Hackers at a security conference failed to break into Via Technologies’ StrongBox security application during a competition. The Taiwanese microprocessor vendor offered a $5000 (EUR 4157) prize to any hacker who could break into StrongBox, a secure virtual hard drive of up to 40GB designed to protect data from computer intruders. Announced on Tuesday, the application uses a combination of hardware-based SHA-1 and 256-bit AES encryption.
It’s not a question of money but rather a question of time. Give’m time and they’ll break it. If a human built it, another one can crack it.
Maybe true. But if it takes 100 years to break into, the data most likely would be worthless then. It doesn’t have to be completely unbreakable, just take a very long time to do so.
Except that to do this now might take 100 years, but in 5 years it could take 1 year or less… So you replace the encryption on your data every x years?
lol @ 100 years
chances are pretty good this technology will be almost laughable in 10-15 years.
Maybe with current technology it would take 100 years.
yeah. you hit the nail on the head (probably)
Too true, the security will be tested over a long period of testing and tinkering. Contests against new technology are obviously not going to yield any results, as no one has researched the targets yet.
I could see how this would be a good way of securing sensitive data. AES is the leader at the moment in symmetric encryption, so cracking it would be pretty hard; assuming a good key was picked. Picking a secure password these days is getting increasingly hard as computers can run through tests rapidly.
The choice of SHA-1 is a bit unnerving though, given that a flaw, rumoured in August of last year, was confirmed earlier this year. It’s “good enough” at the moment, but most people are moving up to SHA-256 and even SHA-512.
What’s really encouraging about this though is that a company opened their product to the public (albeit on a limited basis) and made no attempt to hide the flaws discovered. That’s the best way to move forward, now that data increasingly has significant monetary value.
Where is FORUM
I wonder how VIA’s StrongBox would hold up if they gave a few out to the crypto/security community for, let’s say, 6 months.
Usually when a company offers a cash reward for breaking the security in one of their products it’s a publicity stunt.
do you think this is useless compared to quantum cryptology???? are we already using quantum cryptography???
-2501
The really good hackers will pass on the $5,000 prize. They’ll wait till they find one that’s loaded with credit card numbers.
Actually a lot of “hackers” have some sort of code of ethics, many of them find security holes and file bug reports before going public about the security holes a week or month later depending on what they think is fair warning time.
To me it sounds like you’re saying that “hackers” can’t be good at what they do and have a reasonable code of ethics at the same time. Sure, there’s probably some out there like that, but definitely not all of them. I tend to think that the majority of “hacking” is done for practise, recreation, learning, or because of curiosity, not because of malicious intent. In my opinion people hear about cases of “hackers” being involved in vandalism and “cyber-crime” more often because that’s the kind of stuff that makes it to the news.
BTW. I put quotation marks around hackers and hacking because that’s what you called them, not what I would call them. Originally hackers used to be people who were good on computers (usually programmers), it wasn’t until the news started calling “cyber-criminals” hackers that the term became used for people who circumvent security. I’m still somewhat unhappy that the term was hijacked.
Why not just break into it with an axe?
j/k
It’s a hard drive that hardware-AES-encrypts your data using a SHA1 hash as the key. They’re right, it’s as unhackable as it gets. Though the amount of credit they took for that bothers me.
Unhackable? Heh, If I wanted to get into StrongBox, I’d install a trojan that grabs the password. I mean, why bother cracking it when it’s so easy to just subvert it?
Anyway, in the real world that’s how a cracker would do it.
I agree. At shows and events like this the machines are set up to be as secure as possible, access to them both remotely and physically is limited far more than would be the case in real world use, and they have professionals to monitor, maintain, and operate the boxes unlike what sits behind many work and home computers.
The box might have held up in a completely controlled environment, but let’s see how it survives out in the wild. Besides when companies spy on one another they usually get someone on the inside to compromise the computers at the source, and this is either going to be too complicated or too expensive for the average home user (who wouldn’t know how to protect/maintain it anyway).
Hackers are over-credited for strong encryption. These kinds of isolated systems are near-impossible to crack for the weak tools of the casual hackers. Basic distributed brute force attacks take hundreds of years for even these basic 256-bit cryptos. The only feasible attack is to steal the hard drive, and try to obtain the key using electronic measures. But this is not possible in this case either. Possibly the key is also inside the encryption IC.
Maybe one idea would be trying to guess the key using known input-output patterns but AFAIK AES does not have such weaknesses.
what’s a hacker?
i believe “cracker” was the word they were looking for….. but who’s watching.
Social engineering usually works in a few minutes if you ask the idiot nicely to reveal the PW, and if that option doesn’t work, then I’m afraid the nasty solution would follow if the data is known to be there and is very valuable.
In a way, just using such crypto advertises that something of interest is there, surely best to hide the strong stuff inside of something known to be very weak to suggest nothing much there and put another decoy system in front marked AESinside.
Of course, this is only good as long as you never hook the drive up to a computer. There is of course, a mechanism to read the data on the drive, and that is to be logged in with the proper password to access the drive in the first place.
This won’t stop someone from driving a Mack truck through a hole in the operating system. Once the OS is compromised, it doesn’t take long to separate a fool from his data.
But you have to really want it bad. So for most things this will work wonderfully.