Time for my first rant: Lexar readies "secure" CF card; Phil Askey laps it up

I've been a long-time reader of dpreview.com, because it's a great resource for information about digital cameras. But with his latest product preview, Phil Askey shows that he should stick to telling us how cameras perform.

It seems that Lexar has a new technology called "LockTight". LockTight is a system to make a piece of digital media only usable by people with a certain password, or by particular digital cameras. Oh, and LockTight has a terribly striking lozenge logo, too.

(By the way, kudos to Lexar for figuring out a new way to milk digital photographers for a whole new set of media, and for helping to lock them further into systems of proprietary hardware and software.)

Anyway, Askey wows us with some screen shots, and gets to the meat of the issue: Just how secure is it? Here is his test, and his conclusion:

As you may expect attempting to use a protected card in another camera displays either a 'Not Formatted' or 'Card Error' warning. Attempting to format the card in a different camera (a Canon EOS-1Ds Mark II) fails with a 'Cannot Format' error, returning the card back to its assigned D2X showed that no images had been lost or damaged. Attempting to read the card in another card reader or on another computer using the Lexar card reader also failed to work, Windows didn't even register that a card had been inserted.

So it's clear that the Lexar LockTight technology really does work. For the extra peace of mind and security it can provide LockTight does exactly as intended. It's a shame that for now it's limited only to Nikon's D2X and D2Hs digital SLR's (sic), its wider use depends largely on the devices which support it. (emphasis mine)

So you put the card in another computer, double clicked, and it gave you an error or something? Now, I'm no Bruce Schneier but I know that this doesn't prove the security of anything. If you want to be confident that a system is secure you base it on an algorithm that has had scrutiny, you engineer the rest of the system to be secure against some threat model, and once that's received scrutiny you could provisionally call the system secure.

What has Lexar, or Askey, told us about the algorithm? Nothing, besides that it's a 160-bit key. I don't even understand what the threat model is, and nobody's telling how the software works, anyway.

What could the threat model be? That people may steal your camera, and you want to deprive them of the value of the media? The media is a tiny part of the value of the photographer's whole kit. That people may steal your images? They can steal them after they're off your camera and on your titanium ibook or on your web page. (and when they steal the camera and the card together, they'll find a way to read the key from the camera, or snoop the data as the camera reads the image from the card for in-camera playback)

As a hobbyist photographer, I fear most that I'll accidentally damage my camera, and second that I'll somehow lose the day's photos. I can't imagine that a wedding photographer, for instance, feels much differently.

I suspect there is no threat model—at least nothing relevant for photographers who are not in law enforcement, or maybe a spy movie—just a revenue model for Lexar. ("Trick 'em into buying another few gigs of CF cards at a 200% markup, and blowing $100 on their next USB reader instead of $20") It's too bad Phil Askey so eagerly reviews anything from the well-known names, when his loyal readers may buy the technology based on his implication that it solves some problem.

Oh, did I invoke Bruce Schneier? That reminds me, Lexar already screwed up once when they tried to deliver their "JumpDrive Secure" product. It's too bad anybody will believe these clowns the second time they sell a secure flash memory product.

By the way, I'm a proud user of brand-X CF cards (maybe "dane-elec"?) in my digital camera. They work great, I have plenty of capacity for a day's shooting, and the price beats the crap out of Lexar the last time I checked.

original article on dpreview.com

Entry first conceived on 6 June 2005, 23:09 UTC, last modified on 15 January 2012, 3:46 UTC
Website Copyright © 2004-2014 Jeff Epler