Just another brick in the wall of tech vendors not being able to design any single working product. Honestly, hardly any product I purchased in the last years ever lived up to its specifications. While in most cases the ASICs or SoCs were adequate, esp. SEA vendors tend to completely screw up firmwares/firmware design, no matter if it's MP3 players, DVD players, cell phones and what not. So, this comes as no surprise at all (imho); but if we agree on this being a 'backdoor' for recovery, what can be expected as quality of the entropy used for this backdoor?

And then take a look at the article - as little as 50,000-something iterations for PBKDF2. I would never accept such a low value on a productive system.

-Sven

On Tue, September 13, 2011 02:12, Arno Wagner wrote:
> On Tue, Sep 13, 2011 at 01:57:26AM +0200, Milan Broz wrote:
>> On 09/13/2011 01:15 AM, Jorge Fàbregas wrote:
>> > I'd like to share this article that came up about a month ago
>> > regarding Verbatim's NAS that uses LUKS:
>> >
>> > "Backdoor suspected in Verbatim's crypto NAS"
>> >
>> > http://www.h-online.com/security/news/item/Backdoor-suspected-in-Verbatim-s-crypto-NAS-1315921.html
>>
>> *shrug*
>>
>> Not the first time, similar (even worse) issue, different vendor,
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3200
>>
>> Milan
>
> As I am a reader of c't, I have been on the lookout for a
> followup. I am not aware of any.
>
> I agree with Milan that this is not shocking or unexpected,
> commercial vendors often get security wrong or make unacceptable
> trade-offs in the name of simplifying customer support or product
> design.
>
> The CVE is a very good example.
>
> The bottom line is that for secure storage the implementor
> has to know really what they are doing and must be honest.
> This typically means you have to find out and do it yourself.
> Even if you have the money and can buy consulting, you still
> need to find people that have these qualities. Unfortunately
> that is not easy.
>
> Arno
> --
> Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email:
> arno@xxxxxxxxxxx
> GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25
> 338F
> ----
> Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
>
> If it's in the news, don't worry about it. The very definition of
> "news" is "something that hardly ever happens." -- Bruce Schneier
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@xxxxxxxx
> http://www.saout.de/mailman/listinfo/dm-crypt
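Sven's objection to a fixed 50,000 PBKDF2 iterations is easier to judge with numbers. The following added example (not code from the thread or from cryptsetup) benchmarks PBKDF2-HMAC on the local host and derives the iteration count a time-based selection such as cryptsetup's --iter-time would pick, so the cost of the fixed count can be compared with it; the 1-second target, the probe size and the floor of 1,000 iterations are assumptions made here.

```python
import hashlib
import os
import time

# Added example, not from the thread or from cryptsetup: compare a fixed
# PBKDF2 iteration count with one selected from a benchmark, the way LUKS
# chooses a count that costs a target wall-clock time (--iter-time).

FIXED_ITERATIONS = 50000   # the count the article criticises (from the thread)
TARGET_MS = 1000           # assumed unlock-time target, like cryptsetup's default
MIN_ITERATIONS = 1000      # assumed floor so a fast host never picks a tiny count


def pbkdf2_rate(hash_name="sha256", probe_iters=20000, key_len=32):
    """Measure PBKDF2-HMAC iterations per second on this machine."""
    salt = os.urandom(32)                       # benchmark-only salt
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(hash_name, b"benchmark-only", salt, probe_iters, key_len)
    elapsed = time.perf_counter() - start
    return probe_iters / max(elapsed, 1e-9)     # guard against a zero timer tick


def iterations_for_target(rate, target_ms=TARGET_MS, minimum=MIN_ITERATIONS):
    """Iteration count that costs target_ms at the measured rate, never below minimum."""
    return max(minimum, int(rate * target_ms / 1000))


def cost_ms(iterations, rate):
    """Wall-clock cost in milliseconds of one passphrase try at this count."""
    return iterations * 1000 / rate


def main():
    rate = pbkdf2_rate()
    chosen = iterations_for_target(rate)
    print(f"PBKDF2-HMAC-SHA256 on this host: {rate:,.0f} iterations/s")
    print(f"fixed {FIXED_ITERATIONS:,} iterations: {cost_ms(FIXED_ITERATIONS, rate):.1f} ms per guess")
    print(f"{TARGET_MS} ms target would select {chosen:,} iterations "
          f"({chosen / FIXED_ITERATIONS:.1f}x the fixed count)")


if __name__ == "__main__":
    main()
```

The ratio printed on the last line is the point: a count fixed at firmware build time stays constant while the benchmark-derived count grows with the hardware an attacker can bring to bear.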