They must be working with the BBC and have Bill Gates and Satan as investors... :-)

Does the Firefox install accept updates? And will it let you install add-ons? I was looking for exactly this sort of thing the other day when I was hot-desking. I still don't have access to all my saved forms and my lovely lovely add-ons.

The important question is when will we get it in the UK??

Unlike some "secure" memories I've seen, this one actually looks like a good thing. Too bad it is only sold in the USA ... and might stay that way because of their export restrictions; so either we get a crippled version, or nothing at all.

Look here - Install firefox on your cheapo USB stick. No need for the ironkey, if you're not worried about the encryption thingie.

http://portableapps.com/apps/internet/firefox_portable

...were largely dropped years ago. Where have you been?

I fail to see how the thing can actually work.

Okay, I can run FF from the IronKey. To run FF, parts of the program are copied into the computer's main memory... to which the untrusted O/S has complete control. In fact, how can I be assured that the program is even copied into memory? The untrusted O/S may do something completely different.

``the very-difficult-to-crack encryption algorithms not only to protected the data stored on the device itself but also to scramble the data the drive sends back and forth over the host PC's USB connection should anyone be snooping it."

Erm.... what? TheReg seems to claim that the data is encrypted between the stick and the inside of the PC. But what does this give you? The operating system can still access everything!

I bought an IK a few days ago, I'm pretty impressed so far. The review is basically on par with my own conclusions, except that you *don't* need to install any software on the host PC as suggested on page 2 of the review. Mac and Linux support is supposedly in the pipeline - if you visit their forums (registration required) they're pretty open the new features they're planning.

@Quinn Fidler: yes, you can install add-ons, and they're all saved onto the IronKey. I'm not sure about updates to FF itself but it should work fine - when you first use the IronKey FireFox is copied from the read-only partition onto the writable one, from where it runs. The version on mine is currently 2.0.0.6 which is the latest release.

@IanKRolfe: indeed, I've installed PortableApps (excluding the FireFox app) on my IronKey and it works great.

PassPack offers secure storage for passwords with 1 Click login to your favorite websites. The service available 24/7 via internet - nothing to install, nothing to carry around or to forget at home.

http://www.passpack.com

It's a free, valid alternative for folks who travel often and don't want to be bothered with passwords, yet can't do without them.

@skeptic: you're right, there are always going to be weaknesses in the security chain. I don't think anyone's claiming that products like the IronKey are a panacea for secure surfing but, when used properly, can minimize certain risks. If you want to access the internet from an untrusted computer then you are exposing yourself to a myriad of potential attacks, IronKey or not. However, if you are using a trusted computer on an untrusted network then services such as Tor, auto-password logins, etc. can help protect you against snooping and man-in-the-middle attacks. You can always use a boot CD with a trusted OS of your choice in companion with an IronKey if you wish to minimize your internet vulnerability.

mutt~

Did I read it right that it self-destructs after 10 incorrect password attempts, or does it just erase the memory?

I know what I'll be doing if I ever see one of these lying round the office - put the wrong password in 10 times and kill it.

Oh how we all laughed...

Dave @ IronKey here.

We are working on being able to use it as a secure flash drive on Linux. Current version is for Windows XP and Vista.

International customers can buy at ThinkGeek.com.

Or you can call eCost at +1 972-265-4147, then press 1 for international sales. 5am to 9pm Pacific time Monday through Friday.

Dave

@ Skeptic

``the very-difficult-to-crack encryption algorithms not only to protected the data stored on the device itself but also to scramble the data the drive sends back and forth over the host PC's USB connection should anyone be snooping it."

We do encrypt communications between our control panel and the device hardware. This is the channel over which unlock passwords and numerous control commands pass. This prevents USB sniffers from snooping the traffic.

Yes you are right, if your computer is hopelessly infected with malware, then it could potentially affect the Firefox image which is loaded into memory from the IronKey.

Dave @ IronKey

Hi Dave, I think you miss Skeptic's very valid point. Your site makes various claims - "Surf privately", "Protect your identity", etc. There is a technical market which will understand the claims made and some of the pitfalls involved. However you are clearly marketing the IronKey at non-technical users who have heard about all these Internet demons - identity theft, password snooping, and so on.

A typical user might buy your product and then think "well that's me sorted, I'm all safe now". They'll take it with them on holiday and use it in an Internet cafe and believe that they're 100% safe. They'd be wrong to make that assumption, and your marketing is a bit misleading in this respect.

For example you strongly imply that using a non-IronKey results in using inferior encryption algorithms. Techies will know that's not true and know of other ways to achieve the same results anyway, while non-techies will likely have some other aspect of the overall usage as a critical weak point, if one exists.

Your computer doesn't have to be "hopelessly infected with malware" to validate Skeptic's point. It simply has to be one over which you a) have no overall control or b) don't keep secured and up to date by conventional means (antivirus, patches, current application releases, etc). That said, many computers *are* hopelessly infected with malware, and the users will still buy your device and look to you to somehow now be protecting them. They won't be any the wiser. Your device cannot offer a technical solution to what is really a social problem, one of a lack of basic computer maintenance know-how or Internet awareness.

If the computer IS secure (in terms of a) and b) above) then there are existing products which can perform many of the IronKey's functions, for free. For example I use a normal USB stick with a copy of TrueCrypt (http://www.truecrypt.org/), and a TrueCrypt container installed on it, all set up for two factor authentication. I use XeroBank to browse from the container via the Tor network (http://xerobank.com/xB_browser.html).

The main benefits I see to the IronKey are its physical characteristics - it looks solidly built and is coffee proof (handy) - and for use in specific areas in controlled environments.

Chris, thank you for your input, and in particular for mentioning TrueCrypt (zero cost, open source, if I remember rightly).

What a shame that the main article didn't do some kind of feature/benefit compare and contrast between (things like) TrueCrypt and the IronKey product.

I cannot find any more information on the "self-destruct" feature, but every review has seemingly picked up on this phrase. One review states that the entire contents are overwritten internally, while another states that the on-board chip is "destroyed".

I'd be really grateful if Dave could clarify please?

o Is the "self-destruct" a process which trashes the data and keys, leaving the device 'as new' ready for re-initialisation? I suspect this is the case, which would mean it works in the same way as the likes of the iKey hardware crypto tokens.

o Or does it really render the device inoperable, requiring a new one?

o If the former, what happens if the device is removed from the USB port during the trashing process? It will lose power. Can it store enough residual power to compete the process, or does it redo the trashing when it's next plugged in, or something else?

o is the 'control panel' application, and message passing system, open-source?

o Are there any plans for an 8GB one?

To clarify my longer response (above), I think the device is very neat and I'm probably going to get on to replace TrueCrypt and xB. I was really pointing out that most environments aren't well controlled and no device can compensate for that, but the way its marketed people may end up with a false sense of security, leaving them in a worse position still. Eg they may now feel completely safe and start recording all their passwords in a text file on the device, unaware that they are submitting every keystroke to keylogging malware.

El Reg, thanks for the review, nice product, and thanks to Dave for popping in with some more info.

found a way to stop the cover getting lost.

Um, is it just me ... surely having an XP/Vista 'version' another Mac 'version' and yet another Linux 'version' blow away most of the point of having a USB flash memory module in the first place ...

Looks like a lovely bit of kit, but if I can't use it to store data accessable from any machine with a USB port, its little more than a high-tech key ring adornment I'm afraid.

Maybe I missed something in the article - please feel free to correct me if thats the case.

TrueCrypt is a wonderful piece of software. A number of our users run TrueCrypt from their IronKeys for double encryption. Here are the benefits of an IronKey over TrueCrypt

1. No software or drivers to install. Even the portable version of TrueCrypt installs drivers. This is not a problem if you have administrator rights, but....

2. IronKey does not require Administrator rights on Windows XP. This is super-critical in enterprise and government environments.

3. Brute force password guessing prevention. IronKey limits, in hardware, your password guessing attacks to 10 tries. With any software product like Truecrypt, you cannot prevent someone from trying millions or billions of passwords.

4. Hardware erasing of encrypted data. IronKey will trash not only the encryption keys but also the encrypted data. The benefit of doing this in hardware includes the fact that hardware erase can clear out flash blocks that are marked bad, as well as wear-leveling areas. Software removal cannot totally remove all data due to bad block mapping inside a flash drive.

5. Speed. Because IronKey crypto is in hardware, it is usually faster than software encryption implementations. YMMV.

So, by running TrueCrypt from an IronKey, you get the benefits of brute force password guessing prevention, tamper resistance, waterproofing, and double encryption. If running TrueCrypt is not an option (eg. using Windows XP non-Admin mode) then an IronKey is a great option IMHO.

Chris,

Sorry if you feel our marketing is misleading to naive users. We do our best to disclose exactly what we protect and how we do it, and we are pretty open about what we do not protect against (see learn.ironkey.com and forum.ironkey.com). We take your comments seriously, and we are trying to improve our messaging and marketing. However, I do think that we do at least as well, if not better, than our competitors in being open about how our products work, what the design goals were, what the threat models were, etc.

We also value the feedback of security experts and users alike, as we want to make our products better.

We have also found that naive users don't buy our products. It's almost all security folks and enterprise IT folks buying for their employees.

Chris,

Self-destruct kills the keys and the data. It does render the device inoperative (think of it as theft prevention... no point in stealing one!). We require the device to be unplugged and re-plugged in after 3 bad tries, to prevent accidental disabling.

Keys are locked out and killed instantly. We resume trashing of the encrypted data when power is re-supplied.

Control panel is not open source.

We will have 8GB devices shortly, once the memory supplier delivers them to us. We use only the highest quality SLC flash (10-20 times more reliable than MLC flash which is used in most flash drives), but this is in short supply.

@ Sean,

We are working to have Mac and Linux and Windows *on the same device*. No need for multiple IronKeys. The latest build has the ability to unlock and use as a secure flash drive on Mac (x86 and Intel) without any drivers or kext!!!! We will be adding Linux once we have fully QAed it.

"You can buy it from Thinkgeek.com, which will ship internationally"

Not according to the last line of the ThinkGeek product description: "Sorry - due to export restrictions, we cannot ship outside the US and Canada."

Has anyone successfully ordered one from the UK? I'm tempted, but don't particularly want it impounding en-route.

Cheers, Mark.

ThinkGeek has told us that they can no longer ship internationally as they cannot manage the export restrictions.

IronKey has received export approval from the Department of Commerce.

For International Orders -   please call eCost at +1 972-265-4147, then press 1 for international sales. 5am to 9pm PST Monday through Friday.