Letter Re: COMSEC, Bitcoin, and Ironkey Thumb Drives

I took notice of the malware warning in your blog regarding  Bitcoin and some of the suggestions to thwart it. I’d like to throw my 2 cents in and suggest your readers check out  ironkey.com Ironkey makes a thumb drive that is like no other device on the market. I just bought one and I love it. I will describe what it does and why your readers may want to consider getting one as part of their COMSEC arsenal. I purchased the 16 GB model and the cost including delivery was $228. Yes, that is expensive, but wait until I describe what it can do.

A little history on this device is in order. It was designed by U.S. Naval Intelligence and the largest purchasers of this product is the U.S. Government. I know what you’re thinking, if the Government knows about it, I don’t want one. The hardware and software for this device is devoid of a back door and the mathematical algorithms that trigger the cryptochip are totally random, not even Ironkey can unlock them once they are initiated. They warn you that if you forget your password you’re on your own.

1.    When you insert the 2.0 USB device for the first time you’ll be taken through a process to get it going. I takes about 20 minutes and that includes setting up your Ironkey account. You’ll be given the option to “back-up” your data on Ironkey’s servers. I chose not to exercise that option for obvious reasons. The web site has great tutorials for first time users (highly recommended)

2.    The set up process has you create a password for the device.

3.    Now the fun begins. The next time you plug it in, a menu pops up and you have to enter your password. If you enter the password wrong more than 10 times, the memory of the device will be permanently bleached (erased) and it cannot be recovered. Worried about key loggers? Key loggers are a real threat to your privacy. Hackers can actually log what keys you are using and identify all your passwords as you type. You can type in your password if you wish but I don’t recommend it for that reason. There is a little icon on the start up menu and when you click on it a visual QWERTY board pops up on the computer screen. You simply “click” your password with your mouse instead. Even this method can be hacked if the hackers are really sophisticated so Ironkey answers that problem as well. Within the QWERTY board there is a command that allows the QWERTY board to be “shuffled” Basically all the letters and numbers get scrambled and will not be located where they would normally be so you can click your password in and if anyone was actually trying to decipher it they would not be able to.

4.    The entire device is water proof. It is made of steel and you can drive over it with your car or throw it against a wall and it won’t damage it. The entire system is encased in a hard resin epoxy so that if you tried to break it open it would destroy the cryptochip beyond any hope of recovery. You can kind of get the picture of where this is going, this company takes privacy seriously.

5.    Here is where this thing gets really interesting. In the control panel there is an application called “identity manager” It works in a couple of different ways, and here is the first example. You click on it, then click on “add” and type in the web address where you want to go and the passwords that go along with it such as your bank accounts. Once you’ve done that you simply open the “identity manager” and click on that account. The system will launch the web browser, fill in your passwords and log you in all by itself so that key loggers have no chance in tracking your key strokes. The second way is to go to your web sites yourself and enter your own passwords. After you’re done, you’ll notice a brief pause and wonder what is going on. The system will pop up a screen and ask you if you want the “identity manager” to remember this and do you want to add it to the “identity manager”  If you say yes then you have essentially done what I described in step #1 above.

6.    So you’re saying to yourself: “So what, I’m still on the net and therefore I’m still vulnerable” Well that’s where you’d be wrong. You see, the Ironkey has it’s own built in Mozilla Firefox web browser and this particular version has an integrated feature called “Secure Sessions” that can be toggled on and off mine is always set to the “ON” position. You can also import other applications into it such as Internet Explorer and Outlook just to name a few. During “Secure Sessions” you are invisible on the net. You don’t exist at all. The signals “tunnel” through existing traffic without anyone knowing you’re there and it gets even more intense than that. Let’s say I’m writing you an e-mail like I’m doing right now and I’m operating in “Secure Session Mode” I can actually choose what part of the world I want to appear from. That’s right! If I want my e-mail to originate from an IP address in Africa then I can do that. I can bounce it around the globe to multiple countries or continents if I choose. If I don’t choose to do so, it’ll randomly do it on it’s own anyway. For true anonymity you do need to have an e-mail account that was not set up from your computer. Yahoo, GMail and others log the original computer that the e-mail account was first set up on. The public library or some other random computer that can’t be associated with you comes to mind when doing this. [JWR Adds: I concur on the need to use tunneling. Even for those that don’t opt to use Ironkey, I recommend the web-based Strong VPN tunneling service for both e-mail and web browsing.]

7.    Anything you do on the Ironkey will not leave a trace on the computer it is plugged into. Period. We don’t ever want to end up on some “undesirables list” so should your computer ever fall into the wrong hands there will never be a trace of your activity on the net or any application that is on the computer while using the Ironkey. The files extracted will show up on your “Recent Files” menu but when you click on them to open the application you get a message telling you that you need to plug a computer in. That’s operating under the assumption that you get sloppy and forget to clear the “Recent Files” on a daily basis. So why do you get a message telling you you need to plug a computer in to view these files? The answer is simple, the Ironkey is it’s own mini computer inside a thumb drive that borrows needed files from your drive to operate but never leaves a trace that it did so. I turned a friend of mine (college degree in computer guru science) loose on my computer to test Ironkey’s claims. He can’t find any history on the drive of any activity I’ve had while my Ironkey was busy doing what it does.

I think the Ironkey is a must have piece of COMSEC hardware.

Thanks for the work that you do, I hope you and your readers find this helpful. – M.Y.