Another Snake Oil Candidate

Aram Perez aramperez at mac.com
Wed Sep 12 23:18:22 EDT 2007


Hi Jerry,

I accidentally sent this response in HTML last night which was bounced.  
So here it is again.

On Sep 11, 2007, at 2:18 PM, Leichter, Jerry wrote:

> | The world's most secure USB Flash Drive: <https://www.ironkey.com/demo>.
> What makes you call it snake oil?  At least the URL you point to says
> very reasonable things:  It uses AES, not some home-brew  
> encryption; the
> keys are stored internally; the case is physically protected, and has
> some kind of tampering sensor that wipes the stored keys when  
> attacked.

I don't know about you, but when I hear terms like (please pardon my  
cynicism):

	"with today's most advanced security technology"
	"advanced Internet protection for securing your passwords and browsing"
	"with military grade AES encryption" - Hum, I'll have to ask NIST  
about that.
	"it initiates a self-destruct sequence" - Begin auto-destruct  
sequence, authorization Picard-four-seven-alpha-tango...
	"a harden version of Mozilla's Firefox browser" - Where can I  
download that version?
	"to circumvent keylogging spyware" - More on this later...
	"you can enable high speed, stealth browsing technology"
	"for the ultimate data protection"
	"to prevent criminals from getting to the internal hardware  
components" - But not PhD graduate students...
	"this makes the IronKey not only tamper-proof but waterproof far  
beyond military standards" - Well I'm glad a Navy Seal can't break it.
	"this gives you online and off-line protection for today and tomorrow"
	"While the underlying security technologies are complex" - Joe  
Customer is just too dumb to understand it.
	"The first time you plug it in, you initialize it with a password" -  
Oh, wait until I disable my keylogging spyware.
	"You enter that password to unlock your secure files" - Did I  
disable my keylogging spyware?
	"The result of years of research and development by leading security  
and industry experts" - But not by marketing department...
	"With unparalleled security in the palm of your hand" - Imagine all  
that security in the palm of my hand!

Yes, the term "snake oil" comes to mind. And it's only $79 with "1  
Year of Internet Protection"!

> In fact, they make some of the same points:
>
> 	Your IronKey is literally packed with the latest and most
> 	secure encryption technologies, all enabled by the powerful
> 	onboard Cryptochip. Rather than employing "homegrown"
> 	cryptographic algorithms that have not undergone rigorous
> 	cryptoanalysis, IronKey follows industry best practices and
> 	uses only well-established and thoroughly tested
> 	cryptographic algorithms.
> 	
> 	All of your data on the IronKey drive is encrypted in
> 	hardware using AES CBC-mode encryption.
> 		
> 	
> 	   1. Encryption Keys
> 	   2. Always-On Encryption
> 	   3. Two-Factor Authentication
> 	
> 	Encryption Keys
> 	
> 	The encryption keys used to protect your data are generated
> 	in hardware by a FIPS 140-2 compliant True Random Number

As opposed to a FIPS 140-2 compliant False Random Number Generator.

> 	Generator on the IronKey Cryptochip.  This ensures maximum
> 	protection via the encryption ciphers. The keys are
> 	generated in the Cryptochip when you initialize your
> 	IronKey, and they never leave the secure hardware to be
> 	placed in flash memory or on your computer.

Protected by a password that is entered on whatever PC you plug the  
IronKey into and that is somehow auto-magically protected against all  
keylogging spyware that may exist on that PC.

>
> 	Always-On Encryption
>
> 	Because your IronKey implements data encryption in the
> 	hardware Cryptochip, all data written to your drive is
> 	always encrypted. There is no way to accidentally turn it
> 	off or for malware or criminals to disable it. Also, it runs
> 	many times faster than software encryption, especially when
> 	storing large files or using the on-board portable Firefox
> 	browser.

"Decrypting your files is then as easy as dragging and dropping them  
onto the desktop" and by any malware that detects that the IronKey is  
present and has been unlocked and copies the files to a hidden folder.

> 	Two-Factor Authentication
>
> 	Beyond simply protecting the privacy of your data on the
> 	IronKey flash drive, the IronKey Cryptochip incorporates
> 	advanced Public Key Cryptography ciphers that allow you to
> 	lock down your online IronKey account. That way you must
> 	have your IronKey device, in addition to your password, to
> 	access your online account. This highly complex process runs
> 	behind the scenes, giving you state-of-the-art protection
> 	from phishers, hackers and other online threats.
>
> The management team lists some people who should know what they are
> doing.  They have a FAQ which gives a fair amount of detail about
> what they do.

Well, they are letting the marketing department sell snake oil.

> I have nothing at all to do with this company - this is the first I've
> heard of them - but it's hardly advancing the state of security if
> even those who seem to be trying to do the right thing get tarred as
> delivering snake-oil.

I do not have anything to do with them nor with any of their  
competitors. I'm sure many of the other organizations previously  
mentioned as selling snake oil had many hard working engineers that  
were trying to do the right thing also.

> If you know something beyond the publicly-available information about
> the company, let's hear it.  Otherwise, you owe them an apology -
> whether they actually do live up to their own web site or not.

I ran across the company because they had an ad on a web page I had  
visited. Their ad raised my curiosity and I looked at their web site.  
I stand by my opinion that they are selling security snake oil. They  
imply that you can use an IronKey with any PC and be completely safe.  
That is false. You are free to disagree.

Respectfully,
Aram Perez

P.S. I did give them feedback about keylogging spyware and passwords.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com