Interesting news for folks who think their encrypted data is safe:
SAN FRANCISCO — A group led by a Princeton University computer security researcher has developed a simple method to steal encrypted information stored on computer hard disks.
The technique, which could undermine security software protecting critical data on computers, is as easy as chilling a computer memory chip with a blast of frigid air from a can of dust remover. Encryption software is widely used by companies and government agencies, notably in portable computers that are especially susceptible to theft.
...
In a technical paper that was published Thursday on the Web site of Princeton’s Center for Information Technology Policy, the group demonstrated that standard memory chips actually retain their data for seconds or even minutes after power is cut off.
When the chips were chilled using an inexpensive can of air, the data was frozen in place, permitting the researchers to easily read the keys — long strings of ones and zeros — out of the chip’s memory.
“Cool the chips in liquid nitrogen (-196 °C) and they hold their state for hours at least, without any power,” Edward W. Felten, a Princeton computer scientist, wrote in a Web posting. “Just put the chips back into a machine and you can read out their contents.”
I'm waiting for the movie, when Tom Cruise can explain it to me.
I figure the only way I can stay on top of things is to open up my house to a worthy teenaged boy.
Posted by: clarice | February 23, 2008 at 02:10 PM
I've already forgotten - am I supposed to embrace TM's views or reject them? 'Cause I wanna do what's right.
A JOM commenter manual would be helpful.
I found this sentence from the article rather enlightening: "The Princeton researchers acknowledged that in these advanced modes, BitLocker encrypted data could not be accessed using the vulnerability they discovered."
So, if you would like to actually protect your data you have to go through all the time and trouble to use an "advanced mode"?
Earthshattering news.
Posted by: Rick Ballard | February 23, 2008 at 02:20 PM
I'm waiting for the movie, when Tom Cruise can explain it to me.
I agree.
Posted by: Sue | February 23, 2008 at 02:29 PM
TM:
I'm waiting for the movie, when Tom Cruise can explain it to me.
Oh, I'll explain it to you.
From the article:
This is yet another example of Chimpymchitlerburton and his master Cheney clearing the way in order to spy on every American in their push for their fascist takeover of this country.
Wake up people.
We need to speak truth to power! We need more outrage! We need to march and burn candles!
We can't sit back while this is happening.
Impeach Bush now!
Posted by: hit and run | February 23, 2008 at 02:39 PM
...in their push for their fascist takeover of this country.
Empty threat. When the military comes to grab us up and take us to the camps, they won't have any ammunition or guns.
Or training.
Hell, no camps either, most likely.
No pasaran, venceremos.
Posted by: SteveMG | February 23, 2008 at 02:51 PM
when Tom Cruise can explain it to me
I'm not Tom Cruise and I did not even stay in a Holiday Inn last night but ... years ago was a Strategic Air Command crypto tech and I have designed computer chips so I could explain it ... but then I'd have to ... well you know the rest.
Posted by: boris | February 23, 2008 at 02:55 PM
Some of you guys claim to have not gotten the memo, but I know you have been made aware of it. A cease and desist letter is being drawn up as I type by our crackerjack legal team. Ignorance of the law is not a defense, I might add. Until actual receipt of the C&D letter is received, I would caution you that others are watching, hardly ever, but that is not the point, and our percentages need to be above 99% next time. I refer you to the post at 2:29 PM as to proper response to a post by dear leader at JOM.
Posted by: Sue | February 23, 2008 at 03:05 PM
You want it run through the translation program developed by L Ron Hubbard? How will that make it clearer TM? I know I am required to stand and salute, but really there are a few things, cooked beets and scientology where I have to draw the line...
Posted by: GMax | February 23, 2008 at 03:28 PM
SteveMG:
Empty threat. When the military comes to grab us up and take us to the camps, they won't have any ammunition or guns.
Hah! No way. Bush has sent all the people who COULD stand up to his imperial march toward his fascist despotism and sent them overseas. Without bullets.
The bullets are currently being housed under fort knox -- until Rove has brainwashed enough mindless Bushie minions to do his bidding and suppress the will of all free people who would resist.
This blog is a target and judging by the posts I read here, Rove is probably 67% finished with his work.
Sheeple. You're all sheeple. Being led to slaughter.
Posted by: hit and run | February 23, 2008 at 03:39 PM
Mr. Ballard;
The advanced modes require additional hardware, which you have to not lose, so it's not quite as simple as clicking a checkbox.
TM;
I'm not Tom Cruise, but I would dare to provide an explanation. Modern computer memory works by putting electrons in boxes. The boxes, however, are leaky. In the standard way computer scientists solve problems, the solution implemented was to put some extra circuitry that checks the boxes and re-fills them as necessary, fast enough so that boxes never empty out. When you turn off the power, that extra circuitry gets turned off too, and the electrons all leak out, erasing the memory. These encryption schemes depend on this to destroy the encryption key when the computer is turned off, so if it gets stolen the data is safe.
What these guys have discovered is that
1) The electrons don't leak out as fast as people thought.
2) If you freeze the chips, the electrons leak even slower, so slowly that you can figure out which boxes were filled hours later.
Frankly, I am not sure how much of a problem this really is. You'd have to make the snatch within minutes of power off, and be able to pop open the computer and chill the chips basically immediately. And if you can do that, why not just snatch the laptop while it's still turned on?
Posted by: Annoying Old Guy | February 23, 2008 at 03:47 PM
Wait...I don't really see the big deal here.
They're talking about memory chips, no? Well, then, in order to get that data by freezing it in place, it has to BE in the memory chip.
Which also means someone would have to actually use those keys within a finite period of time just before the breath of cold air is blown over the chip.
Memory in your memory chip is overwritten constantly AS YOU USE your computer.
It's interesting that they've discovered freezing keeps the data around, but that in and of itself wouldn't raise eyebrows so they, like the NYTimes, envelop a factoid in a bit of scare mongering about data security.
Posted by: Syl | February 23, 2008 at 03:58 PM
X-posted with that Old Guy.
Posted by: Syl | February 23, 2008 at 04:00 PM
In an attempt to hide the fact that it wants to sell oil for people to burn, greedy & evil executives of Big Oil hatch a plan to steal the encrypted data from everyone's computers by hiring illegal aliens to break into everyone's houses and freeze their chips, which mysteriously impels them to drive their cars long distances for no apparent reason. That is until a single man learns of their dastardly ways.
"See this movie..."--George Clooney
"It made me cry..."--Michael Moore
"Ya done good..."--L Ron Hubbard
Tom Cruise starring in Global Warming, Local Cooling
Posted by: Barry Dauphin | February 23, 2008 at 07:07 PM
There's really nothing here, for a PC owner to worry about. Why? Because there's one primary tenet of security that the articles on this failed to mention. And it's a pretty simple one.
"If the bad guy has physical access to your hardware, you have no or weak security."
On the other hand, this does pose a problem for people who want to keep some data secure but who can't keep the hardware under lock and key. For example, consumer electronics devices that are implementing digital rights management to keep people from stealing encrypted media. This just goes to show that that task is basically doomed no matter what.
Posted by: Skip | February 23, 2008 at 09:23 PM
First thing Tom Cruise will do is remind you how to spell 'chilling'.
Or is this another failure of the Bush administration to provide its loyal foot soldiers with enough consonants?
Posted by: bgates | February 23, 2008 at 09:37 PM
If you are a little more wary and you were depending on power off to save you from having your keys taken, you need to think about this -- but how much of a risk is it really?
I suggest not much. While it’s true that this could be used to get at encrypted data, let’s think about what it takes to do it. First of all, at normal operating temperatures according to the paper, data persists in DRAM for roughly between three and thirty seconds, and the fancier and more recent your computer is, the faster the data disappears. So long as you shut down your computer, within a minute or so, you’re safe from this attack. (You’re not, of course, safe from someone holding a gun to your head and saying “give me the key,” which would be a more common attack anyway.)
From an article on PJM by (ahem) me.
Posted by: Charlie (Colorado) | February 24, 2008 at 09:48 AM
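An added illustration, not part of any comment in this thread: a toy model of the "leaky boxes plus refresh circuitry" explanation given earlier, using the three-to-thirty-second warm persistence range quoted just above. The refresh interval, the read threshold, the chilling slow-down factor and the 128-bit pattern are all constructed assumptions, not measurements.

```python
import math

# Every number here is constructed for illustration; none is a measurement.
REFRESH_INTERVAL_S = 0.064  # assumed gap between refresh passes while powered
THRESHOLD = 0.5             # a box under half charge reads back as empty
COLD_SLOWDOWN = 1000.0      # assumed factor by which chilling slows the leak

def make_cells(n, shortest_s=3.0, longest_s=30.0):
    """Per-cell leak time constants, set so that warm cells keep reading
    correctly for between shortest_s and longest_s after power-off."""
    step = (longest_s - shortest_s) / (n - 1)
    return [(shortest_s + i * step) / math.log(2) for i in range(n)]

def leak(charges, taus, seconds, slowdown=1.0):
    """Let every box leak for `seconds` with no refresh."""
    return [q * math.exp(-seconds / (t * slowdown)) for q, t in zip(charges, taus)]

def read(charges):
    return [1 if q >= THRESHOLD else 0 for q in charges]

def refresh(charges):
    """The extra circuitry: re-fill every box that still reads as full."""
    return [float(b) for b in read(charges)]

def run_powered(bits, taus, seconds):
    """Normal operation: leak a little, get refreshed, repeat."""
    charges = [float(b) for b in bits]
    for _ in range(int(seconds / REFRESH_INTERVAL_S)):
        charges = refresh(leak(charges, taus, REFRESH_INTERVAL_S))
    return charges

def bits_lost(bits, taus, seconds_off, slowdown=1.0):
    """Stored 1s that read back as 0 after `seconds_off` without power."""
    charges = run_powered(bits, taus, 1.0)  # one second of normal use first
    after = read(leak(charges, taus, seconds_off, slowdown))
    return sum(1 for b, a in zip(bits, after) if b == 1 and a == 0)

# Constructed 128-bit pattern standing in for key material (64 bits set).
KEY_BITS = [int(c) for byte in bytes([0xA5, 0x3C] * 8) for c in format(byte, "08b")]
TAUS = make_cells(len(KEY_BITS))

if __name__ == "__main__":
    cases = [("warm, 1 s", 1, 1.0), ("warm, 15 s", 15, 1.0), ("warm, 60 s", 60, 1.0),
             ("chilled, 60 s", 60, COLD_SLOWDOWN), ("chilled, 10 min", 600, COLD_SLOWDOWN)]
    for label, secs, slow in cases:
        lost = bits_lost(KEY_BITS, TAUS, secs, slow)
        print(f"{label:>16}: {lost} of {sum(KEY_BITS)} set bits lost")
```

In this model a warm chip has lost every set bit a minute after power-off, while the chilled one still reads back intact ten minutes later.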
Nice work Charlie! My sister once told me that the problem with computer experts is that the people who know enough to help you can no longer communicate in human terms. Don't know if the remark was original with her, but you're apparently the exception that proves the rule.
It does seem like such cryo crooks would be pretty easy to beat. Just don't leave the room for 60 seconds. I wouldn't think that most folks with a lot of valuable data would walk away from a computer in sleep mode, but I suppose once in a blue moon, nature calls. Any theft where you have to take physical possession of somebody's chips within a 30 second window is going to be pretty difficult to orchestrate without the equivalent of a gun in the first place, so why wait till they shut down?
The real risk such generally useless discoveries represent is that they stimulate other ideas that do work. That, in fact, is one of the fundamental dynamics in creative problem solving.
Posted by: JM Hanes | February 24, 2008 at 11:34 AM
I wouldn't think that most folks with a lot of valuable data would walk away from a computer in sleep mode, ....
Oh, wouldn't it be pretty to think so. This happens to be very specifically what I do --- encryption of data at rest --- and I could tell you stories that would curl my hair if I didn't shave my head. But usually, it's nothing near as fancy as this attack: it's someone who copies a whole master data list onto his laptop to work at home, and loses it, or --- as happened to IBM recently --- a whole box of backup tapes that falls off a truck and is lost.
Posted by: Charlie (Colorado) | February 24, 2008 at 02:52 PM
By the way, Tom, I've gotten way more referrals from JOM today than I have from PJM....
Posted by: Charlie (Colorado) | February 24, 2008 at 02:54 PM
Posted by: cathyf | February 24, 2008 at 07:04 PM
Your data is at greater risk from a Chinese trojan-infested digital picture frame you plug in to your PC to download pictures than from frozen chips.
And most of us have more to worry about the file of passwords we printed out and keep in the dresser drawer just in case.
Then there is the over-the-shoulder look at the key-in of the ATM PIN number.
And all your passwords are too short.
If security is a business issue for someone, leave it up to professionals to advise you. If it is a personal issue, just do the sensible things. Data loss is a greater threat than data theft.
Posted by: sbw | February 24, 2008 at 08:23 PM
Aw cathyf, thanks for the memories. I spent 18 of the best years of my life working for DEC. You DO remember what PDP stands for.....don't you? ;-)
Posted by: poodlemom | February 26, 2008 at 05:15 AM
I'm sorry, too young to know that... ;-)
I spent the first 5 years of my career as a VMS system manager -- which I learned by reading the manual and calling the Colorado Springs tech support people. I bet they moved the phone center to India even before they got bought out. The local Chicago FE's were some of my favorite people. I taught them to claim themselves as members of The Sacred Order of the Black Hand (the holy priesthood of laser printer & copy machine repair people.)
...ah, those were the days...
Posted by: cathyf | February 26, 2008 at 02:44 PM
Just shoot anyone you see carrying liquid nitrogen around.
Cathyf, HP (buyer of Compaq which previously bought DEC) did outsource their call center to India. As a customer, I was underwhelmed, to be kind. No, let me write the truth. I have never seen anything, ever, as poorly planned and executed in my life.
It may be working now, I don't know. We cannibalize surplus machines to keep the rest going.
The VMS and TRU64 UNIX and hardware pros they have left are first rate, but the customers are being stranded. Unfortunately for HP, there are other choices out there when you have to convert off of TRU64, and only one of them belongs to HP.
Posted by: MarkD | February 27, 2008 at 11:44 AM