PGP Advisory Board
Lies, Damned Lies, and Marketing
Tuesday, April 28th, 2009
I wrote last week about the latest update of a password cracker that uses graphics processing cards as parallel processors.
The company who made this has a great product, and as I said then, it’s a very cool product. They also did a tasteful, professionally done press release describing their new product, which you can find here.
However, this week at the Infosec security trade show, their booth said, “the only way to break into PGP®.” This is a lie, and a lie in two directions.
- They’re not breaking into PGP, they’re doing password cracking. There’s a difference.
- They’re not the only people who do it. As I’ve said before, there are plenty of other password crackers, both commercial and open source.
In short, the sign was factually incorrect, and lies about PGP.
We complained to the trade show that someone else was being factually incorrect about our product; the trade show staff spoke to the company in question and then took the sign down. All settled, right? I stand by my previous statements that they have a cool product. It’s so cool that they shouldn’t stray from being a valuable forensic tool.
However, the same company decided to put up a blog post about it, which you can see here, in which they try to make it look like some sort of scary takedown.
I’m not going to apologize. We take our reputation seriously. We and our customers hold us to a higher standard and we do our best to live up to it. We also come clean when we make mistakes. It’s even flattering to be mentioned as a gold-standard product. But, we will defend our reputation, and there’s a difference between saying that you can crack passwords and saying you can break into PGP.
Some people understand that difference. While the people who set up that booth might not, here’s a quote from a noted expert in the field of password cracking who does understand this subtle difference, the CEO of ElcomSoft:
However, current status of technology does not threaten PGP® Disk encryption based on 128-bit and 256-bit AES. “PGP® protection had always been and still remains secure,” ElcomSoft’s CEO Vladimir Katalov says. “We don’t guarantee successful recovery of PGP®-encrypted data, especially if a strong password has been used. On the other hand, PGP® users can still benefit from some secure protection of their personal and commercial information if they choose passwords that are long and secure enough.”
On the one hand, ElcomSoft is a responsible company that makes a great product as evidenced by the measured words of their CEO. And on the other hand, ElcomSoft’s marketing people were called out in their lies and are trying to cover up a marketing gaffe by documenting their very lies. Thanks, guys. It would be harder to prove that we, not you, are the offended party without your own pictures and quotes from your own press release. It’s rare that I get to give homage to Jon Stewart. I couldn’t have done it without you.
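To put a number on the distinction the post draws (cracking the passphrase versus breaking the cipher), here is a small Python model I added for this page; it is not code from PGP Corporation or ElcomSoft. It estimates the exhaustive-search space of a passphrase from the character classes it uses, compares that to the 128-bit AES key space the CEO quote refers to, and converts both into time at an assumed guess rate. The guess rate, the dictionary size and the character-class alphabet are assumptions chosen for illustration, not figures from the page.

```python
import math
import string

# Character classes used to estimate the alphabet a passphrase draws from.
# Assumption: an attacker who knows the classes in use searches exactly
# their union; real crackers also try dictionaries and patterns first.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation + " "),  # 33
}

AES_KEY_BITS = 128  # the smaller of the two AES key sizes the post mentions
SECONDS_PER_YEAR = 365 * 24 * 3600


def alphabet_size(passphrase: str) -> int:
    """Size of the union of character classes that appear in the passphrase."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in passphrase))


def search_space_bits(passphrase: str) -> float:
    """log2 of the worst-case number of candidates for a character-by-character
    exhaustive search over this passphrase's alphabet and length."""
    return len(passphrase) * math.log2(alphabet_size(passphrase))


def wordlist_bits(word_count: int, dictionary_size: int) -> float:
    """log2 of the search space when the attacker knows the passphrase is
    word_count words drawn from a dictionary of dictionary_size entries.
    This is the realistic bound for word-based passphrases and is far
    smaller than the character-class estimate."""
    return word_count * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every candidate in a 2**bits space."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare(passphrase: str, guesses_per_second: float = 1e9) -> dict:
    """Summarise which is the weaker link: the passphrase or the AES key.
    guesses_per_second is an assumed rate for a GPU-based cracker."""
    bits = search_space_bits(passphrase)
    return {
        "passphrase_bits": round(bits, 1),
        "passphrase_years": years_to_exhaust(bits, guesses_per_second),
        "aes_years": years_to_exhaust(AES_KEY_BITS, guesses_per_second),
        "weakest_link": "passphrase" if bits < AES_KEY_BITS else "key",
    }


if __name__ == "__main__":
    # Constructed sample passphrases, not values from the page.
    for pw in ["Passw0rd!", "Correct Horse 7 Battery!"]:
        print(pw, compare(pw))
    # Four words from an assumed 7,776-word list (a common diceware size):
    print("4 diceware words:", round(wordlist_bits(4, 7776), 1), "bits")
```

The point the numbers make is the one in the CEO's statement: a cracker never touches the 128-bit key space, it searches the passphrase space, and only a passphrase whose effective entropy approaches the key length makes the two comparable. Note that `search_space_bits` is an upper bound; a passphrase built from dictionary words should be judged by `wordlist_bits`, which is usually tens of bits lower.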

Semantically speaking, I do not think what ElcomSoft is doing can be called a “break in”, but if they crack the password they break in.
The whole affair seems like a marketing war to me, I am glad I am not the judge to decide who is right.
I recall using PGP whole disk encryption, and after entering the password wrong a few times it makes you wait when you attempt to enter it again. I always thought this to be a great method to protect against brute force attacks (which is what ElcomSoft does).
If someone has engineered a way around this protection, it does not seem too good.
Frank
Thursday, May 7th, 2009 at 9:30 pm