[dm-crypt] Verbatim's crypto NAS - News Article
sven at whgl.uni-frankfurt.de
Tue Sep 13 04:53:04 CEST 2011
Just another brick in the wall of tech vendors not being able to design
any single working product.
Honestly, hardly any product I purchased in the last years ever lived up
to it's specifications. While in most cases the ASICs or SoCs were
adequate esp. SEA-Vendors tend to completely screw up firmwares/firmware
design, no matter if it's MP3-Players, DVD-Players, Cell Phones and what
So, this comes as no surprise at all (imho); but if we agree on this being
a 'backdoor' for recovery, what can be expected as quality of the entropy
used for this backdoor? And then take a look at the article - as little as
50,000 something iterations for PBKDF2. I would never accept such a low
value on a productive system.
On Tue, September 13, 2011 02:12, Arno Wagner wrote:
> On Tue, Sep 13, 2011 at 01:57:26AM +0200, Milan Broz wrote:
>> On 09/13/2011 01:15 AM, Jorge F?bregas wrote:
>> > I'd like to share this article that came up about a month ago
>> > Verbatim's NAS that uses LUKS:
>> > "Backdoor suspected in Verbatim's crypto NAS"
>> > http://www.h-online.com/security/news/item/Backdoor-suspected-in-Verbatim-s-crypto-NAS-1315921.html
>> Not the first time, similar (even worse) issue, different vendor,
> As I am a reader of c't, I have been on the lookout for a
> followup. I am not aware of any.
> I agree with Milan that this is not shocking or unexpected,
> commecial vendors often get security wrong or make unacceptable
> trade-offs in the name of simplifying customer support or product
> The CVE is a very good example.
> The bottom-line is that for secure storage the implementor
> has to know really what they are doing and must be honest.
> This typically means you have to find out and do it yourself.
> Even if you have the money and can buy consulting, you still
> need to find people that have these qualities. Unfortunately
> that is not easy.
> Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email:
> arno at wagner.name
> GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25
> Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
> If it's in the news, don't worry about it. The very definition of
> "news" is "something that hardly ever happens." -- Bruce Schneier
> dm-crypt mailing list
> dm-crypt at saout.de
More information about the dm-crypt