Security is not for everyone

Last week I attended D-A-CH Security 2011 to talk about inexpensive hiding of files on USB memory sticks. The presentation is based on a bachelor thesis supervised this year. The feedback received at the conference was valuable. Some attendees hinted at possible technical improvements; some found “charming” the idea of hiding files in clusters marked as defective without requiring hardware modifications or cryptographic mechanisms with key management overhead. And then there were the more academically oriented participants. “This must not be offered to naive customers – they might think that they get high security while they do not. This is weaker security than cryptography – this must not be accepted for high-risk data protection.”

True. Low-cost security is not for everyone. There are applications where a high level of protection is required. On the other hand, we need to give “the rest of the market” options to choose from. Simply saying that the only alternative to a high-security (and high-cost) solution is to not use any protection mechanism is not constructive. And constructive it should be. The solution presented does not require additional cost, does not require complicated software installation or key management, and works with off-the-shelf hardware. And, yes, it must not be used for high-risk data protection (that is even stated clearly in the paper).

A car analogy. Not everybody can afford to drive a Volvo (or a tank), but for most of the market, there are plenty of choices that cost less than a Volvo (or a tank) and offer more protection than riding a bicycle on a motorway.

