* [dm-crypt] Verbatim's crypto NAS - News Article
From: Jorge Fábregas @ 2011-09-12 23:15 UTC
To: dm-crypt

Hi everyone,

I'd like to share this article that came up about a month ago regarding
Verbatim's NAS that uses LUKS:

"Backdoor suspected in Verbatim's crypto NAS"

http://www.h-online.com/security/news/item/Backdoor-suspected-in-Verbatim-s-crypto-NAS-1315921.html

I'm still wondering what was Verbatim's response to this (if there has
been any). I can't find anything on Google.

Regards,
Jorge

* Re: [dm-crypt] Verbatim's crypto NAS - News Article
From: Milan Broz @ 2011-09-12 23:57 UTC
To: Jorge Fábregas; +Cc: dm-crypt

On 09/13/2011 01:15 AM, Jorge Fábregas wrote:
> I'd like to share this article that came up about a month ago regarding
> Verbatim's NAS that uses LUKS:
>
> "Backdoor suspected in Verbatim's crypto NAS"
>
> http://www.h-online.com/security/news/item/Backdoor-suspected-in-Verbatim-s-crypto-NAS-1315921.html

*shrug*

Not the first time, similar (even worse) issue, different vendor,
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3200

Milan

* Re: [dm-crypt] Verbatim's crypto NAS - News Article
From: Arno Wagner @ 2011-09-13 0:12 UTC
To: dm-crypt

On Tue, Sep 13, 2011 at 01:57:26AM +0200, Milan Broz wrote:
> On 09/13/2011 01:15 AM, Jorge Fábregas wrote:
> > I'd like to share this article that came up about a month ago regarding
> > Verbatim's NAS that uses LUKS:
> >
> > "Backdoor suspected in Verbatim's crypto NAS"
> >
> > http://www.h-online.com/security/news/item/Backdoor-suspected-in-Verbatim-s-crypto-NAS-1315921.html
>
> *shrug*
>
> Not the first time, similar (even worse) issue, different vendor,
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3200
>
> Milan

As I am a reader of c't, I have been on the lookout for a
followup. I am not aware of any.

I agree with Milan that this is not shocking or unexpected,
commercial vendors often get security wrong or make unacceptable
trade-offs in the name of simplifying customer support or product
design.

The CVE is a very good example.

The bottom-line is that for secure storage the implementor
has to know really what they are doing and must be honest.
This typically means you have to find out and do it yourself.
Even if you have the money and can buy consulting, you still
need to find people that have these qualities. Unfortunately
that is not easy.

Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier

* Re: [dm-crypt] Verbatim's crypto NAS - News Article
From: Sven Eschenberg @ 2011-09-13 2:53 UTC
To: dm-crypt

Just another brick in the wall of tech vendors not being able to design
any single working product. Honestly, hardly any product I purchased in
the last years ever lived up to its specifications. While in most cases
the ASICs or SoCs were adequate esp. SEA-Vendors tend to completely screw
up firmwares/firmware design, no matter if it's MP3-Players, DVD-Players,
Cell Phones and what not.

So, this comes as no surprise at all (imho); but if we agree on this being
a 'backdoor' for recovery, what can be expected as quality of the entropy
used for this backdoor? And then take a look at the article - as little as
50,000 something iterations for PBKDF2. I would never accept such a low
value on a productive system.

-Sven

On Tue, September 13, 2011 02:12, Arno Wagner wrote:
> On Tue, Sep 13, 2011 at 01:57:26AM +0200, Milan Broz wrote:
>> On 09/13/2011 01:15 AM, Jorge Fábregas wrote:
>> > I'd like to share this article that came up about a month ago
>> > regarding Verbatim's NAS that uses LUKS:
>> >
>> > "Backdoor suspected in Verbatim's crypto NAS"
>> >
>> > http://www.h-online.com/security/news/item/Backdoor-suspected-in-Verbatim-s-crypto-NAS-1315921.html
>>
>> *shrug*
>>
>> Not the first time, similar (even worse) issue, different vendor,
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3200
>>
>> Milan
>
> As I am a reader of c't, I have been on the lookout for a
> followup. I am not aware of any.
>
> I agree with Milan that this is not shocking or unexpected,
> commercial vendors often get security wrong or make unacceptable
> trade-offs in the name of simplifying customer support or product
> design.
>
> The CVE is a very good example.
>
> The bottom-line is that for secure storage the implementor
> has to know really what they are doing and must be honest.
> This typically means you have to find out and do it yourself.
> Even if you have the money and can buy consulting, you still
> need to find people that have these qualities. Unfortunately
> that is not easy.
>
> Arno
> --
> Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name
> GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
> ----
> Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
>
> If it's in the news, don't worry about it. The very definition of
> "news" is "something that hardly ever happens." -- Bruce Schneier
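
Added example, not part of the thread and not code from any poster or vendor: a LUKS1 header audit that lists the active keyslots with their PBKDF2 iteration counts, which are the two things the last message questions. It assumes the LUKS1 on-disk layout and that a recovery key would sit in a keyslot of its own; the sample header, the expected-slot set and the 100000 floor are constructed for illustration.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD   # LUKS1 keyslot state markers
HEADER_FMT = ">6sH32s32s32sII20s32sI40s"   # fixed part of the header, 208 bytes
SLOT_FMT = ">II32sII"                      # one keyslot, 48 bytes, 8 of them follow
HEADER_LEN = 208 + 8 * 48                  # 592 bytes

def parse_luks1(header: bytes) -> dict:
    """Return hash spec and the (index, PBKDF2 iterations) of every active keyslot."""
    if len(header) < HEADER_LEN:
        raise ValueError("need the first 592 bytes of the volume")
    fields = struct.unpack_from(HEADER_FMT, header, 0)
    if fields[0] != LUKS_MAGIC or fields[1] != 1:
        raise ValueError("not a LUKS1 header")
    slots = []
    for i in range(8):
        state, iters, _salt, _offset, _stripes = struct.unpack_from(
            SLOT_FMT, header, 208 + 48 * i)
        if state == SLOT_ENABLED:
            slots.append((i, iters))
    return {"hash": fields[4].rstrip(b"\0").decode(), "slots": slots}

def audit(info: dict, expected_slots: set, min_iterations: int) -> list:
    """Flag keyslots the owner did not create and slots below the chosen floor."""
    findings = []
    for index, iters in info["slots"]:
        if index not in expected_slots:
            findings.append(f"slot {index}: active but not created by the owner")
        if iters < min_iterations:
            findings.append(f"slot {index}: only {iters} PBKDF2 iterations")
    return findings

def build_sample() -> bytes:
    """Constructed header (not from a real device): slots 0 and 1 active."""
    head = struct.pack(HEADER_FMT, LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256",
                       b"sha1", 4096, 32, bytes(20), bytes(32), 50000,
                       b"constructed-sample-uuid")
    body = b"".join(
        struct.pack(SLOT_FMT, SLOT_ENABLED if i < 2 else SLOT_DISABLED,
                    50000 if i < 2 else 0, bytes(32), 8 + 256 * i, 4000)
        for i in range(8))
    return head + body

if __name__ == "__main__":
    # The owner is assumed to have set one passphrase (slot 0); floor is illustrative.
    for line in audit(parse_luks1(build_sample()), {0}, 100000):
        print(line)
```

On a live system `cryptsetup luksDump <device>` prints the same keyslot table; the parser above is for checking a header image offline.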