Ancient Roman propaganda poet Publius Vergilius Maro, better known as Virgil, famously had one of his more cynical characters cry out:
If you don’t know Latin, but you do know that Teucri refers to the people of Troy, and Danaos to the Greeks, you can probably guess what this is about.
The highlighted words mean, “Don’t trust the horse, chaps!”
The thing about the Wooden Horse of Troy, of course, was the question that perplexed Laocoon, the priest who is speaking in the extract above, namely, “Why?”
Of all the gifts you could leave behind, why a giant wooden horse? Why that shape? Why that size?
Laocoon even flung his spear at the horse, by way of science, and noted that it didn’t produce the sort of resonance that you’d expect from an innocently hollow wooden statue.
But no-one listened, and it didn’t go so well for the Teucri after that.
As it happens, this story is about an App Store program that probably isn’t a Trojan Horse – I didn’t feel like paying six quid to find out, to be honest – but it is a great example of the sort of story that cries out for an answer to “Why?”
The software is called Redact Secure Messenger, and it claims to fill an important niche by sending “heavily encrypted messages from one phone to another without passing through any central servers.”
The first thing that will attract your attention (perhaps not in the way the marketing people intended) if you are interested in cryptography is its claim to be “the world’s first totally secure instant messenger application.”
Wait a minute! Didn’t BlackBerry do that years ago?
Didn’t BlackBerry do secure, free instant messaging so well, in fact, that it got into hot water for it when a giant wave of criminality lashed the UK back in 2011?
And what are the words totally secure doing next to each other? Didn’t Alan Turing have something cautionary to say way back in the 1930s about the problems of putative programmatic perfection?
Keep reading, because the story gets weirder.
The company behind this product, which identifies itself on its web properties (that I could find, anyway) only with a mailto:info@redactapp.com link, is offering a “£10,000 prize to anyone who can intercept a message” secured by the app.
Actually, that’s not what it’s offering at all.
It’s not anyone, it’s not any message, and merely intercepting it is not enough.
To have a crack at the £10,000, you have to apply, and then be one of up to 20 people chosen by the company; then you get a chance to try to decrypt a single message that will be bounced back and forth between a pair of phones at an as-yet undisclosed location in London.
Oh, and it gets even weirder still.
When you apply, it’s like being phished.
You have to fill in your full name, address, phone number and – wait for it! – upload your Curriculum Vitae (British English for resumé).
All this, even though you are as good as guaranteed in advance not to win.
(If it is, indeed, possible to win, then the app’s claim to be totally secure is false.)
If you want to be a gung-ho encryption company with grandiose claims – like Kim Dotcom’s MEGA, for example – then you should at least be open about your cryptographic methods, set a clear and public challenge, and be prepared to defend it against all comers.
That’s what MEGA did with its bounty programme, and whatever you think of MEGA, of its founder and of its raison d’être, it nevertheless reflects to the company’s credit that it offered bounties at all.
What Redact is doing just invites too many “Whys”.
This sort of thing is a bad look for the encryption industry, and we can do without it.
I was going to respond to that message with my CV but I received another text moments later.
That second text message informed me that a Somali Prince recently discovered some terminally ill woman in Iraq whose recently deceased husband had uncovered that a corrupt oil company in Saudi Arabia had hidden a trunk of money in a fig orchard.
Her late husband was then mistakenly shot as an alleged terrorist by an American soldier while he was crossing the desert on his way to an Argentinean bank to wire that money to his investment attorney in Scotland.
However, because of some complicated Argentinean export law the money was instead shipped to Ireland where an English barrister invested it in Microsoft lottery tickets and based on my IP address as a worldwide computer user it has been determined that I am one of the winners. The Irish Lottery Commission has since dispatched a diplomatic courier to my city and state who is currently awaiting my Western Union customs declaration fee to be paid before he can deliver my ATM card to me.
Otherwise I would have entered the encryption contest as I needed the money.
If it was really secure they would have provided a lot of money, like a million. Limiting it to 10k means they expect there's actually a chance they'll have to pay up (assuming they're honest about it).
Maybe it's just a recruiting gimmick–something like Google might do. They send job offers to the submitters of the best resumes. Or maybe to the submitters of comments about whether there could really be a 100% secure message application.
Hmmm, given the upload a file option for your CV one could either supply the CV in encrypted form, so if they have good cryptanalysts, they can get your details – this is sort of a reverse test of their qualifications to engage you…
Or just test their filtering by delivering any number of malformed files. Test that totally secure statement:-)