Interesting People mailing list archives

The Doghouse: Meganet and for this to Dept of Labor gave $4million


From: Dave Farber <dave () farber net>
Date: Sat, 15 Feb 2003 10:56:39 -0500

The Doghouse: Meganet

by Bruce Schneier 
Founder and CTO 
Counterpane Internet Security, Inc.
schneier () counterpane com
<http://www.counterpane.com>

Back in 1999 I wrote an essay about cryptographic snake oil and the common
warning signs. Meganet's Virtual Matrix Encryption (VME) was a shining
example. It's four years later and they're still around, peddling the same
pseudo-mathematical nonsense, albeit with a more professional-looking
website. I get at least one query a month about these guys, and recently
they convinced a reporter to write an article that echoes their nonsensical
claims. It's time to doghouse these bozos, once and for all.

First, an aside. If you're a new reader, or someone who doesn't know about
cryptography, this is going to seem harsh. You might think: "How does he
KNOW that this is nonsense? If it's so bad, why can't he break it?" That's
actually backwards. In the world of cryptography, we assume something is
broken until we have evidence to the contrary. (And I mean evidence, not
proof.) Everything Meganet writes clearly indicates that they haven't the
faintest idea about how modern cryptography works. It's as if you went to a
doctor who talked about bloodletting and humors and magical healing
properties of pyramids. Sure, it's possible that he's right, but you're
going to switch doctors. Two essays of mine at the bottom of this section,
one on snake oil and the other on amateur cipher designers, will help put
this into context. 

Back to Meganet. They build an alternate reality where every cryptographic
algorithm has been broken, and the only thing left is their own system. "The
weakening of public crypto systems commenced in 1997. First it was the
40-bit key, a few months later the 48-bit key, followed by the 56-bit key,
and later the 512 bit has been broken..." What are they talking about? Would
you trust a cryptographer who didn't know the difference between symmetric
and public-key cryptography? "Our technology... is the only unbreakable
encryption commercially available." The company's founder quoted in a news
article: "All other encryption methods have been compromised in the last
five to six years." Maybe in their alternate reality, but not in the one we
live in. 

Their solution is to not encrypt data at all. "We believe there is one very
simple rule in encryption -- if someone can encrypt data, someone else will
be able to decrypt it. The idea behind VME is that the data is not being
encrypted nor transferred. And if it's not encrypted and not transferred --
there is nothing to break. And if there's nothing to break -- it's
unbreakable." Ha ha; that's a joke. They really do encrypt data, but they
call it something else.

Reading their Web site is like reading a litany of snake-oil warning signs
and stupid cryptographic ideas. They've got "proprietary technology."
They've got one-million-bit keys. They've got appeals to new concepts: "It's
a completely new approach to data encryption." They've got a "mathematical
proof" that their VME is equal to a one-time pad. A mathematical proof, by
the way, with no mathematics: they simply show that the encrypted data is
statistically random in both cases. (The "proof" is simply hysterical to
read; summarizing it here just won't do it justice.)

They've got pseudo-scientific gobbledygook galore, including paragraphs like
this: "Stated simply, the content of the message is not sent with the
encrypted data. Rather, the encrypted data consists of pointers to locations
within a virtual matrix, a large (infinitely large in concept), continuously
changing array of values." I just love stuff like this. It almost just
barely makes sense. It's as if someone took a cryptography book, had it
machine-translated from language to language to language, and then tried to
write similar-sounding text. Some of the words and phrases are scientific,
but the paragraph makes no sense. (Although, sadly, their stuff looks very
much like the virtual one-time pad that TriStrata came up with some years
ago.) 

They have unfair cracking contests and challenges, unsubstantiated claims,
outright lies, and a weird "evaluation" from one professor and even weirder
"experimental results" from another. It's every snake-oil warning sign in
the book in one convenient-to-make-fun-of place.

Unfortunately, this stuff seems to have continued to hoodwink buyers.
According to a press release on their Web site, the U.S. Department of Labor
recently gave them $4M. Various smaller companies are supposedly using this
stuff. SC Magazine gave them a five-star rating, for goodness' sake! I am
amazed at the sheer stubbornness that can be exhibited by a company that
simply refuses to accept reality.

Another quote from the news article: "Most of the encryption community
called our product snake oil. Everyone competed to throw stones at us and
didn't bother trying to understand the product." What does Meganet expect?
Most snake oil is subtly bad; their marketing is so over-the-top it's
entertaining, their "science" is so eccentric it's ridiculous, and their
claims are so laughable it's dangerous.

Meganet's technology Web site:
<http://www.meganet.com/Technology/default.htm>

Funny news article on Meganet:
<http://www.israel21c.org/bin/en.jsp?enPage=BlankPage&enDisplay=view&enDispWhat=object&enDispWho=Articles%5El306&enZone=Technology&enVersion=0&>

My original snake-oil essay:
<http://www.counterpane.com./crypto-gram-9902.html#snakeoil>

My "Memo to the Amateur Cipher Designer" essay:
<http://www.counterpane.com./crypto-gram-9810.html#cipherdesign>
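
The essay's point that statistically random ciphertext proves nothing about equivalence to a one-time pad, shown as an added example that is not part of the original essay and does not model VME's internals. The toy cipher, its 16-bit seed and every name below are hypothetical, constructed for illustration: its output matches a real one-time pad on a byte-entropy test, yet its key falls to exhaustive search.

```python
import hashlib
import math
import secrets
from collections import Counter

def keystream(seed: int, n: int) -> bytes:
    """Hypothetical toy generator: SHA-256 in counter mode, keyed by only 16 bits."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        block = seed.to_bytes(2, "big") + counter.to_bytes(8, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return bytes(out[:n])

def toy_encrypt(data: bytes, seed: int) -> bytes:
    """XOR with the toy keystream; the same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(seed, len(data))))

def otp_encrypt(data: bytes) -> bytes:
    """Real one-time pad: fresh random pad as long as the message, used once."""
    pad = secrets.token_bytes(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))

def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 is the maximum)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def recover_seed(ciphertext: bytes, known_prefix: bytes):
    """Try all 65,536 seeds against a known plaintext prefix."""
    head = ciphertext[:len(known_prefix)]
    for seed in range(1 << 16):
        if toy_encrypt(head, seed) == known_prefix:
            return seed
    return None

# Constructed sample input: a short header followed by highly redundant data.
PLAINTEXT = b"Subject: quarterly report\n" + b"A" * 65536
SECRET_SEED = 0xBEEF
TOY_CT = toy_encrypt(PLAINTEXT, SECRET_SEED)
OTP_CT = otp_encrypt(PLAINTEXT)

if __name__ == "__main__":
    print("entropy plaintext:", round(byte_entropy(PLAINTEXT), 3))
    print("entropy toy      :", round(byte_entropy(TOY_CT), 3))
    print("entropy OTP      :", round(byte_entropy(OTP_CT), 3))
    seed = recover_seed(TOY_CT, b"Subject: ")
    print("recovered seed   :", hex(seed))
    print(toy_encrypt(TOY_CT, seed)[:25])
```

Both ciphertexts score close to 8 bits per byte, so the statistic cannot tell them apart; only the size of the key space and the way the pad is generated separate the two.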


