Sunday, August 20, 2006
When someone advertises "encryption"
I'll let you in on a bit of wisdom from the security world. When someone says their product supports "encryption", the claim is guilty until proven innocent. It takes a lot of care to use even good ciphers correctly, there are lots of bad ciphers out there, and there are a lot of people who do some trivial rearrangement of the protected data (XORing every byte with the same constant, say) and call it "encryption".
You know those small cigar-shaped USB storage devices called "flash drives", "jump drives", "pen drives" and who knows what else? I call them "nerdsticks", but that's beside the point. There's software called U3 that's supposed to make them more useful by making it easier to run programs from them, plus some other benefits. One of these benefits is encrypting your data. Their web site says "these solutions include encrypted files and folders".
I haven't checked this myself, but one person has reported looking at a password-protected U3 drive with some tools that look at the drive directly, no middlemen in between. He found all the data, all completely readable. All the password did was make it harder for Windows to show the drive on the desktop.
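Here is the kind of check that report describes, and that also catches the "trivial rearrangement" kind of encryption from the first paragraph: read the raw image with no driver in between and look at what is actually on disk. This is an added example, not code from the original post and not anything from U3; the three sample images are constructed inline (some plaintext, the same plaintext XORed with one constant byte as the fake "encryption", and seeded pseudo-random bytes standing in for real ciphertext), and the block size, entropy thresholds and minimum string length are my choices.

```python
"""Sanity-check an "encrypted" storage image by reading it raw.

Two checks a reviewer runs against a drive image made with something like
dd: Shannon entropy per block (ciphertext is close to 8 bits per byte,
text and filesystem metadata are much lower) and a scan for runs of
printable ASCII (the classic `strings` check).
"""
import math
import random
import sys
from collections import Counter

BLOCK_SIZE = 512  # assumed sector size; any fixed block size works


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant block, ~8.0 for ciphertext."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def printable_runs(buf: bytes, min_len: int = 16) -> list:
    """Return runs of at least min_len printable ASCII bytes.

    16 is chosen so that uniformly random bytes almost never produce a hit;
    a real review would lower it and read the hits by eye.
    """
    runs, cur = [], bytearray()
    for b in buf:
        if 0x20 <= b <= 0x7E:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(bytes(cur))
            cur = bytearray()
    if len(cur) >= min_len:
        runs.append(bytes(cur))
    return runs


def assess(image: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Summarise an image: per-block entropy, readable strings, and a verdict."""
    blocks = [image[i:i + block_size] for i in range(0, len(image), block_size)]
    if not blocks:
        raise ValueError("empty image")
    entropies = [shannon_entropy(b) for b in blocks]
    # All-zero blocks are counted separately: unused space on a product that
    # encrypts only files looks like this, so they prove nothing either way.
    zero_blocks = sum(1 for b in blocks if not any(b))
    low = sum(1 for b, e in zip(blocks, entropies) if any(b) and e < 6.0)
    strings = printable_runs(image)
    if strings or low:
        verdict = "readable or structured data present: not encrypted"
    elif min(entropies) >= 7.0:
        verdict = "uniformly high entropy: consistent with encryption"
    else:
        verdict = "inconclusive: inspect low-entropy blocks by hand"
    return {
        "blocks": len(blocks),
        "zero_blocks": zero_blocks,
        "min_entropy": min(entropies),
        "mean_entropy": sum(entropies) / len(entropies),
        "strings": len(strings),
        "verdict": verdict,
    }


def fake_encrypt(buf: bytes, key: int = 0xA7) -> bytes:
    """The 'trivial rearrangement' the post warns about: XOR with one byte.

    It is a permutation of byte values, so every block keeps exactly the
    entropy of the plaintext; only the strings check is fooled.
    """
    return bytes(b ^ key for b in buf)


# --- constructed sample images (not real U3 data) ---------------------------
_TEXT = (b"Quarterly report - CONFIDENTIAL\r\n"
         b"Account 4417 balance 12,930.55\r\n"
         b"Passwords are stored in notes.txt\r\n")
PLAINTEXT_IMAGE = (_TEXT * 41)[:4096]
OBFUSCATED_IMAGE = fake_encrypt(PLAINTEXT_IMAGE)
_rng = random.Random(20060820)  # seeded so the run is reproducible
RANDOM_IMAGE = bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. an image taken with: dd if=/dev/sdX of=drive.img
        with open(sys.argv[1], "rb") as fh:  # reads the whole image into memory
            print(assess(fh.read()))
    else:
        for name, img in (("plaintext", PLAINTEXT_IMAGE),
                          ("xor-obfuscated", OBFUSCATED_IMAGE),
                          ("random", RANDOM_IMAGE)):
            print(name, assess(img))
```

Run it with no arguments to see the three samples scored, or give it the path of a raw image. Note the asymmetry: a hit from the strings scan or a run of low-entropy blocks is proof that the data is not encrypted, but uniformly high entropy is not proof that it is. Compressed files and real ciphers used with a hard-coded key both look random on disk, so this is a test for rejecting an "encryption" claim, not for accepting one.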
If he's right, this could still be an honest mistake. Imagine, for example, a feature that got cut at the last minute after the marketing materials got typed up. But it does illustrate that you shouldn't expect advertising that says "encryption" to mean anything.
Crypto programs that are well regarded include TrueCrypt and the battle-hardened veteran PGP.