And trivially so, to boot. You can see the story on
Slashdot. To paraphrase, Lexar’s Secure Jump Drive includes an XORed
version of the password within the drive itself. Or, you can simply attach a
debugger to the Lexar-provided management software and sniff the password
in plain text. Of course, once you have the password, decrypting the
contents of the drive isn’t hard.
Now I’ll take this opportunity to share a story of a budding young
programmer, working in his spare time on his dad’s Windows 98 machine, with a
Trial copy of Borland C++ 5.02 that he got from a How To Program book that
he looked at for one day, and which to this day sits in a book completely
ignored.
This young budding programmer was still quite new to the whole idea of
making programs. The fact that he was learning programming using the Win 32 C
API wasn’t helping his skills along either. But he made progress, and made a
not-so-sophisticated fractal drawing program, which even supported plugins for
the hell of it.
This programmer then read a book on cryptography, and thought that it would
be neat to integrate crypto into an application. Thinking briefly, he decided
to make a simple application to keep track of birthdays and anniversaries and
such.
This program ended up working, although it was nothing special. But even
though the programmer was still very inexperienced at the art of programming,
he knew enough from reading the book to know that you couldn’t store any kind
of encoded form of the password in the file you were supposed to protect.
Instead, you had to store a hash, which you would check against the user’s
proposed password later. And so that’s what the application did.
This young programmer was myself, about 5 or 6 years ago. And although I
didn’t take such preventive steps as locking the memory page that was holding
the password (although I did clear it out when I was done with the password
IIRC), I knew enough about the basics to make a program that (I hope) was
relatively secure in its approach. I even think that I found a SHA-1
implementation on the Internet somewhere to use as my hashing function. And I
know I used Rijndael (now AES) for the actual encryption.
There’s no reason for crypto to be hard, as many people much smarter than
we are have thought about, and solved, problems that we still don’t even need
solving. This problem has also been solved, and once again a company has been
hoist on its own petard because their programmers (or managers) thought that
they were smarter than some of the brightest minds in history.
EDIT: I saw this link in the Slashdot comments. You must be this
intelligent to use the Internet. I must save this link somewhere for
future use. =D
