July 18, 2002 4:00 AM PDT
Selling secure laptops no open-shut case
Yet Gonggrijp believes it's possible for his new company to find buyers for its innovative products, which include an encrypted PC, a secure cellular phone and a better way to do secure e-mail. To encourage broad adoption, Amsterdam-based NAH6 plans to release much of its work as open-source software for noncommercial use.
"The roads of crypto business are littered with corpses left and right," Gonggrijp said in an interview here at the H2K2 hacker conference last weekend. "I think the only way to do this is to start small. See if you can find this yourself and grow gradually."
NAH6 plans to release its first product, called Secure Notebook, next month; no price has been set so far. It's a software application designed to appeal to business or government travelers who worry about losing their laptops but can't be bothered to encrypt each sensitive file on them.
Statistics compiled by the Safeware insurance company say that in 2001, about 600,000 laptops were stolen, up 53 percent from the previous year. By contrast, thieves nabbed only 15,000 desktop computers.
Even spies aren't immune from missing laptops. In 2000, Britain's Ministry of Defense admitted it lost 67 laptop computers during the previous three years, including ones with secrets about the peace talks in Northern Ireland, and the U.S. State Department has also lost classified laptops.
Secure Notebook would be the first product to take the novel approach of running Microsoft Windows on top of Debian GNU/Linux, with the underlying Linux layer ensuring that all Windows files stored on a hard drive remain encrypted.
This approach solves vital problems that other disk-encryption products such as PGPdisk do not. Unlike those systems, Secure Notebook stores even Windows' virtual memory files and temporary files in encrypted form, meaning a corporate spy or thief who snatches a Secure Notebook would be unable to read any data.
Secure Notebook and NAH6's three other planned offerings have one thing in common: They're designed to glue near-unbreakable encryption into a PC or handheld device while shielding users from the oft-befuddling underlying complexity.
"The crypto is well-hidden," Gonggrijp said. "There's no geekiness. There's no command line."
Probably NAH6's most ambitious plan is a secure phone project, still at least half a year away from release with no price set. The idea is to turn the PocketPC, a hybrid of a handheld PC and cellular telephone that runs Windows CE, into a military-strength encryption device.
Gonggrijp says that the software will be free for noncommercial uses and will let GSM users activate a scrambled communication channel by pressing a button.
Security experts uniformly applauded the idea, but some questioned whether the current PocketPC platform was powerful and flexible enough for the project to succeed. Others doubted that there was sufficient demand among paying customers for either product.
"People don't care about security," Lasser said. "Witness the astounding success of Web mail accounts through entirely insecure providers. Convenience trumps security every time."
Peter Trei, an experienced engineer who works for a large encryption vendor, says, "At the moment, the vast majority of the people on the Net don't use crypto, see no need to, and aren't going to lift a finger to do so. That leaves you with the rather limited market of people who are activists in one sense or another, and people with real operational needs."
Trei also said that governments that rely on wiretaps for intelligence or criminal investigation may not welcome encrypted laptops and cellular phones. "Things which thwart (surveillance) may become difficult to market, and could land users in hot water," Trei said. "I understand that Holland has one of the highest wiretap rates in the world. They could easily ban the crypto phone."
NAH6's Gonggrijp doesn't seem worried. He's had experience battling government restrictions, both as the founder of the legendary Hack-Tic hacker magazine in the 1980s and co-founder of the Dutch Internet firm xs4all, which has hosted controversial Web sites during its 10-year history.
"These things just need to be built," Gonggrijp said. "Everyone's screaming for it. These four projects represent about 70 percent of what people are demanding."
Gonggrijp is funding the four-person start-up, which is about 9 months old and is based in his home in Amsterdam.
A version of Secure Notebook seen by CNET News.com includes a graphical interface that allows users to choose between encryption strengths, make backups and type in their pass phrase to continue booting. The electronic key that, in combination with the pass phrase, unlocks the hard drives, can be stored on a USB dongle.
NAH6's other products include a program called Crypt-o-Matic, a transparent way to PGP encrypt and decrypt all incoming and outgoing mail. It works by grabbing mail messages after they're sent and before they arrive and silently handling the encryption.
Crypt-o-Matic will be available in a few months, NAH6 says, and free for noncommercial use.
Another offering is a patch to the popular Mailman mailing list software, sponsored by the Free Software Foundation. It upgrades Mailman to support encrypted mailing lists and will be released under the GNU General Public License.
Even if its products turn out to be cloyingly friendly and easy to use, security experts seem pessimistic about NAH6's commercial chances. About the only way to make money in desktop security, they say, has been to own key patents as RSA Security did.
"There's no money in desktop security," said Bruce Schneier, the CTO of Counterpane Internet Security, which sells intrusion detection services. "It's a tough world. Everyone likes to talk big about security, but no one really cares. Good luck to them."
Perry Metzger, a security advisor at wasabisystems.com, speculated that NAH6's biggest impact may be political, not commercial.
"I've seen a couple of people propose that before, including one who tried to start a company to do it," Metzger said about the encrypted phone. "My guess is that skill required to set such a thing up--even the minimal skill in question--might keep it from becoming mass popular."