[ISN] Product Review: NOVaSTOR DataSAFE

From: cult hero (jerichoat_private)
Date: Sun Jun 06 1999 - 09:42:53 PDT

    From: "L. Sassaman" <rabbiat_private>
    Product Review: NOVaSTOR DataSAFE
    L. Sassaman
    The NOVaSTOR web site (http://data-encryption.com/index.html) makes this
    bold claim regarding their DataSAFE product:
    "Password Protect, Compress and Encrypt your Files and Email Protect your
    data from prying eyes! The DataSAFE family of encryption software stores,
    transmits and receives electronic files securely. Protect your sensitive
    files and data from prying eyes, whether on your PC or over the Internet
    and World Wide Web. DataSAFE encrypts your data with BLOWFISH or RSA
    secure algorithms which have never been broken, and can encrypt and
    protect every type of file on every kind of media."
    The benefits of using this software package are clear, according to the
    company. "DataSAFE is the only encryption software on the market that lets
    you send secure documents to people who do not have the program."
    Apparently, for a mere $39.50, one can have a quick, easy way of sending
    secure files to anyone with a computer. When using this product, the sender
    uses the program to generate a .exe file, encrypted with Blowfish, that he
    then sends as an attachment through email. The recipient does not need to
    have any additional software on his computer, as the encrypted message
    runs by itself (popping up a cute safe, which spits out the plain-text
    when the correct combination is entered.)
    Now, obviously, this lacks all the benefits of public key cryptography.
    (The key, or "combination to the safe" must be delivered to the recipient
    in some manner deemed secure. We are now back to the days of relying on
    couriers with hand-cuffed brief-cases for security. The web page steps
    over this issue, merely saying "you send [the key] separately".) The
    product offers no identity verification for the author or originator of
    the file being transferred. In addition, the .exe generated is a potential
    carrier of virii, and only works on Microsoft systems. (Though a Java
    version is promised.)
    The product white paper
    (http://data-encryption.com/datasheets/ds_white.html) makes this absurd
    statement regarding public key cryptography (PKC):
    "Public key encryption was discarded because it is too difficult to
    establish key exchange with third party organizations running a variety of
    computer hardware, mail systems and security programs. For example, a
    typical law office needs to be able to send secure documents to a wide
    range of client organizations, each having their own unique combination of
    computers, mail and security systems."
    PGP, and its free clone released under the GPL, GnuPG, are perfect
    examples of secure PKC that are easily implemented across a variety of
    computer hardware, mail systems and security systems. There is an
    established network of public key servers that is widely used by nearly
    every combination of software and hardware across the entire Internet.
    (http://pgp.ai.mit.edu/ is one such server.) DataSAFE, however, is
    not available except on systems running the correct versions of Microsoft
    operating systems.
    The closing statement on the product white paper offers this explanation
    for the product's design:
    "It should be recognized that BLOWFISH is just one of many excellent
    encryption algorithms. In real life situations the security provided
    depends much more on the user's ability to make use of the software than
    the mathematical underpinnings of the encryption engine. The NOVaSTOR
    DataSAFE strives to be so simple to use that people are willing and able
    to secure their files."
    Granted, the best encryption software in the world is useless if people
    won't use it. But, in my opinion it is far more dangerous to lure people
    into a false sense of security. Products like DataSAFE could possibly
    encourage someone to reveal sensitive material on electronic
    correspondence that he would otherwise have been reluctant to communicate.
    It is my recommendation that DataSAFE not be used by anyone requiring
    anything more than casual security. The freely available GnuPG
    (http://www.gnupg.org), and the inexpensive PGP (www.pgp.com) offer the
    best system for secure email communication available, and should be used
    by anyone who is concerned about privacy. Products like DataSAFE should be
    set aside, along with the secret decoder ring from the breakfast cereal
    L. Sassaman
    System Administrator                | "What's true in our minds is true,
    Technology Consultant               | whether some people know it or not."
    icq.. 10735603                      |
    pgp.. finger://ns.quickie.net/rabbi |                    --Robin Williams