Meganet's "unbreakable" cryptography? I'm skeptical.

From: Fredric L. Rice (frice_at_skeptictank.org)
Date: 09/16/03


Date: Tue, 16 Sep 2003 03:13:50 GMT

<groan> Meganet is out there trying to whip up support for
their pseudo-encryption again. In my opinion as a skeptic
their claims have the smell and all the classical earmarks
of the old snake oil salesmen. A check of their web site
-- http://www.meganet.com/ -- reminds me of my High School
and College days when each year a pack of students would
independently come up with some "new unbreakable" encryption
scheme, inviting their buddies to break it, gloating in the
thought that nobody can or wants to. Most High School
students have the good sense not to open their yaps where
teachers and professors can hear them lest they're invited
to explain their algorithm and get it shot full of holes
-- or be informed by their teachers that their idea has
been thought of and shot down endless times over the past
30 years.

Meganet makes such grandiose claims that I can't help but
wonder if the company is run by a couple of High School
kids. Many of the claims are so boisterous and obviously
false that they might be cute coming from a 10-year-old,
but from people who want the world to take them seriously
it looks profoundly pathetic. Such as the claim:

    "All other encryption methods have been compromised
    in the last five to six years." --
    http://www.israel21c.org/bin/en.jsp?enPage=BlankPage&enDisplay=view&enDispWhat=object&enDispWho=Articles%5El306&enZone=Technology&enVersion=0&

That's *got* to be a misquote or something, right?

Horribly the company claims the U. S. Department of Labor
signed a contract with them for four million dollars. Our
tax dollars at work!

http://www.meganet.com/news/press/pressrelease02-25-02.htm

There's plenty of coverage on secret encryption algorithms
and the amusing antics of those who believe in them
available on the 'Net yet presumably Meganet hasn't bothered
to check out the wonderful coverage on Counterpane.COM --
such as the "Memo to the Amateur Cipher Designer." Or
perhaps if they did check it out, some how they decided it
didn't apply to them.

A week or so ago, it looks like, Saul from Meganet was out
here trying to gain support for the company. Like his
namesake, he appears to have scales over his eyes but at
least while he's stumbling along through his rather whiny
complaint, the rest of us can derive some amusement and see
how *not* to make an appeal to fairness.

-=- Begin quote -=-

    From: Saul Backal <saul@meganet.com>,
          Ralph Lotkin <lotkinlaw@aol.com>
    Subject: Meganet

    Meganet Corporation is the inventor and owner of
    encryption technology referred to as VME--Virtual
    Matrix Encryption, a 1 million-bit symmetric
    encryption algorithm that was granted U.S. Patent
    No. 6,219,421 on April 17, 2001. Despite this
    patent grant, and the fact that major customers
    exist for the technology worldwide, certain
    individuals in the "crypto-community" still express
    disdain for Meganet Corporation and belittle VME
    without ever having taken a serious look at the
    technology.

-=- Pause for comment -=-

Golly! They have a patent! I wonder if Meganet believes
that having a patent number means the patent office vouches
for their claims. I could use crushed snails as part of
an encryption algorithm -- somehow; haven't thought about
it much -- and the Patent Office would issue me a patent.

As far as there being "major customers," I'd like to know
who they are. So far we find that the U. S. Department of
Labor has bought into this "snake oil" and without a doubt
people all over the 'Net are sending the agency tutorials
on what constitutes valid encryption and what constitutes
snake oil. After all, it's our tax dollars being wasted.
And I'd like to know who these "major customers" are so they
can be added to the list of companies to educate about what
constitutes strong encryption and what constitutes highly
dubious, untestable, unverifiable claims.

And I like the scare quotes around "crypto-community" here.
They appear to be a bit miffed at being ridiculed and not
being invited to join serious, real cryptographic cabalistic
gatherings. (I'm reminded of L. Ron Hubbard who complained
about the mental health industry not taking his freakishly
bizarre notions seriously.)

-=- Resume quote -=-

    In our view, both Meganet Corporation and VME have been
    misjudged. All we ask is that you give our technology
    a serious look. The only outcome we desire is that the
    crypto-community judges Meganet and VME objectively.

-=- Pause for comment -=-

Okay, provide your algorithms for evaluation and provide
mathematical proofs to back up your assertions. I'm sure
that every High School freshman computer student also feels
that their "unbreakable" encryption scheme isn't given due
consideration, either.

-=- Resume quote -=-

    Why has there been criticism? The first answer is
    because we made some unintended business mistakes.
    And, for its part, the community rushed to judgment
    relying upon those errors rather than upon an objective
    and thorough analysis on the merits.

-=- Pause for comment -=-

Actually their web site, advertisements, mock "news stories"
and "press releases" sound like they're coming from a young
prepubescent Jim Bakker or Oral Roberts. Business mistake
number one is their grandiose, untestable, unverifiable,
outrageous claims. Business mistake number two is not
making their algorithm open for evaluation by their betters.
Business mistake number three is whining about how unfair
their betters are by ridiculing the newbie.

-=- Resume quote -=-

    Meganet Corporation started as a two-man operation. The
    technology was great, but there was no professional
    marketing force so, not having an experienced,
    businessman on board, we naively selected the wrong
    marketing company -- a company that presented itself to
    be a leader in marketing but was not what it claimed.

-=- Pause for comment -=-

Golly! A company that lied about its capabilities?! Say it
just ain't so! If true then it sounds like Meganet employed
a service provider that was just as unforthright about their
abilities and products as they appear to me to be.

Fact: A product that actually does what it claims to do and
manages to surpass the capabilities of all others in the
same price range manages to survive and even thrive quite
well on its own regardless of poor management, poor
marketing, and even poor sales people. This is the age of
the Internet: word of mouth for your new mousetrap gets
a well-beaten path to your web site. (A good example is
Lantronix's XPORT product. See http://www.lantronix.com/
for their XPORT and also do Google searches on XPORT near
Lantronix. Real products get real reviews, real acclaim,
and make real sales to people who know what they're buying.)

-=- Resume quote -=-

    The VME technical documentation was broken into pieces
    to create marketing documents in an industry they did
    not know or understand and, of course, the results were
    tragic. People who read the material disparaged VME
    without ever seeing it or evaluating it thoroughly. The
    sad fact is that, to our knowledge, not one of those
    experts ever looked at our algorithm, the source code,
    the U.S. Patent, or even called us.

-=- Pause for comment -=-

Okay, provide your algorithms for evaluation and provide
mathematical proofs to back up your assertions. Don't bitch
about your betters not evaluating your product when you
don't provide the source and other tools required for your
product to be accurately evaluated. You want people in the
crypto community to look at your algorithm, show it to
them.

-=- Resume quote -=-

    So, what did Meganet do wrong? We employed the wrong
    marketing team with no knowledge of the industry or
    technology, a mistake many new startup companies make.
    With the benefit of hindsight, that hopefully has been
    corrected.

-=- Pause for comment -=-

1) Blame someone else, 2) then fire them, 3) then proceed to
continue making unfounded, unverifiable claims.

-=- Resume quote -=-

    Second, Meganet was faulted for its decision not to
    publicly disclose the source code for VME. However, we
    did this to preserve our ability to make a profit
    selling our technology and to prevent others from making
    illegal copies or incorporating our intellectual
    property into their own.

-=- Pause for comment -=-

I would even suspect that this company actually believes
that. High School students also dream of making millions
from their "unbreakable" encryption ideas. But the fact is
that if you want to play in the cryptography arena, and if
you want to make claims about your encryption, you have to
make your algorithm public to back up your claims.

Claims that you can't make money because others will steal
your intellectual property are absurd: you do what the rest
of the world does if somebody steals your work: you file
criminal charges and then you file civil lawsuits. Anyone
with encryption products that wants to be taken seriously in
the real world makes their algorithms available for public
review -- and public ridicule of its flaws.

-=- Resume quote -=-

    In Applied Cryptography, Bruce Schneier claims that such
    non-disclosure is "security through obscurity" and is
    unacceptable. Nevertheless, when discussing Professor
    Shamir's RC4 and RC5 algorithms, Schneier did not hold
    Shamir to the same disclosure requirement; apparently
    because Shamir is a respected professor and therefore was
    deemed exempt. RC4 and RC5 became mainstream algorithms.
    Why were the algorithms kept private?

-=- Pause for comment -=-

By not disclosing your algorithm, you're producing a
product that is undeniably "security through obscurity." If
Meganet's encryption process is strong and actually works,
releasing the details won't hurt the users or the sales of
the product one bit. By obscuring what it is this
mysterious black box is alleged to be doing, nobody who
knows what encryption is and what snake oil is will fail to
make the distinction in this case.

Then we have some apparently clueless newbies trying to
compare themselves with Professor Shamir and his work. Does
Professor Shamir also claim his process is unbreakable? And
does he also claim that all other encryption processes have
been compromised?

On the other hand, hasn't Professor Shamir provided proofs
and concept outlines of his process, drawing on the work of
other experts who came before him? We have something in the
scientific arena called "peer review." For a theory to gain
credibility it gets documented and passed around to peers to
be picked apart and shot down. Good theories are those that
survive, bad theories are those that have holes shot through
them. Bad theories are *also* those that aren't made
available for peer review since they lack all credibility.

I'm fondly reminded of the Christian Creationist extremist
who offered a glib, "Of course Einstein disagrees with me"
as if Einstein even knew who he was or that simply holding
different notions than science somehow vindicates and/or
validates one's own notions.

-=- Resume quote -=-

    We believe it was because Professor Shamir sought to
    earn a profit on the sale of his technology, unlike
    RSA, that in the first eight years of its existence
    saw the whole world use their technology royalty free,
    even though they had a patent in place. To our
    knowledge, it took RSA approximately two decades before
    it began earning a decent profit from their technology,
    while RC4 and RC5 earned a profit quickly.

-=- Pause for comment -=-

They also believe they don't have to expose their algorithm
to be taken seriously.

Meganet might want to examine a procedure known as a
"Non-disclosure agreement" or "NDA" for short. Companies,
government agencies, or other individuals who want to take
a crypto company seriously are often given the option of
obtaining source for evaluation after signing an NDA. Doing
so is a much weaker process in terms of credibility than
making the source widely public and open for review... but
even then if Meganet's encryption process were to be blessed
by people who know what they're doing -- like Counterpane
or the NSA -- that would go a long way toward removing that
stigma of the snake oil salesman.

Meganet may present their algorithm to the government's
standards evaluations offices and have them evaluate whether
their work meets the requirements for IPSec. If blessed by
a real agency with real people who know what encryption
really is, it'll go a long way toward being accepted. The
government isn't going to steal their work and start
marketing it or making it freely available. They could get
their certification and then maybe people would buy it.

-=- Resume quote -=-

    Thus, we do not agree that our refusal to disclose
    source code was, or continues to be, a mistake.

-=- Pause for comment -=-

Then die out like a good dinosaur and stop complaining.

At least now they can't blame their failures on some
marketing company claiming they didn't know what they were
doing. Meganet made the decision not to make its algorithm
public so they have nobody to blame but themselves when
they're not taken seriously.

-=- Resume quote -=-

    Importantly, the VME application has been available for
    free (in EVAL versions) for 7 years. So again we ask,
    "Did any of the experts ever look at the patent and
    algorithm materials thoroughly"? Did anyone ever
    contact us? To the best of our knowledge, the answer
    is, "No".

-=- Pause for comment -=-

The patent is damn near worthless until the claims made
about the product are made testable, verifiable, and then
are vindicated.

Here Meganet is demanding that it's up to others to do their
work for them. That's not the way science works. You make
the claim, you provide the evidence. If it worked the way
Meganet wants to pretend it does, they owe me $50,000. Now
they need to prove they don't owe me $50,000 otherwise they
must pay up. (It just don't work that way, Meganet.)

So far as "algorithm materials" are concerned, Meganet has
not provided any "algorithm materials" that can be used to
accurately evaluate the strengths and weaknesses of their
encryption. The source code will do just that quite nicely,
however. Until it's released for proper evaluation, the
onus remains upon Meganet to support its claims with
evidence.

-=- Resume quote -=-

    Perhaps it is easier to claim that VME is "snake oil"
    than it is to analyze a new approach to encryption.

-=- Pause for comment -=-

Only once in a lifetime does a Galileo come along. Aren't
we fortunate to have Meganet provide the world with a "new"
approach to encryption? Our savior. Will we start to see
claims of an inner cabal conspiracy within the cryptographic
community to halt the spread of this financially-damaging
(to the status quo) miracle cure? It wouldn't surprise me.

But the fact is that Meganet can't even claim their
algorithm or theory behind it is even new -- at least they
can't make the claim and be taken seriously by people who
know cryptography. Computer teachers run into students who
think they've developed a new idea all the time; I saw it at
my High School and the College I went to.

Also, a patent doesn't mean an idea's new. An effort is
made to examine all living patents to see if an idea has
already been registered; however, when it comes to math, the
fact is that it's hopeless to have any degree of certainty
that an existing patent doesn't impinge upon a new one
seeking registry. It's up to the patent holders of an idea
or process to make an appeal to a Judge whether the exercise
of a process violates a patent and the filing date and
degree of impingement factors into the decision as to who
holds primary patent on an idea or process. (That's my
understanding of patents; yours may be significantly
different.)

-=- Resume quote -=-

    Furthermore, disassembly of the VME executable code,
    which is a scant 160KB, should be a simple task for
    encryption experts. If "security through obscurity"
    is, per se, bad, how is it that an industry filled with
    experts cannot simply decompile a 160KB executable code
    to prove that VME is "snake oil" or solve repeated
    challenges to do so?

-=- Pause for comment -=-

Meganet is taunting people to break the rules of the
notoriously bad Digital Millennium Copyright Act (DMCA).
(Reverse engineering for purposes of breaking encryption is
a naughty-naughty.)

Aside from that, once again Meganet has got it backwards:
They supplied the claims, they get to provide the evidence
to back up their claims. Until such time that they prove
their assertions, their credibility suffers and people will
consider them "snake oil salesmen." They want to claim
they're unbreakable, they get to prove it.

Amusingly, Meganet applies the "Einstein disagrees with me"
logic fallacy: who says any expert even bothered to crack
Meganet's evaluation files? A quick check of the company's
web site turns up no financial offers for doing so, only a
vaguely worded "financial reward" without any specific
dollar amount.

Tell you what, Meganet, you offer one million U. S. dollars
-- $1,000,000.00 -- to anyone who breaks your encryption
and then maybe we'll start seeing your betters take you a
little more seriously. Let's provide some incentive to get
MIT's people spending their free time to crack you and see
how quickly your reward lasts.

-=- Resume quote -=-

    Indeed, many have complained about the challenges we
    issued periodically to hackers and encryption
    enthusiasts. Those challenges were attacked as "unfair",
    "lies", and "unfounded". We disagree. We gave the
    application that encrypted the file. We also gave the
    cyphertext file and, at the end of the challenge, each
    and every participant was able to enter the solution
    published on our website and decrypt the file themselves
    on their own computer to prove that there was indeed a
    solution for the challenge. Nothing was missing. Isn't
    this how credible government and corporate security are
    supposed to work?

-=- Pause for comment -=-

Newbies. Xenu love 'em, one and all.

No, that's *not* how credibility for cryptographic products
works. Horribly, Meganet managed to find a clueless U. S.
government agency -- the U. S. Department of Labor -- to buy
four million dollars worth of tax-payer "snake oil." Their
cluelessness doesn't give Meganet credibility, nor does any
vague "challenge" that lacks serious rewards for serious
time expended garner any credibility.

To be fair Meganet must divulge their algorithm and subject
it to expert, industry, and hacker examination. The last
thing Meganet can afford is to be fair about it; not because
they'll lose possible revenues like they claim, but because
there's a very good chance their algorithm has been thought
of and shot down numerous times over the years.

Until they make their code public, there's no way anybody
can tell whether their process is credible.
    
-=- Resume quote -=-

    Finally, criticism has been focused on the basic claim
    of our technology - one million bits. What an
    attractive opportunity to poke fun, indeed the so-called
    first sign of "snake oil". If it is so bad, then how is
    it that the algorithm ridiculed by the technology
    community has now been acquired and is available for use
    in thousands of U.S. Government computers and even by
    more corporate users worldwide? Why did they buy the
    technology?

-=- Pause for comment -=-

There's a clueless governmental sucker born every minute,
that's why. Half a million suckers could purchase a pile of
crap and proclaim it "dinner," if they wanted to, but in the
end it's still crap.

Horribly, millions of people still believe in astrology.
Millions of people still believe in gods, goddesses,
creation myths, Communism, and Democracy. Something like
72% of the American populace thought Iraq was responsible
for the terrorist attacks in New York -- over 100 million
people. Just because large numbers of people believe
absolute bull*** doesn't mean their notions have any
credibility.

If Meganet's software is running in thousands of U. S.
government computers and in corporations world-wide, if
it's our tax money being wasted we need the names and
addresses of these government and corporate offices so they
can be brought up to speed on what strong cryptography is
and what constitutes snake oil.

-=- Resume quote -=-

    Because they apparently concluded that VME is one of the
    most competitively priced and strongest commercially
    off the shelf symmetric encryption technologies
    available.

-=- Pause for comment -=-

Because there's a clueless sucker born every minute. And in
the computer arena, there's a government moron born every
10 seconds. The next generation of government employee will,
with luck, be better prepared to successfully evaluate the
validity of claims concerning computer hardware and software.

-=- Resume quote -=-

    Where do we go from here? We offer the following
    suggestions:

    First, check out VME for yourself -- don't simply accept
    or parrot others' opinions. Not understanding a phrase
    does not mean that it is incorrect or meaningless.
    Better yet, if you wish more information, just call us.

-=- Pause for comment -=-

I'd be glad to. Hand over the source code so we can check
out the encryption algorithm ourselves. We'll put it
through its paces and come to our own conclusions, making
them available in public like what's done with encryption
out in the real world.

The ball's in your court, Meganet.

Failing that, provide a real financial incentive for
breaking your process. Don't promise vague cookies, we want
real money in return for real work.

-=- Resume quote -=-

    Second, participate in the "Crypto-Community Challenge"
    that will be posted on our website and will start on
    September 15 and will last 6 months. We will provide
    an encrypted file and the application that encrypted it
    and will decrypt the solution on your own computer, free
    of charge. If successful, the winner will be given a
    large monetary prize.

-=- Pause for comment -=-

Not good enough. Offer a million dollars or it's just not
worth the time and effort. "...large monetary prize" to
these guys could be anything -- and to judge by their claims
and utterly unprofessional behavior, a tape cassette of
Barry Manilow's Biggest Hits might qualify.

-=- Resume quote -=-

    We invite -- better yet -- we urge Bruce Schneier and
    Counterpane to organize the entire crypto-community
    into an effective challenge-breaking attempt, just like
    the one that was undertaken to respond to the RSA
    challenges. Be thorough and see for yourself if VME
    is truly what it claims to be.

-=- Pause for comment -=-

There's no incentive to do so. Meganet wants the world to
do their homework for them and doesn't provide suitable
incentive. One million dollars... James "The Amazing"
Randi makes a million bucks handy to anyone who can prove
their claims of the paranormal or supernatural, Meganet
should be able to make it worth their betters' while to
pick their black box apart.

Offer real money for real work and High School freshmen
computer students the world over will start working on it
for extra credit.

-=- Resume quote -=-

    As a constantly evolving technology community, we owe
    it to ourselves to be professional and to examine new
    and emerging approaches on their merits. Meganet seeks
    only this minimal fairness. We hope this brief
    communication will help start that re-examination.

    Thank you for your attention.

-=- Pause for comment -=-

Oh, well. Unrealistic hopes are too easily dashed in the
face of stark reality and fairness.

---
"I spewed bodily fluids." - Shydavid  http://www.skeptictank.org/  
http://www.RonTheNut.ORG/ PGP: http://www.skeptictank.org/frice.pgp 
-- You love drugs!  You love drugs, don't you?!  You better
not say anything about my mother!  Don't you DARE say anything
about my mother! -- Scientology's International President (Audio
files of this nutter at http://www.linkline.com/personal/frice
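
Added example, not part of Rice's post and not Meganet's or anyone else's product code: the "one million bits" claim and the binary-plus-ciphertext "challenge" quoted in the post are both illustrated by the constructed toy cipher below. It advertises a 1,000,000-bit key, but every bit of that key is expanded from a 16-bit seed, so its real strength is 16 bits, and a plaintext-recognition search over the 65,536 possible seeds recovers the message. The cipher, its seed expansion, the sample message and the "looks like text" check are all hypothetical constructions for this demonstration and stand in for no real algorithm.

```python
"""Constructed toy cipher: a 'million-bit key' whose key schedule only
consumes 16 bits of entropy.  Hypothetical example for illustration;
it models no real product."""
import hashlib
from typing import Optional

NOMINAL_KEY_BITS = 1_000_000   # the key size the marketing copy would advertise
SEED_BITS = 16                 # the entropy the key schedule actually consumes
SEED_SPACE = 1 << SEED_BITS    # 65,536 possible keys in total


def keystream(seed: int, n: int) -> bytes:
    """Expand the 16-bit seed into n keystream bytes (SHA-256 in counter mode).
    Only the first n bytes of the nominal 'million-bit key' are ever built."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        block = seed.to_bytes(2, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return bytes(out[:n])


def encrypt(seed: int, plaintext: bytes) -> bytes:
    """XOR the plaintext with the seed-derived keystream."""
    if not 0 <= seed < SEED_SPACE:
        raise ValueError("seed must fit in 16 bits")
    ks = keystream(seed, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt = encrypt  # XOR is its own inverse


def looks_like_text(data: bytes) -> bool:
    """Crude plaintext recogniser: printable ASCII containing a space.
    For a random 50-byte string the false-positive rate is about 1e-21."""
    return len(data) > 0 and all(0x20 <= b < 0x7F for b in data) and b" " in data


def brute_force_seed(ciphertext: bytes) -> Optional[int]:
    """Try every seed the key schedule can actually produce.  This is what an
    evaluator can do once the key schedule is known, which is why an
    advertised key length on its own proves nothing."""
    for seed in range(SEED_SPACE):
        if looks_like_text(decrypt(seed, ciphertext)):
            return seed
    return None


def effective_vs_nominal_bits() -> tuple:
    """(bits of security the design really has, bits the marketing claims)."""
    return SEED_BITS, NOMINAL_KEY_BITS


# Constructed sample 'challenge': the seed and message are invented here.
SAMPLE_SEED = 0xBEEF
SAMPLE_PLAINTEXT = b"Challenge file: the meeting is at noon in room 12."
SAMPLE_CIPHERTEXT = encrypt(SAMPLE_SEED, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    found = brute_force_seed(SAMPLE_CIPHERTEXT)
    eff, nominal = effective_vs_nominal_bits()
    print(f"advertised key bits: {nominal}, effective key bits: {eff}")
    print(f"recovered seed: {found:#06x}, expected: {SAMPLE_SEED:#06x}")
    print(decrypt(found, SAMPLE_CIPHERTEXT).decode())
```

The number that matters is the first element of `effective_vs_nominal_bits()`, not the second: an advertised key length says nothing until the algorithm that consumes the key has been published and reviewed, and a challenge consisting only of a binary and a ciphertext file does not substitute for that disclosure.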