Is the U3 Smart Drive Encryption Any Good?
Carlos asks: "I was searching for encryption software for USB pen drives, and came across the U3 Smart Drive platform, which offers portability and privacy through software and hardware. There are already several well-known hardware manufacturers offering U3 Smart Drives. Are they really better than a plain USB drive plus encryption software such as TrueCrypt, or is it just marketing hype?"
PC Magazine Review (Score:5, Informative)
u3 just doesn't work (Score:5, Informative)
Re:u3 just doesn't work (Score:5, Informative)
I totally agree, in many Corporate environments these are going to be functionally useless. A recent helpdesk case I worked on involved one of these U3 drives. Because U3 basically creates a partition that tells Windows that it is a read only CDROM format, CD burning software would not function at all and Windows (Win2000 in this instance with limited user rights applied) totally locked up until the U3 drive was removed.
Management gave me a 1GB version to use on the job. I was annoyed with the auto-launch feature it provided and promptly searched for and downloaded the U3 removal utility. I gained the space that U3 occupied on the drive and can use it on any computer in our environment w/o problems.
Re: (Score:1)
It would work on some other PCs, but I basically wanted it for storage, so ended up removing the U3 stuff rather than going through an extended debug process to get it working on my PC. Works fine now as a straight storage drive without the U3.
great timing! (Score:1)
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
I promptly ran the uninstaller and never looked back.
Re: (Score:1)
U3 sucks infinitely (Score:1)
Re: (Score:3, Informative)
Re: (Score:2, Informative)
Re: (Score:2)
Re: (Score:3, Interesting)
While personally I feel this is the way to go (I would use dd_rescue, but that does not matter), it seems the level of insight needed to understand and do this simple and clear operation is not available to the general public.
It seems people do not want to do things that can be understood easily. They want to do things that look easy, i.e. click some button or run a program that does a single, highly specialised operation and takes no parameters.
"dd" vs. the button (Score:3, Insightful)
Easy with the generalizations. For what it's worth, "dd if=/dev/zero of=/dev/dsX" takes up some amount of mental storage, be it rote memory or full-out understanding. That little piece of knowledge itself is a fairly highly specialized operation. OTOH, a well designed UI with a button
Re: (Score:2)
Well, yes. B
Re: (Score:2)
It may well happen that a basic understanding of a computer's permanent vs. volatile storage choices goes down in history alongside reading, writing, and math. I could get on board with that. And, believe me, I truly appreciate 'dd' being present for the power-geeks to get to. The big limitation that a lot of people have is not a lack of access to information (as was more the case in the middle ages where the skills of reading and writing w
Re: (Score:1, Informative)
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
U3 Pro's and cons (Score:5, Informative)
Pro - Portable Apps, including firefox and thunderbird so your cookies aren't left behind when you do online banking at a public computer.
Con - Only works on WinXP
Pro - password protect your data so that confidential information is not easily accessible.
Con - a script could continue to try passwords from a list in an attempt to login.
Basically, the password protection stops the U3 drive from showing the volume. But multiple attempts to login do not result in time delays, or lockouts. Basically a script could keep the autorun going and sending different words or key presses until it gains access. Brute force kind of behaviour.
But the drive will say "insert a disk into drive X:" if the password is not entered.
So, not bad, never tried hacking it, but it could potentially be brute forced.
Re:U3 Pro's and cons (Score:4, Informative)
But there's certainly nothing stopping you from using Portable Firefox or Portable Thunderbird or Portable OpenOffice on a regular flash drive, and "U3 Technology" only works with certain U3-aware applications so it's not like you can encapsulate any program and make it U3-aware. I figured right away this was a completely useless feature and blew it away using the uninstaller [u3.com]. Unfortunately you seem to need a Windows box to run the uninstaller so I had to go hunt one down to remove this garbage since I use Macs 99% of the time.
Re: (Score:2)
Remember, if it's a standard USB drive, then as I understand it, any software mechanism to force things like time delays would be easily circumvented by simply not using that software. But then, I hear things like "doesn't work on Mac/Linux", so that makes me think it's not quite standard, so maybe they could force something like this in hardware?
Re:U3 Pro's and cons (Score:4, Informative)
Wrong. 500 characters wouldn't secure a piece of crap like that. It is software only encryption, written by people who almost certainly don't understand the concept, and sold to people who don't understand that putting a flash drive in some random PC at an Internet cafe is unsafe.
Don't you people understand what that means? Odds are the password gets XORed with something lame and stored on the flash drive. Only a matter of time before somebody gets around to disassembling the crapware Win32 executable and writing a point and shoot password extraction program. Yes they COULD have done the crypto right but we know they didn't... or should know by now. After all they need a back way in themselves so they can unlock drives when somebody forgets their password and whines long enough on the support lines or when some LEO is looking for kiddie porn.
Re: (Score:2)
U3 'encryption' is a joke (Score:5, Informative)
I didn't bother testing the drive on my mac before I just blew the U3 partition away.
Re: (Score:3, Informative)
That concerns me; encryption is far easier to get wrong than right. On the TrueCrypt forums they are pretty good at telling you how bad their dog food is, and how to lessen these risks. I'll stick w
Re: (Score:2)
Well, that does not make it a joke, but a lie. I believe this should a) get them fined b) make them liable if somebody trusts the thing and gets burned.
I don't think that bad crypto should make them liable, but claiming crypto and then having none should.
Maybe bad products like these are the source of the common
Re:U3 'encryption' is a joke (Score:4, Informative)
You know there is always a better or faster or cheaper way. With this program it is the same as with a car. There is no 100% protection, but it help's a lot to lock it.
</sarcasm>
Actually, the WebSafe [websafe-acs.com] "Website Encryption" is much better for keeping away "prying ices" than U3. At least WebSafe actually does some kind of encryption, even if the decryption algorithm and the keys are right there in the source code for everyone to see. U3, on the other hand, at least appears to claim encryption where there is none. I'll direct you to their website [u3.com], where they claim:
Oh, I get it. They "support the creation" of encryption, when actually, if you look at their smart drive page [u3.com], the word "encryption" is nowhere to be found. Instead, it's all about "Password Management" -- so they keep themselves clean, but it's obviously confusing enough to fool customers, especially when others [verbatim.com.au] claim "Secure data encryption" on what they call a "U3 Smart Drive", although I can't figure out whether Verbatim is wrong/lying or whether they've simply taken the existing U3 software and actually added encryption.
Or maybe there's some other loophole. But even if I wasn't planning on using the encryption, I wouldn't do business with these jokers. (U3, not necessarily Verbatim.) It's clearly designed to fool people into thinking they're getting something they're not, which really makes them no better than the WebSafe moron -- and perhaps significantly worse, as the WebSafe guy may actually still believe his product is worth something.
Read this thread from last night. (Score:1)
Funny how the timing works out. One of the U3 techs stopped in here, and responded to comments and questions. Interesting answers.. (And yes, I made a fool of myself at the beginning.)
TrueCrypt is not for USB sticks (Score:5, Informative)
It is not the USB protocol which is a problem, but rather the fact that a USB stick stores the data in flash using a wear leveling algorithm. That means that even though from TrueCrypt's point of view it is writing to the same sector number, it is physically writing to different flash cells. This again means that for some time both the old and the new version may physically exist in the storage. This means anybody who is able to read the physical flash cells without going through the wear leveling code will have access to the necessary data to exploit this weakness.
I don't know anything about U3, so I cannot tell you for sure if it is better or worse than TrueCrypt. But with the number of weaknesses which have been seen in storage encryptions, I'd expect anything new to have a few of its own. In spite of the minor weakness in TrueCrypt, I'd still prefer that over something with weaknesses I don't know about.
My advice for encryption on USB sticks is to not rely on transparent encryption and rather use something like GPG. Of course combining TrueCrypt and GPG is not going to harm security. GPG encrypted files on a TrueCrypt encrypted storage should be pretty safe.
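Added example (not part of any comment in this thread): a toy model of the wear-leveling behaviour described in the comment above, showing that rewriting a logical sector leaves the old version on raw flash, and that a single-pass wipe of every logical sector still leaves stale pages behind. The `ToyFTL` class, its least-worn-page policy, the sizes and the sector contents are all constructed for illustration and do not model any particular controller.

```python
# Added illustration: a toy flash translation layer (FTL), not a real controller.
# Sizes, the least-worn-page policy and sector contents are constructed.

class ToyFTL:
    def __init__(self, logical_sectors, spare_pages):
        n = logical_sectors + spare_pages        # physical > logical (over-provisioning)
        self.pages = [None] * n                  # raw flash contents
        self.wear = [0] * n                      # program count per physical page
        self.mapping = {}                        # logical sector -> physical page

    def write(self, sector, data):
        live = set(self.mapping.values())
        free = [p for p in range(len(self.pages)) if p not in live]
        page = min(free, key=lambda p: (self.wear[p], p))  # wear leveling
        self.pages[page] = data                  # erase + program the chosen page
        self.wear[page] += 1
        self.mapping[sector] = page              # the old page is unmapped, not erased

    def read(self, sector):
        return self.pages[self.mapping[sector]]

    def raw_dump(self):
        """What someone reading the flash chips directly would see."""
        return [p for p in self.pages if p is not None]


def demo():
    ftl = ToyFTL(logical_sectors=4, spare_pages=2)
    for s in range(4):
        ftl.write(s, b"sector%d-v1" % s)
    ftl.write(0, b"sector0-v2")                  # host overwrites "the same" sector
    after_update = ftl.raw_dump()

    zero = b"\x00" * 10
    for s in range(4):                           # single-pass wipe of every logical sector
        ftl.write(s, zero)
    logical = [ftl.read(s) for s in range(4)]
    leftovers = sorted(p for p in ftl.raw_dump() if p != zero)
    return after_update, logical, leftovers


if __name__ == "__main__":
    after_update, logical, leftovers = demo()
    print("raw flash after rewriting sector 0:", after_update)
    print("host view after wipe:", logical)
    print("still on raw flash after wipe:", leftovers)
```

In this model the host reads back only zeros after the wipe, while two non-zero pages remain on the raw flash because the spare capacity is never addressable from the logical layer.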
Re: (Score:2)
You can add one more step to improve security on USB drives in your scenario, but it comes out of the USB drive's life expectancy.
Get a program like Eraser [heidi.ie] (free, but for MS operating systems). Choose erase free space after installing. This will fill the remaining space on the drive with files, then overwrite them to the security level you choose. I would recommend only doing a single pass pseudorandom free space wipe, but do it every time before you remove the drive from the computer.
Is there any spec
Re: (Score:3, Informative)
I agree this will add a little bit of security. But as this happens on a higher layer than the wear leveling, there is no guarantee that it will actually overwrite the physical locations you are interested in overwriting. Of course if you do multiple passes, I'd expect the wear leveling to spread them evenly over all locations including the ones you need
Re: (Score:2)
If it fills
Re: (Score:2)
The point is, that the size of the media depends on what level you are looking at. The wear leveling requires some extra physical space (I don't know how much), so the logical size which the USB unit reports to the system is smaller than the physical flash size. This means if you overwrite all sectors on the logical layer seen by the computer, you have not overwritten all of the phy
Re: (Score:2)
Re: (Score:2)
Good point. I assume this is actually a problem of tweakable block ciphers? Since ordinary ciphers need to be secure when you get different data encrypted with the same key. Otherwise the simple attack on any sector-based encryption would be to read the raw data at different times....
Re: (Score:3, Informative)
Not really. If you just used an ordinary cipher instead of a tweakable cipher, the problem would be much worse. However using an ordinary cipher in CBC mode does not have this problem. CBC is a probabilistic encryption, which means same data encrypted more than once will produce different data. But this also means data grows, which is inconvenient for a transparent storage encryption.
Tweakable block ciphers are an elegant solution for this pro
Re: (Score:2)
Ok, now I see what you mean. For example CBC with fixed IV leaks more, possibly even a file fingerprint. In comparison EME or ABL mode only leak whether a sector is the same as before. There was quite an interesting discussion about this on the dm-crypt mailing list. (Interesting t
Re: (Score:2)
Indeed, it is easy to construct a file which is easily recognized after being encrypted with such a scheme. In fact I constructed one a long time ago, it is here [brics.dk]. (OK this file only applies to some of the weakest IVs, but you get the point). However LRW also allows fingerprinting, but only if you can get two versions of the encrypted sectors, one version with the file, and another version with zeros.
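Added example (not part of any comment in this thread): the trade-off discussed in the comments above, comparing two snapshots of one sector under CBC with the sector number as IV against CBC with a fresh random IV. `toy_encrypt_block` is a stand-in for a real block cipher such as AES, built from HMAC-SHA256 so the example runs with the standard library only; the key, sector number and sector contents are constructed.

```python
# Added illustration. toy_encrypt_block is a stand-in for a real block cipher
# such as AES (4-round Feistel over HMAC-SHA256); key and data are constructed.
import hashlib, hmac, os

BLOCK = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt_block(key, block):
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, _xor(left, f)
    return left + right

def cbc_encrypt(key, iv, plaintext):
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_encrypt_block(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def sector_iv_encrypt(key, sector_no, plaintext):
    # IV = sector number: deterministic, ciphertext is the same size as the sector
    return cbc_encrypt(key, sector_no.to_bytes(BLOCK, "little"), plaintext)

def random_iv_encrypt(key, plaintext):
    # fresh random IV stored with the data: probabilistic, but one block larger
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, plaintext)

def shared_prefix_blocks(c1, c2):
    # leading ciphertext blocks that two snapshots of a sector have in common
    n = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        n += 1
    return n

def demo():
    key = b"constructed demo key"
    old = b"A" * 32 + b"balance=0000100 " + b"B" * 16
    new = b"A" * 32 + b"balance=0999100 " + b"B" * 16   # only block 2 differs
    det = shared_prefix_blocks(sector_iv_encrypt(key, 7, old),
                               sector_iv_encrypt(key, 7, new))
    r_old, r_new = random_iv_encrypt(key, old), random_iv_encrypt(key, new)
    return det, shared_prefix_blocks(r_old, r_new), len(r_old) - len(old)

if __name__ == "__main__":
    print(demo())
```

With the sector-number IV, anyone holding both snapshots learns which block changed first without the key; the random IV hides that but costs one extra block per sector, which is the size growth the comment calls inconvenient for transparent storage encryption.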
Re: (Score:2)
Might be acceptable for most users, but as I pointed out earlier, the algorithms I know for this have a significant CPU overhead. If you know a solution for this without the performance penalty, I'd very much like to hear about it.
I don't think there is one. But here is something else: Harddisk speed is increasing significantly slower than CPU speed (or harddisk size). Using double encryption (CBC twice,
Re: (Score:3, Informative)
Mod up (Score:2)
no text
no text dam it!
Re: (Score:3, Informative)
I compared the encryption used by TrueCrypt to CBC, that is very different from saying TrueCrypt uses CBC. In fact what TrueCrypt used to use is the not quite CBC mode you get by replacing the random IV with the sector number. The new mode did eliminate the very easy fingerprinting, but introduced a different kind of fingerprinting possible as long as you could get multiple v
Why not use TrueCrypt? (Score:2)
I use it every day, and it just works. Can't recommend it highly enough
n-Tegrity (Score:1)
U3 from the trenches (Score:1, Interesting)
While I don't know of any U3-specific security problems, the com
Is Encryption Any Good? (Score:2)
I wouldn't use any "secure" flash drive ever again (Score:3, Informative)
Now, they're not terribly expensive... but they're no more secure than an encrypted file system in a regular file on the drive. You're paying more money for no better security than you can set up yourself, and dealing with the hidden costs of lost data... both directly, and because the guy in the field can't initialise a trashed file system himself so he doesn't have a device handy to get a copy of the customer's data when he needs it.
The whole technology seems to be implemented in the wrong place to me.
Don't use U3 (Score:1)
Asking for trouble (Score:1)
Nothing magical about U3 (Score:1)
Re: (Score:1)