Category Archives: Security

Cracking Encrypted HDDs

Sprites mods has a very nice, in-depth hardware security review of the Disk Genie encrypted hard drive. The first problem is how easily the device is opened; the next is how it reports failures, which hands an attacker useful feedback. Spoiler alert: here are the conclusions.

If you’re just a generic Joe Blow who wants to make sure your private pictures don’t get viewed by your colleagues or kids, you’re golden. The fact that there’s no way a software-only attack can get the pincode means that some hardware experience is needed to start hacking the device, and that will deter casual onlookers enough to make the device completely safe for curious neighbours or colleagues, even if they are smart enough to, for example, install a keylogger on your PC.

If you’re a business-person with actual info to hide, info that could financially benefit other parties… you can still use this, but make sure to pick a strong pincode. More than 11 digits should do, depending on how badly others want the data.

If you’re, say, the president of a nuclear country and want to use this to carry around the launch codes of your nukes, I wouldn’t recommend this device. While the thing is safe from a casual hacker like me, someone with money or the resources to de-cap chips can probably get to the data fairly easily: the PIC which contains the keys to the HD is not a secure device and, when decapped under a microscope in a laboratory, can probably be made to give up that key fairly easily.

Is that a qualified hint to the Pentagon or just an example?

Auditors catch E-waste fraud in CA

California Attorney General Jerry Brown has filed charges against the executives of an e-waste recycler, Tung Tai.

In late 2008, CalRecycle auditors contacted investigators at the California Department of Toxic Substances Control after noticing discrepancies in the claims submitted by Tung Tai and the records kept by Golden State Records and Recycling, a company that collected and transferred materials to Tung Tai, Brown said in the release.

In July 2009, state agents searched the Tung Tai facility and discovered two separate sets of records, Brown said. Those records showed that Tung Tai had significantly inflated the pounds of recycled material it submitted for reimbursement to CalRecycle between January and September 2008, Brown’s office said.

Two separate sets of records? That is pretty bold.

Cathode Tube Watch – Design Process

The Cathode Corner site has a nice writeup of the design considerations for the Nixie Watch.

As I pondered the perplexing problem of what to do with the back of the watch, I decided to study the mechanical watches I had lying around. They all seemed to have the same general design – a big turning with the strap lugs formed by punching out the material between them and from the sides of the watch. I had to approach it a bit differently, since I had an o-ring seal to get in the way of milling away material from the front. So I had the material milled from the rear. But I used the idea of turning the strap lugs, which is what gives it that watch-like look.

Although they figured out how to seal the case and make it attractive, battery life is still far below the paltry one year that was planned. Hello, solar? What is that other wrist for anyway? Ironically, it has a built-in sensor to save battery by only displaying the time when the watch is viewed from a certain angle. Why not also harvest energy from movement? This is a great example of how dependent a system is on energy, and of how little engineering is spent on the energy input compared with aesthetics.

Qualys scan changes forced by PCI Council

Qualys has sent out a notice of changes to how QualysGuard provides reports for PCI.

Within the QualysGuard Consultant interface, you will still be able to run PCI specific scans using the PCI Option Profile. You will also still be able to run PCI pass/fail reports; however, these reports will now be flagged as non-certified reports and cannot be submitted to your clients’ acquiring banks to pass PCI Compliance.

Approved Scanning Vendors (ASVs) using QualysGuard are not affected if they are already using the ASV Portal. The portal offers only a pay-per-host license with unlimited external scans, instead of pay-per-scan. Internal scans for requirement 11.2 still have to be done with another tool or a different account.

Those who are not an ASV will no longer be able to own the scanning license and cannot submit reports to the PCI Council for certification on behalf of a client.

Qualys says the changes follow the PCI Council’s new ASV guidelines from last March. The following differences will appear after their new product launch next week, on August 31.

# Attestations: Customers are required to confirm on a quarterly basis that reports adhere to PCI DSS requirements for scoping, false positive documentation, and scan completeness. ASVs must then review these submissions and provide their own attestation. QualysGuard PCI will provide simple workflows to assist scan customers in providing and tracking the status of these attestations.
# Report Content Changes: The ASV Scan Report must use a new format that includes additional content, revised scoring terminology (High, Medium, and Low), and sections for attestations. QualysGuard PCI reports will incorporate all required changes.
# False Positives: Approved false positive requests must be resubmitted by the customer to the ASV for review on a quarterly basis. QualysGuard PCI workflows will provide scan customers an easy-to-use interface for viewing and resubmitting false positives.
# Scoring Changes: As a result of clarifications concerning CVSS scoring, certain QIDs have changed their compliance posture and will now cause components to fail PCI certification. The complete list of QIDs is detailed in the FAQ referenced below.

Scoring changes can be found in an appendix of their FAQ. A long list of vulnerability checks (QIDs, in Qualys terms) now carry CVSS v2 base scores of 4.0 or higher, which is the threshold at which an ASV scan marks a component as failing.
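To make the scoring and false-positive items concrete, here is an added example (not Qualys code, and not from their FAQ) that computes CVSS v2 base scores from vector strings, maps them to the ASV report’s High/Medium/Low bands, and applies the 4.0 fail threshold to a scan. The false-positive handling assumes a 90-day validity window as a stand-in for “quarterly”; the QIDs, hosts, dates and findings are constructed sample data, not real scan output.

```python
"""CVSS v2 base scoring and the PCI ASV pass/fail rule (added example, not Qualys code)."""
from datetime import date, timedelta
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base metric weights, as defined in the CVSS v2 specification.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}     # Confidentiality / Integrity / Availability impact

PCI_FAIL_THRESHOLD = 4.0   # ASV Program Guide: a base score of 4.0 or higher fails the component
FP_VALIDITY_DAYS = 90      # assumption: approved false positives must be resubmitted quarterly


def round1(x: float) -> float:
    """Round half-up to one decimal, matching the spec's round_to_1_decimal."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_base(vector: str) -> float:
    """Compute a CVSS v2 base score from a vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P'."""
    m = dict(part.split(":") for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176
    return round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def pci_severity(score: float) -> str:
    """Map a base score to the ASV report's High/Medium/Low terminology."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def evaluate_scan(findings, approved_fps, as_of):
    """Return (passes, failing_findings).

    A finding fails the component when its CVSS v2 base score reaches
    PCI_FAIL_THRESHOLD, unless a false-positive approval for that (host, qid)
    is still inside its validity window as of the report date.
    """
    failing = []
    for f in findings:
        score = cvss2_base(f["vector"])
        approved_on = approved_fps.get((f["host"], f["qid"]))
        fp_valid = approved_on is not None and (as_of - approved_on).days <= FP_VALIDITY_DAYS
        if score >= PCI_FAIL_THRESHOLD and not fp_valid:
            failing.append({**f, "score": score, "severity": pci_severity(score)})
    return (len(failing) == 0, failing)


# Constructed sample data: hypothetical QIDs, hosts and vectors, not a real report.
AS_OF = date(2010, 8, 31)
SAMPLE_FINDINGS = [
    {"host": "10.0.0.5", "qid": 11001, "title": "weak SSL cipher", "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"},
    {"host": "10.0.0.5", "qid": 11002, "title": "remote code execution", "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"},
    {"host": "10.0.0.5", "qid": 11003, "title": "local info disclosure", "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"},
    {"host": "10.0.0.6", "qid": 11004, "title": "hard-to-trigger DoS", "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"},
    {"host": "10.0.0.6", "qid": 11005, "title": "reflected XSS", "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"},
    {"host": "10.0.0.6", "qid": 11006, "title": "outdated web server", "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},
]
SAMPLE_FPS = {
    ("10.0.0.6", 11005): AS_OF - timedelta(days=30),    # approved this quarter: still suppresses
    ("10.0.0.6", 11006): AS_OF - timedelta(days=120),   # approved last quarter: expired, finding fails again
}


def run_sample():
    """Evaluate the constructed scan; returns (passes, failing_findings)."""
    return evaluate_scan(SAMPLE_FINDINGS, SAMPLE_FPS, AS_OF)


if __name__ == "__main__":
    passes, failing = run_sample()
    print("PCI scan passes:", passes)
    for f in failing:
        print(f"  FAIL {f['host']} QID {f['qid']} {f['score']} {f['severity']}: {f['title']}")
```

Running it shows three failing findings: the 4.3 (Medium) weak-cipher check and the 10.0 (High) RCE on the first host, and the 7.5 (High) web-server finding on the second host whose false-positive approval has lapsed. The 2.1 and 2.6 (Low) findings stay below the threshold, and the XSS with a current approval is suppressed. The point of the scoring change in the FAQ is the first case: a check that used to score below 4.0 and was merely reported now lands at or above it and fails the component outright.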

Their most recent notice does not mention this, but instead focuses on who is an ASV and the services provided: a company cannot compete directly with an ASV just by using the same software and running the same reports. The PCI Council charges a fee to become an ASV and be listed as one. The change thus seems to have come from a combination of licensing issues and quality control.