Originally Posted: March 28, 2016
Addendum: March 31, 2016
Update to fake blog post (original response starts at header Subject below):
Will do this in bullet form, as I am not going to give the fake "security researcher" any more space than necessary.
- Not identifying yourself or your company due to in-fighting. Lame excuse. There are lots of credible security consultants and researchers and ALL stand behind what they write. Hiding anonymously gives you zero credibility.
- Just typing the word TRUE, with no explanation as to why it is TRUE, after we explained each one of your nonsense points as FALSE, again makes you a joke.
- You again state that your explanation from Cellebrite is true, although it certainly isn't. Please explain to an end user how they would contact an organization that will not discuss any of its findings publicly with anyone, especially with make-believe people such as yourself, whose only writings in the entire world consist of articles attacking EncroChat.
- In fact we are not owned by a company in Canada. Not that it matters as we have nothing against Canadians. Our resellers and many of our subscribers have actually met us face to face. Clearly you are neither and have nothing to offer except complete misinformation about us.
- Oh, and I do like my blog post, mostly because it contains actual technical facts, not made-up lies and nonsense. You want to believe the world is flat? Go to town. I prefer to believe 1+1="2", not "lamp" as you do.
- Love your comment that the evidence is not what it is about. Wow, really? So it isn't about proving your point, but just slandering without any fact? You say you are protecting the users with your technical expertise, which we have to say in all honesty you don't have, as stringing technical terms together doesn't count.
- As this article is obviously just baiting people, and we are forced to respond because you spread your nonsense through PGP messages to subscribers, we have this proposal: we will meet you at a designated place where you will demonstrate your "evidence." We know you won't, because there isn't any. But hey, you can respond now all you want, and you have zero credibility. At least what we write we stand behind, which is why we post on our corporate website (not on an anonymous blog). Oh, and because we actually are real and exist, we will come out and meet anyone to discuss our product. We aren't hiding anywhere.
- Parting shot: Your blog we don’t take with seriousness. You are missing the point. We are not laughing with, but AT you. See if you can figure out the difference.
Subject: The saga continues Part II titled: lies, lies, lies and using fake blogs to slander.
Sigh, woke up today with users sending me a link to a throwaway blog site where a fake user account has posted slanderous articles about EncroChat. Normally, I would just laugh it off. I mean, the Internet is a place where anyone can write anything. For instance, it became national news when a rapper said the earth was flat, and that spiraled into a big debate. Sheesh. So I will respond, to satisfy everyone that all is good with EncroChat and also to poke fun at anonymous blogs.
Anyways, I digress. Let's look at this first blog entry, which says there is evidence we are working with the NSA and other authorities. First, cool that someone learned Photoshop well enough to make an image of one of our devices next to the NSA logo. Good job. Already frightened. The blog entry purports to have some sort of whistleblower and claims that EncroChat is owned by "Super Lock Tight." Ummm, who the heck is that? Apparently one of the largest PGP providers in Canada, and they have supposedly been working with the NSA and FBI due to warrants issued. Really? For such a large company, I don't even know who Super Lock Tight is. It goes on to say a guy named Jeff owns EncroChat and that he gave authorities access to servers. Huh? Never heard of him either. Oh, and that authorities were able to pull private PGP keys and stored messages from OTR accounts, blah blah. Well, first, we have no private PGP keys on our servers for our transitional PGP application. The PGP public/private key pair is generated using our PGP client on the EncroChat subscriber device, and the private key NEVER leaves the device. To boot, we don't use Off-The-Record (OTR). PGP resellers who compete with us keep saying this. So once and for all, guys, we don't. We are a derivative of OTR (we like the concept of OTR, but have numerous issues with the specific protocol, so we vastly improved it). Also, using EncroChat, our subscribers negotiate their own keys directly with each other, and those keys change with every single message.
So in looking over the rest of this blog entry, I'm amazed at the utter lack of truth. Let's start with the Super Lock Tight angle again. EncroChat has no PGP core base. We started as EncroChat, not as Super Lock Tight (can't find anyone who knows who this is even supposed to be). PGP resellers blocking us because of this is amusing. The only reason we are being blocked by PGP resellers and their group of domains is financial. They are losing way too many customers to our EncroChat platform, as their platform has been proven insecure and exposed by actual real reporters and technical professionals from recognized media outlets (reported without our help, I might add).
The blog entry muddles around trying to compare the EncroChat dual OS to Blackphone dual profiles, so somehow they are the same and therefore we are susceptible to malware and keyloggers. The blog entry asks how EncroChat could possibly do two operating systems and not do something wrong. Wow. Well, first, it is two separate operating systems, which means one does not see the other or even know it exists (same as having two physical devices). An infection of the standard Android OS does not infect the secured EncroChat operating system. They are two different platforms, which is why you need to reboot to access either of them. Comparing this to profile switching is just silly. Totally different premise. Oh, and if this "security researcher" had bothered to look at the standard Android operating system we provide, they would see that it is secured as well.
Then this blog entry goes on about Wi-Fi having some backdoor, and the CIA using FinFisher to access the device and send screenshots. What? What convoluted nonsense. I will post a separate blog article on Wi-Fi vs. cellular network (SIM) later, explaining that while both Wi-Fi and cellular are hostile environments, Wi-Fi is actually preferable. FinFisher is not a Wi-Fi exploit, and the CIA can't just head on into your phone through Wi-Fi. Just complete fabrication.
Next, the blog entry purports to have tested EncroChat with their own forensic team, that EncroChat cannot back its security claims, and that Cellebrite has commented on EncroChat and admitted to cracking it. Yeah, right, more outright fabrications. All I have to say here is put up or shut up. Spreading lies and misinformation is pathetic. If you had anything, anything at all, you would prove it. Making up quotes and lies is a bitch move. Grow up. Guess you really think subscribers will swallow any nonsense you make up. Why not tell us the world is flat while you are at it?
Second blog entry from same fake account stating weak PGP encryption and no security.
As my response is getting long, I will try to tighten this up. I will just respond to each false statement in the blog in simple terms, as it tries to baffle users with technical jargon (hey, lots of technical terms, must be true...).
- We leak a private IP address every time you send a PGP email, so you can be tracked to your device. Sigh. Private IP addresses are non-routable on the Internet. They are designed so private networks can use blocks of IP addresses that cannot be routed on the public Internet (i.e., cannot be used to track you). This is the very definition of a private IP address. There are literally tens of millions of computers using the exact same private IP address space. FALSE
- We are vulnerable to Heartbleed bug. This is stated so a user can type it in a Google search and find that such a thing exists. We are not susceptible to it. FALSE
- We are using self-signed certs. 100% we are. Snake oil? Really? So the blog entry purports that it is better to go to a Certificate Authority (CA) and get a certificate. You know, the ones that government agencies either subvert or hack to get a certificate so they can gain a foothold into your computer, smartphone, et cetera. We don't accept ANY certificate authority on our platform, except our own, which we pin in all our apps so no one can pretend to be EncroChat, not even any of the 211+ certificate authorities out there. True that we use self-signed certs. The argument is FALSE (and quite ignorant to boot).
- We use weak Diffie-Hellman keys (1024). This just sounds good, as users are like, what the heck is Diffie-Hellman? Sounds bad if they are using 1024-bit keys. Diffie-Hellman key exchange establishes a shared secret between two parties that can be used for secret communication when exchanging data over a public network. EncroChat uses Triple Elliptic Curve Diffie-Hellman Ephemeral 25519 (ECDHE) key exchange, which provides both forward and future secrecy. Claim is again FALSE.
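Triple Diffie-Hellman over X25519 in working form, as an added example that is not EncroChat's code: each party holds a long-term identity key and a fresh ephemeral key, and the session key is hashed from the three DH shares, so a later compromise of an identity key alone does not reveal past session keys (forward secrecy). The X25519 arithmetic follows RFC 7748; the share ordering, hash label and function names are assumptions and not the EncroChat protocol, and the "future secrecy" the post mentions depends on how keys are ratcheted after this handshake, which the page does not describe.

```python
import hashlib, os

# X25519 (RFC 7748, section 5) in pure Python; not constant time, so study only.
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """Return k*u on Curve25519 via the Montgomery ladder; k and u are 32 bytes."""
    kb = bytearray(k); kb[0] &= 248; kb[31] &= 127; kb[31] |= 64  # clamp scalar
    k_int = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)          # mask high bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:                       # conditional swap (not constant time here)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair(seed=None):
    """Private scalar (random unless a seed is given) and its public point."""
    priv = seed or os.urandom(32)
    return priv, x25519(priv, BASEPOINT)

def triple_dh(id_priv, eph_priv, peer_id_pub, peer_eph_pub, initiator):
    """Hypothetical 3-DH: three X25519 shares, concatenated in an agreed order and hashed."""
    dh_ie = x25519(id_priv, peer_eph_pub)    # my identity with peer ephemeral
    dh_ei = x25519(eph_priv, peer_id_pub)    # my ephemeral with peer identity
    dh_ee = x25519(eph_priv, peer_eph_pub)   # ephemeral with ephemeral
    parts = (dh_ie, dh_ei, dh_ee) if initiator else (dh_ei, dh_ie, dh_ee)
    return hashlib.sha256(b"3DH-X25519" + b"".join(parts)).digest()

def handshake(ia, ib):
    """One exchange between identity keys ia and ib with fresh ephemerals; returns both sides' keys."""
    ea, EA = keypair(); eb, EB = keypair()
    key_a = triple_dh(ia, ea, x25519(ib, BASEPOINT), EB, initiator=True)
    key_b = triple_dh(ib, eb, x25519(ia, BASEPOINT), EA, initiator=False)
    return key_a, key_b
```

Running `handshake` twice with the same identity keys yields two different session keys, which is the property that makes a stolen identity key useless for decrypting earlier sessions.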
Lastly, nice try you cost me some valuable time today responding to utter nonsense. Piece of advice, whoever is writing your blog entries is the technical equivalent of a dumbass.