Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×

Is the U3 Smart Drive Encryption Any Good? 61

Carlos asks: "I was searching encryption software for USB pen drives, and came across the U3 Smart Drive platform which offers portability and privacy through software and hardware. There are already several well-known hardware manufacturers offering U3 Smart Drives. Do they are really better than a plain USB drive plus encryption software such as TrueCrypt or it's just marketing hype?"
This discussion has been archived. No new comments can be posted.

Is the U3 Smart Drive Encryption Any Good?

Comments Filter:
  • PC Magazine Review (Score:5, Informative)

    by tgtanman ( 728257 ) on Sunday August 20, 2006 @12:01AM (#15942888)
    PCMag did a review [pcmag.com] of the U3 technology (though the review is almost a year old)
  • u3 just doesn't work (Score:5, Informative)

    by cliffhanger407 ( 974949 ) on Sunday August 20, 2006 @12:05AM (#15942899)
    U3 doesn't work any better than any other encryption. in fact, if anything, a corporate level encryption is always going to have better product quality control than U3. Plus, U3 doesn't work on probably 50% of the machines i have to put it into (tech support=putting in jump drive 50+ times a day), which means that if it doesn't work then there's no way to get it unencrypted. Basically any computer system which doesn't permit access to the AppData folder means it doesn't load the U3 software. (It claims it doesn't install anything, but it's definitely there). The other thing is that there are a lot of programs which just don't like U3 and will crash it even if you have the right permissions. Plus, it doesn't work on mac or linux.
    • by tropicdog ( 811766 ) on Sunday August 20, 2006 @12:38AM (#15942977)
      "Plus, U3 doesn't work on probably 50% of the machines"

      I totally agree, in many Corporate environments these are going to be functionally useless. A recent helpdesk case I worked on involved one of these U3 drives. Because U3 basically creates a partition that tells Windows that it is a read only CDROM format, CD burning software would not function at all and Windows (Win2000 in this instance with limited user rights applied) totally locked up until the U3 drive was removed.
      Management gave me a 1GB version to use on the job. I was annoyed with the auto-launch feature it provided and promptly searched for and downloaded the U3 removal utility. I gained the space that U3 occupied on the drive and can use it on any computer in our environment w/o problems.
      • by Wilk4 ( 632760 )
        I had a similar experience. Just plugging a new thumb drive with U3 s/w on it into my home PC would cause it to completely lock up. (winxp-pro, updated).

        It would work on some other PCs, but I basically wanted it for storage, so ended up removing the U3 stuff rather than going through an extended debug process to get it working on my PC. Works fine now as a straight storage drive without the U3.

  • I am thinking about purchasing some of these for my team members at work, but I couldn't figure out what the differences are between U3 and Migo. I also can't find any 4GB U3 thumbdrives - the largest I could find was 2. Anyone know what the pros and cons of the two formats are?
    • don't know much about migo, but i've got a 4gb sandisk cruzer micro in my hand with u3 on it. i don't recommend u3 at all and maybe migo's different, but the first thing i ever do on these drives is uninstall the preinstalled software.
    • by Goggi ( 2124 )
      I got the Sandisk 4GB Cruzer Micro with U3 but got rid of the U3 part as it was mostly annoying. Other than that it's a convenient, spacey usb-stick with ok speed. For the current price (~110 in Sweden) I'd recommend it.
    • by pyrote ( 151588 )
      Actually Migo is a subset program of U3... it's a desktop sync program. AFAIK it has a non u3 counterpart. also, to be honest, I wasn't impressed with the combo as I had it all setup perfectly, then a stupid glitch made the U3 drive useless on my main machine.

      I promptly ran the un-intaller and never looked back.
    • by chabo29 ( 996978 )
      U3 is a platform and Migo is a standaolne application. I have a U3 Drive and I also tried Migo with it and some other applications. I needed an application to sync my Outlook between different PCs since I don't have an exchange server and the only application that allowed me to do that on a U3 Drive was Carry it Easy +Plus http://software.u3.com/Product_Details.aspx?Produc tId=179&Selection=1&Lang=en-US&Position=ENHPFS2F [u3.com] The software also has 128 bit AES encryption and makes your data sufficien
  • Go look for the Geek Squad U3 Remover immediately.
    • Re: (Score:3, Informative)

      by NMThor ( 949485 )
      To uninstall, check out FAQ #6 @ http://www.u3.com/support/default.aspx [u3.com]
      • Re: (Score:2, Informative)

        Oh, didn't know about that. When I was trying to remove that crap I did a Google search and ended up on an Ars page which told me to use the Geek Squad's remover.
    • by stuuf ( 587464 )
      You really need a remover program for that? what's wrong with a simple dd if=/dev/zero of=/dev/sdX ?
      • Re: (Score:3, Interesting)

        by gweihir ( 88907 )
        What's wrong with a simple dd if=/dev/zero of=/dev/sdX

        While personally I feel this is the way to go (I would use dd_rescue, but that does not matter), it seems the level of insight needed to understand and do this simple and clear operation is not available to the general public.

        It seems people do not want to do things that can be understood easily. They want to do things that look easy, i.e. click some button or run a programm that does a single, highly speciaalised operation and takes no parameters.
        • It seems people do not want to do things that can be understood easily. They want to do things that look easy, i.e. click some button or run a programm that does a single, highly speciaalised operation and takes no parameters.

          Easy with the generalizations. For what it's worth, "dd if=/dev/zero of=/dev/dsX" takes up some amount of mental storage, be it rote memory or full-out understanding. That little piece of knowledge itself is a fairly highly specialized operation. OTOH, a well designed UI with a button

          • by gweihir ( 88907 )

            Easy with the generalizations. For what it's worth, "dd if=/dev/zero of=/dev/dsX" takes up some amount of mental storage, be it rote memory or full-out understanding. That little piece of knowledge itself is a fairly highly specialized operation. OTOH, a well designed UI with a button that says "click me, and I'll fix your problem" saves the average joe from the necessary year (or so) of learning required to have the contextual foundation to appreciate what "dd" even is, let alone how to use it.

            Well, yes. B

            • The [button] is convenient, but leads to incompetence and dependency.

              It may well happen that a basic understanding of a computer's permanent vs. volatile storage choices go down in history alongside reading, writing, and math. I could get on board with that. And, believe me, I truly appreciate 'dd' being present for the power-geeks to get to. The big limitation that a lot of people have is not a lack of access to information (as was more the case in the middle ages where the skills of reading and writing w

        • Re: (Score:1, Informative)

          by Anonymous Coward
          FYI, I tried this on my U3 drive and it didn't work. Only the removal utility seemed to get rid of it. My guess is that U3 is more than just software - there must be some firmware-level thing that reserves its disk space and emulates a CD-ROM drive...
      • A U3 drive is two partitions by default. One of them, the one with U3 itself on it, is read-only.
        • by stuuf ( 587464 )
          AFAIK, there is no such thing as a read-only partition. The U3 partition is just a partition formatted with ISO9660; and Windows can only read (not write) that filesystem since it was designed for read-only CD media. I assume all the remover tool does is erase the partition table and add one partition covering the entire device and format it with FAT. I don't get why slashdot users seem to have been completely lost and confused before they found the remover tool.
          • When you try to erase things in that way, it'll pop right back up next time you install Windows. Why is it so hard to understand that even slashdotters don't always like to use 1337 7r1ck5 to just GET THE FUCKING THING OFF THE DRIVE?
  • U3 Pro's and cons (Score:5, Informative)

    by DarkMantle ( 784415 ) on Sunday August 20, 2006 @12:12AM (#15942916) Homepage
    Lets cover some U3 Pro's and cons (I have a U3 USB Drive from Geek Squad)

    Pro - Portable Apps, including firefox and thunderbird so your cookies aren't left behind when you do online banking at a public computer.
    Con - Only works on WinXP

    Pro - password protect your data so that confidential information is not easily accessable.
    Con - a script could continue to try passwords from a list in an attempt to login.

    Basically, the password protection stops the U3 drive from showing the volume. But multiple attempts to login do not result in time delays, or lockouts. Basically a script could keep the autorun going and sending different words or key presses until it gains access. Brute force kind of behaviour.

    But the drive will say "insert a disk into drive X:" if the password is not entered.

    So, not bad, never tried hacking it, but it could potentially be brute forced.
    • Re:U3 Pro's and cons (Score:4, Informative)

      by Professor_UNIX ( 867045 ) on Sunday August 20, 2006 @03:26AM (#15943272)

      Pro - Portable Apps, including firefox and thunderbird so your cookies aren't left behind when you do online banking at a public computer.
      Con - Only works on WinXP

      But there's certainly nothing stopping you from using Portable Firefox or Portable Thunderbird or Portable OpenOffice on a regular flash drive, and "U3 Technology" only works with certain U3-aware applications so it's not like you can encapsulate any program and make it U3-aware. I figured right away this was a completely useless feature and blew it away using the uninstaller [u3.com]. Unfortunately you seem to need a Windows box to run the uninstaller so I had to go hunt one down to remove this garbage since I use Macs 99% of the time.
    • Unless I'm very wrong, brute-forcing can be pretty easily averted by simply using a long enough password. Last I checked, 8 chars is secure.

      Remember, if it's a standard USB drive, then as I understand it, any software mechanism to force things like time delays would be easily circumvented by simply not using that software. But then, I hear things like "doesn't work on Mac/Linux", so that makes me think it's not quite standard, so maybe they could force something like this in hardware?
      • Re:U3 Pro's and cons (Score:4, Informative)

        by jmorris42 ( 1458 ) * <{gro.uaeb} {ta} {sirromj}> on Sunday August 20, 2006 @09:59AM (#15943915)
        > Unless I'm very wrong, brute-forcing can be pretty easily averted by simply using a long enough password. Last I checked, 8 chars is secure.

        Wrong. 500 characters wouldn't secure a piece of crap like that. It is software only encryption, written by people who almost certainly don't understand the concept, and sold to people who don't understand that putting a flash drive in some random PC at an Internet cafe is unsafe.

        Don't you people understand what that means? Odds are the password gets XORed with something lame and stored on the flash drive. Only a matter of time before somebody gets around to disassembling the crapware Win32 executable and writing a point and shoot password extraction program. Yes they COULD have done the crypto right but we know they didn't... or should know by now. After all they need a back way in themselves so they can unlock drives when somebody forgets their password and whines long enough on the support lines or when some LEO is looking for kiddie porn.
        • You just prove my point. There's no point in brute-forcing, and you haven't convinced me that it would be possible to brute force it.
  • by HaloZero ( 610207 ) <protodeka&gmail,com> on Sunday August 20, 2006 @12:34AM (#15942964) Homepage
    All of ten minutes and a copy of Acronis yielded the sum of the data on an 'encrypted' U3 Cruzer disk. All the password protection thing does is prevent the drive from mounting correctly in Windows.

    I didn't bother testing the drive on my mac before I just blew the U3 partition away.
    • Re: (Score:3, Informative)

      I'm beginning to agree with you that U3 security is a joke. After googling for about 10 minutes here I've not been able to find much 'real' information on the security of U3. Its all press releases loaded with buzzwords, and no whitepapers telling how the drives work and which encryption standards are present.

      That concerns me, encryption is far eaiser to get wrong then right. On the TrueCrypt forums they are pretty good at telling you how bad there dog food is, and how to to lessen these risks. I'll stick w
    • by gweihir ( 88907 )
      All of ten minutes and a copy of Acronis yielded the sum of the data on an 'encrypted' U3 Cruzer disk. All the password protection thing does is prevent the drive from mounting correctly in Windows.

      Well, that does not make it a joke, but a lie. I believe this should a) get them fined b) make them liable if somebody trusts the thing and gets burned.

      I don't think that bad crypto should make them liable, but claiming crypto and then having none should.

      Maybe bad products like these are the source of the common
      • by SanityInAnarchy ( 655584 ) <ninja@slaphack.com> on Sunday August 20, 2006 @08:15AM (#15943713) Journal

        You know there is always a better or faster or cheaper way. With this program it is the same as with a car. There is no 100% protection, but it help's a lot to lock it.

        </sarcasm>

        Actually, the WebSafe [websafe-acs.com] "Website Encryption" is much better for keeping away "prying ices" than U3. At least WebSafe actually does some kind of encryption, even if the decryption algorithm and the keys are right there in the source code for everyone to see. U3, on the other hand, at least appears to claim encryption where there is none. I'll direct you to their website [u3.com], where they claim:

        The U3 platform is designed to leave no trace of the user's data or application usage on the host computer after the smart drive is removed. The U3 platform also supports the creation of security solutions to protect the privacy and security of user data and applications. These solutions include encrypted files and folders, and sign-on and password protection and management.

        Oh, I get it. They "support the creation" of encryption, when actually, if you look at their smart drive page [u3.com], the word "encryption" is nowhere to be found. Instead, it's all about "Password Management" -- so they keep themselves clean, but it's obviously confusing enough to fool customers, especially when others [verbatim.com.au] claim "Secure data encryption" on what they call a "U3 Smart Drive", although I can't figure out whether Verbatim is wrong/lying or whether they've simply taken the existing U3 software and actually added encryption.

        Or maybe there's some other loophole. But even if I wasn't planning on using the encryption, I wouldn't do business with these jokers. (U3, not necessarily Verbatim.) It's clearly designed to fool people into thinking they're getting something they're not, which really makes them no better than the WebSafe moron -- and perhaps significantly worse, as the WebSafe guy may actually still believe his product is worth something.

  • Read this thread. [slashdot.org]

    Funny how the timing works out. One of the U3 techs stopped in here, and responded to comments and questions. Interesting answers.. (And yes, I made a fool of myself at the beginning.)
  • by kasperd ( 592156 ) on Sunday August 20, 2006 @02:30AM (#15943188) Homepage Journal
    TrueCrypt makes use of tweakable block ciphers. The idea with tweakable block ciphers is good, but it is no magic bullet. And unfortunately TrueCrypt reuse the tweaks every time the same sector is overwritten, which means the proofs for security of tweakable block ciphers does not apply to TrueCrypt. Depending on the attack scenario this may a threat. Using a USB stick is going to make this problem worse.

    It is not the USB protocol which is a problem, but rather the fact that a USB stick store the data in flash using a wear leveling algorithm. That means that even though from TrueCrypt's point of view it is writing to the same sector number, it is physically writing to different flash cells. This again means, that for some time both the old and the new version may physically exist in the storage. This means anybody who are able to read the physical flash cells without going through the wear leveling code will have access to the necesary data to exploit this weakness.

    I don't know anything about U3, so I cannot tell you for sure if it is better or worse than TrueCrypt. But with the number of weaknesses which have been seen in storage encryptions, I'd expect anything new to have a few of its own. In spite of the minor weakness in TrueCrypt, I'd still perefer that over something with weaknesses I don't know about.

    My advice for encryption on USB sticks is to not rely on transparent encryption and rather use something like GPG. Of course combining TrueCrypt and GPG is not going to harm security. GPG encrypted files on a TrueCrypt encrypted storage should be pretty safe.
    • You can add one more step to improve security on USB drives in your scenerio, but it comes out of the USB drives life expectancy.

      Get a program like Eraser [heidi.ie] (free, but for MS operating systems). Choose erease free space after installing. This will fill the remaining space on the drive with files, then overwrite them to the security level you choose. I would recommend only doing a single pass psudeorandom free space wipe, but do it every time before you remove the drive from the computer.

      Is there any spec

      • Re: (Score:3, Informative)

        by kasperd ( 592156 )

        Choose erease free space after installing. This will fill the remaining space on the drive with files, then overwrite them to the security level you choose.

        I agree this will add a little bit of security. But as this happens on a higher layer than the wear leveling, there is no guarantee that it will actually overwrite the physical locations you are interested in overwriting. Of course if you do multiple passes, I'd expect the wear leveling to spread them evenly over all locations including the ones you need

        • I agree this will add a little bit of security. But as this happens on a higher layer than the wear leveling, there is no guarantee that it will actually overwrite the physical locations you are interested in overwriting. Of course if you do multiple passes, I'd expect the wear leveling to spread them evenly over all locations including the ones you needed wiped. And BTW you don't need any unfree software to do it, you can just create a file filling all free space and then use the wipe command.

          If it fills

          • by kasperd ( 592156 )

            If it fills ALL the free space on the drive, then pigeonhole principle says the cells you wanted to overwrite were overwritten.

            The point is, that the size of the media depends on what level you are looking at. The wear leveling requires some extra physical space (I don't know how much), so the logical size which the USB unit reports to the system is smaller than the physical flash size. This means if you overwrite all sectors on the logical layer seen by the computer, you have not overwritten all of the phy

    • by gweihir ( 88907 )
      This means anybody who are able to read the physical flash cells without going through the wear leveling code will have access to the necesary data to exploit this weakness.

      Good point. I assume this is actually aa problem of tweakable block ciphers? Since ordinary ciphers need to be secure when you get different data encrypted with the same key. Otherwise the simple attack on any sector-based encryption would be to read the raw data at different times....
      • Re: (Score:3, Informative)

        by kasperd ( 592156 )

        I assume this is actually aa problem of tweakable block ciphers?

        Not really. If you just used an ordinary cipher instead of a tweakable cipher, the problem would be much worse. However using an ordinary cipher in CBC mode does not have this problem. CBC is a probabilistic encryption, which means same data encrypted more than once will produce different data. But this also means data grows, which is inconvenient for a transparent storage encryption.

        Tweakable block ciphers is an elegant solution for this pro

        • by gweihir ( 88907 )
          The impact of the weakness may differ from the worst encryption leaking everything to the best encryption leaking only the sector number of writes and when a write is identical to something that earlier existed in the same sector.

          Ok, now I see what you mean. For example CBC with fixed IV leaks more, possibly even a file fingerprint. In comparison EME or ABL mode only leak whether a sector is the same as before. There was quite an interesting discussion about this on the dm-crypt mailing list. (Interesting t
          • by kasperd ( 592156 )

            For example CBC with fixed IV leaks more, possibly even a file fingerprint.

            Indeed, it is easy to construct a file which is easilly recognized after being encrypted with such a scheme. In fact I constructed one a long time ago, it is here [brics.dk]. (OK this file only applies to some of the weakest IVs, but you get the point). However LRW also allows fingerprinting, but only if you can get two versions of the encrypted sectors, one version with the file, and another version with zeros.

            Personally I would be content w

            • by gweihir ( 88907 )

              Personally I would be content with only having leak out when a sector holds identical data as before.


              Might be acceptable for most users, but as I pointed out earlier, the algorithms I know for this have a significant CPU overhead. If you know a solution for this without the performance penalty, I'd very much like to hear about it.


              I don't think there is one. But here is something else: Harddisk speed is increasing significantly slower than CPU speed (or harddisk size). Using double encryption (CBC twice,

        • Re: (Score:3, Informative)

          TrueCrypt no longer uses CBC in the latest versions, LRW mode [wikipedia.org] has been the default mode since some time in the 4.1 version and beyond.
          • by bogie ( 31020 )
            nt
            no text
            no text dam it! ;-)
          • Re: (Score:3, Informative)

            by kasperd ( 592156 )

            TrueCrypt no longer uses CBC in the latest versions, LRW mode has been the default mode since some time in the 4.1 version and beyond.

            I compared the encryption used by TrueCrypt to CBC, that is very different from saying TrueCrypt uses CBC. In fact what TrueCrypt used to use is the not quite CBC mode you get by replacing the random IV with the sector number. The new mode did eliminate the very easy fingerprinting, but introduced a different kind of fingerprinting possible as long as you could get multiple v

  • Free, runs on Windows & Linux, lets you load a filesystem into a single file.

    I use it every day, and it just works. Can't recommend it highly enough
  • A much safer and better (and more functioning solution in the corporate environment) is the http://www.n-trance.biz/products/biometrics/bufd.h tml [n-trance.biz]n-Tegrity device from http://www.n-trance.biz/ [n-trance.biz]n-Trance Security. Not only it supports very strong (AES256) encryption, it also uses your fingerprint instead of a password, so it's much more convinient. And (suprisingly) the fingerprint sensor works really well. I use one every day.
  • U3 from the trenches (Score:1, Interesting)

    by Anonymous Coward
    I've worked on a couple of commercial programs for U3. It works, but except for the cool graphics it's sort of a senior project-type thing: clunky, very buggy, very quirky and tricky to get right. In particular, avoid the Sandisk Cruzer: the vast majority of problems we've had (randomly refusing to mount, refusing to load software that other brands have no trouble with, and repeatedly corrupted files, both ours and theirs) came from that brand.

    While I don't know of any U3-specific security problems, the com
  • There is only one way to find out whether or not an encryption scheme is any good: READ AND UNDERSTAND THE SOURCE CODE. As a second best, show the source code to a competent programmer whom you trust and who has some expertise in the field in question. If they won't show you the source code, the most likely reason why not is because the encryption is no good and you should walk away.
  • We bought a bunch of "secure" drives (unintentionally, I might add, we had no interest in the "security" features), and found that unlike regular flash drives anything that damaged the file system on the drive meant you had a dead device... because you couldn't reformat it without a special program... and getting a copy of that program was basically impossible. Oh, they claimed you could do it by sending a letter from the CEO on corporate letterhead requesting a copy... and jumping through additional hoops after that... but there was never a response from this "initial handshake".

    Now, they're not terribly expensive... but they're no more secure than an encrypted file system in a regular file on the drive. You're paying more money for no better security than you can set up yourself, and dealing with the hidden costs of lost data... both directly, and because the guy in the field can't initialise a trashed file system himself so he doesn't have a device handy to get a copy of the customer's data when he needs it.

    The whole technology seems to be implemented in the wrong place to me.
  • Dont use U3 its a proprietary peice of software that doesnt allow certain software to be installled on it. i find i clunky and a bear to use.
  • Anything that needs to install extra software (from the device) is just asking for trouble. Unless you are carrying national secrets with you maybe a password protected ZIP would suffice to stop casual snooping. That's all a device like this can do, it's never going to stand up against determined attempts to access the data.
  • There is nothing magical about U3. For my encryption, I use Portable Vault [stompsoft.com]. It retails for less than $20 dollars and works with every flash USB drive that I have. I use this to encrypt my pictures and password information for all of my financial accounts. It uses a strong 256 bit Blowfish encryption algorithm, and only you could access the data.
    • by p911 ( 999648 )
      what about the U3 extra data removal software to buy? This feature is not included?

Life is a healthy respect for mother nature laced with greed.

Working...