2 Replies Latest reply on Aug 11, 2011 11:18 AM by Eurometal

    CAN ANYONE PLEASE CONFIRM - SSD "320 series" STILL NOT AS SECURE AS REG. HARDDRIVES w/ATA PASSWORD and/or FDE ?

    Eurometal

      Product: Intel "SolidStateDrive, 320 Series"

      Specific part#: SSDSA2CW160G* (160GB capacity), part# not important b/c problem covers all SSD's - unfortunately even new "[secure] 320 series" ?

       

      Two problems uncovered (which probably limit Intel sales!).

      Let me first state two Questions (short), then go onto Explanation (lengthy):

       

      1) HOW CAN THESE BE ADVERTISED with SECURITY BEING ITS STRONG POINT, WHEN SETTING "ATA PASSWORD" TURNS OUT TO BE EXCEEDINGLY RISKY (DESTROYS DEVICE!)? 2) CAN INTEL 'SSD TOOLBOX' LET CUSTOMER SET "ATA PASSWORD", OUTSIDE of BIOS (when BIOS lacks such feature)? =====

       

      Explanation: Please assure your Technical knowledge is deep enough b/c to avoid bloating this Post, I provide minimum explanations for a subject some sales folks keep confusing with another (people who use  cheapo computers, have no clue BIOS/PowerOn password has no relation to Harddisk/ATA Password [ATApass in turn exists in 2 forms: Master & Supervisor]) - so would help if  an engineer or  technically-inclined customer(s) or enthusiasts respond to following: If you use computers for serious business (in my case design engineering, financials/etc. storing secrets) rather than "pictures, music" or similar waste; you are likely using either or both protections: a) Encryption (Software or Hardware types)  and/or  b) Harddisk aka "ATA Password" (been part of ATA Command Set since mid 1990's, professionals know).

       

      ===== Problem:

      A)

      "Intel 320series" products Hardware Encryption (aka Self, Built-In) is utterly useless without setting up a "Harddisk/ATApassword".  But it appears to be: ** extremely dangerous **  ==> dueto violation of ATA standard on SSD's side causing SSD self-destruct or host computer hang with subsequent need for massive complete restoration (for a Terabyte sized system nobody wants the nightmare).  Is Intel correcting this critical issue making new "320" series security not only useless but also self-destructive?

       

      ATA Password can be set in most business/hi-end laptops BIOS'es simply because they don't hide such functionality; cheaper/consumer laptops & most desktops hide it to deny 'idiot-customers' [who  only use computers for entertainment], tho manufacturers like Intel , HP or Asus may offer also on consumer laptops & business desktop Mobos.  But it appears despite emulating Harddrives, SSD's even  "Intel320" advertised as specifically secure and implying the usage of ATA Password, are killed when password is really used - READ BELOW WHY!: If we can't safely use ATA Password, what's the point of Encryption (other than deterring an unlikely thief who instead of stealing SSD as one piece, desolders/steals individual flashmemory chips from it  and solders into another controller (or Logically probes them) - being encrypted they can't be read, but why bother when Thief can simply unplug/steal entire SSD in 5 seconds, w/o ATApassword the  encryption would be meaningless and SSD can be plugged into another computer!?).  So we cannot trust secret data to an SSD - even one of the finest/securest on the market Intel320 - unlike a regular  Harddrive in a computer whose BIOS allows such password? I am getting a headache b/c it means SSD can't be used for anything beyond simple boot-up device, at least not in Professional or Corporate environment.  You wouldn't secure your Games, Grandma's  photos or worry about someone stealing p 0 r n collection; but for anything more serious - you lose sales because unlike Harddrives, passwording SSD is dicey.

       

      FIRST CHECK THIS OUT (WEBLINK):

      INTEL'S OWN WARNING LAST UPDATED IN MARH 2011; HERE: http://www.intel.com/support/ssdc/hpssd/sb/CS-030724.htm

      also similar warning surfaced earlier at this link:

      http://www.intel.com/support/ssdc/hpssd/X25M/sb/CS-030723.htm

       

      Confirmed by numerous users on public Forums you may not be aware of.  You can enable ATA Pass on Intel320 or competing SSD's like on a regular harddrive, nothing bad happens at first; but wait  afterwards - you better never change or disable it or move SSD to another computer or other normal  actions people need - b/c your data/money might die if you try.  Just moving storage device like  Harddrive or SSD to a new computer is a basic, frequently needed task.  BUT WORST OF ALL - simple entering computer into Standby and returning back, or any power cycle like Turn on/of - system may hang often w/permanent data loss.  I use Standby mode profusely and turning computer on/off is obviously a everyone's common action, so using SSD Security is effectively impossible - unless you willing to take chances!

      Cheer up - Intel's 3 main competitors suffer from same plague now, but they don't advertise security feature as heavily as "Intel 320 Series" or they explicitly say "No". One solution which may or may not work, is backing up (Imaging) entire SSD, then issue Secure Erase command in Intel SSDToolbox which somehow implies changing/disabling password, then  restoring whole thing again on same or new computer, then playing with password again - a major annoyance unheard of with regular Harddrives.  A regular Harddrive ATA password can be changed  instantly (if you're the owner and know old), also all you need to move to a new computer is disable it prior on original machine.  Try that with SSD even Intel320 - you might be locked up forever, you're likely to lose a lifetime of data (whole drive) + maybe Operating System.

       

      Trust me I ran a massive research which led me to rumors enabling ATA password on a competing SSD does the above behavior, I got Intel320 instead - I love Intel for other reasons (technical/reliability  specs, thorough testing), but too bad it turns out to be identical problem, which means your SSD's controller/firmware still doesn't comply with ATA Security Xtension for practical use.  Looks good on  datasheet or advertising, but can't be used conveniently.  Who wants to wipe out and restore their system, should they change a password or move to another computer?  Okay maybe it's tolerable (maybe  someone likes to sit thru 1Terabyte monster restorations), but the point is sometimes SSD is crashed even if NOT changing ATA password - just setting that Password in itself turns out to be risky for  SSD (not Harddrives).

       

      ======= **) Second question is simple:

      As professionals know, while business/hi-end laptops do have; some consumer laptops and many desktops don't have Harddisk/ATA Password option in their BIOS (do NOT confuse with  PowerOn/BIOS/Supervisor pass present in most even cheapo computers - but completely unrelated & worthless, can be reset by kids in minutes!).  There's a way to "hack" with special utilities, into  emulating what BIOS supposed to offer in terms of harddisk/ATApassword (set, disable/change when owner needs, etc.) - but obviously it's not normal, it's like swimming in Tuxedo - very few people  had been successful or posses knowledge, many caused perma-damage.  So the question is:

      DOES INTEL "SSD TOOLBOX" ALLOW SETTING THIS PASSWORD, OUTSIDE of BIOS (when BIOS lacks such feature)?

       

      That would be so SO GREAT, another competitor's Forums are buzzing about it but I only go with Intel and we want it in Intel SSD Toolbox.  Intel historically has had the best data integrity specs & track record, even if it's not always fastest, for us reliability is more important, I DON'T CARE for competitors' SSD esp. b/c Sandforce's implementation of AES Encryption is partially wrong!, we need this  password thing for Intel 320 Series even if BIOS lacks that option, please.

       

      Yes I know what was in "IntelSSD Toolbox" in earlier version - no ATA Password for sure (Secure Erase or BIOS/PowerOn password have nothing todo with it); I could install an update and recheck or  Google or answers since SSD Toolbox specs don't say it clearly; but right now sitting on a pile of work and 3 new computers (for CAD design) awaiting my free time later, and Googling didn't clear it up - just wanted to know how to set ATA password if BIOS doesn't offer!

       

      I got a Netbook also, some of world's best (HP DM1Z) perfect, except if someone steals which is ridiculously easy for a tiny laptop of Notepad thickness, I am dead.  It's got Intel320 300GB drive full of  emails, drawings, finances/banks.  Its BIOS doesn't let me set "Harddisk Password", it does have 'PowerOn/BIOS supervisor" password but as explained above that one is totally not what we discuss here  (ATA Password)- so if SSD is removed by Thief, it can be read in another computer. Not to mention even if I set such password, it can ruin Intel320 but at least to know SSD Toolbox can set it outside BIOS would be a partial relief.

       

      ======= P.S.  You might be wondering if I am too stupid to use "Software FDE" (Full Disk Encryption) instead of all the above (Hardware Encryption + ATApassword)? Sorry, but I know all about it.  Soft Encryption - typically FDE (e.g. BitLocker, TrueCrypt, PGP) as opposed to Hard Encryption w/coupled "ATA Password", is outside the scope of this Message (too  long) - it maybe perfect for Harddrives but only for specific cases and has ISSUES with SSD's especially with those which already encrypt in hardware (Intel320, Sandforce).  Not for people like us, too  long to explain why.

      I do run FDE ("BitLocker" flavor) on one machine only (b/c it's got regular Harddrives (WesternDigital RE4 series) & very powerful  i7-2600 w/AES encryption accelerator), but really: We just want plain good old "ATA Password" to work - I've been using it w/Harddrives since 1998!, seems an easy wish but SSD manufacturers give us hell! Precluding your sales/profits to expand into more professional, corporate market, beyond "speedy bootup and gaming" stuff.

        • 1. Re: CAN ANYONE PLEASE CONFIRM - SSD "320 series" STILL NOT AS SECURE AS REG. HARDDRIVES w/ATA PASSWORD and/or FDE ?

          Eurometal,

           

          Thank you for the feedback. I have some good news.

           

          1)      The errata web page you have sighted (http://www.intel.com/support/ssdc/hpssd/sb/CS-030724.htm) is in error.  This is an outdated page which only applied to the Intel ® X25-M and X18-M SSDs, and only specifically to the “G2” versions which used the 2CV102G2 firmware revision.  This issue was corrected in the 2CV102G9 and newer firmware revisions in August of 2009.  I can assure you that there are no outstanding open sightings against the Intel® SSD 320 Series drives which relate to ATA password functionality.  The Intel 320 Series SSD products (and current firmware versions of Intel X25-M SSD) will function as you describe “A regular Harddrive ATA password” functions.  Thank you very much for pointing this detail out to us.  We are in the process of removing this outdated link.  

          2)      The short answer here is no.  There are a couple key reasons… 
          A. Setting an ATA  password on a system who’s BIOS does not support password capabilities would cause the SSD (or HDD) to no longer be recognized by that system.  The BIOS of a system must enumerate a storage device at power on, identify the boot sector of the storage device, and begin reading the OS in order to enable the system to boot.  If a storage device is locked with an ATA password installed and the BIOS is not designed to unlock the storage device at power-up, the system will hang and likely report “no system disk found”.  This happens because the BIOS will attempt to read the OS from the storage device, but the locked storage device will abort the commands as it is in a locked state.  As this is the case, you would not be able to boot the system into an OS.  Further, the Intel ® SSD Toolbox must be executed within an OS, therefore enabling such a capability within the SSD Toolbox could easily result in a user setting a password on such a system and at next power cycle no longer be able to access their storage device without moving it to a host system which does support ATA password unlocking within BIOS at power on.
          B.  Within the ATA Security Standards (see www.t13.org for details), a command called “SECURITY FREEZE LOCK” is defined.  This command was created to help limit security attacks on storage devices, as it “freeze locks” the security state of the drive until next power cycle.  Many system BIOSs execute this command after enumerating (and if necessary unlocking) the storage device, prior to handing off to the OS.  This command causes a storage device to abort any security commands (abort set or remove passwords, or secure erase, etc.) until the next power cycle.  This “freeze lock” limits the ability to have broadly compatible security features enabled within the SSD Toolbox.  This is the same reason that a user often must power cycle their SSD during the Secure Erase function within the SSD Toolbox, to remove this “freeze lock”.  Most OS typically do not respond well to having the primary storage device removed (by removing power), therefore this is problematic even if you could solve the issue above and read the OS from a locked drive.  Additionally, it would be exceptionally inconvenient to enable such a feature forcing the user to regularly to plug and unplug in order to lock and unlock drives, let alone the challenges when the system would go into standby and sleep modes (where storage device power is often removed, locking the device again), etc.

          Thanks again for the great feedback, for catching our mistake, and for supporting Intel products.  We appreciate it.  Please keep the ideas coming!

           

           

          -James

          • 2. Re: CAN ANYONE PLEASE CONFIRM - SSD "320 series" STILL NOT AS SECURE AS REG. HARDDRIVES w/ATA PASSWORD and/or FDE ?
            Eurometal

            Jim,

             

            Thanks for a profusely comprehensive response, looks like I succeeded in soliciting a real technical guy to answer, b/c often initial contact is thru SALES/Marketing people who are nice & smiley people but  have no clue of engineering!  OK, now just a couple other things FYI - NO RESPONSE NECESSARY (unless you want it publicly posted for others to see - but I consider topic closed):

             

            a) This link is still active:

            http://www.intel.com/support/ssdc/hpssd/X25M/sb/CS-030723.htm

            That ERRATA may or maynot be in error, it's upto you to take a look, I just report.

             

            b) The only painful factor that prevents people from buying Intel320's series is infamus "8MB bug" you are working to fix,  affects a small % of customers but people are overly cautious w/SSD's after the early generations convinced us they're still an unstable technology which still must be coupled w/magnetic (spinning) harddisks.

            So if Intel fixes that 8MB bug you will be good!

            Market your SSD's with an advantage of stability/reliability vs. OCZ fast-burning junk.

            People who buy OCZ or even Crucial don't value their data, they value speed... but when you lose your work/data then they learn a lesson.

            Intel is not 100% bullet proof but comparatively is the lowest failure rate put of top 10 SSD makers (note: OCZ was in bankrutpcy actually, and re-emerged specifically to hype up their new direction - SSD's, instead of hi-perf RAMmemory they used to be known for).

            Besides, Intel510 ElmCrest is nearly on par with competitors speed, yet more reliable.

             

            So basically "8MB bug" is the only thing that's hurting you and it's better to fix ASAP, I know it's difficult (EE here) but just staing the fact it needs to be off problem list.

             

            === P.S.

            I sound like an "Intel fanboy" hired to post public promo-post, but no, you peope can verify I am infinitely far from Intel employment - I just like to promote good technical products (Engineer here), maybe it's a form of OCD Disorder (OCD reviewer)!

            Just fix that da*n 8MB bug, the last frontier for 320-series (hopefully).

            Likewise I posted positive reviews of some HP, Kingston USBflashdrives, Crucial memory, WesternDigital RE4 HDD's, etc so I am not promoting here one company, on the contrary I also put out brutally negative reviews of some other stuff when it's really bad.

            Intel SSD's & Processors are good stuff, just fix 8MB bug.