Posts Tagged: Malcolm Hutchinson

Aug 15

How Not to Start an Encryption Company

Probably the quickest way for a security company to prompt an overwhelmingly hostile response from the security research community is to claim that its products and services are “unbreakable” by hackers. The second-fastest way to achieve that outcome is to have that statement come from an encryption company CEO who served several years in federal prison for his role in running a $210 million Ponzi scheme. Here’s the story of a company that managed to accomplish both at the same time and is now trying to learn from (and survive) the experience.

unbreakabletothecoreThanks to some aggressive marketing, Irvine, Calif. based security firm Secure Channels Inc. (SCI) and its CEO Richard Blech have been in the news quite a bit lately — mainly Blech being quoted in major publications such as NBC NewsPolitico and USA Today  — talking about how his firm’s “unbreakable” encryption technology might have prevented some of the larger consumer data breaches that have come to light in recent months.

Blech’s company, founded in 2014 and with his money, has been challenging the security community to test its unbreakable claim in a cleverly unwinnable series of contests: At the Black Hat Security conference in Las Vegas last year, the company offered a new BMW to anyone who could unlock a digital file that was encrypted with its “patented” technology.

At the RSA Security Conference this year in San Francisco, SCI offered a $50,000 bounty to anyone who could prove the feat. When no one showed up to claim the prizes, SCI issued press releases crowing about a victory for its products.

Turns out, Blech knows a thing or two about complex, unwinnable games: He pleaded guilty in 2003 of civil and criminal fraud charges and sentenced to six years in U.S. federal prison for running an international Ponzi scheme.

Once upon a time, Blech was the CEO of Credit Bancorp. Ltd., an investment firm that induced its customers to deposit securities, cash, and other assets in trust by promising the impossible: a “custodial dividend” based on the profits of “risk-less” arbitrage. Little did the company’s investors know at the time, but CBL was running a classic Ponzi scheme: Taking cash and other assets from new investors to make payments to earlier ones, creating the impression of sizable returns, prosecutors said. Blech was sentenced to 72 months in prison and was released in 2007.



In April 2015, Lance James, a security researcher who has responded to challenges like the BMW and $50,000 prizes touted by SCI, began receiving taunting Tweets from Blech and Ross Harris, a particularly aggressive member of SCI’s sales team. That twitter thread (PDF) had started with WhiteHat Security CTO Jeremiah Grossman posting a picture of a $10,000 check that James was awarded from Telesign, a company that had put up the money after claiming that its StrongWebmail product was unhackable. Turns out, it wasn’t so strong; James and two other researchers found a flaw in the service and hacked the CEO’s email account. StrongWebmail never recovered from that marketing stunt.

James replied to Grossman that, coincidentally, he’d just received an email from SCI offering a BMW to anyone who could break the company’s crypto.

“When the crypto defeats you, we’ll give you a t-shirt, ‘Can’t touch this,’ you’ll wear it for a Tweet,” Blech teased James via Twitter on April 7, 2015. “Challenge accepted,” said James, owner of the security consultancy Unit 221b.  “Proprietary patented crypto is embarrassing in 2015. You should know better.”

As it happens, encrypting a file with your closed, proprietary encryption technology and then daring the experts to break it is not exactly the way you prove its strength or gain the confidence of the security community in general. Experts in encryption tend to subscribe to an idea known as Kerckhoff’s principle when deciding the relative strength and merits of any single cryptosystem: Put simply, a core tenet of Kerckhoff’s principle holds that “one ought to design systems under the assumption that the enemy will gain full familiarity with them.”

Translation: If you want people to take you seriously, put your encryption technology on full view of the security community (minus your private encryption keys), and let them see if they can break the system.

James said he let it go when SCI refused to talk seriously about sharing its cryptography solution, only to hear again this past weekend from SCI’s director of marketing Deirdre “Dee” Murphy on Twitter that his dismissal of their challenge proved he was “obsolete.” Murphy later deleted the tweets, but some of them are saved here.

Nate Cardozo, a staff attorney at the nonprofit digital rights group Electronic Frontier Foundation (EFF), said companies that make claims of unbreakable technologies very often are effectively selling snake oil unless they put their products up for peer review.

“They don’t disclose their settings or what modes their ciphers are running in,” Cardozo said. “They have a patent which is laughably vague about what it’s actually doing, and yet their chief marketing officer insults security researchers on Twitter saying, ‘If our stuff is so insecure, just break it.'”

Cardozo was quick to add that although there is no indication whatsoever that Secure Channels Inc. is engaging in any kind of fraud, they are engaged in “wildly irresponsible marketing.”

“And that’s not good for anyone,” he said. “In the cryptography community, the way you prove your system is secure is you put it up to peer review, you get third party audits, you publish specifications, etc. Apple’s not open-source and they do all of that. You can download the security white paper and see everything that iMessage is doing. The same is true for WhatsApp and PGP. When we see companies like Secure Channel treating crypto like a black box, that raises red flags. Any company making such claims deserves scrutiny, but because we can’t scrutinize the actual cryptography they’re using, we have to scrutinize the company itself.”


I couldn’t believe that any security company — let alone a firm that was trying to break into the encryption industry (a business that requires precision perhaps beyond any other, no less) — could make so many basic errors and miscalculations, so I started digging deeper into SCI and its origins. At the same time I requested and was granted an interview with Blech and his team. Continue reading →