Lexar’s “Secure” Jump Drive Has Been Cracked

And trivially so, to boot. You can see the story on Slashdot. To paraphrase, Lexar’s Secure Jump Drive includes an XORed version of the password within the drive itself. Or, you can simply attach a debugger to the Lexar-provided management software and sniff the password in plain text. Of course, once you have the password, decrypting the contents of the drive isn’t hard.

Now I’ll take this opportunity to share a story of a budding young programmer, working in his spare time on his dad’s Windows 98 machine, with a Trial copy of Borland C++ 5.02 that he got from a How To Program book that he looked at for one day, and which to this day sits in a book completely ignored.

This young budding programmer was still quite new to the whole idea of making programs. The fact that he was learning programming using the Win 32 C API wasn’t helping his skills along either. But he made progress, and made a not-so-sophisticated fractal drawing program, which even supported plugins for the hell of it.

This programmer then read a book on cryptography, and thought that it would be neat to integrate crypto into an application. Thinking briefly, he decided to make a simple application to keep track of birthdays and anniversaries and such.

This program ended up working, although it was nothing special. But even though the programmer was still very inexperienced at the art of programming, he knew enough from reading the book to know that you couldn’t store any kind of encoded form of the password in the file you were supposed to protect. Instead, you had to store a hash, which you would check against the user’s proposed password later. And so that’s what the application did.

This young programmer was myself, about 5 or 6 years ago. And although I didn’t take such preventive steps as locking the memory page that was holding the password (although I did clear it out when I was done with the password IIRC), I knew enough about the basics to make a program that (I hope) was relatively secure in its approach. I even think that I found a SHA-1 implementation on the Internet somewhere to use as my hashing function. And I know I used Rijndael (now AES) for the actual encryption.
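The difference between storing an encoded password and storing a hash, as an added example that is not code from the original post or from Lexar's software. The XOR key and sample password are constructed, and the verifier uses salted PBKDF2-HMAC-SHA256 from Python's standard library rather than the bare SHA-1 mentioned above.

```python
import hashlib
import hmac
import os

# Constructed for illustration: a fixed obfuscation key shipped with the software.
XOR_KEY = b"\x5a\xa5\x3c\xc3"


def xor_encode(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Reversible 'protection': XOR is its own inverse, so encode == decode."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_verifier(password: str, iterations: int = 200_000) -> dict:
    """Store only a random salt and a slow, one-way digest of the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def check_password(candidate: str, record: dict) -> bool:
    """Re-derive the digest from the proposed password and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


def demo():
    password = "correct horse"  # constructed sample password

    # Weak design: whatever is stored next to the data decodes back to the password.
    stored_weak = xor_encode(password.encode())
    recovered = xor_encode(stored_weak).decode()

    # Hash-based design: the stored record can confirm a guess but cannot be decoded.
    record = make_verifier(password)
    return recovered, check_password(password, record), check_password("wrong guess", record)


if __name__ == "__main__":
    print(demo())
```

The salt means two records for the same password differ, so a stored record cannot be matched against a precomputed table of digests.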

There’s no reason for crypto to be hard, as many people much smarter than we are have thought about, and solved, problems that we don’t even need solved yet. This problem has also been solved, and once again a company has been hoist by its own petard because its programmers (or managers) thought that they were smarter than some of the brightest minds in history.

EDIT: I saw this link in the Slashdot comments. You must be this intelligent to use the Internet. I must save this link somewhere for future use. =D