
This is a story about a podcast a friend and I run and the strangest interview I have ever been part of. It turned out to be a great learning experience, but I must start the story in 2013, before the podcast even existed.
I was a new employee in a company, working as a security specialist. My first assignment was a brand-new encryption solution that I was asked to evaluate. My manager wanted me to tell him if this product was worth investigating further or not. I was given a product presentation pamphlet. It was something you don’t hear every day: a Swedish company offering a totally new encryption solution. It was one of those startups that had gotten a healthy injection of cash from a “corporate angel”. In short, they were given money to realize a new solution. It was presented as something brand new and never seen before. It didn’t need any keys, passphrases or other information that could give away the secrecy of the data. Also, it was based on a security protocol that the inventor of the solution had invented herself. It also boasted that it was patented, and the patent registration number was printed in the pamphlet.
It was easy for me to get the patent document from the patent office. It read as the same “marketing fluff” that the pamphlet did with the addition of a generic diagram and some text talking about quantum encryption. Most of the statements raised red flags for me. I will explain shortly why. Then I thought that “maybe there is something to download to test it?”. No download links and no instructions on who to contact at sales to get a trial version. Checking their website and other sources gave me no further information. I started doubting that they had some sort of software solution ready. This was weird. The company was at the time a few years old. “They got to have some sort of beta”, I thought. But nothing came up anywhere. I noted to my manager that I didn’t recommend going any further with this solution. My manager wasn’t a bit surprised. He had read the marketing text and didn’t think it was interesting to pursue further. Fair enough, not all things on the market are worth the effort. There’s nothing strange about that.
A few years later I read a popular Swedish magazine where a reviewer had gone through the solution. The most interesting part of the article was when he commented on the claim about “quantum properties”. The marketing text stated that the solution through quantum properties could detect if someone was eavesdropping on the encrypted data. Not hacking or trying to decrypt it. Just watching the packet stream would set off an alert. This was claimed to work on any kind of connection. The reviewer noted that an Ethernet connection, as opposed to a fiber optic connection, doesn’t have quantum properties. The claim was wrong as this feature could not work. It was physically impossible.
Years passed and in 2018 a friend and I decided to start a podcast together. We both worked at the same company at the time and in the IT security industry. So, it was clear we would cover the IT-security field. That’s a story for another day, though. A few months later we were offered a sponsorship by a large security organization in Sweden. As part of this, they sent interesting IT-security and info security lecturers for us to interview. We started doing regular interviews during the spring and it continued.
In the summer the other host went on vacation, and I decided to take the reins of the podcast myself during his vacation. I ran the show, covering the events in the IT-security field during each week. One of the last podcasts I made before he came back was about the inventor and her company. I was careful not to mention her name or the name of the company. But I talked about the claim that she had invented an encryption protocol herself. This is generally a very bad thing to do. Especially if you don’t make the solution open. Her encryption, if it existed at all, was closed source. Microsoft made this mistake in the 90s when they released Windows 95. It had the passwords of the users stored in passwordlist-files. Those encrypted .pwl-files were built so no one got to know how they worked and that was supposed to be secure. It was not. Not by a long shot. Hackers had a field day with the solution and what little security Windows 95 could offer was lost. The .pwl files were properly hacked and became useless. A new encryption format must go through years of vetting and attacks before getting trusted for implementation in standards. Some encryption standards that were considered secure have been broken over the years and then stopped being used. This is the harsh reality and the reason why this was a red flag for me. I noted this on the podcast.
This is where it got interesting. What happened next was something I would never have seen coming. Our contact in the organization suggested another guest for our podcast. He said she was a bit controversial but may be interesting. We had to decide ourselves if she fit the podcast. She had invented her own encryption. You guessed it, it was her and it was the very same solution that I had evaluated previously. Who would have thought? What was the likelihood of our paths crossing? The other host and I agreed to allow her on. It was a bit of risk taking, but a self-made inventor could be interesting to have on. I silently wondered if we knew what we had gotten ourselves into. We had no idea…
It was a nice day in autumn when she arrived at our work office. We led her to a conference room we had been allowed to use. She told us she had just come back from a large company nearby. She had been presenting her product to them, and she seemed to be very hopeful of it leading to some business for her company.
The recording got off to a bad start. It wasn’t her fault. It was mine. She spoke about prime numbers, and I explained what that was. I got the explanation right but also suggested a few numbers that were prime numbers. Among them was 9, which is not a prime number at all. It’s divisible by 3. I got to hear that a number (haha!) of times from listeners and thought there was no end of it. What happened next was worse. She claimed that her cryptography did not use mathematics and pointed to a matrix with binary numbers she drew on the whiteboard. Listeners could not see that, but if they had, they would probably have drawn the conclusion I did: a matrix, a mathematical thing. At least I learned to use them in math class in school way back when. Either way, I have never heard about cryptography not using math. I tried a conversation starter by telling her that her solution reminded me of the Kerberos protocol. That did not sit well with her. I started worrying that she might stand up and walk out on us if we asked the wrong questions. It was probably not what we should have done. She was kind of worked up from my question. We really didn’t know how to challenge her different views on how encryption was to be done. In the end, she told us her point of view without much intervention. We thanked her for her time and then stopped recording.
What she said later totally should have gone into the recording but didn’t. It was interesting and unexpected. The first thing was that she was going to teach herself Microsoft C#, a popular programming language, to be able to build the software solution. I could hardly believe that I heard her right. At this time, her company was 10 years old. It confirmed what I suspected from the beginning: there was no functioning solution. They basically had an unrealized idea that had yet to materialize. This is kind of the most long-standing “vaporware” I have ever heard of. What could she really sell to an interested customer if she had no solution ready? Then came the next thing she said. She told us of her quantum computer that she had in her cellar. Some background: quantum computing is bleeding-edge research technology. Companies like Microsoft, IBM and Google pour loads of money into their projects to create the first quantum computer capable of reaching the goal of being powerful enough to bring massive parallel computing to this world. This technology advances but is many years away from being done. Back when this interview was conducted there were just a handful of quantum computers in the world. Somehow, she had one in her cellar. Such statements are impossible to verify unless you look in her cellar, I guess. This left me wondering exactly why she said something like that.
We went home to our respective homes, and the episode was uploaded and spread through the podcast services on time and to a waiting community. The response came a few days later.
Someone posted a message in a Swedish Facebook group specializing in IT-security. This message was about the interview, and it was surprisingly respectful for an angry take on our podcast. The people posting in the thread called us out and wondered why we had put her on the show. They also wondered if we knew anything about cryptography, given that we didn’t question anything she said. A few days later someone posted a new post without knowing about the first one. There were the same critical questions about the interview. We responded the best we could.
Something good came out of it. A man working with cryptography in a Swedish university offered himself as a guest on our show. We let him on, and it became a good introduction to cryptography and quantum computing. The calmness began to come back to our world. This is the end of the story, right? Nooooo… Not by any stretch of imagination.
Time passed and we continued producing podcast episodes. Months passed, but one day I got an email from a listener. It was addressed to me and asked me if I believed in her solution. At this time, I had to be careful what to respond. I didn’t want to be too negative about it. I noted that all I had to do was to say it like it was. I responded something like “there is no product to test in order to evaluate its capabilities. Until such a solution exists and can be tested, I do not believe it works. If I ever get to test it, it’s unlikely I will believe in it. But let me at least try”. I felt pretty good about that answer.
20 minutes later, I stood outside the building I work in, so I could get some fresh air. Then the phone rang. It was her and she wanted to talk to my manager. It was a moment of “ouch, dammit!”. It wasn’t just my direct manager she wanted to talk to. Not even the CEO of my company. Nope, she wanted to talk to the CEO of the company group. I thought I was going to get into some hot water. But she was nice and polite. I gave her his number. Then I went back to the office and sent him a message. I asked him to be a bit on the skeptical side with her. I got no response from either of them. It later struck me that it was probably just a coincidence she called me at the time she did. She most likely wanted to do a sales pitch. It was not her, under a fake name, that I had mailed back to. A sigh of relief later it was all forgotten.
More time went on. Months later I got a message from her. She wanted to come again as a guest of our show. I didn’t have the heart to tell her no. I asked to get back to her later. Time passed and I didn’t hear from her at all and forgot about it.
This story has a sad ending. One day I saw a message from her daughter on social media telling us that the inventor, her mother, had passed away recently.
There is an old saying: “Don’t speak ill of the dead”. I really don’t want to do that either. Remember that my first experience with their security product was before I even met her. My whole point is to tell a story about working in the IT industry. We must be hard on security companies, because so much of our society will be entrusted to their protection. It’s nothing personal really.