On the Infosec once again

April 30th, 2009 by Andrey Belenko
Category: «General»

There is a lot of speculation about what happened between Elcomsoft and PGP here at Infosecurity Europe 2009 in London, so I would like to share my own point of view, which may or may not coincide with Elcomsoft’s.

First, I’d like to make it clear that I do respect PGP Corporation; those guys are making great software.

Now, I’d like to comment on the blog entry by Jon Callas (CTO of PGP). There are some important factual errors which I suspect Jon is not aware of and which I would like to correct. He writes:

We complained to the trade show that someone else was being factually incorrect about our product, and the trade show staff spoke to the company in question, and then took the sign down.

Well, I’m not sure if "spoke to the company in question" means trying to remove the wallpaper in the absence of Elcomsoft staff 30 minutes before the exhibition opened, but this is exactly what happened. We were approaching our stand when the organizers were removing the wallpaper. Nobody had even tried to contact us beforehand (they have the mobile phone numbers of every exhibitor, I guess), nor did they give us a chance to talk to a PGP representative to explain anything. So that was not really nice behavior, and the pictures only show how ridiculous it was.

Marketing is not something I feel comfortable with, but I suspect that if organizers removed every statement which is not 100% true, then we’d see mostly white walls at most exhibitions. I can only see PGP’s request to remove our questionable (yes, I personally do admit this) marketing statement as a sign of the inability and incompetence of their booth staff to explain the basics of password security to their (potential) customers.

Next, Jon writes:

1. They’re not breaking into PGP, they’re doing password cracking. There’s a difference.

2. They’re not the only people who do it. As I’ve said before, there are plenty of other password crackers, both commercial and open source.

Breaking (into) something means breaking the weakest link. With PGP this is definitely the human being, not the technology. We did not say anything about breaking PGP encryption, so I don’t think we’ve said anything wrong here. Breaking the password is usually sufficient to gain access to the desired data, and this is what is often called breaking the system. And this is a slogan, not a technical paper.

We’re the only ones to provide hardware acceleration for PGP password recovery using commonly available hardware. This makes our product unique, so I believe the word "only" is justified here. By the way, there are not "plenty" of products, maybe just one or two besides ours, and no open source PGP Disk and/or PGP Whole Disk Encryption password crackers that I am aware of.

Again, I do respect PGP Corporation. Today we do not have many security vendors who make their source code available for review, and this is just one of the things I respect PGP for. And I really hope we will resolve this situation in the best way possible.