More secure products that aren’t

Think that cool USB thumb drive you just bought with the word ‘encryption’ written in big letters all over the package is really secure? Think again. ComputerWorld recently reviewed seven ‘secure’ USB drives and basically found that they are all crap. Either they have no security at all, or they use AES in ECB mode (which is worthless), or they claim their security is ‘proprietary’ (i.e. snake oil).

Once again I have to ask how is the end user consumer supposed to know this? Why do we (consumers) have to wait for some third party to review a product before we know that the product will not do as it claims? When I go to the hardware store and buy a lamp I know it has been tested and meets certain requirements. I know that it won’t catch fire and burn down my house. Why can’t I have those same assurances when I buy a security product? I should be able to look at the product packaging and see that the product meets some sort of security standard or has been tested by some agency and meets certain criteria. If it can be done for electric pencil sharpeners it can be done for ‘secure’ USB thumb drives.
 



This entry was posted in Commentary, Snake Oil by Space Rogue.

About Space Rogue

Space Rogue is widely sought after by journalists and industry analysts for his unique views and perceptions of the information security industry. He has been called to testify before the Senate Committee on Governmental Affairs and has been quoted in numerous magazine and newspaper articles as well as appeared on such TV shows as News Hour with Jim Lehrer, CNN Nightly News, ABC News Online with Sam Donaldson, and others. A recognized name within the industry, Space Rogue has written articles that are often quoted or referred to by other major media outlets. He has spoken before numerous audiences including the Digital Messaging Association, Defcon, Pumpcon, HOPE, H2K, and others. As a former member of L0pht Heavy Industries, Space Rogue ran the widely popular Hacker News Network, which quickly became a major resource on the Internet for daily information security news. Before HNN he ran The Whacked Mac Archives, which, at the time, was the largest and the most popular Macintosh security site on the net. Currently Space Rogue does consulting for various companies.

3 thoughts on “More secure products that aren’t”

  1. $$$$$$$ money is the answer my friend! Big companies don’t care if it is secure, they
    have deadlines and need to make it so that the man/woman above them gets their check
    at the end of the month/week/day … that’s how it is and it’s always been that way….

    i work for a telecommunications company and just recently discovered that we are not giving
    the clients what they are paying for…. if the client was 512 line they’re only getting 350….
    so they are getting ripped off but i don’t do anything about it….so if they pay for 4 meg
    then they can get 512 they wanted….the world is just full of rip offs…

    i just wanna fly away from it all …

  2. amen. we have disclaimers for most everything that can have unadvertised/undisclosed risks. when you look at a pack of smokes, the surgeon general does not say “These shits are delicious!” No, the surgeon general says “The tobacco company won’t tell you, but these shits will fuck your world up!” then it’s up to the consumer to continue their purchase or not.

    same thing should apply to misrepresentation of an implied cryptographic standard to unsuspecting consumers.

  3. You have a point neco…we are not really affected by this anyway…i make sure my stuff
    is all secure and i’m sure you do the same!!! in our world we look for holes to get thru for more info :-P what do you think rogue???
