DHS wants to fund R&D to crack hard drive security repost

[David Farber <dave () farber net>]

Begin forwarded message:

From: Ross Stapleton-Gray <ross () stapleton-gray com>
Date: October 31, 2008 5:58:33 PM EDT
To: Bruce Schneier <schneier () schneier com>
Cc: David Farber <dave () farber net>
Subject: Re: DHS wants to fund R&D to crack hard drive security

Wow... that's rather strange, as that's the DHS public SBIR site, and  
there was no password on it this morning.

I've attached the whole PDF of the forthcoming SBIR solicitation,  
which had, until recently, been accessible on the site.

Ross

At 02:51 PM 10/31/2008, you wrote:
> I can't get that like to work; it requires a password.
>
> At 12:22 PM 10/31/2008, you wrote:
>
> > From the now-in-presolicitation DHS SBIR topics... wouldn't you  
> > think that DHS would say, "Hmmmmm, if *we* could do this, to  
> > support law enforcement interests, then we've greatly failed in our  
> > other job, of ensuring that the nation's IT assets are protected  
> > against all the other bright people who'd want to do it?"  On the  
> > one hand, I don't think the odds are good of their getting the  
> > outlined results; on the other, if they do, then we're all even  
> > less secure than we thought.  (Another thought... this is a topic  
> > from the pre-solicitation... if there's a lot of feedback to detail  
> > how it might be an ill-advised avenue of research, they might swap  
> > in a different topic for the actual solicitation... this is the  
> > only IT security topic in this round.)
> >
> > https://www.sbir.dhs.gov/SolicitationDownload.asp
> >
> > 8.5 SBIR TOPIC NUMBER: H-SB09.1-005
> > TITLE: Hard Drive Unlocking
> > TECHNOLOGY AREAS: Computer Technology
> >
> > OBJECTIVE: A system is sought to accomplish the unlocking of hard  
> > disk platters to access
> > data. With the addition of hard disk passwords that lock the  
> > mechanism to read data off of the
> > hard drive, it is becoming even harder to access the criminal's data.
> >
> > DESCRIPTION:
> > A device is needed that can be hooked up to the drive (both laptop  
> > and desktop drives) and
> > remove the password that is (keeping  removed) preventing access to  
> > the data. This device
> > cannot alter the data on the drive in any way for evidence purposes  
> > and should be able to provide
> > the password used. Once the information is obtained from the disk  
> > the device should have the
> > capability to relock the drive for covert operations so that the  
> > owner will not know that the data
> > on the drive has been accessed.
> >
> > Different hard drive manufacturers allow the hard drives platters  
> > to be locked through the bios
> > thus making the data unrecoverable unless the password is correct.  
> > This is not encryption but is
> > an algorithm stored in either a hidden track on the drive or in a  
> > memory chip on the drive. Since
> > the password is built into the drive itself, there is no way of  
> > simply erasing the memory and
> > clearing it. Different manufacturers also store this information  
> > differently amongst their
> > different models. The device would first be required to recognize  
> > the drive model then access
> > the password from the hidden or maintenance area.
> >
> > PHASE I: (a) Identify an efficient hardware and software  
> > architecture solution capable of
> > "unlocking" all current hard drives on the market, hard drives sold  
> > in the past 10 years and the
> > feasibility of "unlocking" hard drives sold for the next three  
> > years. (b) Create a project plan
> > that will map out the execution of the project. The project plan  
> > will identify areas of technical
> > challenge and propose mitigation strategies.
> >
> > PHASE II: A minimum of three (3) hard drive "unlocking" units are  
> > expected to be delivered
> > and demonstrated. Each unit shall be capable of "unlocking" all  
> > current hard drives on the
> > market, hard drives sold in the past 10 years and potentially  
> > "unlocking" hard drives sold for the
> > next three years.
> >
> > PHASE III: COMMERCIAL APPLICATION
> > Commercial applications of the units will be utilized by DHS Law  
> > Enforcement Agencies
> > (LEAs) and can potentially be used by the entire Federal, State,  
> > and Local LEA community.
> > Another commercial application of the units could be used by  
> > companies that provide a service
> > for end-user support to individuals who forget their password and  
> > need to access the data.
> >
> > REFERENCES:
> > http://www.vogon-investigation.com/evidential_systems-03.htm
> > http://www.pcstats.com/articleview.cfm?articleid=1501&page=5
> >
> > KEYWORDS: Hard Drive, Unlocking, Password, Logon, Open, Decrypt,  
> > Computer, Laptop
> >
> > TECHNICAL POINT OF CONTACT: Kai-Dee Chu, 202-254-2315, Kai-dee.chu () dhs gov

Attachment: SBIR_RFP_29OCT09_final.pdf
Description:

-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com