FlyerTalk Forums


birdstrike Sep 13, 2007 12:21 pm

Self destructing USB drive.
 
Not sure it's useful to me, but I think it's cool. :)


Passwords can be hacked, but not the IronKey. It's built to withstand attacks both virtual and physical. 10 incorrect password attempts, and the encryption chip self-destructs, making the contents of the flash drive totally unreadable. The contents of the drive are filled with epoxy, so if a hacker tries to physically access the chips, he'd more likely damage them instead. Even if he did get access to the memory chips, they'd be worthless without the encryption chip. Electron-shielded, even a scanning electron microscope can't get inside.
http://www.thinkgeek.com/computing/drives/99f1/

UALOneKPlus Sep 13, 2007 12:28 pm

That's pretty cool.

I don't have any state secrets worthy of such high tech security though. :)

Bobster Sep 13, 2007 3:02 pm

Even better, use Write Only Memory (WOM).

http://en.wikipedia.org/wiki/Write_Only_Memory

Then you never have to worry about somebody getting your data. :D

Loren Pechtel Sep 13, 2007 8:56 pm


Originally Posted by Bobster (Post 8399101)
Even better, use Write Only Memory (WOM).

http://en.wikipedia.org/wiki/Write_Only_Memory

Then you never have to worry about somebody getting your data. :D

Eons ago, in the second computer class I ever took, there was an article on the wall of the classroom about a write-only memory device. Unlike the examples in the Wikipedia article, this wasn't truly write-only; it was a device that was fast to write and slow to read. It was used to store information that was unlikely to be needed but had to be kept just in case. (Such as the information to undo a failed operation.)

Platcomike Sep 14, 2007 6:36 am

Jack Bauer had a self destructing one. He "programmed" it to burn itself up if used in any other PDA than his.

I don't think the TSA would allow any USB drives with detonators through security. Or maybe since it isn't a liquid, it is OK.

Kevincm Sep 14, 2007 6:44 am

Corsair also do a "Padlocked" pendrive at http://www.corsair.com/products/padlock.aspx

It's a case of entering the PIN in before using it ....

*Good Morning Mr Phelps....Your mission, should you decide to accept it....... .... this pendrive will self destruct in 5 seconds* :D

birdstrike Oct 3, 2007 8:13 pm

So I bought a 4GB IronKey a couple of weeks ago. I really love this device.

Like most of us, I have dozens of accounts on-line, each with a unique ID/Password combination. Many of these accounts I access only rarely. Since I never write down passwords anywhere, and don't duplicate passwords, I often find myself in a lengthy password recovery process each time I need to access the account.

I now have access to all my password protected accounts from a device that lives in my pocket.

The IK comes with a password manager and a portable version of Firefox to allow portable sessions to be created from any system with a USB connection. Remove the IK and you remove your presence from that machine.

Access to the IK is via a single user-settable password. Data on the IK is protected by AES 256 encryption (Son of DES). Enter the password incorrectly 10 times and the data on the drive is physically, albeit silently, destroyed.

I know there are freeware programs like KeePass that can be loaded on conventional thumb drives, but they don't satisfy my sense of paranoia like the IK does. :D

It's not perfect, by any means, and I don't have 4GB of data that I need to protect, but it really suits my needs.

ShaneCulver Oct 3, 2007 8:58 pm

From painful experience, but not as painful as yours will be if .....
 

I now have access to all my password protected accounts from a device that lives in my pocket.
For your sake, back it up often.

(Speaking from experience, but not a fail ten times and it dies in front of your eyes painful experience. :eek: )

SC

birdstrike Oct 3, 2007 9:02 pm


Originally Posted by ShaneCulver (Post 8506064)
For your sake, back it up often.

(Speaking from experience, but not a fail ten times and it dies in front of your eyes painful experience. :eek: )

I'm seriously thinking of buying a 1GB IK for backup, though backing up to an unmarked DVD would also work.

Even if it died and I had no backups I could use the site password recovery tools like I always have.

pteron Oct 4, 2007 6:22 am

I'm afraid I don't see the point - if the encryption is any good (e.g. truecrypt) then it doesn't matter if they get your USB disk. It is secure against any number of password attempts.

skofarrell Oct 4, 2007 7:33 am

Chuck Norris already hacked it.

birdstrike Oct 4, 2007 8:30 am


Originally Posted by pteron (Post 8507471)
I'm afraid I don't see the point - if the encryption is any good (e.g. truecrypt) then it doesn't matter if they get your USB disk. It is secure against any number of password attempts.

That is true for today, but it is statistical security. The key might be broken on the first try. The key to security is to make it cost more to get the goods than the goods are worth.

If someone stole my laptop, and my laptop had an encrypted file with all my passwords, I would still feel compelled to go change all those passwords.

The IK also has a password generator, so my individual account passwords are now secure as well.

CPRich Oct 4, 2007 8:42 am

My firm handed out tens of thousands of devices like these - the Kingston DTE - about three years ago. Everything is encrypted and 10 failed attempts at the password re-formats the drive. We are required to use it for managing all client- and firm-related data. I don't know if it's physically secure (potted with epoxy), but the encryption should be as good on the bare chip as it is through the USB port.

I suppose throwing super-computer-class processing power at breaking the 256-bit AES hardware-based encryption is a possibility, but I'm not too worried.

gobluetwo Oct 4, 2007 8:44 am


Originally Posted by skofarrell (Post 8507761)
Chuck Norris already hacked it.

Chuck Norris doesn't need to hack things. He just stares at them until they give him the data.

asya999 Oct 4, 2007 8:48 am

This part doesn't seem very secure:

- If your Ironkey is lost, you can restore from a secure backup to a new Ironkey in minutes

(because I bet the backup machine doesn't self-destruct if someone tries to hack into it... not to mention all the people that have legitimate access to it)

CessnaJock Oct 4, 2007 8:57 am

I just had a weird thought - how do people who are concerned about security at such an extreme level account for the case where they are hit by the proverbial truck?

Does someone else have a copy of the key? How secure is it? Hidden under a stone in the fence by the big tree? In a safe deposit box? None of these are any more secure than the 256-bit key is.

I guess a trusted friend could keep an encrypted copy of the key on his/her computer - but how is it protected?

Strange game. The only winning strategy is to not play.

allset2travel Oct 4, 2007 11:11 am

I like to have my private data secured, but not sure self-destruct storage is the way to go. I use the simple but controversial (in corporate world) Microsoft Private Folder 1.0. Works OK.

ShaneCulver Oct 4, 2007 11:14 am

Bigger Concerns
 
If perchance

I just had a weird thought - how do people who are concerned about security at such an extreme level account for the case where they are hit by the proverbial truck?
happens ...... then they really don't care do they. They would be dead or in so much pain that they won't give a hoot. (Now their boss, wanting to access the final copy of their presentation, THEY WILL CARE .....)

Snicker,
SC

pteron Oct 5, 2007 2:18 am


Originally Posted by birdstrike (Post 8508085)
That is true for today, but it is statistical security. The key might be broken on the first try. The key to security is to make it cost more to get the goods than the goods are worth.

If the key is broken on the first try then it was a pretty stupid key and of course the self destruct mechanism on the USB key would also fail as 1 try is definitely less than 10 tries.

AES and its ilk have been extensively analysed by the best cryptographers in the world. Nobody (assuming they really want your data) is going to attempt to break your encryption by brute force; they will extract your password from you by fair means or fowl and in those circumstances your 10 attempt limit is irrelevant.

windwalker Oct 5, 2007 6:22 am


Originally Posted by pteron (Post 8512814)
...they will extract your password from you by fair means...

Do I hear booze and hookers in my future?


Originally Posted by pteron (Post 8512814)
.... or fowl and in those circumstances your 10 attempt limit is irrelevant.

they won't be robbin me if I duck fast enough...

Doppy Jan 15, 2008 8:18 pm

The device is marketed as allowing you to use untrusted machines, but it seems to me that it has significant limitations on them:

(1) You still have to enter your IronKey password in the clear. Allows for keyloggers to get your password, with which they have full access to your data.

(2) Once the device is plugged in and decrypted, the machine will have full access to your data - it can just make a copy of it.

(3) [for all machines] Is the backup to IronKey's computers optional or mandatory? How is the data secured in transit? Is it just HTTPS?

(4) [regarding the device] Has anyone independent verified the security of the device? Is the code open source?

colpuck Jan 15, 2008 8:55 pm

10 attempts, 10 fingers. Ohhh I can think of ways to get the password.

birdstrike Jan 15, 2008 9:13 pm


Originally Posted by Doppy (Post 9076679)
The device is marketed as allowing you to use untrusted machines, but it seems to me that it has significant limitations on them:

(1) You still have to enter your IronKey password in the clear. Allows for keyloggers to get your password, with which they have full access to your data.

You need the IronKey and the password to get access to the data on the drive. If a typical keylogger gets the password, it will have no idea what to do with it. Stored passwords are also a special case.


Originally Posted by Doppy (Post 9076679)
(2) Once the device is plugged in and decrypted, the machine will have full access to your data - it can just make a copy of it.

The password data remains encrypted. It is not possible to obtain the passwords by simply copying the files on the device. The passwords are not stored in the filesystem.

The password manager enters passwords directly into web pages, bypassing keystroke loggers.

As far as I can tell, if you store an unencrypted document on the IronKey, plug it into a compromised machine, and unlock the drive, malware could indeed copy the file somewhere else.

In any event, owning an IronKey does not absolve the user from practicing safe computing. It just makes it easier.


Originally Posted by Doppy (Post 9076679)
(3) [for all machines] Is the backup to IronKey's computers optional or mandatory? How is the data secured in transit? Is it just HTTPS?

It is optional. I don't know the transport mechanism, but it is SSL and only encrypted data is sent, so the transport probably doesn't matter.

Personally, I'm annoyed that the only way to backup passwords is to use the "quick backup" option which -does- use the Ironkey server. They are fixing that, but still. :mad:


Originally Posted by Doppy (Post 9076679)
(4) [regarding the device] Has anyone independent verified the security of the device? Is the code open source?

The device is being evaluated by DISA(?) I need to log in to check. The code has just been made open source.

https://learn.ironkey.com/faqs/

I'm quite pleased with mine. It has already logged quite a few miles with me. I can't see traveling without it.

coxta Jan 15, 2008 10:22 pm

Reminds me of a modern day Da Vinci cylinder.

Doppy Jan 16, 2008 9:57 am


Originally Posted by birdstrike (Post 9076979)
You need the IronKey and the password to get access to the data on the drive. If a typical keylogger gets the password, it will have no idea what to do with it. Stored passwords are also a special case.

Not if it both captures your keystrokes and copies the data off the device.


Personally, I'm annoyed that the only way to backup passwords is to use the "quick backup" option which -does- use the Ironkey server. They are fixing that, but still. :mad:
So you can't just make a copy to your computer? That seems like a major negative. When is that going to be fixed?

Have you tried the included Tor application? How well does that work?

birdstrike Jan 16, 2008 11:47 am


Originally Posted by Doppy (Post 9079883)
Not if it both captures your keystrokes and copies the data off the device.

It doesn't need to do both. A standalone keylogger is useless because the device the password uses is still (hopefully) on your person.

If it is a data-copying malware thing, then you have already unlocked the device by entering the password yourself.

Edit to say, the IronKey password is not part of the decryption process, so if you mean you could copy the encrypted data off the device, then use the keylogged password to read it later, that would not work. The password is only used to verify that you can access the real decryption key which is stored off the filesystem.


Originally Posted by Doppy (Post 9079883)
So you can't just make a copy to your computer? That seems like a major negative. When is that going to be fixed?

Yeah. I -really- don't like it. You can back everything up to your local drive, except for the passwords. However, in for a penny, in for a pound.

There is supposed to be a new software release this month and that is on the enhancement list. We don't yet know what will actually be addressed in the next release.


Originally Posted by Doppy (Post 9079883)
Have you tried the included Tor application? How well does that work?

Pretty transparently. It slows things down a smidge, but not bad. I do not usually enable it since I see no need to obfuscate my location at the moment.

Since the major search engines base some of their results on your location, Tor can generate some interesting results.
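
The arrangement described in the post above (the password only gates release of a key held inside the device, and ten misses destroy that key), as an added example that is not part of the original thread and not IronKey's code. `ToyToken`, `toy_cipher` and `offline_attempt` are hypothetical names, and the XOR keystream stands in for AES.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 10  # failure limit quoted in the thread


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream: a stand-in for AES, demo only."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class ToyToken:
    """Hypothetical device: random key held internally, gated by a password."""
    def __init__(self, password: str, plaintext: bytes):
        self.salt = os.urandom(16)
        self._verifier = self._stretch(password)
        self._key = os.urandom(32)  # random, NOT derived from the password
        self.flash = toy_cipher(self._key, plaintext)  # what a raw copy yields
        self._failures = 0

    def _stretch(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 10_000)

    def unlock(self, password: str):
        """Return the plaintext on success, None on a miss or after a wipe."""
        if self._key is None:
            return None
        if hmac.compare_digest(self._stretch(password), self._verifier):
            self._failures = 0
            return toy_cipher(self._key, self.flash)
        self._failures += 1
        if self._failures >= MAX_ATTEMPTS:
            self._key = None  # key destroyed; the stored ciphertext is now noise
        return None


def offline_attempt(flash_copy: bytes, salt: bytes, logged_password: str) -> bytes:
    """Ciphertext copy plus keylogged password, but no device to release the key."""
    guess = hashlib.pbkdf2_hmac("sha256", logged_password.encode(), salt, 10_000)
    return toy_cipher(guess, flash_copy)


def demo():
    secret = b"constructed sample: site logins"
    token = ToyToken("correct horse", secret)
    offline_ok = offline_attempt(token.flash, token.salt, "correct horse") == secret
    for i in range(MAX_ATTEMPTS):
        token.unlock(f"wrong-{i}")
    return offline_ok, token.unlock("correct horse")
```

`demo()` returns `(False, None)`: the keylogged password fails against a ciphertext copy made without the device, and the correct password fails once ten misses have wiped the key. A successful `unlock` still hands plaintext to the host, which is the exposure raised in point (2) earlier in the thread.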

Doppy Jan 16, 2008 3:03 pm

I'm heavily leaning towards one of these, but I was a bit miffed when I found out that they chose to go with AES 128 instead of 256.

AES 128 is only certified by the NSA for SECRET, whereas I consider my FlyerTalk password to be TOP SECRET. :( (Of course, since FT doesn't provide a secure login, this may be moot.)

While brute forcing AES 256 would require more energy than is available in the universe, brute forcing AES 128 would not. :(

falconea Jan 16, 2008 5:10 pm


Originally Posted by coxta (Post 9077277)
Reminds me of a modern day Da Vinci cylinder.

I use a secure solid metal cryptex to hold copies of all of my and Mr Falconea's important passwords.

It sits on the mantelpiece. If it goes missing I will change all the passwords. If I travel it goes into my bank's vault.

It's a pretty nifty device. It can of course be cut open, but this would be kind of noticeable since I physically see it every day. It can't be easily opened without the password for it - the combination has many false notches to prevent any attempt to just feel where the notches are.

Audrey

falconea Jan 16, 2008 5:15 pm

Duplicate, sorry!

iCorpRoadie Jan 16, 2008 5:26 pm

That's cool. Could be useful to put copies of all your passport, DL, visas, CCs, etc. on it and take it when traveling.

falconea Jan 16, 2008 5:35 pm


Originally Posted by iCorpRoadie (Post 9082946)
That's cool. Could be useful to put copies of all your passport, DL, visas, CCs, etc. on it and take it when traveling.

It's a few pounds of solid metal. Would probably upset security enormously.

Audrey

birdstrike Jan 16, 2008 8:34 pm


Originally Posted by falconea (Post 9083001)
It's a few pounds of solid metal. Would probably upset security enormously.

falconea, That's very cool! Since I studiously ignored all things Da Vinci Code, I'm really glad you provided the link! ^

I know just the person who would like this as a present.

Still, as you say, not exactly a portable password memory device.

iCorpRoadie, That is a great idea! I'm going to scan in my passport, DL, medical insurance card, and, heck, birth certificate, and keep them on my IronKey when I travel.

falconea Jan 17, 2008 6:06 pm


Originally Posted by birdstrike (Post 9083870)
falconea, That's very cool! Since I studiously ignored all things Da Vinci Code, I'm really glad you provided the link! ^

Ah, the link! http://www.cryptex.org/h_home.htm

Justin also makes cheaper "replicas" which can be found here: http://www.cryptex.org.

Here is a picture of my good cryptex: http://www.bluering.org.au/leon/cryptex7935.jpg

I also popped them on my kitchen scale last night - my good one is just under 4 lb, and my replica is just under 3 lb.

Be warned - they aren't cheap!

Audrey

birdstrike Jan 17, 2008 6:16 pm


Originally Posted by falconea (Post 9089638)
Here is a picture of my good cryptex: http://www.bluering.org.au/leon/cryptex7935.jpg

Very pretty!

kenwood Jan 18, 2008 10:22 pm

Aka James Bond USB drive.


All times are GMT -6.