Wifimity compares itself to a 50-year old computer

Once again we find ourselves with a KickStarter (archive copy) that’s claiming wireless networks are the sole reason for why users find themselves compromised.
“Wifimity” promises to produce a “cloak of invisibility” with a device that is “military security level” for at least €77; the campaigners are looking to raise €48,000, or about $54,000 USD.

[Ed: You really ought to read their Kickstarter page, it is a right mess.]

Actually, it’s really two devices: one called “Safebox” which just stores your passwords with authorization via a fingerprint reader; and another called “Shield”, which does the same, but also acts as some sort of VPN tunnel. It is supposed to sit between your device and wireless access point, and it connects itself to a service that the creators operate.

We’re going to ignore the password-only device since it is plausibly functional, and instead focus on the Shield device, where the meat and potatoes are.

Here are some of the features they claim will come with Shield:

  • “anonymous surfing” – It’ll anonymize your IP via something that sounds a lot like NAT.
  • “device cloaking” – It’ll scrub the identifying info off your HTTP requests.  Their use case is device-specific price discrimination.
  • “DNS server” – It’ll blackhole suspicious websites’ IP addresses.  No mention of where they get their blacklist…
  • “anti-virus” – The KickStarter claims that this is still “under construction”.
  • “encrypt your cloud” – Their only substantive stretch goal, they promise the Shield will encrypt all the data you “upload to your cloud”.

This really seems like a keychain version of some previous KickStarters we’ve covered.

These claims are bonkers

We should start off by pointing out that the number of people affected by compromised wireless networks is minuscule, compared to the number affected by corporate or government breaches.

Adobe’s 2013 breach affected well over a hundred million people, Home Depot’s hit over 50 million credit cards, and Target’s took about 40 million. These are far larger than the total number of times in history that someone has been affected by an individual running Aircrack at Starbucks. This isn’t to say that compromised wireless networks are not a threat, but these frequent “wifi protector” KickStarters all come back to the notion that user wifi insecurity is interchangeable with anything the layman would identify as “hacking”.

Here’s something we’ve seen before (see Sever) that makes us wonder if and how it defies the laws of physics:

Faster Surf: With this option activated you can increase up to 50% your browsing speed.
[…]
Speed: It doesn’t reduce your device speed because it runs out of your mobile, tablet, or PC.

Now there are some possibilities for this claim; they could include the following:

  • It removes half of the content that makes a website slow to load. Website bloat is a real thing and just by having an ad blocker or turning on certain features within the browser, page loading does become faster. Where is it doing this processing?
  • It compresses and decompresses every single thing that comes in and out in addition to providing an encrypted tunnel. How is this possible with a device that, based on its housing, is probably nothing more than a basic ARM-based device running at low-power? They claim that it won’t slow down your PC either, so again, where is it doing this?
  • They have no idea what they’re talking about and have no specific plan as to how they would make everything faster.

The first one seems to be probable as they link to an article from the Wall Street Journal about tracking cookies. Their concern over “price discrimination” – that your Internet activity will lead to online stores increasing prices on you, insurance companies increasing fees, and banks raising interest rates – has some merit, but these issues can be addressed by the typical user with the tools included in every modern web browser: blocking third-party cookies, clearing site data, and running a content blocker. There is no need to throw money at a €140 device when all of this can be done for free.

There are hints that maybe they really don’t know what they’re talking about, however; at the start of the KickStarter page, there’s a statement about AES reminiscent of MyDataAngel.com’s DataGateKeeper:

“AES is the first (and only) publicly accessible cipher approved by the National Security Agency (NSA)..”

Really? That sentence reads like the opening line of the Wikipedia article on AES with its qualifier cut off: there, the approval is “for top secret information when used in an NSA approved cryptographic module”. Stripped of that qualifier it is simply false. I don’t suppose that they’ve heard of DES, published as FIPS 46 in 1977 after NSA review and the publicly specified, government-approved cipher for a quarter of a century before AES? If you’re going to sell a cryptography product, it would be good to at least know a thing or two about the development of the algorithms.

More than 1,000,000 times the capacity of the Apollo 11 computer.

What do they mean by “capacity”? If we go by the storage of the Apollo Guidance Computer (a computer that is 50 years old), which had 36,864 words of core rope ROM (15 data bits plus parity) and 2,048 words of erasable memory, the ROM figure usually rounded to “36K” and loosely quoted as 36 kilobytes, then “1,000,000 times the capacity” works out to roughly 36 GB (about 34 GiB), or about twice that if you count each 16-bit word as two bytes. Call it a 32 or 64 GB flash part, which is in no way a large amount of storage by modern standards.

The specifications given for the device make no sense

Wifimity has provided a hypothetical specification for their keychain-sized device:

32 bits high speed microprocessor.
Cryptochip, high level security by hardware.
WiFi 2.4GHz chip or bluetooth BLE.
WPA2, TLS 1.0, HTTPS.
A battery 500mA with an intelligent charge system for long life.
A custom operative system (OS) to avoid hacking.

A 32-bit “high-speed microprocessor” is more or less the standard for devices these days (it’s later described to be a 32-bit ARM Cortex-based processor).  Their “cryptochip” appears to be a hardware implementation of AES, and 2.4 GHz wireless and Bluetooth are what I expect, but the rest of this just doesn’t hold water.

On the subject of cryptography, why is this using TLS 1.0? It dates from 1999, its CBC cipher suites are exactly what BEAST exploits, and by 2016 PCI DSS already required merchants to migrate off it. (POODLE, the other name that usually comes up, is primarily an SSL 3.0 attack, although a variant caught TLS implementations with sloppy padding checks.) How was this overlooked? I guess this “custom [operating] system” that has been created to “avoid hacking” will take care of that problem, right?

The cryptography doesn’t really make sense either considering this snapshot from one of the videos:

[Screenshot from the campaign video, 2016-06-22: the Shield options page]

I can turn off encryption? I can turn off device cloaking and anonymizing options?

It gets weirder when you realise what the options at the top of the display webpage are for:

[Screenshot from the campaign video, 2016-06-22: the options at the top of the displayed webpage]

Oh wow. It just inserts a frame at the top? What’s the point of this device? Why is it not doing this passively? Does this mean that Facebook and other applications that do not make use of the mobile device’s browser do not get the same level of protection?

Nonsense. If we go back to the encryption part again, we see this gem as part of their stretch goals if they manage to achieve €250,000 in funding:

We keep a lot of important information in our cloud and this goal is to sure that it is safe and the all copies are unreadable in case we delete the cloud info.

So are they storing all your data on their own servers in cleartext unless they hit this stretch goal?  Or is this a clumsy restatement of their earlier claims about “encrypting your cloud”?

None of these features require a fancy device sitting between the user and a server to make it happen. In fact, this does nothing to solve the problem that the campaign seeks to resolve.

Who are these people?

As with previous exposés on this website, we like to document who’s leading these campaigns, as information on their backgrounds helps to discern between scammers and optimists. Unlike previous campaigns, there is very little information given on who’s behind it. This is evident in this passage:

Together with our team, we take our passion for innovation beyond our products and into every decision we make. In our product development process, simplifying people’s lives has always driven us at every stage. Simple products that can help people.

Pablo, our SEO, with several patents registered, has worked for more than 25 years in custom electronic projects. He has developed complex algorithms in collaboration with the mathematics department of UPV University and has made modems for GPRS, modems narrow band, and WiFi systems with encrypted solutions.

“Pablo” is actually “Pablo Jose Reig Gurrea”, CEO of Ladegar in Bilbao, Spain. His KickStarter profile is a bit more detailed:

Pablo is currently the CEO of Ladeger, company that develops technologic solutions for the consumer market. He graduated in Electronic engineering and worked more than 25 years in tailor-made solutions for industry, in British and German multinational companies. He has several patents registered and used to collaborate with the UPV university for developing algorithms and custom made solutions.

His prior work explains how he was able to build a demonstration device that appears to work as well as it does, but there is little to no evidence of his involvement in information security prior to this campaign. No website for his company appears to exist.

We get the impression however that Pablo is unsure of how his product will be assembled, as evident in this image:

[Image from the campaign page: “Made in USA”]

But then it’s stated they’re still in negotiations over where it will be made:

We are in negotiations to manufacture in two plants, one in Albuquerque, USA for the American and Canadian market. “Made in USA.”

And the other in Bilbao, Spain for the European market. “Made in Europe.”

So it has gone from “will be” to “in negotiations”? Also, Canada would not permit “made in USA” just to be clear here.

We don’t expect this campaign to succeed.

[Kicktraq tracker widget: Wifimity - Passwords & Surf Safe with Just a Key ring!]

MyDataAngel ends KickStarter and then feigns being a victim

We’ve previously covered this campaign in several entries before, but with some level of elation, we’re happy to report that the individuals behind the MyDataAngel /DataGateKeeper KickStarter campaign have cancelled their project just a few hours before it was expected to fail.

However, it appears that they won’t go out without kicking and screaming and have thus issued a rebuttal directed at those of us who tweeted and blogged about them in a manner that was to their displeasure.

“It is not a field of a few acres of ground, but a cause, that we are defending, and whether we defeat the enemy in one battle, or by degrees, the consequences will be the same.” Thomas Paine, 1777

Dear DataGateKeeper Software Backers,

No truer words were ever spoken. As true in 1777, as it is nearly 240 years later.

You are true Data Angels; your foresight in the face of aggressive and salacious attacks from the fringe is a testament to your fortitude and an inspiration to us. You will have your DataGateKeeper. Our resolve to deliver to you the DataGateKeeper Total Data Protection Software™ and SafeDataZone™ has never been greater.

We are finalizing the release of the DataGateKeeper on the Windows platform, and the development and stress testing of the Android and Apple platforms.

We launched our Kickstarter campaign to test both our message and the market. Unfortunately, we did not gain perspective on either issue. A key driver for success on any crowdfunding platform is getting the word out on social media. On this matter, we failed you, as we elected to cancel all of our promotional efforts, nearly immediately. Why?

We felt this action was the most responsible avenue to take once the fringe quasi-InfoSec wannabe community began attacking you, our DataGateKeeper Backers. We have never seen anything like that and likely, no campaign has ever had Backers personally attacked for making a Pledge.

These miscreants did not Pledge for any Rewards, however, they used a loophole, in this platform to disrupt and gain access to you, our Backers, which is reprehensible. The twittidiots and their ilk even attacked our employees and supporters – all anonymously. We apologize to our DataGateKeeper Backers and Team for any offense or verbal attacks you sustained.

In addition, we had several “journalists” contact us to do a “story” for their “readers”. We also elected not to engage them for several reasons; the well had been poisoned, our message had been diluted, and their intentions and loss of objectivity had been made clear by their online social media activity.

During the campaign, we engaged these crypto-crazies in an effort to understand their boggle. As is typical of any engagement with flakes that hide behind anonymity, the 80/20 Rule was in full force. 80% of the twittidiots could not conjugate a response, while 20%, who did not hide behind their twitter account, proved to be helpful, and we had productive conversations. We thank them here.

What Did We Learn?

  • Controlling the message is important, however, controlling the environment for that message is critical. Today we will move to control both the message and the environment. We believe in the first amendment, however not at the expense of decorum, respect for others’ opinion and dignity.
  • Given the plethora of crowdfunding sites available in the market, the Kickstarter platform is likely not the best platform for software, absent a techie gadget connection or video game. Software clearly underperforms on this platform.

What are We Prepared to do for Our DataGateKeeper Software Backers?

  • We are going to complete our DataGateKeeper Total Data Security Software and make it available to you first for the price you Pledged and for the Reward you Backed. We are currently arranging to do this very thing.

DataGateKeeper Backers, you have our private email address, we look forward to continued communications. Please contact your Data Angel Team if you have any further questions.

It’s interesting that they quoted from Thomas Paine’s The American Crisis, a series of pamphlets meant to encourage American colonists to support the war against Great Britain, invoking providence to suggest that they would prevail against the Crown. In the case of Raymond Talarico and his crew, the request for accountability is the real tyranny, and thus is definitely worth fighting a war against.

As one person put it to me: MyDataAngel believes that they’re the “founding fathers” of truly-secure encryption. If you have a problem with this, then you must hate America. Well, MyDataAngel, I guess that since I am Canadian and thus a subject of the Crown, I really am hellbent on this idea.

Why you actually failed

You waged a fierce and determined campaign against any kind of investigation or scrutiny. You made outrageous claims about your software’s functionality. You refused to answer any of the technical questions asked of you in earnest. You complained bitterly when, in the absence of technical content, we instead analyzed your staff’s backgrounds for plausible competence in the field of information security.  Information security is not a field that has much patience for secrecy, and you’re exactly why.

You claim that 20% of the respondents on Twitter were “helpful”. Of course, this can’t be backed up with data, because you’ve gone and made your account private. Fortunately, I am still following you, and can read a random sampling of these tweets; none of them seem to indicate that they were “helpful” at all. They really are just calling you out on your nonsense.

You complain about the unwashed masses of anonymous “crypto-crazies”, nameless “twittidiots” (shouldn’t it be “twidiots”?), or unspecified members of the “fringe quasi-InfoSec wannabe community” attacking you via social media.  In my case, this is demonstrably untrue; I first wrote about MyDataAngel on my own personal blog, with my full real name in the page header and the URL.  I also wrote to you with my personal e-mail address, as I’ll discuss later.

You, meanwhile, really don’t like being identified. We’ve reached out to a number of your former business partners and none of them returned our e-mails. All we can find are community forum posts from people who work at a single-person company or press releases making wild claims about your product and a supposed partnership with another seemingly single-person company. One is left to wonder why a multi-billion dollar company hasn’t snatched your product up.

After being called out on your claims of “512 KB” encryption strength, you edited them to reflect something more plausible, yet made no attempt to explain why this change was made–going from claiming “512 KB” encryption back to just “512” without mentioning the word “bit”.  This calls into question whether you know what the number 512 is meant to measure, in this context.

There are other reasons to suspect that you don’t know anything about cryptography.  Here’s a tweet where you try to coyly hint at what encryption algorithm you’re using:

[Screenshot of the MyDataAngel tweet hinting at the encryption algorithm]

Truly bizarre to suggest that Huffman coding, a 1952 algorithm (almost a half-century before AES was ratified in 2001, and so supposedly “too old” by your own standards), is encryption when in fact it’s lossless compression, used inside PKZIP, JPEG, gzip, and MP3 to name a few. Anyone holding the output can reverse it, because the code table needed to decode travels with the data; there is no key.
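To make the compression-versus-encryption point concrete, here is a working Huffman coder as an added example; it is not MyDataAngel’s code and says nothing about what their software actually does. The sample input is constructed for the demonstration. Note what the decoder needs: only the codebook, which the encoder hands over in the clear, exactly as DEFLATE and JPEG headers do.

```python
import heapq
from collections import Counter
from typing import Dict, Tuple


def build_codebook(data: bytes) -> Dict[int, str]:
    """Classic Huffman construction: repeatedly merge the two least frequent subtrees."""
    freq = Counter(data)
    if not freq:
        return {}
    if len(freq) == 1:                       # degenerate input: one symbol, one 1-bit code
        return {next(iter(freq)): "0"}
    # Heap entries are (count, tiebreak, tree); the tiebreak keeps the order deterministic
    # and stops Python from comparing trees when counts are equal.
    heap = [(count, i, symbol) for i, (symbol, count) in enumerate(sorted(freq.items()))]
    heapq.heapify(heap)
    tiebreak = len(heap)
    while len(heap) > 1:
        c1, _, left = heapq.heappop(heap)
        c2, _, right = heapq.heappop(heap)
        heapq.heappush(heap, (c1 + c2, tiebreak, (left, right)))
        tiebreak += 1
    codes: Dict[int, str] = {}

    def walk(node, prefix: str) -> None:
        if isinstance(node, tuple):          # internal node: 0 to the left, 1 to the right
            walk(node[0], prefix + "0")
            walk(node[1], prefix + "1")
        else:                                # leaf: a byte value
            codes[node] = prefix

    walk(heap[0][2], "")
    return codes


def huffman_encode(data: bytes) -> Tuple[str, Dict[int, str]]:
    """Return the bit string and the codebook. The codebook is not a key: the decoder
    must receive it, so real formats (DEFLATE, JPEG) store it in the clear in the header."""
    codes = build_codebook(data)
    return "".join(codes[b] for b in data), codes


def huffman_decode(bits: str, codes: Dict[int, str]) -> bytes:
    """Decode by matching prefix-free codewords; no secret is involved anywhere."""
    reverse = {code: symbol for symbol, code in codes.items()}
    out = bytearray()
    current = ""
    for bit in bits:
        current += bit
        if current in reverse:
            out.append(reverse[current])
            current = ""
    if current:
        raise ValueError("trailing bits do not form a complete codeword")
    return bytes(out)


def is_prefix_free(codes: Dict[int, str]) -> bool:
    """Huffman codes are prefix-free, which is what lets the decoder work without separators."""
    words = list(codes.values())
    return not any(a != b and b.startswith(a) for a in words for b in words)


if __name__ == "__main__":
    sample = b"this is an example of a huffman tree"   # constructed sample input
    bits, codes = huffman_encode(sample)
    print(f"{len(sample) * 8} bits in, {len(bits)} bits out, {len(codes)} codewords")
    assert huffman_decode(bits, codes) == sample
```

Run it and the output shrinks because frequent bytes get short codewords, which is the whole purpose of the construction; swap in a different input and the codebook changes with it. That dependence on the data, and the fact that the codebook must be shipped to whoever decodes, is precisely why a compression step contributes nothing to confidentiality.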

In a similar vein, before you took down your website, it was providing explanations about cryptography concepts plagiarized from various books and Wikipedia:

[Screenshots of two pages from the former MyDataAngel website]

Whether or not you know what you’re doing with cryptography, you’ve clearly already gone ahead and built the Windows version of your encryption software. A demonstration copy was supposedly made available when it was still known as Centuri Cryptor. We can see in this YouTube video from when it was known as FileWarden that it was already working.

[Screenshot from the FileWarden YouTube video]

Since you clearly have a functional product already, it’s only natural that I’d want to test it!  As mentioned above, I reached out to you regarding a demonstration of your application. Here’s the e-mail exchange:

From: Colin Keigher
Sent: Friday, May 13, 2016 11:56 AM
To: HackMeIfYouCan@MyDataAngel.com
Subject: Interested in a demo

Hi there,

I’d like a copy of your software to demo and test. Please let me know how I can review this.

Thanks,
Colin

Subject: RE: Interested in a demo
Date: Friday, May 13, 2016 11:59 AM
From: “Hack Me If You Can” <HackMeIfYouCan@MyDataAngel.com>
To: “‘Colin Keigher'”, <HackMeIfYouCan@MyDataAngel.com>

Outstanding.

We respect anonymity so we won’t ask you for any identifying information
about who you are.

Having said that — We have two questions?

1. Would you please tell us a little about yourself.

2. Or recommend someone you think would take on this Challenge. We want to choose someone the community respects and trusts.

Back to all qualified entrants on May 16.

Your Data Angel Team

From: Colin Keigher
Sent: Friday, May 13, 2016 12:14 PM
To: Hack Me If You Can <HackMeIfYouCan@mydataangel.com>
Subject: RE: Interested in a demo

Hi there,

Thanks for getting back to me. I have some follow up questions.

1. What are you looking for here? I am a security engineer who runs his own company.
2. In what sense do you mean “someone the community respects and trusts”? What are your qualifiers?

Thanks,
Colin

Subject: RE: Interested in a demo
Date: Friday, May 13, 2016 1:08 PM
From: “HackMeIfYouCan” <HackMeIfYouCan@MyDataAngel.com>
To: “‘Colin Keigher'”
Copy: “‘Hack Me If You Can'” <HackMeIfYouCan@mydataangel.com>

Hi Colin,

We’ll do our due diligence, and, following, chose those parties whom represents the largest demo vis-a’-vis followers, trust and respect.

We believe this plan is likely the best practice for achieving our goal.

We are open to suggestions as to criteria, and welcome yours and the communities opinion on our selection criteria.

You Data Angel Team

Your last response suggests that you’ll be choosing yourself the parties you “trust” and “respect”. Concealing your encryption algorithm isn’t going to make it any more secure, and really is just going to attract more suspicion. If you want to have some level of credibility, you’re going to have to allow people to test your algorithm without being able to vet them, because you don’t get to vet the real attackers when they’re after your real customers’ data. If you had the confidence in your software that your advertising copy suggests, you’d gladly let me or anyone else publicly test it out with no restrictions beyond not sharing the software with others.

The information security community takes claims like yours seriously, which is why we have been so ardent in criticizing you. Documenting charlatans and bad organizations is a time-worn hobby for this community. You cannot expect to pull a fast one on us, because the tricks you’re attempting to pull are far from new.

We think the real reason why you insist on going for the crowd-funding model is that you know your claims given are nonsense and that nobody well-informed about your product would choose to spend money on it, much less trust it with important secrets. This is why you set the kickstarter goal at a piddly $20,000 USD to fund a team of nine people, and it’s why you would then pad out your total with a few high-dollar-value backers–because it lets you turn to potential investors and claim that there’s consumer interest in your product.

You close off stating that KickStarter was not the place to launch your project and that you’re going to look at other options; we’ll close off by suggesting that you do not.

Kickstop the Blind Ego

With permission from the original author, we are reposting details on a failed KickStarter project called “Blindeagle”. It was cancelled by its project creator on April 12th after reaching less than 10% of its goal.

Blindeagle is asking for money for a product, a product that promises private and secure communication with anyone over the internet and wants 90,000EUR to do it. For an additional 920,000 EUR, they’ll even remake what RedPhone already does for free. With a pricetag like that, it better not just be useful but live up to every one of its promises. What are its promises, anyway?

The advertised unit is a keychain that plugs in through the headphone jack of a mobile device and is meant to work with a closed-source app to provide impenetrable crypto. This crypto is said to use a one-time pad (OTP) system. The design, photos, prototype, and social networking vibe all feel too similar to the vaporware you’d expect a San Francisco based startup of 5 college students to poorly slap together and unload on unsuspecting venture capital firms for a million in seed money, who are later forced to abandon the broken concept and cut their losses. But it’s not like that: these 5 college students are from Belgium!

The broken English, consisting primarily of hypespeak and buzzwords, is difficult to extract hard data from, so building a critique of the supposedly infallible security model wasn’t straightforward. By focusing on the major claims only and not nitpicking about general hyperbole, we show this product for the fraud it really is: a broken security model rife with contradictions, in the best case simply dangerous for its users, and in the worst an intentional scam surrounded by lies.

Why be so hard on a kickstarter that will likely never meet its goals in the first place? Because this campaign masquerades as an infallible solution to a current global crisis on data privacy, capitalizing on people’s fears and ignorance while overpromising and dangerously underthinking a science that often means the difference between life and death. Cryptography is the backbone for all security on the internet, and doing it right has always been undeniably hard. If their team of expert cryptographers were working on this device, we’d be prepared to give them some leeway to explain themselves, open source it, and work on it over the years, as Telegram was given a chance to do at first… except there is no team of cryptographers, not even a “math expert”. So who is the savior that will guide us through this privacy crisis?

No background in crypto

Meet David (no last name provided). With no crypto background and “now over 5 years of experience in Java, web and iOS/OS X development”, “he .. takes care of the technical side of blindeagle, from the website to the apps and including programming the servers and the external units”. Let’s not be too hard on David, he’s likely been suckered into this by a friend and is either too naive to realize the ramifications or is ignorant and being used as a fall guy by a scammer. Assuming he hasn’t singlehandedly broken the underlying security of everything due to human error, miscalculations, improper security model, or a complete and utter lack of proper crypto background or experience, we can move on to the message and leave the messenger be for now.

Closed-source

As quoted from their product homepage, using their device “guarantee[s] you total confidentiality and absolute security”. That’s quite a claim to make, especially since it’s impossible. Every legitimate cryptographic tool or product in the world is designed with the understanding that its security erodes as time passes and attacks improve; vigilance, not a promise of trust, is the backbone of real security. Security is not a fixed state, it is an evolving process. Does Blindeagle understand that process? By asking us to trust closed-source apps written entirely by David on closed-source devices manufactured by an unknown third-party supplier, the picture looks pretty grim. Despite several free, secure applications that do encryption “right” (XMPP+OTR, BitMessage, Tox), we’re to believe that we need a separate closed-source device. What does that device even do?

Magic box

The device purports to feed one-time Vernam ciphers from a pool stored in its memory directly to the mobile app. Properly implemented Vernam ciphers (and OTP in general) can be extremely secure, but the difference between broken and sound cryptography is usually in the implementation. While claiming it is infallible compared to email or other chat apps in terms of encryption, it fails to describe in any detail whatsoever how this particular implementation prevents interception by a rogue app on a rooted phone, sniffing over the air via the device itself, or any number of other attack vectors. That would take actual knowledge!

Weak magic

No, instead we are led to believe that the supposedly infallible OTP key material preloaded onto the device at manufacturing has never been copied or tampered with, and was loaded in a way that cannot be extracted through a simple buffer overflow or injection attack. Key material generated on the device when you first plug it in might be secure; key material generated by a third-party manufacturer stretches the meaning of “secure”. Keys generated by the company could be retained and used to decrypt every message you ever send, and even if the company weren’t malicious, what’s to stop a nation-state actor forcing them to hand over every key they produce? A one-time pad is only as secret as the pad, and they only provide 2 GB of material: 2,147,483,648 bytes. That is small enough for a rogue app, or the manufacturer’s retained copy, to carry off in seconds, and once an attacker holds the pad, decrypting a message is a single XOR pass, the cheapest operation a CPU performs; working through all 2 GB takes a commodity computer seconds, not minutes. The deniability an OTP offers (any same-length plaintext is equally possible) is cold comfort when the other party already holds the pad.

Powered by buzzwords

According to the copy, “the key existing in the external unit is generated using quantum phenomena”. This is buzzspeak for “a mirror sensor looks at light and makes a key based on the photo it takes”. While interesting in theory, theories that cryptographic security revolve around should be tested and proven before going into production. It goes on to guarantee that the keys in the device can only be used once, that it behaves as single use memory. Except, if, somebody copies the key data. Let’s go back to how the device plugs into the headphone port onto your device. Putting aside the logistics of getting a device like this to work on a computer without a combined headphone and microphone socket, what’s to stop a malicious app pretending to be the official app, reading in all of the key data, and then simply saving it to your local storage? There is no technical explanation provided by Blindeagle how this can be guaranteed aside from a brief introduction to “potting”.

The straw that broke the crypto’s back

Among the claims of perfect crypto is the use of “end to end encryption”, which by definition means a message readable only by the two endpoints, with no intermediary holding a key, and which is unbreakable unless the underlying crypto is broken or a key leaks. End-to-end crypto, if done right, is a good thing and Blindeagle would be silly not to include it as a main feature. But is Blindeagle truly end-to-end encrypted?

After data is encrypted using your Blindeagle device, it is sent to their closed-source proprietary servers in the EU. From that point, the data is “decrypt[ed] with the sender key followed by the instantaneous encryption with the receiver key, just before the destruction of the encryption keys”. If you are thinking to yourself, “isn’t that the definition of a middle-man?”, you’re likely more suitable to lead their team than poor David.

Blindeagle clearly advertises “no data is stored on our servers”, in addition to the “No data-retention” laws in Belgium. Despite being empty and unprovable claims, we have learned from experience and leaks that neither nation-state actors nor hackers need permission, nor do they follow laws when hijacking, injecting, seizing or bugging servers for their own malicious purposes. By purposely introducing a middle-man into their transport protocol, they cannot make the claim with absolute certainty that no data will be stored.
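The two problems above, a pad pool that a rogue app can copy and a relay that must decrypt to re-encrypt, are easier to see in code. The following is an added example modelled on the campaign’s own description; it is not Blindeagle’s software, the pads and messages are constructed here, and the `PadPool` / `RelayServer` names are ours. It plays one message from Alice through the relay to Bob and reports what each party ends up holding.

```python
import os
from typing import Dict, List, Tuple


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Vernam step: XOR message bytes with exactly as many pad bytes."""
    if len(a) != len(b):
        raise ValueError("pad slice must be exactly the message length")
    return bytes(x ^ y for x, y in zip(a, b))


class PadPool:
    """Models the external unit: a pool of pad bytes, consumed once, front to back."""

    def __init__(self, pad: bytes) -> None:
        self._pad = bytearray(pad)
        self.offset = 0

    def consume(self, n: int) -> bytes:
        """Hand out n fresh pad bytes and zero them, so this object cannot reuse them."""
        if self.offset + n > len(self._pad):
            raise RuntimeError("pad exhausted; reusing bytes would make this a two-time pad")
        chunk = bytes(self._pad[self.offset:self.offset + n])
        self._pad[self.offset:self.offset + n] = bytes(n)  # the promised single-use memory
        self.offset += n
        return chunk

    def dump(self) -> bytes:
        """What a rogue app that can talk to the unit obtains: every unused pad byte."""
        return bytes(self._pad[self.offset:])


class RelayServer:
    """The vendor relay. To swap pads it must hold a synchronised copy of every user's pad."""

    def __init__(self, pads: Dict[str, bytes]) -> None:
        self._pads = {user: PadPool(pad) for user, pad in pads.items()}
        # Everything the operator, or whoever seizes the box, can read.
        self.log: List[Tuple[str, str, bytes]] = []

    def relay(self, sender: str, receiver: str, ciphertext: bytes) -> bytes:
        plaintext = xor_bytes(ciphertext, self._pads[sender].consume(len(ciphertext)))
        self.log.append((sender, receiver, plaintext))  # nothing prevents this line from existing
        return xor_bytes(plaintext, self._pads[receiver].consume(len(plaintext)))


def run_exchange(message: bytes, pad_len: int = 256) -> Dict[str, bytes]:
    """Alice -> relay -> Bob, with a rogue app on Alice's phone copying her pool first."""
    alice_pad, bob_pad = os.urandom(pad_len), os.urandom(pad_len)  # constructed pads
    alice, bob = PadPool(alice_pad), PadPool(bob_pad)
    server = RelayServer({"alice": alice_pad, "bob": bob_pad})   # the manufacturer's copies

    stolen = alice.dump()                                   # copied before any byte is burned
    hop1 = xor_bytes(message, alice.consume(len(message)))  # Alice encrypts with her pad
    hop2 = server.relay("alice", "bob", hop1)               # relay decrypts, then re-encrypts
    delivered = xor_bytes(hop2, bob.consume(len(hop2)))     # Bob decrypts with his pad

    return {
        "delivered": delivered,
        "server_saw": server.log[0][2],
        "rogue_app_recovered": xor_bytes(hop1, stolen[:len(hop1)]),
    }


def two_time_pad_leak(m1: bytes, m2: bytes, pad: bytes) -> bytes:
    """If the same pad bytes encrypt two messages, c1 XOR c2 equals m1 XOR m2: the pad cancels."""
    c1 = xor_bytes(m1, pad[:len(m1)])
    c2 = xor_bytes(m2, pad[:len(m2)])
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    for party, data in run_exchange(b"meet at the usual place, 21:00").items():
        print(f"{party:>20}: {data!r}")
    print(two_time_pad_leak(b"attack at dawn", b"attack at dusk", os.urandom(14)))
```

All three values come back as the original message: Bob gets it, the relay logged it, and the rogue app recovered it from the copied pool. The XOR that “breaks” the message is the same single pass Bob performs, which is why the size of the pool is irrelevant once it is in someone else’s hands. The `two_time_pad_leak` call shows the other way a pad pool fails: where two messages share pad bytes, their XOR strips the pad entirely and leaves only the difference between the plaintexts.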

Verdict

Blindeagle’s security model does not meet the requirements of even the most basic security theory, its advertised implementation is dangerous, and its claims are contradictory, misleading and at times downright lies. At this point it’d be preferable if it ends up having been a non-delivering scam.

Written mostly by sn0wmonster from the ##crypto IRC on freenode, with some technical input from SunDwarf.

DataGateKeeper (aka MyDataAngel.com) is no longer “impenetrable” but now “engineered”

If you look at the original KickStarter (via this Archive.org link), you’ll have seen it showing the following:

[Screenshot of the original KickStarter page, 2016-06-03]

Now it has been edited to show that it is no longer “impenetrable”, but “engineered”:

[Screenshot of the edited KickStarter page, 2016-06-03]

There have been several other changes to the KickStarter as well.

This was the original text with their take on the “backdoors” in AES:

In the late 1990’s, AES, while under ‘well-intentioned’ government oversight, somehow, a ‘back-door’ found its way into this ‘approved’ data security solution, — as has been widely reported. The unintended consequences of this back-door allows for complete access to your data, without your permission, to data monitoring, data-mining and active eavesdropping.  Effectively, voiding your right to privacy and confidently. So common is this practice it has a name: Active Snooping.

Now it has been changed to “flaws”:

In the late 1990’s, while under ‘well-intentioned’ government oversight, flaws found their way into this ‘approved’ data security solution, — as has been widely reported (see, notes below). The unintended consequences of these flaws allows for complete access to your private and confidential data, without your permission, promoting underground data monitoring, data-mining and active eavesdropping. So common is this practice it has a name: Active Snooping.

This paragraph has been removed:

Simply, ‘the other guys’ use standard SSL (Secure Sockets Layer), and the failing AES, in an attempt to secure your Privacy & Confidentiality. The same data security hackers took advantage of in the breach of Target, Home Depot, iCloud, Sony, Anthem…you get the idea. You Deserve Better.

What replaced it was the last sentence.

In an attempt to make themselves appear as if they’re trying to be more open, they decide to remove the tripe about the levels of encryption and replace it with some story about their plans to improve the software.

The R&D Plan

To build the DataGateKeeper, we disassembled and reverse engineered several automated password cracking software programs. This was to understand their procedural sequence and methodologies related to code acquisition, code cracking, or as it is known, hashed access to code and source. Additionally, we decompiled these programs to gain insight on hacking software’s proclivity to exploit weakness in cycle rates, including their integrated and powerful automation multipliers, and natural GPU processor affinity. Following months research we had what we needed to protect you.

This seems like complete nonsense. If you have read the previous exposé we’ve done on this KickStarter, you’ll know this project has been floating about for years and has changed hands a handful of times. At no point have we seen any evidence that they’ve spent any time researching automated password cracking applications.

Furthermore, that second-last sentence? It doesn’t make any sense and reads like something out of Reddit’s VX Junkies. Much of the above existed when it was just labelled as “The Math”, which is no longer on the page.

Validation Plan

Now that our cryptographic module is complete, we plan to submit our DataGateKeeper module for independent validation the sooner of; official final publication of the NIST pronouncement on the Federal Register seeking comment to portions of 19790 (deemed 19790:2014), to update 140-2, or, the official abandonment of such update. We plan to use Underwriters Laboratory (UL), however, there are several certified laboratories performing FIPS certification. Following validation and patent (currently, we rely on trade secret to protect our algorithm) we will release our algorithm to the select members of the cryptographic community for further development and analysis under a very specific set of guidelines which we will solely determine.

Oh. There’s a patent-pending for this or are you still keeping this close to your chest? I did a cursory search on Google Patents using various names and keywords relating to this project and nothing has come up for anything relating to this encryption suite of yours.

You tend to rag on AES encryption here yet mention nothing else. If you have looked at the 140-2 validation list, you’ll notice that you’re facing an uphill battle to get your fancy, never-before-seen cipher validated.

Open Source

Before you ask or comment, we have no plans to release any portion or portions of our code as Open Source. Those of you in the software community who are Open Source advocates are welcome to invest your time, effort and capital to develop a competitive data security solution and release it as Open Source…we encourage it. Go getem’ champs.

I’m certain that if you ever release this software that we’ll figure out how to decipher it without much effort.

Vulnerability Coordination & Bug Bounty Platform

We are currently coordinating efforts to provide the DataGateKeeper under strict guidelines to one or more vulnerability coordination platforms, such as Hackerone. Our plan includes inviting, predetermined, preselected software testers to leverage their skills and creativity to undertake periodic reviews of our data security solution to inspect for vulnerabilities and assist us future planning and software updates. We will use this form of Bug Bounty Platform to provide independent testers a voice to aid us in future developments and testing before updates are published.

Don’t see you listed on HackerOne yet.

They’ve also changed who they’re going to give part of the proceeds post KickStarter to. Here’s the original statement:

MyDataAngel.com is proudly participating in Kicking It Forward Initiative, promising to pledge 5% of its post-release profit to other Kickstarter projects.

And now they’re just going to give their software to an organization of a backer’s choice instead of money to Kicking It Forward:

When you visit our website you will see we plan to make available, two versions of our DataGateKeeper software. One available here on Kickstarter, our Civilian version, at 512-bit, and a second 768-bit version for our First Responders, Active Duty and retired Military personnel. We designed the 768-bit version of the DataGateKeeper for those individuals who protect us and run into danger so we don’t have to.

As a thank you to you and the Kickstarter community for supporting us, for every reward pledge we receive for our DataGateKeeper software during this campaign. We will award a complimentary lifetime subscription of our 768-bit First Responder DataGateKeeper Software including 500GB of our SafeDataZone in your name to one of the organizations listed in our post campaign survey, tending to the people who protect our lives and our liberty. They should not have to worry about data theft when their mission is far greater.

Support “are” troops right? Nothing says patriotism like shoving bogus crapware on to veterans.

In a (not so) surprising move, they’ve gone and removed any details about themselves from the KickStarter, minus a few quips remaining in the bottom text. For posterity, here’s a mirrored copy:

[Mirrored image of the KickStarter team section]

Again, these people are:

  • Raymond Talarico, CEO
  • Debra Towsley, President (and wife of Raymond)
  • Frank Ruppen, Chief Strategy Office
  • Joshua Noel, Creative Director
  • Loreena Stanga, Cat Herder & Code Management
  • Jensen Dillard, Data Angel Host
  • Steve Talbot, Advisory Board
  • Chad Thilborger, Data Angel & Host
  • David Smith, Advisory Board
  • Frankie, Data Angel & Celebrity

If you’re trying to make yourselves seem more legitimate, removing details about who is on your team late in the game is not a way to do it.

[Kicktraq Mini chart: DataGateKeeper: The FIRST Impenetrable Anti-Hacking Software]

If this makes it to the $20,000 by the end of the campaign, they’ve had someone pump it.

MyDataAngel.com is not new and is an outright scam

This is a repost from an earlier blog entry on a bogus KickStarter posted on May 17.

As evident in this KickStarter and this other one, we’ve seen countless snake oil being peddled to helpless people who are only looking to protect themselves on the Internet. Well, this time we have a product called DataGateKeeper (DGK), and they’re looking for $25,000. Their claims are that it’s anti-hacking software that provides encryption levels far more advanced than AES.

Because I hate this sort of crap, I figure it’s time to document who these people are and what the product actually is. I should note that I initially wondered if it was a troll (as did Bruce Schneier), but I am now convinced that it is a scam.

I am going to refer to this as MyDataAngel.com or “MDA” as there’s a tonne of confusion here due to the iterations this software has gone through. What they’re selling is not only not new, attempts have been made to sell it under many different names with various other people involved.

I’d like to thank Ryan O’Horo for helping to form the timeline and provide other tidbits.

Meet the Team

Here’s an image from their KickStarter:

It helps to know who these people are in order to paint a picture of what we’re dealing with.

  • Raymond Talarico (CEO) – once sued over a suspected embezzlement of $30,000 (via the SEC) from a company he was formerly CEO and founder of, Raymond is the CEO of MyDataAngel.com. Formerly, he was a director of FileWarden.com, which has a relationship with MDA, until July of 2014. Talarico is also President of American Pacific Rim Commerce Group (APRCG).
  • Debra Towsley (President) – Debra has worked alongside Raymond for at least a decade and was cited in the aforementioned SEC document. She was formerly president (and later CEO) of the company Talarico founded. There are claims that she worked as Director of Marketing for Blockbuster in Florida and she has been cited as involved in several other companies. She has recently taken to scrubbing her LinkedIn profile for some reason.
  • Frank Ruppen (Chief Strategy Office) – a Harvard Business School graduate, having worked at large companies such as Procter and Gamble (as claimed in his LinkedIn), Frank is the founder of Forward Associates, a “brand management” company whose mission statement is to provide 404 pages. I should also note that the use of “Office” in his title is not a mistake on my part.
  • Joshua Noel (Creative Director) – the creative director and likely cameraperson behind the useless videos that were incorporated into the KickStarter. Formerly a YouTube LetsPlay turned wedding videographer, Joshua now finds that his business address is being shared with MDA’s.
  • Loreena Stanga (Cat Herder & Code Management) – an arts student, turned code manager for MDA. She has recently deleted her LinkedIn and Twitter accounts.
  • Jensen Dillard (Data Angel Host) – host of the dumb KickStarter videos, she left her job as an employee at a veterinarian hospital to host a fake newscast.
  • Steve Talbott (Advisory Board) – you can refer to him as “Captain Steve” as he runs a yacht tour company in the Florida Keys.
  • Chad Thilborger (Data Angel & Host) – a TV food personality who’s best known for some South Floridan TV show and shoving a tonne of what I can only assume is parsley into his mouth.
  • David Smith (Advisory Board) – probably one of the most generic names possible, I was unable to get any information on him so I have nothing snarky to say.
  • Frankie (Data Angel & Celebrity) – likely the most intelligent individual amongst this team as it’s nothing more than a lousy skeletal model that they use as a gag prop in their videos.

There have been other people involved in the past but I will mention them as I go along. For the most part, the two people of interest should be Towsley and Talarico. I will also mention that there are no cryptographers working for them.

Update – 20-05-2016

It turns out that Talarico and Towsley are married. You can read this claim in this article from 2006:

Talarico joined family and friends in watching his filly J P Sage take the lead near the final turn and trot on to win the night’s 10th race. Talarico, his wife Debra Towsley, and their group then posed with J P Sage for the traditional winner’s circle photo.

This detail will help paint a picture of what is going on with this KickStarter. Thanks to Stephen Tinius for pointing out his involvement with APRCG and his relationship status with Towsley.

Before MyDataAngel.com, there were other iterations

Here are some names we should make ourselves familiar with before we go on about how the timeline makes no sense:

  • Centuri Cryptor
  • FileWarden.com

And here’s a cropped copy of their KickStarter timeline up until now:

Let me give you guys a better timeline that is more factual:

1997-01-21 Raymond Talarico incorporates Sci-Fi Megaplex in Fort Lauderdale, FL florida.intercreditreport.com
1998-01-01 Debra Towsley serves as VP of business development for Sci-Fi Megaplex sec.edgar-online.com
1998-07-05 SOFNET, Inc. a/k/a SOFTNET, Inc. is incorporated by Raymond Talarico and Glenn Jackson in Florida search.sunbiz.org
2000-09-01 Raymond Talarico resigns from Sci-Fi Megaplex sec.gov
2001-03-16 SEC announces fraud scheme at Hawa Corporation involving future FileWarden.com director Ilona Alexis Mandelbaum of West Palm Beach, FL sec.gov
2001-01-01 Raymond Talarico and Debra Towsley found Medirect Latino Inc. sec.edgar-online.com
2001-01-22 Sci-Fi Megaplex files for bankruptcy bizjournals.com
2001-09-21 SOFNET, Inc. is dissolved search.sunbiz.org
2002-01-01 Raymond Talarico founds MGI Consultants Inc. companiess.com
2002-07-19 MEDirect Latino, Inc. incorporated by Raymond Talarico and Debra Towsley in Florida search.sunbiz.org
2003-07-22 State of Wisconsin issues C&D against SOFNET, Inc., Raymond Talarico, and Glenn Jackson for selling unregistered securities wdfi.org
2005-01-01 IntelaKare Marketing Inc. a/k/a ikarma Inc. otcmarkets.com
2005-11-29 Success Exploration and Resources, Inc. (SE&R), a mineral exploration company, incorporated in the State of Nevada nasdaq.com
2006-10-16 Three directors resign from MEDirect Latino, Inc. citing irregularities sec.edgar-online.com
2007-02-14 Ilona Alexis (a/k/a Roza) Mandelbaum files for bankruptcy in Florida Southern Bankruptcy Court plainsite.org
2007-07-11 MGI Consultants Inc. incorporated in Nevada by Debra Towsley nvsos.gov
2007-11-09 MEDirect Latino Inc. goes into default with several lenders globenewswire.com
2008-01-23 HSC Holdings, LLC incorporated in Florida by Ilona Mandelbaum search.sunbiz.org
American Pacific Rim Commerce Group (APRM) and MGI Consultants
2010-01-01 According to a LinkedIn account, Centuri Global is created and claims to come from Hobe Sound, Florida linkedin.com
2010-05-21 Fraud lawsuit filed against HSC and Ilona Mandelbaum in Texas nasdaq.com
2010-06-22 Ilona Mandelbaum and HSC Holdings sued for fraud in Texas court dockets.justia.com
2011-01-28 SE&R website snapshot successexploration.com
2011-02-28 IntelaKare spins off Medtino Inc. otcmarkets.com
2011-06-07 SEC suspends trading of American Pacific Rim Commerce Group (APRM) sec.gov
2011-10-10 SEC filing connecting SE&R in Ontario and Nevada sec.gov
2012-03-15 Secured Income Reserve, Inc. incorporated in Delaware, Ilona Alexis Mandelbaum and Matthew H. Sage, Executive Officers bizapedia.com formds.com
2013-07-13 centuriglobal.com registered research.domaintools.com
2013-07-30 SE&R stock purchase agreement entered into by HSC Holdings, LLC and Matthew H. Sage, then appointed Officer and Director, Alexander and Jonathan Long resign as Executive Officers marketwatch.com
2013-07-30 SE&R change their SIC code from Metal Mining to Computer Processing and Data Preparation sec.gov
2013-08-22 Centuri Cryptor demo video posted to Youtube by Nick M. youtube.com
2013-09-06 Ilona Mandelbaum appointed Secretary and Director at SE&R bloomberg.com
2013-09-11 Question regarding Centuri Cryptor was posted to SpiceWorks community.spiceworks.com
2013-10-04 Centuri Cryptor website appears on the Internet. Matthew H. Sage is cited as COO and Henry Mandelbaum is CTO. Nick McCord is cited as software and network administrator. centuriglobal.xtreamsolution.com
2013-10-13 Centuri Cryptor Twitter account created twitter.com
2013-10-15 Raymond Talarico is compensated by SE&R for services through his majority owned company IntelaKare Marketing, Inc. with 129,400 shares of common restricted stock of SE&R and a $10,000 monthly payment. sec.gov
2013-10-18 Centuri Cryptor claimed to have been presented at a nameless show at the Jacob Javits Center in New York City to a crowd of 40,000 people. Said convention centre held the PIX11 Health and Wellness Show and 135th International AES Convention that weekend. healthexpo.pix11plus.com aes.org
2013-10-18 Alan Edwards of Whitehorse Technology Solutions LLC registers unbreakable-encryption.com and provides details on Centuri’s unbreakable status unbreakable-encryption.com
2013-10-22 “Alan9701” of Whitehorse Technology Solutions LLC claims to have demoed the application and found it uncrackable. It was his first response to any SpiceWorks community message. community.spiceworks.com
2013-11-21 Matthew Sage registers FileWarden.com with Centuri Global as the registrant organization.
2013-11-27 Talarico registers xtremehacker.com, xtremehackergames.com, hackmeifucan.com
2013-12-11 Raymond Talarico registers MoneyWarden.com, reflecting the FileWarden branding
2014-01-29 Raymond J. Talarico appointed CEO of SE&R bloomberg.com
2014-02-12 SE&R files name change with SEC for FileWarden.com sec.gov
2014-03-28 FileWarden.com’s Matthew H. Sage applies to operate a business in the State of Florida. Raymond Talarico is cited as President and Director. search.sunbiz.org
2014-07-11 Raymond J. Talarico resigns as Director of Filewarden.com bloomberg.com
2014-07-11 Talarico registers idataangel.com, mydataangel.com
2014-07-14 FileWarden.com delisted from OTCBB bloomberg.com
2014-07-16 Talarico registers datagatekeeper.com
2014-11-15 Talarico registers safedatazone.com
2014-11-17 State of Wisconsin issues C&D against Secured Income Reserve, Inc., Ilona Alexis (a/k/a Roza) Mandelbaum, Matthew H. Sage. David A. Zimmerman, and Tamda Marketing, Inc. for selling unregistered securities wdfi.org
2014-12-01 MyDataAngel.com, Inc. incorporated in Florida by Debra Towsley search.sunbiz.org
2015-02-04 Talarico registers mydataangle.com
2015-02-09 FileWarden demo video posted to Youtube by “Nick Scott” youtube.com
2015-08-08 Talarico registers datagatekeeper.tv, safedatazone.tv
2015-09-11 Talarico creates a demo video on how MDA works youtube.com
2015-09-12 Talarico registers dataincidentreport.com, miangeldedatos.com, mydatatv.com, worlddataheadquarters.com
2015-09-18 “About MyDataAngel.com” posted on Youtube youtube.com
2015-10-23 Talarico registers safedatasolution.com
2015-11-11 MyDataAngel.com issues an “executive brief” Mirror
2015-11-24 dataangel.news is registered by Raymond Talarico
2015-12-10 MyDataAngel.com issues a year-end update for its investors. Mirror
2015-12-16 MyDataAngel.com issues a PowerPoint presentation with an overview of their new product. Henryk (Henry) Mandelbaum is cited as CTO, Raymond Talarico as Founder and CEO, and Debra Towsley as Founder and President. Mirror
2016-01-15 Talarico registers edatabuzz.com, edatanews.com, edatatareporter.com
2016-04-01 Installation tutorial posted youtube.com
2016-04-01 First use tutorial posted youtube.com
2016-04-05 DataGateKeeper help document created. Mirror
2016-05-13 MyDataAngel.com KickStarter is launched. kickstarter.com

So what does this all mean? For one, the individuals involved have been scheming for years through the use of holding companies to launch their own ventures.

Sometime shortly before 2010, Centuri Cryptor was written although based on its design, it’s really tough to say if it was not started earlier, had an incompetent programmer involved, or was actually written later than what is claimed on LinkedIn. The use of controls reminiscent of Windows 3.1 is really confusing. The first evidence of the application in use does not appear on YouTube until the summer of 2013.

It is at this point that Ilona Mandelbaum arranged a compensation package for Raymond Talarico’s involvement in HSC Holdings (the assumed owner of Centuri) several months after Mandelbaum’s mining company transitioned into a technology one. A website was launched mentioning Henry Mandelbaum as CTO and Matthew Sage as COO.

Immediately following Talarico’s involvement, promotion of Centuri began via Twitter and a supposed, nameless conference in New York City. All of this appeared to be very feckless and a non-starter however.

At some point, Matthew Sage created FileWarden.com and transitioned Centuri over to that company with him and Talarico at the helm. Talarico then resigned from FileWarden just four months later, shortly before Mandelbaum and Sage were issued a cease and desist order by the State of Wisconsin for their business activities in another organization.

Eight months later, Talarico registers MyDataAngel.com, with Henry Mandelbaum (a relative of Ilona) as CTO, Talarico as CEO, and Debra Towsley as President. In November of 2015, work begins on creating a KickStarter and involvement of investors is suggested. And now in May 2016, we have the KickStarter where they’re asking for $25,000 USD but with no mention of Henry or Ilona Mandelbaum.

Does the application even exist?

It’s really tough to say, but probably? The aforementioned YouTube video shows it in use, but there are a lot of problems with its claims.

The claim that it uses a kilobyte-sized keyspace is absurd, and the idea that AES is weak by comparison is just as absurd. They offer fifty to one-hundred year protection, whereas with a correct implementation of AES you could be waiting until the heat death of the universe to brute-force the data.
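To put numbers on that comparison, here is an added brute-force cost estimate (example code written for this post, not anything from MyDataAngel or any other vendor). It assumes a purely hypothetical attacker rate of 10^18 key trials per second and works in the log domain so that an 8192-bit "kilobyte" key can be compared without overflowing a float. The reverse calculation shows what "fifty to one-hundred year protection" actually amounts to in key bits against that attacker: far fewer than AES-128 already provides.

```python
import math

SECONDS_PER_YEAR = 365.25 * 86400       # Julian year, in seconds
UNIVERSE_AGE_YEARS = 1.38e10            # approximate age of the universe

# Hypothetical attacker rate used throughout (an assumption, not a measurement):
# 10^18 key trials per second is far beyond any known brute-force capability.
ASSUMED_RATE = 1e18


def log10_years_to_exhaust(key_bits: int, keys_per_second: float = ASSUMED_RATE) -> float:
    """log10 of the years needed to try every key of a key_bits-bit cipher.

    Computed in the log domain: 2 ** 8192 / 1e18 would raise OverflowError when
    converted to float, but its logarithm is a small, comparable number."""
    return (key_bits * math.log10(2)
            - math.log10(keys_per_second)
            - math.log10(SECONDS_PER_YEAR))


def outlives_universe(key_bits: int, keys_per_second: float = ASSUMED_RATE) -> bool:
    """True when exhausting the keyspace takes longer than the universe has existed."""
    return log10_years_to_exhaust(key_bits, keys_per_second) > math.log10(UNIVERSE_AGE_YEARS)


def bits_exhausted_within(years: float, keys_per_second: float = ASSUMED_RATE) -> float:
    """Key length (in bits) that the attacker could exhaust completely in `years`.

    This is the reverse question: a vendor promising 'N years of protection'
    against this attacker is, at best, promising a keyspace of this size."""
    return math.log2(keys_per_second * years * SECONDS_PER_YEAR)


def summary(keys_per_second: float = ASSUMED_RATE) -> dict:
    """Collect the figures for the key sizes discussed above."""
    return {
        "log10_years_128": log10_years_to_exhaust(128, keys_per_second),
        "log10_years_256": log10_years_to_exhaust(256, keys_per_second),
        "log10_years_8192": log10_years_to_exhaust(8192, keys_per_second),
        "bits_for_50_years": bits_exhausted_within(50, keys_per_second),
        "bits_for_100_years": bits_exhausted_within(100, keys_per_second),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:>20}: {value:.2f}")
```

Read the output as orders of magnitude: AES-128 alone needs on the order of 10^13 years at this rate, roughly a thousand times the age of the universe, and going to 256 or 8192 bits adds nothing an attacker could ever feel. Meanwhile a promise of "100 years" corresponds to about 91 bits of keyspace against the same attacker, so the marketing claim, taken literally, is weaker than the cipher it disparages.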

MyDataAngel, DataGateKeeper, Centuri Cryptor, FileWarden, or whatever it is called is complete garbage. They don’t need $25,000 to launch this application: it’s already available, or at least it was.

Here it is in 2015 (as FileWarden):

And here it is in 2013 (as Centuri):

And here’s Talarico’s video of him using it with Centuri’s name being mentioned:

Lastly, for shits and giggles, here are some amusing folders:

Whose ethics?

My problem

KickStarter’s lack of involvement in addressing these scams is really distressing, as there is no legal recourse for someone in the event that a campaign doesn’t follow through on its promises. This is the third time we’ve seen a campaign for outlandish security software, and I am willing to believe that there will be no response from KickStarter on preventing new ones in the future. It’s really up to us as a community to pressure these snake oil products into never seeing the light of day.

Raymond Talarico and Debra Towsley don’t need the $25,000 either. As evident in the PDFs I’ve linked to, they claim to have investors and based on the YouTube videos, the software already exists.

This is probably not the last time we’ll have to write about this sort of thing either.

I’ll close off with this: someone forgot to re-register centuriglobal.com, the former domain of Centuri Cryptor so it now redirects to this blog piece.

Sever and the idiocy within

This is a repost of an exposé of an earlier KickStarter from May 2015.

A few days ago, I posted some e-mails depicting an actual exchange between myself and a group calling themselves “Rogue Foundry” who are presently engaged in a Kickstarter campaign. The product they’re trying to sell is a box called “Sever” that promises complete anonymity when used between you and the Internet.

As stated from their Kickstarter, it makes the following claim:

Sever™ is an embedded forced routing, peer to peer internet networking device with inherent DNS security protections built in, individual packet encryption, a data containment engine, and IP obfuscation capabilities.  Its engineered to make what you do online private, faster, and untraceable! Its designed to work with your existing internet hardware and setup takes only minutes. 

Sever™ enhances secure network communications, secures wired and wireless devices and networks including mobile devices, PCs, servers, and other Internet Protocol based systems. 

Devices like this are not really new, as the more recent example of Anonabox makes use of a similar sort of tactic–ignoring that particular device’s shortcomings here, of course.

However, what got my attention were the following two claims on the Kickstarter page itself:

Increase network speeds up to 10X

[…]

Sever™ shreds your data into billions of tiny data packets, encrypts each one with a powerful new encryption algorithm developed to STOP villains dead in their tracks and keeps you, what you do and your data from those you don’t want to have it. 

These are fairly outlandish claims as not only are they stating that they can turn your 25 Mbps network connection up to 250 Mbps, they’re claiming that they’ve developed a whole new encryption algorithm–did they roll their own crypto?

It all started with a tweet and then Twitter going nuts about it the next morning. I figure I’d write my observations into a post here and let you know what I know about Sever and Rogue Foundry.

If you’re looking for a good backgrounder besides my e-mails, I also suggest reading 0xabad1dea’s account.

Who are these Rogue Foundry guys?

It has been a bit hard to determine who works for them, but I have managed to find out that they are a registered corporation in the state of Delaware but have based their operations in Dracut, MA according to this corporation registrar. Because we have these corporation details, we know who’s on their board.

Name                        Role
Anthony (Tony) McDermott    President, Treasurer, Director
Jay C. Grant                Secretary
William Edwin Bridgeford    Director
Joe Burleigh                Director

Besides this board, what I have been able to determine from e-mails with a few people is that there are at least two to four videographers amongst their organisation (which explains this corny video). One of the videographers is a local musician and another one also holds a job at a local Apple store–I have chosen not to link to any details on these individuals. As for the other two, I haven’t worked out who they are or if they exist. Having said that, there is no evidence so far that they even have anyone working on the software at their organisation. There is only one employee mentioned on LinkedIn having association with the corporation.

Tony McDermott has been mentioned in the news alongside his daughter advocating for bulletproof glass to be installed in all public schools. In the article, he’s cited as owning a company called “Critical Clouds”, which the article describes as a “highly specialized security-software company based out of his Wheeler Road home in Dracut”. The only details I could glean on this company came from stories related to the aforementioned news article. He does have several domains connected to him, including scumbags.us and tonymcdermott.com.


In my e-mails with Tony, he cites that he has someone on his executive board who was responsible for “the day-to-day operations of the President’s network”. Well, that is likely true: Jay C. Grant has indicated on his LinkedIn he worked at the White House–except it was for less than four months and it was merely a role to supervise the operations centre. Jay is pictured in the KS page as the individual standing top-left.


I have very little to no information on Joe Burleigh other than he has posted a job opening for a part-time PHP and “Pearl” developer back in mid-March–normally I wouldn’t rag on spelling mistakes, but “Pearl” is used twice. William Bridgeford is cited as a retired photojournalist but other than that there isn’t much information on him.


In Tony’s second e-mail to me, he mentions Pete Ochinko, who he states is a “former United States Secret Service Presidential Protection Lead”–but unlike the others, Pete is not listed on the official corporate registrar. This sort of title makes it seem that, just like Jay, Pete worked for the US government. According to this press release there is some supposed truth in this:

Ochinko retired from the United States Secret Service in 2002 after a 20-year career with the agency. His assignments included the White House, Baltimore Field Office, Miami Field Office, Counter Assault Team, Washington Field Office, Mobile, Alabama Field Office and West Palm Beach Resident Agency. His duties included developing comprehensive security plans for Presidential, Vice Presidential and Foreign Dignitary visits both domestically and around the world.

None of these guys have any real computer security background other than manning an operations centre and their activities on the Internet have been limited to press releases and LinkedIn profiles. Backgrounds are being embellished here a bit much to say the least.


No known cryptographers and no known software developers, but at least four to five executives with very little technology background overall and two to four videographers–one of which has made some half-decent music. How can we trust that they’ll put out a product that does as they say?

What is the supposed technology behind Sever?


Tony decided to e-mail me with details on their underlying technology using a brochure that only gave me a high-level overview of everything that offered nothing substantial. It took a bit to cut through what the product was trying to describe itself as but here’s the important bit:

the data is broken into packets and sent through multiple constantly randomized pathways via the various servers, PCs, tablets, and smartphones that comprise the Dispersive Technologies Spread Spectrum IP™ network. […] In fact, the multi-stream strategy is so hack-proof, Dispersive Technologies’ original product didn’t leverage traditional encryption at all!

In its own words, it tries to spell out that it chops up the data into smaller chunks, reorders them in some fashion, and then transmits them without engaging in any encryption–effectively, it reads as if it is a scytale cipher of sorts. Since there has to be a method to decipher what is being received, it should be trivial to determine the order required to successfully reassemble the data without needing to be an authorised recipient of the data.
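The point that transposition alone is not confidentiality can be shown in a few lines. The following is an added toy model written for this post; it is not Sever’s or Dispersive’s code, and the sample traffic is constructed. It models the “shred, reorder, send over several pathways, no encryption” scheme exactly as the brochure describes it: every chunk still carries its plaintext bytes plus the sequence number the recipient needs, so anyone who sees the chunks can do what the recipient does, and even an observer on a single pathway reads plaintext fragments.

```python
import random

# Constructed sample traffic standing in for a user's data (not a real capture).
SAMPLE = b"GET /account HTTP/1.1\r\nCookie: session=constructed-example-token\r\n\r\n"


def shred(data, chunk_size, seed):
    """Transposition-only 'shredding': split data into numbered chunks and emit
    them in a shuffled order. No encryption is applied, so each chunk carries its
    plaintext bytes, and the sequence number needed to reassemble travels with it.
    `seed` fixes the shuffle so the example is reproducible."""
    count = -(-len(data) // chunk_size)          # ceiling division
    chunks = [(i, data[i * chunk_size:(i + 1) * chunk_size]) for i in range(count)]
    random.Random(seed).shuffle(chunks)
    return chunks


def reassemble(packets):
    """Intended recipient: order by sequence number and concatenate."""
    return b"".join(payload for _, payload in sorted(packets, key=lambda p: p[0]))


def observer_recovers(packets):
    """An on-path observer who is not the recipient runs the identical procedure.
    Nothing in the packets is secret, so 'decipher' and 'receive' are the same step."""
    return reassemble(packets)


def split_across_paths(packets, path_count):
    """Spread the shuffled chunks round-robin over several 'pathways'; returns the
    list of payloads visible on each path. Models the multi-pathway claim."""
    views = [[] for _ in range(path_count)]
    for n, (_, payload) in enumerate(packets):
        views[n % path_count].append(payload)
    return views


def exposed_on_path(view, needle):
    """Whether an observer limited to one pathway still sees `needle` in the clear."""
    return any(needle in payload for payload in view)


if __name__ == "__main__":
    packets = shred(SAMPLE, 8, seed=7)
    print("observer recovers:", observer_recovers(packets) == SAMPLE)
    for n, view in enumerate(split_across_paths(packets, 3)):
        print(f"path {n} plaintext fragments:", view)
```

What changes the picture is encrypting each chunk under a key the observer does not hold (with an authenticated cipher, so reordering or tampering is detected as well), which is what the later SafeLogic passage describes Dispersive being pushed into adopting. Splitting and shuffling plaintext only decides which observer sees which fragment; it hides nothing from any of them.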

Of course, nobody in their right mind would want to use such a method to encode their data. Governments and organisations agreed and as such Dispersive Technologies was forced to add encryption.

Dispersive began to experience resistance from procurement officers because the networking system did not incorporate encryption – traditionally a foundational element of every competitive product in the space. Despite Dispersive Technologies’ reservations, it was clear that encryption would be required to grow market share.

[…]

SafeLogic’s CryptoComply module contains a variety of NIST-validated algorithms, allowing Dispersive to dynamically assign each pathway to be encrypted with an entirely different algorithm. This flexible, multi-stream, multi-algorithm system makes the Dispersive Technologies network incredibly secure, and provides an added level of security over traditional single-algorithm, single-stream data networks. The assortment of CryptoComply’s encryption schemes meshed perfectly with Dispersive’s strategy; depending on user needs, customers can configure various pathways and mix-and-match with any number of encryption algorithms.

And we can see that we have NIST-validated algorithms at play here. We can also confirm via NIST themselves that SafeLogic had gone and submitted details for validation:

-FIPS Approved algorithms: AES (Cert. #2273); HMAC (Cert. #1391); DSA (Cert. #709); ECDSA (Cert. #368); RSA (Cert. #1166); SHS (Cert. #1954); Triple-DES (Cert. #1420); DRBG (Cert. #281); CVL (Cert. #44); RNG (Cert #1132)

-Other algorithms: RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength).

Where does the 10x speed come into play? Well in the document that was provided, it makes the following claim:

The system inherently features redundancy and load balancing, and alleviates bandwidth bottlenecks at the servers. The result is a 2x­-5x increase of network speed, a reduction in network traffic by up to 50%, and a significant improvement on traditional networks.

Well, that’s not “10x speed”, but really I question whether the SafeLogic technology can even achieve this the way Sever implies, considering the laws of physics and whatnot. Technologies like this have been bandied about before without living up to their promises, or have ended up as vapourware altogether.

Now, for Tony, who has previously run a specialised computer security company, why can’t he answer with that? Of course, he doesn’t himself know what crypto his product uses, because on Twitter he went on about two unrelated crypto products instead:

These two products are not like SafeLogic’s and nowhere in the document that they submitted to NIST does it mention HAIPE, which is what these two use.

Needless to say, I believe Tony does not know what his product does and has no clue about cryptography in general. For someone who, again, previously ran a specialised computer security company, not knowing much about the cryptography in their highly-hyped product should be damning enough.

Why are you picking on these guys anyway?

To put it simply: I hate snake oil and abhor claims from security vendors that they have the holy grail of security.

To elaborate: one of the problems with the information security (or “cyber security”) industry is that there are a lot of players. A lot of people within the sector are quite good and I am privileged enough to consider many involved to be good friends and people I overall like.

However, with more players comes a larger number of people who choose to throw away ethics or common sense and come out with claims about how great their product is that are akin to the discovery of unicorns. Attrition has done a great job documenting the problems certain individuals have brought upon the industry, and it is worth a read if you’re still having doubts about what I am saying. It should be noted that there are many other problems too, but that is a discussion for another time.

In the case of Rogue Foundry, if they have a product as good as they say they do, they wouldn’t need your Kickstarter money. Such a device that promises to make you “hacker-proof” would have larger vendors clamouring all over the technology. We don’t see that going on here and as such you should take that as evidence enough that the product wouldn’t work were it to actually exist. Just because the technology was featured at RSA this year does not mean that it’s worth having. I am certain that if I were to sit down and bother, I could find many examples of technologies promoted at the conference that ended up being nothing more than smoke and mirrors.

Instead of answering my questions about their background and history, they opted to go silent for two days. When they did speak up, they did not follow through on their promise to update their Kickstarter with answers to my questions, and instead made a video mocking those who called them out on their idiocy. I guess this is what you should expect from a company that has a handful of executives in addition to a handful of videographers.

Rogue Foundry’s Sever doesn’t work and there’s more than enough evidence to say that.