Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
It's funny.  Laugh. Encryption Security

Lexar JumpDrive Password Scheme Cracked 565

Saint Aardvark writes "Lexar describes the JumpDrive Secure as "loaded with software that lets you password-protect your data. If lost or stolen, you can rest assured that what you've saved there remains there with 256-bit AES encryption." @stake has a different take: The password can be observed in memory or read directly from the device, without evidence of tampering." And best of all, the punch line: "[The password] is stored in an XOR encrypted form and can be read directly from the device without any authentication." That's why I use ROT-13 for my encryption needs."
This discussion has been archived. No new comments can be posted.

Lexar JumpDrive Password Scheme Cracked

Comments Filter:
  • Even worse... (Score:5, Insightful)

    by Anonymous Coward on Tuesday September 14, 2004 @03:25PM (#10249026)
    Why go through all the trouble of attaching a debugger to the process when you can bribe the user to tell you the password with a chocolate bar [slashdot.org]! Best of all, this trick will still work long after Lexar fixes their security issue.
  • DMCA (Score:4, Interesting)

    by Lead Butthead ( 321013 ) on Tuesday September 14, 2004 @03:25PM (#10249030) Journal
    Doesn't that violate DMCA?
  • by PrimeWaveZ ( 513534 ) on Tuesday September 14, 2004 @03:26PM (#10249034)
    Three years to get .01% of the way done cracking this before someone realized it was ROT13. ;)
  • by michael path ( 94586 ) * on Tuesday September 14, 2004 @03:26PM (#10249039) Homepage Journal
    The password is in XOR'd form? Yeah. That's encryption.

    Couldn't the software or driver have stored the password in a MD5 or SHA1 form, and still present a valid authentication mechanism for end users?

    From the article:


    Vendor Response:

    08-05-2004 Vendor contacted via email to support@lexarmedia.com
    No response.
    08-12-2004 Vendor contacted again via email to support, sales
    Public Relations, Investor Relations, and general
    inquiry email addresses.
    08-12-2004 Automated response from support received
    09-13-2004 No further response from vendor, advisory released

    Vendor has not acknowledged issue or produced a fix.


    This is a pretty embarassing non-response.

    The product is only about 5 or 6 months old, and the password was just sitting there. AES is a perfectly fine standard for encryption, but this is an embarassing implementation. Thankfully, I don't know anyone who owns this.
    • Well it's good to know because I own one. On the bright side if I had ever forgotten my password, I can now retrieve the data. Another point to @stake.
    • by pete-classic ( 75983 ) <hutnick@gmail.com> on Tuesday September 14, 2004 @03:31PM (#10249096) Homepage Journal
      Horseshit. All my data is XORed against itself before it is written to disk. I assure you that you can't crack it.

      -Peter
    • by Alizarin Erythrosin ( 457981 ) on Tuesday September 14, 2004 @03:35PM (#10249143)
      The password is in XOR'd form? Yeah. That's encryption.

      Couldn't the software or driver have stored the password in a MD5 or SHA1 form, and still present a valid authentication mechanism for end users?


      Aside from storing the password in XOR'd form, the software checking the password is flawed. It unencrypts the password first, then compared the password entered. Rather then encrypting the password entered and comparing it to the device?

      There may even be better ways than that. I'm not a cryptography person, but that's the first thing that comes to mind.
    • I've got one of these, so now you do know someone with one.

      If you're carrying around secure documents/files on a jumpdrive using only the included encryption scheme, you may need a lobotomy. I took one look at the security program that came on the drive, and threw it out. I knew I'd never need it. It wasn't a program that looked like it reeked of security, either. I'm acutally surprized this is the first report of the JumpDrive being cracked.

      Since there are dozens of USB drives on the market, and the're

      • by plover ( 150551 ) * on Tuesday September 14, 2004 @06:48PM (#10250881) Homepage Journal
        Don't look to San Disk for any better security.

        I spent a little while analyzing the "CruzerLock" software that came with my Cruzer Mini USB drive. It appears to be using a 64 bit block cypher (perhaps DES) which pretty much rules out any of the more modern encryption algorithms.

        Its biggest readily apparent weakness is that the encryption algorithm is running in ECB mode. If you have a file containing AAAAAAAAAAAAAAAAAAAAAAAA it will encrypt to an 8-byte repeating block on the drive, like this: 123456781234567812345678 When I changed that to AAAAAAAAbbbbbbbbAAAAAAAA I saw the following encoding: 12345678abcdefgh12345678. That indicates Electronic Code Book. If I learn what your first block means, I know the third block means exactly the same data. (Please note that these are just example values with nice visual properties, and not the exact values I saw!)

        Also, the encryption is the same from file to file. AAAAAAAA encoded in one file produces exactly the same results as AAAAAAAA encoded in another. So the IV for the encryption routine is fixed as well.

        At least XORing blocks of encrypted binary nulls with two different keys didn't quickly reveal any obvious common bits, nor did encrypting two successive blocks that differed only by a single bit of plaintext. That means it's at least more than a plain old 8-byte XOR cypher using a folded password.

        I figure if I can find all those holes in an hour of poking around with a hex tool, I know they didn't actually hire any cryptographers to produce the software. All the alarm bells have already gone off, and I never even stepped into it with a debugger to learn how they fold your password into a key, or what the IV was, or what the encryption algorithm itself was.

    • by Chris Mattern ( 191822 ) on Tuesday September 14, 2004 @03:57PM (#10249354)
      > Thankfully, I don't know anyone who owns this.

      I do, and I keep fairly sensitive information on it (in fact, I bought it in order to keep that information handy but secure). But I don't use Lexar's software--never even occured to me to try to use it, as I want to access it in Solaris and Linux. I use GPG; downloaded a GPG for Windows and put it right on the key so that I can use it in any Windows machine as well.

      Chris Mattern
  • Cue::Cat (Score:5, Funny)

    by althalus ( 520424 ) <slashdot@nospAm.lug-nut.com> on Tuesday September 14, 2004 @03:27PM (#10249049) Homepage
    That's what happens when you get your security developers from the Cue::Cat Development team. Wasnt' their 'encryption' just XOR or something similar?
  • by grunt107 ( 739510 ) on Tuesday September 14, 2004 @03:27PM (#10249050)
    It allows those who forget their passwords to quickly access the 'lostpaswd?' file, saving on support calls.
  • Not much detail? (Score:4, Interesting)

    by Anonymous Coward on Tuesday September 14, 2004 @03:27PM (#10249053)
    XOR'ed with what? XOR is just a method of encryption, not a cypher or anything... it's the basis for the one-time-pad, the strongest encryption method next to quantum encryption.
    • by PhilipPeake ( 711883 ) on Tuesday September 14, 2004 @03:41PM (#10249211)
      This is actually a clever sales gimmick.

      You can find the "what with" part by simply XORing again with you key. So to find out what the magic string is, simply buy one of these devices, encrypt some data to it, then locate the encrypted key and XOR you original password with the "encrypted" version.

      Doing this with your own device means you are not violating DMCA - trying this out with someone elses device will subject you to the possibility of 57 consecutive life sentences.

    • by nkh ( 750837 ) <exochicken@@@gmail...com> on Tuesday September 14, 2004 @03:43PM (#10249230) Journal
      Without a doubt it's a xor used with a key length of a few bytes.
      xor + small_key = cypher for dummies, it's an old standard for those who don't care about security.
  • by jmorris42 ( 1458 ) * <jmorris AT beau DOT org> on Tuesday September 14, 2004 @03:27PM (#10249061)
    If ever there was an example of why we need product liability laws, this is it. Unlease the attack lawyers on these bums.
  • Seriously (Score:3, Funny)

    by Alien54 ( 180860 ) on Tuesday September 14, 2004 @03:28PM (#10249068) Journal
    This is up to the highest standards of the RIAA and MPA. Really.

    You will be legally liable for the legal consequences of any attempt to break through this advanced encryption technology.

  • Drive Crypt (Score:5, Informative)

    by xombo ( 628858 ) on Tuesday September 14, 2004 @03:29PM (#10249081)
    That's why I use DriveCrypt [securstar.com]. I got my version years ago and it's pretty antiquated but it supports up to 1024 bit encryption (granted it makes things relatively slow).
    • Re:Drive Crypt (Score:3, Informative)

      by D. Book ( 534411 )
      Just an obligatory mention of the Free / Open Source alternative: CrossCrypt [scherrer.cc], and the graphical version, CrossCryptGUI [fortunecity.com]. Actually, I don't think I could've picked a worse time to mention them. The CrossCrypt site is down, and for some reason, the CrossCryptGUI site now displays a black background (so you can't see the text).

      Nevertheless, I've used CrossCryptGUI 0.75 for some months now with a 20GB encrypted volume, and haven't had a problem (though backups are essential in case of corruption). As far as I'm
  • Inevitable? (Score:5, Insightful)

    by xanthines-R-yummy ( 635710 ) on Tuesday September 14, 2004 @03:30PM (#10249083) Homepage Journal
    Isn't this in line with the whole "No machine[usually meaning computer, but in this case a jumpdrive] is secure if the physical box is in the hands of the hacker/criminal."

    I mean, if you have the jumprdrive in your possession it's only a matter of time before you find a weakness to exploit, right?

    • Re:Inevitable? (Score:4, Interesting)

      by Minna Kirai ( 624281 ) on Tuesday September 14, 2004 @03:45PM (#10249256)
      "No machine[usually meaning computer, but in this case a jumpdrive] is secure if the physical box is in the hands of the hacker/criminal."

      That's not true. If my harddrive contains an encrypted filesystem, it does a "hacker" no good to steal my PC. He's mathmatically less likely to brute force that encryption than if he sniffed encypted email or SSL sessions.

      If the hacker installs a keylogger, and I don't detect the intrusion when I return, then a second trip to physical access could break the security... but getting his hands on it once won't help.

      That famous saying only applies if the machine gets some ongoing use after the hacker has physical access. (Thus it demonstrates a core flaw of DRM, etc)

      I mean, if you have the jumprdrive in your possession it's only a matter of time before you find a weakness to exploit, right?

      No. There is no reason a device like this needs to store the password at all.

      Properly, it shouldn't be a "password" at all, but a decryption-key you type before accessing the files. Type in the wrong key, and the files appear scrambled.
    • Re:Inevitable? (Score:3, Interesting)

      by Erpo ( 237853 )
      Isn't this in line with the whole "No machine[usually meaning computer, but in this case a jumpdrive] is secure if the physical box is in the hands of the hacker/criminal."

      I mean, if you have the jumprdrive in your possession it's only a matter of time before you find a weakness to exploit, right?


      Nope. The jumpdrive is just a data storage device and if it only contains encrypted data, an attacker can only read the (probably useless) encrypted data it stores. You can't decrypt it unless you have the decry
    • Re:Inevitable? (Score:4, Interesting)

      by merlin_jim ( 302773 ) <James.McCrackenNO@SPAMstratapult.com> on Tuesday September 14, 2004 @03:48PM (#10249286)
      I mean, if you have the jumprdrive in your possession it's only a matter of time before you find a weakness to exploit, right?

      No. It is absolutely possible to implement a symmetric encryption scheme that does not expose any details of the password and requires the password to be correct in order to decrypt the data.

      For instance, instead of saving an xored version of the password (I'm assuming you need the cleartext of the password to run through your decryption algorithm), you can save a hash of the password. Then when the user enters their password, you compare hashes for correctness, and if there's a match, you use the cleartext they just entered.

      Assuming all your math is done right and you're using strong crypto, there's nothing anyone could do to decrypt that data without a) knowing the password or b) having more computing power at their disposal than is currently available to any private citizen or group.

  • wow (Score:3, Interesting)

    by Anonymous Coward on Tuesday September 14, 2004 @03:30PM (#10249092)
    I had one of those things. I'm glad that I always manually encrypted sensitive information instead of relying on their tool. That is until the drive mysteriously stopped working at all after about 6 months.

    No way am I buying anything they make again.
  • by ALecs ( 118703 ) on Tuesday September 14, 2004 @03:32PM (#10249105) Homepage
    Why does the password need to be 'stored' anyway? Isn't that kinda the point?

    Is this some sort of 'encrypted session key' thing where one long, secure password decrypts another shorted one that's used to do the dirty work? Is it stored for key recovery by tech support droids?

    Why store the password? Is this just the worst implementation in the whole world or am I missing something?
    • by savagedome ( 742194 ) on Tuesday September 14, 2004 @03:37PM (#10249170)
      Why does the password need to be 'stored' anyway?

      One word: support.

      Ideally, they should not be storing the password on the disk itself at all for it to be a secure drive. But I've seen a lot of these decisions that seem boneheaded because a *lot* of people will forget their passwords and come back *demanding* that you decrypt their shit. If this is someone that even remotely knows the CEO of the company or somebody higher up and if you try to explain them one-way math functions, you will be getting the pink slip in no time.

      Although what these guys did is unpardonable. I mean XOR? Jeez.
      • by pclminion ( 145572 ) on Tuesday September 14, 2004 @04:06PM (#10249441)
        Although what these guys did is unpardonable. I mean XOR? Jeez.

        What's wrong with XOR? Example. I've encrypted a short message of ten bytes, by XORing it with a random sequence of ten bytes. Here's the ciphertext:

        26 6B F1 2C 2E 1E 71 12 A9 68

        Since XOR encryption is so weak, this should be no sweat to crack, right?

        Unfortunately, you'll never be able to crack it, because you don't know what the key was. Even if you found a key that would decrypt this sequence to a meaningful series of bytes, you still don't know if that's the correct answer. More than one valid message can fit into 10 bytes, and you have no way of telling which one of those valid messages was the one I intended. It is literally unbreakable. This is called a one-time pad. Now, if I used the same key repeatedly to encrypt lots and lots of data, you could apply statistical techniques to attack it. But the weakness is not inherent in the XOR operation.

        The weakness is in the key security. If you cannot protect the key properly, not even the most complicated cipher in the world can help you.

        XOR is a perfectly legitimate method for combining the key, or key-generated data, with the plaintext.

        • From Encryption Matters [kuro5hin.org]:

          Here's how to perform an attack that will break the trivial XOR encryption in a few minutes:

          * Determine how long the key is

          This is done by XORing the encrypted data with itself shifted various numbers of places, and examining how many bytes are the same. If the bytes that are equal are greater than a certain percentage (6% accoridng to Bruce Schneier's Applied Cryptography second edition), then you have shifted the data by a multiple of the keylength. By finding the smallest am

        • by Piquan ( 49943 ) on Tuesday September 14, 2004 @05:14PM (#10250133)

          XOR is a perfectly legitimate method for combining the key, or key-generated data, with the plaintext.

          If you're using the key, it has to be an OTP. As soon as you repeat your message using the same key, your cipher's busted.

          In the case of key-generated data, that's pretty much what a stream cipher does. But then you don't refer to the cipher as XOR, you refer to it as a stream cipher. You could just as easily use mod-256 addition as XOR if you wanted; the point of the cipher isn't the combination technique, but the stream generator.

          The grandparent was referring to XOR as the only cipher method. In the case of an OTP (like you used), it's okay, but that's the only case. This is clearly not an OTP we're dealing with here.

          What's worse (and aside from your point), it's open to a chosen-plaintext attack: buy another JumpDrive, set the password, observe. A chosen-plaintext attack can reveal the key of a simple XOR cipher in a single attack (assuming you can ascertain the maximum key length, which is probably something that the password entry dialog gives you). Even without chosen-plaintext, it doesn't take many samples to reveal the key of an XOR cipher, but with chosen-plaintext it's just too trivial.

        • Unfortunately, you'll never be able to crack it, because you don't know what the key was.

          But where do you store this key? do you XOR it with something else? (and what do you do with that something else?) If you use any other more sophisticated method to hide it, why not just use that for the password in the first place? Also, in this case you alredy know what the password is (after all, it's _your_ JumpDrive, whatever that is), so you can xor it and get the 'secret key'. With that, it should be easy to f

          • But where do you store this key?

            But that question has nothing to do with XOR, does it?

            My point was simply that XOR is a key-combining operation. The fact that an algorithm uses XOR does not imply insecurity. There are, of course, plenty of bone-headed possible implementations. But none of those problems are the fault of the XOR operation.

    • You're not the one missing something. The lexar software engineer who came up with this one obviously never read The Cookoo's Egg or the Linux Source Code- or he'd know how to do a password right (yes, the password does need to be stored someplace, NO, it does not need to be in it's original form, and ideally it should be either hashed beyond mathematical recognition or part of the encryption key for the rest of the data or ideally both).
      • The password doesn't have to be stored, in hashed form or otherwise.

        Instead of hashing the PASSWORD, you can hash the DATA. If you decrypt with the wrong key, the hash of the corrupted data will certainly not match the corrupted hash of the original data. Maybe that isn't clear. Let me try again.

        Suppose you have data D and the hash of that data, H(D). Now, encrypt them with key A:

        Ciphertext = Encrypt_A(D . H(D))

        Then ,decrypt with incorrect key B:

        Plaintext_Incorrect = Decrypt_B(Ciphertext) = C . Ga

    • To give them a little (very little) slack... Some form of the password has to be stored away, so you can validate the user-input password. But this shouldn't be rocket science, since SSH, PGP, GPG, and even PasswordSafe have done exactly this type of thing for aeons. All Lexar has done is put it on a little piece of solid-state removable storage.

      Either they're horribly naive about this stuff, and could/should have done a better job;
      Or the constraints of the device wouldn't let (How can this be on a multi-M

      • Passwords can simply be stored by using a simple encryption method and encrypting the password, using the password itself as the key. That way, the only way to read the password to verify it is if you have the password. Works pretty well in the passwd/shadow file...

        There isn't much excuse for this other than "we never thought anyone would try that", but then if that's the thinking, why do we even need security products or encryption?
    • by Lost Race ( 681080 ) on Tuesday September 14, 2004 @04:10PM (#10249483)
      There's only one thing you need to make encryption work, and that's the key (or key pair for asymmetric encryption). Where you store the key is the trick. Ideally you want to keep the key separate from the data at all times -- in a separate medium, in the user's brain, whatever. Unfortunately that would mean either carrying around a separate physical key storage device to unlock your storage device (and of course being able to lose them together since you would naturally keep them both on the same keychain) or memorizing a 50-digit number and typing it correctly every time you want to access the device.

      So what we usually do in these situations is store the main key in the device itself, encrypted with a smaller key which can be generated from a user-selected password. Why not just use the password-generated key as your main key? Because easily-remembered passwords don't have enough entropy to generate a key strong enough to protect megabytes of data, but they are good enough to protect something small like an encryption key.

      Usually such schemes fail when the encryption of the main key is too weak for whatever reason, such that the main key can be recovered without knowing the password. It is indeed bizarre that they would store the password itself on the device in any form, though as we all know the world is full of crappy software "designed" by idiots.

  • by piquadratCH ( 749309 ) on Tuesday September 14, 2004 @03:36PM (#10249157)
    ...that the best encryption algorithm is worth nothing if you fuck up the implementation...
  • Man, that's scary... (Score:3, Interesting)

    by naer_dinsul ( 784040 ) on Tuesday September 14, 2004 @03:38PM (#10249173) Journal
    Geeze... This is probably the first /. story I've read that ACTUALLY applies to me...

    But seriously, I own one of these... In fact, they're pretty popular in my area just because their cheap and sold at Wal-Mart... I don't personally use the password protection because I always felt it was just an extra step and I didn't really need that much security on my Flash Drive anyways...

    (It's not like I was storing all of my server's passwords on it or anything..... Honest...)

    Thank you @stake and people like you for making sure products are as secure as they say they are...
  • by Anonymous Coward on Tuesday September 14, 2004 @03:39PM (#10249181)
    I use ROT-26.

    -
  • by GillBates0 ( 664202 ) on Tuesday September 14, 2004 @03:39PM (#10249184) Homepage Journal
    That's why I store and transmit all my data as plain text.
  • by ARRRLovin ( 807926 ) on Tuesday September 14, 2004 @03:42PM (#10249218)
    There we go.........my little brother won't keep his porn on one of these anymore. haha
  • ROT13? (Score:3, Funny)

    by twigles ( 756194 ) on Tuesday September 14, 2004 @03:44PM (#10249243)
    ROT13 ... oooohhhh! 13!!! Shit, I was using 11! No wonder it wasn't working.
  • by Vexler ( 127353 ) on Tuesday September 14, 2004 @03:45PM (#10249248) Journal
    I tried both calling them and trying their live chat feature from their website, but so far no response. The company is in California, and I am calling them about 3:30 PM EDT. So far, no responses from either the phone call (I am still on hold) or the live webchat.

    Sounds awfully like a head-in-the-sand approach to security to me.
    • Sounds awfully like a head-in-the-sand approach to security to me.

      If you would try that long enough it would probably work. Any data that was in the brain is probably irrecoverable.
  • by bahamutirc ( 648840 ) on Tuesday September 14, 2004 @03:57PM (#10249342) Homepage

    I've seen a number of posts stating the XOR is unbreakable. Hopefully they're just joking and didn't get modded as such, because I've read in several places that XOR sucks. A quick Google revealed the following.

    Hack-FAQ [linuxsecurity.com]

    And I quote: XOR encryption is trivially simply to implement and equally trivial to break. XOR encryption should not be utilized for any data which you would want to protect.

    I could go grab my Applied Cryptography book and make sure, but it's out of arms reach right now.

  • by Vexler ( 127353 ) on Tuesday September 14, 2004 @03:59PM (#10249362) Journal
    After being put on hold for over twenty minutes, I finally spoke with a man named Henry who said that he has never heard that JumpDrive had a security problem (even after I confronted him with the advisory from @Stake), and did not know that @Stake was trying to contact them for over a month. He was quite shocked but promised to check out /. and @Stake to verify the claim.

    The ostrich finally wakes up.
  • by g_adams27 ( 581237 ) on Tuesday September 14, 2004 @04:01PM (#10249389)


    I needed a way to make a "secure zone" similar to what Lexar was advertising - a place where I could drop files and have them automatically protected. After doing a fair amount of research, I decided to use PGPDisk. It allows you to create a PGP-encrypted file on any device (hard drive, CD, USB key, etc) which "expands" into a virtual drive (e.g. "C:\Private\SecretStuff.dsk" becomes a new "Removable drive G:" in Windows once you enter the password). Anything you drop into the virtual drive becomes encrypted. It uses 128-bit symmetric CAST algorithm, which is plenty strong enough for anything I'd need. (I believe the newest versions may also have a Twofish algorithm option). PGPdisk virtual drives can be up to 4Gig on a FAT32 machine, or unlimited size under NTFS.

    You can check out the commercial version at http://www.pgp.com/ [pgp.com], but I would also seriously consider PGPckt 6.58 [zedz.net], a forked and free version that works just fine under WinXP (and previous versions of Windows). That's the version I've been using.

  • Grrrr (Score:4, Informative)

    by c++ ( 25427 ) on Tuesday September 14, 2004 @04:05PM (#10249431)
    This kind of thing just burns me up. Clueless companies hire clueless developers who think they can make software or hardware relatively secure by mearly applying encryption in whatever way they think is convenient. Never mind the plain-text password behind the curtain. Never mind that xor is equivalent to plain text (Lexor). Never mind that supporting multiple decription keys reduces the effective key length (DVD). Never mind that if you somehow store the decryption keys in a way that the software retreive (DVD again) that anyone can extract them. Never mind that storing a strongly-encoded password along with a weakly-encoded one buys you nothing (Microsoft). Never mind that encryption can't prevent copying (DRM). Never mind that this list can go on forever...

    I own a JumpDrive Secure. Don't laugh; I only got it because Wally World didn't have the regular 256MB one. I plugged it in and the first thing it did was install their security software *without asking me*. Yes, Windows XP. Yes, I had turned AutoRun off on my CD. No, I have no idea how to disable AutoRun on a device that has never been plugged in before. Grrrr.

    What did I do? I used Linux to reformat the JumpDrive then uninstalled the software it added without my permission. Now I have a perfectly usable device. (This was 4 months ago)
  • by StressGuy ( 472374 ) on Tuesday September 14, 2004 @04:07PM (#10249454)
    dad once bought.

    It had no keyhole, just a bunch of magnectic "reeds" that would line up when a special magnetic key was put along side of it. My dad had just purchased it that day and was explaining to me how it worked. I asked, "couldn't you just shake it until the reeds lined up?". He tosses the lock to me and says, "here...try it then". I shook the lock for a couple of seconds and, sure enough, it popped right open.

    my dad was pretty grumpy for the rest of the day...

  • ROT-13? (Score:4, Funny)

    by AyeRoxor! ( 471669 ) on Tuesday September 14, 2004 @04:23PM (#10249623) Journal
    How's this for ROT-13?

    Bu abrf! Yrkne = shknerq! [rot13.com]

  • Refunds? (Score:3, Interesting)

    by ShavenGoat ( 63696 ) on Tuesday September 14, 2004 @04:32PM (#10249713) Homepage
    I sent an email to Lexar support demanding a refund for my "Secure" Jumpdrive. While I never used the "security" feature that they offer (I bought this because it was cheep at Sam's Club), this is still deceptive advertising. I don't think you can claim a product as "secure" when it is trivial for someone to bypass security.

    As one poster commented, "Why not just use ROT-13 to hide the password?"

    If Lexar replies, I'll post a follow up. If they don't, then it is off to the BBB to get things fixed.
  • Mac Users (Score:3, Informative)

    by agentkhaki ( 92172 ) on Tuesday September 14, 2004 @04:39PM (#10249782) Homepage
    If you're using a Mac, I'd suggest doing the following:
    • Format your pen drive to MS-DOS
    • Create an encrypted, password protected disk image roughly the size of your pen drive (also in MS-DOS format)
    • Store the disk image on your pen drive
    The reason I recommend using MS-DOS format for both the disk and disk image is two-fold. First off, you can use the extra space not taken up by the disk image to grab files from a PC (since both the Mac and PC can read the MS-DOS file system), and because if you use HFS+, the Mac will store all sorts of file extras on the disk, giving you much less usable space (same reason you can't get the full 654 or 700 MB when you burn an HFS+ CD).

    I would also recommend storing a fake .Trash file on the disk -- that way, when you delete stuff, it dies immediately (after warning you), rather than going to the trash. Google for more info.
  • by digitalgimpus ( 468277 ) on Tuesday September 14, 2004 @04:59PM (#10249986) Homepage
    I bought it for the following reasons:
    - Good cost per MB
    - Fast
    - Great rebate offer at the time
    - DURABLE! This thing looks a little bulky, but it's rock solid. Thick plastic, really solid. Unlike any other I've seen so far.

    I never used the security stuff. IMHO not worth it. But having such a durable, fast, cheap device was more than worth it to me.

    I don't regret my purchase. It's a solid product. I'd still recommend it.

There are two kinds of egotists: 1) Those who admit it 2) The rest of us

Working...