Comments

TatütataMay 13, 2016 2:11 PM

It would be satire if they didn't ask for money, so SCAM.

I tried to see what the "science" is, but came out absolutely empty. "We built an ‘exploit’ that destroys their ‘exploit’." HA!

The "management" team allegedly oversaw projects worth gazillions, but don't have the wherewithal to fund a measly 25k$ project, resorting instead to panhandling on Kickstarter. Smells fishy.

AnonMay 13, 2016 2:15 PM

They have 512 kilobyte(sic) encryption! Inspires confidence indeed!
So, yes - let's give money to people who don't know the difference between a bit and a kilobyte.

Also, I was unaware of any brute force attacks against AES - floating around on darknet or otherwise. Anyone know anything about this?

WaldoMay 13, 2016 2:17 PM

"Don't trust anyone.... But you can trust me"

I find that to be satire. A scam is usually people trying to be serious.

AnuraMay 13, 2016 2:23 PM

They sound like snake oil salesman to me:

To accomplish our goal of building an impenetrable data security solution, we first had to be able beat hackers at their own game using their own tools. To do this, we reverse engineered several commercially available automated password cracking programs, and two which are not, to understand these programs methodologies. Following the decompile and disassembly procedure, we designed and built our own cracking program, and then we set about defeating our new 'super hybrid'. Goal met.

Shorter Version: We limit the number of password attempts for online attacks.

Of course, this comes after a bunch of stuff on how AES has a backdoor and is failing (which is just plain bullshit), and then they go on to say they created their own cipher (which I'm guessing is a closely guarded secret - AKA, not to be trusted at all). Oh, but 512kb keys! Umm... Okay.

TatütataMay 13, 2016 2:26 PM

We created a cipher that is 6,000,000 times stronger than current data security, as proven by algorithmic mathematics.

An oil extractor somewhere must have decimated just as many snakes.

Then there is the great patriotic wrapping in an American flag, with the statement Our Pledge To Serve Those Who Protect Us, and some stock pictures labeled with the legend "Active duty and first responders", with "special" rates further down the page.

I also googled several of the names at the end of the page... Zilch. The names sound like those you would typically see in spam e-mails.

Underestimates StupidityMay 13, 2016 2:27 PM

Well they did collect people's money, so if it's a joke it's going a bit far.
I want to hope that this is satire, but after seeing so much amateur crypto, it's hard to believe that they aren't dead serious.

AnuraMay 13, 2016 2:30 PM

@Underestimates Stupidity

Luckily for the backers, Kickstarter doesn't fund unless the project meets its funding goal.

Nick PMay 13, 2016 2:32 PM

The page is all marketing. The blog doesn't load. They have no technical details aside from the false claim that their app can protect data on a potentially-compromised mobile. The capabilities are ripped straight from SpiderOak as far as I can tell, with extra claims on top. They reference a NIST roadmap I've never heard of. Given I track high-security, it's strange I've never heard of them or actually anything coming out of Orlando, FL in this field. There's a lot of acting, marketing, and con jobs in Orlando, though. Now, on top of it, they want money through Kickstarter.

Total scam. Especially given the features they mention are too complex for even experts to have bulletproofed at this point. Much less a small firm. Not even worth a security review.

AnonMay 13, 2016 2:40 PM

Oh lol - it gets better and better.

Their material seems to indicate a Hollywood style password cracking where you guess the first digit in the password before moving onto the next.

As a result, their added security comes from being forced to guess the digits in the right order or something rather than stumbling on them randomly. The security is proven by "algorithmic mathematics", which from the slide is the difference between a numeric permutation versus a combination (basic 1st or 2nd year combinatorics).

I really don't know what to something like this brazenly nonsensical. I hope the backers are not trying for anything more expensive than the hat or t-shirt, otherwise they're throwing away their money.

vinceMay 13, 2016 2:48 PM

I didn't see a single mathematician or computer scientist or anyone with any sort of real expertise on their about us section. I think that's about all I need to know.

albertMay 13, 2016 2:51 PM

I might donate for Data Angels breast augmentation. At least there would be 'real' results to see.
. .. . .. --- ....

AnuraMay 13, 2016 2:56 PM

I decided to one-up them and write an algorithm with an unlimited keyspace.

#include <stdint.h>
#include <stddef.h>

/* Adds every key byte to every data byte (mod 256, since uint8_t wraps). */
void encrypt(uint8_t *data, size_t data_len, uint8_t *key, size_t key_len)
{
    int i, j;
    for (i=0; i<data_len; i++)
    {
        for (j=0; j<key_len; j++)
        {
            data[i] += key[j];
        }
    }
}
/* Subtracts the key bytes again, in reverse order, to undo encrypt(). */
void decrypt(uint8_t *data, size_t data_len, uint8_t *key, size_t key_len)
{
    int i, j;
    for (i=0; i<data_len; i++)
    {
        for (j=key_len-1; j>=0; j--)
        {
            data[i] -= key[j];
        }
    }
}

Provably secure against full key recovery attacks for sufficiently large keys.

boogMay 13, 2016 2:58 PM

Scam or Satire?

Depends on if they get funded.

If so: total scam.
If not: accidental satire..?

DanielMay 13, 2016 3:05 PM

Now that I've thought about it some more it's more than a scam, it's cruel, even evil. It reminds me of the origins of the term "snake oil". There are many people who simply don't understand computer security and yet have a real need for computer security. So what else can they do but put their trust in strangers? And here are some of those strangers taking advantage of their ignorance by peddling them false hope. Shameful.

There isn't anything amusing about it unless you are the type of person who finds setting a cat's tail on fire amusing. It galls me that they thought they could get away with such nonsense and no one would notice or care.

Dan3264May 13, 2016 3:47 PM

@Anura,
Yes, your algorithm is provably secure against full key recovery attacks for sufficiently large keys. It is also provably insecure against full plaintext recovery attacks for sufficiently structured plaintext. It also has O(m*n) encryption/decryption time, where m is the plaintext length and n is the key length. I assume that all these features are intentional ;-)

DaveMay 13, 2016 3:47 PM

Whois for mydataangel.com comes up with an e-mail raytal@gate.net, which shows up associated with one Raymond J Talarico in certain SEC filings related to health care companies in FL (MEDirect Latino and Medtino Incorporated). whoisology.com shows a bunch of domains registered with that e-mail, most are blank pages, several are related to mydataangel.com.

Looks like a scam to me, there's no hint of satire. I'm taking for granted that godaddy verifies ownership of an e-mail before using it to register domains, and this guy's e-mail wasn't just hacked.

Scott RomanowskiMay 13, 2016 3:55 PM

@Anura I'm sorry but after a long day of coding I couldn't resist analyzing your functions. Your code adds the sum of all the bytes in key to each byte of data, so I could rewrite your functions as

#include <stdint.h>
#include <stddef.h>

void encrypt(uint8_t *data, size_t data_len, uint8_t *key, size_t key_len)
{
    size_t i, j;
    uint8_t SumKey = 0;
    /* SumKey is the byte sum of the key, mod 256 */
    for (j=0; j<key_len; j++) { SumKey += key[j]; }
    for (i=0; i<data_len; i++) { data[i] += SumKey; }
}
void decrypt(uint8_t *data, size_t data_len, uint8_t *key, size_t key_len)
{
    size_t i, j;
    uint8_t SumKey = 0;
    for (j=0; j<key_len; j++) { SumKey += key[j]; }
    for (i=0; i<data_len; i++) { data[i] -= SumKey; }
}

"Provably secure against full key recovery attacks for sufficiently large keys."

I think not since the key size doesn't matter because you are essentially using a 1-byte key. :-)

Also an int is not guaranteed to have the same range as a size_t. According to "C: A Reference Manual", size_t is often implemented as an unsigned long.

AnuraMay 13, 2016 3:55 PM

@Dan3264

Optimized implementations exist that reduce encryption and decryption time to O(m).

TatütataMay 13, 2016 3:58 PM

Good find Dave!

Talarico shows up on page 14 of this 2014 issue of a horse racing sheet, in association with one Debra T. Towsley, a name which is mentioned on the Kickstarter page. Could that be a pure coincidence?

Marcos MaloMay 13, 2016 4:00 PM

Did anyone watch the video? It's a joke and intended as such. The joke signifiers are all over it (encoded, if you will) from the subtle changes to the spokesmodel segments to the (as Anon mentioned) Hollywood style brute force attack. Plus, there is the message encoded in the yoyo string subcarrier harmonics with the brief message "this is a joke"*. I expect @Clive and a few others pick up on that.

They haven't collected any money. When cash gets transferred to their bank account, we can call it a scam and debate if their joke claims amount to fraud.

I suspect the tshirts, baseball caps, and beanies are real, though.

*This is a joke, but seriously, a yoyo? Dead giveaway.

AnuraMay 13, 2016 4:02 PM

@Scott Romanowski

Case in point.

"Provably secure against full key recovery attacks for sufficiently large keys."

I think not since the key size doesn't matter because you are essentially using a 1-byte key. :-)

It's true assuming a very specific definition of Full Key Recovery. Yes, you can find an equivalent key in O(1) time, but you can't recover the original key.

Also, I was going to make an excuse about me spending only 20 seconds on writing the implementation, but thinking about it further, the size_t/int thing is inexcusable.

Scott RomanowskiMay 13, 2016 4:06 PM

@Anura
You got me, you can't recover the key but you can generate an infinite number of equivalent keys. :-D
I do embedded a lot of different-sized µCs and have been caught often enough with size issues that it's written in scars on my ego.
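The exchange above between Anura, Scott Romanowski and Dan3264 carried through as an added example (my code, not anything posted in the thread): the O(m*n) cipher next to its 1-byte reduction, plus the two recovery routes Dan3264 alludes to. The key bytes, the message and all function names are constructed for this example, and it also generalises Scott's point by showing that with no key material at all the 256-entry effective keyspace is enumerated and the right entry picked out from plaintext structure alone.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed 5-byte sample key and message; nothing here comes from the thread. */
static const uint8_t SAMPLE_KEY[] = { 0x10, 0xF3, 0x07, 0x55, 0xAA };
static const char SAMPLE_MSG[] = "the quick brown fox jumps over the lazy dog";

/* The thread's cipher as written: every key byte is added to every data byte, O(m*n). */
static void naive_encrypt(uint8_t *data, size_t data_len,
                          const uint8_t *key, size_t key_len)
{
    for (size_t i = 0; i < data_len; i++)
        for (size_t j = 0; j < key_len; j++)
            data[i] += key[j];
}

/* Scott's reduction: the key only matters through its byte sum mod 256. */
uint8_t effective_key(const uint8_t *key, size_t key_len)
{
    uint8_t sum = 0;
    for (size_t j = 0; j < key_len; j++)
        sum += key[j];                  /* uint8_t arithmetic wraps mod 256 */
    return sum;
}

/* Anura's O(m) "optimized implementation": add the 1-byte effective key. */
void fast_encrypt(uint8_t *data, size_t data_len, uint8_t k)
{
    for (size_t i = 0; i < data_len; i++)
        data[i] += k;
}

/* With one known plaintext byte the effective key falls out by subtraction. */
uint8_t key_from_known_byte(uint8_t ct_byte, uint8_t pt_byte)
{
    return (uint8_t)(ct_byte - pt_byte);
}

/* With no known plaintext: the effective keyspace is 256, so score every
 * candidate by how much the decryption looks like lowercase English. */
uint8_t key_from_structure(const uint8_t *ct, size_t len)
{
    uint8_t best_k = 0;
    size_t best_score = 0;
    for (int k = 0; k < 256; k++) {
        size_t score = 0;
        for (size_t i = 0; i < len; i++) {
            uint8_t c = (uint8_t)(ct[i] - k);
            if ((c >= 'a' && c <= 'z') || c == ' ')
                score++;
        }
        if (score > best_score) {
            best_score = score;
            best_k = (uint8_t)k;
        }
    }
    return best_k;
}

/* Returns 1 if the O(m*n) routine and the 1-byte shortcut agree on SAMPLE_MSG. */
int naive_equals_fast(void)
{
    uint8_t a[sizeof SAMPLE_MSG], b[sizeof SAMPLE_MSG];
    size_t len = sizeof SAMPLE_MSG - 1;
    memcpy(a, SAMPLE_MSG, sizeof SAMPLE_MSG);
    memcpy(b, SAMPLE_MSG, sizeof SAMPLE_MSG);
    naive_encrypt(a, len, SAMPLE_KEY, sizeof SAMPLE_KEY);
    fast_encrypt(b, len, effective_key(SAMPLE_KEY, sizeof SAMPLE_KEY));
    return memcmp(a, b, len) == 0;
}

/* Effective key of SAMPLE_KEY: 0x10+0xF3+0x07+0x55+0xAA = 0x209, i.e. 9 mod 256. */
uint8_t demo_effective_key(void)
{
    return effective_key(SAMPLE_KEY, sizeof SAMPLE_KEY);
}

/* Encrypt SAMPLE_MSG under the 5-byte key, then recover the effective key from
 * ciphertext structure alone. Returns 1 if the recovered value matches. */
int recover_demo(void)
{
    uint8_t ct[sizeof SAMPLE_MSG];
    size_t len = sizeof SAMPLE_MSG - 1;
    memcpy(ct, SAMPLE_MSG, sizeof SAMPLE_MSG);
    fast_encrypt(ct, len, demo_effective_key());
    return key_from_structure(ct, len) == demo_effective_key();
}

int main(void)
{
    printf("naive == fast: %d\n", naive_equals_fast());
    printf("effective key: %u\n", demo_effective_key());
    printf("recovered from structure: %d\n", recover_demo());
    return 0;
}
```

The structure-based recovery is unambiguous for this message because it contains both 'a' and 'z': no nonzero shift maps every letter and space back into that alphabet, so only the true effective key reaches a full score. That is the practical content of "unlimited keyspace" here: whatever the key length, an attacker needs to distinguish at most 256 possibilities.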

zMay 13, 2016 4:13 PM

The fact that it's hard to tell if it's satire or not is pretty telling of the state of commercial encryption products in 2016.

DeanMay 13, 2016 4:26 PM

Scam.

I could smell the snake oil as I moved further down the page. They even 'sell' t-shirts!

Now if they'd stated that AES had been broken then that would have been the only thing they'd said; not that it would make me favour their product over AES.

DeanMay 13, 2016 4:28 PM

Correction:

Now if they'd stated that AES had been broken then that would have been the only true thing they'd said; not that it would make me favour their product over AES.

Data WangleMay 13, 2016 4:45 PM

If they'd made an unachievable target (for example, all the $100 options had gone, leaving only $1 options and an impossible target of $100,000) then it would have been satire.
As it is, it's a scam on anyone who funds, and a satire on Kickstarter and the way that so many Kickstarter projects only ever fund the production of a video.

-estebanMay 13, 2016 4:53 PM

Just Google "talarico towsley" and start with the MEDirect Latino Inc.'s SEC 8-K filing.

hiiruMay 13, 2016 5:08 PM

I wonder why they do the security approach, because nearly nobody really cares about security, sadly... (except the crowd here)

if they have a key algorithm which allows kilobyte and bit to be equal.
they should have turned this into a compression algorithm, over 8000% compression rate (too bad it's not over 9000) ^^
at least a video which shows how they make floppy disks useful again for storing movies would have been a lot funnier than this :P

Nick PMay 13, 2016 5:19 PM

@ Sara

Thanks for the tip! I missed these gems by not reading the comments.

@ All Let me quote the project rep:

"Following independent validation from Underwriters Laboratory of our cryptographic module"

Underwriters Laboratory, who aren't crypto geniuses, will be validating this crypto.

"Given the abject failure of AES to secure and protect data"

Funny given the U.S. and NIST still recommend it with it still uncracked outside implementation bugs.

"...both the White House and Secretary of Commerce, understanding that a new data security standard is vital to national security, corporate and private interests, proposed FIPS 140-3 in late 2013."

The Wikipedia page says nothing about AES. Instead, it's an update to the standard that was canceled largely because nobody could agree about what constituted hardware security for tamper-resistance. That was smart given all the cracking.

So, we have two straight lies with quite a creative story around them plus an unqualified evaluator being used for cutting-edge crypto. Priceless reply.

-------------------------

Jay chimes in with memorable questions addressing real-world concerns relevant to their security claims:

"Anyway... so needless to say these documents will bring the entire wrath of the US government and each and every yoyo toting hacker from the Dark Web (including the deep web, even). "

"Do you guys plan to bring in a Computer Hacking Wizard (like adrian lamo) to try to hack you so that we know you can't be hacked? "

Note: Oh, please do bring in Adrian Lamo. Real hackers are standing by waiting for that one.

"kickstarter.com's preferred cipher suite is "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256!" Since kickstarter.com is using AES, can you please acknowledge receipt of my last message? Should I pay you through some other, less broken channel?"

STKMay 13, 2016 5:35 PM

Think it was actually fun to read, esp. quote "commitment to build an impenetrable data encryption solution", considering no such thing exists!

When I came across ".. we first had to be able beat hackers at their own game using their own tools .." I wanted to close the browser tab but kept reading on, until the military stuff and horses *whiiieeeeah*.

Finally I wondered why they ".. created a cipher that is 6,000,000 times stronger than current data security .." and not one that is 12,000,000 times stronger – btw. implementation on a Windows platform first!? *sigh*

The young lady with the "data angel" shirt is pretty though. So therefore kudoz to the author. :]

Nick PMay 13, 2016 5:48 PM

Reported their asses with a link to Schneier's Snake Oil cryptography page and all the boxes they checked. Among other things. Fuck those con artists. I don't want them getting even a penny. At least a nice trip down memory lane. ;)

ImWithHimMay 13, 2016 6:22 PM

>> DataGateKeeper: The FIRST Impenetrable Anti-Hacking Software

You have to give DataGateKeeper some credit. The product may or may not be impenetrable but the sales pitch is impenetrable... gobbledygook.

DanielMay 13, 2016 6:35 PM

In figuring out who these people are the horse racing connection is key. Debra L. Towsley owns a horse racing stable among other things:

http://articles.sun-sentinel.com/2005-01-20/news/0501190699_1_pompano-park-florida-bred-horses-standard-bred

And according to this page she is President of one of the firms mentioned by @Dave above in conjunction with Raymond Talarico. She is also listed as President of My Data Angel.

http://www.bizapedia.com/people/DEBRA-TOWSLEY.html


What connects them all together, however, is the classic fraudster mistake of reusing addresses.


http://www.bizapedia.com/fl/MYDATAANGELCOM-INC.html

Debra L. Towsley address on the FL Registered Agent form for MyDataAngel is 3001 West Highway 318 while the addresses for her horse racing business is 2999 West Highway 318.

So it is the same Debra L. Towsley in both cases.

So it doesn't appear that the principals behind MyDataAngel have ANY background in either computer security or even any kind of security. Debra L. Towsley has run a horse racing stable and a marketing firm.

It is difficult for me to imagine how people with such backgrounds would be engaging in a satire or a parody or even political action. They have no connection with anything related to computer security at all.

Ewan MarshallMay 13, 2016 6:46 PM

I love how they openly admit their whole management team are marketeers, business school graduates and art school graduates. Not one claims any technical expertise in cryptography. Not one even claims to have a BSc or MSc... So who is the remarkable genius that came up with that secret better-than-AES encryption algorithm?

DanielMay 13, 2016 6:48 PM

This gets even better. Frank Ruppen, who is listed as a director and is the company's secretary for MyDataAngel, has as his principal business owning a company called 4BigBoys.

http://www.bizapedia.com/fl/4BIGBOYS-LLC.html

That company has a fictitious name listing:

http://florida.intercreditreport.com/company/mod-wine-lounge-g15000040320

which is this:

http://www.yelp.com/biz/mod-wine-lounge-fort-lauderdale

That's right, he owns a bar.

So the president of the company owns a horse racing stable and the managing director's primary business is a bar.

ROTFLMAO

Mbutu DugongoMay 13, 2016 8:30 PM

Dear Mr DataGateKeeper,
I'm Mbutu Dugongo, First Vice Prime Minister of Elbonia. I'm willing to fund your company with 5 bellion dollars (500000000000000000 elbonian us dollars) but as you may know my bank account was blocked due ongoing civil war in your country.
Please send me your banking password and numbers, alongside 5,000$ cash for minor bureaucracy expenses so I can unlock my account in First National Elbonian Bank and transfer the money funds to your company.
Your Faithfully,
Mbutu Dugongo mvp, msrp, etc.

Ole JuulMay 13, 2016 10:21 PM

The invested money plus an easily monetised list of gullible people with extra money is a sure winner. So, obviously satire.

AZMay 13, 2016 10:55 PM

The DataGateKeeper Team had simply found out one of the greatest ways to make extra cash today: crowdfunding

I guess that's "capitalism in action", as in "con your fellow man".

"Communism in action" would have been "government cons the populace" instead, or something like that.

GrauhutMay 14, 2016 12:30 AM

@Comrade Major: "Scam or Satire? Political activism."

Social psychology experiment

ParkerMay 14, 2016 4:29 AM

How is this different than the tens of $ billions in garbage security products and services foisted on enterprise customers by big name pros for the past fifteen years?

SchneieronSecurityFanMay 14, 2016 4:38 AM

The logo of mydataangel.com is a stylized horse's head.

There is a vlog on their web site. The first entry describes the company.

Could this constitute wire fraud in the United States?

TatütataMay 14, 2016 6:10 AM

The "backers" count went from 20 to 21 since Bruce first posted this yesterday afternoon, and pledged funds from 1699 to 1821$.

P.T. Barnum's sucker birth rate constant ought to be updated.

I like the "hardened and waterproofed" USB key.

I wondered too whether this was some sort of social engineering experiment, to see how long it took a group of people to check whether something is legit, and how they go about it.

One advantage of Kickstarter is that the crap is in writing, which is somewhat easier to take apart than if it were delivered by a fast and a smooth talking huckster in the style of the "Wolf of Wall Street" or "American Hustle".

TatütataMay 14, 2016 7:03 AM

SchneieronSecurityFan: The logo of mydataangel.com is a stylized horse's head.

Horse's head? I just shuddered remembering the scene in the Godfather where film producer Woltz wakes up...

Still better than having the animal's other extremity in your face.

WhereIsBigglesMay 14, 2016 8:19 AM

I'd like to start a thread about their tshirts. I like the grey one.

John E. QuantumMay 14, 2016 8:33 AM

Donald Trump may be behind this. He wants to make great American cybersecurity in order to make America great again. The standard encryption methods currently in use aren't as fabulous, aren't as fantastic and aren't as tremendous as they could be if he put his awesome brain power to bear on the issue. He will build a cyber wall to keep foreign hackers out. Either we have a country or we don't

CallMeLateForSupperMay 14, 2016 9:52 AM

The pitch sells the sizzle, not the steak. This tells a reader very little and does not set itself apart from b.s. Not very well edited either. Wonder if any of those [TM] are legitimate.

"Impenetrable" is an extraordinary claim and is not accompanied by extraordinary evidence. Fail. Move along; nothing to see here.


"And you want to be my latex salesman..." - Jerry Seinfeld

Bidness As UsualMay 14, 2016 10:44 AM

Being one of the few Florida residents who actually DOESN'T dive into alligator-infested lakes/ponds to flee the police, let me assure you that Florida is absolutely INFESTED with "business people" like this. Hey, SOMEBODY has to put "companies" into all those abandoned strip malls, otherwise the Florida "economy" would go tits up.

DanielMay 14, 2016 12:10 PM

God I can't figure out what is worse, the people who are pledging money or the people in this thread who keep making excuses for this cast of fraudsters. They think that because the scheme is so outlandish there must be some other explanation other than fraud. No. Bruce has already blogged about the specific technique that these scammers are using here:

https://www.schneier.com/blog/archives/2012/06/far-fetched_sca.html

It is a complete rip-off from the Nigerian playbook.

rMay 14, 2016 2:45 PM

Snake oil, unless it's homomorphic?

Lots of talk about SSL, AES... I guess with that many plugs out it must be chalk (chock?) full of holes.

rMay 14, 2016 2:55 PM

Reading the comments on here makes me think it's a local investor scam, not really intended for the wider audience it's getting here.

Might be worth investigating all his companies. :)

unbobMay 14, 2016 3:05 PM

Anyone want to place bets on how long it will take for this whole house of cards to collapse?

Sancho_PMay 14, 2016 4:46 PM


Err, no, neither scam nor satire.

It’s the truth, but it is encrypted.
We only don’t understand the meaning.

Terrorists are everywhere.
See, this is our problem: We are going dark!
Terrorists can communicate in the open and we don’t understand what they say.

All together now: We are going dark!

We must ban unbreakable encryption.
Exceptional access for our LE, to all and everything, worldwide.
Now.

- Doesn't make sense?
Yes, because it is encrypted.

All together now: We are going dark!

a.s.f., endless loop.

Who?May 15, 2016 12:53 PM

Both scam and satire.

@ Anura and Scott Romanowski

"Provably secure against full key recovery attacks for sufficiently large keys."

I think not since the key size doesn't matter because you are essentially using a 1-byte key. :-)

No! You have discovered the NSA backdoor. You know, we are safe because it is unexploitable, a NOBUS...

TatütataMay 15, 2016 1:22 PM

I think not since the key size doesn't matter because you are essentially using a 1-byte key.

Like they say, it's not about the size of your key, but how you use it.

I'm outta here.

Martin VahiMay 16, 2016 8:06 AM

I think that it is a fine satire and it is OK to ask money for a fine satire, if everyone knows that it is a satire, but the problem of that ad is that not everyone is technically proficient to recognize that it is a satire, so they should create some mechanisms, how to refund to those people, who do not have the technical background to recognize that it is a satire and they should really keep the money of all the geeks, who paid. :-D

So, all in all, I would classify it as a thing that was created with good will, but turned out ugly due to lack of preparation.

AnuraMay 16, 2016 12:03 PM

@Martin Vahi

Everything I see from this shows that this is a handful of people trying to make a buck by selling some bullshit product. The only people laughing at it are people who actually have some understanding of the concepts.

MooMay 17, 2016 3:16 PM

Well, the t-shirts and beanies look cool .... so the product must be legit! :-)

ACPMay 18, 2016 11:46 AM

I agree with the vast majority of the comments - I think it is ludicrous that anyone would think anything other than SCAM!

Zaphod Beeblbrox May 18, 2016 3:09 PM

I wonder how many viruses and ransom-ware get installed when one tries to use that "Hardened USB key".
