IronKey Unveils Self-Destructing USB Flash Drive

fysdt writes to share that IronKey has released a USB flash drive with self-destruct capability. Specializing in "secure flash drives," IronKey has launched the S200 aimed at government and enterprise customers, "featuring hardened physical security, the latest Cryptochip technology, active anti-malware and enhanced management capabilities. It's the 'first and only USB storage device to achieve FIPS 140-2, Level 3 validation' and delivers advanced Cryptochip featuring AES-256, tamper-resistance and self-destruction circuitry."

Nerdgasm

[amateur6]

FTA: " Physical Security â" the IronKey cryptographic module includes the following physical security mechanisms that meet or exceed the Level 3 requirements:...Hard epoxy potting material (opaque to the visible spectrum) that encapsulates the multi-chip circuitry, thereby preventing removal/penetration attempts without causing serious damage to the chips "

I'm sorry, that's so straight-outta-Neuromancer-Gibsonesque I need to change my pants.

Re:Nerdgasm

[afidel]

You're impressed that they coated the circuit board with black epoxy? The only impressive thing about that is they use so little power that heat transfer isn't an issue.

Re:Nerdgasm

[idontgno]

Whadday mean, "heat transfer isn't an issue"? Of course it's an issue. How do you think they achieve "self-destruct"?

Re:Nerdgasm

[Jah-Wren+Ryel]

You're impressed that they coated the circuit board with black epoxy? The only impressive thing about that is they use so little power that heat transfer isn't an issue.

Indeed. Get back to us when they have a Level 4 product - that's what all the big boys use.

Re:Nerdgasm

[TooMuchToDo]

Is that where my USB key is embedded in a stick of dynamite for quick data wiping?

Re:Nerdgasm

[MarkvW]

Man! That reminds me of the scene from "This is Spinal Tap" where the musician is discussing why his amplifier is better because you can turn it up to level 11!

Re:Nerdgasm

[mrsteveman1]

Only Chuck Norris can do that, you can only try.

Re:Nerdgasm

Sorry, epoxy isn't security, it's annoyance. Epoxy might stop a certain percentage of console modders from modding their consoles and the like (discouraging wholesale unpotting by the public), but it is useless against a dedicated attacker with time. Potted circuits are damn annoying to unpot, but it's by no means impossible if you spend a couple afternoons on it. If you're careful you won't damage anything.

I'd have given them some credit if there were a wire mesh embedded in the potting and a coin cell battery inside which powers a SRAM chip which stores the keys, with the circuit rigged to destroy the data if any part of the wire mesh is broken (NOT just kill power - you want to deliberately overwrite it with zeroes), but that's not the case here.

Re:Nerdgasm

[RunsWithMatches]

There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.

Lamest. Sig. Ever.

Mainly because you're trying to be cute.

The lamest sig. ever? Really? Is this your first day on Slashdot? Actually, I thought the sig. was quite clever -- Now, if only I had mod points this week...

Re:Nerdgasm

Is that where my USB key is embedded in a stick of dynamite for quick data wiping?

"The only USB key to be banned by the TSA" -- product advertisement

Re:Nerdgasm

[afabbro]

The lamest sig. ever? Really? Is this your first day on Slashdot?

by afabbro (33948)

Apparently not.

Re:Nerdgasm

[bill_mcgonigle]

"The only USB key to be banned by the TSA" -- product advertisement

Come now, the Swiss Army Flash Knife is most certainly considered a WMD by the goon squad.

Re:Nerdgasm

Be honest, you bought it on ebay.

Re:Nerdgasm

[Lord+Kano]

Apparently not.

May as well be, because you're acting like it.

LK

Re:Nerdgasm

[ciderVisor]

I suspect that particular gizmo would be illegal to carry in the UK.

Re:Nerdgasm

[Phoghat]

Neuromancer

Re:Nerdgasm

[Malevolyn]

Er, why is this news? This exact item has been on sale at ThinkGeek for a couple years, now. Self-destruct capabilities and everything.

Spais

Here is your mission if you choose to accept it. This USB will self-destruct in twenty seconds.

Encryption is just as good as self destruction

[basementman]

What's the point of having it self destruct? Encrypt any old flash drive with True Crypt and you have accomplished the same thing at a much lower price. Want to destroy the data? Hit yourself on the head with a crowbar, making you forget the password. Problem solved.

Re:Encryption is just as good as self destruction

[ocularDeathRay]

didn't you just read the slashdot front page news that they can hack your brain now? god... pay attention. This is an anti brain hacking device.

Re:Encryption is just as good as self destruction

[CannonballHead]

Hit yourself on the head with a crowbar, making you forget the password. Problem solved.

Maybe the information-hiding-people don't want to potentially allow themselves to be subjected to information-gathering techniques (*ahem* torture) by knowing the password. It's easier to just have the data destroyed after a certain period of time. Once it's gone, you don't have to forget a password and you don't have any password to be persuaded to remember?

Re:Encryption is just as good as self destruction

[Cyberax]

Encryption can easily be beaten by thermorectal cryptoanalysis (http://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis).

Re:Encryption is just as good as self destruction

Ever heard of a cryptographic erase? Basically, the point is that the password you have to remember only grants the drive access to the cryptographic key (stored on the device, but encrypted with the password). In a cryptographic erase, the old key is deleted and a new one saved (and encrypted, likely with the same password). Thus, all data is lost beyond what can be gathered from any amount of torture (except what could otherwise be gotten from asking what was on the drive, which self destruct wont help against either). The only way to get the data at that point is a brute force attack on cryptographic keys, which would take a goodly long time.

This of course wouldn't prevent people from thinking you knew the password that would unlock the data, so you might be tortured into providing it (which you couldn't), but like I said, they likely would use the same techniques to simply get the data out of you.

Re:Encryption is just as good as self destruction

[Paracelcus]

Will my brain emit a puff of smoke if it self-destructs?

Re:Encryption is just as good as self destruction

[fishbowl]

>didn't you just read the slashdot front page news that they can hack your brain now?

You're underestimating the amount of damage a crowbar can do.

Re:Encryption is just as good as self destruction

[fishbowl]

>Once it's gone, you don't have to forget a password and you don't have any password to be persuaded to remember?

And you don't have any value to your captors, so they can just kill you for sport (or to set an example for the next person in line for interrogation.)

Re:Encryption is just as good as self destruction

What's the point of having it self destruct? Encrypt any old flash drive with True Crypt and you have accomplished the same thing at a much lower price. Want to destroy the data? Hit yourself on the head with a crowbar, making you forget the password. Problem solved.

I've had flash drives (encrypted with TrueCrypt no less) stolen from me. While I took comfort in the fact that the data was secure, I was upset for having it lost, and the thief gaining an expensive flash drive. At least with this, if someone stole it I could take pleasure knowing that they managed to steal a brick.

Re:Encryption is just as good as self destruction

[Hurricane78]

So you think that will make the evil ones stop torturing the password out of you? They'll use that same crowbar to make you remember it! ^^

(Interlude: WTF. I have my adblocker disabled for the first time in months, and the first thing I see, is an Ironkey banner. Truly a slashvertisement.)

The point is, that the keyfile on your USB key is encrypted with your password. So if you destroy the keyfile, which would open your encrypted safe, your password gets useless. You could scream it to the whole world. It wouldn't matter. Nobody could open that thing now. Not even you.

And that is why you never let someone know that you want access to his system. ^^
Just use a keylogger, or a trojan horse, and be good. Become a cleaning person in that place. Or gain some trust otherwise.
If you need it: There are some internal CIA agent training manuals on the net, that can teach you this. Or if you can speak Russias, I recommend some Russian forums. ^^

Re:Encryption is just as good as self destruction

[GigaHurtsMyRobot]

Normal flash drives are cheap... This one isn't. I think you have your story backwards.

Re:Encryption is just as good as self destruction

[mlts]

The advantage of having it drop access to the data after a certain amount of tries is the same reason people use cryptographic tokens -- brute forcing a passphrase becomes a non issue.

There is another feature of the IronKey that isn't mentioned -- encryption on a machine, say at a student computer lab, but without requiring administrative rights to access the data. A lot of schools disallow admin access, and this is required to mount virtual volumes (TrueCrypt, BestCrypt, PGP, etc.) Having software to allow access to the drive that never needs to leave user space is a good thing in these cases.

IronKey does have a market. Especially for students at larger universities where there are people who lurk in the 24 hour computer labs just looking for a USB flash drive to steal. With a stolen USB flash drive, they can either sell the done homework, or if someone has a paper for a popular class that isn't turned in, actually take the word processing document and call it theirs. The downside is that the distinctive metal case does lure thieves, but the user has to figure out a balance. To the user, is the data on the drive worth the price premium, especially if the data can be used by a thief or extortionist? This applies to faculty too. I'm sure there are those who would be more than happy to sell any test or quiz data that was gleaned from a USB flash drive swiped from a faculty lab.

Another use for these USB flash drives is delivering to a customer something extremely confidental (such as TrueCrypt keyfiles or one time pads) that will be used for future communication of large volumes of data. For example, the customer gets the passphase from a rep, while a secure courier drops off the IronKey. This way, the data never crosses the Internet.

Re:Encryption is just as good as self destruction

[afabbro]

Especially for students at larger universities where there are people who lurk in the 24 hour computer labs just looking for a USB flash drive to steal. With a stolen USB flash drive, they can either sell the done homework, or if someone has a paper for a popular class that isn't turned in, actually take the word processing document and call it theirs.

Sorry, but I have to call nonsense on this. Sure, there are people who steal flash drives. They get the drive, and that's benefit enough - any electronic dividends are just icing.

But to posit that there are people who specifically look to steal USB drives so they can sell the done homework (do they take orders? is there a clearinghouse?) or by wild coincidence exploit the tiny window between a paper being due and a student writing it (which is no more than 24 hours most of the time!) coupled with the coincidence of being in the same class, is pretty unlikely.

I'm not saying it couldn't happen, or that perhaps it hasn't happened once in the past, but I am skeptical that there are organized rings of "lurkers" in every university's computer lab. I bet 99.99% of flash drives are stolen, looked over ("yawn, Art History notes - and dude, she listens to David Archuleta, LOL!") and formatted.

Re:Encryption is just as good as self destruction

And that is going to be different from what they'll do to you once they get(or discover they cannot) get what they want, how?

Re:Encryption is just as good as self destruction

[w0mprat]

You miss the obvious point. Keys can be stolen and copied, thus it's useful to destroy data, especially when it is no longer required buy still sensitive.

Keys have to be typed in by protein popsicles and they have to be stored in notoriously vulnerable meat-space neural processors which so far, nobody is interested in patching.

Re:Encryption is just as good as self destruction

[SixGunMojo]

Not even close my friend. I've been using one for >18 months and I'll just hit the high points. First there are 2 chips in the Ironkey. The first is a hardware based encryption chip and the second is the actual flash drive. The data on the drive is always encrypted. Also the first won't even mount the second without the proper password (mine is 17 nums, chars, and letters long). You have 10 tries to guess that or the drive destroys all the data. In addition the epoxy they seal them with insures that any attempt to get to the actual flash chips a) damages them heavily and b) also triggers the self-destruct. The second biggie is the on-board browser and identity manager. This gives you the ability to securely surf the web from any computer (I even use mine on my computer whenever I am doing anything financial) and if you are feeling really paranoid you can toggle tor with one click and/or configure Privoxy. The identity manger also allows you to log into sensitive sites without worrying about keystroke loggers. If you really want to see how hardcore this drive is I would suggest you visit their website. To paraphrase an OpenBSD motto: Ironkey the flash drive for the practical paranoid!

Re:Encryption is just as good as self destruction

[MillionthMonkey]

But not any old TrueCrypted flash drive has a brushed aluminum case. This is the kind of drive Jack Bauer would swing through the air to bludgeon a terrorist.

Re:Encryption is just as good as self destruction

[mgblst]

Oh yes, the huge multi-billion dollar industry of reselling average student work, and the resale of cheap and small USB drives. No doubt this is an organization run by terrorists.

Re:Encryption is just as good as self destruction

So sick and tired of that XKCD comic, is needs to die. http://en.wikipedia.org/wiki/Plausible_deniability#Use_in_cryptography

Re:Encryption is just as good as self destruction

Gordon Freeman? Is that you?!

Re:Encryption is just as good as self destruction

[L4t3r4lu5]

WTF. I have my adblocker disabled for the first time in months, and the first thing I see, is an Ironkey banner. Truly a slashvertisement.

You're commenting on it. Didn't you realise?

Re:Encryption is just as good as self destruction

Encryption can easily be beaten by thermorectal cryptoanalysis (http://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis).

yes, because my aes-twofish-serpent encrypted volume, filled with 4096 bit rsa key encrypted files can be bruteforced before I die of old age.

Re:Encryption is just as good as self destruction

[Cyberax]

There are many different methods to 'brute force' a password :)

Re:Encryption is just as good as self destruction

[Hurricane78]

That is the very point of that sentence of mine. ^^
Didn't you realize?

Re:Encryption is just as good as self destruction

[marciot]

A tin-foil hat is a cheaper anti-brain-hacking device.

Re:Encryption is just as good as self destruction

[Maximum+Prophet]

Back in the day, people would dumpster dive for printouts of other student's code. So yes, if someone happened across a flash drive with completed homework on it, they might try to use or sell the information.

Re:Encryption is just as good as self destruction

[Maximum+Prophet]

The identity manger also allows you to log into sensitive sites without worrying about keystroke loggers.

If there is a hardware keystroke manager on a machine that you plug the ironkey into, or even a USB data monitor, your IronKey password is their's.

If a machine is compromised, and you plug this into that machine, your data is compromised as soon as you unlock it.

Re:Encryption is just as good as self destruction

[BuckoA51]

I am astounded that somebody actually had to explain this on Slashdot and that the above comment by basementman was actually rated "Informative".

Re:Encryption is just as good as self destruction

[hesaigo999ca]

Maybe anyone not wanting that the data be legally maneuvered in terms of company usage, like a court order forcing you to reveal the password might be useless in this case, as for TrueCrypt, there is a known backdoor in that industry, and such is used for counter measures to pedophiles right now in court cases, which is a sort of bug if you will with the way the drive is encrypted and the hashed password is saved somewhere on that same drive, or so I have heard.

Re:Encryption is just as good as self destruction

Flash drives weren't always as cheap as they are now.

Rip-off

why would i pay $199 for that when i could buy a cheap USB drive and a hammer to break it with for less than $10?

Re:Rip-off

[caerwyn]

If you can break it with a hammer remotely, you should really be selling that capability- pretty sure someone would want to buy it.

Until then, the self destruct does work remotely.

Re:Rip-off

[Starteck81]

I believe the self-destruct is triggered by unauthorized attempts to access. While your way is cheaper I suspect that rubber banding your usb drive to a hammer with a note that says "In case of theft please smash drive" is somewhat less effective due the lack of ethics most thieves posses.

Re:Rip-off

[Chabo]

Here's my idea:

Sell a USB drive that's approximately 2 feet by 2 feet by 4 feet in size. The drive will consist of a radiation-shielded box. Inside, there's a flask filled with poison, and a hammer connected to a Geiger counter. There's also a cat with a heart monitor. If the flask breaks and the cat dies, then the drive will self-destruct.

Would you be willing to buy my product?

Re:Rip-off

[RuBLed]

If you could assure its destruction in all dimensions, then Yes!...

Re:Rip-off

Only if I did not need a quantum computer to retrieve the data.

Re:Rip-off

[zippthorne]

No, the message should read, "no gold inside."

Re:Rip-off

Yes AND No.

Re:Rip-off

Yes. And no.

Re:Rip-off

You should be aware that you are violating at least 3 of my patents. Contact me for licensing details.

Re:Rip-off

[WoRLoKKeD]

If D&D has taught me anything, it's that thieves are not without ethics. They just have a great flexibility about them.

Re:Rip-off

i'd buy that shit!

Re:Rip-off

[syousef]

You forgot the part about politely asking data thieves not to look at the cat.

Re:Rip-off

Yes and no.

Re:Rip-off

[tmosley]

The answer is a definite maybe.

Re:Rip-off

[Taint+Bearer]

Would you be willing to buy my product?

Yes and no...

Re:Rip-off

Ladies and gentlemen, if we track this person's IP, we may have just found the real Jigsaw!

To the Internets Mobile, Robin!

Where's the market?

[religious+freak]

Funny, instead of paying extra, I'd just use a hammer, or a desk drawer, or if in a real pinch my two hands to break the thing apart. Unless you're James Bond, I don't see how most folks would need any more than this, and if they do need more, they already have it.

Re:Where's the market?

[hedwards]

But that's who this is geared towards. The people that are carrying around data that is incredibly sensitive. Why these people are carrying it around on a thumb drive is a much bigger question, really, if you don't want it cracked, you shouldn't be carrying it on a portable easily lost/stolen medium.

Re:Where's the market?

[CannonballHead]

Maybe if they lost it and thus can't reach it with a hammer? :)

Re:Where's the market?

[LWATCDR]

How would you transport a few gigabytes to a new location?
FTP?
External HD.
DVD?
And very large number of floppies?
I take my source code home with me on a USB drive. I currently encrypt it but I could see this being even better.

Re:Where's the market?

[LWATCDR]

Actually a hammer may not be good enough. There are some very strict rules for medical records and financial data that this could be useful for.

Re:Where's the market?

[DragonWriter]

Unless you're James Bond, I don't see how most folks would need any more than this

There are all kinds of legal environments, outside of national security, where you need better certainty of destruction of data than "it looked broken to me" (e.g., HIPAA).

and if they do need more, they already have it.

Maybe, maybe not. Places that are subject to rules that would require additional security sometimes simply don't do particular things that might be useful from an operational convenience perspective since the tools don't exist that let them work under the rules, and others bend (or break) the rules because they aren't willing to sacrifice the operational convenience. Anything that lets them meet requirements in the applicable mandates while promoting operational convenience is a big plus for them.

Additionally, the balance between operational convenience and available protective technology is usually a consideration in adopting new (e.g.) privacy regulations.

Re:Where's the market?

[pjt33]

Maybe there's some straightforward* way to hack your USB drivers so that the only devices they support are self-destructing drives, but if not then I'd prefer any computer with data sensitive enough to need this drive not to have the ability to mount any USB drive. You just need to look at the British civil service to see what happens when it's possible to dump your database to an unencrypted physical medium and then leave it on the train / lose it in the post.

For security-conscious home users it's great. For government / enterprise users you need methods of transfer which the sysadmin can lock down.

* Emphasised because I don't need to be told that if you use Linux you can obtain the source and break it to your heart's content.

Re:Where's the market?

[pete-classic]

Surely you don't write gigs of code daily. VPN + SCM and you don't have to carry any code with you. (You might need an RSA ID at home, though.)

-Peter

Re:Where's the market?

[0100010001010011]

SVN and do an update anytime you get to a new location. It's how I work on code across 6 computers. Why didn't someone teach me about this subversion stuff earlier?

Re:Where's the market?

[Abreu]

How would you transport a few gigabytes to a new location?
FTP?
External HD.
DVD?
And very large number of floppies?
I take my source code home with me on a USB drive. I currently encrypt it but I could see this being even better.

I am partial to the classic solution: Microfilm in a hollow tooth

Re:Where's the market?

How would you transport a few gigabytes to a new location?

I've undergone cybernetic surgery to have a data storage system implanted in my head.

How else could anyone securely transfer data too sensitive for the internet?

Re:Where's the market?

[shentino]

But I use git you insensitive clod!

Re:Where's the market?

[mlts]

This falls under the "never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway" category. With a lot of WAN Internet connections, it is a lot faster to carry a flash drive with your 8GB of data on it, than to download it from remote, especially if someone is often using different machines (student computer lab, for example.)

Re:Where's the market?

[mlts]

The closest solution for this on an enterprise basis would be Windows 7 and BitLocker To Go. Set a policy that USB flash drives are either not accessible, or read-only until they are encrypted with a passphrase. PGP Universal also has this functionality.

Re:Where's the market?

[TarrVetus]

Funny, instead of paying extra, I'd just use a hammer, or a desk drawer, or if in a real pinch my two hands to break the thing apart. Unless you're James Bond, I don't see how most folks would need any more than this, and if they do need more, they already have it.

I think using brute force to get into the IronKey drive would be a very bad idea. ThinkGeek sells an older version of the product the article covers, and even it had some pretty effective measures against breaking it apart.

Passwords can be hacked, but not the IronKey. It's built to withstand attacks both virtual and physical. 10 incorrect password attempts, and the encryption chip self-destructs, making the contents of the flash drive totally unreadable. The contents of the drive are filled with epoxy, so if a hacker tries to physically access the chips, he'd more likely damage them instead. Even if he did get access to the memory chips, they'd be worthless without the encryption chip. Electron-shielded, even a scanning electron microscope can't get inside.

So, use a hammer, desk drawer, or your hands, and it's still encrypted at best, and most likely just ruined and unreadable.

Re:Where's the market?

[modecx]

I am partial to the classic solution: Microfilm in a hollow tooth

Classic? That's some newfangled spy tech there, boy. Why, back in my day we scratched micro-cuneiform onto clay suppositories with spider hairs. Of course, anyone known to carry raw clay and spider hairs was shot on sight, so we had to mine the clay, build a kiln, and catch the spiders behind enemy lines, uphill both ways in the snow--and we liked it that way. Poor Johnson, couldn't find any fuel for his kiln. Yeah, the boys back at HQ never let that one go!

Re:Where's the market?

[zoloto]

upload it to ftp and let the world mirror it for you

Re:Where's the market?

[zoloto]

you kids. we used to take slaves and tattoo information on their shaven heads, then let the hair grow out over 4-5 months and sent them on their way across the country on foot. when they arrived, they were shaved and when they were done - killed and the bodies burned to keep the information secret!

Re:Where's the market?

How would you transport a few gigabytes to a new location?

A T1 transfers about 500MB/hr in one direction. More modern systems have even higher transfer rates (I get about 3.5Mbs from my cable modem).

The more secure method would be to simply use GPG/PGP to encrypt the file with a public key held by the destination. Then you could put it on any old medium (DVD-R, USB key) and simply not worry about it in transit at all. Or you could use a TrueCrypt volume with a file-based encryption key that is not stored on the USB card.

As for the specific case of working on source code remotely. Ugh. In a centralized version control system, you should simply be checking out the code over a secure method (SSH, HTTPS or VPN).

Re:Where's the market?

[LWATCDR]

I use the USB flash as backup. I like having it on my at all times to take home just in case. I work on the idea that you can never have too many backups.

Re:Where's the market?

[LWATCDR]

Plus lets be honest. The most secure machines are not on the internet!
Not every device is connected and not everybody is connected at all times.

Old feature

I thought all of their thumb drives would 'self destruct'?

Sony

[StellarFury]

I think Sony figured out the technology here 3 years ago.

http://www.engadget.com/2006/08/24/sony-ordered-by-japan-to-investigate-battery-problems/

24's Cloe O'Brian

[SolarStorm]

would have this cracked in no time (at least withing the timeframe of one episode) From what I have see her do, no encryption is safe for more than 41 minutes

Re:24's Cloe O'Brian

[DigiShaman]

You were actually expecting realism from a show that's about drama and suspense? I'm *shocked* I tell you!!!

Re:24's Cloe O'Brian

[maxume]

I wouldn't mind it. I have trouble seeing that show as much more than pro-torture propaganda though, so between that and the ludicrous durability of Jack Bauer, I don't watch it.

What a bad idea

[Reason58]

Flash drives are a big no-no in the federal government and military. If something is so sensitive that it needs this kind of encryption wrapped in dynamite, then it should not be walking around on a USB drive. Dumb dumb dumb.

Re:What a bad idea

[NecroPuppy]

Correct.

In many branches, they are currently banned, largely because of the viral vector issue.

Re:What a bad idea

[saintsfan]

I partially agree with you, although some people on the go may demand a compromise between usb storage convenience and security. More to your point though- this tool, solution, toy, -pick your reason- is not perfect. I am not an expert at anything, but I've learned over time that as long as there is a unique challenge and the barriers aren't too high, enthusiastic hackers around the world will take it on. The more services, conveniences what-have-yous built into this stick https://www.ironkey.com/compare , https://www.ironkey.com/ikdocs/datasheets/s200/IronKey_S200_Enterprise_Server.pdf; the more touted it is for being secure by the company "the world's most secure flash drive; the only level 3 FIPS 140-2 flash drive"; the more security professionals say they use it and how cool it is https://www.ironkey.com/sdkform; the more likely someone will find a vulnerability with it, one of its dependencies, or one of its features and break it. period.

Re:What a bad idea

[NecroPuppy]

We don't have a compromise where I work.

USB key drives are banned. There is even software loaded onto the machines, by default, that detects if you've inserted a key drive (and can tell the difference from a USB hard drive) and reports you to the IS guys.

If you do this, you get yelled at, your computer gets scanned and scrubbed, and it can even affect your clearance.

Re:What a bad idea

[ChaoticCoyote]

Flash drives are a big no-no in the federal government and military. If something is so sensitive that it needs this kind of encryption wrapped in dynamite, then it should not be walking around on a USB drive. Dumb dumb dumb.

True... but not everyone who requires security is a government spook. For most of us non-spooks, this thing has merit.

Re:What a bad idea

There is even software loaded onto the machines, by default, that detects if you've inserted a key drive (and can tell the difference from a USB hard drive) and reports you to the IS guys.

Can it tell the difference between a USB drive and one that has had it's HID changed to something innocuous, like a keyboard that records the scroll lock status to transmit data?

I'm that paranoid. It's relatively trivial to change the HID of many USB devices to something other than they are.

Re:What a bad idea

[merreborn]

USB key drives are banned. There is even software loaded onto the machines, by default, that detects if you've inserted a key drive (and can tell the difference from a USB hard drive) and reports you to the IS guys.

Why is this important?

Aren't a USB harddrive, USB key drive, and iPod all just as good for bringing in/taking home bad stuff?

Re:What a bad idea

[Proudrooster]

Yes you are correct.. for the virus vector, there is no difference. The best thing to do is turn off autorun on USB devices and run truecrypt to secure your data in the event of loss.

Re:What a bad idea

[mgblst]

So where the fuck do you work, Apple?

So secret that you can't even hint at the industry...

What!?!

[Starteck81]

No retina scan authentication? LAME

Re:What!?!

[auric_dude]

No, I think you will find it relies upon a self anal reader.

Re:What!?!

[canonymous]

That just puts you at risk of losing an eye as well as a USB drive.

Re:What!?!

[kamochan]

A much better option is a palm vein scanner. It needs a live hand for a 3-d image of warm veins.

Re:What!?!

[Abreu]

a torniqueted, recently severed hand wouldn't work?

Re:What!?!

[camperdave]

Bah! Just pump warm water through the thing. Same diff.

Smoke

[wjousts]

This better emit a puff of smoke when it self-destructs or I'm not buying it. It doesn't matter if the smoke is only for show.

Re:Smoke

[madcat2c]

Magic Blue Smoke at that.

Re:Smoke

[JoeCool1986]

Actually, only the "contains fully-featured genie" edition has that feature.

Re:Smoke

[Hurricane78]

Bonus points when you can either
A) kill an attacker because it also is a nerve gas
B) use it as an antidote against a truth serum
C) kill yourself when in risk of being captured
D) all of the above.

.
.
.

Sadly, in reality, a good attack would mean, that you did not even notice that your system is compromised, and never would.

Comment removed

[account_deleted]

Comment removed based on user account deletion

The Market

[NotQuiteReal]

Like most things, if you have to ask "who needs this?", the answer is not you.

Personally, there are a great number of wildly popular products for which I am not in the market.

Re:The Market

Slashdot, apparently. Ironkey has been an advertiser on /. for some time, and this product is a revision on an otherwise old product of theirs that also self-destructs.

Re:The Market

You will notice that personal hygiene product vendors do NOT advertise on Slashdot. However purveyors of kiddie-porn-concealment devices do.

Re:The Market

Additional support for the notion that one must find a market demand, not just a market need, to make money.

Re:The Market

[WuphonsReach]

Like most things, if you have to ask "who needs this?", the answer is not you.

The question is more "is this snakeoil" and "what attacks does it work against". In this particular case, the product does nothing to prevent key-logging attacks, and once the attacker has the password, your data is at their fingertips.

I would be much more interested to see an external product requiring the entry of a PIN before you could access the data. It would be a lot harder to hack the unit to intercept the PIN without the user noticing. (Keyboard sniffers are small and easily blend in with the PS/2 cable.)

Something in a 2.5" form factor, allowing you to insert any old 2.5" drive might be very useful.

Better spy flash drive

[FunPika]

Would be one that said "this flash drive well self-destruct in 5 seconds" the 2nd time you removed it from a computer (1st time to write the sensitive info to it, 2nd time for recipient to read it). :D

AES-256

It uses AES-256, which has already been broken. Not that it's actually possible to use the attack to recover data, but in the future, AES-256 will only get more broken.

Re:AES-256

It uses AES-256, which has already been broken.

citation needed

Oops...

[Monkeedude1212]

I misstyped my password and my USB key melted. Now I lost the company thousands of dollars worth of spreadsheets, Ruined a perfectly good USB port on my computer, and now it smells kinda funny...

Re:Oops...

Call IT support and tell them that you were not doing anything in particular when the computer did it by itself.

Then tell everyone else that IT support failed to fix the problem costing the company thousands of dollars of spreadsheets.

Ironkey also supports Linux!

[AMuse]

I'm using an Ironkey at work (have been for about 2 years now) and the thing has been rock solid. However, the main reason I selected it is that it's the only key that I've had the opportunity to trial which is both FIPS 140-2l2 compliant *AND* supports Linux.

I use it with WinXP and MacOSX daily and yes, they do ship with "alpha" Linux drivers. Not full support like Win* but enough to read and write the encrypted data, which is all I really use.

Although the company claims that you can now "initialize" a key on MacOS, all the versions I've used required an initial bootstrapping under Windows before being cross-platform usable.

Re:Ironkey also supports Linux!

[AberBeta]

I got a review piece of hardware from InfoSec and tried it out in Linux.
You can mount it once the key has been set-up, but you can't set it up under Linux with the software provided.
So this key *requires* Windows before it can be used under Linux, which is pretty bloody stupid.

Since I don't have any copies of that software, it pretty much doubles the cost of the drive.

Re:Ironkey also supports Linux!

[AMuse]

It practically doubles the cost of the drive if you're a standalone user with no job involving computers; for me, it was very easy to go over to my officemates' desk and initialize it on his Windows machine.

Also, I did a pretty good amount of work using the IronKey inside a VM. Using VMWare Fusion in MacOSX Leopard and a Windows XP VMWare image, I was able to mount the key inside the Windows image and do an initialization successfully. One thing I did notice was that when doing so, it would always unmount my ipod from the VM, which was a bit odd.

Re:Ironkey also supports Linux!

[CuriHP]

I bought one a couple months ago and was able to initialize it just fine on a Mac.

Re:Ironkey also supports Linux!

[Eternauta3k]

Since I don't have any copies of that software, it pretty much doubles the cost of the drive

Go to a cybercafe?

Re:Ironkey also supports Linux!

[BitZtream]

Still want to know why they require drivers. That scares me. Standard USB HID interface allows any USB device to receive arbitrary commands from an application.

I've made an Atmel AT90USBKey demo board do on chip AES using a key generated by a password supplied via a USB HID command. Works in Windows with the pretty gui app written for the task as well as Linux if you want to use some command line tools to manually send the data to the device to supply the key and get the device to make the encrypted area available. Neither Windows nor Linux are anything other than a default install. My prototype is utterly useless from a practical standpoint as the microcontroller involved is just FAR too slow to be useful as a disk device when you throw encryption at it, well hell, it was too slow for me before the encryption was in place, but the point is, there is no reason a driver should be required for any OS, just the app that can talk to it.

If they are requiring drivers then I'm sensing snake oil or lies. If the drivers are doing ANY part of the encryption chain other than sending off a password to the device then its practically pointless if you actually want security. My guess would be they aren't generating the key on chip, the host is doing it and passing it off to the chip, but again, no need for a driver to do that. Requiring drivers is very odd indeed.

Re:Ironkey also supports Linux!

[AMuse]

It's been a while since I spoke to their techies during my product evals, but as I understand it the drivers are loading and then encrypting the USB channel between the OS and the actual IronKey. They then accept your password and pass it to the key's cryptochip, which holds the keys that were generated during initialization, and decrypts/encrypts the data as it's leaving/entering the key (on the fly).

The drivers also, of course, have to power the key generation process since you can always nuke a key and regenerate its keys.

Finally, they do make a "Personal" and "Enterprise" product in addition to the Basic. In those models you get features like a hardened, privacy-tightened Firefox (for Win*) and, most important to me, remote management of the keys for your enterprise. Those kind of advanced features do require drivers.

You're on to something!

[SCPaPaJoe]

I vote for the floppies. How about 5.25" 360k. 3 to 9 thousand of them!
How many people can read those nowadays?

Re:You're on to something!

[imamac]

I have a working Apple ][GS...

Re:You're on to something!

[bertoelcon]

I vote for a punch card system, after its been encrypted and the unlabeled cards shuffled.

unvi

[kaoshin]

I understand thinkgeek and slashdot are sister companies, so this post is more of an ad, but is the only thing different here the revision or level of certification, or is there something else newsworthy on this from a tech standpoint? Ironkey has been on thinkgeek for like a year, and the self destruct and other features have all been in this product for a long time.

Re:unvi

[adona1]

That was my first thought when I saw this story on my RSS feed. Maybe this is a small update to the product, but still, unless it also gives electric shocks or sexual favours, hardly worth a /. story.

Re:unvi

New things are AES 256 CBC encryption, new CryptoChip, FIPS 140-2 LEVEL 3 security validation (the only flash drive in the world to achieve level 3), also speed improvements for small file writes, barcode on the devices linked to asset tracking and control on the service or server.

Re:unvi

[BitZtream]

(the only flash drive in the world to achieve level 3)

I assure it, it isn't the first or the only. It may be the only one the general public knows about or that is available to the general public, but it is in no way unique or original.

Wow

[webheaded]

This is such old news that it's ridiculous. Furthermore, this is a ridiculously overpriced toy that breaks itself. No thanks...if I have data that someone wants to hack by opening up my thumb drive, then I shouldn't be carrying it on a thumb drive in the first place. Everything else this is just ridiculous and expensive overkill.

Sell-out

So is Slashdot accepting paid posts now? At the bottom of this story my RSS reader displayed an ad for... wait for it... IronKey!

let me guess the code

Self destruct code: Code zero zero zero destruct zero

Mission Impossible

[Neanderthal+Ninny]

The new version of the Mission Impossible self-destructing tape player.
However, how many spoofs has been made to this "self-destruction" capability so I wonder what if your USB key self-destructs accidentally in your pants pocket will it fry your gonads.

Re: Nobody gives a shit!

all is said

Enterprise Mac Alternatives?

[GreenPickles]

I really like the IronKey Enterprise features -- remote destruction, management console, etc. It sounds like mac support is in it's infancy. Are there any enterprise level mac alternatives to IronKey?

Re:Enterprise Mac Alternatives?

[WoRLoKKeD]

Magic ink marker pens?

Circuitry?

[dandart]

So it blows out the circuitry, but what about the flash? Someone could just recover that.

Re:Circuitry?

[shentino]

It's still encrypted.

Re:Circuitry?

[dandart]

So, just one that's encrypted is good enough then. If people really want something, they WILL get the data.

Re:Circuitry?

[kylemonger]

From the IronKey website:

IronKey's patent-pending "flash-trash" methodology incorporates an exhaustive hardware erase of all flash and Cryptochip memory. This is not a simple clearing of file allocation tables, but a secure overwriting of data. This is done in hardware rather than via a software application for the ultimate protection. You, personally, should not be physically harmed when this happens.

Re:Circuitry?

[dandart]

Haha, "should not"... OK. Good good. My data is uber secure!

Thermite

[Dr_Barnowl]

I keep wanting to build a flash drive with a thermite filler and some kind of rip-strip fuse that you could just yank on hard to set it off.

No offence to IronKey, but how do you know that it's really, really, destroyed your data beyond recovery? Maybe it just locks out the disk controller. A small heap of smouldering slag is much more definitive.

Now, if you could combine the thermite with their remote wipe protocols......

Re:Thermite

[L4t3r4lu5]

Not possible.

The thermite reaction has an activation energy of 145 kJ/mol for 8Al-3Fe2O3 thermite. USB2 device charging spec (highest power output) provides a maximum 9 J/s

You might get it working with a series of exothermic reactions but it would become bulky, and with that low an energy input to work with you're more likely setting it off leaving it in a car on a hot day.

Re:Thermite

No offence to you, but how fucking stupid do you think they are?

Additionally, with your idea, what happens if your key drive is stolen? Do you expect the thief to destroy it for you before trying to access it?

What the hell is it about slashdot where everyone thinks that some idea they come up with in 30 seconds is better than those of the people who actually develop these things professionally?

Re:Thermite

[freedom_india]

Maybe it just locks out the disk controller.

This is a FLASH drive. There are NO movable parts in a Flash Drive.
All IronKey needs to do is to draw a sudden more power from USB port to fry the circuits. Of course a surge would cause a system reboot or probably crash a non-CoolerMaster PC.

Ha! Apple beat them to it...

[sponglish]

Apple Reportedly Recalls iPod Nanos in Korea

This is nothing new.

[joshtheitguy]

I've been administering and deploying these "self-destructing" IronKeys for over a year now. Yeesh... talk about a really fucking slow news day.

Re:This is nothing new.

[Joe+U]

I've been administering and deploying "self-destructing" USB drives for several years!

After about a year, the drive stops working and all the data is gone. It's always the one the boss was using and it's always some important file that he didn't have a copy of somewhere else, so it is very consistant in that one regard.

Re:This is nothing new.

[L4t3r4lu5]

You'd think that after one year that your boss would learn.

Oh, wait... He's a boss.

A hacker challenge

[RobertLTux]

what iron key should do is go to DEFCON with a bunch of these drives and then run a contest

If you can crack the drive you get some obscenely large amount of money
how to run the contest fairly

have the contents of the drive detail how to get to an offshore account with the prize money

So Ironkey how much you want to bet this key is "secure"

Re:A hacker challenge

[BitZtream]

Its not hard to make it secure actually, its just traditionally been too damn expensive to do it and make any money.

Strictly speaking, it doesn't self-destruct

[e9th]

From IronKey's blurb:

- Secure key management -encryption keys are born on the device in the Cryptochip and bound to the device
- Hard-wired encryption key self-destruct defenses and electromagnetic shielding of the Cryptochip

which I interpret as saying that only the key is wiped, while the actual data remains on the drive. If you've somehow managed to snarf the key before it was wiped, or if you're really cool and can break AES-256, you're good to go.

Brain

[PleaseFearMe]

Memorize the freaking 0's and 1's. If the brain gets lost or is stolen, it self-destructs by itself. 100% organic, too!

WOOPS!

[binaryseraph]

"no- wait ctrl-Z, ctrl-Z!!!- damnit!"

TSA Approval?

[Perf]

Ummm, what will the TSA say about self destructing thumbdrives?

Refer to my signature

[carp3_noct3m]

Old news is old. My company uses these and I have found them very useful, less because of how secure they are (even though they really are pretty good) but more for the "wow the customer" factor when some big wig sees me pull it out and I get to throw some ridiculous acronyms and make myself sound like james bond to him. Yeah, it's worth it. Now they need to catch up in the space department (space as in size, not space as in pew pew, chewbacca went that way)

Its a joke

Melts in your pocket, not in your hand.

self destruct

[confused+one]

if it doesn't burn like a magnesium flare and leave nothing behind but ash, then I'm not happy : )

So

[Jamamala]

This thing can nuke itself from orbit?

Impressive.

Teacher

[JumpDrive]

My USB burned my homework.

Why?

[brunes69]

Why wouldn't they just disable support for them in the OS? You can even do this in windows without much trouble/

Because they enjoy the power trip they get by yelling at you and "scrubbing" your machine?

Re:Why?

[gmhowell]

No. We hate scrubbing a machine. The paperwork is a hassle, and it's usually done for no reason other than CYA. The problem is, several levels above us are people who just can't quite understand why they can't plug in the USB picture frame they got for Father's Day. Or their iPod/iPhone. And those of us in the dungeon get tired of explaining things. So we give up and waste time reading slashdot until it's time to cleanup someone else's mess.

Again.

Could be snake oil

[efalk]

Bruce Schneier examined a similar device a few years ago. Turns out that all you needed to do was take it apart and cut the red wire. Voila, no more self destruct.

I hope this new device does a better job.

Re:Could be snake oil

[PPH]

No! NO!! The blue wire!!!!

Re:Could be snake oil

[BitZtream]

The first IronKeys could just have the flash removed and put onto a controller without encryption. They didn't actually encrypt the data, just made the controller require a password.

This has since been fixed. (Both of these stories were on slashdot over the past few years but I'm too lazy to look it up)

Comment removed

[account_deleted]

Comment removed based on user account deletion

Shrodinger's USB Key?

> There's also a cat with a heart monitor. If the flask breaks and the cat dies, then the drive will self-destruct.

> Would you be willing to buy my product?

Maybe.

Old news

[PPH]

Wondows has had self destruct technology for years.

Re:Old news

[freedom_india]

True. But the technology is still in BETA.
That's why my Windows XP self-destructed on the day i was leaving for my vacation and [Win7] self-destructed once again just so to make my Kaspersky licenses quota fulfilled and i had to spend days waiting for kaspersky to reactivate them.

Iron Key broke in nano-seconds

The encryption used on these things can be broke in about 3 nano-seconds using a new NSA computer :)

That reminds me- my Ironkey looks like crap!

It's about 7 months old, and the key-ring attachment is worn out. Also, the printing is almost all worn off. Also the plate on the serial number side of the device is noticeably dinged from contact with my keys, and has pulled loose at the bottom, so the serial number is waving in the air.

I'm not that impressed.

This isn't new in any way

[BitZtream]

Just for reference, I'm holding in my hand a prototype device that does essentially the same thing except using your fingerprint instead of a password.

Too many wrong fingerprints, data gets destroyed.

Try to physically get to the chip, it self destructs.

The hardware and software involved would have been FIPS certified as well, if the certification company hadn't pointed out what everyone with a clue (i.e. not the marketing morons) already knew, the fingerprint pattern isn't really useful for a key until you make it so low resolution that its practically useless for as a key and too easy to duplicate. Make the pattern matching stuffs use a higher resolution and its too inconsistent to generate a reliable key, and you get false negatives. But replace the finger print pad with a software interface to enter a password/key and you've got the same thing.

Fortunately it never made it to market so no one depends on this thing, but considering that this device is several years old I doubt there aren't several models like the IronKey already in use by people who really need that sort of thing.

I'd give more, but I'm probably already breaking a NDA. Since they've long since went out of business its probably not an issue, but why find out otherwise and piss a bunch of people off.

They call this the "suicide stick" ?

[freaker_TuC]

These might get popular for suicide bombers in any starbucks now...

I thought it was Zune

[freedom_india]

...isn't it Zune?

SVN?

You mean GIT.... right?

What??

Why doesn't it explode? When at they going to make things that explode? This is sissy crap.

Nice Product

[zdickinson]

Our company bought 500 of them for a, now failed, project. I was really impressed. We got to play around with the Enterprise, Personal, and Basic. They work well with virtualized applications too. Virtualize that VPN client, put it on the stick, and you're good to go. By the way if anyone wants some for CHEAP, we've got a few :)

Cats on the keyboard

[BurzumNazgul]

Only 10 tries? "I'm on ur keyboard, melting ur filez" -Kitty

Made In?

[awpoopy]

Where is it manufactured? How long before it ships with the "goodies" (root kits) that seem to w0rm their way in direct from the factory?
I just love it when something for "enterprise and governments" is made in China.

...for now

[Kabuthunk]

True Crypt will work -for now-. Can you tell me that it won't be broken 5 years from now? 20? 50? What guarantee do you have that the encryption used today won't be utterly worthless decades from now? Because after all, we've all seen that encryption methods in the past haven't been defeated by new technology and such.

So the thumb drive containing whatever extraordinarily sensitive information sits in someone's "to be unencrypted" pile for a dozen years or so. If I had ridiculously sensitive information for some reason, I'd rather the lost/stolen thumb drive destroy itself, rather than just sit and collect dust, waiting for unencrypting technology to catch up to it.

Very useful

I use ironkeys and they are very good -- easy to use on linux, windows & mac, very fast, etc.

I can attest that the self-destruct does work. On the 5th attempt it says "are you sure?" very convincingly, and then when you again have the wrong passphrase, it stops working. As in plug the thing in to a USB port and the computer doesn't recognize anything is plugged in. And it's permanent -- not like you can re-initialize the thing.

The self-destruct feature could be useful:
The police/border patrol/soup nazi wants you to type in the password. You type it in wrong 5 times and the data is destroyed. This might be preferable to them getting your companies IP, your personal kiddie-porn collection, or whatever.

Someone steals it. They can't guess the password. It self-destructs. Resale value: $0.00