Friday, 1 May 2015

Sever and the idiocy within

A few days ago, I posted some e-mails depicting an actual exchange between myself and a group calling themselves "Rogue Foundry" who are presently engaged in a Kickstarter campaign. The product they're trying to sell is a box called "Sever" that promises complete anonymity when used between you and the Internet.

As stated from their Kickstarter, it makes the following claim:
Sever™ is an embedded forced routing, peer to peer internet networking device with inherent DNS security protections built in, individual packet encryption, a data containment engine, and IP obfuscation capabilities.  Its engineered to make what you do online private, faster, and untraceable! Its designed to work with your existing internet hardware and setup takes only minutes. 

Sever™ enhances secure network communications, secures wired and wireless devices and networks including mobile devices, PCs, servers, and other Internet Protocol based systems. 
Devices like this are not new really as the more recent example of Anonabox make use of a similar sort of tactic--ignoring that particular device's shortcomings here of course.

However, what got my attention were the following two claims on the Kickstarter page itself:
Increase network speeds up to 10X
[...]
Sever™ shreds your data into billions of tiny data packets, encrypts each one with a powerful new encryption algorithm developed to STOP villains dead in their tracks and keeps you, what you do and your data from those you don’t want to have it. 
These are fairly outlandish claims as not only are they stating that they can turn your 25 Mbps network connection up to 250 Mbps, they're claiming that they've developed a whole new encryption algorithm--did they roll their own crypto?

It all started with a tweet and then Twitter going nuts about it the next morning. I figure I'd write my observations into a post here and let you know what I know about Sever and Rogue Foundry.

If you're looking for a good backgrounder besides my e-mails, I also suggest reading 0xabad1dea's account.

Who are these Rogue Foundry guys?


It has been a bit hard to determine who works for them, but I have managed to find out that they are a registered corporation in the state of Delaware but have based their operations in Dracut, MA according to this corporation registrar. Because we have these corporation details, we know who's on their board.

Name Role
Anthony (Tony) McDermott President, Treasurer, Director
Jay C. Grant Secretary
William Edwin Bridgeford Director
Joe Burleigh Director

Besides this board, what I have been able to determine from e-mails with a few people is that there are at least two to four videographers amongst their organisation (which explains this corny video). One of the videographers is a local musician and another one also holds a job at a local Apple store--I have chosen not to link to any details on these individuals. As for the other two, I haven't worked out who they are or if they exist. Having said that, there is no evidence so far that they even have anyone working on the software at their organisation. There is only one employee mentioned on LinkedIn having association with the corporation.

Tony McDermott has been mentioned in the news alongside his daughter advocating for bulletproof glass to be installed in all public schools. In the article, he's cited as owning a company called "Critical Clouds" which is cited by the article as " highly specialized security-software company based out of his Wheeler Road home in Dracut". The only details I was able to glean on this company was any related story to the aforementioned news article. He does have several domains connected to him including scumbags.us and tonymcdermott.com.

In my e-mails with Tony, he cites that he has someone on his executive board who was responsible for "the day-to-day operations of the President's network". Well, that is likely true: Jay C. Grant has indicated on his LinkedIn he worked at the White House--except it was for less than four months and it was merely a role to supervise the operations centre. Jay is pictured in the KS page as the individual standing top-left.

I have very little to no information on Joe Burleigh other than he has posted a job opening for a part-time PHP and "Pearl" developer back in mid-March--normally I wouldn't rag on spelling mistakes, but "Pearl" is used twice. William Bridgeford is cited as a retired photojournalist but other than that there isn't much information on him.

In Tony's second e-mail to me, he mentions Pete Ochinko, who he states is a "former United States Secret Service Presidential Protection Lead"--but unlike the others is not listed on the official corporate registrar. This sort of title makes it seem like just like Jay, Pete is claimed to have worked for the US government. According to this PR release there is some supposed truth in this:
Ochinko retired from the United States Secret Service in 2002 after a 20-year career with the agency. His assignments included the White House, Baltimore Field Office, Miami Field Office, Counter Assault Team, Washington Field Office, Mobile, Alabama Field Office and West Palm Beach Resident Agency. His duties included developing comprehensive security plans for Presidential, Vice Presidential and Foreign Dignitary visits both domestically and around the world.
None of these guys have any real computer security background other than manning an operations centre and their activities on the Internet have been limited to press releases and LinkedIn profiles. Backgrounds are being embellished here a bit much to say the least.

No known cryptographers and no known software developers, but at least four to five executives with very little technology background overall and two to four videographers--one of which has made some half-decent music. How can we trust that they'll put out a product that does as they say?


What is the supposed technology behind Sever?


Tony decided to e-mail me with details on their underlying technology using a brochure that only gave me a high-level overview of everything that offered nothing substantial. It took a bit to cut through what the product was trying to describe itself as but here's the important bit:
the data is broken into packets and sent through multiple constantly randomized pathways via the various servers, PCs, tablets, and smartphones that comprise the Dispersive Technologies Spread Spectrum IP™ network. [...] In fact, the multi-stream strategy is so hack-proof, Dispersive Technologies’ original product didn’t leverage traditional encryption at all!
In its own words, it tries to spell out that it chops up the data into smaller chunks, reorders them in some fashion, and then transmits them without engaging in any encryption--effectively, it reads as if it is a scytale cipher of sorts. Since there has to be a method to decipher what is being received, it should be trivial to determine the order required to successfully reassemble the data without needing to be an authorised recipient of the data.

Of course, nobody in their right mind would want to use such a method to encode their data. Governments and organisations agreed and as such Dispersive Technologies was forced to add encryption.

Dispersive began to experience resistance from procurement officers because the networking system did not incorporate encryption – traditionally a foundational element of every competitive product in the space. Despite Dispersive Technologies’ reservations, it was clear that encryption would be required to grow market share.

[...]
SafeLogic’s CryptoComply module contains a variety of NIST-validated algorithms, allowing Dispersive to dynamically assign each pathway to be encrypted with an entirely different algorithm. This flexible, multi-stream, multi-algorithm system makes the Dispersive Technologies network incredibly secure, and provides an added level of security over traditional single-algorithm, single-stream data networks. The assortment of CryptoComply’s encryption schemes meshed perfectly with Dispersive’s strategy; depending on user needs, customers can configure various pathways and mix-and-match with any number of encryption algorithms.
And we can see that we have NIST-validated algorithms at play here. We can also confirm via NIST themselves that SafeLogic had went and submitted details for validation:
-FIPS Approved algorithms: AES (Cert. #2273); HMAC (Cert. #1391); DSA (Cert. #709); ECDSA (Cert. #368); RSA (Cert. #1166); SHS (Cert. #1954); Triple-DES (Cert. #1420); DRBG (Cert. #281); CVL (Cert. #44); RNG (Cert #1132)

-Other algorithms: RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
.
Where does the 10x speed come into play? Well in the document that was provided, it makes the following claim:
The system inherently features redundancy and load balancing, and alleviates bandwidth bottlenecks at the servers. The result is a 2x­-5x increase of network speed, a reduction in network traffic by up to 50%, and a significant improvement on traditional networks.

Well that's not "10x speed" but really I question whether or not that the SafeLogic technology can even achieve this the way Sever implies considering the laws of physics and whatnot. Technologies like this have been bantered about before with it not living up to the promises or ending up as vapourware all together.

Now, for Tony, who has previously ran a specialised computer security company, why can't he answer with that? Of course, he doesn't himself know what crypto his product uses because on Twitter, he went on about two, unrelated crypto products instead:


These two products are not like SafeLogic's and nowhere in the document that they submitted to NIST does it mention HAIPE, which is what these two use.

Needless to say, I believe Tony knows not what his product does nor has no clue about cryptography in general. For someone who again previously ran a specialised computer security company to not know much about the cryptography in their highly-hyped product should be damning enough.

Why are you picking on these guys anyway?


To put it simply: I hate snake oil and abhor claims from security vendors that they have the holy grail of security.

To elaborate: one of the problems with the information security (or "cyber security") industry is that there are a lot of players. A lot of people within the sector are quite good and I am privileged enough to consider many involved to be good friends and people I overall like.

However, with more players comes a large number of people who choose to throw away ethics or common sense and come out with claims akin to the discovery of unicorns on how great their product is. Attrition has done a great job documenting the problems certain individuals have brought upon the industry and it should be worth a read if you're still having doubts about what I am saying. It should be noted that there are many other problems too but that is a discussion for another time.

In the case of Rogue Foundry, if they have a product as good as they say they do, they wouldn't need your Kickstarter money. Such a device that promises to make you "hacker-proof" would have larger vendors clamouring all over the technology. We don't see that going on here and as such you should take that as evidence enough that the product wouldn't work were it to actually exist. Just because the technology was featured at RSA this year does not mean that it's worth having. I am certain that if I were to sit down and bother, I could find many examples of technologies promoted at the conference that ended up being nothing more than smoke and mirrors.

Instead of answering my questions about their background and history, they've opted to go silent for two days. When they did speak up, they opted to not go through on their promise to update their Kickstarter with answers to my questions and instead made a video mocking those who called them out on their idiocy. I guess this is what you should expect from a company that has a handful of executives in addition to a handful of videographers.

Rogue Foundry's Sever doesn't work and there's more than enough evidence to say that.

No comments:

Post a Comment