Is the U3 Smart Drive Encryption Any Good?
Carlos asks: "I was searching for encryption software for USB pen drives, and came across the U3 Smart Drive platform, which offers portability and privacy through software and hardware. There are already several well-known hardware manufacturers offering U3 Smart Drives. Are they really better than a plain USB drive plus encryption software such as TrueCrypt, or is it just marketing hype?"
PCMag did a review of the U3 technology (though the review is almost a year old)
U3 doesn't work any better than any other encryption. In fact, if anything, a corporate-level encryption is always going to have better product quality control than U3. Plus, U3 doesn't work on probably 50% of the machines I have to put it into (tech support = putting in jump drive 50+ times a day), which means that if it doesn't work then there's no way to get it unencrypted. Basically any computer system which doesn't permit access to the AppData folder means it doesn't load the U3 software. (It claims it doesn't install anything, but it's definitely there.) The other thing is that there are a lot of programs which just don't like U3 and will crash it even if you have the right permissions. Plus, it doesn't work on Mac or Linux.
I am thinking about purchasing some of these for my team members at work, but I couldn't figure out what the differences are between U3 and Migo. I also can't find any 4GB U3 thumbdrives - the largest I could find was 2. Anyone know what the pros and cons of the two formats are?
Go look for the Geek Squad U3 Remover immediately.
Please, for the good of Humanity, vote Obama.
Let's cover some U3 pros and cons (I have a U3 USB drive from Geek Squad).
Pro - Portable apps, including Firefox and Thunderbird, so your cookies aren't left behind when you do online banking at a public computer.
Con - Only works on WinXP.
Pro - Password protect your data so that confidential information is not easily accessible.
Con - A script could continue to try passwords from a list in an attempt to log in.
Basically, the password protection stops the U3 drive from showing the volume. But multiple attempts to login do not result in time delays, or lockouts. Basically a script could keep the autorun going and sending different words or key presses until it gains access. Brute force kind of behaviour.
But the drive will say "insert a disk into drive X:" if the password is not entered.
So, not bad, never tried hacking it, but it could potentially be brute forced.
DarkMantle I been bored, so I started a blog.
All of ten minutes and a copy of Acronis yielded the sum of the data on an 'encrypted' U3 Cruzer disk. All the password protection thing does is prevent the drive from mounting correctly in Windows.
I didn't bother testing the drive on my mac before I just blew the U3 partition away.
Informatus Technologicus
Read this thread.
Funny how the timing works out. One of the U3 techs stopped in here, and responded to comments and questions. Interesting answers.. (And yes, I made a fool of myself at the beginning.)
tasks(723) drafts(105) languages(484) examples(29106)
TrueCrypt makes use of tweakable block ciphers. The idea with tweakable block ciphers is good, but it is no magic bullet. And unfortunately TrueCrypt reuses the tweaks every time the same sector is overwritten, which means the proofs for security of tweakable block ciphers do not apply to TrueCrypt. Depending on the attack scenario this may be a threat. Using a USB stick is going to make this problem worse.
It is not the USB protocol which is a problem, but rather the fact that a USB stick stores the data in flash using a wear leveling algorithm. That means that even though from TrueCrypt's point of view it is writing to the same sector number, it is physically writing to different flash cells. This again means that for some time both the old and the new version may physically exist in the storage. This means anybody who is able to read the physical flash cells without going through the wear leveling code will have access to the necessary data to exploit this weakness.
I don't know anything about U3, so I cannot tell you for sure if it is better or worse than TrueCrypt. But with the number of weaknesses which have been seen in storage encryptions, I'd expect anything new to have a few of its own. In spite of the minor weakness in TrueCrypt, I'd still prefer that over something with weaknesses I don't know about.
My advice for encryption on USB sticks is to not rely on transparent encryption and rather use something like GPG. Of course combining TrueCrypt and GPG is not going to harm security. GPG encrypted files on a TrueCrypt encrypted storage should be pretty safe.
Do you care about the security of your wireless mouse?
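The tweak-reuse point made in the comment above, as an added example (not part of the original thread and not TrueCrypt's code): a toy tweakable block cipher built from HMAC-SHA256 stands in for the real mode, and every name, the key and the sector contents are constructed. It shows that when the tweak depends only on the sector position, two stored versions of one sector reveal which 16-byte blocks changed and whether content was reverted.

```python
import hashlib
import hmac

BLOCK = 16    # bytes per cipher block
SECTOR = 512  # bytes per sector

def _round(key, tweak, rnd, half):
    # Round function: keyed PRF over (tweak, round number, half-block).
    mac = hmac.new(key, tweak + bytes([rnd]) + half, hashlib.sha256)
    return mac.digest()[:BLOCK // 2]

def encrypt_block(key, tweak, block):
    # Toy 4-round Feistel tweakable cipher: a stand-in only, not for real use.
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        mask = _round(key, tweak, rnd, right)
        left, right = right, bytes(a ^ b for a, b in zip(left, mask))
    return left + right

def encrypt_sector(key, sector_no, plaintext):
    # Tweak = (sector number, block index). It is fixed for a given
    # location and is NOT refreshed when the sector is overwritten.
    if len(plaintext) != SECTOR:
        raise ValueError("plaintext must be exactly one sector")
    out = b""
    for off in range(0, SECTOR, BLOCK):
        tweak = sector_no.to_bytes(8, "little") + (off // BLOCK).to_bytes(4, "little")
        out += encrypt_block(key, tweak, plaintext[off:off + BLOCK])
    return out

def changed_blocks(old_ct, new_ct):
    # What two ciphertext versions of one sector reveal without the key.
    return [off // BLOCK for off in range(0, SECTOR, BLOCK)
            if old_ct[off:off + BLOCK] != new_ct[off:off + BLOCK]]

def demo():
    key = hashlib.sha256(b"constructed demo key").digest()
    v1 = b"A" * SECTOR                      # constructed sector contents
    v2 = v1[:40] + b"EDIT" + v1[44:]        # edit falls inside block 2
    ct1 = encrypt_sector(key, 7, v1)        # first write to sector 7
    ct2 = encrypt_sector(key, 7, v2)        # overwrite, same tweak
    ct3 = encrypt_sector(key, 7, v1)        # content reverted
    other = encrypt_sector(key, 8, v1)      # same data, different sector
    return changed_blocks(ct1, ct2), ct3 == ct1, other != ct1

if __name__ == "__main__":
    print(demo())
```

On flash with wear leveling, the old and new ciphertext of a sector can both be physically present, which is the pair of versions that `changed_blocks` compares.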
Free, runs on Windows & Linux, lets you load a filesystem into a single file.
I use it every day, and it just works. Can't recommend it highly enough
A much safer and better (and more functioning solution in the corporate environment) is the n-Tegrity device (http://www.n-trance.biz/products/biometrics/bufd.html) from n-Trance Security (http://www.n-trance.biz/). Not only does it support very strong (AES256) encryption, it also uses your fingerprint instead of a password, so it's much more convenient. And (surprisingly) the fingerprint sensor works really well. I use one every day.
-- Hiroshima '45... Chernobyl '86... Windows '95...
I've worked on a couple of commercial programs for U3. It works, but except for the cool graphics it's sort of a senior project-type thing: clunky, very buggy, very quirky and tricky to get right. In particular, avoid the Sandisk Cruzer: the vast majority of problems we've had (randomly refusing to mount, refusing to load software that other brands have no trouble with, and repeatedly corrupted files, both ours and theirs) came from that brand.
While I don't know of any U3-specific security problems, the combination of an immature proprietary platform, software hurriedly ported to it to grab market share, and USB-drive hackery by multiple makers to make it work practically guarantees they're there. From experience, it can take some pretty weird tricks to make a converted program work, and a lot of such "tricks" don't get tested as well as the original system was, either.
Easy with the generalizations. For what it's worth, "dd if=/dev/zero of=/dev/dsX" takes up some amount of mental storage, be it rote memory or full-out understanding. That little piece of knowledge itself is a fairly highly specialized operation. OTOH, a well designed UI with a button that says "click me, and I'll fix your problem" saves the average joe from the necessary year (or so) of learning required to have the contextual foundation to appreciate what "dd" even is, let alone how to use it.
Beyond that, Apple has done one better with their Automator tool... click-n-drag together UI representations of common user operations into a sequence chain -- kind of like piping UNIX command output together, except the UI lets the person actually specify parameters. (And they can be saved for future use every bit as much as creating a shell script.)
There is only one way to find out whether or not an encryption scheme is any good: READ AND UNDERSTAND THE SOURCE CODE. As a second best, show the source code to a competent programmer whom you trust and who has some expertise in the field in question. If they won't show you the source code, the most likely reason why not is because the encryption is no good and you should walk away.
Je fume. Tu fumes. Nous fûmes!
nt ;-)
no text
no text dam it!
If you wanna get rich, you know that payback is a bitch
We bought a bunch of "secure" drives (unintentionally, I might add, we had no interest in the "security" features), and found that unlike regular flash drives anything that damaged the file system on the drive meant you had a dead device... because you couldn't reformat it without a special program... and getting a copy of that program was basically impossible. Oh, they claimed you could do it by sending a letter from the CEO on corporate letterhead requesting a copy... and jumping through additional hoops after that... but there was never a response from this "initial handshake".
Now, they're not terribly expensive... but they're no more secure than an encrypted file system in a regular file on the drive. You're paying more money for no better security than you can set up yourself, and dealing with the hidden costs of lost data... both directly, and because the guy in the field can't initialise a trashed file system himself so he doesn't have a device handy to get a copy of the customer's data when he needs it.
The whole technology seems to be implemented in the wrong place to me.
Don't use U3. It's a proprietary piece of software that doesn't allow certain software to be installed on it. I find it clunky and a bear to use.
godlike
Anything that needs to install extra software (from the device) is just asking for trouble. Unless you are carrying national secrets with you maybe a password protected ZIP would suffice to stop casual snooping. That's all a device like this can do, it's never going to stand up against determined attempts to access the data.
There is nothing magical about U3. For my encryption, I use Portable Vault. It retails for less than $20 dollars and works with every flash USB drive that I have. I use this to encrypt my pictures and password information for all of my financial accounts. It uses a strong 256 bit Blowfish encryption algorithm, and only you could access the data.