* [dm-crypt] Verbatim's crypto NAS - News Article
From: Jorge Fábregas @ 2011-09-12 23:15 UTC (permalink / raw)
To: dm-crypt
Hi everyone,
I'd like to share this article that came up about a month ago regarding
Verbatim's NAS that uses LUKS:
"Backdoor suspected in Verbatim's crypto NAS"
http://www.h-online.com/security/news/item/Backdoor-suspected-in-Verbatim-s-crypto-NAS-1315921.html
I'm still wondering what was Verbatim's response to this (if there has
been any). I can't find anything on Google.
Regards,
Jorge
* Re: [dm-crypt] Verbatim's crypto NAS - News Article
From: Milan Broz @ 2011-09-12 23:57 UTC (permalink / raw)
To: Jorge Fábregas; +Cc: dm-crypt
On 09/13/2011 01:15 AM, Jorge Fábregas wrote:
> I'd like to share this article that came up about a month ago regarding
> Verbatim's NAS that uses LUKS:
>
> "Backdoor suspected in Verbatim's crypto NAS"
>
> http://www.h-online.com/security/news/item/Backdoor-suspected-in-Verbatim-s-crypto-NAS-1315921.html
*shrug*
Not the first time, similar (even worse) issue, different vendor,
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3200
Milan
* Re: [dm-crypt] Verbatim's crypto NAS - News Article
From: Arno Wagner @ 2011-09-13 0:12 UTC (permalink / raw)
To: dm-crypt
On Tue, Sep 13, 2011 at 01:57:26AM +0200, Milan Broz wrote:
> On 09/13/2011 01:15 AM, Jorge Fábregas wrote:
> > I'd like to share this article that came up about a month ago regarding
> > Verbatim's NAS that uses LUKS:
> >
> > "Backdoor suspected in Verbatim's crypto NAS"
> >
> > http://www.h-online.com/security/news/item/Backdoor-suspected-in-Verbatim-s-crypto-NAS-1315921.html
>
> *shrug*
>
> Not the first time, similar (even worse) issue, different vendor,
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3200
>
> Milan
As I am a reader of c't, I have been on the lookout for a
followup. I am not aware of any.
I agree with Milan that this is not shocking or unexpected,
commercial vendors often get security wrong or make unacceptable
trade-offs in the name of simplifying customer support or product
design.
The CVE is a very good example.
The bottom-line is that for secure storage the implementor
has to know really what they are doing and must be honest.
This typically means you have to find out and do it yourself.
Even if you have the money and can buy consulting, you still
need to find people that have these qualities. Unfortunately
that is not easy.
Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
* Re: [dm-crypt] Verbatim's crypto NAS - News Article
From: Sven Eschenberg @ 2011-09-13 2:53 UTC (permalink / raw)
To: dm-crypt
Just another brick in the wall of tech vendors not being able to design
any single working product.
Honestly, hardly any product I purchased in the last years ever lived up
to its specifications. While in most cases the ASICs or SoCs were
adequate esp. SEA-Vendors tend to completely screw up firmwares/firmware
design, no matter if it's MP3-Players, DVD-Players, Cell Phones and what
not.
So, this comes as no surprise at all (imho); but if we agree on this being
a 'backdoor' for recovery, what can be expected as quality of the entropy
used for this backdoor? And then take a look at the article - as little as
50,000 something iterations for PBKDF2. I would never accept such a low
value on a productive system.
-Sven
On Tue, September 13, 2011 02:12, Arno Wagner wrote:
> On Tue, Sep 13, 2011 at 01:57:26AM +0200, Milan Broz wrote:
>> On 09/13/2011 01:15 AM, Jorge Fábregas wrote:
>> > I'd like to share this article that came up about a month ago regarding
>> > Verbatim's NAS that uses LUKS:
>> >
>> > "Backdoor suspected in Verbatim's crypto NAS"
>> >
>> > http://www.h-online.com/security/news/item/Backdoor-suspected-in-Verbatim-s-crypto-NAS-1315921.html
>>
>> *shrug*
>>
>> Not the first time, similar (even worse) issue, different vendor,
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3200
>>
>> Milan
>
> As I am a reader of c't, I have been on the lookout for a
> followup. I am not aware of any.
>
> I agree with Milan that this is not shocking or unexpected,
> commercial vendors often get security wrong or make unacceptable
> trade-offs in the name of simplifying customer support or product
> design.
>
> The CVE is a very good example.
>
> The bottom-line is that for secure storage the implementor
> has to know really what they are doing and must be honest.
> This typically means you have to find out and do it yourself.
> Even if you have the money and can buy consulting, you still
> need to find people that have these qualities. Unfortunately
> that is not easy.
>
> Arno
> --
> Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email:
> arno@wagner.name
> GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25
> 338F
> ----
> Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
>
> If it's in the news, don't worry about it. The very definition of
> "news" is "something that hardly ever happens." -- Bruce Schneier
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
>
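
An added example, not part of any message in this thread: the PBKDF2 iteration counts Sven mentions, and which key slots are enabled at all, can be read straight from a LUKS1 header. The parser follows the LUKS1 on-disk layout; `expected_slots`, the `min_iterations` threshold and the sample header are assumptions constructed for illustration.

```python
import struct

LUKS1_MAGIC = b"LUKS\xba\xbe"
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD  # LUKS1 slot state markers
# LUKS1 header, big-endian: magic, version, cipher, mode, hash, payload offset, key
# bytes, MK digest, MK salt, MK iterations, UUID (208 bytes), then 8 slots of 48 bytes.
HEADER = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")  # state, PBKDF2 iterations, salt, offset, stripes

def text(field):  # decode a NUL-padded ASCII header field
    return field.split(b"\0", 1)[0].decode("ascii", "replace")

def audit_luks1_header(raw, expected_slots, min_iterations=100_000):
    """Return (info, findings); min_iterations is an assumed local policy value."""
    if len(raw) < HEADER.size + 8 * SLOT.size:
        raise ValueError("truncated LUKS1 header")
    magic, version, cipher, mode, hash_spec, _, key_bytes, *_ = HEADER.unpack_from(raw)
    if magic != LUKS1_MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    info = {"cipher": f"{text(cipher)}-{text(mode)}", "hash": text(hash_spec),
            "key_bits": key_bytes * 8, "slots": {}}
    findings = []
    for n in range(8):
        state, iterations, *_ = SLOT.unpack_from(raw, HEADER.size + n * SLOT.size)
        if state == SLOT_DISABLED:
            continue
        if state != SLOT_ENABLED:  # neither marker: corrupted or tampered slot
            findings.append(f"slot {n}: unknown state 0x{state:08x}")
            continue
        info["slots"][n] = iterations
        if n not in expected_slots:  # a passphrase slot the owner did not create
            findings.append(f"slot {n}: enabled but not in expected_slots")
        if iterations < min_iterations:
            findings.append(f"slot {n}: only {iterations} PBKDF2 iterations")
    return info, findings

def constructed_header():
    """Constructed sample: slots 0 and 7 enabled, all field values made up."""
    slots = {0: 250_000, 7: 50_000}
    raw = HEADER.pack(LUKS1_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1",
                      4096, 32, bytes(20), bytes(32), 10_000, b"constructed-uuid")
    for n in range(8):
        state = SLOT_ENABLED if n in slots else SLOT_DISABLED
        raw += SLOT.pack(state, slots.get(n, 0), bytes(32), 8 + n * 256, 4000)
    return raw

if __name__ == "__main__":
    print(audit_luks1_header(constructed_header(), expected_slots={0}))
```

On a real volume the input is the first 592 bytes of the LUKS1 device; `cryptsetup luksDump` prints the same key-slot fields.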