18 Aug 15

How Not to Start an Encryption Company

Probably the quickest way for a security company to prompt an overwhelmingly hostile response from the security research community is to claim that its products and services are “unbreakable” by hackers. The second-fastest way to achieve that outcome is to have that statement come from an encryption company CEO who served several years in federal prison for his role in running a $210 million Ponzi scheme. Here’s the story of a company that managed to accomplish both at the same time and is now trying to learn from (and survive) the experience.

Thanks to some aggressive marketing, Irvine, Calif.-based security firm Secure Channels Inc. (SCI) and its CEO Richard Blech have been in the news quite a bit lately — mainly Blech being quoted in major publications such as NBC News, Politico and USA Today — talking about how his firm’s “unbreakable” encryption technology might have prevented some of the larger consumer data breaches that have come to light in recent months.

Blech’s company, founded in 2014 with his own money, has been challenging the security community to test its unbreakable claim in a cleverly unwinnable series of contests: At the Black Hat Security conference in Las Vegas last year, the company offered a new BMW to anyone who could unlock a digital file that was encrypted with its “patented” technology.

At the RSA Security Conference this year in San Francisco, SCI offered a $50,000 bounty to anyone who could prove the feat. When no one showed up to claim the prizes, SCI issued press releases crowing about a victory for its products.

Turns out, Blech knows a thing or two about complex, unwinnable games: He pleaded guilty in 2003 to civil and criminal fraud charges and was sentenced to six years in U.S. federal prison for running an international Ponzi scheme.

Once upon a time, Blech was the CEO of Credit Bancorp Ltd. (CBL), an investment firm that induced its customers to deposit securities, cash, and other assets in trust by promising the impossible: a “custodial dividend” based on the profits of “risk-less” arbitrage. Little did the company’s investors know at the time, but CBL was running a classic Ponzi scheme: Taking cash and other assets from new investors to make payments to earlier ones, creating the impression of sizable returns, prosecutors said. Blech was sentenced to 72 months in prison and was released in 2007.

THE UNBREAKABLE COMPETITION


In April 2015, Lance James, a security researcher who has responded to challenges like the BMW and $50,000 prizes touted by SCI, began receiving taunting Tweets from Blech and Ross Harris, a particularly aggressive member of SCI’s sales team. That Twitter thread (PDF) had started with WhiteHat Security CTO Jeremiah Grossman posting a picture of a $10,000 check that James was awarded from Telesign, a company that had put up the money after claiming that its StrongWebmail product was unhackable. Turns out, it wasn’t so strong; James and two other researchers found a flaw in the service and hacked the CEO’s email account. StrongWebmail never recovered from that marketing stunt.

James replied to Grossman that, coincidentally, he’d just received an email from SCI offering a BMW to anyone who could break the company’s crypto.

“When the crypto defeats you, we’ll give you a t-shirt, ‘Can’t touch this,’ you’ll wear it for a Tweet,” Blech teased James via Twitter on April 7, 2015. “Challenge accepted,” said James, owner of the security consultancy Unit 221b. “Proprietary patented crypto is embarrassing in 2015. You should know better.”

As it happens, encrypting a file with your closed, proprietary encryption technology and then daring the experts to break it is not exactly the way you prove its strength or gain the confidence of the security community in general. Experts in encryption tend to subscribe to an idea known as Kerckhoffs’s principle when deciding the relative strength and merits of any single cryptosystem: Put simply, a core tenet of Kerckhoffs’s principle holds that “one ought to design systems under the assumption that the enemy will gain full familiarity with them.”

Translation: If you want people to take you seriously, put your encryption technology on full view of the security community (minus your private encryption keys), and let them see if they can break the system.

James said he let it go when SCI refused to talk seriously about sharing its cryptography solution, only to hear again this past weekend from SCI’s director of marketing Deirdre “Dee” Murphy on Twitter that his dismissal of their challenge proved he was “obsolete.” Murphy later deleted the tweets, but some of them are saved here.

Nate Cardozo, a staff attorney at the nonprofit digital rights group Electronic Frontier Foundation (EFF), said companies that make claims of unbreakable technologies very often are effectively selling snake oil unless they put their products up for peer review.

“They don’t disclose their settings or what modes their ciphers are running in,” Cardozo said. “They have a patent which is laughably vague about what it’s actually doing, and yet their chief marketing officer insults security researchers on Twitter saying, ‘If our stuff is so insecure, just break it.'”

Cardozo was quick to add that although there is no indication whatsoever that Secure Channels Inc. is engaging in any kind of fraud, they are engaged in “wildly irresponsible marketing.”

“And that’s not good for anyone,” he said. “In the cryptography community, the way you prove your system is secure is you put it up to peer review, you get third party audits, you publish specifications, etc. Apple’s not open-source and they do all of that. You can download the security white paper and see everything that iMessage is doing. The same is true for WhatsApp and PGP. When we see companies like Secure Channel treating crypto like a black box, that raises red flags. Any company making such claims deserves scrutiny, but because we can’t scrutinize the actual cryptography they’re using, we have to scrutinize the company itself.”

THE INTERVIEW

I couldn’t believe that any security company — let alone a firm that was trying to break into the encryption industry (a business that requires precision perhaps beyond any other, no less) — could make so many basic errors and miscalculations, so I started digging deeper into SCI and its origins. At the same time I requested and was granted an interview with Blech and his team.

I learned that SCI is actually licensing its much-vaunted, patented encryption technology from a Swiss firm by the same name – Secure Channels SA. Malcolm Hutchinson, president and CEO at Secure Channels SA, said he and his colleagues have been “totally dismayed at the level of marketing hype being used by SCI.”

“In hindsight, the mistake we made was licensing SCI to use the Secure Channel name, as this has led to a blurring of the distinction between the owner of the IP and the licensee of that IP which has been exploited,” he told KrebsOnSecurity in an email exchange.

SCI’s CEO Blech has been quoted in the news media saying the company has multiple U.S. government clients. When asked at the outset of a phone interview to name some of those government clients, Blech said he was unable to because they were all “three-letter agencies.” He mentioned instead a deal with MicroTech, a technology integrator that does work with a number of government agencies. When asked whether SCI was actually doing any work for any government clients via its relationship with MicroTech, Blech conceded that it was not.

“We’re on their GSA schedule and in a flow with these agencies,” Blech said.

The same turned out to be the case with another “client” Blech mentioned: American electronics firm Ingram Micro. Was anyone actually using SCI’s technology because of the Ingram relationship? Well, no, not yet.

Did the company actually have any paying clients, I asked? Blech said yes, SCI has three credit union clients in California, two of whom couldn’t be disclosed because of confidentiality agreements. In what sense was the third credit union (La Loma Federal Credit Union) using SCI’s unbreakable encryption? As Blech explained it, SCI sent one of its employees to help the credit union with a compliance audit, but La Loma FCU hasn’t actually deployed any of SCI’s products.

“They’re not ready for it, so we haven’t deployed it,” he said.

I asked Blech about the gap in his resume roughly between 2003 and 2007. When he balked, I asked whether he’d advised all of his employees of his criminal record when they were hired. Yes, of course, he said (this, according to two former SCI employees, was not actually the case).

In any event, Blech seemed to know this subject was going to come up, and initially took ownership over the issue, although he said he never ran any Ponzi schemes.

“This is in my past and something I’ve addressed and paid my debt for in every way,” Blech said. “I took the approach that was going to get me home to my family the soonest. That meant cooperating with the government and not fighting them in a long, drawn-out battle. I took responsibility, financially and in every way I had to with this case.”

Then he added that it really wasn’t his fault. “There were people in my company that were in America while I was living in Europe that went out and did things inappropriately that got the attention of the authorities,” he said, pointing out that virtually all of the money was returned to investors.

“I put more than $2 million of my own money into this company,” Blech said of SCI. “I could have hidden, and spent that to reinvent myself and sit on a beach in the Bahamas. But I didn’t do that.”

PATENTLY OBVIOUS?

Why in the world wouldn’t anyone want to deploy an unhackable security product? Perhaps because the product doesn’t offer much beyond existing encryption technologies to justify the expenditure?

The subject of all this hoopla — US Patent No. 8,744,078 B2, Issued June 3, 2014 — carries the title: “SYSTEM AND METHOD FOR SECURING MULTIPLE DATA SEGMENTS HAVING DIFFERENT LENGTHS USING PATTERN KEYS HAVING MULTIPLE DIFFERENT STRENGTHS.”

Put simply, SCI’s secret sauce is a process for taking existing encryption techniques (they only use vetted, established code libraries) and randomizing which one gets used to encrypt the file that needs to be protected, and then encrypting the output with AES-256. Seems patently obvious, yet otherwise harmless. But how does this improve upon AES-256 — widely considered one of the most secure ciphers available today?

It’s not clear that it does. In case after case, we’ve seen security technologies that were previously secure compromised by the addition of functionality, features or implementations that are fundamentally flawed. In the case of the Heartbleed bug — a massive vulnerability in OpenSSL that enabled anyone to snoop on encrypted Web traffic — the bug was reportedly introduced accidentally by an OpenSSL volunteer programmer who intended to add new functionality to the widely used library.

Robert Hansen, vice president of WhiteHat Labs at WhiteHat Security, pointed to another example: Acutrust, a once ambitious security firm that came up with a brilliant idea to combat phishing attacks, only to create a new problem in the process.

“Acutrust turned a normal [password] hash into a pretty picture as a convoluted way to prevent phishing and it made it super easy to brute-force every username and password offline, and didn’t help with phishing at all,” Hansen wrote in a Facebook message. “This article single handedly effectively put them out of business, FYI.”

All told, I spent more than an hour on the phone with Blech and his team. At the beginning of the call, it was clear that neither he nor any of his people were familiar with Kerckhoffs’s principle, or even appreciated the idea that having their product publicly vetted might be a good thing. But by the end of the call, things seemed to be turning around.

At first, Blech said anyone who wanted to try to break the company’s technology needed only to look to its patent on file with the U.S. Patent & Trademark Office, which he said basically explained the whole thing. I took another look at SCI’s press release about its precious patent: “One of the most interesting things about technology is the personalities behind it,” the company’s own in-house media firm crowed. No question about that.

Early in the interview, Blech said he wouldn’t want to let just anyone and everyone have access to their product; the company would want to vet the potential testers. Later in the call, the tone had changed.

“Without the decryption key, even if you have the source code, not going to be able to get through it,” Blech said. “We don’t know the randomization sequence,” chosen by their technology when it is asked to encrypt a file, he said.

Now we were getting somewhere, or at least a whole lot closer to crotchety ol’ Kerckhoffs’s principle. The company finally seemed to be opening up to the idea of an independent review. This was progress. But would SCI cease its “unhackable” marketing shenanigans until such time? SCI’s Marketing Director Deirdre Murphy was non-committal, suggesting that perhaps the company would find a less controversial way to describe their product, such as “impenetrable.” I just had to sigh and end the interview.
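To make the Kerckhoffs point concrete, here is an added example (mine, not code from this article or from SCI) that models the construction described in the patent summary above: pick one of several established ciphers at random, then wrap the result in a second layer, with the chosen index kept secret, as the “we don’t know the randomization sequence” argument requires. The “vetted ciphers” and the outer layer are stand-ins built from HMAC-SHA256 in counter mode, and the keys and sample plaintext are constructed; the model shows that an adversary who knows the design and holds the keys recovers the hidden choice in at most N tries, so the secret selector contributes at most log2(N) bits.

```python
from __future__ import annotations

import hashlib
import hmac
import math
import secrets


def _keystream(label: bytes, key: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256. This is a stand-in for a real
    # cipher library, used only so the example runs offline with the stdlib.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor_cipher(label: bytes):
    # Each label yields a distinct keyed transform; XOR with a keystream is
    # its own inverse, so the same function encrypts and decrypts.
    def apply(key: bytes, data: bytes) -> bytes:
        return bytes(a ^ b for a, b in zip(data, _keystream(label, key, len(data))))
    return apply


# Three interchangeable inner primitives (stand-ins for "vetted, established
# code libraries") and one outer layer standing in for the AES-256 step.
INNER_CIPHERS = [_xor_cipher(b"cipher-A"), _xor_cipher(b"cipher-B"), _xor_cipher(b"cipher-C")]
outer_layer = _xor_cipher(b"outer-layer-standin")

# Constructed sample keys and plaintext (a file with a recognisable header).
SAMPLE_INNER_KEY = hashlib.sha256(b"constructed inner key").digest()
SAMPLE_OUTER_KEY = hashlib.sha256(b"constructed outer key").digest()
SAMPLE_PLAINTEXT = b"PDF-1.4 constructed sample document body"


def encrypt(plaintext: bytes, inner_key: bytes, outer_key: bytes) -> tuple[bytes, int]:
    """Choose an inner cipher at random, then wrap the result with the outer layer.

    Returns the ciphertext and the selector. The selector is NOT transmitted;
    this models the claim that the "randomization sequence" itself is a secret.
    """
    selector = secrets.randbelow(len(INNER_CIPHERS))
    inner = INNER_CIPHERS[selector](inner_key, plaintext)
    return outer_layer(outer_key, inner), selector


def recover_selector(ciphertext: bytes, inner_key: bytes, outer_key: bytes,
                     known_prefix: bytes) -> tuple[int, bytes, int]:
    """Kerckhoffs's adversary: knows the design and the keys, not the selector.

    Tries every candidate cipher and stops at the first plaintext that carries
    the expected file header. Returns (selector, plaintext, attempts_used).
    """
    inner = outer_layer(outer_key, ciphertext)  # peel the outer layer first
    for attempts, cipher in enumerate(INNER_CIPHERS, start=1):
        candidate = cipher(inner_key, inner)
        if candidate.startswith(known_prefix):
            return attempts - 1, candidate, attempts
    raise ValueError("no candidate cipher produced the expected header")


def selector_bits(n_ciphers: int) -> float:
    """Upper bound on the security added by hiding which of N ciphers was used."""
    return math.log2(n_ciphers)


def demo() -> dict:
    """Run one encrypt/recover round and summarise what the hidden choice buys."""
    ct, chosen = encrypt(SAMPLE_PLAINTEXT, SAMPLE_INNER_KEY, SAMPLE_OUTER_KEY)
    found, pt, attempts = recover_selector(ct, SAMPLE_INNER_KEY, SAMPLE_OUTER_KEY, b"PDF-")
    return {
        "recovered": pt == SAMPLE_PLAINTEXT,
        "selector_matches": found == chosen,
        "attempts": attempts,
        "max_added_bits": selector_bits(len(INNER_CIPHERS)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The bound is the whole point: against an adversary who knows the system, a hidden choice among three ciphers is worth less than two bits, so the construction's strength still rests entirely on the keys.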

Just minutes after that call, I received an email from SCI’s outside public relations company stating that SCI would, in fact, be publishing a request for proposal for independent testing of its technology:

“As an early stage company we were focused on coming to market and channel partnering. We now realize that specific infosec industry norms around independent need to be met – and quickly. We’ve been using the peer review and testing of existing partners, advanced prospects and early engagements up until now. We hear the infosec community’s feedback on testing, and look forward to engaging in independently conducted tests. We are today publishing requests for proposals for such testing.”

“We realize that sometimes a technology innovator’s earliest critics can be their best sources of feedback. We hope to solicit constructive involvement from the infosec community and some of its vast array of experts.”

Kerckhoffs would be so proud.


75 comments

  1. Humanity’s Critical Path: From Weaponry to Livingry. R. Buckminster Fuller. War is obsolete. It is imperative that we get the word to all humanity — “RUSH” —

    The Grifters: ‘How to make her run? No problem there. For a fearful shadow lies constantly over the residents of Uneasy Street.

    Encryption is just the fence posts, not the fence. Now they’re trying to fence more stolen goods. The casinos lost a fortune with smarter players and Atlantic City went bust with smarter idiots. Play the horses!

  2. The sheer audacity is strong with this one.

  3. Interesting read… if not for a good laugh

    I can’t help but envision this BMW getting forced off the road and into the ditch after being hacked while a devilish laugh plays through the speakers.

    @Ian McKenzie
    Delusions of grandeur are nothing new in this arena. Although these things do often produce impressive levels of arrogance. It’s reminiscent of history’s lessons not learned from the Titanic (the unsinkable ship).

  4. Interesting that they chose diamond as a metaphor.

    True, diamond is the hardest substance known.

    However, diamond is NOT very tough: you can smash one to dust with a tack hammer.

    And, diamond is NOT very heat resistant: you can burn one like a charcoal briquette using a propane torch.

    Therefore: “hard” != “indestructible”.

  5. All I can say is, that Brian made them think in another direction, potentially making them a little bit smarter. The Bullying Ad programs and Ego”testical” marketing plan is annoying and shows a potential control issue when something goes sour.

    So they use AES, and probably do some weird thing like whats done to DES or triple DES. The problem is, if the method to their madness is figured out, it very well might compromise everyone – not just a single key.

    I hate to tell them this, but the reason some of the “three letter word agencies” use this is to see what makes this stuff tick, and how to crack it, and watch the people who use it. It’s not going to be their primary encryption tool.

    Clearly these 3 letter word agencies have a lot more secure code than anyone realizes, unless it is places like ABC, BMW, CNN, DHL, EMI, FUN, GAP, and the list goes on.

    Have they even set up a demonstration of how this… stuff works? In any event, I don’t like it. It stinks to the core of the code.

    • Ego testical – ha ha ha thanks for that one. Just describes the company marketing perfectly, and brings to mind so many others who used the same practices bringing useless products to market.

      Great article and the kind of reporting that sets Krebs so far apart from the rest. Thanks Brian!

  6. Well done, Brian! Freedom of the press, and a journalist’s skill and tenacity, seems to be mitigating another threat.

  7. Even if this survived peer review it would be an example of a better lock. If the prize is still inside some crook will get it.

    There has to be a better way.

    Jonathan @nc3mobi

  8. Along the same lines is a recent paper by Smartmatic (voting system vendor) published on Springer’s website, claiming that their voting system is “unbreakable” (their word), and that they can calculate the risk of a breakin with “mathematical precision” (again, their term) of 1×10^19. There’s a lot of snake oil out there. (And why Springer, a respected company, is publishing such drivel is beyond me.)

    I’ve written about this on my blog – rather than put a link which becomes spambait, I’ll suggest that if you search the name of the vendor and my name, you’ll find it.

    • Hah, I was reminded of your article as well.

      Does this snake oil marketing really work with anyone? I suppose I could see it working with some county-level politicians buying voting machines. But with people sourcing encryption products??

      • Andrew Rossetti

        Agreed. Any company with even a basic vendor management program would shy away from this type of firm. Only the smallest of companies/local govt agencies would likely fall for this.

      • If my experience with “senior leadership” is any indication, yes, some people DO buy into this kind of snake oil marketing.

  9. That patent was issued extremely fast – this says something about the technology. All crypto applications get screened by a bunch of experts, unlike other fields. The examiner is at the bottom. An application that is significant will take several times as long to issue than this. They basically rubber-stamped it because they didn’t care.

  10. Stop calling it snake oil. It’s not a goofy cipher – they use a bunch of different established ciphers in different places. It may not offer a compelling use case but it is not snake oil. Does anyone even know what snake oil is anymore? Or do you just sling the term around when something new appears? And I don’t care about the guy’s background – that reflects on the company itself. Even if they’re a bunch of crooks or idiots, it doesn’t have any bearing on the technology. Are you going to throw out ground-breaking mathematical algorithms because the mathematician broke the law sometime? It’s irrelevant – why don’t you stick to the facts regarding technology itself.

    As far as the technology itself is concerned, FYI there are numerous patents that mix up ciphers and change up key lengths to obfuscate information flow. It can create other vulnerabilities. Most consider it unnecessary, since, if the ciphers are weak mixing them up won’t help.

    Funny, you ask yourself – what’s this got on AES256? But not before criticizing anyone for stating their crypto was unbreakable. Does that mean that you believe AES256 is NOT unbreakable? It follows, logically, that is what you’re suggesting. Notwithstanding the latest NIST recommendations, there are no known breaks in AES256. No one can prove that AES256 is stronger than AES128 – most think it must be, but they don’t know. The key length is twice and it uses 14 rounds instead of 10, but that’s not the problem. The problem has always been key management. It doesn’t matter what cipher you choose or how good it is. If you depend on a passphrase all bets are off. You didn’t go into this but should. All encryption has the same problem. On top of the fact it’s a pain in the ass. I don’t care about this guy or his company, there are a lot of big name companies out there selling me-too crap, why do they get a free pass?

    You didn’t actually break this, did you? Someone else did the hard work.

    • quoting wikipedia: Snake oil is an expression that originally referred to fraudulent health products or unproven medicine but has come to refer to any product with questionable or unverifiable quality or benefit.

      This is unproven and unnecessary. It’s not the strongest cipher we rely on when you’re doing what they are doing, it’s the weakest.

      Also… still unproven… also… unnecessary.

    • “Does anyone even know what snake oil is anymore?” Sure, we do: DriveCrypt, Truecrypt, Silent Circle, Blackphone, Privazer. Is that enough? Oh, I forgot: Ironkey USB stick. Basically: anything called “unbreakable” and “military strength”.

  11. OT/Just in case the contact form didn’t work…

    This should be interesting to your visitors:

    [videos] camp2015 – Chaos Communication Camp 2015

    https://media.ccc.de/browse/conferences/camp2015/index.html

  12. Wow! Just wow… the ego emitting heat from these guys is just insane! I’m not going to pick on them for claiming they have an “unbreakable system” as we all know that’s simply not true. What drives me nuts however is how hard SCI tries to push down everyone’s throat on how awesome and unmatched they are. If they were so great as they claim, the CEO wouldn’t have opened the crafted e-mail and allowed his account to be hacked. Enough said…

    • Adam, you are confusing SCI with the company Telesign. According to Krebs’ article, “Telesign, a company that had put up the money after claiming that its StrongWebmail product was unhackable. Turns out, it wasn’t so strong; James and two other researchers found a flaw in the service and hacked the CEO’s email account. StrongWebmail never recovered from that marketing stunt.”

  13. Diamonds break. That’s how diamonds are cut in the first place.

    How did Krebs control himself breaking into laughter while speaking to this guy?

    • Interesting link. Too bad whoever wrote their promise confused a `t` for an `f` in their conditions:

      «Lifetime Protection Against Loss

      If your original diamond (0.18 carat to 2.10 carat) chips, cracks or separates from its original Spence ring mounting, and your ring is in good condition in the opinion of Spence and you have brought in your ring for inspection every calendar year to quality [s.b. qualify] for this benefit, Spence will replace your lost diamond free of charge once during the life of your Spence ring.»

      Quoted from:
      https://www.spencediamonds.com/footer/customerservice/spencediamonds_guarantee_canada

      (I encourage people to use web.archive.org for content that may be changed between when citations are made and when they read the referenced page…)

      Oddly, I can’t find any case where their “promise” doesn’t have the error…

  14. It’s quite amusing to me that this article about a convicted felon and fraudster trying a new (old) trick, was ended with an advertisement for Mitnick’s “Security Awareness Training.” Wow. This just keeps getting better!

  15. This guys LinkedIn profile says he is currently the owner or manager of 6 business/enterprises. (I wonder if he got the name Eco Corporation from Marvel comics?) These “cover” his period of “inactivity” too. Plus he has 36 skills including solar energy, cloud computing, energy efficient HVAC, and financial analysis. I guess he used his time in prison to study and prepare. 🙂

    In many fields, past activities reflect character in the future. That’s why many computer companies will not hire anyone who hacked, even as a teen. I imagine that many of the professionals who work at Blech’s companies are putting out their resumes today.

  16. I wouldn’t trust an encryption product built by a company run by an ex-convict EVER. And an ex-convict who stole life savings from people ranks up there with the worst. The last place this jerk should be is creating and promoting security solutions. This makes my perspective on the claims of their product’s capabilities a moot point. BS all around.

  17. They encrypt the content twice?

    Weak! Prior art Triplesec used by Keybase encrypts 3 times: https://keybase.io/triplesec

  18. A Telco Security Dweeb

    If he makes a few million selling encryption snake oil, then it gets debunked, his numbered company goes bankrupt while he enjoys the million$ stashed away in some bank in the Bahamas… is he really so stupid?

    Like The Donald, Mr. Blech’s target is NOT “people who know how to do encryption, properly”. His target is “people who don’t know squat, but who want to buy a ‘miracle cure'”. As Barnum famously said, “there’s one born every day”.

  19. Yes like the other readers, I enjoyed this article as well and how many more of these types are out there? Look at the CEO’s background, finance of course and where stuff like this has it roots. People do cheat and lie with code or over sell it for sure. Sure there are glitches and those come with the territory but people need to be responsible for their code.

    I call it “Operation Perception-Deception” and it’s alive and well in the US, sadly. I live in the OC so this does not surprise me at all, lot of gaming technologies located here. I keep telling all we are under the attack of the Killer Algorithms everywhere we turn and like this article shows, the “perception” marketing is huge out there. People get confused as there are legit technologies that are considered breakthroughs but telling the difference for an average consumer reader is challenging, and me too as I read this stuff.

    http://ducknetweb.blogspot.com/2015/06/operation-perception-deception-into.html

    With 60% of the news being written by journobots today too, we get knock-off news that repeats some of the “junk” news that gets out there as well. When you look at the math, and I seem to communicate with quite a few mathematicians of late, people get shown a math formula in an article and it could be totally bogus but because it has a square root in it that people recognized, they assume it has to be good, but that may not be the case at all. There are some smart quants and mathematicians that do speak up and call foul on a lot of these though, which is good. I have my whole series on Killer Algorithms of videos I put together from people smarter than me and whom I learned from. I used to be a developer so I’m very aware of how folks can cheat, lie and over sell with computer code. I spend my time going after such in the health care area, primarily insurance as they too have hired armies of quants to model policies and a lot more to connect actuarial models to quant models to watch up to the minute impact of models on their stock, just like Wall Street.

    It’s a tough battle as the average consumer can’t see this stuff that executes out there, much less understand half of it, so yeah, it’s rigged.

  20. jack's broken heart

    Are you Lance James’s hatchet man now? This is really shameful. I used to have a ton of respect for your work, Brian, but this is really going too far.

    This company doesn’t deserve accolades by any means, but what was the point of this post besides helping out your buddy Lance? This industry is full of attention whoring charlatans way worse than these guys (pew pew).

    For those of you who don’t know the backstory, Lance got into a bit of a scrap with this company and some harsh words were exchanged over the Twitters, including them accusing Lance of being a fraud. So, out of spite, Lance got Brian to write a hit piece on them.

    Stick to the excellent work you do on cyber crime, Brian, and don’t lower yourself to doing this gutter-type TMZ reporting on some petty feud.

    • Hatchet man? Shameful? Hit piece? Gutter reporting? I think not. I get my hackles up when I see companies making wild claims they can’t or won’t back up.

      See this story for the last example

      http://krebsonsecurity.com/2015/05/security-firm-redefines-apt-african-phishing-threat/

      It’s funny how the most caustic comments almost always come from anonymouse readers…

      • Know what I find funny? How journalists continue to sink to the bottom of all professions when the public is asked who they trust. Last I checked, they’re now somewhere between lawyers and pond scum. It’s no secret … when a DC politician wants to destroy someone they call a journalist.
        I know I don’t like providing personal information for fear of dirty tricks. I’m not fooled by the psycho-community of other commenters who imagine they’re all your friends. I’m afraid to even visit many sites now for fear of dirty tricks. And I’m not fooled by the “caped crusader” nonsense either.
        I came here poking around for information about all the phishing tech newsletters. I guess their mailing lists have been stolen. Some are even security newsletters. It’s bad enough tech writing is horrible, but now this. Most don’t have any idea what they’re talking about, they just copy off each other, then they started attacking each other. Now mailing lists have been hacked and I can’t even open these anymore because they’re phishing.
        Are you taunting a commenter? Really? “anonymouse?” What are you like… 12?
        Would you possibly consider returning to original investigative reporting? Because until then…

        • I’m not sure that Brian has ever called himself a journalist but, in my opinion, he is one of the better ones. Yes, there are a lot of pseudo-journalists including some whose major skill is looking nice on TV and reading from a teleprompter.

          Other than that, I’m not sure what your point is. jack’s broken heart was attacking Brian and Brian needed to respond. Are you worried that Jack is going to be offended by the response to his offensive post?

          Anyway, I liked the anonymouse reference. I’m stealing it.

  21. I guess I am confused. A product comes along that no one knows how to defeat and the response is ‘show me how you did that’?

    • Obfuscation does not equal security.

      • Are you sure? Because then I guess neither does being obscure or anonymous. And maybe someone should tell that to the linux community that thinks not using their computer and being boring or less attractive targets is being “secure”.

        Why would people want to censor and limit themselves more than the gov’t would?

        In fact I’m still on the fence about whether, “more eyes on the code” = more security at all and is not just some naive notion. Besides the fact power has a tendency to corrupt are there really any other reasons for more transparency? Especially in a world where the unaffiliated black to white hat ratio is ridiculously uneven.

    • Their product contest was analogous to saying break into our car’s security system but we won’t tell you where the car actually is.

      Not exactly a defeatable product.

      • So you are saying unless you have the source code you can’t crack it? How do blackhats reverse engineer closed source products then?

        I’d love to see more whitehats doing this to help free firmware. I mean these kids planting firmware in HDDs must have reverse engineered a lot of them, no? I guess we will never know exactly without the proof of concepts.

        The only reason I’m for open source software is because power corrupts. Not because I think closed source software is secure, but because I think it has the potential to be more malicious by design to its users. It’s that simple for me.

        • *“not because less secure for a 3rd party’s benefit, but potentially more malicious towards users for the developer’s benefit”

        • give me the product either way… open or closed… but they didn’t even do that. They hid the product and said break it, here’s a text file.

          • I see, so they didn’t even give you the product to encrypt your own text file for testing? Interesting, and I agree that’s extremely suspect.

            Also interesting that every time I try to post on this site now it goes offline for a couple of minutes and my posts aren’t appearing….

          • Michael McMillian

            Really Lance James? Who are you to demand anyone give you anything? After reviewing your Twitter escapades, it seems more like internet bullying and you trying to build up a name for yourself.

            I guess you don’t believe in proprietary IP or that companies should make money on all the work they create? I think you are living in the wrong country.

            I highly doubt that Gemalto, Vormetric or IBM would hand over anything to you through Twitter, without a professional service agreement, an NDA and maybe a better understanding of what companies do before you just blatantly flame them with your tabloid club partners.

            • If you want someone to test your encryption algorithm, then you kind of need to provide them the algorithm. How many weapon-grade levels of stupid do you have to be to not understand that?

  22. So, let’s reason this out together. Bernie Madoff gets 150 years for pissing his banker / Wall Street buddies off by being bold. Bernie, “you understand, you went wild like Pres. Clinton and we can’t have the ordinary public looking towards us and figuring out that we do steal from them”. So a DB is a DB. Remember that, my old playground pals.
    Best Regards

  23. I’m kind of amazed the word “bitcoin” didn’t show up in this article.

    • Just because the early adopters of bitcoin got rich at the expense of those who invested later doesn’t make it a Ponzi scheme. Or does it?

      But note all the alternative digital currencies popping up with others hoping to cash in on the same effect.

  24. From his .biz site:

    “earned his BA in Business Administration from the Lausanne Businxess Institute in 1994,”

    hilarious…

    • Business School Lausanne: They corrected the typo in the meantime. Still, there is no “Business School Lausanne” unless you talk about a three-year commercial apprenticeship… They got the uni and the federal polytech, that is it.

  25. Is this a piece on a technology? Or a guys background?

    I’m pretty sure people still buy Martha Stewart products… and she has done far worse…

    • You HAVE to trust your encryption/security partners if you’re sane. You don’t have to trust Martha Stewart for anything other than that the linen isn’t made of poison – and there’s just a lot less at stake except in the poison scenario.

  26. Yodeling Pickle

    Krebs on Security blog has a diverse reader community – from security researchers to folks interested in the infosec world. The lesson here is for anyone who is being sold a security product to ask the right questions and to do proper research.
    Corporations have teams of folks who vet vendors and do proper research on their products’ capabilities (most times). Smaller companies may not have the resources to help assess products or companies, or the budget to invest in mature products.

  27. Here’s another 3-letter agency that Blech can claim to serve: I-B-S

  28. I see six exclamation points: ‘WE DO!!!!!!’. That’s all the proof I need they’re insane.

  29. “SCI’s Marketing Director Deirdre Murphy was non-committal, suggesting that perhaps the company would find a less controversial way to describe their product, such as “impenetrable.””

    I would have used: “ununderstandable” to qualify their product. Especially for the upper management of this company.

  30. It’s strange how the security community is constantly going on about Kerckhoffs’s principle of disclosing algorithms while the NSA, who is doing the exact opposite, never seems to take any flak for it. Don’t get me wrong, I’m all for governments being able to better protect their citizens by using classified and unreleased algorithms in protecting state secrets, but then why do private companies/individuals take so much flak when they decide to do the same? It’s like everyone read that Kerckhoffs’s principle is the widely accepted one and now no one wants to think for themselves or dare to break the mold…?
    (NSA Suite A Cryptography is NSA cryptography which “contains classified algorithms that will not be released.” – ref: https://en.wikipedia.org/wiki/NSA_cryptography)

    • This is not rocket science and you’re making this way too complicated.

      Let’s say I develop a new encryption algorithm. I have two choices: Reveal the algorithm and let others check it for holes, or keep it secret. If I keep it secret, it may still have holes, and security researchers may find them without knowing the algorithm. The strength of the encryption algorithm should not depend on the secrecy of the algorithm.

      The NSA, by keeping their classified algorithms secret, may be setting themselves up for failure when someone finds a hole without knowing the algorithm. They apparently don’t care.

      • A key difference with the NSA/IA is that even though certain algorithms remain classified, they are one of, if not the, largest single employer of the world’s best cryptography researchers and mathematicians. If anything they are the exception that makes the rule for the rest of us.

        What “encryption” companies such as the one Brian has written about are failing to understand is that secrecy is not the same as security, like you said.

        Without the vast knowledge base and budgets afforded to the greater intelligence community you stand no chance at maintaining anything more than appearances.

        • The other thing secrecy allows is hiding incompetence. I’m sure that this doesn’t apply to the NSA but lesser organizations have run into this.
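As an added illustration of the point made in this thread, and not code from the article or from any company it names: a toy “secret” cipher (repeating-key XOR, with a constructed key and plaintext) is recovered from the ciphertext alone, with neither the algorithm nor the key handed over, which is exactly why a design’s strength cannot rest on keeping the algorithm hidden.

```python
"""Kerckhoffs's principle, demonstrated: a home-made "secret" cipher (repeating-key
XOR) is broken from the ciphertext alone, with neither the algorithm nor the key
handed over.  Constructed toy example; not code from any vendor named in the article."""
from collections import Counter

# Constructed plaintext, repeated so each column has enough samples for statistics.
PLAINTEXT = (b"the strength of an encryption system must not depend on the secrecy "
             b"of its algorithm but only on the secrecy of its key ") * 4
SECRET_KEY = b"\x3a\x91\x07\xc4\x5e"   # the "unbreakable" secret (constructed)

def xor_repeat(data: bytes, key: bytes) -> bytes:
    """The 'proprietary' cipher: XOR every byte with the key, cycled."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def english_score(text: bytes) -> float:
    """Crude plausibility score: spaces and lowercase letters look like English."""
    return sum(1.0 if c == 0x20 else 0.5 if 0x61 <= c <= 0x7a else -1.0 for c in text)

def index_of_coincidence(column: bytes) -> float:
    """Probability that two random positions hold the same byte; high for shifted English."""
    n = len(column)
    return sum(v * (v - 1) for v in Counter(column).values()) / (n * (n - 1))

def guess_key_length(ct: bytes, max_len: int = 16, threshold: float = 0.05) -> int:
    """Smallest period whose columns each look like single-byte-shifted English.
    Columns mixing several key bytes score ~0.02 here; monoalphabetic English scores ~0.08."""
    for k in range(1, max_len + 1):
        if sum(index_of_coincidence(ct[i::k]) for i in range(k)) / k > threshold:
            return k
    raise ValueError("no periodic structure found")

def recover_key(ct: bytes, key_len: int) -> bytes:
    """Each column is plaintext XOR one key byte: brute-force all 256 candidates."""
    return bytes(
        max(range(256), key=lambda k: english_score(bytes(c ^ k for c in ct[i::key_len])))
        for i in range(key_len))

def break_ciphertext_only(ct: bytes) -> bytes:
    """Black-box analysis: the analyst never sees xor_repeat() or SECRET_KEY."""
    return xor_repeat(ct, recover_key(ct, guess_key_length(ct)))

if __name__ == "__main__":
    ct = xor_repeat(PLAINTEXT, SECRET_KEY)
    print("recovered key:", recover_key(ct, guess_key_length(ct)).hex())
    print("plaintext recovered:", break_ciphertext_only(ct) == PLAINTEXT)
```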