Schneier on Security

IIRC, SSH changes (session) keys several times a session...nothing new...nothing to see here...move along.

they've reinvented VPN protocols?!?

So to get into the doghouse you actually have to sell it or....?

It's not so much snake oil but more like over-the-top marketing. They're talking about HAIPE (http://en.wikipedia.org/wiki/HAIPE) which basically is IPsec in a box with shiny management interfaces.

But there's a photograph of a helicopter, so it must be good!

The actual devices seem to be not that bad, judging by what little documentation I found. Nothing groundbreaking, just your basic VPN appliance with some goverment/military certifications so they'll sell better.

More a case of horrible marketing than of horrible products, I think.

"EADS is in talks with the Pentagon about supplying the US military with the system..."

I assume some knowledgeable responsible person at NSA will have a good laugh, then deploy ye olde clue bat and ring the skull of the pentagon types who are thinking about buying into this.

On the other hand, if I were a US official, I'd be very interested in having as many _other_ countries as possible buy this stuff...

"hacker-proof"

There is a probability of exactly 100% that their solution is NOT hacker-proof.

I know that and I'm not even a cryptologist. Heck, I don't even play one on TV.

Enigma designers must be rolling in their graves - so much for partnering with French instead of invading them .. somehow that bought out the best in the Germans :-)

Did anyone else notice how awful the 'journalism' of this article is?

The heading starts with the company developing a hacker proof system.

In the middle of the 'article' they have a blurb about Chinese hackers and at the end a bit about a fighter plane contract with Saudi Arabia.

The decline of decent journalism is really scary. No wonder this snake oil is easy to peddle!

On the other hand, I've really,really enjoyed your writing Bruce. Thanks for all your hard work.

"Enigma designers must be rolling in their graves"
I have this image of 3 graves, with lights, and 3 Enigma designers rolling back and forth, encoding a message....

Coming soon to a theater near you...

So their implementation of HAIPE is nothing but a bunch of hype? ;)

I recall one day, few years ago, when a "start-up" company tried to convince my firm to support their new secret encryption algorithm of "million bit encryption" (patent-pending!!! :) ).

When I asked if they published a paper in Crypto, they said it's a secret and a patent. The algorithm.

BTW, the method for decryption was a password of less than 10 letters...

Snake-oil.

Oh, I forgot to add that a credit-card company bought their algorithm for communication encryption. I'm serious.

I Disagree - this kind of story is unsettling.

Millions of honest, hard working but 'security clueless' people read these kinds of stories, whether it's about a new way of protecting their own data or a new way of safeguarding the planet, and *believe* them or at the very least become more confused about what to believe.

Unfortunately, in the case of serious crypto, many who do take security seriously are still not skilled enough to aggressively critique a specific algorithm or implementation, but their b/s-ometer is often a good guide and alerts like Bruce's are extremely helpful.

There you have it: "...has developed what it thinks is..."
Does "anyone can devise a security system that he himself cannot break" ring any bells?

Smells like marketing speak for dedicated hardware to implement a DH key exchange very frequently, like every 512bits =D

Quote:
"Enigma designers must be rolling in their graves"
I have this image of 3 graves, with lights, and 3 Enigma designers rolling back and forth, encoding a message....
EndQuote:

That is the funniest thing that I have read all week.

The problem is that these scientists and engineers have not studied cryptography; it is not their area of expertise. Even so, it would be one thing for them to claim to have found something useful in the field. It is quite another thing for them to claimt to have out-done everyone in the field.

And the super-duper hacker-proof version has 5 Enigma designers rolling in their graves.

I don't know about other countries, but in the US, it's impossible to patent a secret. The patent has to DISCLOSE what you're patenting. That discrepancy alone should set off at least as many warning bells as the "million-bit key".

@Carlo Graziani: "I assume some knowledgeable responsible person at NSA will have a good laugh, then deploy ye olde clue bat and ring the skull of the pentagon types who are thinking about buying into this."

Actually, I think it depends on how much the units cost. If the cost is reasonable (despite the over-the-top hype), the Pentagon might just be interested in several thousand easily-deployed internet-appliances that support some kind of SSL. Of course, if they change the keys *too* frequently, your bandwidth is going to be eaten alive by continual protocol-handshaking...

Better than Virtual Matrix Encryption?
Crack the code and win a Hummer H2!
http://www.meganet.com/challenges/hummer/hummerH2.htm
No winner for the Ferrari 360 challenge!
http://www.meganet.com/challenges/ferrari/ferrari.htm

"Virtual Matrix Encryption, or VME, is the industry's only commercially available, unbreakable encryption engine. Utilizing a combination of Virtual Matrices and a 1,048,576 bit symmetric key, VME is impervious to brute force attacks."
What's a Virtual Matrice?
/* Execute the action on the local memory for the current interval and
* increment pptrbuff and ptrsizebuff of the intervalsize */
/* Notice that if the interval is contigous in the virtual matrice, it is
* also contigous in the real one ! */

http://www.netlib.org/lapack/Windows/nmake/ScaLAPACK_1.8.0_for_Windows/scalapack-1.8.0/REDIST/SRC/pztrmr2.c

Virtual Matrix Encryption
VME Spy Phone™
Eavesdrop on Conversations From Anywhere in the World
http://www.meganet.com/Products/VMESpyPhone/VMESpyPhone.asp

Selling security by selling stuff to break it? Sounds like Bart Simpson planning.

Note: (VME Spy Phone™) Pursuant to Federal law at 47 U.S.C. 302a, this product is available only for use by the Government of the United States or any agency thereof. Other interested parties are urged to contact appropriate regulatory oversight entities to determine whether any additional exceptions or arrangements have been authorized and implemented to permit use of this product consistent with controlling law.

Don't try getting one. It's for us dubious secret agents with a phone in our shoe.

The first indication of this was the fact that it was reported.

Even as technology permeates every facet of our lives, there are plenty of people who are utterly clueless about it. Cryptography and related fields are even more esoteric for most people.

Some of those technologically-challenged people are also journalists whose qualifications are on the order of "I know how to use computers - hell, I've typed this here article on one! I must, therefore, be qualified...".

It must be said that the PR folks at a given company also know up whose ass they can blow smoke to get their message out. This is not unlike the spam emails - people know this is BS, but some will get interested, might get roped into a sales pitch, and presto-sello, there be orders.

"EADS is in talks with the Pentagon about supplying the US military with the system..." -- "We've sent them the PR packet. The purchasing officer showed it to the crypto people. They can't return our calls because they are not done laughing yet"

Off topic: TV station runs competition with $30,000 wedding as prize, winner to be determined by e-mail voting. Then they are surprised when cheating happens. I'm only surprised that they noticed.

http://www.stuff.co.nz/stuff/dominionpost/4214417a6000.html

Just noticed more vitriol than I would expect for this story. Be sure to pay attention to the people mentioning HAIPE (http://en.wikipedia.org/wiki/HAIPE). I think some of the ingredients of this snake oil are "dubious" algorithms such as AES and SHA. Also of note is that the company's website is remarkably absent of the usual snake oil pitch.

peri: Any article claiming an encryption algorithm is "hacker proof" deserves whatever amount of vitriol we can safely throw at it.

eam: your unqualified claim suggests articles are "hacker proof,"-- when some random employee (Sales Manager) is possibly misquoted then I say unbounded virtriol might be excessive.

Strangely, most commenters have missed the point that it is about an idiotic reporting, not a product. Based on available documents, I would say that Ectocryp seems to be a fairly decent HAIPE. Although I tend to agree that they are using a pretty strange 'A' in the product's name.

Grandiose claims? Check.
Fear-mongering bit on "teh Chinese hackers"? Check.
Unrelated stock photography of a helicopter? Check.

I'd buy that for a dollar!

Seriously though, I think the hype can be blamed both on the quoted sales manager and the quote-unquote journalist. Between product-hype and news-sensationalism, there's no room for any incentive to have grounded, objective reporting.

Nothing is 100% Hacker-Proof. Not even a rusted file cabinet in a disused lavatory in the basement with a sign reading, 'Beware of Leopard.'

Hu, sometimes it's so embarrassing to be european....

First read about this on www.heise.de (german newsticker) and immediatly thought about Bruce and his definition of snake oil.

Still remember the good old MAGENTA algorithm by the german TELEKOM.

...embarrassing

"Hacker-proof" is a claim I can at least entertain. Depends on your definition of "hacker", of course, and I confidently predict that any definition of "hacker-proof" which this algorithm meets, is also met by existing standard crypto algorithms.

"Fool-proof" is the give-away: no system in existence is proof against even the average fool.

....after thinking a while...it was clear...these people MUST be nuts !

Nothing to it-

Snakeoiler:"[ring]Hello, Pentagon? We'd like to sell you our stuff!"
Pentagon:"No[click]"

Snakeoiler:"[ring]Hello, Pentagon? We'd like to sell you our stuff!"
Pentagon:"No[click]"

Press release:"We are in talks with the pentagon about buying our product"

I have spotted the Hitch hikers guide to the galaxy reference and I claim my £5!

Journalism by press release. Great!

It'll never beat a rot13 done twice. Doing it twice makes it 2X as hard to break

There needs to be a Godwin's type law for rot13 done twice.

Something along the lines of "Whenever you see a 'rot13 done twice' reference, the jokes are all made and it's time to move on"

Of course the reporting is bad, it's the Torygraph.
More here, particularly the 'Satire' section:
http://en.wikipedia.org/wiki/The_Daily_Telegraph

In defense of the defnese contactor.

EADS are one of the biggest defense contractors in the world. They ar a conglomeration of various British and German arms companies.

Greatest hits include breach loading artilery (Armstrong Whitworth), the steam turbine (Vickers Thorneycroft) , both the Hawker Hurricane and the Messerchmit 109, some crap tanks (from Vickers) and some superb armored vehicles (from Panther descended from the WWII Tiger tank), the worlds first second and third military jets and the worlds first two commercial jet airliners.

So they do have some sort of track record. Applying a filter to remove the marketing speak the article really says "we are the first defense company to get our HAIPE equipment certified".

The people this "article" really makes me feel bad for are the actual engineers and cryptographers who made the product. Somewhere, a bunch of people at EADS are crying into their beer.

Anonymous who thinks it's impossible to patent a secret in the USA: that's normally true, but the NSA has an exemption. They can have a patent issued and hold it unpublished until someone else tries to patent the same idea. Of course the clowns we're talking about today are not the NSA and don't have that power.

peri: I would never suggest an article is hacker-proof, and if the "journalists" are misquoting staff from the company, that's even more reason to start being vitriolic.

@Matthew Skala

Exactly.

Also, remember the patent tribulations of the inventor of the LASER, Gordon Gould (http://en.wikipedia.org/wiki/Gordon_Gould).

EADS is a modern arm of the British empire apparatus, and a very good friends of hedge funds, mercenary units and other fine bits of poison.

"Something along the lines of "Whenever you see a 'rot13 done twice' reference, the jokes are all made and it's time to move on""

I think that should be when you see the rot13 joke done twice...

I wonder what other topics the Telegraph understands, and describes, this poorly.

The NSA and Pentagon may have a few of their "front line" folks that have to deal with sales pitches like this, but the guys in the backend data centers running the mainframes that really run the government comm systems, and the cryptographers working on new codes or breaking current codes probably won't even be bothered with "news" of it.

And any nation foolish enough to implement any of this stuff in any of their systems probably will be conquered at some point or another anyway if the builders of their infrastructures fall for this.

Good reporting, Bruce!

If you're going to put out a press release containing the words "hacker proof" then you're going to earn the scorn of Schneier and others like him. There's no such thing as "hacker proof". Now, if they can explain what they're doing and why it's sufficiently secure (this presumably means it not being filtered through a journalist!), they might have a claim.

Google took me to http://www.eadsdsuk.com/ectocryp/ from where you can download an info PDF. Looks to me like a VPN endpoint with expensive governmental certification; it claims support for UK Eyes and Suite A (do they mean NSA Suite A?), so I doubt that any more details will become public.

@ Matthew Skala, Anonymous, Ishai Wertheimer

"Anonymous who thinks it's impossible to patent a secret in the USA"

Outside of the USA you are required to keep the "methods" in your patent application secret untill after it is granted otherwise you have "disclosed" and therefore no patent granted or you lose it when challenged (the result of a quaint old aspect of English law).

Due to the length of time it takes to get a patent you often have to go "commercial" prior to patent grant (for other quaint reasons), which as you can guess gives rise to quite a few messy complications (which is why legal bods specialising in IP can get very very rich without realy trying ;).

Ishai Wertheimer's comments about the specifics of the system he was talking about may well be true but.... He did include,

"(patent-pending!!! :) )"

So he may well have mis-reported the requirment for the secrecy at the time.

As far as I can tell, this is a decent device; 'ECTOCRYP' looks like an FPGA-based high-grade assurable platform, on top of which the product that they're pushing is a network encrypter using standard algorithms.

It's likely to be hacker-proof in the reasonably strong sense that no input packet can change the functionality of the hardware, since the packets are touched only by hardware which, because of the way FPGA programming works, can't be reprogrammed by their contents.

It's has a completely separate management interface, which will be attached to an internal secure network in the government communications centre in which these things will be installed.

I suspect the press release is to announce that the product is CAPS certified; CAPS certification is a slow-moving bureaucratic nightmare of a process, but a device being CAPS-certified to Top Secret UK Eyes is an indication that a lot of very good engineers at CESG have gone over it with very fine-tooth combs and pronounced it adequate.

Thank god, yet another great and well documented article by Bruce.

If it was not for Bruce I might have used another snake oil product by this shaddy EADS company: http://www.airbus.com