SoylentNews is people

posted by n1 on Wednesday October 21 2015, @04:55PM
from the would-you-like-the-good-or-bad-news? dept.

Update: Western Digital announced its acquisition of SanDisk on Wednesday for $86.50 per share, or about $19 billion.

Bloomberg reports that hard disk drive maker Western Digital (WD) is considering purchasing SanDisk Corp. for between $80 and $90 a share, or around $17-18 billion.

A merger would give WD access to SanDisk's NAND flash chip foundry deal with Toshiba and make WD an instant competitor in the solid-state drive market. As we reported last week, SanDisk is also partnering with Hewlett-Packard on Storage-Class Memory (SCM), a post-NAND competitor to Intel and Micron's 3D XPoint offering.

After three years of delay, Chinese trade regulator MOFCOM has approved WD's integration with HGST. The two businesses will be required to keep product brands and sales teams separate for two more years, but can begin "combining operations and sharing technology," such as HGST's helium-filled 7-platter hard drives. $400 million in annual operating expenses could be reduced by the integration.

WD can be expected to include helium-filled hard drives in its product lineup imminently. If WD merges with SanDisk, we may also see the inclusion of more large NAND flash caches in the form of hybrid hard drive (HHD/SSHD) products. The Xbox One Elite Bundle ships with a 1 terabyte SSHD, and Seagate recently released a 4 terabyte desktop SSHD.

It's not all good news for Western Digital this week. Security researchers have just disclosed multiple vulnerabilities in WD's "My Passport" and "My Book" self-encrypting hard drives that allow encryption to be bypassed.


mendax writes:

"Totally useless", the article from El Reg dubs it:

WD's My Passport boxes automatically encrypt data as it is written to disk and decrypt the data as it is read back to the computer. The devices use 256-bit AES encryption, and can be password-protected: giving the correct password enables the data to be successfully accessed.

Now, a trio of infosec folks – Gunnar Alendal, Christian Kison and "modg" – have tried out six models in the WD My Passport family, and found blunders in the designs.

For example, on some models, the drive's encryption key can be brute-forced, which is bad news if someone steals the drive: decrypting it is child's play. And the firmware on some devices can be easily altered, allowing an attacker to silently compromise the drive and its file systems. [...]

"In addition to this, other security threats are discovered, such as easy modification of firmware and on-board software that is executed on the user's PC, facilitating evil maid and badUSB attack scenarios, logging user credentials, and spreading of malicious code."

My Passport models using a JMicron JMS538S micro-controller have a pseudorandom number generator that is not cryptographically safe, and only cycles through a series of 255 32-bit values. This generator is used to create the data encryption key, and the drive firmware leaks enough information for this key to be recreated by brute-force, we're told.

"An attacker can regenerate any DEK [data encryption key] generated from this vulnerable setup with a worst-case complexity of close to 2^40,"....

The paper that describes their exploit can be found here.
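
Added example (not from the article or the researchers' paper): a constructed toy generator with a 255-value cycle, showing how a cycle-length check flags it and why a 256-bit key built from its output has only about 8 bits of keyspace. The LFSR, the eight-word key construction and every function name here are assumptions for illustration, not the JMS538S firmware's logic, and the sketch does not model the 2^40 figure quoted above.

```python
import math
import secrets

MASK32 = 0xFFFFFFFF

def toy_step(state):
    """Constructed 8-bit Galois LFSR (mask 0xB8); nonzero states form one 255-long cycle."""
    lsb = state & 1
    state >>= 1
    return state ^ 0xB8 if lsb else state

def toy_output(state):
    """Stretch the 8-bit state to a 32-bit value; the output looks wide but adds no entropy."""
    return (state * 0x9E3779B1) & MASK32

def cycle_length(step, seed):
    """Brent's algorithm: length of the cycle that `step` enters when started from `seed`."""
    power = lam = 1
    tortoise, hare = seed, step(seed)
    while tortoise != hare:
        if power == lam:
            tortoise, power, lam = hare, power * 2, 0
        hare = step(hare)
        lam += 1
    return lam

def weak_dek(seed):
    """Assumed construction: a 256-bit key from eight consecutive 32-bit outputs."""
    words, state = [], seed
    for _ in range(8):
        state = toy_step(state)
        words.append(toy_output(state).to_bytes(4, "big"))
    return b"".join(words)

def distinct_weak_keys():
    """Every key the toy generator can ever produce, over all nonzero seeds."""
    return {weak_dek(seed) for seed in range(1, 256)}

def strong_dek():
    """Corrected form: 256 bits straight from the OS CSPRNG."""
    return secrets.token_bytes(32)

if __name__ == "__main__":
    keys = distinct_weak_keys()
    print("cycle length:", cycle_length(toy_step, 1))
    print("distinct 256-bit keys:", len(keys))
    print("effective key bits: %.2f of 256" % math.log2(len(keys)))
```
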


  • (Score: 3, Interesting) by Rich on Wednesday October 21 2015, @08:03PM

    As the resident nerd, I recently was asked to have a look at a dead external hard drive (return favours were negotiated). The device in question was some 3.5" external USB drive from WD. Probably something with "Passport". IIRC, I was told that the drive was dropped. When plugged in, it seemed to spin up and do a few seeks, which sounded very much like a successful startup routine and self test. But it didn't register at the desktop at all. A look into "dmesg" revealed an error: "Logical unit access not authorized".

    Even an extensive search on the net left me none the wiser. If it was something possibly useful, WD should have it documented so it can be found. I suspect it might have something to do with locking in the drive with its enclosure. Anyway, I handed the drive back and told them to throw it away or have it sorted with WD and/or their Windows-only maintenance software. I definitely wouldn't want to deal with such a situation myself. Because WD already had past sins booked on their account when they even refused to name the spindle speed of some new series, they're out of cred with me now.

    Pity that we can expect SanDisk, which always was a "better safe than sorry" choice for solid storage, to pull stupid tricks like the above too.

    PS: Just out of curiosity: Does anyone happen to know what this "authorization" logic is supposed to do and how it precisely works?

  • (Score: 3, Informative) by jmorris on Wednesday October 21 2015, @09:58PM

    Have you looked into the ATA Security thing that all laptops/drives implement?

    Man 8 hdparm and look for "ATA Security Feature Set"

    Good luck figuring out what password they use though.