[dm-crypt] Verbatim's crypto NAS - News Article

Sven Eschenberg sven at whgl.uni-frankfurt.de
Tue Sep 13 04:53:04 CEST 2011


Just another brick in the wall of tech vendors not being able to design
any single working product.

Honestly, hardly any product I purchased in the last years ever lived up
to its specifications. While in most cases the ASICs or SoCs were
adequate, esp. SEA-Vendors tend to completely screw up firmwares/firmware
design, no matter if it's MP3-Players, DVD-Players, Cell Phones and what
not.

So, this comes as no surprise at all (imho); but if we agree on this being
a 'backdoor' for recovery, what can be expected as quality of the entropy
used for this backdoor? And then take a look at the article - as little as
50,000 something iterations for PBKDF2. I would never accept such a low
value on a productive system.

-Sven

On Tue, September 13, 2011 02:12, Arno Wagner wrote:
> On Tue, Sep 13, 2011 at 01:57:26AM +0200, Milan Broz wrote:
>> On 09/13/2011 01:15 AM, Jorge F?bregas wrote:
>> > I'd like to share this article that came up about a month ago
>> > regarding Verbatim's NAS that uses LUKS:
>> >
>> > "Backdoor suspected in Verbatim's crypto NAS"
>> >
>> > http://www.h-online.com/security/news/item/Backdoor-suspected-in-Verbatim-s-crypto-NAS-1315921.html
>>
>> *shrug*
>>
>> Not the first time, similar (even worse) issue, different vendor,
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3200
>>
>> Milan
>
> As I am a reader of c't, I have been on the lookout for a
> followup. I am not aware of any.
>
> I agree with Milan that this is not shocking or unexpected,
> commercial vendors often get security wrong or make unacceptable
> trade-offs in the name of simplifying customer support or product
> design.
>
> The CVE is a very good example.
>
> The bottom-line is that for secure storage the implementor
> has to know really what they are doing and must be honest.
> This typically means you have to find out and do it yourself.
> Even if you have the money and can buy consulting, you still
> need to find people that have these qualities. Unfortunately
> that is not easy.
>
> Arno
> --
> Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email:
> arno at wagner.name
> GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
> ----
> Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
>
> If it's in the news, don't worry about it.  The very definition of
> "news" is "something that hardly ever happens." -- Bruce Schneier
> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
>
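As an added illustration (not part of the thread), a small Python benchmark in the spirit of cryptsetup's approach of calibrating the LUKS PBKDF2 iteration count to a target unlock time, used to put the article's 50,000-iteration figure in context; the 1-second target, the SHA-1 PRF (LUKS1's default at the time) and the cost model are assumptions, and the passphrase and salt are constructed.

```python
import hashlib
import os
import time

# Constructed sample inputs; no real key material.
PASSPHRASE = b"correct horse battery staple"
SALT = os.urandom(32)
ARTICLE_ITERATIONS = 50_000  # figure quoted in the thread for the Verbatim NAS


def pbkdf2_iters_per_second(prf: str = "sha1", probe_iters: int = 20_000) -> float:
    """Measure PBKDF2-HMAC iterations per second on this CPU.

    Assumption: mirrors the idea behind cryptsetup's benchmark-based
    calibration; the exact cryptsetup method is not described on the page.
    """
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(prf, PASSPHRASE, SALT, probe_iters, dklen=32)
    return probe_iters / (time.perf_counter() - start)


def iterations_for_target(iters_per_second: float, target_ms: int = 1000,
                          floor: int = 1000) -> int:
    """Iteration count making one unlock take about target_ms on this host.

    Never drops below `floor`, so a slow or noisy benchmark cannot yield
    a weaker count than the floor.
    """
    return max(floor, int(iters_per_second * target_ms / 1000))


def unlock_time_ms(iterations: int, iters_per_second: float) -> float:
    """Time one legitimate unlock (or one guess on equal hardware) takes."""
    return iterations / iters_per_second * 1000


def guesses_per_day(iterations: int, iters_per_second: float) -> float:
    """Passphrase guesses per day one core at this rate can test.

    Lower is better for the defender; it falls linearly as iterations rise.
    """
    return 86_400 * iters_per_second / iterations


if __name__ == "__main__":
    rate = pbkdf2_iters_per_second()
    calibrated = iterations_for_target(rate)
    print(f"this host: {rate:,.0f} PBKDF2-HMAC-SHA1 iterations/s")
    print(f"calibrated for a 1 s unlock: {calibrated:,} iterations")
    for iters in (ARTICLE_ITERATIONS, calibrated):
        print(f"{iters:>10,} iters -> unlock {unlock_time_ms(iters, rate):7.1f} ms, "
              f"{guesses_per_day(iters, rate):,.0f} guesses/day/core")
```

On any reasonably modern CPU the calibrated count lands well above 50,000, which is the gap the thread is complaining about.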