Perpetual Doghouse: Meganet
I first wrote about Meganet in 1999, in a larger article on cryptographic snake-oil, and formally put them in the doghouse in 2003:
They build an alternate reality where every cryptographic algorithm has been broken, and the only thing left is their own system. “The weakening of public crypto systems commenced in 1997. First it was the 40-bit key, a few months later the 48-bit key, followed by the 56-bit key, and later the 512 bit has been broken…” What are they talking about? Would you trust a cryptographer who didn’t know the difference between symmetric and public-key cryptography? “Our technology… is the only unbreakable encryption commercially available.” The company’s founder quoted in a news article: “All other encryption methods have been compromised in the last five to six years.” Maybe in their alternate reality, but not in the one we live in.
Their solution is to not encrypt data at all. “We believe there is one very simple rule in encryption: if someone can encrypt data, someone else will be able to decrypt it. The idea behind VME is that the data is not being encrypted nor transferred. And if it’s not encrypted and not transferred, there is nothing to break. And if there’s nothing to break, it’s unbreakable.” Ha ha; that’s a joke. They really do encrypt data, but they call it something else.
Read the whole thing; it’s pretty funny.
They’re still around, and they’re still touting their snake-oil “virtual matrix encryption.” (The patent is finally public, and if someone can reverse-engineer the combination of patentese and gobbledygook into an algorithm, we can finally see how actually awful it really is.) The tech on their website is better than it was in 2003, but it’s still pretty hokey.
Back in 2005, they got their product FIPS 140-1 certified (#505 on this page). The certification was for their AES implementation, but they’re sneakily implying that VME was certified. From their website: “The Strength of a Megabit Encryption (VME). The Assurance of a 256 Bit Standard (AES). Both Technologies Combined in One Certified Module! FIPS 140-2 CERTIFICATE # 505.”
Just goes to show that with a bit of sleight-of-hand you can get anything FIPS 140 certified.
Trevor • June 14, 2007 1:22 PM
Let me be the first to admit this post was over my head. I’m guessing you were targeting industry insiders, though, and not people like me, who have a more basic interest in security.
I did get the keywords though. Meganet=snake oil.