[ISN] Selling secure laptops no open, shut case

From: InfoSec News (isnat_private)
Date: Thu Jul 18 2002 - 05:26:13 PDT


    By Declan McCullagh 
    Staff Writer, CNET News.com
    July 18, 2002, 4:00 AM PT
    NEW YORK -- Rop Gonggrijp admits that it's not a promising time to
    start an Internet privacy company.
    The founder of NAH6 knows all about flops such as Privada, abandoned
    software such as PGP and SafeWeb, and struggling firms such as Zero
    Yet Gonggrijp believes it's possible for his new company to find
    buyers for its innovative products, which include an encrypted PC, a
    secure cellular phone and a better way to do secure e-mail. To
    encourage broad adoption, Amsterdam-based NAH6 plans to release much
    of its work as open-source software for noncommercial use.
    "The roads of crypto business are littered with corpses left and
    right," Gonggrijp said in an interview here at the H2K2 hacker
    conference last weekend. "I think the only way to do this is to start
    small. See if you can find this yourself and grow gradually."
    NAH6 plans to release its first product, called Secure Notebook, with
    no price set so far, next month. It's a software application designed
    to appeal to business or government travelers who worry about losing
    their laptops but can't be bothered to encrypt each sensitive file on
    Statistics compiled by Safeware, a computer insurance company, say that
    in 2001 about 600,000 laptops were stolen, up 53 percent from the
    previous year. By contrast, thieves nabbed only 15,000 desktop computers.
    Even spies aren't immune from missing laptops. In 2000, Britain's
    Ministry of Defense admitted it lost 67 laptop computers during the
    previous three years, including ones with secrets about the peace
    talks in Northern Ireland, and the U.S. State Department has also lost
    classified laptops.
    Secure Notebook would be the first product to take the novel approach
    of running Microsoft Windows as a VMware guest on top of Debian
    GNU/Linux, with the underlying Linux layer keeping the guest's entire
    virtual disk encrypted on the physical hard drive.
    This closes a gap that other disk-encryption products such as PGPdisk
    leave open. Those products encrypt a volume from inside Windows, so the
    operating system's own virtual memory (swap) file and temporary files
    can still spill plaintext onto the unencrypted system disk. With the
    encryption sitting beneath the whole virtual machine, even Windows'
    virtual memory files and temporary files land on disk in encrypted
    form, so a corporate spy or thief who snatches a Secure Notebook gets
    only ciphertext and cannot read the data without the pass phrase and
    key.
    NAH6 won't market Secure Notebook itself. It plans to sell Secure
    Notebook, which requires at least a 1GHz processor and 512 MB of RAM,
    to laptop makers and resellers that target security-conscious
    customers. Noncommercial users will be able to download the Secure
    Notebook software at no cost, but they'll have to buy the necessary
    VMware application for about $300.
    Secure Notebook and NAH6's three other planned offerings have one
    thing in common: They're designed to build strong encryption into a PC
    or handheld device while shielding users from the oft-befuddling
    underlying complexity.
    "The crypto is well-hidden," Gonggrijp said. "There's no geekiness.
    There's no command line."
    Probably NAH6's most ambitious plan is a secure phone project, still
    at least half a year away from release with no price set. The idea is
    to turn the PocketPC, a hybrid of a handheld PC and cellular telephone
    that runs Windows CE, into a military-strength encryption device.
    Gonggrijp says that the software will be free for noncommercial uses
    and will let GSM users activate a scrambled communication channel by
    pressing a button.
    Security experts uniformly applauded the idea, but some questioned
    whether the current PocketPC platform was powerful and flexible enough
    for the project to succeed. Others doubted that there was sufficient
    demand among paying customers for either product.
    "Security is doomed"
    Jon Lasser, a security consultant in Baltimore and author of "Think
    Unix," says "security is doomed, as an industry."
    "People don't care about security," Lasser said. "Witness the
    astounding success of Web mail accounts through entirely insecure
    providers. Convenience trumps security every time."
    Peter Trei, an experienced engineer who works for a large encryption
    vendor, says, "At the moment, the vast majority of the people on the
    Net don't use crypto, see no need to, and aren't going to lift a
    finger to do so. That leaves you with the rather limited market of
    people who are activists in one sense or another, and people with real
    operational needs."
    Trei also said that governments that rely on wiretaps for intelligence
    or criminal investigation may not welcome encrypted laptops and
    cellular phones. "Things which thwart (surveillance) may become
    difficult to market, and could land users in hot water," Trei said. "I
    understand that Holland has one of the highest wiretap rates in the
    world. They could easily ban the crypto phone."
    NAH6's Gonggrijp doesn't seem worried. He's had experience battling
    government restrictions, both as the founder of the legendary Hack-Tic
    hacker magazine in the 1980s and co-founder of the Dutch Internet firm
    xs4all, which has hosted controversial Web sites during its 10-year
    "These things just need to be built," Gonggrijp said. "Everyone's
    screaming for it. These four projects represent about 70 percent of
    what people are demanding."
    Gonggrijp is funding the four-person start-up, which is about 9 months
    old and is based in his home in Amsterdam.
    A version of Secure Notebook seen by CNET News.com includes a
    graphical interface that allows users to choose between encryption
    strengths, make backups and type in their pass phrase to continue
    booting. The electronic key that, in combination with the pass phrase,
    unlocks the hard drives can be stored on a USB dongle.
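    The two mechanisms described above, a Windows guest whose virtual disk is
    encrypted by the Linux layer underneath it and an unlock that needs both a
    pass phrase and a key stored on a USB dongle, can be sketched in code. The
    following is an added illustration written for this page; it is not
    NAH6's Secure Notebook code and the article gives no implementation
    details. Assumptions: the two factors are combined with PBKDF2 and HMAC
    (how NAH6 did it is not described), the header layout is loosely modeled
    on a LUKS-style salt plus key check, the HMAC-SHA256 keystream stands in
    for a real disk cipher such as AES-XTS so the example runs on the Python
    standard library alone, and the guest's "document" and "pagefile" contents
    are constructed sample data.

```python
"""Sector-level encryption beneath a VM disk image, unlocked by pass phrase
plus USB dongle key. Example code for illustration, not NAH6's product."""
import hashlib
import hmac
import secrets

SECTOR = 512           # bytes per virtual-disk sector
PBKDF2_ROUNDS = 100_000
HEADER_SECTORS = 1     # sector 0: salt + key check (LUKS-like; an assumption)
KEY_CHECK_LABEL = b"disk-key-check"


def derive_disk_key(passphrase: str, dongle_key: bytes, salt: bytes) -> bytes:
    """Combine both factors into one 256-bit disk key (assumed construction).

    PBKDF2 over the pass phrase slows brute force; the key blob from the
    dongle is mixed in with HMAC, so the laptop alone gives a thief nothing
    to guess against: without the dongle bytes no pass phrase guess can be
    checked.
    """
    pw_key = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return hmac.new(dongle_key, pw_key, hashlib.sha256).digest()


def _sector_keystream(disk_key: bytes, sector_no: int) -> bytes:
    """Keystream bound to the sector number: equal plaintext in two sectors
    encrypts differently and any sector decrypts on its own.
    Caveat: a stream cipher leaks old XOR new to an attacker who sees a
    sector before and after a rewrite, which is why real disk encryption
    uses a tweakable block cipher (AES-XTS) instead of this stand-in."""
    out = bytearray()
    counter = 0
    while len(out) < SECTOR:
        msg = sector_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(disk_key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:SECTOR])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class EncryptedDisk:
    """Transparent encryption of every sector the guest VM reads or writes.

    The guest never sees the key: it works with plaintext sectors while the
    image on the physical drive holds only ciphertext, so the swap file and
    temp files are covered along with everything else."""

    def __init__(self, image: bytearray, disk_key: bytes):
        self.image = image
        self._key = disk_key

    @classmethod
    def create(cls, data_sectors: int, passphrase: str, dongle_key: bytes):
        salt = secrets.token_bytes(16)
        key = derive_disk_key(passphrase, dongle_key, salt)
        check = hmac.new(key, KEY_CHECK_LABEL, hashlib.sha256).digest()
        header = (salt + check).ljust(SECTOR * HEADER_SECTORS, b"\0")
        # Fresh data area is random so unused space looks like ciphertext.
        body = secrets.token_bytes(data_sectors * SECTOR)
        return cls(bytearray(header) + bytearray(body), key)

    @classmethod
    def unlock(cls, image: bytearray, passphrase: str, dongle_key: bytes):
        """Boot-time unlock: derive the key and verify it before continuing."""
        salt, stored = bytes(image[:16]), bytes(image[16:48])
        key = derive_disk_key(passphrase, dongle_key, salt)
        check = hmac.new(key, KEY_CHECK_LABEL, hashlib.sha256).digest()
        if not hmac.compare_digest(check, stored):
            raise PermissionError("wrong pass phrase or dongle key")
        return cls(image, key)

    def _span(self, n: int) -> slice:
        start = (HEADER_SECTORS + n) * SECTOR
        return slice(start, start + SECTOR)

    def write_sector(self, n: int, plaintext: bytes) -> None:
        if len(plaintext) != SECTOR:
            raise ValueError("sector writes must be exactly SECTOR bytes")
        self.image[self._span(n)] = _xor(plaintext, _sector_keystream(self._key, n))

    def read_sector(self, n: int) -> bytes:
        return _xor(bytes(self.image[self._span(n)]), _sector_keystream(self._key, n))


def demo() -> dict:
    """Lost-laptop scenario over constructed sample guest data."""
    passphrase, dongle = "correct horse battery staple", secrets.token_bytes(32)
    disk = EncryptedDisk.create(4, passphrase, dongle)
    document = b"budget.xlsx: Q3 acquisition target = ACME Corp".ljust(SECTOR, b"\0")
    swap = b"pagefile.sys: cached VPN password hunter2".ljust(SECTOR, b"\0")
    disk.write_sector(0, document)
    disk.write_sector(1, swap)

    stolen = bytes(disk.image)                     # all the thief gets
    thief_sees_secret = b"hunter2" in stolen or b"ACME Corp" in stolen
    owner = EncryptedDisk.unlock(bytearray(stolen), passphrase, dongle)
    try:   # right pass phrase, wrong (or missing) dongle
        EncryptedDisk.unlock(bytearray(stolen), passphrase, secrets.token_bytes(32))
        no_dongle_rejected = False
    except PermissionError:
        no_dongle_rejected = True
    return {"thief_sees_secret": thief_sees_secret,
            "owner_reads_swap": owner.read_sector(1) == swap,
            "no_dongle_rejected": no_dongle_rejected}


if __name__ == "__main__":
    print(demo())
```

    The point of the sector-level layer is that the guest cannot opt out: it
    has no unencrypted disk to spill a pagefile or temp file onto. The key
    check in the header is what lets the boot prompt tell a mistyped pass
    phrase from a correct one without ever storing the key itself.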
    NAH6's other products include a program called Crypt-o-Matic, a
    transparent way to PGP-encrypt and decrypt all incoming and outgoing
    mail. It works by intercepting messages between the mail client and the
    mail server, encrypting outgoing mail after it's sent and decrypting
    incoming mail before it reaches the inbox, with no action by the user.
    Crypt-o-Matic will be available in a few months, NAH6 says, and free
    for noncommercial use.
    Another offering is a patch to the popular Mailman mailing list
    software, sponsored by the Free Software Foundation. It upgrades
    Mailman to support encrypted mailing lists and will be released under
    the GNU General Public License.
    Even if its products turn out to be cloyingly friendly and
    easy-to-use, security experts seem pessimistic about NAH6's commercial
    chances. About the only way to make money in desktop security, they
    say, has been to own key patents like RSA Security did.
    "There's no money in desktop security," said Bruce Schneier, the CTO
    of Counterpane Internet Security, which sells intrusion detection
    services. "It's a tough world. Everyone likes to talk big about
    security, but no one really cares. Good luck to them."
    Perry Metzger, a security advisor at wasabisystems.com, speculated that
    NAH6's biggest impact may be political, not commercial.
    "I've seen a couple of people propose that before, including one who
    tried to start a company to do it," Metzger said about the encrypted
    phone. "My guess is that skill required to set such a thing up--even
    the minimal skill in question--might keep it from becoming mass

    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Thu Jul 18 2002 - 07:57:15 PDT