Hack as flex can

Depending on network bandwidth, it may be preferrable to transfer data physically, for example in the form of a USB stick or the harddrive of a notebook. Since the transfer potentially exposes the data to the public, they should be encrypted. Personally, I use ecryptfs for the home partition of my netbook and encfs for sticks. Alas, mine is a lone voice in the wilderness: none of my colleagues and friends would even think about this subject. They'll never lose their stick!

Until they do. And then, of course, they come running and wailing and expect that I get it back for them right away or delete the data remotely immediately.

At least the last of this incidents raised the awareness for the need of appropriate measures when carrying sensitive data from A to B. After much discussion, the management finally came to the conclusion that USB safes would be the one and only solution.

At that time, I didn't know much about USB safes, other than that they are sticks with a built-in hardware encryption. Well, that, and their costliness: while a Kingston DataTraveler G3 with 8 GB can be obtained for €14, a Kingston DataTraveler Vault, again with 8 GB, has a price tag of €74.

For this price, I'd of course expect unquestionable und uncompromising security. Well, just a minute of further research led me to this page. The above mentioned 'Vault' is not affected, but that is of little consolation.

Back then, I didn't brood over the ways with which an unauthorized intruder could possibly gain access to these allegedly impenetrable devices. An article in c't 22/10 clarified that now, and surprised me with an archaic attack scenario which I would have not believed to be possible.

Entitled Panzerknacker, the article details the specific weaknesses of commercially available solutions: "Das wichtigste Angriffsszenario ist das Auslöten und Auslesen der Flash-Chips."


Wait a second...the most important attack is hardware related? But what about encryption?

"Verguß hin oder her: Physische Sicherungsmechanismen lassen sich letztlich irgendwie umgehen. Daher bleibt als letzte Bastion die Verschlüsselung."

The last one? Shouldn't encryption stand for itself? Well:

"Ich würde mir ein sorgfältig konstruiertes System nebst vollständigen Konstruktionsplänen und unabhängig geprüftem, offenem Quellcode [..] wünschen, doch solch ein Produkt kenne ich bislang nicht. Diesen Zustand erreicht man derzeit nur mit quelloffenen Software-Lösungen wie TrueCrypt in Kombination mit gewöhnlichen USB-Sticks. [...] In Sachen Komfort und Systemunabhängigkeit kann eine solche Lösung mit einem USB-Safe aber nicht mithalten." -- Peter Franck (Attingo, a data restoration specialist)

Wie komfortabel hätten wir's denn gerne? Soll der Stick das Passwort von den Lippen lesen und dazu einen Kaffee kredenzen? *kopfschüttel*

But wait: an open source solution in combination with an ordinary stick, that's just what I'm using. Hey! I've put the commands for mounting and unmounting the stick in scripts called 'ms' and 'us' for greater convenience. It's still very inconvenient, of course: you have to type the name of the script and the passphrase. Ah, why is life so hard?