Idiotic Cryptography Reporting

Oh, this is funny:

A team of researchers and engineers at a UK division of Franco-German aerospace giant EADS has developed what it believes is the world's first hacker-proof encryption technology for the internet.

[...]

Gordon Duncan, the division's government and commercial sales manager, said he was convinced that sensitive data could now be sent across the world without fear of it being spied on by hackers. "All the computer technology in the world cannot break it," he said yesterday.

At the heart of the system is the lightning speed with which the "keys" needed to enter the computer systems can be scrambled and re-formatted. Just when a hacker thinks he or she has broken the code, the code changes. "There is nothing to compare with it," said Mr Duncan.

EADS is in talks with the Pentagon about supplying the US military with the system, although some American defence companies are also working on what they believe will be fool-proof encryption systems.

Snake oil, absolute snake oil.

EDITED TO ADD (9/26): Steve Bellovin, who knows what he's talking about, writes:

Actually, it's not snake oil, it's very solid -- till it got to Marketing. The folks at EADS built a high-assurance, Type I (or the British equivalent) IP encryptor -- a HAIPE, in NSA-speak. Their enemy isn't "hackers", it's the PLA and the KGB++. See this and this.

Of course, Marketing did get hold of it.

David Lacey makes the same point here.

Posted on September 24, 2007 at 1:58 PM • 57 Comments

Comments

Phillip • September 24, 2007 2:10 PM

IIRC, SSH changes (session) keys several times a session...nothing new...nothing to see here...move along.

Henryk Plötz • September 24, 2007 2:51 PM

It's not so much snake oil but more like over-the-top marketing. They're talking about HAIPE (http://en.wikipedia.org/wiki/HAIPE) which basically is IPsec in a box with shiny management interfaces.

Maik • September 24, 2007 3:01 PM

The actual devices seem to be not that bad, judging by what little documentation I found. Nothing groundbreaking, just your basic VPN appliance with some government/military certifications so they'll sell better.

More a case of horrible marketing than of horrible products, I think.

Carlo Graziani • September 24, 2007 3:09 PM

"EADS is in talks with the Pentagon about supplying the US military with the system..."

I assume some knowledgeable responsible person at NSA will have a good laugh, then deploy ye olde clue bat and ring the skull of the Pentagon types who are thinking about buying into this.

On the other hand, if I were a US official, I'd be very interested in having as many _other_ countries as possible buy this stuff...

nzruss • September 24, 2007 3:13 PM

"hacker-proof"

There is a probability of exactly 100% that their solution is NOT hacker-proof.

I know that and I'm not even a cryptologist. Heck, I don't even play one on TV.

sooth_sayer • September 24, 2007 3:24 PM

Enigma designers must be rolling in their graves - so much for partnering with the French instead of invading them... somehow that brought out the best in the Germans :-)

chris • September 24, 2007 3:38 PM

Did anyone else notice how awful the 'journalism' of this article is?

The heading starts with the company developing a hacker proof system.

In the middle of the 'article' they have a blurb about Chinese hackers and at the end a bit about a fighter plane contract with Saudi Arabia.

The decline of decent journalism is really scary. No wonder this snake oil is easy to peddle!

On the other hand, I've really, really enjoyed your writing Bruce. Thanks for all your hard work.

Erik W • September 24, 2007 3:41 PM

"Enigma designers must be rolling in their graves"
I have this image of 3 graves, with lights, and 3 Enigma designers rolling back and forth, encoding a message....

Ishai Wertheimer • September 24, 2007 4:25 PM

I recall one day, a few years ago, when a "start-up" company tried to convince my firm to support their new secret encryption algorithm of "million bit encryption" (patent-pending!!! :) ).

When I asked if they published a paper in Crypto, they said it's a secret and a patent. The algorithm.

BTW, the method for decryption was a password of less than 10 letters...

Snake-oil.

Oh, I forgot to add that a credit-card company bought their algorithm for communication encryption. I'm serious.

Rob Mayfield • September 24, 2007 4:31 PM

I disagree - this kind of story is unsettling.

Millions of honest, hard working but 'security clueless' people read these kinds of stories, whether it's about a new way of protecting their own data or a new way of safeguarding the planet, and *believe* them or at the very least become more confused about what to believe.

Unfortunately, in the case of serious crypto, many who do take security seriously are still not skilled enough to aggressively critique a specific algorithm or implementation, but their b/s-ometer is often a good guide and alerts like Bruce's are extremely helpful.

Flado • September 24, 2007 4:46 PM

There you have it: "...has developed what it thinks is..."
Does "anyone can devise a security system that he himself cannot break" ring any bells?

Harrkev • September 24, 2007 5:09 PM

Quote:
"Enigma designers must be rolling in their graves"
I have this image of 3 graves, with lights, and 3 Enigma designers rolling back and forth, encoding a message....
EndQuote:

That is the funniest thing that I have read all week.

RC • September 24, 2007 5:17 PM

The problem is that these scientists and engineers have not studied cryptography; it is not their area of expertise. Even so, it would be one thing for them to claim to have found something useful in the field. It is quite another thing for them to claim to have out-done everyone in the field.

Anonymous • September 24, 2007 5:26 PM

And the super-duper hacker-proof version has 5 Enigma designers rolling in their graves.

Anonymous • September 24, 2007 5:28 PM

I don't know about other countries, but in the US, it's impossible to patent a secret. The patent has to DISCLOSE what you're patenting. That discrepancy alone should set off at least as many warning bells as the "million-bit key".

X-the-Unknown • September 24, 2007 6:09 PM

@Carlo Graziani: "I assume some knowledgeable responsible person at NSA will have a good laugh, then deploy ye olde clue bat and ring the skull of the pentagon types who are thinking about buying into this."

Actually, I think it depends on how much the units cost. If the cost is reasonable (despite the over-the-top hype), the Pentagon might just be interested in several thousand easily-deployed internet-appliances that support some kind of SSL. Of course, if they change the keys *too* frequently, your bandwidth is going to be eaten alive by continual protocol-handshaking...

Jim • September 24, 2007 6:11 PM

Better than Virtual Matrix Encryption?
Crack the code and win a Hummer H2!
http://www.meganet.com/challenges/hummer/hummerH2.htm
No winner for the Ferrari 360 challenge!
http://www.meganet.com/challenges/ferrari/ferrari.htm

"Virtual Matrix Encryption, or VME, is the industry's only commercially available, unbreakable encryption engine. Utilizing a combination of Virtual Matrices and a 1,048,576 bit symmetric key, VME is impervious to brute force attacks."
What's a Virtual Matrice?
/* Execute the action on the local memory for the current interval and
* increment pptrbuff and ptrsizebuff of the intervalsize */
/* Notice that if the interval is contigous in the virtual matrice, it is
* also contigous in the real one ! */

http://www.netlib.org/lapack/Windows/nmake/ScaLAPACK_1.8.0_for_Windows/scalapack-1.8.0/REDIST/SRC/pztrmr2.c
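Ishai Wertheimer's "million bit encryption" that was unlocked by a password of under ten letters, and the 1,048,576-bit VME key quoted above, both come down to the same point: a key derived from a short secret is only as strong as that secret, however long the key is. The script below, an added example (not code from the post, from any commenter, or from either vendor), models that with SHAKE-256 as an assumed stretching function and a constructed two-letter password:

```python
import hashlib
import itertools
import math
import string

# Constructed toy parameters (assumptions, not from the page): a two-letter
# lowercase password so the exhaustive search finishes in well under a second.
ALPHABET = string.ascii_lowercase
PASSWORD_LEN = 2
# The "1,048,576 bit symmetric key" from the quoted marketing copy, in bytes.
MILLION_BIT_KEY_BYTES = 1_048_576 // 8


def derive_key(password: str, key_bytes: int = MILLION_BIT_KEY_BYTES) -> bytes:
    """Stretch a password into a key of any requested length with SHAKE-256,
    an extendable-output hash (assumed here as the vendor's stretching step).
    The output can be a million bits long, but it is a deterministic function
    of the password and so carries no more entropy than the password does."""
    return hashlib.shake_256(password.encode()).digest(key_bytes)


def password_entropy_bits(alphabet: str = ALPHABET, length: int = PASSWORD_LEN) -> float:
    """Entropy of a password drawn uniformly from alphabet^length: this, not
    the key length, bounds the effective strength of the derived key."""
    return length * math.log2(len(alphabet))


def recover_password(target_key: bytes, key_bytes: int,
                     alphabet: str = ALPHABET, length: int = PASSWORD_LEN):
    """Exhaust the password space and report (password, guesses needed).
    The work is bounded by |alphabet|**length; key_bytes only changes how
    much hashing each guess costs, never how many guesses are needed."""
    for guesses, chars in enumerate(itertools.product(alphabet, repeat=length), 1):
        candidate = "".join(chars)
        if derive_key(candidate, key_bytes) == target_key:
            return candidate, guesses
    return None, len(alphabet) ** length


if __name__ == "__main__":
    secret = "mk"  # constructed sample password
    # Same search cost for a "million-bit" key and for an ordinary 256-bit one.
    for key_bytes in (MILLION_BIT_KEY_BYTES, 32):
        key = derive_key(secret, key_bytes)
        found, guesses = recover_password(key, key_bytes)
        print(f"{key_bytes * 8:>8}-bit key: recovered {found!r} after {guesses} guesses")
    print(f"effective strength: {password_entropy_bits():.1f} bits, whatever the key length")
```

A slow, salted KDF would raise the cost of each guess, but the guess count stays capped by the password space; that is the audit question to ask of any "N-bit key" claim.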

007 • September 24, 2007 6:25 PM

Note: (VME Spy Phone™) Pursuant to Federal law at 47 U.S.C. 302a, this product is available only for use by the Government of the United States or any agency thereof. Other interested parties are urged to contact appropriate regulatory oversight entities to determine whether any additional exceptions or arrangements have been authorized and implemented to permit use of this product consistent with controlling law.

Don't try getting one. It's for us dubious secret agents with a phone in our shoe.

Pavel • September 24, 2007 6:27 PM

The first indication of this was the fact that it was reported.

Even as technology permeates every facet of our lives, there are plenty of people who are utterly clueless about it. Cryptography and related fields are even more esoteric for most people.

Some of those technologically-challenged people are also journalists whose qualifications are on the order of "I know how to use computers - hell, I've typed this here article on one! I must, therefore, be qualified...".

It must be said that the PR folks at a given company also know up whose ass they can blow smoke to get their message out. This is not unlike the spam emails - people know this is BS, but some will get interested, might get roped into a sales pitch, and presto-sello, there be orders.

"EADS is in talks with the Pentagon about supplying the US military with the system..." -- "We've sent them the PR packet. The purchasing officer showed it to the crypto people. They can't return our calls because they are not done laughing yet"

peri • September 24, 2007 8:24 PM

Just noticed more vitriol than I would expect for this story. Be sure to pay attention to the people mentioning HAIPE (http://en.wikipedia.org/wiki/HAIPE). I think some of the ingredients of this snake oil are "dubious" algorithms such as AES and SHA. Also of note is that the company's website is remarkably absent of the usual snake oil pitch.

Eam • September 24, 2007 8:56 PM

peri: Any article claiming an encryption algorithm is "hacker proof" deserves whatever amount of vitriol we can safely throw at it.

peri • September 24, 2007 9:13 PM

eam: your unqualified claim suggests articles are "hacker proof" -- when some random employee (Sales Manager) is possibly misquoted, then I say unbounded vitriol might be excessive.

Ilya Levin • September 24, 2007 9:23 PM

Strangely, most commenters have missed the point that it is about idiotic reporting, not a product. Based on available documents, I would say that Ectocryp seems to be a fairly decent HAIPE. Although I tend to agree that they are using a pretty strange 'A' in the product's name.

Albert Sweigart • September 25, 2007 1:44 AM

Grandiose claims? Check.
Fear-mongering bit on "teh Chinese hackers"? Check.
Unrelated stock photography of a helicopter? Check.

I'd buy that for a dollar!

Seriously though, I think the hype can be blamed both on the quoted sales manager and the quote-unquote journalist. Between product-hype and news-sensationalism, there's no room for any incentive to have grounded, objective reporting.

TheDoctor • September 25, 2007 4:12 AM

Hu, sometimes it's so embarrassing to be European....

First read about this on www.heise.de (German newsticker) and immediately thought about Bruce and his definition of snake oil.

Still remember the good old MAGENTA algorithm by the German TELEKOM.

...embarrassing

SteveJ • September 25, 2007 4:38 AM

"Hacker-proof" is a claim I can at least entertain. Depends on your definition of "hacker", of course, and I confidently predict that any definition of "hacker-proof" which this algorithm meets, is also met by existing standard crypto algorithms.

"Fool-proof" is the give-away: no system in existence is proof against even the average fool.

bob • September 25, 2007 6:35 AM

Nothing to it-

Snakeoiler:"[ring]Hello, Pentagon? We'd like to sell you our stuff!"
Pentagon:"No[click]"

Snakeoiler:"[ring]Hello, Pentagon? We'd like to sell you our stuff!"
Pentagon:"No[click]"

Press release: "We are in talks with the Pentagon about buying our product"

Tim the Enchanter • September 25, 2007 7:11 AM

I have spotted the Hitchhiker's Guide to the Galaxy reference and I claim my £5!

JustSomeGuy • September 25, 2007 8:12 AM

There needs to be a Godwin's type law for rot13 done twice.

Something along the lines of "Whenever you see a 'rot13 done twice' reference, the jokes are all made and it's time to move on"

supersnail • September 25, 2007 8:51 AM

In defense of the defense contractor.

EADS are one of the biggest defense contractors in the world. They are a conglomeration of various British and German arms companies.

Greatest hits include breech-loading artillery (Armstrong Whitworth), the steam turbine (Vickers Thorneycroft), both the Hawker Hurricane and the Messerschmitt 109, some crap tanks (from Vickers) and some superb armored vehicles (from Panther, descended from the WWII Tiger tank), the world's first, second and third military jets and the world's first two commercial jet airliners.

So they do have some sort of track record. Applying a filter to remove the marketing speak the article really says "we are the first defense company to get our HAIPE equipment certified".

Kadin2048 • September 25, 2007 10:49 AM

The people this "article" really makes me feel bad for are the actual engineers and cryptographers who made the product. Somewhere, a bunch of people at EADS are crying into their beer.

Matthew Skala • September 25, 2007 11:01 AM

Anonymous who thinks it's impossible to patent a secret in the USA: that's normally true, but the NSA has an exemption. They can have a patent issued and hold it unpublished until someone else tries to patent the same idea. Of course the clowns we're talking about today are not the NSA and don't have that power.

Eam • September 25, 2007 11:06 AM

peri: I would never suggest an article is hacker-proof, and if the "journalists" are misquoting staff from the company, that's even more reason to start being vitriolic.

X the Unknown • September 25, 2007 1:02 PM

@Matthew Skala

Exactly.

Also, remember the patent tribulations of the inventor of the LASER, Gordon Gould (http://en.wikipedia.org/wiki/Gordon_Gould).

ForReal • September 25, 2007 2:11 PM

EADS is a modern arm of the British empire apparatus, and very good friends of hedge funds, mercenary units and other fine bits of poison.

G • September 25, 2007 4:44 PM

"Something along the lines of "Whenever you see a 'rot13 done twice' reference, the jokes are all made and it's time to move on""

I think that should be when you see the rot13 joke done twice...

The Wanderer • September 25, 2007 11:11 PM

The NSA and Pentagon may have a few of their "front line" folks that have to deal with sales pitches like this, but the guys in the backend data centers running the mainframes that really run the government comm systems, and the cryptographers working on new codes or breaking current codes probably won't even be bothered with "news" of it.

And any nation foolish enough to implement any of this stuff in any of their systems probably will be conquered at some point or another anyway if the builders of their infrastructures fall for this.

Good reporting, Bruce!

Andy Cunningham • September 26, 2007 6:29 AM

If you're going to put out a press release containing the words "hacker proof" then you're going to earn the scorn of Schneier and others like him. There's no such thing as "hacker proof". Now, if they can explain what they're doing and why it's sufficiently secure (this presumably means it not being filtered through a journalist!), they might have a claim.

Ross Younger • September 26, 2007 9:52 AM

Google took me to http://www.eadsdsuk.com/ectocryp/ from where you can download an info PDF. Looks to me like a VPN endpoint with expensive governmental certification; it claims support for UK Eyes and Suite A (do they mean NSA Suite A?), so I doubt that any more details will become public.

Clive Robinson • September 27, 2007 5:04 AM

@ Matthew Skala, Anonymous, Ishai Wertheimer

"Anonymous who thinks it's impossible to patent a secret in the USA"

Outside of the USA you are required to keep the "methods" in your patent application secret until after it is granted, otherwise you have "disclosed" and therefore no patent is granted, or you lose it when challenged (the result of a quaint old aspect of English law).

Due to the length of time it takes to get a patent you often have to go "commercial" prior to patent grant (for other quaint reasons), which as you can guess gives rise to quite a few messy complications (which is why legal bods specialising in IP can get very very rich without really trying ;).

Ishai Wertheimer's comments about the specifics of the system he was talking about may well be true but.... He did include,

"(patent-pending!!! :) )"

So he may well have mis-reported the requirement for the secrecy at the time.

Tom Womack • September 27, 2007 6:10 AM

As far as I can tell, this is a decent device; 'ECTOCRYP' looks like an FPGA-based high-grade assurable platform, on top of which the product that they're pushing is a network encrypter using standard algorithms.

It's likely to be hacker-proof in the reasonably strong sense that no input packet can change the functionality of the hardware, since the packets are touched only by hardware which, because of the way FPGA programming works, can't be reprogrammed by their contents.

It has a completely separate management interface, which will be attached to an internal secure network in the government communications centre in which these things will be installed.

I suspect the press release is to announce that the product is CAPS certified; CAPS certification is a slow-moving bureaucratic nightmare of a process, but a device being CAPS-certified to Top Secret UK Eyes is an indication that a lot of very good engineers at CESG have gone over it with very fine-tooth combs and pronounced it adequate.

Bwn Dover • January 3, 2009 7:32 PM

If the pointers are truly meaningless once the encryption is broken why don't they just email the pointers?
