HOWTO Commit Corporate Espionage

bart_scriv writes "Worried about who might be spying at your company? Businessweek looks at the latest in espionage gadgets and technology in response to the recent HP boardroom scandal. The article looks at devices designed for counter-espionage, which range from mundane confidential email services to sophisticated camera and listening-device detectors. '...for every method of spying, there's a counteroffensive. One of them is the eavesdropping protection kit, manufactured by Dynasound in Norcross, Ga. To secure a room in an office building, devices are placed on ceiling plenums, floors, HVAC ducts, doors, walls or windows — basically anywhere voices can travel.'"

Yeah, that'll work

[Aliencow]

WHO GOES THERE? Another protection: vanishing e-mail. Called VaporStream, the system lets people send e-mails that cannot be tracked, copied, forwarded, or printed--leaving no trail. Users pay $39.99 a year to subscribe to the service and must log into the site every time they want to send a confidential e-mail. Wow, I'm sure nobody will ever find a way to print it out or take a screenshot of it.

Re:Yeah, that'll work

That product is for when both ends want to delete the email, not just the sender. Example: Yankees trainer Brian McNamee gets an order acknowledgement for 6 pallets of steroids. He doesn't want to keep the email, or have it tracked, so he requests that it be sent using this service.

Re:Yeah, that'll work

[B3ryllium]

Uh. In the transaction you describe, one end of the deal (the steroid seller) might want a copy ... so a printout or a screenshot could be used for blackmail or extortion purposes.

Re:Yeah, that'll work

[russ1337]

So how can we be sure this service isn't an NSA honeypot?

Re:Yeah, that'll work

[owlnation]

Yes, but since the major preoccupations of anyone who works in Corporatia are, "covering your ass" and "passing the buck", I don't think that anyone will have any use for email you can't store and use as a future weapon against one of your backstabbing brown-nosing colleagues.

Re:Yeah, that'll work

[Instine]

yer the print protection sounds like a fairly stupid claim too far.

FTFA I REALLY like the lazer listener idea though. How clever is that! I want one now. But I'm not going to falk out 50,000USD for it. I'm quite sure that I could build one for less than a grand.

Re:Yeah, that'll work

[sootman]

Wow, I'm sure nobody will ever find a way to print it out or take a screenshot of it.

Or take a picture of the screen. My monitor is 1600x1200 and my camera is 2048x1536. It takes "screenshots" just fine.

Re:Yeah, that'll work

[plover]

A friend of mine did that over 20 years ago when he was a kid, using just a homebuilt Heathkit HeNe laser. He shined the laser on a window, and aimed a telescope at the window. He taped a CdS photocell at the focal point of the telescope and built it into a simple audio amplifier. Even with that crude setup he was able to make out that loud sounds happened inside the house from across the street.

I bet using a modern phototransistor matched to the wavelength of an off-the-shelf laser diode plus a $100 Target toy refracting telescope should yield pretty good results. (A refracting telescope will always be a better choice for the tiny signal changes that need to be detected here.) Also, it will be easier to aim one with a cheaper alt-azimuth mount rather than an expensive equatorial mount (equatorial mounts are really useful only for astronomy.)

Re:Yeah, that'll work

[russ1337]

The chance of this could be reduced by showing the details (sender-recipient etc) of the e-mail on one page, and show contents of the e-mail on another. Of course, filming or recording the transition between the two could be incriminating.

I recall from a PGP app, the ability to show the e-mailed text in a muddy yellow box with slightly darker writing, this any compression from a screen capture makes it very hard, if not impossible to read.

All of this still doesn't address your concern though - it just makes it more difficult for the perp.

Re:Yeah, that'll work

[Fulcrum+of+Evil]

Or you could accept that this is only useful when the recipient is complicit in wanting the email to vanish later.

Re:Yeah, that'll work

I'm a brown-nosing corporate minion, you insensitive clod!!

Re:Yeah, that'll work

[Smallpond]

I was trying to think of a good, cheap countermeasure. I guess gluing a small speaker to the window connected to a white noise generator (or the company music-on-hold system) would work.

Re:Yeah, that'll work

[plover]

Right idea, but music is a poorer choice than white noise. A sophisticated eavesdropper could acquire his own copy of the music you use, and "subtract" the known waveform from the received waveform, leaving just the ambient room sounds. If the volume of the music makes you talk louder, it's all the better for the listener.

And just so you don't think you're safe just because you're IMing over an SSL port, with the proper sensor (a Hamamatsu H6780-01 photosensor module) the same telescope can be used to spy on your screen just by detecting the reflected light from your monitor. Markus Kuhn wrote this paper (read section 6) about just such an attack.

Get smart phone.

[krell]

Do these guys also sell a cell phone built into a shoe, go to with the cone of silence?

Great lengths at great heights

[ian_mackereth]

I had occasion to visit the office of a major oil company CEO in Melbourne (Australia) a few years ago, while it was being fitted out.

Along with the obvious requisites like the bedroom and the seperate airconditioning (he was the only person in the building allowed to smoke!), the windows were double-glazed and had a white-noise generator in between the panes to foil any sneaky lasers from other oil companies' CBD high-rises!

I was at first bemused at the expense of it all, but then I thought about the millions he'd get as salary, and the hundreds of millions affected by the decisions made in that office, and thought better of it...

Re:Great lengths at great heights

[voice_of_all_reason]

Fool. Windows can't stop ninjas.

Re:Great lengths at great heights

[BadAnalogyGuy]

Who's the fool? Ninjas are stopped just fine with Windows. It's pirates that Windows can't stop.

Re:Great lengths at great heights

Pfft! Booze plus hooker beats any high-technogimzology.

Re:Great lengths at great heights

[Single+GNU+Theory]

Posts like that make me wish mod points could go to eleven.

Re:Great lengths at great heights

[n2art2]

Forget Ninjas. . . . What about a virus? I thought everyone knew that Windows suck at security.

Re:Great lengths at great heights

[Lumpy]

and every bit of it thwarted easily in a low tech way....

Find a IT guy that is disgruntled, (not hard at any company) and either pay him for a copy ofthe CEO's laptop contents or other tidbits.

$10,000.00 cash waved in front of a IT guy that is training his indian outsourced replacement or hearing of the cost cutting changes that management is goign to aim for would be all over that low risk bit of work.

Hell I bet you could get entire copies of the accounting database for the right amount of money.

All you need is someone on the inside being treated poorly and you have your circumvention to all the security.

Re:Great lengths at great heights

[DamnStupidElf]

Hmm, my guess is that the white noise generator is practically worthless between the panes. The first pane will reflect a certain percentage of the laser, and the second pane will reflect another percentage of the laser. Subtract the two reflected signals, adjusting for the distance between the panes and the reflectance percentages, and the result will be the difference between sound on the inside and outside of the window minus the white noise. What might actually work is to attach a separate white noise generator to each plane to introduce echoes and interference that would be more difficult to filter out. In the end, given enough lasers and processing power my guess is that any white noise generation could be defeated. The trick is to always sample the white noise as close as possible to the generator, before it has been distorted, and then cancel it out at the point where the strongest "hidden" signal is available, but IANAS (I am not a spy).

Re:Great lengths at great heights

[Scrameustache]

Forget the pirates, You should see what zombies do to windows!

Re:Great lengths at great heights

I bumped you to +5 funny, as I often agree.

Serve them right

[tygerstripes]

God knows I don't get anything out of our meetings, so how some industrial spy is supposed to is beyond me. Serve them right if they absorb non-productivity osmotically...

Re:Serve them right

[dptalia]

I had this really scummy guy who kept trying to hit me up for insider information... I always told him I was looking for outsider informatin! The outsiders always seemed to know more than us poor peons....

Re:Serve them right

[garwain]

I hear you there... Nothing beats spending 4 hours sitting there drinking coffee, then walking out asking a co-worker if he had any idea what the purpose was. Only thing I find worse than an office meeting is a church meeting, that I'm not paid to attend, but don't seem to have much choice...

Fixed 40 Years Ago

[dankstick]

Problem Solved.

Best Device USB thumbdrive

[bryz]

How about a thumbdrive? With capacities seemingly doubling every couple months, it should be real easy to swipe off a good amount of data.

Re:Best Device USB thumbdrive

[z0idberg]

That has a low-tech solution. Do what my (very large) company does and have Windows NT as the standard desktop. No USB support. Shithouse when you need to run any software made this century but hey! no USB support!

or

just pay someone that has access and an excellent memory.

Finding someone that has photographic memory and lacks ethical guidance is left as an exercise for the reader.

Illegal in the US and many other countries

[TrueJim]

Note that corporate espionage for the purpose of uncovering Trade Secrets is generally illegal in the U.S. That's why companies mark documents as "proprietary," for instance; doing so identifies the document as something that the company considers a trade secret. If you use corporate espionage techniques to obtain such a document (i.e., if the company doesn't exercise due diligence in making sure that such documents aren't publicly disclosed) then relevant Trade Secret laws would apply.
http://en.wikipedia.org/wiki/Trade_secret

assuming it's already in CVS

[castlec]

cvs commit -m "added more theft options." corporate_espionage.c

But I want to know where to sell the info!!

[neo]

Sure, I've collected all this great data, but now how to I find a buyer? Do I just walk up to the competition's CEO and say "Hey, I got the goods on company XYZ, how much is that worth to you?" Do I take out an ad in the paper... or 2600? I need real answers.

Seriously. I want this to be my full time job, but this article doesn't tell you shite.

Re:But I want to know where to sell the info!!

eBay, silly. An open auction would surely bring in top-dollar.

Re:But I want to know where to sell the info!!

[Billosaur]

Sure, I've collected all this great data, but now how to I find a buyer?

we-buy-secret-corporate-info.com

Re:But I want to know where to sell the info!!

[frdmfghtr]

Sure, I've collected all this great data, but now how to I find a buyer? Do I just walk up to the competition's CEO and say "Hey, I got the goods on company XYZ, how much is that worth to you?"

You could do something like that...

http://www.washingtonpost.com/wp-dyn/content/artic le/2006/07/05/AR2006070501717.html

Re:But I want to know where to sell the info!!

[k4_pacific]

It's probably easiest to use it to extort money from the company you stole it from. That way, you don't have to bother actually finding a buyer, just threatening to should be enough.

Re:But I want to know where to sell the info!!

[h890231398021]

That's what these people tried. Didn't work so well, though.

Re:But I want to know where to sell the info!!

[gd23ka]

Which is why you shouldnt try to sell Audi secrets to Volkswagen. If at all
go after their supply chain. The F500 as well as banks and insurances cooperate.
If youre prepared to do the time, I would recommend small to medium sized businesses
to whom you can indeed sell competitor information. Dont expect to be paid
millions though.

Re:But I want to know where to sell the info!!

It's called "Insider Trading".

No business would touch this, it's all individual. Go to Wall Street and find the sleaze, they pay well. The worst that happens if you get caught is being fired.

Things of interest: Daily Sales Audit Reports (Plan vs. Actual), Mass Marketing, Logistics, etc. Generally the things you get from Data Centers, as long as you know mainframes. Luckily many companies outsource these things, and the companies they outsource to hire contractors, with little background checking.

The way to find and make your contacts on the street is the trick.

Re:But I want to know where to sell the info!!

[mutterc]

Sell it to the company's employees, who would probably love to know what's really going on.

Re:But I want to know where to sell the info!!

There's a much better reason why you don't sell Audi secrets to Volkswagen. VW owns them!

Trade Secrets

[Sensi]

Sometimes it's as easy as walking by to get all the info you need.

http://flickr.com/photos/reboof/259086845/

Three words

[Billosaur]

Cone of Silence.

Re:Three words

[Rob+T+Firefly]

*leans out from under cone*

WHAT??

Anyone else thinking..

[Channard]

.. that you'll pay your money, open the boxes they send you to find that they all contain egg cartons and a few tubes of pritt-stick?

Odd use of "buy antispy stuff" FUD here...

[xxxJonBoyxxx]

OK, so Slashdot is famous for putting marketing FUD on its main page, but even I don't get how putting anti-spy devices in would have prevented the head of HP from spying on people. (I can imagine the work order crossing the CEO's desk: "Hmmm...here's a request from some peon for a company anti-spy installation to prevent what I'm up to. Denied, ya' think?")

Well, that does it.

[Rob+T+Firefly]

Thank you, Slashdot, for putting up a page with this title for me to read over the company's network. I was getting ready to be fired soon anyhow.

Re:Well, that does it.

[Billosaur]

If you think that's bad, how do you think your employer feels when they see you reading about Uranus...

Note: Ha-ha! Didn't expect a Uranus joke in an article on corporate espionage, did you?!?

Re:Well, that does it.

[tehcyder]

Ha-ha! Didn't expect a Uranus joke in an article on corporate espionage, did you?!?

The person reading this over your shoulder is a complete fuckwit who enjoys wearing his wife's panties on his head while masturbating to horse porn videos and smoking crack cocaine.

Ha-ha!

It's Easy

If you have access to the network racks it's easier than you might think. Plug a microphone into an empty network socket, a patch lead from the microphone socket to a socket in your office, and an amplifier plugs into the wall socket in your office. Boardroom meetings were bugged like this for six years by a friend of mine and nobody noticed a thing.

Bug sweeps might not find anything because no RF is emitted.

Re:It's Easy

Bug sweeps might not find anything because no RF is emitted.

yeah but now they can just follow the wires right to you. (hint: maybe have an RF transmitter on that side, far away from the room being bugged)

Re:If you comply you should have nothing to hide

[eln]

If you aren't doing anything evil why do you need secrecy (or privacy)?

Because I don't like to be spied on. The thought of people going through my personal files or even listening in on my private conversations creeps me out. I also don't like to use public restrooms with the stall door open, and I don't live in a completely transparent house.

If I'm a business, I want privacy because I don't want my competitors learning information about my future plans or strategies that they could use to their advantage. If I have a product that I've spent billions researching and developing, I don't want my competitor to steal it and start selling it before I do.

Re:If you comply you should have nothing to hide

[aplusjimages]

If you aren't doing anything evil why do you need secrecy (or privacy)?

The government always follows this saying with "Do as I say not as we do." BTW Nice sig.

monkey see monkey do

[thedrunkensailor]

and we learn this from the most amusing of monkeys: the federal government.

White Noise Generator ... $6,000 and up ... WTF?!?

[user1003]

$6000 and up for a white noise generator? WTF?? Anyone with basic electronics skills can build one with parts that will cost about $10. Anyone with basic coding skills can code one for free in about 10 min.

Am I getting something wrong here, or did corporate greed just get worse?

Bugging

[Alioth]

Bugging an office has never been easier, now that data cables run into all of them!

Re:If you comply you should have nothing to hide

[shawn(at)fsu]

After reading you sig thanks to the mention it got from someone else, I was wondering, wouldn't it be easy to make the argument that goverments who fear their people are just as apt to by tyranicle. I mean the USSR feared it's people so it sent them to prisions in sibera or worse for trival reasons. The same can be said about Sadam's goverment and probably many others. I mean it seems that all tyrnaical goverments fear the people and fear that they will learn and rise up and thus the goverments rule with an iron fist. So maybe it should be when goverments repsect their people their is freedom. I guess that just doesnt have the same ring to it....

Old toys

[TrueKonrads]

Most of the toys mentioned in article are pretty lame and sucky. Granted, for the PI or Spy that buys everything off-the-shelf, the counter-surveilance mentioned works, but otherwise it sucks, here's why (pont by point)

White-noise generators assume that You have no access to the room or that it is impossible to plant a small piece on the person. Say, bump in "accidentally" into the CEO in question and place a 5 square milimeter chip. It will have an internal clock and mic. Once the CEO is out in fresh air, it will transmit the data back in one encrypted burst and destroy the information it had.

Pretty much the same applies for cameras. One, you assume they are broadcasting within some pre-defined spectrum and do so all the time. Again, do a remote on/off or encrypted packet burst and such suverlance mechanisms fail. Besides, with advent of WiFi, if your super agent picks up emissions in 2.4Ghz range, he'll assume it's wifi and let it rest. Also, you can sramble the transmission, do a frequeny hop and bob knows what else.

About that phone-line tap: Do we live in dark ages? Nobody has analogue phones and taps that feed off phone current.You can't detect it over ISDN lines (most offices) and it deosn't do anything for cell networks.

No comments on vapourstream :)

I have to admit, that the laser window snooping is the most effective in the list, as it is probably the easiest method and most reliable. For nice security, go low-tech : Have a friendly chat near a cooler (no windows), in a bath-house (most devices choke on humid air, transmission also would suck) or in a pool or sea (waves splashing, children, loud music).

Besides, the entire chain of communications should be scure, aka TEMPEST approach - if once bit of wire is not tempest - entire chain is invalid. If one of the two persons in conversation, repeats what he heard over dinner table with his wife - what's the point?

Re:Old toys

[Frosty+Piss]

I have to admit, that the laser window snooping is the most effective in the list, as it is probably the easiest method and most reliable.

And that's the thing. Most industrial espionage is from disgruntled employees / former employees with lose lips. You can't solve this problem with electronics. Look at the HP thing: Sure the leaker used email to talk to the reporter, but he didn't have to. Remember Deep Throat?

Re:Old toys

How can I forget?

Linda Lovelace was fantastic...oh...you mean that Deep Throat. Sorry.

Re:Old toys

[drauh]

you've forgotten the Cone of Silence.

For added discretion:

[Ayanami+Rei]

Purchase a bunch of simple RJ45 "protective caps" or covers and use them in all of the unused outlets in the room. You could then modify one of the caps to contain the microphone without looking out of place.

http://www2.elecom.co.jp/cable/accessory/ld-rj45ca p/image/img.jpg

Interestingly

[k2r]

the US / NSA has been proven to use echelon for industrial espionage in other countries eg. on Enercon in Germany: www.europarl.eutopa.eu, search for "Enercon" . It's quite difficult to find anything in English on this, but there's a lot of stuff in German about this case.

k2r

Re:Interestingly

Yeah but the NSA is allowed to spy on anyone outside the US (non us citizens ) for whatever reason it wasnt. I think that's always been perfectly legal.

Re:Interestingly

I'm in the Netherlands, and a former colleague told me he was offered a IT job once by an US company into "filter software", you know, monitor your employees surfing behaviour etc., but in reality it turned out to be the NSA. They wanted him to outsource him to work "on location" at one of their biggest customers, a huge oil company. They told him getting in and getting the job was easy because the head of IT was also employed by them... They also told him they were in a lot of countries and governments, offering services but in reality installing Echelon backdoors. If anything he said was true, it would mean the US has direct access to all digital information of a lot of major companies and economies in the world.

PS He didn't take the job because he would have been a pawn. A year later, the company was "gone" and the site even non existent on archive.org.

Bozon cloud?

[ldholtsclaw]

Sounds like you've got the kind of envrionment that precipitates Bozon Cloud formation ...

Bozon: A quantum unit of stupidity.
This term I picked up from Headcrash (Roadkill on the Information Superhighway) by Bruce Bethke. A very entertaining read, I might add. Bruce himself is a great guy too, as I discovered while he was our Special Guest at the last Chattacon (a Science-Fiction convention in Chattanooga). I could say something about the ProctoProd(tm), but I don't want to ruin the book.

Why do I need secrecy?

[giafly]

If you aren't doing anything evil why do you need secrecy (or privacy)?

Because "people who live in glass houses shouldn't throw stones" does not imply "people who don't throw stones should live in glass houses".

Duh, wifi spy clock.

[amcdiarmid]

Try a Wall Clock with a wifi camera and microphone.

Something like this: http://www.spycameras.com/item4.htm

I'd look for a more real office type wall clock, but you get the idea. After all, what corporate meeting room doesn't have wifi?

Re:If you comply you should have nothing to hide

[rthille]

Sorry the mods' sarcasm detectors are on the fritz this morning...

Privacy Lost

[Stupidfat]

In a related story, it was found in a co-relation study that there was a relationship between privacy advocation and parental status. It was found that parents with even a single child over the age of 6 months have learned to give less than a shit about privacy.

Gadgets and HP Scandal

[Narcogen]

What does one have to do with the other? The HP scandal revolves around a leak at the very top-- a member of the board of directors who supplied inside information directly to journalists. What the heck do all these amateurish gadgets have to do with anything? And how is being aware of them or being able to protect oneself from them of any value when one of your own board members is giving information to the press? There's no technological silver bullet for that kind of problem. Trying to connect these two subjects is just silly.

Re:Gadgets and HP Scandal

This is slashdot

News for^H^H^H^H^H^H^H^H Nerds.^H^H Stuff that matters^H^H^H^H^H^H^H^H^H^H^H^H

Re:If you comply you should have nothing to hide

[eMbry00s]

If privacy is removed from the workplace, potential whistleblowers will not be able to do disclose information when companies do things that break laws (wether moral or juridical).

Place sensitive calls from server room

[fyoder]

Of course, it can also be difficult to hear the person on the other end of the phone.

That's why I run Linux

[wiredog]

It stops both of them.

Re:That's why I run Linux

[Profane+MuthaFucka]

Linux is a wide-open penguin hole. Wait, that didn't come out right.

Ego and adolescent mentality

[dpbsmith]

Woot! Secret decoder rings! Invisible ink! See-bak-ro-scopes! And that great key to popularity, "Fool your friends!"

And those X-Ray Specs... (do they really see through clothing? Better get a pair, it's the only way to find out! And even if you can't, you always get a reaction by pretending they do...)

Gee whillikers, CEOs must be saying to themselves, now that I'm a big-deal important person, I can send away for ALL that stuff! Boy, will my friends be impressed when they realize my words are so important that other people are trying to overhear them... and that I have the wherewithal to spend tens of thousands on impressive-looking gadgets.

Re:White Noise Generator ... $6,000 and up ... WTF

$12.95 for a radio.......

Low Tech and Cheap

[thorkyl]

Go to a garage sale and buy a TV put it on channel 13 with no antenna
    White noise generator

Defeat laser listener
    Place radio on window sill with sub woofer pointed at glass

Stop all eaves dropping
    don't talk us a #2 pencil and legal pad
      Shred the pad then burn the shredded paper then put the ashes in a bucket of water

Good think he didn't take it...

[Vr6dub]

...He is either lying or has a hard problem keeping sensitive things to himself. They (the DoD) wouldn't release classified information like that to a potential employee.

Re:If you comply you should have nothing to hide

[gugux]

Since you comply there is no reason to spy on you.

Secure phones

[cesarbp]

I developed a secure phone software to be used by corporate users against espionage. It uses a Microsoft PocketPc or Smartphone, encrypt the voice using AES (Advanced Encryption Standard) with 256 bits key and uses Elliptic Curve Cryptography to do key exchange (ECDH 571 bits). I don't know if into US the corporate people can use this kind of huge cryptography. My site is at http://www.raseac.com.br/ I think if your corporate people want some privacy, this product is a good solution.

Re:If you comply you should have nothing to hide

[GWBasic]

If you aren't doing anything evil why do you need secrecy (or privacy)?

I'm hoping your questions is rhetorical. Let me give you a few examples:

• Richard Nixon bugged John Lennon because he was a political opponent.
• Dr. Martin Luther King Jr. was on the CIA's watch list.
• Illegal != evil. There are illegal activities in the USA that aren't evil. In order to avoid debate, I'll point to the past example of alcohol prohibition. Back in the 1920s, it was illegal to call up your buddy to sample his latest brew, although not evil.
• I don't want my bank account information in any database that isn't mine.
• Some people would prefer to keep their phone sex conversations private.

what about REAL spy gadgets?

[schweini]

i guess i'm not the only one who is a bot dissapointed by these spy gadgets, since they all seem a bit wannabe-james-bond.
anybody know of real high-tech (or highly sneaky) gadgets that real spies use or used?
one of my favourites was the Great Seal Bug

Simple principle - also available in Germany

[cheros]

Given the simple principle these things work on (voice transmission over crypto wrapped data channel) the prices charged for them are generally plain rediculous, and I've seen them all over the planet.

Furthermore, unless the source is available for the product it will not be subjected to independent review, and any claim that it's thus 'the best' or even 'secure' is thus meaningless, as is your website claim "no backdoors to our knowledge". That claim would still be valid if you allowed a US NSA official some time alone in the room with the code prior to compilation. You wouldn't know then, would you? All of these claims also assume that the base platform itself (WinCE) is uncompromised which is in itself amusing and unprovable.

BTW, for someone really in need of secure comms, Due Diligence on the product and product comparison would be a minimum requirement and the above is enough to delist yours from such a process.

Sorry to rain on your self advertising, but a bit more substance would be a good idea. Otherwise you're just competing with other snake oil vendors, and I've seen enough security BS over the last few months to last me a lifetime.

= Ch =

Re:Simple principle - also available in Germany

[cesarbp]

About "Given the simple principle these things work on (voice transmission over crypto wrapped data channel) the prices charged for them are generally plain rediculous, and I've seen them all over the planet.":
Why not ask us about our price?.

The main problem with source code to independent review is the fact of deploying sensible code to be copied and deployed under another product name.

About "no backdoors to our knowledge" :
It is under contract:
The "no backdoors" exists in our product because we can do that, in our country we can sell this kind of product and we do that. I would like to see if in your country you have any software "without backdoors" under contract.

About "if you allowed a US NSA official some time alone in the room with the code prior to compilation":
We think NSA won't do that, because:

• They need to know what you are talking about (unless you are from government).
• For civil communication asking to NSA to assure the product is working won't be useful against them, we are not allowed to sell an integrated (hardware + software) voice encryption product without backdoor for civil communication in your country, because NSA won't allow that.
• Selling a product with backdoor will allow the code be analysed by your enemies and being broken using the backdoor.
• Your government is using AES (Advanced Encryption Standard), and this algorithm do not came from your country, why not asking NSA to deploy your own AES symmetric algorithm? Because your own government do not have confidence in the NSA guys.
• NSA exists to protect your country, not to protect your communications against them.

If you want to have the source code available to NSA and be analysed, is because you have information sensible enough to be protected, in this case contact us, because i think you will have enough money to pay for our source code, and we have One Time Pad to sell.

About "All of these claims also assume that the base platform itself (WinCE) is uncompromised which is in itself amusing and unprovable.":

If you are really preoccupied with this, you can contact Microsoft to get the WinCe source code and analyse it, or you can buy our source code that works with landline modem, using landline modem and using One Time Pad will solve your problem.

If you want a good system to protect your business against spies, we have a good one to sell, with a very good price.

Regards.
Cesar.

Re:Simple principle - also available in Germany

[cheros]

I'm game for the price - I'll email you from your website.

As for 'not publishing for fear of duplication' - I agree, that is on one hand a problem. On the other hand, it would allow others to pitch in as well, not to mention the fact that you could publicly be seen as having the best code. So, in the middle lies the question if your code could be reviewed under NDA by an independent party.

I can see you commit yourself contractually to the 'no backdoors', but I'm observing the fact that such a committment is meaningless in the way it's phrased for the aforementioned reasons. I can claim to be 'totally cancer free as far as I know' because I have no reason to assume otherwise, and thus have not tested it. It lacks independent confirmation. So, cute from a marketing perspective, pointless from an assurance angle. That is in general the problem with your plug - you make claims you cannot substantiate as you have no independent validation to offer. Leave that out and you're fine (or even suggest paths by which a buyer can do that - honesty wins in security, there are enough people selling BS already).

WinCE is IMHO not one of the most ideal platforms to carry this on (it's even crap with default apps), but the Linux platforms are AFAIK not yet mature enough (may be wrong here, I'm just not really in that market anymore). No idea about Symbian, but that was at least already doing small device multitasking (when it was called SIBO) when MS was still thinking about selling Worries for Workgroups so I'd imagine there should be decent support there.

You may want to think about making your code portable - also makes it easier to support other devices and thus widen your market.

= Ch =

Re:Simple principle - also available in Germany

[cesarbp]

Thank you for your nice words. I am a small developer that have done the things totally alone, including the site.
About "The best" i wrote in my site, was about "one of the best" encryption specifications using key exchange, i corrected the errors i wrote previously, thank you.
About "No backdoors", i agree with you, it is not a solution to the problem, but it is a good beginning.
About "An independent evaluation", i agree with you, the best way is deploying the source code to an independent review under a NDA by a credible organization (credible enough to not deploy my source code), this is the best solution and i will try to do. Before doing, i will need to build a good commercial partnership, and currently i am trying to find one.
About "WinCE", i agree with you, the code needs to be portable, i developed this system using GSM-CSD because it is the best suited to send encrypted voice over GSM, and doing modem connections and avoiding internet access does the things harder to the attackers.
Regards.
Cesar.

Re:Simple principle - also available in Germany

[cheros]

Well yes, but you're going to sell sod all if you don't respond to email queries asking for a price. I sent you 3 in total, so enjoy being a poor developer because you're not going to get an income from this without customers.

And I stand by my comments - there is ALWAYS a potential for unintentional backdoors. Your assurances, although well intended, are not enough to sell in the security market. Without independent product evaluation you're asking people to believe you that it's not spyware infested, will not destroy the phone they put it on and has no ability to be tapped. That's not asking for belief, that's asking for religion.

You may want to think about partnering with someone to sell

Re:Simple principle - also available in Germany

[cesarbp]

Dear Mr. Cheros.
Sorry if i did not respond to your e-mail, i will see what is happening because i did not receive them.
I personally reply all incoming e-mails my site receives and your information is very important for me.
I will deploy a message page inside my site to allow direct messages and correct this problem.

Again sorry for this problem, my product is a decent product, works well and i have customers using it for more than two years and they enjoy it a lot.
Regards.
Cesar.

Doing bad business

[Oshkoshjohn]

If you are conducting business about which you don't want others to know, then face-to-face is still the best. A wooded area, away from buildings, on a windy day is just good practice. Finally, never do shady things with people you haven't known all your life.

Re:Doing bad business

[jgercken]

Naw, that wouldn't be conspicuous at all. Honey I'll be back in 4 hours. I have to drive to the hills for another business meeting. Traditionally this has been done in strip clubs, or is that what you meant by "wooded area"?

Re:If you comply you should have nothing to hide

[ZWarrior]

If you aren't doing anything evil why do you need secrecy (or privacy)?

Heh, I realize that this poster is only trying to get a rise out of the rest of us, but I thought I might post in response to this.

I find it interesting that every time privacy is brought up, this is the phrase that we hear EVERY time. However, I never hear anyone ask them a simple question in response --- "Do you close the door when using the public restroom?" Think about it, you close the door because you really don't want to be bothered, or bother others when partaking of the facilities. Do you keep the door on your house closed? Do you publicly post your account balance and how much you do, or do not, make at your job? Do you make your health records public?

The answers to these questions are exactly why there are privacy measures. Somethings are important to me that I do not want you knowing. Some people are more careful about the information they allow out than others, but being as we are in the USA, we enjoy the right we have to privacy.

Simply put, the simple response to that stupid statement is a series of equally stupid questions.