<article>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#article10_01_09_0416239</id>
	<title>NIST Investigating Mass Flash Drive Vulnerability</title>
	<author>Soulskill</author>
	<datestamp>1263031500000</datestamp>
	<htmltext>Lucas123 writes with a followup to news we <a href="http://it.slashdot.org/story/10/01/05/1734242/Encryption-Cracked-On-NIST-Certified-Flash-Drives">discussed earlier this week</a> that the encryption on NIST-certified flash drives was cracked.
<i>"A number of leading manufacturers of encrypted flash drives have warned their customers of a security flaw uncovered by a German company. The devices in question use the AES 256-bit encryption algorithm and have been certified using the FIPS 140-2, but the flaw appears to circumvent the certification process by uncovering the password authentication code on host systems. The National Institute of Standards and Technology <a href="http://www.computerworld.com/s/article/9143504/More_flash_drive_firms_warn_of_security_flaw_NIST_investigates">said it's investigating whether it needs to modify</a> its standards to include password authentication software on host systems. Security specialist Bruce Schneier was blunt in his characterization of the flaw: 'It's a stupid crypto mistake and they screwed up and they should be rightfully embarrassed for making it.'"</i></htmltext>
<tokenext>Lucas123 writes with a followup to news we discussed earlier this week that the encryption on NIST-certified flash drives was cracked .
" A number of leading manufacturers of encrypted flash drives have warned their customers of a security flaw uncovered by a German company .
The devices in question use the AES 256-bit encryption algorithm and have been certified using the FIPS 140-2 , but the flaw appears to circumvent the certification process by uncovering the password authentication code on host systems .
The National Institute of Standards and Technology said it 's investigating whether it needs to modify its standards to include password authentication software on host systems .
Security specialist Bruce Schneier was blunt in his characterization of the flaw : 'It 's a stupid crypto mistake and they screwed up and they should be rightfully embarrassed for making it .
' "</tokentext>
<sentencetext>Lucas123 writes with a followup to news we discussed earlier this week that the encryption on NIST-certified flash drives was cracked.
"A number of leading manufacturers of encrypted flash drives have warned their customers of a security flaw uncovered by a German company.
The devices in question use the AES 256-bit encryption algorithm and have been certified using the FIPS 140-2, but the flaw appears to circumvent the certification process by uncovering the password authentication code on host systems.
The National Institute of Standards and Technology said it's investigating whether it needs to modify its standards to include password authentication software on host systems.
Security specialist Bruce Schneier was blunt in his characterization of the flaw: 'It's a stupid crypto mistake and they screwed up and they should be rightfully embarrassed for making it.
'"</sentencetext>
</article>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30707774</id>
	<title>Re:Nope. How to do it right...</title>
	<author>Anonymous</author>
	<datestamp>1263058080000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>"A better device has a config setup. Press an extra recessed button, and the device appears as a USB network device with a DHCP server and all. Go to the device's internal web page, just like setting up a home wireless router. There you could create multiple virtualized devices, each with a distinct password."... Great, so we should just add more vulnerability-ridden protocols to the device. Why don't we just leave the web access login / password as Admin / password and not force the user to change it, just like our "secure" home networks? I'm gonna have to agree with the comment that IronKey are the only ones that got it right. IN EXTERNAL DEVICE SECURITY ALWAYS ASSUME THAT THE HOST SYSTEM IS COMPROMISED. IT'S NOT THAT BLOODY HARD.</p></htmltext>
<tokenext>" A better device has a config setup .
Press an extra recessed button , and the device appears as a USB network device with a DHCP server and all .
Go to the device 's internal web page , just like setting up a home wireless router .
There you could create multiple virtualized devices , each with a distinct password. " .. .
Great , so we should just add more vulnerability-ridden protocols to the device .
Why do n't we just leave the web access login / password as Admin / password and not enforce the user to change it , just like our " secure " home networks .
I 'm gon na have to agree with the comment that IronKey are the only ones that got it right .
IN EXTERNAL DEVICE SECURITY ALWAYS ASSUME THAT THE HOST SYSTEM IS COMPROMISED IT 'S NOT THAT BLOODY HARD .</tokentext>
<sentencetext>"A better device has a config setup.
Press an extra recessed button, and the device appears as a USB network device with a DHCP server and all.
Go to the device's internal web page, just like setting up a home wireless router.
There you could create multiple virtualized devices, each with a distinct password."...
Great, so we should just add more vulnerability-ridden protocols to the device.
Why don't we just leave the web access login / password as Admin / password and not enforce the user to change it, just like our "secure" home networks.
I'm gonna have to agree with the comment that IronKey are the only ones that got it right.
IN EXTERNAL DEVICE SECURITY ALWAYS ASSUME THAT THE HOST SYSTEM IS COMPROMISED IT'S NOT THAT BLOODY HARD.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30707504</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706878</id>
	<title>Is this a valid comparison?</title>
	<author>allseason radial</author>
	<datestamp>1263048300000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Back in the nineties there was a teapot tempest around an issue with Intuit's Quicken personal finance software. Users could "encrypt" their Quicken data files, but the password they created to access it was easily recoverable by simply looking at the plain text raw data stored on hard drive sectors. I had Norton Utilities which allowed me to examine drive sectors, and sure enough, there was my Quicken password (although the actual data was encrypted). <br>  <br> 
That's what this reminds me of. Is this a valid -if perhaps incomplete- comparison?</htmltext>
<tokenext>Back in the nineties there was a teapot tempest around an issue with Intuit 's Quicken personal finance software .
Users could " encrypt " their Quicken data files , but the password they created to access it was easily recoverable by simply looking at the plain text raw data stored on hard drive sectors .
I had Norton Utilities which allowed me to examine drive sectors , and sure enough , there was my Quicken password ( although the actual data was encrypted ) .
That 's what this reminds me of .
Is this a valid -if perhaps incomplete- comparison ?</tokentext>
<sentencetext>Back in the nineties there was a teapot tempest around an issue with Intuit's Quicken personal finance software.
Users could "encrypt" their Quicken data files, but the password they created to access it was easily recoverable by simply looking at the plain text raw data stored on hard drive sectors.
I had Norton Utilities which allowed me to examine drive sectors, and sure enough, there was my Quicken password (although the actual data was encrypted).
That's what this reminds me of.
Is this a valid -if perhaps incomplete- comparison?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30709680</id>
	<title>Re:Significant flaw &amp; workaround</title>
	<author>TangoMargarine</author>
	<datestamp>1263031680000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>TC isn't really portable. I mean, yes, the program itself can be installed portably, but you still need admin permission to install the driver to make it actually work.</htmltext>
<tokenext>TC is n't really portable .
I mean , yes , the program itself can be installed portably , but you still need admin permission to install the driver to make it actually work .</tokentext>
<sentencetext>TC isn't really portable.
I mean, yes, the program itself can be installed portably, but you still need admin permission to install the driver to make it actually work.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706296</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30707304</id>
	<title>Re:Encryption algorithm's aren't the weak link</title>
	<author>Anonymous</author>
	<datestamp>1263052980000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>1</modscore>
	<htmltext><div><div class="quote"><p>What's more usually the case is that the implementation of the algorithm is just fine, but you fail at using it in the right way. Usually because then you've handed it off from the cryptography experts and to the general team that's building the rest of the system. Kinda like a door that has a great lock but is easy to take off its hinges, won't do you much good.</p></div><p>That's a problem with software in general, not just encryption.</p><p>Often once the coders have solved the "interesting" problems, they get bored with the mundane implementation details.  If your software does everything it is supposed to, but the user experience sucks, then you have still failed.   Coding isn't about creating great code.  The user doesn't care about your code.  They want to solve their problem.  Programs are only a tool to achieve that.</p></div>
	</htmltext>
<tokenext>What 's more usually the case is that the implementation of the algorithm is just fine , but you fail at using it in the right way .
Usually because then you 've handed it off from the cryptography experts and to the general team that 's building the rest of the system .
Kinda like a door that has a great lock but is easy to take off its hinges , wo n't do you much good . That 's a problem with software in general , not just encryption . Often once the coders have solved the " interesting " problems , they get bored with the mundane implementation details .
If your software does everything it is supposed to , but the user experience sucks , then you have still failed .
Coding is n't about creating great code .
The user does n't care about your code .
They want to solve their problem .
Programs are only a tool to achieve that .</tokentext>
<sentencetext>What's more usually the case is that the implementation of the algorithm is just fine, but you fail at using it in the right way.
Usually because then you've handed it off from the cryptography experts and to the general team that's building the rest of the system.
Kinda like a door that has a great lock but is easy to take off its hinges, won't do you much good. That's a problem with software in general, not just encryption. Often once the coders have solved the "interesting" problems, they get bored with the mundane implementation details.
If your software does everything it is supposed to, but the user experience sucks, then you have still failed.
Coding isn't about creating great code.
The user doesn't care about your code.
They want to solve their problem.
Programs are only a tool to achieve that.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706166</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706166</id>
	<title>Re:Encryption algorithm's aren't the weak link</title>
	<author>Anonymous</author>
	<datestamp>1263036600000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>4</modscore>
	<htmltext><div><div class="quote"><p>Encryption algorithm's aren't the weak link, its the implementation.</p></div><p>What's more usually the case is that the implementation of the algorithm is just fine, but you fail at using it in the right way. Usually because then you've handed it off from the cryptography experts and to the general team that's building the rest of the system. Kinda like a door that has a great lock but is easy to take off its hinges, won't do you much good.</p></div>
	</htmltext>
<tokenext>Encryption algorithm 's are n't the weak link , its the implementation.What 's more usually the case is that the implementation of the algorithm is just fine , but you fail at using it in the right way .
Usually because then you 've handed it off from the cryptography experts and to the general team that 's building the rest of the system .
Kinda like a door that has a great lock but is easy to take off its hinges , wo n't do you much good .</tokentext>
<sentencetext>Encryption algorithm's aren't the weak link, its the implementation.What's more usually the case is that the implementation of the algorithm is just fine, but you fail at using it in the right way.
Usually because then you've handed it off from the cryptography experts and to the general team that's building the rest of the system.
Kinda like a door that has a great lock but is easy to take off its hinges, won't do you much good.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706128</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30709438</id>
	<title>Yep.</title>
	<author>ScrewMaster</author>
	<datestamp>1263029280000</datestamp>
	<modclass>Funny</modclass>
	<modscore>2</modscore>
	<htmltext><div><div class="quote"><p>Security specialist Bruce Schneier was blunt in his characterization of the flaw: 'It's a stupid crypto mistake and they screwed up and they should be rightfully embarrassed for making it.'"</p></div><p>That's our Bruce.</p></div>
	</htmltext>
<tokenext>Security specialist Bruce Schneier was blunt in his characterization of the flaw : 'It 's a stupid crypto mistake and they screwed up and they should be rightfully embarrassed for making it .
' " That 's our Bruce .</tokentext>
<sentencetext>Security specialist Bruce Schneier was blunt in his characterization of the flaw: 'It's a stupid crypto mistake and they screwed up and they should be rightfully embarrassed for making it.
'" That's our Bruce.
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706534</id>
	<title>some vendors got it right... Trust no 1</title>
	<author>Anonymous</author>
	<datestamp>1263042540000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>4</modscore>
	<htmltext><div><blockquote><div><p>IronKey was among a number of companies to issue statements reassuring customers that their devices were safe from the same attacks. Jevans said that's because the password and authentication process is contained on the USB drive itself and has nothing to do with the host system.
<br>
"We don't trust the computer at all," he said. "The computer could have malware on it or have hackers accessing it. In our security design, we said we have to assume the computer is completely untrustworthy. That's where we started our threat modeling."</p></div></blockquote></div>
	</htmltext>
<tokenext>IronKey was among a number of companies to issue statements reassuring customers that their devices were safe from the same attacks .
Jevans said that 's because the password and authentication process is contained on the USB drive itself and has nothing to do with the host system .
" We do n't trust the computer at all , " he said .
" The computer could have malware on it or have hackers accessing it .
In our security design , we said we have to assume the computer is completely untrustworthy .
That 's where we started our threat modeling .
"</tokentext>
<sentencetext>IronKey was among a number of companies to issue statements reassuring customers that their devices were safe from the same attacks.
Jevans said that's because the password and authentication process is contained on the USB drive itself and has nothing to do with the host system.
"We don't trust the computer at all," he said.
"The computer could have malware on it or have hackers accessing it.
In our security design, we said we have to assume the computer is completely untrustworthy.
That's where we started our threat modeling.
"
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706746</id>
	<title>out in the cold</title>
	<author>Anonymous</author>
	<datestamp>1263046320000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>What if you spent a lot of money on one of these drives? Too bad, you're out of luck; I doubt there will be a refund.</p></htmltext>
<tokenext>what if you spent a lot of money on one of these drives , too bad your out of luck , I doubt there will be a refund .</tokentext>
<sentencetext>what if you spent a lot of money on one of these drives, too bad your out of luck, I doubt there will be a refund.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30707322</id>
	<title>Re:Doesn't NIST have a clue?</title>
	<author>Anonymous</author>
	<datestamp>1263053160000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><div><div class="quote"><p>So why was this not discovered during the NIST certification process? And why do NIST state that they may need to approve the software too to protect against this?</p></div><p>Because the companies in question, the ones requesting certification, request certification for X, but not Y or Z (whether NIST can even certify Y or Z I don't know.) So they met the certification requirements for X. Now that there's such a big deal over this screw up, it'll probably make NIST fix their certification process, e.g. all requests for X certification must also be eligible for Y certification, or some such.</p></div>
	</htmltext>
<tokenext>So why was this not discovered during the NIST certification process ?
And why do NIST state that they may need to approve the software too to protect against this ?
Because the companies in question , the ones requesting certification , request certification for X , but not Y or Z ( whether NIST can even certify Y or Z I do n't know . )
So they met the certification requirements for X .
Now that there 's such a big deal over this screw up , it 'll probably make NIST fix their certification process , e.g. all requests for X certification must also be eligible for Y certification , or some such .</tokentext>
<sentencetext>So why was this not discovered during the NIST certification process?
And why do NIST state that they may need to approve the software too to protect against this?
Because the companies in question, the ones requesting certification, request certification for X, but not Y or Z (whether NIST can even certify Y or Z I don't know.)
So they met the certification requirements for X.
Now that there's such a big deal over this screw up, it'll probably make NIST fix their certification process, e.g. all requests for X certification must also be eligible for Y certification, or some such.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706898</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706296</id>
	<title>Significant flaw &amp; workaround</title>
	<author>Snotboble_</author>
	<datestamp>1263039300000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>4</modscore>
	<htmltext>This is pretty major as so many vendors are affected by it. However, until there's an update or complete recall &amp; replacement, I'd recommend using <a href="http://www.truecrypt.org/" title="truecrypt.org" rel="nofollow">Truecrypt</a> [truecrypt.org]. Certified by NIST (see <a href="http://law2point0.com/wordpress/2009/08/18/nist-approved-xts-aes-for-secure-encryption-of-block-devices/" title="law2point0.com" rel="nofollow">HERE</a> [law2point0.com]). Cross platform. Free (as in spoken beer ;o). Of course, one can only hope that its implementation is better than the devices currently uncovered :P</htmltext>
<tokenext>This is pretty major as so many vendors are affected by it .
However , until there 's an update or complete recall &amp; replacement , I 'd recommend using Truecrypt [ truecrypt.org ] .
Certified by NIST ( see HERE [ law2point0.com ] ) .
Cross platform .
Free ( as in spoken beer ; o ) .
Of course , one can only hope that its implementation is better than the devices currently uncovered : P</tokentext>
<sentencetext>This is pretty major as so many vendors are affected by it.
However, until there's an update or complete recall &amp; replacement, I'd recommend using Truecrypt [truecrypt.org].
Certified by NIST (see HERE [law2point0.com]).
Cross platform.
Free (as in spoken beer ;o).
Of course, one can only hope that its implementation is better than the devices currently uncovered :P</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30707618</id>
	<title>Re:Doesn't NIST have a clue?</title>
	<author>Jaime2</author>
	<datestamp>1263056520000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext><div><div class="quote"><p>So why was this not discovered during the NIST certification process?</p></div><p>Because the certification the hardware received only verifies that the algorithm strength is sufficient and that the device is hardened against physical tampering.</p><p><div class="quote"><p>It seems to me that NIST blames the software so they will not have to take blame for their faulty certification of the hardware.</p></div><p>Nope, it seems that the NIST has recognized that the certification, as currently written, isn't sufficient and is looking into making it more robust.  Had they audited the software, they would have discovered that the software-to-hardware interface is poorly designed and not granted the certification.</p></div>
	</htmltext>
<tokenext>So why was this not discovered during the NIST certification process ? Because the certification the hardware received only verifies that the algorithm strength is sufficient and that the device is hardened against physical tampering.It seems to me that NIST blames the software so they will not have to take blame for their faulty certification of the hardware.Nope , it seems that the NIST has recognized that the certification , as currently written , is n't sufficient and is looking into making it more robust .
Had they audited the software , they would have discovered that the software-to-hardware interface is poorly designed and not granted the certification .</tokentext>
<sentencetext>So why was this not discovered during the NIST certification process?Because the certification the hardware received only verifies that the algorithm strength is sufficient and that the device is hardened against physical tampering.It seems to me that NIST blames the software so they will not have to take blame for their faulty certification of the hardware.Nope, it seems that the NIST has recognized that the certification, as currently written, isn't sufficient and is looking into making it more robust.
Had they audited the software, they would have discovered that the software-to-hardware interface is poorly designed and not granted the certification.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706898</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706208</id>
	<title>they screwed up... OR</title>
	<author>Smegly</author>
	<datestamp>1263037680000</datestamp>
	<modclass>Troll</modclass>
	<modscore>0</modscore>
	<htmltext><div><div class="quote"><p>Security specialist Bruce Schneier was blunt in his characterization of the flaw: 'It's a stupid crypto mistake and they screwed up and they should be rightfully embarrassed for making it.'"</p></div><p>... OR it was a deliberate mistake.  Damn Germans for not playing ball.</p></div>
	</htmltext>
<tokenext>Security specialist Bruce Schneier was blunt in his characterization of the flaw : 'It 's a stupid crypto mistake and they screwed up and they should be rightfully embarrassed for making it. ' " .. .
OR it was a deliberate mistake .
Damn Germans for not playing ball .</tokentext>
<sentencetext>Security specialist Bruce Schneier was blunt in his characterization of the flaw: 'It's a stupid crypto mistake and they screwed up and they should be rightfully embarrassed for making it.'"...
OR it was a deliberate mistake.
Damn Germans for not playing ball.
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706128</id>
	<title>Encryption algorithm's aren't the weak link</title>
	<author>Anonymous</author>
	<datestamp>1263035760000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext><p>Encryption algorithm's aren't the weak link, it's the implementation. But most people just look at how big the key is, not who implemented it.</p></htmltext>
<tokenext>Encryption algorithm 's are n't the weak link , its the implementation .
But most people just look at how big the key is not who implemented it .</tokentext>
<sentencetext>Encryption algorithm's aren't the weak link, its the implementation.
But most people just look at how big the key is not who implemented it.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30707038</id>
	<title>Best part of TFA</title>
	<author>dr2chase</author>
	<datestamp>1263050280000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext>is how everything is carefully run through the make-nice factory.  The memory chip makers ucked fup.  NIST ucked fup.  Yet, NIST cannot say, "whoa, we blew it, we have to fix that standard immediately" (else it will be completely worthless).  No, they're organizing a committee to appoint a task force to propose revisions to the standard, pending who-knows-what.  And even the guys who got it right try to make nice with a handy excuse for how this came about -- "difficult to administer with all those different passwords".  You set two passwords for each device, duh, and let either access the bits.  Vendors provide them with a customer-specified admin password, or vendor supplies a chip initialization utility where customer may bake in an admin password.</htmltext>
<tokenext>is how everything is carefully run through the make-nice factory .
The memory chip makers ucked fup .
NIST ucked fup .
Yet , NIST can not say , " whoa , we blew it , we have to fix that standard immediately " ( else it will be completely worthless ) .
No , they 're organizing a committee to appoint a task force to propose revisions to the standard , pending who-knows-what .
And even the guys who got it right try to make nice with a handy excuse for how this came about -- " difficult to administer with all those different passwords " .
You set two passwords for each device , duh , and let either access the bits .
Vendors provide them with a customer-specified admin password , or vendor supplies a chip initialization utility where customer may bake in an admin password .</tokentext>
<sentencetext>is how everything is carefully run through the make-nice factory.
The memory chip makers ucked fup.
NIST ucked fup.
Yet, NIST cannot say, "whoa, we blew it, we have to fix that standard immediately" (else it will be completely worthless).
No, they're organizing a committee to appoint a task force to propose revisions to the standard, pending who-knows-what.
And even the guys who got it right try to make nice with a handy excuse for how this came about -- "difficult to administer with all those different passwords".
You set two passwords for each device, duh, and let either access the bits.
Vendors provide them with a customer-specified admin password, or vendor supplies a chip initialization utility where customer may bake in an admin password.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30715362</id>
	<title>Wrong drive?</title>
	<author>hicksw</author>
	<datestamp>1263148380000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>If all the drives have identical challenge response interchanges, why wasn't this noticed the first time someone using his own machine/software/password successfully accessed the wrong drive?</p></htmltext>
<tokenext>If all the drives have identical challenge response interchanges , why was n't this noticed the first time someone using his own machine/software/password successfully accessed the wrong drive ?</tokentext>
<sentencetext>If all the drives have identical challenge response interchanges, why wasn't this noticed the first time someone using his own machine/software/password successfully accessed the wrong drive?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706816</id>
	<title>Re:Encryption algorithm's aren't the weak link</title>
	<author>jd2112</author>
	<datestamp>1263047280000</datestamp>
	<modclass>Funny</modclass>
	<modscore>2</modscore>
	<htmltext>Just use Quantum Encryption, they'll never crack that.<br> <br>
Oh, never mind. <a href="http://it.slashdot.org/story/09/12/30/2118250/Quantum-Encryption-Implementation-Broken?art_pos=1" title="slashdot.org" rel="nofollow">http://it.slashdot.org/story/09/12/30/2118250/Quantum-Encryption-Implementation-Broken?art_pos=1</a> [slashdot.org]</htmltext>
<tokenext>Just use Quantum Encryption , They 'll never crack that .
Oh , never mind .
http://it.slashdot.org/story/09/12/30/2118250/Quantum-Encryption-Implementation-Broken?art_pos=1 [ slashdot.org ]</tokentext>
<sentencetext>Just use Quantum Encryption, They'll never crack that.
Oh, never mind.
http://it.slashdot.org/story/09/12/30/2118250/Quantum-Encryption-Implementation-Broken?art_pos=1 [slashdot.org]</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706128</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706426</id>
	<title>Re:Encryption algorithm's aren't the weak link</title>
	<author>Joce640k</author>
	<datestamp>1263040740000</datestamp>
	<modclass>Funny</modclass>
	<modscore>4</modscore>
	<htmltext><p>The weak link is in the apostrophe.</p></htmltext>
<tokenext>The weak link is in the apostrophe .</tokentext>
<sentencetext>The weak link is in the apostrophe.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706128</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706898</id>
	<title>Doesn't NIST have a clue?</title>
	<author>Anonymous</author>
	<datestamp>1263048480000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>I really do not understand this part:<br>"The National Institute of Standards and Technology said it's investigating whether it needs to modify [CC] its standards to include password authentication software on host systems."</p><p>This has already been proven to be very unsafe hardware. The fact that you can access the data without using the original software and without knowing the user's password should leave no doubt. As long as you have some software which says "Open Sesame" in the same way as the original software, you will get access.</p><p>So why was this not discovered during the NIST certification process? And why do NIST state that they may need to approve the software too to protect against this?</p><p>It seems to me that NIST blames the software so they will not have to take blame for their faulty certification of the hardware.</p></htmltext>
<tokenext>I really do not understand this part : " The National Institute of Standards and Technology said it 's investigating whether it needs to modify [ CC ] its standards to include password authentication software on host systems . "
This has already been proven to be very unsafe hardware .
The fact that you can access the data without using the original software and without knowing the user 's password should leave no doubt .
As long as you have some software which says " Open Sesame " in the same way as the original software , you will get access .
So why was this not discovered during the NIST certification process ?
And why do NIST state that they may need to approve the software too to protect against this ?
It seems to me that NIST blames the software so they will not have to take blame for their faulty certification of the hardware .</tokentext>
<sentencetext>I really do not understand this part: "The National Institute of Standards and Technology said it's investigating whether it needs to modify [CC] its standards to include password authentication software on host systems."
This has already been proven to be very unsafe hardware.
The fact that you can access the data without using the original software and without knowing the user's password should leave no doubt.
As long as you have some software which says "Open Sesame" in the same way as the original software, you will get access.
So why was this not discovered during the NIST certification process?
And why do NIST state that they may need to approve the software too to protect against this?
It seems to me that NIST blames the software so they will not have to take blame for their faulty certification of the hardware.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706202</id>
	<title>Re:If you want to encrypt your data</title>
	<author>snemarch</author>
	<datestamp>1263037620000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>4</modscore>
	<htmltext><p>Not really applicable to a hardware device.</p><p>Also, keep in mind that RSA by itself is much too slow to encrypt large amounts of data; thus, PGP and other solutions only use RSA to encrypt a symmetric cipher, which is then used for the bulk encryption.</p><p>Standard AES-256 is actually just fine; the problem with these devices is that the manufacturers screwed up the implementation *majorly* (as I understand it, they use the same key for every device and depend on a usermode app to say GOOD_GUY/BAD_GUY to the hardware) - but that's covered elsewhere.</p></htmltext>
<tokenext>Not really applicable to a hardware device .
Also , keep in mind that RSA by itself is much too slow to encrypt large amounts of data ; thus , PGP and other solutions only use RSA to encrypt a symmetric cipher , which is then used for the bulk encryption .
Standard AES-256 is actually just fine , problem with these devices is that the manufacturers screwed up the implementation * majorly * ( as I understand it , use the same key for every device and depend on a usermode app to say GOOD _GUY/BAD _GUY to the hardware ) - but that 's covered elsewhere .</tokentext>
<sentencetext>Not really applicable to a hardware device.
Also, keep in mind that RSA by itself is much too slow to encrypt large amounts of data; thus, PGP and other solutions only use RSA to encrypt a symmetric cipher, which is then used for the bulk encryption.
Standard AES-256 is actually just fine, problem with these devices is that the manufacturers screwed up the implementation *majorly* (as I understand it, use the same key for every device and depend on a usermode app to say GOOD_GUY/BAD_GUY to the hardware) - but that's covered elsewhere.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706124</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30708196</id>
	<title>Re:Encryption algorithm's aren't the weak link</title>
	<author>dayton967</author>
	<datestamp>1263061920000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>For the house you can go with many different locking systems, such as a Kwikset deadbolt; they are vulnerable to bumping and picking, though for the average house this is sufficient because they would go through the window instead.  Though many houses just have the knob locks, these have an added vulnerability, which is to use a jack to spread the door frame; the frame can often move more than the latch is deep.  High security locks can be vulnerable to being kicked in or being jacked open, even when they are very difficult if not impossible to bump or pick open.

So as with doors, encryption requires the implementation to be done properly.  AES256 would be a high security lock, but from what I can understand of what was written, someone left the key under the door mat.</htmltext>
<tokenext>For the house you can go with many different locking systems , such as a Kwikset deadbolt , they are vulnerable to bumping and picking though for the average house , this is sufficient because they would go through the window instead .
Though many houses just have the knob locks , these have an added vulnerability , which is to use a jack to spread the door frame , the frame can often move more than the latch is deep .
High security locks can be vulnerable to being kicked in or being jacked open , even when they are very difficult if not impossible to bump or pick open .
So as with doors , encryption requires the implementation to be done properly .
AES256 would be a high security lock , but from what I can understand on what was written , someone left the key under the door mat .</tokentext>
<sentencetext>For the house you can go with many different locking systems, such as a Kwikset deadbolt, they are vulnerable to bumping and picking though for the average house, this is sufficient because they would go through the window instead.
Though many houses just have the knob locks, these have an added vulnerability, which is to use a jack to spread the door frame, the frame can often move more than the latch is deep.
High security locks can be vulnerable to being kicked in or being jacked open, even when they are very difficult if not impossible to bump or pick open.
So as with doors, encryption requires the implementation to be done properly.
AES256 would be a high security lock, but from what I can understand on what was written, someone left the key under the door mat.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706166</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706806</id>
	<title>Who talks/writes like that?</title>
	<author>kahn</author>
	<datestamp>1263047160000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><blockquote><div><p>by uncovering the password authentication code on host systems</p></div></blockquote><p>

See, this is why I can't watch movies anymore.</p>
	</htmltext>
<tokenext>by uncovering the password authentication code on host systems See , this is why I ca n't watch movies anymore .</tokentext>
<sentencetext>by uncovering the password authentication code on host systems

See, this is why I can't watch movies anymore.
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30715988</id>
	<title>Why bother?</title>
	<author>spambucket235</author>
	<datestamp>1263153420000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I would never even bother to encrypt data on a flash drive.</p><p>1)  If your data is so important that other people shouldn't read it, why are you putting it on a flash drive which can be stolen?</p><p>2)  If, for some reason, you are storing your data on a flash drive, why are you leaving it where others can steal it?  You can have my flash drive when you pry it from my cold, dead hands!</p><p>3)  If you do put your data on a flash drive and somebody kills you to get it, it stands to reason that they will be able to work at their own leisure to decrypt the data on it.  I don't know any form of encryption that is 100% bulletproof.  (Except, maybe a one-time pad. - Assuming they don't get your key.)  It's only a matter of time before your encrypted data is broken.  Your only hope is that the information will go stale before they can decrypt it.</p><p>Flash drives are ubiquitous, easily stolen and easily concealable.  They are, AFAIAC, the WORST place to store valuable data.</p><p>Encrypting data on a flash drive is like putting a padlock on a cardboard box.</p></htmltext>
<tokenext>I would never even bother to encrypt data on a flash drive .
1 ) If your data is so important that other people should n't read it , why are you putting it on a flash drive which can be stolen ?
2 ) If , for some reason , you are storing your data on a flash drive , why are you leaving it where others can steal it ?
You can have my flash drive when you pry it from my cold , dead hands !
3 ) If you do put your data on a flash drive and somebody kills you to get it , it stands to reason that they will be able to work at their own leisure to decrypt the data on it .
I do n't know any form of encryption that is 100 % bulletproof .
( Except , maybe a one-time pad .
- Assuming they do n't get your key .
) It 's only a matter of time before your encrypted data is broken .
Your only hope is that the information will go stale before they can decrypt it .
Flash drives are ubiquitous , easily stolen and easily concealable .
They are , AFAIAC , the WORST place to store valuable data .
Encrypting data on a flash drive is like putting a padlock on a cardboard box .</tokentext>
<sentencetext>I would never even bother to encrypt data on a flash drive.
1)  If your data is so important that other people shouldn't read it, why are you putting it on a flash drive which can be stolen?
2)  If, for some reason, you are storing your data on a flash drive, why are you leaving it where others can steal it?
You can have my flash drive when you pry it from my cold, dead hands!
3)  If you do put your data on a flash drive and somebody kills you to get it, it stands to reason that they will be able to work at their own leisure to decrypt the data on it.
I don't know any form of encryption that is 100% bulletproof.
(Except, maybe a one-time pad. - Assuming they don't get your key.)
It's only a matter of time before your encrypted data is broken.
Your only hope is that the information will go stale before they can decrypt it.
Flash drives are ubiquitous, easily stolen and easily concealable.
They are, AFAIAC, the WORST place to store valuable data.
Encrypting data on a flash drive is like putting a padlock on a cardboard box.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30709872</id>
	<title>Re:Nope. How to do it right...</title>
	<author>ascari</author>
	<datestamp>1263033600000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>And after all that, once your encrypted data is duly decrypted by you it is displayed on the screen in cleartext. The hypothetical malware running on your untrustworthy PC simply swipes it out of the frame buffer and sends it to your enemy. (It might even encrypt it before sending it, sweet irony. ;-) <p>Hypothetical perhaps, but quite doable. Bottom line is if you ever look at your data in cleartext at any time on any device I've already pwned you. Sorry to be the bearer of bad news.</p></htmltext>
<tokenext>And after all that , once your encrypted data is duly decrypted by you it is displayed on the screen in cleartext .
The hypothetical malware running on your untrustworthy PC simply swipes it out of the frame buffer and sends it to your enemy .
( It might even encrypt it before sending it , sweet irony .
; - ) Hypothetical perhaps , but quite doable .
Bottom line is if you ever look at your data in cleartext at any time on any device I 've already pwned you .
Sorry to be the bearer of bad news .</tokentext>
<sentencetext>And after all that, once your encrypted data is duly decrypted by you it is displayed on the screen in cleartext.
The hypothetical malware running on your untrustworthy PC simply swipes it out of the frame buffer and sends it to your enemy.
(It might even encrypt it before sending it, sweet irony.
;-) Hypothetical perhaps, but quite doable.
Bottom line is if you ever look at your data in cleartext at any time on any device I've already pwned you.
Sorry to be the bearer of bad news.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30707504</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30709182</id>
	<title>Re:Significant flaw &amp; workaround</title>
	<author>greenbird</author>
	<datestamp>1263070200000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>My one issue with Truecrypt is that it doesn't support multiple keys. That's almost essential in a real world environment. Why the hell don't they add that?</p></htmltext>
<tokenext>My one issue with Truecrypt is that it does n't support multiple keys .
That 's almost essential in a real world environment .
Why the hell do n't they add that ?</tokentext>
<sentencetext>My one issue with Truecrypt is that it doesn't support multiple keys.
That's almost essential in a real world environment.
Why the hell don't they add that?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706296</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30709466</id>
	<title>Re:Significant flaw &amp; workaround</title>
	<author>ScrewMaster</author>
	<datestamp>1263029460000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div class="quote"><p>This is pretty major as so many vendors are affected by it. However, until there's an update or complete recall &amp; replacement, I'd recommend using <a href="http://www.truecrypt.org/" title="truecrypt.org">Truecrypt</a> [truecrypt.org]. Certified by NIST (see <a href="http://law2point0.com/wordpress/2009/08/18/nist-approved-xts-aes-for-secure-encryption-of-block-devices/" title="law2point0.com">HERE</a> [law2point0.com]). Cross platform. Free (as in spoken beer ;o). Of course, one can only hope that its implementation is better than the devices currently uncovered :P</p></div><p>I remember a recent Slashdot article about a vulnerability in TrueCrypt. Don't remember much more than that. Does anyone else know what I'm talking about?</p>
	</htmltext>
<tokenext>This is pretty major as so many vendors are affected by it .
However , until there 's an update or complete recall &amp; replacement , I 'd recommend using Truecrypt [ truecrypt.org ] .
Certified by NIST ( see HERE [ law2point0.com ] ) .
Cross platform .
Free ( as in spoken beer ; o ) .
Of course , one can only hope that its implementation is better than the devices currently uncovered : P
I remember a recent Slashdot article about a vulnerability in TrueCrypt .
Do n't remember much more than that .
Does anyone else know what I 'm talking about ?</tokentext>
<sentencetext>This is pretty major as so many vendors are affected by it.
However, until there's an update or complete recall &amp; replacement, I'd recommend using Truecrypt [truecrypt.org].
Certified by NIST (see HERE [law2point0.com]).
Cross platform.
Free (as in spoken beer ;o).
Of course, one can only hope that its implementation is better than the devices currently uncovered :P
I remember a recent Slashdot article about a vulnerability in TrueCrypt.
Don't remember much more than that.
Does anyone else know what I'm talking about?
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706296</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706246</id>
	<title>was a good investment?</title>
	<author>harvey the nerd</author>
	<datestamp>1263038280000</datestamp>
	<modclass>Troll</modclass>
	<modscore>-1</modscore>
	<htmltext>Sounds like CIA, NSA or FSB spent an effective $25,000 somewhere.</htmltext>
<tokenext>Sounds like CIA , NSA or FSB spent an effective $ 25,000 somewhere .</tokentext>
<sentencetext>Sounds like CIA, NSA or FSB spent an effective $25,000 somewhere.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706124</id>
	<title>If you want to encrypt your data</title>
	<author>MichaelSmith</author>
	<datestamp>1263035580000</datestamp>
	<modclass>Funny</modclass>
	<modscore>4</modscore>
	<htmltext><p>Use PGP. Create a really long key, like 4096 bits.</p></htmltext>
<tokenext>Use PGP .
Create a really long key , like 4096 bits .</tokentext>
<sentencetext>Use PGP.
Create a really long key, like 4096 bits.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706916</id>
	<title>Re:some vendors got it right... Trust no 1</title>
	<author>AHuxley</author>
	<datestamp>1263048660000</datestamp>
	<modclass>Funny</modclass>
	<modscore>2</modscore>
	<htmltext>Why not just say "Microsoft"?</htmltext>
<tokenext>Why not just say " Microsoft " ?</tokentext>
<sentencetext>Why not just say "Microsoft"?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706534</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30722782</id>
	<title>It's not NIST, it's FIPS and reality colliding</title>
	<author>Anonymous</author>
	<datestamp>1263223560000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Posting anonymously since I work at NIST (but not in crypto or infosec).  The problem isn't NIST or even really FIPS 140-2.  The problem is that FIPS 140-2 certifies something very specific -- the encryption module.  It doesn't certify the entire system or the hardware.</p><p>This was not a big deal when FIPS 140-2 was initially written or expanded.  However, now that full-disk encryption is mandated for federal computers and encrypted USB keys are something everyone buys, the reality is that FIPS 140-2 certification doesn't mean very much.  Encryption grew up and moved out of the house, and as usual federal standards take some time to catch up.</p></htmltext>
<tokenext>Posting anonymously since I work at NIST ( but not in crypto or infosec ) .
The problem is n't NIST or even really FIPS 140-2 .
The problem is that FIPS 140-2 certifies something very specific -- the encryption module .
It does n't certify the entire system or the hardware .
This was not a big deal when FIPS 140-2 was initially written or expanded .
However , now that full-disk encryption is mandated for federal computers and encrypted USB keys are something everyone buys , the reality is that FIPS 140-2 certification does n't mean very much .
Encryption grew up and moved out of the house , and as usual federal standards take some time to catch up .</tokentext>
<sentencetext>Posting anonymously since I work at NIST (but not in crypto or infosec).
The problem isn't NIST or even really FIPS 140-2.
The problem is that FIPS 140-2 certifies something very specific -- the encryption module.
It doesn't certify the entire system or the hardware.
This was not a big deal when FIPS 140-2 was initially written or expanded.
However, now that full-disk encryption is mandated for federal computers and encrypted USB keys are something everyone buys, the reality is that FIPS 140-2 certification doesn't mean very much.
Encryption grew up and moved out of the house, and as usual federal standards take some time to catch up.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30709698</id>
	<title>Re:Nope. How to do it right...</title>
	<author>TangoMargarine</author>
	<datestamp>1263031860000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>And this is "not trusting the computer" <i>how?</i></htmltext>
<tokenext>And this is " not trusting the computer " how ?</tokentext>
<sentencetext>And this is "not trusting the computer" how?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30707504</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30707066</id>
	<title>Re:Encryption algorithm's aren't the weak link</title>
	<author>complete loony</author>
	<datestamp>1263050580000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Or an expensive bike lock you can open with the end of a <a href="http://www.wired.com/culture/lifestyle/news/2004/09/64987" title="wired.com">BIC pen</a> [wired.com]...</htmltext>
<tokenext>Or an expensive bike lock you can open with the end of a BIC pen [ wired.com ] .. .</tokentext>
<sentencetext>Or an expensive bike lock you can open with the end of a BIC pen [wired.com]...</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706166</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30708456</id>
	<title>Doing file security the wrong way</title>
	<author>Old Man Kensey</author>
	<datestamp>1263064260000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext>Any flash drive whose "security" involves a required app running on the host system will not be suitable for cross-platform use even if the app is well-written.  The only right way to do it is to encrypt the data written to the drive, using well-known secure encryption algorithms run on the host.  And for that purpose a cheap, dumb drive works just as well as a super-expensive "secure, tamper-proof" drive.</htmltext>
<tokenext>Any flash drive whose " security " involves a required app running on the host system will not be suitable for cross-platform use even if the app is well-written .
The only right way to do it is to encrypt the data written to the drive , using well-known secure encryption algorithms run on the host .
And for that purpose a cheap , dumb drive works just as well as a super-expensive " secure , tamper-proof " drive .</tokentext>
<sentencetext>Any flash drive whose "security" involves a required app running on the host system will not be suitable for cross-platform use even if the app is well-written.
The only right way to do it is to encrypt the data written to the drive, using well-known secure encryption algorithms run on the host.
And for that purpose a cheap, dumb drive works just as well as a super-expensive "secure, tamper-proof" drive.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30707200</id>
	<title>Re:Significant flaw &amp; workaround</title>
	<author>AmberBlackCat</author>
	<datestamp>1263052020000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Where's <a href="http://science.slashdot.org/comments.pl?sid=1504104&amp;cid=30705078" title="slashdot.org">this guy</a> [slashdot.org] when we need him?</p></htmltext>
<tokenext>Where 's this guy [ slashdot.org ] when we need him ?</tokentext>
<sentencetext>Where's this guy [slashdot.org] when we need him?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706296</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706300</id>
	<title>For those that don't RTFA...</title>
	<author>djupedal</author>
	<datestamp>1263039300000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>"Kingston Technology Inc. ---- ....is warning customers about a potential security threat posed by a flaw in the hardware-based AES 256-bit encryption on their USB flash drives."</htmltext>
<tokenext>" Kingston Technology Inc. ---- ....is warning customers about a potential security threat posed by a flaw in the hardware-based AES 256-bit encryption on their USB flash drives .
"</tokentext>
<sentencetext>"Kingston Technology Inc. ---- ....is warning customers about a potential security threat posed by a flaw in the hardware-based AES 256-bit encryption on their USB flash drives.
"</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30707504</id>
	<title>Nope. How to do it right...</title>
	<author>Anonymous</author>
	<datestamp>1263054960000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext><p>You need buttons on the device. Without that, your password could be swiped by PC malware.</p><p>A no-frills minimal device comes with 10 buttons. The password is a 10-digit number printed on a card hidden in the packaging. To avoid having the password revealed by button wear, none of the digits repeats. You put the device in, press buttons, and then it shows up to the OS.</p><p>A better device has a config setup. Press an extra recessed button, and the device appears as a USB network device with a DHCP server and all. Go to the device's internal web page, just like setting up a home wireless router. There you could create multiple virtualized devices, each with a distinct password. (if you create more than one, then the device shows up as a hub with child devices) This also allows for data-losing recovery from password loss: you just delete the virtual device you can no longer access, then create an empty virtual device with a new password.</p></htmltext>
<tokenext>You need buttons on the device .
Without that , your password could be swiped by PC malware .
A no-frills minimal device comes with 10 buttons .
The password is a 10-digit number printed on a card hidden in the packaging .
To avoid having the password revealed by button wear , none of the digits repeats .
You put the device in , press buttons , and then it shows up to the OS .
A better device has a config setup .
Press an extra recessed button , and the device appears as a USB network device with a DHCP server and all .
Go to the device 's internal web page , just like setting up a home wireless router .
There you could create multiple virtualized devices , each with a distinct password .
( if you create more than one , then the device shows up as a hub with child devices ) This also allows for data-losing recovery from password loss : you just delete the virtual device you can no longer access , then create an empty virtual device with a new password .</tokentext>
<sentencetext>You need buttons on the device.
Without that, your password could be swiped by PC malware.
A no-frills minimal device comes with 10 buttons.
The password is a 10-digit number printed on a card hidden in the packaging.
To avoid having the password revealed by button wear, none of the digits repeats.
You put the device in, press buttons, and then it shows up to the OS.
A better device has a config setup.
Press an extra recessed button, and the device appears as a USB network device with a DHCP server and all.
Go to the device's internal web page, just like setting up a home wireless router.
There you could create multiple virtualized devices, each with a distinct password.
(if you create more than one, then the device shows up as a hub with child devices) This also allows for data-losing recovery from password loss: you just delete the virtual device you can no longer access, then create an empty virtual device with a new password.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706534</parent>
</comment>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_09_0416239_0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30708196
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706166
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706128
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_09_0416239_4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30707322
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706898
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_09_0416239_11</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706916
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706534
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_09_0416239_15</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30709182
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706296
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_09_0416239_8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706426
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706128
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_09_0416239_7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30709466
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706296
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_09_0416239_1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30707200
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706296
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_09_0416239_12</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30707774
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30707504
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706534
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_09_0416239_13</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30707618
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706898
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_09_0416239_5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30709680
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706296
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_09_0416239_10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30707066
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706166
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706128
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_09_0416239_9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30709698
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30707504
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706534
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_09_0416239_14</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706202
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706124
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_09_0416239_2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30709872
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30707504
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706534
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_09_0416239_6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30707304
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706166
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706128
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_01_09_0416239_3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706816
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706128
</commentlist>
</thread>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_09_0416239.6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706898
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30707322
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30707618
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_09_0416239.3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30708456
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_09_0416239.1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706300
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_09_0416239.4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706208
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_09_0416239.7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706296
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30709680
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30707200
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30709182
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30709466
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_09_0416239.5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706124
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706202
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_09_0416239.2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706128
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706166
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30707066
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30708196
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30707304
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706426
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706816
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_09_0416239.9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706534
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30707504
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30709872
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30707774
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30709698
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706916
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_09_0416239.8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30707038
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_01_09_0416239.0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_01_09_0416239.30706246
</commentlist>
</conversation>
