Beware of encryption companies bearing gifts!


Ancient Roman propaganda poet Publius Vergilius Maro, better known as Virgil, famously had one of his more cynical characters cry out:

If you don’t know Latin, but you do know that Teucri refers to the people of Troy, and Danaos to the Greeks, you can probably guess what this is about.

The highlighted words mean, “Don’t trust the horse, chaps!”

The thing about the Wooden Horse of Troy, of course, was the question that perplexed Laocoon, the priest who is speaking in the extract above, namely, “Why?”

Of all the gifts you could leave behind, why a giant wooden horse? Why that shape? Why that size?

Laocoon even flung his spear at the horse, by way of science, and noted that it didn’t produce the sort of resonance that you’d expect from an innocently hollow wooden statue.

But no-one listened, and it didn’t go so well for the Teucri after that.

As it happens, this story is about an App Store program that probably isn’t a Trojan Horse – I didn’t feel like paying six quid to find out, to be honest – but it is a great example of the sort of story that cries out for an answer to “Why?”

The software is called Redact Secure Messenger, and it claims to fill an important niche by sending “heavily encrypted messages from one phone to another without passing through any central servers.”

The first thing that will attract your attention (perhaps not in the way the marketing people intended) if you are interested in cryptography is its claim to be “the world’s first totally secure instant messenger application.”

Wait a minute! Didn’t Blackberry do that years ago?

Didn’t Blackberry do secure, free instant messaging so well, in fact, that it got into hot water for it when a giant wave of criminality lashed the UK back in 2011?

And what are the words totally secure doing next to each other? Didn’t Alan Turing have something cautionary to say way back in the 1930s about the problems of putative programmatic perfection?

Keep reading, because the story gets weirder.

The company behind this product, which identifies itself on its web properties (that I could find, anyway) only with a mailto:info@ link, is offering a “£10,000 prize to anyone who can intercept a message” secured by the app.

Actually, that’s not what it’s offering at all.

It’s not anyone, it’s not any message, and merely intercepting it is not enough.

To have a crack at the £10,000, you have to apply, and then be one of up to 20 people chosen by the company; then you get a chance to try to decrypt a single message that will be bounced back and forth between a pair of phones at an as-yet undisclosed location in London.

Oh, and it gets even weirder still.

When you apply, it’s like being phished.

You have to fill in your full name, address, phone number and – wait for it! – upload your Curriculum Vitae (British English for résumé).

All this, even though you are as good as guaranteed in advance not to win.

(If it is, indeed, possible to win, then the app’s claim to be totally secure is false.)

If you want to be a gung-ho encryption company with grandiose claims – like Kim Dotcom’s MEGA, for example – then you should at least be open about your cryptographic methods, set a clear and public challenge, and be prepared to defend it against all comers.

That’s what MEGA did with its bounty programme, and whatever you think of MEGA, of its founder and of its raison d’être, it nevertheless reflects to the company’s credit that it offered bounties at all.

What Redact is doing just invites too many “Whys”.

This sort of thing is a bad look for the encryption industry, and we can do without it.