Beware of encryption companies bearing gifts!

Filed Under: Cryptography, Featured, Mobile

Ancient Roman propaganda poet Publius Vergilius Maro, better known as Virgil, famously had one of his more cynical characters cry out:

If you don't know Latin, but you do know that Teucri refers to the people of Troy, and Danaos to the Greeks, you can probably guess what this is about.

The highlighted words mean, "Don't trust the horse, chaps!"

The thing about the Wooden Horse of Troy, of course, was the question that perplexed Laocoon, the priest who is speaking in the extract above, namely, "Why?"

Of all the gifts you could leave behind, why a giant wooden horse? Why that shape? Why that size?

Laocoon even flung his spear at the horse, by way of science, and noted that it didn't produce the sort of resonance that you'd expect from an innocently hollow wooden statue.

But no-one listened, and it didn't go so well for the Teucri after that.

As it happens, this story is about an App Store program that probably isn't a Trojan Horse - I didn't feel like paying six quid to find out, to be honest - but it is a great example of the sort of story that cries out for an answer to "Why?"

The software is called Redact Secure Messenger, and it claims to fill an important niche by sending "heavily encrypted messages from one phone to another without passing through any central servers."

The first thing that will attract your attention (perhaps not in the way the marketing people intended) if you are interested in cryptography is its claim to be "the world's first totally secure instant messenger application."

Wait a minute! Didn't Blackberry do that years ago?

Didn't Blackberry do secure, free instant messaging so well, in fact, that it got into hot water for it when a giant wave of criminality lashed the UK back in 2011?

And what are the words totally secure doing next to each other? Didn't Alan Turing have something cautionary to say way back in the 1930s about the problems of putative programmatic perfection?

Keep reading, because the story gets weirder.

The company behind this product, which identifies itself on its web properties (that I could find, anyway) only with a mailto:​info@​ link, is offering a "£10,000 prize to anyone who can intercept a message" secured by the app.

Actually, that's not what it's offering at all.

It's not anyone, it's not any message, and merely intercepting it is not enough.

To have a crack at the £10,000, you have apply, and then be one of up to 20 people chosen by the company; then you get a chance to try to decrypt a single message that will be bounced back and forth between a pair of phones at an as-yet undisclosed location in London.

Oh, and it gets even weirder still.

When you apply, it's like being phished.

You have to fill in your full name, address, phone number and - wait for it! - upload your Curriculum Vitae (British English for resumé).

All this, even though you are as good as guaranteed in advance not to win.

(If if is, indeed, possible to win, then the app's claim to be totally secure is false.)

If you want to be a gung-ho encryption company with grandiose claims - like Kim Dotcom's MEGA, for example - then you should at least be open about your cryptographic methods, set a clear and public challenge, and be prepared to defend it against all comers.

That's what MEGA did with its bounty programme, and whatever you think of MEGA, of its founder and of its raison d'etre, it nevertheless reflects to the company's credit that it offered bounties at all.

What Redact is doing just invites too many "Whys".

This sort of thing is a bad look for the encryption industry, and we can do without it.

, , , , , ,

You might like

4 Responses to Beware of encryption companies bearing gifts!

  1. Tony · 854 days ago

    I was going to respond to that message with my CV but I received another text moments later.

    That second text message informed me that a Somali Prince recently discovered some terminally ill woman in Iraq whose recently deceased husband had uncovered a corrupt oil company in Saudi Arabia had hidden a trunk of money in a fig orchard.

    Her late husband was then mistakenly shot as an alleged terrorist by an American soldier while he was crossing the desert on his way to an Argentinean bank to wire that money to his investment attorney in Scotland.

    However because of some complicated Argentinean export law the money was instead shipped to Ireland where an English barrister invested it in Microsoft lottery tickets and based on my IP address as a worldwide computer user it has been determined that I am one of the winners. The Irish Lottery Commission has since dispatched a diplomatic courier to my city and state who is currently awaiting my Western Union customs declaration fee to be paid before he can deliver my ATM card to me.

    Otherwise I would have entered the encryption contest as I needed the money.

  2. Mike · 854 days ago

    If it was really secure they would have provided a lot of money, like a million. Limiting it to 10k means they expect there's actually a chance they'll have to pay up (assuming they're honest about it)

  3. Larry M · 854 days ago

    Maybe it's just a recruiting gimmick--something like Google might do. They send job offers to the submitters of the best resumes. Or maybe to the submitters of comments about whether there could really be a 100% secure message application.

  4. sean · 853 days ago

    Hmmm, given the upload a file option for your CV one could either supply the CV in encrypted form, so if they have good crypt analysts, they can get your details - this is sort of a reverse test of their qualifications to engage you...

    Or just test their filtering by delivering any number of malformed files. Test that totally secure statement:-)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog