Re: [p2p-hackers] Verifying Claims of Full-Disk Encryption in Hard ?Drive Firmware
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Misdirected a reply to Eugen instead of the list a week ago. I don't think this will correctly reply, because I wasn't subscribed to this list at the time.
Without wanting to sound too facetious, and mostly out of curiosity, what does FIPS 140 have to do with the threat modelling you've done? It doesn't address the vast majority of the stuff you've listed, so the threat-modelling is kind of a non-sequitur to "starting with FIPS 140". If you wanted to deal with this through a certification process you'd have to go with something like the CC (and an appropriate PP), assuming the sheer suckage of working with the CC doesn't tear a hole in the fabric of space-time in the process.
I used whatever documents I could find to get as much information about the drive as possible. That was the marketing material (which obviously didn't help much), and the FIPS-140 document (which did have some technical information). If I could use the Common Criteria or Protection Profile document, I'd love to - but I'm not sure how to get those or go about requesting them (besides just calling and asking.) I may be naive, having never dealt with FIPS validation, but I kind of hoped/assumed that things that were insecure wouldn't be approved. I'm using insecure casually, basically meaning "If I steal your laptop, can I recover your data for under a couple thousand dollars?' If that is possible, and within the reach of a hobbyist (or organized crime, minor government, etc) - I would expect it not to be approved. And if it was approved, I'd expect the approval to be in error. Maybe I'm wrong about the approval process - I've never been involved with it. I'm just approaching it from the perspective of 'Should I trust this?' and using the FIPS-140 approval to gain a little intel and make a good starting point for a hard drive to start with. - -tom -----BEGIN PGP SIGNATURE----- iEYEARECAAYFAk7CZtIACgkQJZJIJEzU09tXGgCfWGpYlVM6ckNLHXWWTcb2iQ/m bB8An0Dou7yNwxoL4jbEX9iLVJd4FF/K =tZFi -----END PGP SIGNATURE-----
participants (1)
-
Tom Ritter