[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Challenge: Hack Elementrix!





Everyone,

I think that with all the recent attention to Netscape and Microsoft that
another target has been altogether overlooked:  Elementrix POTP <spit>.
 
> New encryption method announced
> 
> Sept. 29 -- Elementrix Technologies has announced a breakthrough in data
> encryption that does away with the need for passwords and public/private
> keys, instead working transparently at either an application or hardware
> level. Using the One Time Pad method of encryption -- acknowledged for a
> long time as being a superior encryption method -- Elementrix has released
> both an FTP and E-Mail package that makes sending secure messages as easy
> as just clicking a button. Its Power One Time Pad (POTP) technology
> promises to ensure that in the very near future, the entire Internet can
> become a fundamentally secure place.

Elementrix is on the Web.  http://www.elementrix.co.il/

Reposted from sci.crypt:

In article <[email protected]>, Phil Karn <[email protected]> writes:
> This announcement pegs my bogometer (a device for measuring bogons,
> the elementary particle of bogosity).
> 
> Readers of the Skeptical Inquirer and other similar publications will
> recognize all the classic signs of a scam, either deliberate or
> self-delusionary:
> 
> 1. Breathless, overhyped language ("revolutionary", "breakthrough", etc)
> 
> 2. Clear misstatements of well-established theoretical principles
> (the discussion of the one-time pad)
> 
> 3. Reluctance to get specific, usually by citing proprietary concerns.
> When this is combined with a claim that a patent application has been
> filed, this is a clear sign of bogosity -- one's patent
> rights can be compromised only by publishing *before* filing, not after.
> 
> Unless, of course, the claim is rejected by the patent office,
> which is almost unheard of these days even for clearly bogus and/or
> trivial "inventions".
> 
> Phil

While Elementrix has failed to provide any detailed technical information
(specifications, source code, etc.) this is not entirely out of reach.

You can obtain an evaluation copy of their "secure" FTP client from
ftp://ftp.elementrix.co.il/pub/secftp/

This appears to be a binary for Microsoft Windoze.

The server at ftp.elementrix.co.il is a "secure" server.  Note:

    ftp> open ftp.elementrix.co.il
    Connected to ftp.elementrix.co.il.
    220 sunex FTP server [Elementrix POTP(1.51) Secure FTP(1.5-3)] ready.
    Name (ftp.elementrix.co.il:dwa): anonymous
    331 Guest login ok, send your complete e-mail address as password.
    Password:
    230 Guest login ok, access restrictions apply.
    ftp> close
    221 Goodbye.
    ftp>

So there you go.

Sure, commented source code with accompanying specifications for an
implementation are nice, but did Ian and David have such luxuries for
their Netscape hack?

I will confess that I have not actually tried running their software,
let alone reverse-engineering it, as I am Windoze-challenged (running
on SunOS 4.1.x as we speak).  However, I'm sure there are probably many
people on this list with suitable Windoze platforms complete with the
necessary reverse engineering tools.

In many ways, Elementrix is a more enjoyable target.  Their claims of
security reek of more marketing hype than even Microsoft would stoop to,
and their use of the term "One Time Pad" is disgusting.  At least Netscape
is trying to use respectable crypto algorithms and is being open about
their code.  These people deserve to flamed far more than Netscape (and
even Microsoft) ever did.

Perhaps someone could even convince Sameer to do T-shirts.  I'll even
agree to cover the cost of one for the first exploit.  How about it,
Sameer? :)


Dana W. Albrecht
[email protected]