The key to USB security

Moore's law, the idea that every 18 months computers double in capacity and halve in price, is one of the most often quoted "laws" of computing. It's also proved remarkably accurate, although there's a certain degree of self-selection here, as people seldom remember those "laws" that turned out to be false.

Indeed, on the high street, progress appears even faster. Over the years I've acquired an eclectic collection of USB storage devices of all shapes and sizes. Currently I have a tiny 2GB stick in my wallet that's jam-packed with patches, and a 2GB keyring model that includes a set of security tools and portable applications.

Noticeably absent from any of them is sensitive data. There seems to be an inverse relationship between the size (and therefore chance of accidental loss) of devices and their inherent security. Sure, there are all sorts of encryption options for USB devices, but many of them require administrator rights on the host PC and their security varies greatly.

In fact the USB device on my keyring includes "built-in" encryption, but any attempts to find technical details or evaluation from the Chinese vendor have been unsuccessful. Why is it so difficult to find portable hardware with decent encryption?

Late last year I received an Ironkey device for evaluation. Ironkey is a relatively new player in the market, and has a refreshingly paranoid attitude towards security. The Ironkey USB device comes in sizes up to 4GB and is built like a tank, both physically and logically.

Ironkey's encryption is built-in and unavoidable; everything on the device is encrypted with AES, implemented in hardware. Ten bad password attempts turn the device into a rather attractive paperweight.

On the physical side, the Ironkey is waterproof (genuinely; mine survived a trip through the weekly wash quite happily) and pretty much indestructible (it also makes a fairly entertaining toy for cats, although such use is probably not covered by the warranty).

Pre-installed is a software suite with a portable version of Firefox and an account with Ironkey's anonymising proxy for web access, plus a handy tool for storing website account details securely (in the custom hardware, not the USB file system). There's also the online "my Ironkey" account that allows password resets, backups and remote locking of lost devices.

The Ironkey will not be perfect for everyone. Windows XP is the minimum requirement, so Windows 2000 users are going to be disappointed. The "ten goes and you're out" security block is hardwired and cannot be reset, so there's a clear denial of service issue, although there are plans to introduce a corporate version with more conventional password reset channels.

The cost, while not excessive, is significantly higher than a standard device of the same capacity. However, on balance, for the security conscious user, it ticks all the right boxes.