set several tantalum capacitors on fire.

Although I guess that could be considered incendiary....

Re:Shame it has a knife on it (2, Interesting)

Andy Dodd (701) | more than 4 years ago | (#31669424)

If I recall correctly, there were a few classic arcade games that were copy protected by a battery-backed encryption key. Mess with the device the wrong way and the key would be lost.

Re:Shame it has a knife on it (1)

kgo (1741558) | more than 4 years ago | (#31669150)

They offered their original non-encrypted drive in a 'without-a-knife' option.

But if you really want a USB stick that's just a USB stick with some encryption, I'd go with an IronKey. http://www.ironkey.com./ [www.ironkey.com]

easy (2, Funny)

Anonymous Coward | more than 4 years ago | (#31668714)

Cut off the finger, stick in mouth, then use.

Won't help you (4, Funny)

Lorens (597774) | more than 4 years ago | (#31668718)

Against the trojan on the computer you hook it up to.

The knife might be useful for cutting off your finger though.

Excuses, Excuses (4, Funny)

kiehlster (844523) | more than 4 years ago | (#31668746)

Teacher, I swear I wrote up the entire 40 page paper, but I burned my thumb really bad the other day and when I went to retrieve my paper, it exploded.

Re:Excuses, Excuses (1)

muckracer (1204794) | more than 4 years ago | (#31669410)

The dog ate my finger!!

2 Hours? (2, Informative)

complete loony (663508) | more than 4 years ago | (#31668748)

Only 2 hours? What, are they scared that this thing will be crackable in 3? Seriously, if you are buying one of these to keep something secret on, and you lose it, it will have to remain resistant to attacks for way longer than that.

This is (of course) just a cheap publicity stunt.

Does it have a physical read/write switch? (1)

schwit1 (797399) | more than 4 years ago | (#31668754)

Does it have a physical read/write switch?

Good luck getting this on a plane. (1)

OneMadMuppet (1329291) | more than 4 years ago | (#31668766)

Srsly.

No secure USB Stick (1)

Manip (656104) | more than 4 years ago | (#31668768)

I've yet to see any USB stick or memory card which I consider "secure." Most of them just use poor software tricks and hacks to secure data, and often do so far worse than off the shelf security software like TrueCrypt. To be honest the best security mechanism you could put on a USB stick would be a physical lock to slow someone down who DOESN'T want you to know they're accessing your drive (e.g. Wife, Coworker, Friends, etc). Just a little rolling combination lock with three digits would slow someone down by at least an hour.

Re:No secure USB Stick (1)

raymansean (1115689) | more than 4 years ago | (#31669222)

Here is the best that I have found. As the story goes nothing is 100% secure as long as it exists. https://www.ironkey.com/ [ironkey.com]

Calling Hollywood... (0)

Anonymous Coward | more than 4 years ago | (#31668802)

Watch them try to push this as the next anti-piracy technology.

My wife has cold fingers 90% of the time. (2, Funny)

BrentRJones (68067) | more than 4 years ago | (#31668804)

So she could not use the device. Security should have fingerprint, strong password, challenge question and voice recognition.

Re:My wife has cold fingers 90% of the time. (0)

Anonymous Coward | more than 4 years ago | (#31668954)

So she could not use the device. Security should have fingerprint, strong password, challenge question and voice recognition.

What could happen if your wife has fever and is hoarse?

A small flaw in the test plan... (5, Funny)

WWWWolf (2428) | more than 4 years ago | (#31668824)

"...if they could break into the USB drive within two hours. They failed."

Am I completely deluded if I think that if crackers have physical access to a USB drive, they just may be able to withhold it for more than two hours? Maybe I'm proposing a completely implausible scenario here, but suppose the USB drive has been "stolen" (a term which means "physically removed from the possession of the legitimate owner" for those who don't grok this high-tech security lingo) - in such case, the legitimate owner may, theoretically, need more than 2 hours to recover the USB drive, and the attacker can use a longer period of time to their advantage. I remember reading in the literature that "stolen" USB drives may, in some cases, be recovered days, weeks, months later - and in many cases, they may never be recovered. Whether that qualifies as significantly longer than 2 hours, I don't know. I'm not an expert.

In case you're wondering, no, I don't put much faith in hacking contests, especially if the scenarios they test have small obvious flaws like this. =)

Re:A small flaw in the test plan... (1)

TheRaven64 (641858) | more than 4 years ago | (#31669204)

I'd imagine that an attacker would steal the drive and then return it shortly after so you wouldn't notice it was missing. It's feasible that they might only have 2 hours (or less) to dump the data. It's far less feasible that they would only have two hours to think of the attack that they were going to use.

Re:A small flaw in the test plan... (0)

Anonymous Coward | more than 4 years ago | (#31669290)

No, two hours is a perfectly reasonable time frame to test against.

The movie would be over before the crackers could gain access!

Extreme cooling (3, Interesting)

Henk Poley (308046) | more than 4 years ago | (#31668898)

It burns the inside when opened? Let's see what happens when you pry it open while pouring liquid helium over it.

This reminds me of the IBM Secure Cryptoprocessors, which are *pretty much* physically secure. But still people get in now and then usually through software or neat stasis tricks so the device can't respond to your intrusion.

Re:Extreme cooling (1)

rossdee (243626) | more than 4 years ago | (#31669000)

The whole thing shatters into a million tiny shards, since it would be so brittle. Remember the T1000 in Terminator 2 (and he was just frozen by liquid nitrogen).

Re:Extreme cooling (1)

jonatha (204526) | more than 4 years ago | (#31669282)

> This reminds me of the IBM Secure Cryptoprocessors, which are *pretty much* physically secure. But still people get in now and then usually through software or neat stasis tricks so the device can't respond to your intrusion.

I know Markus Kuhn et al have published some software-based attacks against CCA (the standard software IBM ships with the coprocessor), all of which have been fixed. I have not seen anything about a successful attack against the secure hardware enclosure. Got a link?

hehehe! (0)

Anonymous Coward | more than 4 years ago | (#31668902)

coool! now people can steal company secrets securely :-D

Bourne Again (1)

codeButcher (223668) | more than 4 years ago | (#31668914)

Now Jason can keep one of these around to keep his Swiss bank account number on. No need for invasive butch^H^H^H^H^Hsurgery or fancy projection systems. He just needs to try to keep his fingers out of frigid sea water.

self destructing 'civilization'/dear mr. president (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31668944)

it sure appears like there's more trouble than can be cyphered/resolved.

so, being as most of us have done nothing wrong, would you be so kind as to turn off those fauxking 'cloud' sprayers for a day or 2. getting a little warm would be great, & might help with our (lack of) attention span.

thanks for all of your hard work so far. you're really up against **it. continued God's speed to you.

Safe for two hours? (1)

Arancaytar (966377) | more than 4 years ago | (#31668962)

That's barely enough time to even read the specifications. To be taken seriously, the challenge should have given them at least a week, possibly several.

For keeping my secrets safe for two hours, I wouldn't need to shell out that much money...

Offtopic - (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31669036)

Who the hell gave the douche that modded 3/4 of the comments to start this thread Mod points? All they did is mod everything as Troll.

I predict (5, Insightful)

Anonymous Coward | more than 4 years ago | (#31669084)

that within 1-2 months we will find out that:

1) the fingerprint scanner is not actually linked to the encryption key, but is just to "power on" the device.

2) the encryption key is processed in host (windoze) based software and that a USB control packet (the exact same packet for all devices) is simply sent to the onboard controller to tell it to "allow access".

3) the encryption, while purporting to be AES-256, is so poorly implemented that it in effect becomes a 16-bit key, thereby becoming brute-forceable on an old C-64 in only 2 days.

2 hours? (2, Insightful)

Lord Bitman (95493) | more than 4 years ago | (#31669086)

Some mornings I can't get into my own e-mail account in under two hours, why so low? Why not.. three?

Here's guessing a blogger will get into one by next month.

Article is exaggerating things just a tad... (4, Interesting)

AllynM (600515) | more than 4 years ago | (#31669094)

I saw a self-destructed sample of this unit at CES in January. It did not self destruct from an opening attempt, as opening those is quite easy. The drive is enclosed by a simple clear plastic shell (not epoxy filled). The 'destruction' was caused by presumably supplying voltage in excess of the USB spec. You could literally pry the plastic off of the USB drive with the included knife, and it would work just fine (sans enclosure).

Also, it would be nice if PCWorld would at least get the name of these things correct:
http://www.swissarmy.com/multitools/Pages/Category.aspx?category=presentation+pro& [swissarmy.com]

Perhaps the USB-only part is dubbed 'Secure', but you won't ask for that name when you want to buy one.

Allyn Malventano
Storage Editor, PC Perspective

WTF!? (2, Interesting)

kpainter (901021) | more than 4 years ago | (#31669166)

The self destruct mechanism link in TFA is a link to a review of Ironkey's self destruct. I was going to say, this isn't anything new. I had a Sandisk brick itself when it could not be ejected. We switched to Ironkey. We haven't had any problems with these and the encryption is hardware based so it is pretty fast. There is an option to have the drive be capable of being reformatted if you can't enter the password within 10 attempts.

I have not had a lot of love for fingerprint scanners readers. I think I will stay with Ironkey.

Where oh where.... (1)

vikingpower (768921) | more than 4 years ago | (#31669228)

...can I get one ? I mean: my tax eviction records should be backed up somewhere, some day...

Variety of other features? (0)

Anonymous Coward | more than 4 years ago | (#31669362)

Is it just me thinking this or are the "other features" such as a knife blade, etc. going to cause me more security problems than this thing is worth?
