back to article Let's take a closer look at these claims of anti-ransomware SSDs

A security company is claiming to have developed a flash drive with built-in ransomware prevention support that can protect any data stored on it against being stolen or encrypted by malware. We're pretty sure we've heard claims of this sort of thing before, so we took a closer look at this latest stuff. The Cigent Secure SSD …

  1. Flocke Kroes Silver badge

    Hope there is an off switch

    The AI would an easier time if it understands NTFS. If they have taken the easy path then EXT4 will confuse the hell out of it unless support turns up, things get worse with the non-default file systems and fall apart completely with next next versions of them. Perhaps something is possible by watching the whole disk without understanding the file system. That should be fun with a swap partition, multiple partitions with different file systems, file systems distributed across multiple disks and CPU based encryption.

    Then comes the application layer. How will it react to true positives let alone false positives?

    I am far more terrified of this solution than the problem.

    1. Phones Sheridan Silver badge

      Re: Hope there is an off switch

      "I am far more terrified of this solution than the problem."

      But as an IT professional you have a comprehensive backup routine, so why would you be afraid of something that if it works saves you many hours of restore time, and if it doesn't, then you just get a pop up telling you that you might have ransomware because the amount of writes has exceeded X? Do you run with antivirus turned off just in case it gets it wrong?

      1. FrogsAndChips Silver badge

        Re: Hope there is an off switch

        Because a false positive may also trigger a lock of your data, resulting in downtime for your users until the alert is cleared. You don't want that happening every other day.

        1. Phones Sheridan Silver badge

          Re: Hope there is an off switch

          Your argument is identical to those I was seeing 30 years ago regarding antivirus in production and corporate environments.

      2. Anonymous Coward
        Anonymous Coward

        Re: But as an IT professional you have a comprehensive backup routine

        backup routine, including backup, is a myth, like those gators in NY sewers! ;)

      3. vtcodger Silver badge

        Re: Hope there is an off switch

        Downvoted because the OP clearly thinks there is virtually no chance of this thing being anything other than an additional problem in a domain that already has more problems than any of us can cope with. I agree with him. At best, it'll probably be an obtuse storage device that resists reformatting or repartitioning, won't work properly with many OSes and is prone to mysterious hangs. At worse, it'll do something truly horrible.

        At very best it probably doesn't need AI. Just some routine logic. And a LOT of OS/driver support because the operator needs to be able to talk to it and find out why it is balking or that it's OK to overwrite everything (because sometimes it is).

        This gizmo sounds to me like an ideal device for those who believe in the powers of magic. For the rest of us? Probably not so much

        Operative principle: If it sounds too good to be true it is probably too good to be true.

        1. Phones Sheridan Silver badge

          Re: Hope there is an off switch

          So my response to the OP would be, why would you buy a device advertising a specific functionality, hoping that there is an off switch? If the features being offered are not to your liking, why buy it to turn them off. Simply continue buying the devices you already are, and leave this device to those who do want that functionality.

  2. Mishak Silver badge

    "if in a few minutes a significant chunk of data on the disk is being written"

    Like when I run a script to apply "clang format" to code blocks on 10k+ pages (text files) in a wiki?

    Please let there be an "off switch"!

  3. ChoHag Silver badge

    Or --- hear me out on this --- don't store a single copy of your sensitive data in one place, thus reducing to zero the impact of not only ransomware but literally everything else as well.

    No you're right. Not enough AI in it.

    1. katrinab Silver badge
      Meh

      Mirroring certainly doesn't help. The bad data will get automatically mirrored to all the other locations.

      Backups won't necessarily help either, because the bad data will get backed up.

      Snapshots do help, because you can go back in time to a point when the data wasn't damaged.

      Backups seem to be more about dealing with catastrophic failure of the device, or environmental hazards like floods and fires, which is obviously imporant, and you need to do it, but I think for ransomware, it will be the snapshots that save you.

  4. Captain Scarlet
    Facepalm

    "AI" marketing

    I hate this "AI" marketing, I assumed it would have snapshots or be massivly overprovisioned by over 50% to cover.

    1. Michael Wojcik Silver badge

      Re: "AI" marketing

      There's no way a microcontroller is running anything like a big ML model, so even by today's weak-sauce standards there's no "AI" here. There might be some processing of some sliding window of telemetry data by a canned model of some sort that's amenable to processing by a relatively low-power processor in an embedded system, such as an HMM. So, yeah, this is some arrant-nonsense marketing.

  5. John H Woods Silver badge

    Snapshots

    You don't need AI to recover from RW, you need version history. We've got everything we need to implement that already, copy-on-write filesystems, snapshots, syncing, backups.

    You don't need AI to detect RW, you just need to detect abnormally high, lengthy, widespread or just unexpected write activity; and you should probably be looking for that anyway. In my case, I monitor the size of my ZFS snapshots, which grow as the current state of the filesystem increasingly diverges from them. You still can't tell whether it's ransomware or a user bulk uploading / modifying / encrypting files, but you can, when you get an alert, diff the filesystem from a recent snapshot and see the activities responsible.

    How is this AI going to stop "data being stolen" other than refusing to co-operate when you, the user, attempt to read a large number of files? There are plenty of reasons to do so, including file-level deduplication.

    I'd rather have devices that reliably do what they're asked, rather than make some internal decision at device level about how, or even whether, they will honour a read or write request. There is plenty of scope in Operating Systems, File Systems and, tbh, simple business processes (like regular backups) to deal with ransomware, it's not some magical threat that we are still struggling to counter.

    1. Flocke Kroes Silver badge

      Re: detection

      I use canary files. I do not change them so if they ever change something bad has happened.

      1. Captain Scarlet
        Thumb Up

        Re: detection

        Thats actually a good idea, you do get some monitoring software used in corps that can see changes as well.

      2. Paul Kinsler

        Re: I do not change them so if they ever change something bad has happened.

        It might be sneakier to change some of them, but only in carefully controlled ways. What if a ransomware writer has thought about such canaries, and tries to avoid touching them..?

        1. Michael Wojcik Silver badge

          Re: I do not change them so if they ever change something bad has happened.

          There are a number of ransomware techniques that try to avoid basic detection methods, such as only encrypting certain types of files or encrypting files in a random order. That sort of approach might eventually trigger detection but possibly late enough that some damage would already be done. But of course earlier detection is always better.

          There are also ransomware strains which hook the filesystem and decrypt on the fly to remain unnoticed until all files and recent backups are encrypted, and then spring the trap. So checking canaries through direct disk access is better – but of course gets more complicated with more-sophisticated storage systems. (Here checking backups routinely on an isolated, dedicated system – preferably automatically – can help detect "stealth" ransomware.)

          It's the usual arms race. As with any arms race, though, even if you don't have great defenses against the state of the art, protecting yourself from the run of the mill is a good idea and gives you some breathing room for worrying about a really sophisticated attacker.

  6. Arthur the cat Silver badge

    Sniff, sniff

    Is that snake oil I'm smelling?

    1. Anonymous Coward
      Anonymous Coward

      Re: Sniff, sniff

      "Is that snake oil I'm smelling?"

      Yes .... partly !!! :)

      It has been found that 'Snake Oil" is the perfect sealant when packaging "Bulls**t" on this scale .... multi-million '50 Gallon' drums !!!

  7. DJV Silver badge

    So, Cigent have basically just laid down a challenge to the ransomware crowd saying "You can't break this."

    I wonder what sort of timescale we are looking before the response of "wanna bet" comes back. months, weeks or days?

  8. Howard Sway Silver badge

    How's it going to respond to OS updates?

    As these replace so many system files, it will surely look to the "AI" as if the system's under attack. And if they have to provide mitigation for this, the ransomware pricks will then start disguising their stuff as OS updates.....

    The worst thing about this idea is that some people will think that they don't need to worry about backups any more, because they're "protected". Until an exploit is found and they aren't.

    1. FrogsAndChips Silver badge

      Re: How's it going to respond to OS updates?

      OS system files are easy to replace and not as valuable as your data. You should be able to exclude the system drives from the tool's config.

      1. Paul Crawford Silver badge

        Re: How's it going to respond to OS updates?

        Replacing certain "OS files" is a good means to implement malware like remote access, etc.

        1. FrogsAndChips Silver badge

          Re: How's it going to respond to OS updates?

          We were talking ransomware here, not other *wares. A remote access malware is unlikely to replace thousands of files.

      2. Flocke Kroes Silver badge

        Re: Should

        From the article:

        The Data Sheet also specifies that Secure SSD+ needs to be installed as the boot drive ...

        Well that is all the boot files on this AI device before we start thinking. Next up, you want the AI to recognise system files from the firmware inside the drive. Without OS support it has to recognise the partition scheme, file system, and then work out which things are system files. To make that more fun, modern file systems write the data to unallocated areas of the disc and afterwards they write the meta data changes to the journal before updating the meta data. The drive cannot know writes are creating new system files until at least after the journal update. What most users perceive as overwriting a file usually involves writing the data to unallocated space, writing a journal update to point a randomly generated file name at the data, then another journal update to rename the random name to the correct name and unlink the data referenced by the previous directory entry for the correct name. That is a giant amount of complexity even if you know what the OS is, what version number it is, what the file system is and what version that is. OS updates can to some extent reorder those writes. The OS is likely to be updating multiple files at the same time. This can involve having multiple unallocated space lists so each core can work on one update without locking the others out. Even without the file system driver changing to something the AI has never seen before untangling that multicore mess will be a real pain from the drive's point of view. It gets told what numbers to store at what position on the disc, not why or what the numbers mean.

        I really doubt that any attempt has been made at getting close to that level of complexity. If you think you can ignore all the details an just let AI fix everything for you then I recommend watching AI play chess. Last year, this sort of product would have "used" blockchain.

  9. Anonymous Coward
    Anonymous Coward

    on-board processor that uses machine learning algorithms

    but is it 'green' and 'sustainable'?

    1. Paul Crawford Silver badge
      Trollface

      Re: on-board processor that uses machine learning algorithms

      More to the point, is it using block chain?

      1. katrinab Silver badge
        Holmes

        Re: on-board processor that uses machine learning algorithms

        Blockchain is so last year. AI is the new next big thing.

        Having said that, zfs uses Merkel Trees, which is a way of chaining blocks together, and it is an actually very good way to store data and ensure its integrity.

        I think zfs snapshots, combined with a good backup policy, is the way to go, so, in otherwords, they actually should be using blockchain.

  10. David-M

    Now what would be nice would be a disk or area where new items can be added or moved in name, but nothing changed in content or deleted, implemented by the hardware. Most of our precious files are going to be static in content once created.

    d

  11. Grogan Silver badge

    I think I'd put my money on an "anti-ransomware" backup strategy instead of gimmicks :-)

  12. Jotrav

    When I read this article my first thought was "three (and a bit) weeks late"...

  13. Anonymous Coward
    Anonymous Coward

    I use Secure Folders to hide the drive - you can't even see it in Computer Management unless you allow it. Nothing gets thru unless it's allowed by me.

    ONLY the programs I allow to have access - other wise you get Drive not accessible - Element not found.

  14. Aussie Doc
    Pint

    New challenge?

    I'm imagining some ransomware crim saying "Hold my beer" or "Challenge accepted" or something.

    Not sure this will end well.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like