This message is from the T13 list server.
[EMAIL PROTECTED] wrote:
Let's all stop wailing and moaning and griping: take action !!! Now, everybody back to work !
Now I must enter the discussion (I'm sure that will make some people very happy... NOT!)...
Everyone outside of T13 and probably a few people inside T13 realize that T13 has lost all concepts of "data integrity" and "data protection". Having data integrity and data protection in a product does not only mean implementing what is in the standards (because the standards are correct therefore there can not be a problem? ha ha) but it means taking steps to protect all data (because you don't know which data is valuable and which is not).
How has T13 achieved this state? Probably because for the most part the members of T13 live in the x86 PC world, a world where data integrity and data protection do not exist. For most of the x86 PC world, there are processors with no error detection or reporting, there are memory and I/O buses with little or no error detection or reporting, there are some I/O devices with little or no error detection or reporting. Then we have the major OS that also has virtually no error detection or error reporting - doesn't even have tools that can be used to find a failing component.
Can you see why data integrity and data protection can suffer?
There are other problems with T13 that contribute to this and several other problems.
But to the current problem of the Security feature... This feature was always a joke with serious data integrity problems. I really don't want to buy disk drives with this feature but most of the time I have no choice. Talk about the "nuclear option"? This is it. Forget a password, or let a virus set an unknown password, and your disk drive is toast and so is your data. I don't know anyone that has ever enabled this feature on their computer. The average computer user doesn't even know there is a BIOS or that there is such a feature in the BIOS. Even my newest major brand notebook has virtually no documentation on how to enter the BIOS setup and also offers no clues at power on either. Why do system vendors continue to require disk drives with this feature if they don't want to tell you what it is and how to use it?
[But the Security feature is just one way a virus can make a disk drive unusable. Another way is to corrupt the drive's firmware. Yes, many drives still ship with the DOWNLOAD MICROCODE command enabled, or ship with other vendor specific commands enabled that allow a virus to replace the drive's firmware or the firmware's data tables. And there are hackers that have disassembled the firmware of many disk drive models, they have decoded the vendor specific commands and they know how to issue those commands to corrupt a drive's firmware. Why do some disk drive vendors still ship drives with these commands enabled? The answer goes back to the general problem of T13 not understanding "data integrity" and "data protection".]
I receive many emails every year from people trying to unlock Security feature "locked drives". Many I assume are from people that may be trying to unlock a drive in a stolen system. But many are also from legitimate people. An example is the IT department of a major corporation that had several hundred relatively new notebook computers they wanted to donate to a local school system but most of these notebooks had inoperable disk drives because no one knew the Security passwords for the drives... passwords that had been put on the drives by the same IT department... OK... that is poor record keeping... or is it?
Saying that any problem with the Security feature is a system vendor or BIOS problem is short-sighted. It is too easy to assign a random password (that is unknown to the human user of the computer) to a disk drive with no password and on a system without the BIOS protection of the Security Freeze Lock command. I don't know what to do about this but something needs to be done... of course I would just remove the stupid Security feature (yea, the nuclear option).
Responding specifically to JH's message (partially quoted above): asking someone outside the disk drive industry to send a proposal to T13 for the Security feature problem(s) is unacceptable. Any solution to this problem, other than deleting the entire stupid feature, requires detailed knowledge of how disk drive hardware and firmware are implemented by numerous vendors. The Security feature problem(s) are most definitely a problem that only the disk drive vendors can address - and they should get the input of some real security experts when they do this. Saying that our drives implement the Security feature as required by the standard is not a very good response and it clearly shows the lack of understanding and lack of desire to address "data integrity" and/or "data protection" issues that exist in T13.
Ten years ago when this feature was first proposed I talked to a virus expert and his comment was something like: this is the stupidest thing the disk drive vendors could put into their drives. But T13 never asked for input from any virus or security experts before adding the Security feature to the standard. Something is broken in the way T13 operates... Just look at all the other "security" features that are in I/O devices (various DRM for example) and how easy they are to break, misuse or bypass... and T13 is very happy to go down the same path and produce features that look good in marketing documents but do little to enhance "data integrity" or "data protection" or in some cases actually defeat "data integrity" and "data protection" in a system.
[My next message? Why it would talk about the lack of data integrity in the SATA interface. SATA must be costing the system vendors that are shipping it a huge amount of money in tech support costs. And this is another example of T13's failure (and/or the SATA secret society's failure) to address very serious problems with the SATA physical interface that result in data corruption, drives that "disappear", etc. I think it is time for T13 to stand up and address these issues or admit they can not and disband - producing more versions of ATA without addressing these problems is unacceptable.]
Hale
--
++ Hale Landis ++ www.ata-atapi.com ++
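
Added example, not part of the original message: a read-only audit that decodes the security status word (word 128) and the DOWNLOAD MICROCODE bits (words 83 and 86) of a 512-byte ATA IDENTIFY DEVICE response, flagging the state the message describes, where the Security feature is supported, no password is set and the drive is not frozen. The function names and the sample blocks are constructed for illustration.

```python
import struct

# Bit masks for IDENTIFY DEVICE word 128 (security status).
SEC_SUPPORTED, SEC_ENABLED, SEC_LOCKED, SEC_FROZEN = 0x01, 0x02, 0x04, 0x08
# Bit 0 of word 83 (supported) and word 86 (enabled): DOWNLOAD MICROCODE.
DOWNLOAD_MICROCODE = 0x01


def identify_words(block: bytes) -> tuple:
    """Split a 512-byte IDENTIFY DEVICE block into 256 little-endian words."""
    if len(block) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    return struct.unpack("<256H", block)


def audit(block: bytes) -> dict:
    """Report the security state of one drive from its IDENTIFY data."""
    w = identify_words(block)
    sec = w[128]
    state = {
        "security_supported": bool(sec & SEC_SUPPORTED),
        "password_set": bool(sec & SEC_ENABLED),
        "locked": bool(sec & SEC_LOCKED),
        "frozen": bool(sec & SEC_FROZEN),
        "download_microcode_enabled": bool(
            w[83] & DOWNLOAD_MICROCODE and w[86] & DOWNLOAD_MICROCODE
        ),
    }
    # The exposed case: the feature exists, nobody set a password, and no
    # SECURITY FREEZE LOCK was issued, so any software with raw ATA access
    # could still set a password the user does not know.
    state["password_can_be_set_by_software"] = (
        state["security_supported"]
        and not state["password_set"]
        and not state["frozen"]
    )
    return state


def sample_block(word128: int, word83: int = 0, word86: int = 0) -> bytes:
    """Build a constructed IDENTIFY block with only the audited words set."""
    words = [0] * 256
    words[83], words[86], words[128] = word83, word86, word128
    return struct.pack("<256H", *words)


if __name__ == "__main__":
    for label, blk in [("unfrozen, no password", sample_block(0x0001, 1, 1)),
                       ("frozen by BIOS", sample_block(0x0009))]:
        print(label, audit(blk))
```
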
