Information Security News mailing list archives

Selling secure laptops no open, shut case


From: InfoSec News <isn () c4i org>
Date: Thu, 18 Jul 2002 07:26:13 -0500 (CDT)

http://news.com.com/2100-1023-944715.html?tag=cd_mh

By Declan McCullagh 
Staff Writer, CNET News.com
July 18, 2002, 4:00 AM PT

NEW YORK -- Rop Gonggrijp admits that it's not a promising time to
start an Internet privacy company.

The founder of NAH6 knows all about flops such as Privada, abandoned
software such as PGP and SafeWeb, and struggling firms such as Zero
Knowledge.

Yet Gonggrijp believes it's possible for his new company to find
buyers for its innovative products, which include an encrypted PC, a
secure cellular phone and a better way to do secure e-mail. To
encourage broad adoption, Amsterdam-based NAH6 plans to release much
of its work as open-source software for noncommercial use.

"The roads of crypto business are littered with corpses left and
right," Gonggrijp said in an interview here at the H2K2 hacker
conference last weekend. "I think the only way to do this is to start
small. See if you can find this yourself and grow gradually."

NAH6 plans to release its first product, called Secure Notebook, with
no price set so far, next month. It's a software application designed
to appeal to business or government travelers who worry about losing
their laptops but can't be bothered to encrypt each sensitive file on
them.

Statistics compiled by the Safeware industry company say that in 2001,
about 600,000 laptops were stolen, up 53 percent from the previous
year. By contrast, thieves nabbed only 15,000 desktop computers.

Even spies aren't immune from missing laptops. In 2000, Britain's
Ministry of Defense admitted it lost 67 laptop computers during the
previous three years, including ones with secrets about the peace
talks in Northern Ireland, and the U.S. State Department has also lost
classified laptops.

Secure Notebook would be the first product to take the novel approach
of running Microsoft Windows on top of Debian GNU/Linux, with the
underlying Linux layer ensuring that all Windows files stored on a
hard drive remain encrypted.

This approach solves vital problems that other disk-encryption
products such as PGPdisk do not. Unlike those systems, even Windows'
virtual memory files and temporary files are stored in encrypted form,
meaning a corporate spy or thief who snatches a Secure Notebook would
be unable to read any data.

NAH6 won't market Secure Notebook itself. It plans to sell Secure
Notebook, which requires at least a 1GHz processor and 512 MB of RAM,
to laptop makers and resellers that target security-conscious
customers. Noncommercial users will be able to download the Secure
Notebook software at no cost, but they'll have to buy the necessary
VMware application for about $300.

Secure Notebook and NAH6's three other planned offerings have one
thing in common: They're designed to glue near-unbreakable encryption
into a PC or handheld device while shielding users from the
oft-befuddling underlying complexity.

"The crypto is well-hidden," Gonggrijp said. "There's no geekiness.  
There's no command line."

Probably NAH6's most ambitious plan is a secure phone project, still
at least half a year away from release with no price set. The idea is
to turn the PocketPC, a hybrid of a handheld PC and cellular telephone
that runs Windows CE, into a military-strength encryption device.

Gonggrijp says that the software will be free for noncommercial uses
and will let GSM users activate a scrambled communication channel by
pressing a button.

Security experts uniformly applauded the idea, but some questioned
whether the current PocketPC platform was powerful and flexible enough
for the project to succeed. Others doubted that there was sufficient
demand among paying customers for either product.

"Security is doomed"

Jon Lasser, a security consultant in Baltimore and author of "Think
Unix," says "security is doomed, as an industry."

"People don't care about security," Lasser said. "Witness the
astounding success of Web mail accounts through entirely insecure
providers. Convenience trumps security every time."

Peter Trei, an experienced engineer who works for a large encryption
vendor, says, "At the moment, the vast majority of the people on the
Net don't use crypto, see no need to, and aren't going to lift a
finger to do so. That leaves you with the rather limited market of
people who are activists in one sense or another, and people with real
operational needs."

Trei also said that governments that rely on wiretaps for intelligence
or criminal investigation may not welcome encrypted laptops and
cellular phones. "Things which thwart (surveillance) may become
difficult to market, and could land users in hot water," Trei said. "I
understand that Holland has one of the highest wiretap rates in the
world. They could easily ban the crypto phone."

NAH6's Gonggrijp doesn't seem worried. He's had experience battling
government restrictions, both as the founder of the legendary Hack-Tic
hacker magazine in the 1980s and co-founder of the Dutch Internet firm
xs4all, which has hosted controversial Web sites during its 10-year
history.

"These things just need to be built," Gonggrijp said. "Everyone's
screaming for it. These four projects represent about 70 percent of
what people are demanding."

Gonggrijp is funding the four-person start-up, which is about 9 months
old and is based in his home in Amsterdam.

A version of Secure Notebook seen by CNET News.com includes a
graphical interface that allows users to choose between encryption
strengths, make backups and type in their pass phrase to continue
booting. The electronic key that, in combination with the pass phrase,
unlocks the hard drives, can be stored on a USB dongle.

NAH6's other products include a program called Crypt-o-Matic, a
transparent way to PGP encrypt and decrypt all incoming and outgoing
mail. It works by grabbing mail messages after they're sent and before
they arrive and silently handling the encryption.

Crypt-o-Matic will be available in a few months, NAH6 says, and free
for noncommercial use.

Another offering is a patch to the popular Mailman mailing list
software, sponsored by the Free Software Foundation. It upgrades
Mailman to support encrypted mailing lists and will be released under
the GNU General Public License.

Even if its products turn out to be cloyingly friendly and
easy-to-use, security experts seem pessimistic about NAH6's commercial
chances. About the only way to make money in desktop security, they
say, has been to own key patents like RSA Security did.

"There's no money in desktop security," said Bruce Schneier, the CTO
of Counterpane Internet Security, which sells intrusion detection
services. "It's a tough world. Everyone likes to talk big about
security, but no one really cares. Good luck to them."

Perry Metzger, a security advisor at wasabisystems.com, speculated that
NAH6's biggest impact may be political, not commercial.

"I've seen a couple of people propose that before, including one who
tried to start a company to do it," Metzger said about the encrypted
phone. "My guess is that skill required to set such a thing up--even
the minimal skill in question--might keep it from becoming mass
popular."


