Seagate Ships World's Most Secure Hard Drive
An anonymous reader writes to let us know that after two years Seagate is finally shipping its full-disk encryption product, and you can get your hands on it in a laptop from system vendor ASI.
world's stupidest user with passwords like 'password' :-)
Also how are they using AES? I thought P1619 (XTS-AES) is still a draft. Are they betting it will get adopted unchanged? Or are they using some other thing? Please tell me it's not AES in ECB mode...
Tom
Someday, I'll have a real sig.
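The ECB concern raised in the comment above, as an added example that is not part of the original thread and says nothing about what the Seagate drive actually does: it encrypts an all-zero 512-byte sector (constructed sample) in ECB and in an XTS-style tweaked mode and counts repeated ciphertext blocks. The block cipher is a toy Feistel stand-in for AES, ciphertext stealing is omitted, and all function names are hypothetical.

```python
import hashlib

BLOCK = 16  # bytes, the same block size as AES

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def round_fn(key: bytes, i: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """4-round Feistel permutation. Stand-in for AES, NOT secure."""
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, xor(left, round_fn(key, i, right))
    return left + right

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = xor(right, round_fn(key, i, left)), left
    return left + right

def mul_alpha(t: bytes) -> bytes:
    """Multiply the tweak by x in GF(2^128), little-endian as in XTS."""
    n = int.from_bytes(t, "little") << 1
    if n >> 128:
        n = (n & ((1 << 128) - 1)) ^ 0x87
    return n.to_bytes(16, "little")

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # Every block is encrypted independently: equal plaintext, equal ciphertext.
    return b"".join(toy_encrypt_block(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def xts_style_encrypt(k1: bytes, k2: bytes, sector_no: int, data: bytes) -> bytes:
    # Tweak depends on the sector number and on the block position in it.
    tweak = toy_encrypt_block(k2, sector_no.to_bytes(16, "little"))
    out = []
    for i in range(0, len(data), BLOCK):
        masked = xor(data[i:i + BLOCK], tweak)
        out.append(xor(toy_encrypt_block(k1, masked), tweak))
        tweak = mul_alpha(tweak)
    return b"".join(out)

def repeated_blocks(ct: bytes) -> int:
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return len(blocks) - len(set(blocks))

if __name__ == "__main__":
    sector = bytes(512)  # constructed sample: one zero-filled sector
    print("ECB repeats:", repeated_blocks(ecb_encrypt(b"A" * 16, sector)))
    print("XTS-style repeats:",
          repeated_blocks(xts_style_encrypt(b"A" * 16, b"B" * 16, 7, sector)))
```

Under ECB all 32 blocks of the zero sector encrypt identically, so anyone imaging the platters can see which regions are empty or duplicated without the key; the tweaked mode hides that within a sector and across sectors.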
The article mentions how it's on a 3GB/s SATA interface, but that the disk is 5400 RPM. Why bother with the high-speed SATA? Why not save $$ and put either a PATA or SATA 1 controller? You'll never get even close to 3GB/s, much like you can't get that fast with desktop drives either.
Who cares if this gets cracked by Tuesday, bitches?
The selling point is that the banks won't have to tell you when Bubba leaves his laptop on the CAL TRAIN with your credit card data in standby mode, 'cause it's encrypted!
I feel so safe!
Super; they give it all the encryption it needs etc. etc. etc. then they use a key which will be marked in grease on all of the keys of the keyboard. Why not just provide a stick-on piece of paper for writing the password down on? That would be easier and lead to fewer cases of employees' hands being stolen together with their laptops. Anyway, just goes to show that the important mistakes in encryption are always in the implementation.
If I put one of these in a regular laptop--one which supports DriveLock, but nothing else--can this disk use the DriveLock password as the encryption key?
If that were the case, it would be a simple matter to retrofit existing laptops (which use DriveLock to protect the disks) with the improved security of full-blown encryption. And it could be done without any perceptible changes to the user!
This could be a great product if they just Keep It Simple so that it works seamlessly with the already widely-deployed ATA Security Mode (DriveLock) protocol.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Seagate is an American Company. Is it possible for them to provide a secure product without providing a back door for Big Brother to access? Can they be trusted? I'm very skeptical.
world's stupidest user with passwords like 'password' :-)
That's a joke, but some people really think that way. Blaming "stupid users" makes them feel more secure or helps them pass the buck for choosing systems with poor security. When you think about it, it's not very funny.
Passive encryption might be a step in the right direction, but I won't trust it as long as the software doing it has owners and secrets kept from users. They can point to specs and tell me what they are doing, but that does not mean they are doing that. The owners can break in at will, the keys can be padded with zeros and finally, the owners can make mistakes.
Friends don't help friends install M$ junk.
The real problem is not designing effective security, but getting people to use it properly. You can start on this by banning PostIt notes from the corporate environment -- or at least make them self-destruct.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
The Top 10 Most Secure Hard Drives in Existence to date:
1. The world's most secure hard drive is the one not used to contain valuable confidential data (experts question its existence).
2. Doesn't exist.
3. Doesn't exist.
4. A hard drive that contains some valuable confidential data, but remains physically within a datacenter. The OS that accesses it does not share its data with other OSes, and runs the full gamut of controls (prevention, detection, correction).
5. Doesn't exist.
6. Doesn't exist.
7. Doesn't exist.
8. Doesn't exist.
9. A hard drive that contains some valuable confidential data, remains physically within a datacenter, but its OS shares data among other systems whose trust is "unknown" or "uncertain".
And tied for 10th place (by virtue of consolation):
10. An encrypted drive in a mobile device relying upon its user for security.
10. An unencrypted drive in a mobile device relying upon its user for security.
If the "laws of physics" of information security were known, we'd likely see a Newtonian-esque law that says something like (in a more scientific form): "any security system that relies upon a person to use the system correctly will fail [miserably]". What Seagate is trying to do is analogous to defying gravity or creating "information security perpetual motion". It just won't improve the situation for anyone (except perhaps the "checklist security" people who can tell their compliance regulation auditors that they can add a point to their useless overall score).
That makes a good laugh, but in all seriousness, we will likely read headlines like this in the next 5 years or so:
Financial fraud linked to stolen encrypted laptop
In the largest online fraud incident in history, experts linked the Personally Identifiable Information (PII) used in committing the fraudulent acts back to a laptop that was stolen over a year ago. Company X denies the experts' allegations saying "the laptop's hard drive was encrypted." Under this premise, Company X refrained from notifying affected consumers as directed by [insert State Law] because Company X believes disclosed encrypted PII is not the same thing as disclosed unencrypted PII. In a press release yesterday, CEO John Smith said: "We were not obligated to notify consumers of the stolen laptop incident because the sensitive information contained within it was not disclosed. We use state-of-the-art hard drive encryption on all of our laptops, therefore it is impossible that this fraud was related to the stolen laptop." Law Enforcement announced today that they have apprehended the suspect who stole the laptop in question and that the suspect has admitted to stealing the laptop's encryption password as well. Details are expected to follow after the crime ring is completely in custody.