Wednesday, 7 October 2015

An open response to Veiltower and Edsard Ravelli's Kickstarter update

An update was posted on the Veiltower Kickstarter earlier today. This was in response to the furor expressed by myself and many others on Twitter since yesterday morning. As a result of this response and as a follow up to my previous entry, I've opted to opine on the response.
Dear Backers,
Edsard here, developer of Veiltower. Our project has now been active on Kickstarter for over 24 hours. To say that it has been overwhelming is a major understatement.
On the one hand we’ve been receiving a lot of praise - particularly from friends, colleagues and business partners who know us - and on the other hand there has been criticism directed at our project from a few people in the information security community. 
The criticism was primarily directed at one thing; the ‘100% secure’ statement on our Kickstarter page. Information security officers will always tell you that nothing can be infinitely 100% secure. And that is true. But frankly this is, in my honest opinion, a theoretical debate. For instance ‘PGP’-encrypting technology for e-mail is great, but 99% of people on the planet don’t use it. Why? 

This isn't amateur hour: the fact that you tried to enter the cyber security space with what appears to be inadequate knowledge and research should be enough to warrant scorn and ridicule over the use of the term "100% secure".

Trying to also pass off praise from friends, colleagues, and business partners in face of this valid criticism is akin to a child receiving praise from their parent after having achieved a failing grade in school. The opinion of the parent is not going to change the outcome of the child's inability to perform.

The reason why information security professionals who are adept at their jobs frown upon "100% secure" statements is that it is impossible to have such a thing. If your device was even remotely capable of providing this, you wouldn't be selling it at $159 but instead for much, much more. By using that statement, you've put yourself in a league of many other failures who've gone and made such a remark and then later found to be far from secure.

The problem with information security isn't a device or application problem: it's a human one. The human problem--or as I like to call it, the "Layer 8 Problem"--is the primary culprit behind breaches, malware infections, and scams. With infections and scams, users tend to fail to keep their machines up to date or do not take a critical look at what they're being presented with. You fail to understand this but have no problem going about stating that a simple VPN and "secure" access point is going to solve everything.

I am ignoring your PGP question because if you truly understood the problem you're facing you would have not asked that.
If you want to secure yourself as a tech-savvy person you would setup a solution in your home with a strong firewall, strong Wi-Fi encryption, and add into the mix a VPN both on your system at home as on all of your devices. You will configure and maintain them daily, spend the effort and remain vigilant at all the time. Simple. But most of you, and the majority of internet users, neither have the time or the experience to set this up, let alone maintain it. 
And that’s what the Veiltower concept is all about. It’s about combining existing and proven methods in a way that’s easy for ‘Average Joe’. The real threat to our security – as stands today – is the complexity of use and the lack of usability. We don’t use ‘PGP’ because it’s perceived as complex. 
The "real threat to our security" is not just the complexity of it or that humans make mistakes, it is also the fact that people like you try and sell half-baked solutions. I come across many, many products on a constant basis in my line of work where the vendors promise that it will do this with minimal cost on resources. For every one good security product out there, there are umpteen that are complete garbage and are backed by individuals like yourself. I rarely if ever endorse a product but I have no problem calling one "garbage" when I see it--and yours comes under that category.

When you go on Kickstarter claiming "100% secure" then go on Twitter and claim that you're just stating this for the common layperson, you're being deceitful and demeaning. It doesn't matter if you're talking to an information security professional or a common user: you tell the truth. Making security easier for users is something that all of us should try and do, but we do it in a way that doesn't require us to talk down to them--like you are--and also doesn't involve us manipulating them by making outright lies--such as claiming "100% secure".

Also, while I won't explain the problem with PGP in this response, I will explain the problem with your example. PGP is not something that you'd use to secure a network or computer but instead it's something to secure data. PGP won't stop malware, won't stop data leaks on networks, and won't prevent the human problem. This is a really an inadequate example on your part and I am not sure why you'd want to use this other than you have no clue which is really what I think is going on here.
And that is what I have focused on for the past 12 years; taking something very complex and making it easy to use. For example in 2001 at KPN (biggest Dutch carrier) I created a simple way to connect via ‘GPRS’ – because they understood that without usability nobody would use their service. I introduced automatic carrier detection and Wi-Fi (including automatic authentication to various hotspot providers) into the Vodafone Connection Manager worldwide in 2005 and 2006, although it seemed like it couldn’t be done because Wi-Fi was a ‘competing technology’ to their mobile data offering. In 2009 I created a solution for Best-Buy that would do both GSM and CDMA (2 competing technologies used by AT&T and Verizon) and switch a user from one network to the other, based on the best coverage for that user at that location - without the consumer having to do anything. 
Veil Systems is not based around a small group. It’s about a collection of idealistic people from the US, UK, Ukraine, Argentina, The Netherlands, Switzerland, Germany and Russia that came together – all bringing their own expertise – to create Veiltower. Our goal: help stop cyber-crime and protect the people that need protecting. 
Great. I am glad that you have this team and experience behind you: why are you just pointing out yourself, a designer, and a logistics person in the Kickstarter instead of you know maybe people who are behind the development of this project? You claim to have people scattered all over the Americas and Europe yet only focus on yourself and two people from the Detroit area. When you cite these countries, are they the actors in your videos or are they actually the main people behind the project?
We received comments about the lack of technical specs on our Kickstarter page. We did this deliberately. In our experience most of you don’t care about the various technical ‘flavours’ which could have been used. EAP-TLS vs. EAP-TTLS vs. EAP-FAST or 256-bit symmetric key vs. 2048-bit asymmetric key or Broadcom vs. Intel chipsets or why 256Mb is enough instead of 512Mb or Debian vs. OpenBSD vs. openSUSE. Every one of them have pro’s and con’s. That creates an infinite debate without end. In the end; it’s a ‘flavour’. You – the people we have built Veiltower for - just want it to work. You just want it to protect you. We knew, well in advance, that with adding a lot of tech specs we would scare you off or run the risk of our story would end up in a technical debate. And that is not what this should be about. 
You're essentially telling everyone that you'd rather create a blackbox rather than give any level of specifications on the product? This makes no sense considering even other Kickstarters like your own have referenced such things. Also, calling encryption symmetries as "flavours" is woefully ignorant and just demonstrates a lack of technical depth that you have.
Is Veiltower is finished product that has undergone every possible certification and validation process? No! It’s a prototype that we have developed, tested and that works. Can it be improved? Always! And that’s exactly why we are on Kickstarter. The funding will allow us, as part of our 6 month process, to do the types of improvements, certification and validation tests that the information security community – rightfully – demands from a finished product.  
Whoa. Stop the fuck right there.

So what you're telling us is that Veiltower has not gone under every possible certification and validation process, but you had the audacity to claim that it is "100% secure"? What sort of validation tests do you plan to take on this? What sort of certification? Can you elaborate on how you tested the device?
Note: If we don’t achieve our funding goal. Nobody pays anything. And if we achieve our funding goal and we don’t deliver we also refund your money. We have stated this on our Kickstarter page very clearly. 
This opens up a question for me: how are you going to continue to guarantee support for the product after raising all the money? The reason why I ask this is that in 2013, your prior company, Diginext claimed bankruptcy, leaving the organization owing almost half-a-million Euro.

If your product is as good as you claim it to be, you would not be going to Kickstarter for getting it launched because you'd have investors crawling all over you for what would be considered the Holy Grail of Cyber Security. Your business plan to use Kickstarter and your earlier bankruptcy does not seem to add up in my books as something that will work long-term for users.
Let’s do this!
Edsard Ravelli
Let's say we don't do this and instead end the Kickstarter. You're making yourself look like a fool and you're tarnishing the names of two other individuals who do not deserve to be part of your failure.


  1. I was hired as a sub-contractor to assist with their original launch, before it was delayed. I can honestly say I have rarely been treated as disrespectfully as I was with Edsard's team.