Cryptography and Snake Oil

Bruce Schneier is a bright guy and a first-class writer but he does have the unfortunate habit of appearing to rubbish new security products, without any evidence that he’s actually looked at them. With most people this wouldn’t matter a jot, but Bruce is a highly influential blogger and thousands of people might be left with a negative opinion of the product.

So I was disappointed to read his recent posting on the press coverage of the EADS Ectocrypt encryption system. When he mentions snake-oil he might have had the media reporting in mind, but it reads to me as though the product itself is worthless. And Ectocrypt is not a worthless product, it’s a high-performance, award-winning encryption system, built to the highest NSA and CESG standards.

But unfortunately a large chunk of the blogosphere will now assume that it’s all hype. As Spiderman put it “with great power comes great responsibility”.

Join the conversation

Frankly, if EADS wants people to take their products seriously, they shouldn't advertise them with transparently unrealistic promises. Coca-Cola is tasty, but if they start advertising that it can cure cancer, then it deserves to be rubbished.

What neil said. While Bruce did jump the gun a bit (and has since printed an update referencing, among other things, this column), if all I did was read the marketing materials, I'd pass as well, at least at first. They claim too much, and put in too few caveats. The press release quotes a sales manager as saying "All the computer technology in the world cannot break it," which is, of course, horse manure. It may be difficult to break, and they have the right to say so, but it's not 'unbreakable'.

Something to compare this to, for a bit of perspective, is the advertising from "Big Pharma". Antidepressants are important medications, but they won't turn a wallflower into the life of the party - they aren't happy pills. Treating erectile dysfunction is a perfectly valid medical pursuit, but a pill to make studs studlier is a recreational drug, not a medical one. Even restless leg syndrome is a real and difficult disorder that deserves to be treated, but it's rare and more than just shaking your leg while you fall asleep. Advertising that misleads breeds contempt and neil, above, is correct. Companies that engage in such behaviors deserve not just to have their advertising criticized, they deserve to have their products ridiculed as well. Those who know better know better and will ignore the advertising and the ridicule and use the products appropriately. Those who don't know better need to be led away from the products by the ridicule before they use those products incorrectly and dangerously. (The newer, more responsible ads about the drug that treats restless leg syndrome have started warning about things like gambling and other addictive behaviors.)

Bruce has posted an update with a link to your blog.

It seems clear that EADS are making vastly exaggerated claims. Quotes from EADS about their system include: "All the computer technology in the world cannot break it," "There is nothing to compare with it," both of which tend to be claims that companies make that over time are shown to be wrong. Any crypto system can be broken with the right amount of time. Sure, the information that has been encrypted may not be useful any more, but that doesn't mean that the encryption can't be "broken" even if it is by brute force. There is also the possibility for social engineering in order to gain access, which is something that their NSA certification doesn't take into account. I'm also sure that if they're addressing an identified problem then there are going to be products that others have come up with to solve it. EADS may not be aware of them, but that doesn't mean they're not out there. It should also be noted that the HAIPE IS certification they mention is defined by the NSA as a type 1 certification which ".. refers only to products, and not to information, key, services, or controls..", so although it has the right components there is no guarantee that they've been put together correctly. In the current market where new security products come daily (if not every few hours), you have to make a judgement call on what you consider worth looking at more closely, and given EADS's focus on big claims and lack of focus on technical detail on their website I agree with Bruce's initial assessment: it looks like snake-oil.

I have no doubt that the EADS product mentioned above is good... but given enough time, money and human resources that are motivated and capable then any network or system is vulnerable (vulnerable to what and to what degree is another question ;-) Nevertheless, with corporate information security consumers becoming more intelligent I would have thought that making OTT capability statements is probably not the right way to go. From purely making judgement on EADS's marketing sound bites I too would think snake oil. Of course the devil is in the detail with this one.