Many people assume that if they're seeing something that's more expensive than they're used to that they're being ripped off for some reason. Ripping people off with high prices is actually very rare nowadays, mostly thanks to the big online marketplaces.
These large price differentials are purely due to the insane economies of scale we're able to create. It's not a wonder that there's a 128GB USB stick as expensive as $1675, it's a wonder there's a 128GB USB stick as cheap as $27.
Imagine it took 1 million dollars to develop the tech and implement the manufacturing process of a 128GB stick. Assume they cost $5 to manufacture, and $20 to market and ship. Then when you sell a million you've recuperated your R&D and made a million profit that warrants the 6 million upfront investment you had to do.
Same story but now with the expensive 128GB sticks, of which you're only going to sell 1000. Even though the stick is 1675, you only make 1.650.000, so your effective budget to develop the fancy encryption scheme and make a profit is 650.000.
> Ripping people off with high prices is actually very rare nowadays, mostly thanks to the big online marketplaces.
This is so absolutely untrue that this reads like a joke.
> Many people assume that if they're seeing something that's more expensive than they're used to that they're being ripped off for some reason.
Yes, because it's so absurdly common. "High price ripoffs" are so common that it's the default mode of operation for nearly every company in America. "High price ripoffs" are so common, that it's literally taught in school as a fundamental part of all marketing. (Price anchoring, premium pricing, skimming pricing, are all just 'high-price rip-offs' applied practically).
Yes, it still occasionally happens, but the days of "a high price probably means better time/materials/quality" are long gone. 9 times out of 10, the high price product is identical to the cheap price one, and the higher price is explicitly just a ripoff.
> Ripping people off with high prices is actually very rare nowadays
Given how many dropshippers exist for goods straight from China at 10-15x the price (if not more), this is untrue to such a degree that the original sentence almost reads like satire.
> Ripping people off with high prices is actually very rare nowadays
Apparently you have no idea of the audiophile market. I have someone swear that music doesn’t sound as nice when converted losslessly from WAV to AIFF/FLAC on whatever $$$$ gear he uses.
I keep telling this to friends who complained that hard disk manufacturers are plotting against them by not lowering hard disk prices long after floods have damaged hard disk factories. You have to consider how absolutely incredibly cheap this stuff actually is. Take a high-quality wooden shelf. It's just a couple of wood boards, right? Yet it may cost ten times more than a USB stick or even an embedded development board. It's crazy.
I see you've never tried to shop online outside of the US.
Let's take an example; my daughter has an Easy Bake Oven - it's a little plastic oven with essentially a 100W heater inside, with a little tiny baking tray about the size of your cell phone. There's an optional "cupcake tray", which is again a tiny metal pan about the size of your phone, only Walmart up here in Canada sells the oven, but doesn't sell the cupcake pan.
Amazon.ca today has a cupcake pan for $52 [0] which a) is lower than I've seen it on Amazon.ca before and b) this isn't even the "real" one from the manufacturer, it's an after-market knock off. There's another one listed for $89. It's actually cheaper for me to buy the cupcake tray from Amazon.com [1] even with the $9 shipping and the currency conversion, and I get the cupcake tray and a second regular tray and a bunch of cupcake liners.
This is not the most egregious example I've seen by a long ways. I assume a lot of this isn't actually malice but instead robots trying to sell products and setting prices that are just clearly insane. I've seen products with 1000% markup over MSRP before, and sometimes it's stuff that's easy to buy locally. There's just a lot fewer sellers on amazon.ca, so it's easier for a robot to climb it's price to infinity with no competition.
(And that's not to say everything is like this in Canada - most common stuff is priced reasonably. But if you want something a little out of the ordinary or sometimes if the "main" seller of something goes out of stock, suddenly it costs you a kidney to get a kid's basketball hoop.)
I fondly recall an article in APC magazine from 2003, a review of Lindows OS, with a Live CD of it attached. “Combine it with a cheap-as-chips 128MB USB disk for $70” [that’s AUD], it said—
Now here we are, 17 years later, selling a thousand times the capacity at half the price.
(I also wondered, then and now, where the author sourced their fish and chips. This incongruity is why the phrase stuck in my head.)
> For rack-mounted servers, I've seen things like the entire motherboard and hard drive submerged in 5 kg of heat-conductive epoxy resin so that it's nearly impossible to remove the RAM sticks or hard drive without destroying them.
I find it absolutely hilarious that there are some organisations going to such lengths to protect their data but other organisations with just as sensitive data keep it in unpatched datastores and leaky S3 buckets...
Having worked with some financial institutions, I can assure you it's often the same orgs that spend bazillions on extra-super-secure hardware etc and then leave security holes large enough to drive trucks through elsewhere. In short, if you make the process to do things the Right Way hard enough, people will just circumvent the process.
It's even more hilarious that there is typically a disconnect between hardware and software management, so that you could have one dept buying this sort of war-resistant servers and then handing them off to a different, averagely-incompetent dept who will use them to run ancient exploit-ridden software with default passwords.
They are not going to such lengths to protect their data. They are going to such lengths to conform to regulations. Other organizations don't need to conform to regulations, so they put a fair price for their security (you might not agree with that price, of course).
> I'm impressed that they got a USB stick past Level 3 testing. Guess: maybe there are tiny wires in the casing and an "intrusion detection" chip with its own battery that is never powered off so that it can monitor for breakage of the wires and trigger a wipe?
I've seen a level 3 SSD teardown before. They had a humidity sensor and a photovoltaic sensor oonboard. Cease was sealed, and any change detected by these sensors would initiate a key wipe from a battery and then a data wipe once the drive received power. Interesting stuff
I can imagine this... two extremely thin foils separated by an insulating layer, one connected to a supercap charged at 100V at every time the stick is plugged in, the other layer connected to all pins of the flash memory via diodes. Then, encase the whole thing in epoxy. When someone attempts to cut it open now, the short between the foils will discharge the supercap to fry the memory.
Couldn't that be defeated by draining the battery, for example with low temperatures? Programming it to wipe itself when low on charge might cause other issues.
I think links like this are really helpful. Too offer I suffer from the (common on HN) mindset of, "I know nothing about this field, but I'm intelligent enough to know this is stupid". Posts like this are not only interesting, but give me a small dose of humility.
Reminds me of the first time I saw that stackoverflow page comparing hash algorithms (from crc32 md5 xxhash to sha) thru patterns it generated onto an image. Also answers by the zlib guy, the nagle algorithm guy. Explanations like those just blow my mind.
I don't know, this is my field and the post is pretty stupid. Hardware encryption is trivial to do, even in a small form-factor, low-power device like USB storage. A 60x price differential is completely unreasonable.
This is rent-seeking on market segmentation. Certain government agencies and contractors are prohibited by law from using a bog standard USB storage device, and require this FIPS certified thing instead. The manufacturers know this. They also have budget to pay, when they are forced to.
I'm not sure what the answerer is trying to imply, but it seems like it's more a question of willingness to pay being very different between government and private individuals than real differences in quality.
Sure, there has to be some sort of hoop to jump through with certification, but it doesn't sound like it actually makes a laptop's worth of price difference.
Businesses do this all the time, they make an item and sell it at different prices to different entities. Put a small wrinkle on the expensive version so it's not too embarassing for the guy who buys the expensive one. That way you get what the cheap guy is willing to pay and the rich guy. Even universities do this with tuition fees. I have friends who write code for the government, and they also raise their prices for the same thing, they've even been told they were too cheap to seem credible.
Something to consider in these kinds of cases is that you're not just paying for a more complex physical product, but the the cost of actually designing and certifying the device.
The market for the basic stick is massive, so the cost of design and product development is spread across many, many units.
The market for the FIPS stick will be tiny in comparison. That means that the cost of design and development will be both higher (more complex product) and spread across many fewer units. Now add on the cost of going through the certification, which will involve massive amoounts of paperwork, box-ticking and bureaucracy and the cost of development really shoots up compared with slapping some memory cells and an interface into a plastic box.
I used to work on safety critical software, and the amount of time that was actually spent writing code was really quite small compared to the effort required to demonstrate both to ourselve, but also to the certifying authorities that the software was safe. The Verifcation and Validation teams would often be far larger than the original development teams.
Having said that, I am absolutely sure there will also be some price gouging going on because there will be only a small number of companies that make FIPS certified devices and so competition is lower.
This thread seems to involve many people who have taken ECON 101 and think it corresponds with reality. For example:
"If you got to a gas station near me, you can get a CR2032 battery for say 2 USD. If you got to a certain home decor/equipment store a mile away, you'll get 4 of these batteries for 1 USD. That's what, 8x more expensive for a relatively common product?"
This isn't a difference between .25¢ for 1 and $2 for one. It is the difference between $4 and a bit of a search for 1 plus three more to stuff in a drawer and $2 for one here now where you are. And $2 is the cost of, what, a couple ounces of coffee?
So I can give a real life example of the type of customer that uses these exclusively. My previous employment was leading development on a media scanning station, a bit like an ATM, but with a lot of ports in front to accept USBs, CDROM, etc. We provided this product to the energy, defense, pharmaceutical, etc sectors. Essentially critical infrastructure. Many of our customers utilize air-gaps to isolate their critical systems. So to get files into those systems you basically have to sneaker net it, usually using portable media of some kind.
The basic procedure using our product was to take an "unknown" piece of media with the files you wanna move over. Slot it into our station, then grab a "known" piece of media and put it into the other port on the station. The station would scan all of the files using several commercial AVs, then files deemed to be clean would be copied to the "known" piece of media. The important thing about the "known" piece of media is that its generally one of these expensive USBs with FIPS encryption, and crucially the FIPS epoxy and digitally signed firmware on the controller. Often these facilities are like onions with several layers of security, and this procedure must be done several times to get to the truly sensitive equipment, along with guards checking receipts and unlocking media from lockboxes, etc.
Having everyone at the facility using the same drive, especially if you can purchase in known serial numbers, is good practice. That way anyone using a different model drive is easily spotted and programmatically you can lockdown to those known serials before mounting. Similarly if someone tries to take it apart the FIPS epoxy should destroy the internals of the microcontroller. They drill through the epoxy and flash the firmware, the microcontroller in these drives will reject cause it is not signed. Finally, if they do manage to build an exact replica, with the correct serials but some nasty internals, it wont matter since they are forced to use a "known" drive before stepping up to the next security level (the bad drives gets left at the low security gap).
Its not perfect, but it does build defense in depth, especially with more mundane things added into the mix like FBI background checks, etc. You quickly get into mission impossible scenarios requiring physical agents gaining access to reach the inner layers of these critical systems.
The difference is that if you encrypt a file with a strong, industry standard algorithm, with proper key derivation, enough entropy on your passphrase, and stick it on a $27 USB key, you can be personally certain (by most reasonable standards) that your data is secure at rest.
However, if you put a file on a $1657 IronKey, you have to trust the certification (the Infineon ROCA snafu has proven beyond a shadow of a doubt that FIPS certification is no guarantee when it comes to the crypto algorithms - and look at stuff like that CVE that affected only the FIPS version of the YubiKey due to extra complexity the certification stuff required!), and have no guarantee that your data is indeed encrypted with your passphrase. Indeed, it's quite common for these "secure" devices to merely encrypt your data with a fixed or variable but not passphrase-derived encryption key, and then merely check the passphrase against a hash (with attempt limits). They are hardened against attacks to bypass this, but they do not offer pure cryptographic protection for your data, unlike the $27 + software solution.
Put another way: use a long enough passphrase, and the $27 solution is superior. Use a short passphrase or PIN, and the $1657 solution is hopefully superior (though you have no true guarantee or way to know for sure).
You are paying >$1k for the convenience of using a short passphrase, and in exchange you have to trust the manufacturer.
Give me a megabuck or two and I bet I have a good chance of getting your files out of an IronKey. Give me a megabuck or two and I can do nothing against software encryption with a 32-character passphrase.
If I'm lucky I might even find an IronKey exploit that can be performed for much cheaper. Finding physical exploits (e.g. power, EMI, or even optical glitching attacks, nevermind stuff like pure firmware exploits) is much easier than breaking proper crypto.
By the way, the same trade-off exists with Android (in old school FDE mode) vs iPhone secure enclave stuff. The iPhone solution has many advantages for many use cases, but if we're talking strictly about security of data at rest (i.e. from
a powered off state) I trust my rooted Android with a long FDE passphrase over any iPhone. The latter only entangles a subset of user data with the lockscreen code, and does not allow you to set a separate longer boot-time passphrase from the normal unlock code (nor does regular Android, but you can do it with root).
(disclaimer: it's been years since I looked at IronKeys and had this thought experiment; at the time they definitely made no claims of deriving the encryption key from your passphrase and I seem to recall reading somewhere that they don't, but I haven't checked their marketing these days)
> if we're talking strictly about security of data at rest (i.e. from a powered off state) I trust my rooted Android with a long FDE passphrase over any iPhone.
If you never power-up your phone maybe. But in any realistic usage scenario you're way insecure with a rooted Android phone. Check this link, it's a quick read.
You are not the customer. The customer is someone who needs to roll this out to parts of their organization, they cannot depend on their users being able to setup secure crypto on their own or together with IT. They need something ready to use.
The is also a cover your ass perspective. If their homerolled solution had issues they had the problem, if this usbkey have the issue they can point to that they bought certified parts.
Can tell you from experience in healthcare, the difference between a regular usb stick and one that has a verifiable security level is that if you lose track of a stick with a research data set on it, it's the difference between doing local incident response, and individually notifying 1m+ people their health information has been breached.
If it's on a USB stick, you've already lost control, but there was a case at a hospital where they avoided that cost because the lost device was encrypted.
From my PoV, FIPS is bureaucratic nonsense and people trusting in it deserve what they are getting.
It might have had sense a long time ago, to ensure that vendors don't do something ridiculous and call it a day. It does mandate certain thing that are common sense and good practice, yes. But you can't really mandate security via a checklists from 10 years ago. Government can't keep up with cryptography, software bugs being discovered, new threats and so on. It's just too slow, and requires more than just going through a checklist.
The exact details of how things are done at the lower level are simply insane. It's very common that the FIPS-certified product has security strictly lower than non certified one, e.g. because the certified FIPS base had bugs, that are known, trivial to get fixed (3-liners, etc) but can't because that would take months/years and hundreds of thousands of dollars to re-certify the whole codebase being patched.
The whole thing was probably created by lobbyists to create another corrupted channel to monopolize and overcharge government and related institutions, just like many other nonsensical laws in the US.
When I see topics like this one, I allways wonder, why there is not an univeral standard for USB-Stick encryption. I would not matter what OS, just ask for the passphrase when you insert the stick.
I get that level 3 means that the device is able to detect physical tampering. But why would I need this if anyone can just plug the USB stick into any PC?
It's hardware encrypted so the only 2 solutions to get the data are to either brute force it (impossible) or to get the crypto key from the chip inside.
If I understand correctly this drive is supposed to detect tampering and erase the key if you attempt to open the encasing.
Even without FIPS, encrypted USB drives are about an order of magnitude more expensive than non-encrypred ones.
I actually want an encrypted one to set me free from having to use VeraCrypt so I could enjoy the convenience of the plug-and-play experience while being sure a random person to find my drive if I loose it won't get the data.
Perhaps I could just use BitLocker but it's not available in Windows 10 Home (like if home PCs didn't contain any sensitive data).
The cheap one can’t be used as a harddrive since the write speed is 30 times slower. For reading the difference is 4x. So they are pretty different products.
The submitted title ("Why pay $1657 for a $27 USB stick?") broke the site guidelines by editorializing. Please review https://news.ycombinator.com/newsguidelines.html, which includes: "Please use the original title, unless it is misleading or linkbait; don't editorialize."
The most important part of the pricing is the intended consumer. It is expected to be used by government officials and employees of big companies, for whom, the price is not a big factor.
Then comes the competition. Not a lot of companies are making these.
The next one is volume. They're not going to sell as many of these so they produce them at a much lower scale, driving the cost per unit up.
There is a great detailed answer on the page but for me it boils down to "so I never have to think about it ever again".
I'm sure veracrypt on the cheap drive works very well, but I dont want to think about usb drives ever again so if I can make the problem go away (and its the customer/company paying for it) i'll buy the product with off the shelf capabilities.
The never having to think about it, in this context is don't use them. A significant amount of government and businesses have blanket bans on USB pendrives and disable USB mass-storage in the mobile devices themselves.
Making solutions that do not require carrying of sensitive material on portable devices is a much safer approach.
[+] [-] tinco|5 years ago|reply
These large price differentials are purely due to the insane economies of scale we're able to create. It's not a wonder that there's a 128GB USB stick as expensive as $1675, it's a wonder there's a 128GB USB stick as cheap as $27.
Imagine it took 1 million dollars to develop the tech and implement the manufacturing process of a 128GB stick. Assume they cost $5 to manufacture, and $20 to market and ship. Then when you sell a million you've recuperated your R&D and made a million profit that warrants the 6 million upfront investment you had to do.
Same story but now with the expensive 128GB sticks, of which you're only going to sell 1000. Even though the stick is 1675, you only make 1.650.000, so your effective budget to develop the fancy encryption scheme and make a profit is 650.000.
[+] [-] maxsilver|5 years ago|reply
This is so absolutely untrue that this reads like a joke.
> Many people assume that if they're seeing something that's more expensive than they're used to that they're being ripped off for some reason.
Yes, because it's so absurdly common. "High price ripoffs" are so common that it's the default mode of operation for nearly every company in America. "High price ripoffs" are so common, that it's literally taught in school as a fundamental part of all marketing. (Price anchoring, premium pricing, skimming pricing, are all just 'high-price rip-offs' applied practically).
Yes, it still occasionally happens, but the days of "a high price probably means better time/materials/quality" are long gone. 9 times out of 10, the high price product is identical to the cheap price one, and the higher price is explicitly just a ripoff.
[+] [-] krageon|5 years ago|reply
Given how many dropshippers exist for goods straight from China at 10-15x the price (if not more), this is untrue to such a degree that the original sentence almost reads like satire.
[+] [-] oefrha|5 years ago|reply
Apparently you have no idea of the audiophile market. I have someone swear that music doesn’t sound as nice when converted losslessly from WAV to AIFF/FLAC on whatever $$$$ gear he uses.
[+] [-] TonyTrapp|5 years ago|reply
[+] [-] saagarjha|5 years ago|reply
[+] [-] jwalton|5 years ago|reply
I see you've never tried to shop online outside of the US.
Let's take an example; my daughter has an Easy Bake Oven - it's a little plastic oven with essentially a 100W heater inside, with a little tiny baking tray about the size of your cell phone. There's an optional "cupcake tray", which is again a tiny metal pan about the size of your phone, only Walmart up here in Canada sells the oven, but doesn't sell the cupcake pan.
Amazon.ca today has a cupcake pan for $52 [0] which a) is lower than I've seen it on Amazon.ca before and b) this isn't even the "real" one from the manufacturer, it's an after-market knock off. There's another one listed for $89. It's actually cheaper for me to buy the cupcake tray from Amazon.com [1] even with the $9 shipping and the currency conversion, and I get the cupcake tray and a second regular tray and a bunch of cupcake liners.
This is not the most egregious example I've seen by a long ways. I assume a lot of this isn't actually malice but instead robots trying to sell products and setting prices that are just clearly insane. I've seen products with 1000% markup over MSRP before, and sometimes it's stuff that's easy to buy locally. There's just a lot fewer sellers on amazon.ca, so it's easier for a robot to climb it's price to infinity with no competition.
(And that's not to say everything is like this in Canada - most common stuff is priced reasonably. But if you want something a little out of the ordinary or sometimes if the "main" seller of something goes out of stock, suddenly it costs you a kidney to get a kid's basketball hoop.)
[0](https://www.amazon.ca/Replacement-Cupcake-Muffin-Easy-Bake-U...) [1](https://www.amazon.com/Easy-Bake-Ultimate-Replacement-Cupcak...)
[+] [-] chrismorgan|5 years ago|reply
Now here we are, 17 years later, selling a thousand times the capacity at half the price.
(I also wondered, then and now, where the author sourced their fish and chips. This incongruity is why the phrase stuck in my head.)
[+] [-] rakamotog|5 years ago|reply
[+] [-] olau|5 years ago|reply
[+] [-] franga2000|5 years ago|reply
I find it absolutely hilarious that there are some organisations going to such lengths to protect their data but other organisations with just as sensitive data keep it in unpatched datastores and leaky S3 buckets...
[+] [-] howlgarnish|5 years ago|reply
[+] [-] toyg|5 years ago|reply
[+] [-] vbezhenar|5 years ago|reply
[+] [-] doublerabbit|5 years ago|reply
[+] [-] cblconfederate|5 years ago|reply
[+] [-] haunter|5 years ago|reply
Now I want to see a teardown of this USB stick
[+] [-] hunter-gatherer|5 years ago|reply
[+] [-] saagarjha|5 years ago|reply
[+] [-] mschuster91|5 years ago|reply
[+] [-] frostburg|5 years ago|reply
[+] [-] jphoward|5 years ago|reply
[+] [-] joshxyz|5 years ago|reply
[+] [-] sarthakjshetty|5 years ago|reply
[+] [-] garmaine|5 years ago|reply
This is rent-seeking on market segmentation. Certain government agencies and contractors are prohibited by law from using a bog standard USB storage device, and require this FIPS certified thing instead. The manufacturers know this. They also have budget to pay, when they are forced to.
[+] [-] lordnacho|5 years ago|reply
Sure, there has to be some sort of hoop to jump through with certification, but it doesn't sound like it actually makes a laptop's worth of price difference.
Businesses do this all the time, they make an item and sell it at different prices to different entities. Put a small wrinkle on the expensive version so it's not too embarassing for the guy who buys the expensive one. That way you get what the cheap guy is willing to pay and the rich guy. Even universities do this with tuition fees. I have friends who write code for the government, and they also raise their prices for the same thing, they've even been told they were too cheap to seem credible.
[+] [-] noneeeed|5 years ago|reply
The market for the basic stick is massive, so the cost of design and product development is spread across many, many units.
The market for the FIPS stick will be tiny in comparison. That means that the cost of design and development will be both higher (more complex product) and spread across many fewer units. Now add on the cost of going through the certification, which will involve massive amoounts of paperwork, box-ticking and bureaucracy and the cost of development really shoots up compared with slapping some memory cells and an interface into a plastic box.
I used to work on safety critical software, and the amount of time that was actually spent writing code was really quite small compared to the effort required to demonstrate both to ourselve, but also to the certifying authorities that the software was safe. The Verifcation and Validation teams would often be far larger than the original development teams.
Having said that, I am absolutely sure there will also be some price gouging going on because there will be only a small number of companies that make FIPS certified devices and so competition is lower.
[+] [-] mcguire|5 years ago|reply
"If you got to a gas station near me, you can get a CR2032 battery for say 2 USD. If you got to a certain home decor/equipment store a mile away, you'll get 4 of these batteries for 1 USD. That's what, 8x more expensive for a relatively common product?"
This isn't a difference between .25¢ for 1 and $2 for one. It is the difference between $4 and a bit of a search for 1 plus three more to stuff in a drawer and $2 for one here now where you are. And $2 is the cost of, what, a couple ounces of coffee?
This is what ECON 101 calls irrationality.
[+] [-] Bayart|5 years ago|reply
[+] [-] fdye|5 years ago|reply
The basic procedure using our product was to take an "unknown" piece of media with the files you wanna move over. Slot it into our station, then grab a "known" piece of media and put it into the other port on the station. The station would scan all of the files using several commercial AVs, then files deemed to be clean would be copied to the "known" piece of media. The important thing about the "known" piece of media is that its generally one of these expensive USBs with FIPS encryption, and crucially the FIPS epoxy and digitally signed firmware on the controller. Often these facilities are like onions with several layers of security, and this procedure must be done several times to get to the truly sensitive equipment, along with guards checking receipts and unlocking media from lockboxes, etc.
Having everyone at the facility using the same drive, especially if you can purchase in known serial numbers, is good practice. That way anyone using a different model drive is easily spotted and programmatically you can lockdown to those known serials before mounting. Similarly if someone tries to take it apart the FIPS epoxy should destroy the internals of the microcontroller. They drill through the epoxy and flash the firmware, the microcontroller in these drives will reject cause it is not signed. Finally, if they do manage to build an exact replica, with the correct serials but some nasty internals, it wont matter since they are forced to use a "known" drive before stepping up to the next security level (the bad drives gets left at the low security gap).
Its not perfect, but it does build defense in depth, especially with more mundane things added into the mix like FBI background checks, etc. You quickly get into mission impossible scenarios requiring physical agents gaining access to reach the inner layers of these critical systems.
[+] [-] marcan_42|5 years ago|reply
The difference is that if you encrypt a file with a strong, industry standard algorithm, with proper key derivation, enough entropy on your passphrase, and stick it on a $27 USB key, you can be personally certain (by most reasonable standards) that your data is secure at rest.
However, if you put a file on a $1657 IronKey, you have to trust the certification (the Infineon ROCA snafu has proven beyond a shadow of a doubt that FIPS certification is no guarantee when it comes to the crypto algorithms - and look at stuff like that CVE that affected only the FIPS version of the YubiKey due to extra complexity the certification stuff required!), and have no guarantee that your data is indeed encrypted with your passphrase. Indeed, it's quite common for these "secure" devices to merely encrypt your data with a fixed or variable but not passphrase-derived encryption key, and then merely check the passphrase against a hash (with attempt limits). They are hardened against attacks to bypass this, but they do not offer pure cryptographic protection for your data, unlike the $27 + software solution.
Put another way: use a long enough passphrase, and the $27 solution is superior. Use a short passphrase or PIN, and the $1657 solution is hopefully superior (though you have no true guarantee or way to know for sure).
You are paying >$1k for the convenience of using a short passphrase, and in exchange you have to trust the manufacturer.
Give me a megabuck or two and I bet I have a good chance of getting your files out of an IronKey. Give me a megabuck or two and I can do nothing against software encryption with a 32-character passphrase.
If I'm lucky I might even find an IronKey exploit that can be performed for much cheaper. Finding physical exploits (e.g. power, EMI, or even optical glitching attacks, nevermind stuff like pure firmware exploits) is much easier than breaking proper crypto.
By the way, the same trade-off exists with Android (in old school FDE mode) vs iPhone secure enclave stuff. The iPhone solution has many advantages for many use cases, but if we're talking strictly about security of data at rest (i.e. from a powered off state) I trust my rooted Android with a long FDE passphrase over any iPhone. The latter only entangles a subset of user data with the lockscreen code, and does not allow you to set a separate longer boot-time passphrase from the normal unlock code (nor does regular Android, but you can do it with root).
(disclaimer: it's been years since I looked at IronKeys and had this thought experiment; at the time they definitely made no claims of deriving the encryption key from your passphrase and I seem to recall reading somewhere that they don't, but I haven't checked their marketing these days)
[+] [-] jmnicolas|5 years ago|reply
If you never power-up your phone maybe. But in any realistic usage scenario you're way insecure with a rooted Android phone. Check this link, it's a quick read.
https://madaidans-insecurities.github.io/android.html
[+] [-] msh|5 years ago|reply
The is also a cover your ass perspective. If their homerolled solution had issues they had the problem, if this usbkey have the issue they can point to that they bought certified parts.
[+] [-] motohagiography|5 years ago|reply
If it's on a USB stick, you've already lost control, but there was a case at a hospital where they avoided that cost because the lost device was encrypted.
[+] [-] dpc_pw|5 years ago|reply
It might have had sense a long time ago, to ensure that vendors don't do something ridiculous and call it a day. It does mandate certain thing that are common sense and good practice, yes. But you can't really mandate security via a checklists from 10 years ago. Government can't keep up with cryptography, software bugs being discovered, new threats and so on. It's just too slow, and requires more than just going through a checklist.
The exact details of how things are done at the lower level are simply insane. It's very common that the FIPS-certified product has security strictly lower than non certified one, e.g. because the certified FIPS base had bugs, that are known, trivial to get fixed (3-liners, etc) but can't because that would take months/years and hundreds of thousands of dollars to re-certify the whole codebase being patched.
The whole thing was probably created by lobbyists to create another corrupted channel to monopolize and overcharge government and related institutions, just like many other nonsensical laws in the US.
[+] [-] 1vuio0pswjnm7|5 years ago|reply
[+] [-] _trampeltier|5 years ago|reply
[+] [-] pedroaraujo|5 years ago|reply
I get that level 3 means that the device is able to detect physical tampering. But why would I need this if anyone can just plug the USB stick into any PC?
[+] [-] jmnicolas|5 years ago|reply
If I understand correctly this drive is supposed to detect tampering and erase the key if you attempt to open the encasing.
[+] [-] qwerty456127|5 years ago|reply
I actually want an encrypted one to set me free from having to use VeraCrypt so I could enjoy the convenience of the plug-and-play experience while being sure a random person to find my drive if I loose it won't get the data.
Perhaps I could just use BitLocker but it's not available in Windows 10 Home (like if home PCs didn't contain any sensitive data).
[+] [-] Grustaf|5 years ago|reply
[+] [-] dang|5 years ago|reply
[+] [-] AntiImperialist|5 years ago|reply
Then comes the competition. Not a lot of companies are making these.
The next one is volume. They're not going to sell as many of these so they produce them at a much lower scale, driving the cost per unit up.
Then comes everything else.
[+] [-] elliotpage|5 years ago|reply
I'm sure veracrypt on the cheap drive works very well, but I dont want to think about usb drives ever again so if I can make the problem go away (and its the customer/company paying for it) i'll buy the product with off the shelf capabilities.
[+] [-] Daviey|5 years ago|reply
Making solutions that do not require carrying of sensitive material on portable devices is a much safer approach.
[+] [-] vngzs|5 years ago|reply
[0]: https://www.cdw.com/product/kingston-datatraveler-4000-g2-ma...