Reply to post: Re: Hard drives vs SD cards

Diss drive: Seagate and IBM bring blockchain sledgehammer to compliance nuts

DCFusor

Re: Hard drives vs SD cards

I used to own the proper tools to dump and program the uP in many hard drives, and as an excercise, my outfit looked into what was in a few of them software wise. It's like the saying about sausage. It in no way takes "a state level actor" to do that - any reasonably competent embedded engineer with the normal tools can do it in a day or few and make it "whatever you want". Not a lot of point in that as you say, though.

FWIW, some of that data is stored on normally inaccessible *to you* parts of the regular drive. Keyword "normally" as there are tools in open source that let you get to it as well.

As you say, there's not much point in doing that for a normal thief, it's NSA kind of thing, or someone who really thinks planting an unwipeable persistent virus is worth the hassle. No need, since most people who willingly give up all their data to various slurping entities in social media, who then sell that info on cheaper than it'd be to collect it oneself.

The issue I heard of was selling repackaged drives - they had the stated capacity, the issue was that in effect, what were sold as consumer drives with a factory warranty - and at the consumer prices - we actually drives originally bought in bulk by OEMs much cheaper that had no factory warranty associated with their serial numbers (the maker does keep track). Since basically no one checks, people only found out when they had an issue and were denied warranty service - which they'd effectively paid for from some vendor hidden opaquely behind Amazon (in this case) - so no recourse.

So to me, adding another thing no one checks isn't going to be any sort of real answer to the problems that do exist. Denying the problem is a mistake, and claiming this is the answer, another.

Rule one in security is that if the adversary has physical access, it's game over. Any scheme that depends on something the adversary has had access to reporting something is utterly flawed. It can always tell you it's all good. We've seen plenty of examples of stolen keys and certs, it's not the algo that's the issue as much as it is human malfeasance. Yes, you could have a whole batch of drives all claiming they were the same legit drive, for one example (that's easy to protect against if known, but there are so many possibilities, I'll believe it when I see it).

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon