FN: Snake Oil or Strong Medicine
Posted by admin on September 8th, 2011
So what do people think of FN, our ideas and our yet-to-be-seen product… Well, that is exactly the topic of today’s blog post. To be kind, I would say that views on FN seem mixed with a bearish bias, ranging from mildly positive to strongly negative, including, dare I even say this out loud… gasp, that FN is nothing more than “Snake Oil”. For those of you not fully versed in the use of the term Snake Oil, Wikipedia http://en.wikipedia.org/wiki/Snake_oil provides a concise summary of the term, as follows:
“Snake oil is a traditional Chinese medicine made from the Chinese Water Snake (Enhydris Chinensis), which is used to treat joint pain. However, the most common usage of the phrase is as a derogatory term for quack medicine. The expression is also applied metaphorically to any product with exaggerated marketing but questionable and/or unverifiable quality or benefit”.
It is the latter use which has become a de facto derogatory ‘term of art’ in the software security industry, as popularized by Bruce Schneier, who later further generalized the term as ‘security theatre’. Bruce has a number of posts on the general subject, including one aptly entitled Snake Oil http://www.schneier.com/crypto-gram-9902.html as well as his Memo to the Amateur Cipher Designer http://www.schneier.com/crypto-gram-9810.html#cipherdesign. Further, his ‘Snake Oil’ post also references Matt Curtin’s Snake Oil FAQ http://www.interhack.net/people/cmcurtin/snake-oil-faq.html.
To facilitate a consistent view and analysis of the parameters germane to evaluating Snake Oil, we took the admittedly subjective liberty of summarizing some of the salient arguments for and against FN being Snake Oil. If you think we have inappropriately framed the constructs intended by the original authors, by all means add a comment and your thoughts. We recognize our obvious conflict in preparing the items listed below and have done our level best to present a balanced viewpoint, but alas, we do have a bias:
| Snake Oil Signs / Parameters | Arguments For FN Being Snake Oil | Arguments Against FN Being Snake Oil |
|---|---|---|
| Who is FN? What credentials do you have? | FN’s team has little formal software security expertise | When things aren’t working, like in cyber-insecurity, aren’t fresh perspectives and ideas sorely needed? |
| What have you broken? (a variant of the credentials question) | This argument is typically made in relation to cryptography, which is to say that to break a known cipher you must be pretty smart, so maybe, just maybe, your own crypto may be of some value. However, unlike cryptography, breaking software systems is trivially easy for any idiot to do, so the fact that we can break systems and compromise user data is hardly a marker of credibility (although it does support our contention of the ineffectiveness of current solution directions). | FN can clearly break other solutions, as shown at the Demo 2010 Conferences. On a related note, we plan to highlight, in the glorious Technicolor of video, the glaring deficiencies of existing client-side endpoint solutions at or around the time of our product’s release – somewhat akin to the transparency that Lulzsec brought to server security deficiencies, but without the travesty of exposing real user data. |
| Proof that FN is immune to well-known attacks | Although BT testing validates the efficacy of FN’s solution set against known attack methods, there is no peer review of FN’s ASL protocol’s design, implementation and/or its source code (of ASL and the rest of its solution). | Again, unlike cryptography, software systems are easily subject to empirical testing (much more so, in fact, than design reviews can ever hope to accomplish). That is, it is generally very easy to find and demonstrate flaws in software system security via “black box” testing for anything that is more easily circumvented than broken, a use case which SSL clearly seems to fit (making peer review much less relevant). For empirical veracity, we would simply point to the “no flaws” noted in FN’s BT ethical hacking reports (as of Dec. 10, 2010). |
| Reasonable chance of success? | Hard to tell, given lack of info on site – maybe now helped by addition of the Why FN section, maybe not… | The fact that BT can’t break FN with known tools should provide some clues that maybe FN is on to something…particularly if one recognizes that breaking all other vendors products/solutions in a myriad of ways with the same tools is trivial… |
| No Public Availability | FN’s product is not publicly available (yet?), but allegedly will be in Summer 2011 (the same was said of Spring 2011). | And it looks like we’ll miss our latest target date by a week or two, again… but we are neither the first nor likely the last software product or vendor that is late in shipping… |
| Proprietary/Patented | If you won’t discuss it, you have something to hide (we would argue that this point is again much more applicable to the fact and circumstance of cryptography, as algorithms are unpatentable). | FN believes in intellectual property rights (as well as capitalism in general, for that matter) and as such FN has in fact filed certain patents/provisional patents related to system security. |
| Hacking Contests, Bug Bounties, Etc. | Contests are not proofs. | In fact nothing is provable – even mathematics, if you want to get technical about it, so now what? For FN, which has shown empirically that neither we nor the experts we hired can break FN’s system with known tools, it seems logical to us to subject the system to further review, including the compensation of researchers through bounties, rewards etc. Besides, these methods seem to be working for Google, Mozilla and others… |
| Military Grade Claim | This is an unsubstantiated claim in cryptography, which again does not seem too relevant to security systems. Further, military cyber-security is no panacea, as hacking activities rightly seem to confirm. | Once again, unlike cryptography, it’s easy to validate the security as well as the quality/maintainability of coding standards as defined by military and/or other mission-critical systems (e.g. NASA), and we for one think they are not only valid but laudable (just expensive as heck to implement…). |
| Unsubstantiated claims | “Most secure product in the world” sounds bold at a minimum, audacious at best and perhaps ludicrous for a small company, without any security experts, from Canada (okay, I added that last part just for grins and giggles). | In fact, the ‘most secure’ claim is not a high hurdle given the current state of cyber insecurity – and we are not trying to be facetious (this time). That said, the known hacking tools that easily circumvent existing solutions are provably ineffective against FN and as such, our claims do not appear to be completely spurious. |
Before taking our poll, you might want to check out the newly added Why FN section of our website, where we articulate a little more clearly our thought processes and directions as well as technologies and benefits.
We know everyone’s time is valuable and are appreciative of your thoughts and views, good, bad or otherwise, for in the case of feedback, like press, it’s all good! So please do respond, as we’d appreciate more information regarding both perceptions and facts concerning our solution set and direction, and we’d love to debate the issues a little further…
And yes, full disclosure, we are aware that we hold certain advantages that relate to information asymmetry regarding the efficacy of our solutions, but hey, that seems only fair, as we are the ones being labeled as morons, er, I mean Snake Oil Salesmen. So go ahead and live a little and take a view, as these folks already have:
- K McIntyre commenting on an article noting FN here http://www.theglobeandmail.com/report-on-business/small-business/digital/biz-categories-technology/plucky-david-aims-a-rock-at-cybersecurity-goliaths/article1858338/comments/
- Seemingly made under the taciturn guise of political correctness here http://www.somaini.net/justins-journal/2011/4/24/forbes-security-vendor-gone-wild.html#comments, by Jared of Third Defense
- And lastly, much more explicitly here http://www.ashimmy.com/2011/04/ask-not-what-the-security-industry-can-do-for-you-but-what-you-can-do-for-the-security-industry.html on the Ashimmy blog. As an aside, we are readers of the blog, respect his views, love the awards and wholeheartedly applaud him for actually taking a position, although we must emphatically agree to disagree on his conclusions (not to mention that we feel some vindication, given that the cyber insecurity article he references was published well before the Lulzsec rampage that seems to emphatically add more than just a little credibility to our views).
Thanks in advance for participating.
Comments
It’s ridiculous that someone would say that your product is snake oil.
Thanks mom!