Slashdot Mirror
Protected Memory Stick Easily Cracked
Martin_Sturm writes "A $175 1GB USB stick designed to protect your data turns out to be a very insecure. According to the distributer of the Secustick, the safety of the data is ensured: 'Due to its unique technology it has the ability to destroy itself once an incorrect password is entered.' The Secustick is used by various European governments and organizations to secure data on USB sticks. Tweakers.net shows how easy it is to break the protection of the stick. Quoting: 'It should be clear that the stick's security is quite useless: a simple program can be used to fool the Secustick into sending its unlock command without knowing the password. Besides, the password.exe application can be adapted so that it accepts arbitrary passwords.' The manufacturer got the message and took the Secustick website offline. The site give a message (translated from Dutch): 'Dear visitor, this site is currently unavailable due to security issues of the Secustick. We are currently working on an improved version of the Secustick.'"
At least they had the balls to admit that something was wrong and try to take steps to fix it. It will be intresting to see if they recall the ones already sold.
I feel the bad for the people that bought one. $175 for a memory stick? Ouch.
At least the manufacturer is doing the right thing and eating crow over this. Here in the US the company would probably have just sued the hackers under DMCA while continuing to sell the defective product.
I would hope so.
Yay!
I was the first one who said it.
See you space cowboy
TrueCrypt on a memory stick with an encrypted volume file with a good passphrase and your data will be secure from pretty much anything. I have not heard of TrueCrypt being cracked yet.
password.exe seems to me that it would be a Win32 application. So, what if I put this in a Linux PC? Surely it's encrypted somehow? Maybe I need to read the article again, but I didn't see any mention of encryption.
Starmen.net
Doesn't truecrypt have a traveller mode. This seems a bit useless as well as the insecurity.
Most Slashdotters know you should not trust the built in security on these devices.
The solution for real security on these devices is to use TrueCrypt.
It's not hard to use, though the more technical among us may need to help out the less technically inclined to get things rolling. Once it's setup, though, it's secure and easy to use.
It's great to be grown up and still believe that in security aspects "unique technology" buzz does not simply smell bad. Real crypto is widely known. All can read how it works. But it still remains solid. Before you get hired by "European governments", ensure you won't get fooled. Ordinary USB stick and real, free crypto tools as TrueCrypt - that's what you shall consider using, instead of paying almost $200 for "unique technology".
Marcin
...... Since there are a ton of these products out there. Does any third party verifiy that they are secure as they are claimed to be? Or are we truly at the mercy of the marketing spin that these companies put out?
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
No self-destruct, but hard enough enryption for all but the most sensitive secret data.
Even if it had great security, why pay that much when software encryption is Free (and apparently a whole lot more reliable)?
Paleotechnologist and connoisseur of pretty shiny things.
The whole thing is just stupid. Oh where to start ...
....
- self destruct, great, so if you want to destroy someones data, just grab their memory stick and intentional use bogus passwords. Now that's brilliant. A MS with a builtin self DOS.
- No security support in hardware, just desolder the actual memory and stick it into your favourite $15 MS. Brilliant.
- So smug in their design they don't even encrypt the data. Outstanding.
- Software designed apparently by a 12 yo. Oh wait, a 12yo probably wouldn't have made it so dumb. Maybe it was a 6yo, were there identifiers named after Spongebob characters?
Actually, the bigger problem is that so many govt agencies approved of this thing, apparently, without it going through any type of remotely rigorous testing and verification. As much as our US govt agencies get ripped for doing stupid stuff, it's clear that they don't have the market cornered on such activity.
Hey, I have a secure self destructing bridge to sell to
All your encrypted data are belong to us.
America, Home of the Brave.
...where N could be set on first initializing the stick. And I assume you could change this later provided you had already given the correct password, but the article doesn't go into that.
:)
So it's not a case of typing it wrong once and *poof* goes the data (note that they didn't find any physical evidence of things in there capable of physical destruction either). If you set it to 3 times, and you get it wrong 3 times yourself - oh well. Maybe you *could* set it to only once, though.. but if you do that, you're an idiot anyway
http://begthequestion.info/
http://www.glasswings.com/
The developers of the Secustick are looking into the problem and they think that the issue is with their algorithm that encrypts the data into ASCII.
... as far as the article details.
The password.exe does, however, address a controller chip. Without the correct password, the controller chip will simply refuse to provide further access to the flash memory.
So if you're really wondering - I would imagine that the entire thing won't work with Linux, period.
Is the DRM built into SD/SDIO ("Secure Digital") HW already cracked?
--
make install -not war
Instead of low level commands such as SendToStick(), we could see routines such as GetWriteProtectState(), RefreshFileBrowser(), and the most significant one, VerifyPassWord().
Screenshot of debugging windows
Obviously, this routine caught most of our attention. We used the debugger to study it, and found that its result was passed to the main program using an EAX register. The debugger allowed us to place a breakpoint immediately after the call to VerifyPassWord(), upon which we entered a fictional password and changed the return value 0 in the register to 1.
Tell me again why we as Software Engineers are supposed to use descriptive method and variable names? Sure, it may be useful during testing/building/debugging/etc; nobody will argue that. However, if your "secure" product can be easily hacked due to the fact that you use descriptive class/variable/method names, maybe the practice should be reviewed.
Now in this particular case, there were other flaws with the design (all verification happening on the pc?!?) What happened here though is that the hackers were looking for a place to start by looking through a debugger. During that exploration they discovered a gaping security hole. I'm not saying that they wouldn't have found the design flaw to begin with -- I have no doubt that they would have. But maybe we should look to the security through obscurity methodology as an additional layer of protection.
Your sig(k) has been stolen. There is a puff of smoke!
No surprise that the security is non-existant, but a nice surprise that tweakers.net[0] have people skilled enough to do a thorough technical review. Tip-of-the-Hat to the reviewers and keep the good work up. Anyone can run 3D benchmarks and make graphs against the previous generation, but this requires a different level of technical know-how. It's always been my hope that the future would feature this type of review, using reverse-engineering techniques for indepth technical reviews, as a norm not an exception.
[0] No disrespect to the people of tweakers.net, I mean in the sense of 'any popular review site'.
Belief is the currency of delusion.
I used the same method on ZX81 or C64 or Amiga or PC to "crack" hundreds of apps/games...
In general it is always as easy as to change a "compare" to a "move" or change a "jump" to a "nop" etc, one or two bytes change and that's it.
(maybe there is also a CRC check but it can be defeated in the same way, changing a 0 by a 1, or just by recalculating it, etc)
I trust exactly one encryption product: GnuPG. It's had it's pucker moments, such as the El Gamal signing key problem (IIRC - and I'm too lazy to look it up right now), but those problems get fixed and we move on. Given the choice of whether to trust a little hardware gimmick or a piece of Free Software that millions of people use, even if they don't realize it, I'll stick with the code. If/when problems arise, I believe that it's developers will look out for my interests and not their bottom line.
Having said that, I do respect this company's acknowledgment of the issue. If I had to trust something like this, I'd seriously consider their products because of it. Still, one smallish company isn't going to have the resources of the Open Source community when it comes to development and testing.
Dewey, what part of this looks like authorities should be involved?
So French intelligence really IS an oxymoron. Go figure.
Funny and insightfull.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
to not trust closed-source software for anything security-related. And the EU as well.
"The stick was commissioned by the French government and - according to the company's press release - the result is revolutionary, ultra safe and approved by the French intelligence service."
French, the country which is famous for being so technologically advanced.
mod -5 absent-the-day-they-covered-fallacies
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
The only way this could possibly work would be to plug it into the SecuBus, which would quickly drain all data and render it useless.
When they are harping on the device's unique technology.
Unique and secure are mutually exclusive.
It is not possible, through a feat of sheer genius, to make something that is both novel and demonstrably secure. It turns out that genius isn't a particularly rare commodity. With 6.5 billion people in the world, there are 6,500 people who are walking around with one-in-a-million levels of intellect. Any one of those people, on a good day, can beat any other person on earth in a battle of wits. Any one of of the millions of people with one-in-a-thousand intellects probably can, too.
Security is the one aspect of technology where state of the art is better than something which advances state of the art. State of the art means nobody has yet, even on the best day they've ever had, been able to beat it. We've seen some recent examples where very narrow vulnerabilities have been found in hashing algorithms, which has forced the state of the art to change slightly to favor drop in replacements. But by in large the state of the art has been remarkably stable over a long, long time. Anybody who claims to have something nobody else has probably has something worthless, if he has anything at all.
This is why product security is so bad. It's not possible to differentiate yourself based on security, without affecting other areas such as usability. There is considerable irony in this fact: a product that is carefully thought out and implemented using widely known techniques would have a good chance of being unique. The problem is selling the product. Lotus Notes is a good example. It has its strengths and weaknesses, but as of the early 90s it was the most secure email system in the world. In fact it still would be. But it wasn't the easiest to use or administer. Unfortunately their attempts to make the system more attractive were failures. It's never been more attractive than Exchange. But it's always been more secure.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Sorry, I don't have the time to research the device, but what kind of testing/validation of this product was done? If this was for a government originally, shouldn't it have to have demonstrated some kind of hacker proof level of security? What was on the package was it marketing hype ("Protects your data from targeted attacks" which means nothing) or an indication that some kind of testing was done (ie "Meets MIL-1234 requirements for data security")?
It looks like that for $175, you get a 1GByte USB key, with a Windows access program on the Flash in a non-protected partition and a pretty box.
From the description it sounds like the product was just marketing razzamatazz with no real substance to back up marketing claims - so why would somebody have bought it in the first place?
myke
Mimetics Inc. Twitter
Write protect on an USB stick is much more useful that just another proprietary crypto software solution.
Too bad that only few current usb sticks have it.
It's absolutely necessary if you have to insert it into untrusted computers (especially Windows PCs).
Due to its unique technology it has the ability to destroy itself once an incorrect password is entered
Powered by Sony, then?
Life needs more saving throws.
The password wasn't even used as the base for the crypt key, it was just matched against the stored passphrase and the result set a bit, then checked and depending on the outcome the program decrypted the content by a predefined algo. Hello? That was outdated before I started learning Assembler! All it takes to break that is a kid with Olly lying 'round on his HD. Soldering? Why the hassle when you can rip the data far easier.
Whether they fix that stick or not, after showing just how much clue they got about security, I wouldn't trust them to do a ROT13 reliably. I mean, what base do they sell their crap on? Hope that the customer is even more clueless, buying into your spin as long as you stamp a huge "secure and self destructive" on the box?
God, I'm angry. It's hypecrap like that that makes the whole industry look bad.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Lexar Discussion: http://www.securityfocus.com/bid/11162/discuss3 2
This was also on slashdot: http://slashdot.org/article.pl?sid=04/09/14/18552
I wouldn't trust USB stick security unless there was a 3rd party assessment of the security from a reputable security firm and that assessment was published. Customers need to start demanding this. What track record do these companies have on security?
The bad thing about hardware is how do you patch the security hole? All hardware these days should have the ability to do a USB firmware upgrade. These devices have a USB port build in already but can't be upgraded.
I am also curious. . . What does the law in the Netherlands say regarding corporate mandates? Are Dutch corps allowed to put other things ahead of generating profit for shareholders?
-FL
http://www.secustick.nl/engels/
the result is revolutionary, ultra safe and approved by the French intelligence service.
I think that says quite a lot for the French intelligence service. Unless they wanted an insecure device to be marketed as secure.... black helicopters at the ready.
Well this is unfortunate, but there are alternatives. The two that come to mind are the Lexar Secure II JumpDrive and the Kanguru MicroDrive. Both use AES for their encryption algorithm, but the Kanguru one has been FIPS 140-2 certified. I believe this was previously mentioned here on Slashdot (too lazy to look it up). Either one of these would probably be more than enough to replace the aforementioned drive.
Someone also referenced above about @stake finding an issue with the way passwords were stored on a Lexar drive. The link is ~3 years old and I believe they have definetely remedied that issue.
Like other posters, I am at a loss at where to start.
(1) If you don't have encryption, GOOD ENCRYPTION, you can't protect squat.
(2) "Self Destruct" is interesting, but unless you have a custom micro-controller on the ram stick, AND an independent power supply, AND the device potted in epoxy, it is all just a made for TV gimmick.
(3) Password.exe? I didn't see this in the article, but what happens if one plugs it into a Mac, Linux, FreeBSD, etc? Does it just work or does it self destruct?
(4) With reference to #2, since the article showed that one could make the device read-only, would self-destruct no longer work? If so, it MUST be potted in epoxy.
(5) Does the "self destruct" operate on the PC or th ram stick? We all know if it runs on the PC, it is doomed to fail.
If they want to REALLY do this:
(1) before everything, encrypt the data. This buys the device time to operate and basic security.
(2) Install a PIC or something that MUST have an encoded heart beat with some sort of hard to reproduce calculated byte pattern.
(3) Without a valid heart beat, the PIC will simply not enable the flash device.
(4) With a valid heart beat, the system must pass a valid password hash string within a reasonable amount of time to the PIC, or the data will be destroyed.
(5) After a number of failed attempts, the PIC will destroy the data.
(6) When the heart beat stops, the PIC disables the flash. (It is presumed that the software clears he file system cache as well.)
(7) Pot the damned device in epoxy.
Very simply, no. It increases the bar, but it doesn't make it any less readable. I spend my days with assembler code written by someone else, figuring out how it works and how it does what it does. You get an 'eye' for certain things. You start seeing certain things, how functions run, what functions do what, not by reading the code, just by looking at it. You start being able to interpret the return values of functions, you can 'feel' the code.
And those guys rarely leave any clues left in the code, often every single bit of string is encrypted layer after layer. There ain't much you get out of the code. And still it's not really 'hard' to read, despite runtime encryption of code and data.
I doubt that people who display this lack of skill could develop something similar to some of the gems of obfuscation software I had crawling over my desk the last few months. Functions give their meaning away by the way they look, especially when a stock compiler created the assembly. Certain things simply 'look' a certain way when a standard compiler assembled them. You don't need to know that this is going to compare strings, read files, mess with the registry or start a connection to somewhere, when a standard compiler created the code, glancing at it is usually enough to 'feel its vibes' (I'm lacking better words, it's really a matter of experience, IMO).
So no, stripping the symbols is hardly enough to make it any more difficult for experienced disassembly readers. It will certainly throw a few people who just started learning, but it won't matter much to a professional.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
...that the product is being renamed to "SUCSTICK"?
As for the French Intelligence Service, isn't that an oxymoron?
Chaeron Corporation
The answer is simple:
If you want a safe, don't start with a greenhouse. Start with a metal box. Adding a layer of security ontop of something insecure doesn't work well, as people can peel back layers. If you want something to REALLY be secure, start with something inherantly secure. If you constantly need to patch something for security holes your method was flawed from the start.
If the flash chip can be removed on it's own, it can be put in something insecure. If you must use this scheme, make sure the information on the chip is secure on it's own. The BEST way that I can think of for a "self destruct" in this case would be a fragile flash chip casing and PCB and encasing the PCA into the enclosure. If you make it so the act of opening the device destroys the device, then you just reduced a large method for retrieving the data. The epoxy should hold it well enough for daily use.
If you think education is expensive, you should try ignorance -- Derek Bok, president of Harvard
Which just points out more bizareness in our language, as in the correct usage there is no begging or question involved.
Good article, good comments, (buy a normal stick & use Truecrypt etc.) The question that the article raises is interesting - don't vendors and/or agencies check these things out? Apparantly not. "Secustick importer Walter Preij has responded with surprise to our findings. 'The manufacturer assured me that the system is completely secure', he said." Ahem. Against who? Have they never heard of CCT (CSIA Claims Tested) "A Government quality mark initiative for information security products and services. The CCT Mark Scheme offers accredited independent testing of commercial off-the-shelf products and services to help public sector organisations achieve a basic level of assurance for the products and services they use" and NIST?
signature pending slashdot approval
Right, except that :
i)Language evolves, and does so from the bottom up, not handed down from on high by the OED.
Example : It's a gay day, but I'm feeling a little queer.
ii)The majority (I would guess 90%) of people use it that way, and real-world usage is what defines what words truly mean.
Your time is coming, "begs the question" purists! Soon the OED will be revised and we'll have been right along! MUHAHAHAHA!
I think only the main page is down. You can get to the English page by copying and pasting the following link. http://www.secustick.nl/engels/index.html
Elsewhere in this thread, it's pointed out that you shouldn't have to be an expert in crash testing to be able to buy a car that's safe. I tend to agree. While I see your point about PHBs and throwing money at problems, I've also reached the stage in life where I have (some) money and little enough time to futz around with doing everything from scratch. When I was a kid, I personally, carefully, expertly assembled every round of ammunition I shot; nowadays I'm likely to grab a box off 9's at the sporting goods store and go have some fun. So what about the instant case?
I have the same attitude about crypto. I recognize I need an encrypted USB device but I also have a life. So I studied a bit, enough to make an informed decision, and bought one of these.
Does that mark me as totally clueless?
"the result is revolutionary, ultra safe and approved by the French intelligence service"
Well, this is coming from the country whose idea of unbreakable security was the Maginot Line...
This is the post I'll reply to.
... *against Average Joe!*.
On other days, we discuss things like "Linux may be too hard for Average Joe". That's because we use a statistical example of {Total Users}*{Skill Level of 68% of Users}.
This stick WILL be secure
There's only one problem: That's the wrong audience. When you label something "Top Secret"... you are thundering a challenge for the whole world to take their best shot. The rules change.
Maybe "The Best Hackers Money Can Buy" will always win. Fine.
But at a minimum, protect against the Best That *PIZZA* Can Buy.
(College/20-somethings).
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
No, because you did your homework.
Duh.
Does that remind anyone else of "Most people don't even know what a rootkit is, so why should they care?"
Oh my god, some people are really projecting their own dumbness at their customers. Such marketroids should really be sacrificed to the war against terror. Or cluebatted.
open (SIG, "</dev/zero"); $sig = <SIG>; close SIG;
The program shipped with a USB20.dll file.
::LoadLibrary("USB20.dll"); // Memory stick is now unprotected
When you build Dynamic Link Libraries, you need to export the function names in order to be able to call them. This way you can call something like GetProcAddress(), which takes as parameters a handle to a DLL and a string representing the name of the function you're interested in calling.
Here, have some sample code.
typedef ULONG (WINAPI * External_Function)(/* parameter list goes here */);
HMODULE targetDll =
External_Function H4X0R = (External_Function)::GetProcAddress(targetDll, "GiveAccess");
H4X0R();
:(){
how many copies can one make of the contents of the USB drive in order to try different passwords on each copy?
Distributor, not distributer.
If I had super-secret data I needed to transport, I might do it something like this:
data->strong encryption->split data into 2 files using a secret algorithm. The second step doesn't add a lot of security but it does make the adversary work harder if he wants to intercept the message in-transit.
or
data->strong encryption->one-time pad encryption
The strong encryption is just in case the one-time pad is discovered.
In either case, you have 4 things you must transport:
Passphrase to encryption keys
Encryption keys
part 1 of encrypted data OR doubly-encrypted data
part 2 of encrypted data OR one-time pad
It's up to you to get these from point A to point B. In the case of public-key encryption, the passphrase and encryption keys will already be at the destination.
To bolster security, the last two items can be further encrypted, possibly using a thumb-print.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
And even then, the safest car imaginable won't protect you if you or someone else uses it improperly, so you need a license to operate one, ostensibly proving that you have learned the basics.
On the other hand, any fool can grab a Secure-o-Crypt-o-Matic 3000 from a shelf because they like what's written on the box, and trust said gadget with all their sensitive data. Your decision was smarter than that because as the above AC said, you did do your homework.
Slashdot Burying Stories About Slashdot Media Owned
Really? Secustick? They really named their product that? :P
-Shippy
It seems to me that putting a logo on the product gives the attacker the advantage of being able to prepare an attack before even connecting the device. If the basis for the claim to a secure device is that the logo looks impressive enough to prevent theft, then the world would be a secure place, wouldn't it?
Now, if the stick were unmarked and the guy who stole it connected it, was challenged for a password in a manner consistent with other lightly protected devices, and then was surprised when it went up in smoke, then that would add a level of complexity, wouldn't it? At least you would have security by obscurity enough to foil the attacks by circumstance (you know, random theft drops the device into the hands of the curious).
Say, this product does go up in smoke, doesn't it? I mean, real thick Peter-Graves-class white smoke, not the greasy stinkbomb smoke typical of burnt electronics.
Well, anyway, I suppose if someone were intent on stealing from a government agency, they'd already know the type of products that agency had purchased, and would have the attack prepared before even stealing the items.
It's all for naught! Governments should delete all of their data every day, before going home.
Is it wise to use that password ascii values to figure in to the encryption key (but not store the password anywhere)?
This way if the entire encryption key is (for instance) 99342183588345923458 + AsciiSum (userpass) you could hack EAX to always return the password is verified, but upon decrypting the data, the AsciiSum () routine would not add up to what was used to encrypt it in the first place; eg you get decrypted gibberish. I'm not a crypto geek, so just asking..
boycott slashdot February 10th - 17th check out: altSlashdot.org
This was a well done article. The one area I thought they didn't thoroughly test was the self destruct feature. They state at the end that there doesn't seem to be any hardware on the stick that would be capable of actually destroying the memory chip. Well, if you're so sure why not test that out? Exceed the maximum number of password attempts and see if you can still recover data from the drive, that would really be the final nail in the coffin.
... The false sense of Security..
I trust exactly one encryption product: GnuPG.
What about OpenSSL? It's the base for SSH and dozens of web servers and clients. I would bet it's the second most used encryption product after the crypto that ships with Windows.
It is a joke. I find no refenrence of a such product on google nor proof that is that aprouved by french gouvenement...
Well, true - and I'd venture that it's probably handled more bits than any other single crypto product. However, it's more of an infrastructure component and not something that end users are ever likely to touch. In that vein, I probably should have included TrueCrypt, although I haven't personally used it.
Dewey, what part of this looks like authorities should be involved?
My friend bought a 1gb thumb drive. He brings it over here from time to time so I can put some program updates on it for him as he is VERY internet unsavvy.
Well, I don't remember what the brand of the thumb drive is but when I plug it into my Linux box it is automounted and shows up as "Secure II" (the volume label).. I wondered what this was supposed to mean because the thumb drive was 100% read/write accessable to me on Suse 10.0
I put his program update on the drive, he took it back to his place, plugged it in to his windows box and updated his programs via a batch files I wrote. I have plugged that thumb drive into several different machines I have here including my Mac OS X box and he's plugged it into several of his windows PC's and it's never behaved as anything other than a normal drive, the full 1 gig of it always has been available.
What the hell? How is that secure?
Secustick, huh? Sounds like some kind of horrible sexual implement.
Ceci n'est pas une sig.
http://en.wikipedia.org/wiki/Begging_the_question
It mentions the common usage which the site you linked says is incorrect as a side note, but I'd be willing to bet most people would be quite confused if you used the phrase to describe a logical fallacy...
"I like systems, their application excepted", George Sand (French)
$20 USB key + Truecrypt = secure data.
I now realize that it's high time I got myself into the business of bullshit security. And here I was, wracking my brain trying to figure out what the new good-paying industry was.
People these days are so shit-scared about security that they'll buy anything with the word "secure" in it. I'm surprised DRM isn't marketed (to consumers) as "keeping your music secure". Maybe now I get why Bush is still in office. His work in keeping Americans scared to death is driving a whole new industry of consumer paranoia products.
Terrorists can attack freedom, but only Congress can destroy it.
So maybe they should rename it to the Suckustick?
Have fun: Join D.N.A. (National Dyslexics Association)
Why were they relying on an unlock code anyhow? on-the-fly encryption isn't exactly new and isn't exactly hard to do; it *is* damned hard to break into though, without having access to the password somehow (so you can write a trojan to break in, but you can't start with a stick and break the password unless you get really lucky or its an easy password to guess)
-=DaveHowe=-
Give it up, seriously. This is a fight that you cannot win and your objections are pointless. "Begs the question", in spite of being technically incorrect usage, has long been used in every day conversation. The wordinistas have already started conceding this point, and it won't be long until they recognize it as a correct usage. Language is dynamic.
I think the PP should have been modded insighful instead of funny.
IIRC, a few years ago the laws regarding cryptography in France were even worse than the ones in the US (crypto = munitions, remember?). Strong crypto was forbidden, unless you got a license to use it (think banks and such). I don't know the current situation, but I wouldn't be surprised if the sticks were functioning as designed.
Then again, people make stupid design mistakes and this could just be an example.
GPG 0x1B479C78
Its probably just like all the MS Word crashes.
Just a feature (see the other post on MS Word)
Where can one buy a Flagstone HDD? Looks like they're only selling through Toshiba and Dell and you have to explicitly ask for one of their drives while you're ordering the system. Any links to any online shops that sell Flagstones?
Also, the characteristics of the different kinds of Flagstone make me wonder what exactly the difference between them might be...
They could have been like other 'companies' like U3 that have their malware on all the thumb drives that get themselves sold here. These abortions cannot be used in windows' computers inasmuch as they contain some uneraseable malware that self installs on any windows' pc. This malware trojan monitors all the files on its victims pc's and probably send serreptitious reports to some shadowy agency, possibly the RIAA or the NSA or HSA...maybe even the MPAA or the British MI6 that to this day denies whackin Princess Diana so an Arab would not come to the British throne. The 'valuable utilities' on these 'thumb drives' are not deletable by windows. As a surprise, neither are they deletable by Linux, leaving one to suspect that some hardware devices are in it protecting memory on a second chip. In any case, these things are unusable. Shame for such a potentially useful toy to be totally perverted by a corrupt and excessively greedy industry that appears to know no bounds.
I assume by "modern cyphers" you mean public key cryptography with large keys.
If I want to keep a secret, I'm going to assume those will be breakable in a few years or less using quantum computing or something else.
Therefore, if my message must remain secret for more than a few years, I am going to do something to make it impossible to know when the correct key is guessed. Splitting the message itself is one way to do this.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Frankly, I haven't a clue about getting one pre-installed. I tried to do that, but none of the computer companies whose logos appear in the Flagstone datasheets were in any way responsive to me. After searching their support knowledgebases, I came to the conclusion that laptops with pre-installed encrypted drives aren't really a product in the U.S. If you do a bunch of searching, you'll find that some laptops are available in the U.K. for use by folks in their National Health Service where data protection requirements are tough and have been for a while. That's not really an available option for us in the U.S.
Understand that if you poke around in the .mil domain, you'll find lots of requests for proposals that specify these drives. It's my impression that military and govt sales pretty much keep them busy and they aren't very interested in selling single drives to individuals. I got mine for testing for a major government agency using my own funds. I was trying to do an end-run around our usual testing procedures and be viewed as the "encrypted hardware golden boy" in my org for a particular project. It didn't work out and I wound up with a nice piece of hardware in my personal collection.
Before I get started, please keep in mind that my experience is over a year old. YMMV and I hope things go much better for you.
Flagstone has two North American distributors who sell bare drives. I'm not even going to mention their names. As of a year ago (or a little more) when I bought mine, the Canadian distributor couldn't find its butt with both hands, couldn't answer email timely or appropriately, and was a complete turnoff to me. The U.S. distributor never would get down to brass tacks. They wanted to talk about sales, do demos, and other high-level stuff that they should have realized wasn't appropriate after the first contact. I just wanted to know "What do you have in stock?", "How much does it cost?", and "Where do I send the check?" They never could get around to just taking an order.
The French distributor isn't interested in doing business outside of France. There is one vendor in England who has what we expect: an online storefront where you just add the item to a cart and proceed to checkout. At that point, distressingly, they want to email you and set up a "relationship". Nobody just wants to take your money and send you a drive.
Except for the U.K. reseller I talked to (who seemed genuinely interested in helping me once he understood my needs) the entire business, post-manufacturer, seems to be set up by people still stuck in the bad old reseller days where nothing got bought without going out for drinks with a sales rep. Bleh.
Thankfully, there is an out. Go to the website contact page and fill it out. Specify that you wish to place a direct order with them (not one of their resellers) for a drive and ask for a current price list for their Corporate/Freedom drives. They'll take your information, make up a drive for you, and send it promptly upon receipt of payment. Their distribution chain, in my (admittedly outdated) experience may be clueless and frustrating, but the home office has been superbly competent and professional in every way.
Before you do all that, though, understand that you'll be spending about 10 times the retail price of a similar-capacity drive to get a Flagstone. If you're not willing to do that (in fact, if you're not willing to place an immediate order), don't bother them. This isn't a business that is geared to individuals and they *really* don't need our business.
You asked about the difference between drives. The Corporate and Freedom (usb) drives employ 128-bit encryption and are sold to businesses and individuals. The bit count goes up for the baseline and enhanced products. Full information and certifications data is clearly presented in the datasheets that can be downloaded from their web site. Most of that information is pr