back to article Diss drive: Seagate and IBM bring blockchain sledgehammer to compliance nuts

Seagate and IBM are using IBM's blockchain tech to verify a disk drive's authenticity using its electronic fingerprint. The blockchain drive, er, drive is apparently a way for the firm to deal with the problem of fake or counterfeit HDDs. These may be sold online and are typically relabelled old drive units with apparently …

Paris Hilton

Wow!

This does the same as a normal signature, but is so much cooler in advertisement! :-P

Silver badge

Not that blockchain is the answer

But yes, pullouts are commonly sold - there is a long comment thread right now on Amazon about people getting warranty-free drives originally sold to OEMs. I just happened to notice as this is a drive I have a few of, have had good luck with, and was considering getting more of. Not now, after that thread. Seems a lot of people have gotten drives that are not even re labeled as retail.

Counterfeits are also common for SD cards, as you know if you've bought many for raspberry pies and then measured their speed and capacity before putting them in use. Easy to find two that look identical, in identical packaging, that have a 3x speed difference and 5% capacity difference (or half or less).

And these are brands like Sandisk and Samsung....at least someone put that on the package. See this article on how commonplace that is in that world:

https://www.bunniestudios.com/blog/?p=3554

There's an entertaining video at that link as well. But the counterfeit issue is why Bunnie and Xobs got into hacking the internals of SD cards in the first place.

Blockchain is still dumb, though. Humans are going to cheat - they'll just move to another part of the transaction chain if you make it hard in one place - they'll just pop up somewhere else.

Silver badge

Hard drives vs SD cards

I understand there is a trade in SD cards (and USB memory sticks) where the real memory is far less than the badge. I also understand that the software in the controller is written to falsely report the capacity.

Unless the HDD has the controller software modified to falsely report the capacity, I'm not sure what this utility gives you. If you buy a drive, plug it in and the OS reports that it is 2 Gig not 4 Gig (for example) then you know that you have been duped without asking about a blockchain entry. Your recourse is surely the same if it just shows the wrong capacity when mounted, or when mounted and a blockchain query issued.

The SMART data may also give some clues, unless you can reset this to look like a new drive.

If, of course, all the controller data can be rewritten (as with SD cards) to make the HDD present as a different drive when mounted then having a cryptographic verification of the drive ID would make sense. As long as the blockchain ID couldn't be cloned. If someone is deep in the firmware and rewriting the controller software then presumably anything is possible. Including virus infections (IIRC you can mess around with the controller software on USB sticks to infect devices. Not the same interface, though.).

Silver badge

Re: Hard drives vs SD cards

I used to own the proper tools to dump and program the uP in many hard drives, and as an excercise, my outfit looked into what was in a few of them software wise. It's like the saying about sausage. It in no way takes "a state level actor" to do that - any reasonably competent embedded engineer with the normal tools can do it in a day or few and make it "whatever you want". Not a lot of point in that as you say, though.

FWIW, some of that data is stored on normally inaccessible *to you* parts of the regular drive. Keyword "normally" as there are tools in open source that let you get to it as well.

As you say, there's not much point in doing that for a normal thief, it's NSA kind of thing, or someone who really thinks planting an unwipeable persistent virus is worth the hassle. No need, since most people who willingly give up all their data to various slurping entities in social media, who then sell that info on cheaper than it'd be to collect it oneself.

The issue I heard of was selling repackaged drives - they had the stated capacity, the issue was that in effect, what were sold as consumer drives with a factory warranty - and at the consumer prices - we actually drives originally bought in bulk by OEMs much cheaper that had no factory warranty associated with their serial numbers (the maker does keep track). Since basically no one checks, people only found out when they had an issue and were denied warranty service - which they'd effectively paid for from some vendor hidden opaquely behind Amazon (in this case) - so no recourse.

So to me, adding another thing no one checks isn't going to be any sort of real answer to the problems that do exist. Denying the problem is a mistake, and claiming this is the answer, another.

Rule one in security is that if the adversary has physical access, it's game over. Any scheme that depends on something the adversary has had access to reporting something is utterly flawed. It can always tell you it's all good. We've seen plenty of examples of stolen keys and certs, it's not the algo that's the issue as much as it is human malfeasance. Yes, you could have a whole batch of drives all claiming they were the same legit drive, for one example (that's easy to protect against if known, but there are so many possibilities, I'll believe it when I see it).

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2018