Re: Another Snake Oil Candidate

2007-09-13 Thread Ian G

Hagai Bar-El wrote:

> Hi,
>
> On 12/09/07 08:56, Aram Perez wrote:
>
> > The IronKey appears to provide decent security while it is NOT plugged
> > into a PC. But as soon as you plug it in and you have to enter a
> > password to unlock it, the security level quickly drops. This would be
> > the case even if they supported Mac OS or *nix.
> >
> > As I stated in my response to Jerry Leichter, in my opinion, their
> > marketing department is selling snake oil.
>
> I think there is a difference between a product that is susceptible to
> an attack and the pure distilled 100% natural snake oil, as we usually
> define it.



So, is snake oil:

   * a crap product?
   * a fine product with weaknesses?
   * a marketing campaign that goes OTT?
   * a term used to slander the opposing security model?
   * an adjective that applies to any of the above?

iang

OTT == over-the-top, excessive and dangerous.  Derives from 
WW1 trench warfare.


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


RE: Another Snake Oil Candidate

2007-09-13 Thread Dave Korn
On 13 September 2007 04:18, Aram Perez wrote:

> to circumvent keylogging spyware - More on this later...
>
> The first time you plug it in, you initialize it with a password -
> Oh, wait until I disable my keylogging spyware.
> You enter that password to unlock your secure files - Did I
> disable my keylogging spyware?
>
> Protected by a password that is entered on whatever PC you plug the
> IronKey into and that is somehow auto-magically protected against all
> keylogging spyware that may exist on that PC.
>
> Decrypting your files is then as easy as dragging and dropping them
> onto the desktop and by any malware that detects that the IronKey is
> present and has been unlocked and copies the files to a hidden folder.

  So by your exacting standards, PGP, gpg, openssh, in fact basically
_everything_ is snake oil.  Endpoint security is a real issue, but it's not
within the remit of this product to address.  I feel your complaint is
overblown.  Marketspeak alone doesn't make a product snakeoil, its security
has to actually be bogus too.


> Encryption Keys
>
> The encryption keys used to protect your data are generated
> in hardware by a FIPS 140-2 compliant True Random Number
>
> As opposed to a FIPS 140-2 compliant False Random Number Generator.

  No, as opposed to a *Pseudo* Random Number Generator.  This is a really
silly thing to attempt to complain about; they're correctly using technical
terminology that you should be perfectly familiar with.


cheers,
  DaveK
-- 
Can't think of a witty .sigline today



Demonstration of Shor’s quantum factoring algorithm using photonic qubits

2007-09-13 Thread Dustin D. Trammell
NewScientist's write-up (subscription required for full article):

http://technology.newscientist.com/article.ns?id=mg19526216.700

You can find the full paper here:

http://arxiv.org/pdf/0705.1684

-- 
Dustin D. Trammell
Product Security Analyst
TippingPoint, a division of 3Com




Experimental demonstration of Shor’s algorithm with quantum entanglement

2007-09-13 Thread Dustin D. Trammell
Also from the NewScientist article that I just posted, another paper
from completely different researchers arriving at the same result:

http://arxiv.org/pdf/0705.1398

-- 
Dustin D. Trammell
Product Security Analyst
TippingPoint, a division of 3Com




Re: Another Snake Oil Candidate

2007-09-13 Thread Jeffrey Altman
Damien Miller wrote:

> It protects against the common threat model of lost/stolen USB keys. Why is
> this snake oil? Your criticism seems akin to calling a physical lock insecure
> because it doesn't protect you from burglars once you have unlocked it.

Many many years ago an office that a startup I was working for was
burglarized by picking the lock on the office door.  They took a number
of computers.  The police recommended that we replace the locks with XYZ
super lock that could not be picked and we did so at significant expense
prior to replacing all of the computers.

Three or four weeks later the office was burglarized again.  They could
not pick the lock so they took a sledgehammer to the wall next to the
door, reached in, unlocked the door from the inside and proceeded to go
about their business.

This wasn't a failure of the lock.  The lock did its job.

---

The product you are describing is not snake oil.  You have a valid gripe
that the product is not marketed along with a description of the attack
vectors it protects against and those that it does not.

Jeffrey Altman





RE: Another Snake Oil Candidate

2007-09-13 Thread Charles Jackson
I looked at the Ironkey website and, although there is obviously a little
marketing-speak, my snake-oil and BS detectors do not go off.  Some of the
criticisms by Aram Perez appear to be somewhat unjustified.


Perez states:

Protected by a password that is entered on whatever PC you plug the  
IronKey into and that is somehow auto-magically protected against all  
keylogging spyware that may exist on that PC.

Relevant Ironkey assertion in their FAQs:
A word of caution: if your computer is infected with a keystroke logger
before you purchase your IronKey, and if you initially enter your passwords
into your IronKey on the computer that is already infected with a keystroke
logger, then your passwords of course will be tracked by that keystroke
logger. For this reason, we recommend that you setup your IronKey and
initially enter your passwords into the Password Manager from a computer
that you control and that has anti-spyware and anti-virus software
installed. We recommend that you update your anti-spyware and anti-virus
definitions and run a sweep of your PC before setting up your IronKey.


Perez  also states: 
They imply that you can use an IronKey with any PC and be completely safe.

Relevant Ironkey assertion in their FAQs:
If I get an IronKey, will I be 100% protected from malware?

No. The IronKey does not replace the need for good security practices, such as
regular anti-virus and anti-spyware scans, not sharing passwords, and
avoiding websites that you do not trust. The IronKey does equip you to
further protect your data, identity, and privacy - an increasingly necessary
tool for today's security-minded consumer.

Additionally, new threats are constantly surfacing, so even today's best
solutions cannot guarantee future-proof protection. But since you have the
ability to securely update your IronKey, you can make sure you have the
latest and most secure software and firmware for maximum protection today
and tomorrow.


Chuck Jackson 




Re: flavors of reptile lubricant, was Another Snake Oil Candidate

2007-09-13 Thread Ali, Saqib
On 13 Sep 2007 13:45:42 -, John Levine [EMAIL PROTECTED] wrote:
> I always understood snake oil crypto to refer to products that were of
> no value to anyone, e.g., products that claim to have secret
> unbreakable encryption, million bit keys, or one time pads produced
> by PRNGs.

hear hear!

I think in the zeal for criticism of the IronDrive, folks have
expanded the definition of Snake Oil to include All security
products.

I don't like the Military Grade AES Encryption phrase that IronDrive
uses on their website, cause that implies they know what Military is
using. Maybe somebody should notify DoD that these IronDrive folks
know what Military uses to encrypt info ;-)

But other than that I don't see any Snake Oil Crypto like
techno-babble used by IronDrive Marketing.

saqib
http://security-basics.blogspot.com/



Re: Another Snake Oil Candidate

2007-09-13 Thread Hagai Bar-El
Hi,

On 13/09/07 15:14, Ian G wrote:
> Hagai Bar-El wrote:
> > Hi,
> >
> > On 12/09/07 08:56, Aram Perez wrote:
> > > The IronKey appears to provide decent security while it is NOT plugged
> > > into a PC. But as soon as you plug it in and you have to enter a
> > > password to unlock it, the security level quickly drops. This would be
> > > the case even if they supported Mac OS or *nix.
> > >
> > > As I stated in my response to Jerry Leichter, in my opinion, their
> > > marketing department is selling snake oil.
> >
> > I think there is a difference between a product that is susceptible to
> > an attack and the pure distilled 100% natural snake oil, as we usually
> > define it.
>
> So, is snake oil:
>
>    * a crap product?
>    * a fine product with weaknesses?
>    * a marketing campaign that goes OTT?
>    * a term used to slander the opposing security model?
>    * an adjective that applies to any of the above?


Just like any term, it can have many interpretations.
However, the most useful definition is the one that you can find at
http://en.wikipedia.org/wiki/Snake_oil_(cryptography) and which quite
accurately reflects what the people who first brought this term into use
used it for.

Hagai.

-- 
Hagai Bar-El - Information Security Analyst
T/F: 972-8-9354152 Web: www.hbarel.com



Re: flavors of reptile lubricant, was Another Snake Oil Candidate

2007-09-13 Thread Aram Perez

Hi Folks,

My last comment on this. I've stated my own personal opinion and  
anyone is free to disagree.


On Sep 13, 2007, at 9:33 AM, Ali, Saqib wrote:

> On 13 Sep 2007 13:45:42 -, John Levine [EMAIL PROTECTED] wrote:
> > I always understood snake oil crypto to refer to products that were of
> > no value to anyone, e.g., products that claim to have secret
> > unbreakable encryption, million bit keys, or one time pads produced
> > by PRNGs.
>
> hear hear!
>
> I think in the zeal for criticism of the IronDrive, folks have
> expanded the definition of Snake Oil to include All security
> products.
>
> I don't like the Military Grade AES Encryption phrase that IronDrive
> uses on their website, cause that implies they know what Military is
> using. Maybe somebody should notify DoD that these IronDrive folks
> know what Military uses to encrypt info ;-)
>
> But other than that I don't see any Snake Oil Crypto like
> techno-babble used by IronDrive Marketing.


I don't know if a product has to meet m of n criteria as stated in  
http://www.interhack.net/people/cmcurtin/snake-oil-faq.html, but,  
IMO, IronKey meets the following criteria: Technobabble, Experienced  
Security Experts, Military Grade and to a certain extent
Unbreakability (normally applied to software, but IronKey claims the  
epoxy prevents criminals from getting to the internal hardware  
components).


Respectfully,
Aram Perez



Re: flavors of reptile lubricant, was Another Snake Oil Candidate

2007-09-13 Thread wangude
The below USB drive manufacturer claims FIPS 140-2
certification.  Encryption is now required for USB
thumb drives used on DoD computer.   This one is
being used by the Military.

http://www.kanguru.com/kanguruusbflash.html

Thomas

On 9/13/07, Ali, Saqib [EMAIL PROTECTED] wrote:
> On 13 Sep 2007 13:45:42 -, John Levine [EMAIL PROTECTED] wrote:
> > I always understood snake oil crypto to refer to products that were of
> > no value to anyone, e.g., products that claim to have secret
> > unbreakable encryption, million bit keys, or one time pads produced
> > by PRNGs.
>
> hear hear!
>
> I think in the zeal for criticism of the IronDrive, folks have
> expanded the definition of Snake Oil to include All security
> products.
>
> I don't like the Military Grade AES Encryption phrase that IronDrive
> uses on their website, cause that implies they know what Military is
> using. Maybe somebody should notify DoD that these IronDrive folks
> know what Military uses to encrypt info ;-)
>
> But other than that I don't see any Snake Oil Crypto like
> techno-babble used by IronDrive Marketing.
>
> saqib
> http://security-basics.blogspot.com/
