The Long Path out of the Vulnerability Disclosure Dark Ages

In 2003, security researchers Katie Moussouris and a colleague at enterprise security firm @stake—which would later be acquired by Symantec—found a bad flaw in an encrypted flash drive from Lexar. It was trivial to uncover the password that decrypted the drive's data. But when they tried to let Lexar know? "Things went wrong," says Chris Wysopal, who was also working at @stake at the time.


The @stake team had the same two options that anyone does when they discover a vulnerability: either publish the findings openly or go to the developer directly, giving them time to fix the flaw before going public. In theory it seems like the latter would be a win-win, since it reduces the risk that hackers could exploit the bug maliciously. But the reality, in this case and so many others, can quickly get much more complicated and contentious.


Moussouris and her coworkers attempted to contact Lexar through any channel they could find, to no avail. The encryption itself was sound, but an attacker could easily leverage an implementation issue to leak the plaintext password. After two months without success, @stake decided to go public so people would know that data on their purportedly secure drives could in reality become exposed.

"The point was to warn people that the protection was absolutely broken," Moussouris says. "We recommended treating it like something that has no encryption on it, because that’s what was going on from our perspective."


That, at least, got Lexar's attention. The company contacted @stake, saying the disclosure hadn't been responsible. Wysopal says that when he asked Lexar employees why they hadn't responded to @stake's emails and calls, they said they had thought the communications were s ..