Trust, but Verify

The internet has done some remarkable things for commerce; among other things, it has opened up a whole new world, literally, of merchants to your average consumer. Competition is the heart of capitalism, or so they tell me, and who am I to argue? Buying online can come with risks – aside from the obvious concerns about buying counterfeit merchandise or otherwise dealing with scammers and fraudsters, there are other pitfalls for the unwary. A lot of online merchants aren’t “authorized retailers” of the products they carry; this usually isn’t a huge problem, except that it can mean – among other things – that the manufacturer won’t honor their warranty. Usually, what this means is that the merchant didn’t get their stock directly from the manufacturer, but through a middleman. Usually, these middlemen are drop-shippers, or wholesalers, and there’s nothing to be too concerned about.

Sometimes, though, you run into a much more sinister problem. This recently happened to me.

I recently found a good price online for Kanguru’s Micro Drive AES, a FIPS-certified encrypted flash drive, and bought one. It arrived last week, and I immediately began to suspect that “something was up”.

You see, it was sealed in the original package – re-sealed in the box, in fact. Quite well done, but still noticeable. Not a huge deal, in and of itself – it probably just means the product is “refurbished”, right? Considering that this is a security device, however, I opted to approach things cautiously.

The first thing I noticed was that the drive contained what I assumed to be the encryption software, already loaded on it. But it wasn’t in a folder named “Kanguru”, or “MicroDrive”, or anything like that – it was in a folder labeled with the name of a major defense contractor. Slightly suspicious, I scanned the folder with antivirus software, and found nothing of concern.

I then double-clicked the setup program, and instantly, we had problems – two subsequent runtime errors, followed by an alert from my antivirus software about a fairly generic Trojan. I canceled out of the installation, copied everything on the drive to a folder on my hard drive, and compared the software on the flash drive with the software on the installation CD. Guess what? Not the same at all – and to make a long story short, the software on the CD worked just fine, without any virus or trojan warnings – or error messages, for that matter.

I did contact the seller, who was very apologetic, and confirmed – as I’d suspected – that they’d acquired a fairly good number of the drives at auction, from an out-of-business tech supplier near one of the offices of the defense contractor whose name appeared on the flash drive.

It just goes to show – you can never be too careful.

For what it’s worth, the Micro Drive AES is a fairly large, fairly flimsy-looking drive, but the encryption software is pretty easy to use, and it allows you to do something no other encrypted flash drive I’ve seen does – encrypt other media, while requiring the Micro Drive for decryption. This only works on devices (i.e., an entire memory card) and not files or folders, but it’s potentially quite useful – as decrypting that memory card, or whatever, requires two-factor authentication; what you have – the Micro Drive – and what you know – the password to the drive. Spiffy, huh?

Published in: Geekiness, General, Security | on March 13th, 2008| Comments Off on Trust, but Verify

Both comments and pings are currently closed.

Comments are closed.