Tuesday, February 19, 2008

"Encrypted" hard drives

Somebody took the time to reverse engineer one of those new USB enclosures that claims to encrypt the hard drive with 128-bit AES, and found out it is just doing XOR encryption:

http://www.heise-online.co.uk/security/Enclosed-but-not-encrypted--/features/110136

Pretty disgraceful. It turns out they encrypted the key with AES, but the actual data with a "proprietary algorithm" that is in fact trivial to break. Here's the chip the product uses. Notice that there's no mention in their specifications of a proprietary encryption algorithm, or that the chip only encrypts the keying material with AES.

http://www.innmax.com/en/im7206.html
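As an added illustration (not code from the article or the chip vendor), here is a model of the flawed design beside a black-box check a buyer could run against any "encrypting" enclosure: write a run of zero bytes and look for a repeating pattern in what comes back. The key and the hash-based stand-in for a sound stream cipher are constructed for the example.

```python
import hashlib
from itertools import cycle

SECTOR = 512  # typical disk sector size


def fake_enclosure_encrypt(data: bytes, key: bytes) -> bytes:
    """Model of the flawed design: every byte of data is XORed with a fixed
    key that repeats every len(key) bytes. Constructed stand-in, not the
    chip's actual firmware."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def counter_mode_stand_in(data: bytes, key: bytes) -> bytes:
    """Stand-in for a real stream cipher (SHA-256 over key || counter), used
    only so the audit below has a sound design to compare against."""
    stream = b""
    for block in range(-(-len(data) // 32)):
        stream += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
    return bytes(d ^ s for d, s in zip(data, stream))


def keystream_period(ciphertext: bytes, max_period: int):
    """Smallest shift at which the byte stream repeats, or None.
    With an all-zero plaintext, 0 XOR k == k, so the ciphertext *is* the
    key, and a repeating key shows up as a repeating ciphertext."""
    for period in range(1, max_period + 1):
        if ciphertext[period:] == ciphertext[:-period]:
            return period
    return None


def audit_repeating_xor(encrypt, probe_len: int = 8 * SECTOR):
    """Black-box check: encrypt a run of zero bytes and look for a repeating
    pattern. Returns (flawed, period)."""
    ct = encrypt(bytes(probe_len))
    period = keystream_period(ct, max_period=probe_len // 2)
    return period is not None, period


if __name__ == "__main__":
    key = bytes(range(1, 33))  # constructed 32-byte key
    print(audit_repeating_xor(lambda d: fake_enclosure_encrypt(d, key)))
    print(audit_repeating_xor(lambda d: counter_mode_stand_in(d, key)))
```

A product whose ciphertext for zeros repeats with a short period is leaking its key outright; a sound cipher produces no such pattern no matter how long the probe.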

You just can't trust those fuckers in the computer security business. Yes, I realize my last job was as a software developer for a company that made security products. That just makes me all the more aware. I'm not saying the company I worked for made bad products, but rather that the job exposed me to a lot of other companies' security products (including source code in many cases), and I can say that they were all complete crap. And we're not talking about security companies that nobody has ever heard of. We're talking about top security vendors that make the firewalls and authentication tokens your company is probably using to protect its network.

Unfortunately, we're not talking about security bugs here. Every product will have bugs in it, and some of those are exploitable (although there are techniques that can be employed to compartmentalize the risk). Just about every vendor I worked with had fundamental design flaws in their product that were just ridiculous.

Do you really think the chip vendor above didn't realize that the design was fatally insecure? They're taking the gamble that you don't find out. You could argue that they were incompetent, but bear in mind that doing it right would have cost a lot more money to design, and the unit cost of the chip would be much higher. Why on Earth would they spend the money if you're too stupid to be able to tell the difference? It's pure economics.

Ever wonder why encryption products certified for government use are so damn expensive? It's because proper design, implementation, and validation are such a costly process. Programs like FIPS 140-1 in the U.S. or CESG in the U.K. are specifically set up to not allow certification of poorly designed products.

The company you work for probably paid tens of thousands of dollars for these products, which are riddled with security holes that the vendors pray you never look closely enough to find out about.