DataGateKeeper: First Encryption Software Engineered to Defeat Hacking Programs, Granting Superior Data Protection & Cloud Storage
Making a pledge, perhaps just a minimal amount, without selecting a specific reward is most definitely *not* a "loophole" in KS but part and parcel of the whole KS experience, as will be clear to anyone who has paid *any* attention to how it all works. As Julius points out, the feature has been available since day 1
As well as just allowing money to be donated without strings, it is *also* a way to tell a project creator "You've caught my attention, now I want to be alerted whenever you post an update: are you able to keep my interest and maybe convince me to make a more robust pledge?".
"We are finalizing the release of the DataGateKeeper on the Windows platform, and the development and stress testing of the Android and Apple platforms." Will you also support linux or not?
"We felt this action was the most responsible avenue to take once the fringe quasi-InfoSec wannabe community began attacking you, our DataGateKeeper Backers. We have never seen anything like that and likely, no campaign has ever had Backers personally attacked for making a Pledge. "
I have to admit this is not true. I have seen multiple companies do this, only to get their whole history dug up and used against them. When people start raising red flags, you usually can do two things: either admit defeat or go to battle with an open visor. If you either keep hiding the truth (either by your own stupidity or ignorance) or don't admit that you are wrong, red flags will keep being raised. I have seen one where big well-known websites discussed how things were working, only to realize that flagging the whole idea as a "scam" was the best idea, also backing the project itself to warn others (referencing the site). I have seen companies that altered their whole description after their so-called idea was "too good to be true". I don't mind backing stuff, as long as they have a clue about what they are doing. Personal insults though are not what should be discussed and yes, they should be removed from Kickstarter.
"These miscreants did not Pledge for any Rewards, however, they used a loophole, in this platform to disrupt and gain access to you, our Backers, which is reprehensible." This loophole you are mentioning is something that has been in Kickstarter since the beginning. Some people just pledge money "because they can", not because they want something in return. It's the "no reward level", which is basically a pledge without any reward attached to it.
"In addition, we had several “journalists” contact us to do a “story” for their “readers”. We also elected not to engage them for several reasons; the well had been poisoned, our message had been diluted, and their intentions and loss of objectivity had been made clear by their online social media activity. "
Okay, I am curious about this one. Most journalists cover a story to get both sides. If they only cover one side of the story, then I wonder what kind of journalists they are. If you can show them that your service works, that it is way better than most other systems, and they can see that your system works better than anything out there, then I am pretty sure that this campaign would be a bigger success.
"It is not a field of a few acres of ground, but a cause, that we are defending, and whether we defeat the enemy in one battle, or by degrees, the consequences will be the same." Thomas Paine, 1777
Dear DataGateKeeper Software Backers,
No truer words were ever spoken. As true in 1777, as it is nearly 240 years later.
You are true Data Angels; your foresight in the face of aggressive and salacious attacks from the fringe is a testament to your fortitude and an inspiration to us. You will have your DataGateKeeper. Our resolve to deliver to you the DataGateKeeper Total Data Protection Software™ and SafeDataZone™ has never been greater.
We are finalizing the release of the DataGateKeeper on the Windows platform, and the development and stress testing of the Android and Apple platforms.
We launched our Kickstarter campaign to test both our message and the market. Unfortunately, we did not gain perspective on either issue. A key driver for success on any crowdfunding platform is getting the word out on social media. On this matter, we failed you, as we elected to cancel all of our promotional efforts, nearly immediately. Why?
We felt this action was the most responsible avenue to take once the fringe quasi-InfoSec wannabe community began attacking you, our DataGateKeeper Backers. We have never seen anything like that and likely, no campaign has ever had Backers personally attacked for making a Pledge.
These miscreants did not Pledge for any Rewards, however, they used a loophole in this platform to disrupt and gain access to you, our Backers, which is reprehensible. The twittidiots and their ilk even attacked our employees and supporters – all anonymously. We apologize to our DataGateKeeper Backers and Team for any offense or verbal attacks you sustained.
In addition, we had several “journalists” contact us to do a “story” for their “readers”. We also elected not to engage them for several reasons; the well had been poisoned, our message had been diluted, and their intentions and loss of objectivity had been made clear by their online social media activity.
During the campaign, we engaged these crypto-crazies in an effort to understand their boggle. As is typical of any engagement with flakes that hide behind anonymity, the 80/20 Rule was in full force. 80% of the twittidiots could not conjugate a response, while 20%, who did not hide behind their twitter account, proved to be helpful, and we had productive conversations. We thank them here.
What Did We Learn?
1. Controlling the message is important, however, controlling the environment for that message is critical. Today we will move to control both the message and the environment. We believe in the first amendment, however not at the expense of decorum, respect for others’ opinion and dignity.
2. Given the plethora of crowdfunding sites available in the market, the Kickstarter platform is likely not the best platform for software, absent a techie gadget connection or video game. Software clearly underperforms on this platform.
What are We Prepared to do for Our DataGateKeeper Software Backers?
1. We are going to complete our DataGateKeeper Total Data Security Software and make it available to you first for the price you Pledged and for the Reward you Backed. We are currently arranging to do this very thing.
DataGateKeeper Backers, you have our private email address, we look forward to continued communications. Please contact your Data Angel Team if you have any further questions.
The Data Angel Team
Come on people, only a couple of hours to go! I want my hat.
On a more serious note; is it worthwhile to buy just the circulator that can be attached to anything, e.g. a normal pot? The complete sous vides feels kind of bulky.
Someone DataGateKeeper'd their web server. It's so encrypted that even the public can't see it anymore!
On a more serious side note; it looks like this campaign is in its final death throes which is good news for the folks who "legitimately" gave money for this project as it means they avoided a messy scam which really could have adversely affected their personal files (what if DataGateKeeper choked on something and corrupted a file after encrypting it?).
This comment has been removed by Kickstarter.
Also, who broke their website? Its all 404 except the homepage...
Jeez, I wish I had one like that...
Ah, 130F! I'll give it a whirl and see how it comes out. I have a 10 liter Sousvide Supreme. You guys think it's worth it to upgrade? My great Aunt gave me a Target gift card for Boxing Day and I picked it up on a whim not knowing much about Sous-Vide.
Yes Jay - 130F is six million times better! This is the datagatekeeper campaign after all.
Sous-vide at 120F? The horror! Try 130F, way better ;)
I see that you (or somebody, wink, wink) dutifully scrubbed the campaign page of all mention of the stronger key length. However, Jensen still states that the key is 512 "kilobytes." Did the NSA miss that one? I'm surprised that she hasn't undergone a rendition to force her to renounce strong cyber security for the masses.
P.S. Can you ask Chad what temperature I need to Sous-Vide a fillet of sole? I tried 120 F for 15 mins, but it came out terrible. The cuts are less than an inch thick. I must be doing something wrong because Terry (he's my across the street neighbor) uses the same settings and his are to die for.
Hey MyDataAngel team, I believe Bert was asking what Security Level you were planning on trying to get validated for (security level 1 through 4). I don't see that detail in the section you referenced.
Is that what you were asking , Bert?
Bert, Please see Validation Plan under Mr. Wizard.
What's the FIPS level of the Datakeeper?
Do you care to comment about the key strength reduction I mentioned in an earlier comment?
512kb -----Reduced by 3 orders of magnitude----> 512b
768kb -----Reduced by 3 orders of magnitude----> 768b
1024kb-----Reduced by 3 orders of magnitude----> 1024b
Or do you have a gag-order from a 3 letter agency? Your silence speaks volumes.
In your videos you show password cracking one character at a time. Can you please show some real world examples of this type of password checking implementations which work like this? I am not aware of any which work like that.
All systems I have been involved with hash the password using a specialist password hashing algorithm with a per-user salt and a server salt (user salt in the DB and the server salt on the file system, so an attacker would require SQLi and arbitrary file read or RCE). This standard security practice will only tell an attacker when they have the password and both the salts correct. The way the hashing works, a brute force attack can't tell if it has 0 characters or 99.9% of the characters correct in the passwords and salts; it will return a generic fail in all cases.
Yes, there are some side channel timing attacks where you can work out characters in the hash and then only try passwords which hash to that sequence of hash values. But they are not getting the password, just the value of the hash. You cannot reverse the hash to a password.
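The storage scheme the comment above describes, as an added example that is not part of the original thread and not code from the DataGateKeeper product: the password is run through PBKDF2-HMAC-SHA256 with a random per-user salt plus a server-side pepper (the "server salt" kept on the file system), and verification is a constant-time compare. The pepper value, the sample passwords and the `hash_distance` helper are constructed for this demonstration; the helper exists only to show that a guess one character off yields a digest that differs from the right one in roughly half of its 256 bits, so an "almost right" guess gets exactly the same generic fail as a completely wrong one, and there is nothing to crack one character at a time.

```python
import hashlib
import hmac
import os

# Constructed pepper for the example. In a deployment it lives outside the
# database (config file, HSM, KMS), which is what the "server salt" above means.
SERVER_PEPPER = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
PBKDF2_ITERATIONS = 100_000
DIGEST_BITS = 256


def hash_password(password: str, user_salt: bytes, pepper: bytes = SERVER_PEPPER) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password, salted with the per-user salt and the server pepper."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               user_salt + pepper, PBKDF2_ITERATIONS)


def new_user_record(password: str) -> dict:
    """What gets stored in the DB: a random per-user salt and the derived hash, never the pepper."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify_password(record: dict, candidate: str) -> bool:
    """Constant-time comparison, so response time does not depend on how many bytes matched."""
    return hmac.compare_digest(record["hash"], hash_password(candidate, record["salt"]))


def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def hash_distance(user_salt: bytes, correct: str, guesses: list) -> dict:
    """For each guess, how many of the 256 digest bits differ from the correct password's digest.

    A proper password hash gives about 128 for every guess, whether it is one character
    off or completely wrong: the digest carries no partial-match signal.
    """
    target = hash_password(correct, user_salt)
    return {g: differing_bits(target, hash_password(g, user_salt)) for g in guesses}


if __name__ == "__main__":
    rec = new_user_record("correct horse battery")
    print(verify_password(rec, "correct horse battery"))   # True
    print(verify_password(rec, "correct horse batterz"))   # False, same as any other wrong guess
    for guess, bits in hash_distance(bytes(16), "June2016!",
                                     ["June2016?", "June2016!!", "zzzzzzzzz"]).items():
        print(f"{guess!r}: {bits}/{DIGEST_BITS} bits differ")
```

The iteration count is kept modest so the demonstration runs quickly; a production setting tunes it (or uses a memory-hard function) to the hardware budget. The all-zero salt passed to `hash_distance` is only to make the distance demonstration reproducible; `new_user_record` draws a fresh random salt per user.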
Just a follow up... please don't see my comments as attacks or anything of the kind. I'm passionate about my industry and enjoy the back and forth on various topics. These are the same convos at various industry conferences we have while drinking at nights.
Who is the person actually responding to these comments? What is your background? You have been commenting on technical matters, I'm sure those of us who do work in security as our jobs would like to know your credentials and background. Of the 9 listed on your page, the ones I could easily find info on did not appear to possess any type of security background... including the CEO, President, the two hosts on the video, the content director, and the Chief Strategy Officer. I'm not saying that like it is a bad thing... all companies make up SMEs outside of their vertical... but if the comments are going to be a serious discussion on these topics, then it would be nice to know the background of whom we are conversing with.
No one said it is a password problem. BUT I will say, that many of the problems with security now are PEOPLE problems. They represent a distinct lack of training and education in what is safe and not safe. Too many companies and organizations think a once a year course is going to cut it. It's not. Academic studies on both the subject and on just adult education in general will show a once a year traditional classroom educational component will have very little effect on retention of knowledge. THIS is why SE, weak passwords, etc. are such a common threat attack surface for criminals. While I am a big proponent of encryption, especially on a file level, to protect data, it is only as powerful as its weakest link... which is going to be humans. As you've stated previously, your product is equally susceptible to them (ie someone pwns the desktop of a person who is logged into their account).
I don't think any of us disagree with Yorant's comments. Again, not really sure how it was relevant to our conversation or why you posted it twice as an update, but it doesn't matter.
You list below "Automated attacks". That's about as broad and vague as one can be. I mean the low and slow password attacks that have become a staple of APT attacks are "automated". Heck, a vuln scan is automated. I don't think ANY report I've ever read lists that as an attack.
Look, very few people perform brute force attacks against live systems. 1) They are noisy and anyone monitoring a system is gonna notice it pretty fast and 2) They can knock a system over sometimes. Brute force is usually used offline when someone has hashes they are cracking.
Low and slow dictionary attacks are very common place in APT type attacks. They usually do 1-3 attempts per hour to avoid lockouts and avoid alerting SIEMS, etc.
What we are honestly seeing now for breaches isn't just a single attack avenue for a breach. It is multi pronged. Might be a phishing email with malware attached to create a backdoor. Or a low and slow password attack to gain access to an email account or other account and then using that to leverage additional access. We also are seeing LESS going after domain admin (again, if monitoring is right, creating a new DA account should tip off the blue team pretty damn quick) and more smash and grab data jobs... which I agree that an encrypted service such as this WOULD be helpful to help mitigate the risk... unless the user is stupid.... one of the reasons why most of us abhor the use of the term HACKER PROOF.... cause there is NOTHING that is hacker proof in the end. There are ways to make it not worth the time... but I and many others will ALWAYS question vendors who claim to be hacker proof... as you've even said... you guys would be vulnerable to a pwned desktop (as any encryption software would be).
I'll send you a DM... email me at info at circlecitycon dot com as well.
Agreed. Thank you for the link. A good read.
Persecuted? A bit harsh. We said disruptive. Quite the difference. We are happy to stop calling out the disruptors in open channel and play Whack-a-Mole. But, quid pro quo mate, quid pro quo!
Feel free to message me off-channel to discuss your conference.
Breach comes in many forms. From social engineering, to automated attacks, to insider maliciousness among a few. Yes, password breach is the easiest explanation to sell to the non-infosec community. You know better than "this is a password" problem.
As Yorant points out, rigid dogma in cybersecurity not only prevents and stifles innovation, it creates opportunities for failure, as we see on a nearly daily basis. We share the RSA President Yorant's sentiments.
As our campaign clearly lays out.
Also, please stop the comments and updates that you are being persecuted by criminal hackers and such. If that were the case, all the skeptical posts and such would not be made by people using their own Kickstarter accounts. Newest account was Jan of 2016. Most have backed at least 5-10 projects... None were recently made or used to only back this. These people may not like the project or have some questions on the claims, but to keep claiming you are being targeted by criminals is just ridiculous. Trust me when I say... These are people who do this for a living or enjoy it very much. If you've seen the attacks on the companies and people who have pissed off the scary kids (HB Gary and that whack job church in Kansas that is anti LGBTQ and protests funerals are good examples) then you know this isn't it.
1) You neglected to answer my question for your source that SE and Password compromise weren't factors in hardly any data breaches last year. Still waiting for that, and will continue to ask for said source.
2) So... Your big argument is the quote from the leader of a company (whose biggest breach happened via a targeted Phishing email with a tainted excel file attached, but I digress) who was referring to the vendors in the industry not evolving as threats have...in this case that the target has increasingly become the data... And that's correct....there is no one with any intelligence in the industry who disagrees with that statement. It's why pentesters worth their salt aren't necessarily going for domain admin anymore but instead going after the data.
And seriously, just saying it's broken... That's not an argument. Just throwing that out there makes it look like you don't know the security space at all. Why is it broken? Make the argument yourself.
I'll tell you what. I run an information security conference in Indianapolis. Our next conference is June. If one of your people would like to come speak about how Infosec is broken and what is needed to fix it, I'd be happy to have you. It just can't be a sales pitch for the product. You can talk about some fixes (such as better encryption etc) but just can't sit there selling the product (although you can mention the company name you work for and put it on your slides). Let me know if you are interested. Talks are recorded so you can post it on your website. It is a very technical crowd of security defense SMEs (blue team), pentesters (red team), developers, and management. Or we can set up a panel... Is it possible to Hacker Proof your data... Something along those lines. This isn't a troll or anything like that. I'm genuinely offering you a slot. I'd say the name of the conference in the comments but I'm not sure if there are rules against promoting things like that. However if you are interested, please DM me.
The reason why RSA is saying that infosec is fundamentally broken is due to the shifting factors of security: Instead of trying to break into a firewall, you just have to go the other route: Find an unsuspected victim. That is how they were breaking into banks in India: Find someone stupid enough to watch porn on their network, and you got yourself a way in.
It's a nice read on topics that I like most. How to blend in and get inside a building? Have you ever noticed how easy it is to walk inside a building with a fake ID and some smooth talking?
Is that the same industry that has mitigated and patched itself to life-cycle obsolescence?
Wish we would have said this:
RSA: Cyber-security industry is "fundamentally broken", says Amit Yorant, president of RSA and former cyber-security director at the US Department of Homeland Security. Infosec is "fundamentally broken".
Oh? You know what, I just reviewed our campaign and we did say that!
I should clarify my response. SE attacks, Malware attacks And a combo of both were common breach attacks. Not just the combo. Of course, as I said, I could have misinterpreted the data, so I'm asking for the source of your claim. Thanks!
Whomever is actually typing these responses... You seem to fail to understand that the people that have been leaving negative comments WORK IN THE INDUSTRY!! They aren't criminals.... They do this stuff professionally. They work for companies like Google, Microsoft, Intel, Optiv, PWC, etc. They speak at industry conferences like Blackhat, Defcon, RSA, etc. They publish white papers. They research and report vulnerabilities to CERT or to companies through Bug Bounties. They have Masters and Doctorates. In short, they have the skill sets to be criminals but choose to work for the Government or Private sectors to help secure their infrastructure. To keep insinuating otherwise, is an insulting slap in the face. Remember...the courtesy rules work both ways. I, myself, have been working IT and security for 17 years, have my masters and am working on my doctorate.
Yes, I agree with you on poor password management. But you make the claim to be hacker proof. If you said, we force Multifactor using one of the many tools out there (Google Authenticator, for example) then that would significantly reduce the risk of poor passwords... Again, the marketing in the pitch claims to be hacker proof, and when people are pointing out basic attacks, you give angry responses about people coordinating efforts to derail your Kickstarter. Remove the word Hacker proof, say we implemented new techniques to help prevent specific attacks, and that would be a lot more accurate. Of course, until they are tested and verified, no one knows (yes you have a plan...acknowledged) if they actually will prevent attacks.
Now, I'm going to ask you to please provide some proof to MY favorite part of your reply... Your claim that SE and poor password attacks represent a marginal percentage of data breaches each year. Where are you getting your numbers from? Because they run counter to most of the published reports from last year such as IBM, McAfee/Intel, Verizon, etc. According to them, SE attacks such as phishing, mixed with malware or backdoors are a major breach cause.
But these are data sets based on those companies specific customers who cooperated with the various annual studies. So I'm asking the source of your claim... Perhaps I'm mistaken...if so, id like to educate myself by reviewing those sources for future research for papers and such I write.
We have a product that has the ability to secure our Backers digital privacy and confidentiality. That must be horrifying to the scum who have been preying on our citizens.
Once we are operational we plan to offer satisfaction guarantees to consumers, if they are not happy with our product in any way, we will refund their purchase, we see that as a good business practice. As such, there is no reason not to offer the same here.
Attacks based on social engineering or poor password naming consistencies are, absent user diligence, difficult to protect against, as is the nature of such targeted intrusion. However, this type of intrusion represents a marginal, if any, percentage of the 150 million data breaches or the nearly 17 million identity thefts which occurred in the U.S. last year.
Public Service Announcement: If you use 'password' as your logon credentials you should likely not do so.
As to trolling -- All of the trolling comments here are not from Backers of the software, but you know that. They come here to disrupt. We have a provocative and timely product that the underbelly wants to comment on. We understand we are going to put them out of business and they are fighting for their life.
The more vicious the attacks, the more we realize how scared the underbelly of society has become that the DataGateKeeper is going to end their life as they know it. It is our pleasure to Put Them Out of Business. Frankly, that's our Plan.
We have a product that has the ability to secure our Backers digital privacy and confidentiality. That must be horrifying to the scum who has been preying on our citizens.
Your: "I know a few of the commenters in real life."- maybe my favorite sentence of this whole Comments section so far. So it's your plan to cancel your Pledge just so you could Comment? Good to know we haven't touched a nerve with you and the other people you know who are not organized against our campaign and come to this forum solely to disrupt.
We laid out a clear and concise plan for validation and our position on open source - maybe you should actually review our campaign.
Data Angels: in the comments I keep seeing you say "You can request a refund and we will give it to you". I'm not sure if you fully understand how Kickstarter works. There is no refund. We aren't charged anything until it's funded. We can cancel ANYTIME we want with no adverse effects. One could back at your highest level and choose to cancel at any time. That's why your limiting the $1 pledges is kind of pointless. Enough people can sign up at other levels, troll you, and then cancel anytime they want. Other than complaining to Kickstarter, there really isn't much to do.
Now for my question... You have mechanisms against brute force attacking... And I applaud this. But you must realize that doing that doesn't mean you thwart all password attacks. In fact, the type of brute force you protect against is not one we see being used in the real world very often. Instead, slow attacks against a user using common passwords are much more common... things like MonthYear!, for example. Usually a couple each hour to avoid lockouts. This is a common attack technique used... how do you protect against that... basically users using insecure passwords (even when requiring complexity, insecure passwords like June2016! are very common).
I don't know how effective your product is. It might be very effective, but without the verification we simply don't know. And that's cool.
But you claim that you are able to make this "hack proof" and that's WHY you are getting trolled on here... People making that claim are often seen as charlatans in the security industry.
I know a few of the commenters in real life. There isn't some coordinated effort against you with any of the ones I know. These people aren't some criminal hackers as you insinuate in your update. These are professionals who work as consultants, pentesters, CISOs, etc. for companies that range up to Fortune 100s. They don't care if your product can stop criminals and the Feds... heck, many would support products that can. But to claim it can without offering proof... well many see that as leveraging FUD (Fear, Uncertainty, Doubt) for your own financial gain, and that tends to anger them... they view you as trying to take advantage of people... much like turn of the century Snake Oil sales people.
I'm not saying this is your intent at all... But I'm saying that it does come across that way based on a campaign that's heavy of marketing and light on actual proof. Based on the principles involved and their financial positions, I'm a little surprised you didn't do the third party validation ahead of time. It probably would have saved you a lot of headaches on this campaign.
In the end, you all will do what you want. But instead of posting some crazy conspiracy theory that hackers are trying to thwart you (because until your algorithm is protecting PII, ePHI, intellectual property, financial accounts and nation state secrets...the stuff that is generally stolen and sold...criminals won't care about trying to find a way around the solution...and if you really think they are then please provide examples of criminal hackers trying to derail security product launches in the past) talk with some of the people who are asking questions (silly and otherwise) and find out their exact objections to the product or the way it is represented. I'm guessing it will open some eyes.
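The two attack shapes the comments above contrast (a noisy brute force against one account, which a per-account lockout catches, versus a low-and-slow spray of common passwords across many accounts at a couple of attempts per hour, which stays under that lockout), as an added example that is not part of the original thread and not any product's code: detection logic run over a constructed authentication log. The log format, the addresses (documentation ranges), the timestamps and the thresholds are assumptions for the demonstration. The point it shows is that the spray only becomes visible when failures are grouped by source across accounts; grouping per account, which is what "brute force protection" usually means, never fires.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for the example (not any real product's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Return (timestamp, result, user, src) tuples; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                           m["result"], m["user"], m["src"]))
    return events


def would_lock_out(events, per_account_limit=5, window=timedelta(hours=1)):
    """Per-account lockout, the brute-force control most systems already have.

    Returns the accounts that would be locked: N failures within the window
    against one account, regardless of where they came from.
    """
    locked = set()
    recent_fails = defaultdict(list)
    for ts, result, user, _src in sorted(events):
        if result != "FAIL":
            continue
        recent_fails[user] = [t for t in recent_fails[user] if ts - t < window] + [ts]
        if len(recent_fails[user]) >= per_account_limit:
            locked.add(user)
    return locked


def detect_spray(events, window=timedelta(hours=24), min_users=8):
    """Flag sources whose failures touch many distinct accounts within the window.

    Returns {src: (distinct_users_failed, max_failures_against_one_user)}. A spray shows
    as a high first number and a low second one, the pattern the per-account rule ignores.
    """
    fails_by_src = defaultdict(lambda: defaultdict(list))
    for ts, result, user, src in events:
        if result == "FAIL":
            fails_by_src[src][user].append(ts)
    flagged = {}
    for src, per_user in fails_by_src.items():
        latest = max(t for ts_list in per_user.values() for t in ts_list)
        in_window = {u: [t for t in ts if latest - t <= window] for u, ts in per_user.items()}
        in_window = {u: ts for u, ts in in_window.items() if ts}
        if len(in_window) >= min_users:
            flagged[src] = (len(in_window), max(len(ts) for ts in in_window.values()))
    return flagged


def constructed_sample_log():
    """Constructed sample: one spray, one legitimate user, one noisy brute force."""
    fmt = "{:%Y-%m-%dT%H:%M:%SZ} auth {} user={} src={}"
    base = datetime(2016, 6, 1)
    users = ["alice", "bob", "carol", "dave", "erin",
             "frank", "grace", "heidi", "ivan", "judy"]
    lines = []
    # Low-and-slow spray from 203.0.113.7: one guess per hour, two rounds
    # (say "June2016!" then "Summer2016!"), never more than two failures per account.
    for rnd in range(2):
        for i, u in enumerate(users):
            lines.append(fmt.format(base + timedelta(hours=rnd * 10 + i), "FAIL", u, "203.0.113.7"))
    # bob mistypes twice from his own address, then succeeds.
    lines.append(fmt.format(base + timedelta(hours=5, minutes=0), "FAIL", "bob", "198.51.100.4"))
    lines.append(fmt.format(base + timedelta(hours=5, minutes=1), "FAIL", "bob", "198.51.100.4"))
    lines.append(fmt.format(base + timedelta(hours=5, minutes=2), "OK", "bob", "198.51.100.4"))
    # Classic noisy brute force against one account from 192.0.2.9.
    for i in range(6):
        lines.append(fmt.format(base + timedelta(hours=3, minutes=i), "FAIL", "admin", "192.0.2.9"))
    return lines


if __name__ == "__main__":
    evts = parse(constructed_sample_log())
    print("locked by per-account rule:", would_lock_out(evts))   # {'admin'}
    print("flagged as spray by source:", detect_spray(evts))     # {'203.0.113.7': (10, 2)}
```

In practice a spray is also spread over several source addresses, so the same grouping is worth repeating on other shared attributes (user agent, client fingerprint, ASN) rather than on source IP alone; the structure of the check is the same.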
You stated in your campaign video @ 1:03 that the DataGateKeeper cipher is 512Kb (which I assume you mean to be the key length) and then subsequently state incorrectly that the AES cipher is 256Kb (I assume you meant key length here as well).
Firstly, AES can use key sizes in 128, 192, and 256 bits. Not kilobytes. Does this mean the DataGateKeeper software is 16,000x stronger than even the highest possible AES key size? If this is true, how would modern computers even be able to handle a key that is 40960000000000000 bits long? Does this not have a significant performance impact?
Oops, sorry, posted into the wrong project! Mea culpa.
> We have contacted Kickstarter and have had several offensive posts removed.
FYI if KS remove a comment it is replaced by the text "This comment has been removed by Kickstarter." as you can plainly see in, for example, this unfortunate project:
Hi Data Angels!
I'm a little worried that you are actively ignoring my comments for some reason. Let me reassure you that I'm not some open source 'guy' like Bill. Sorry to throw you under the bus, Bill, but you're pretty much an Information Communist with those beliefs. The real life iron curtain fell and soon the Cyber iron curtain will fall when all of you wanna-be Richard Stallmans and Eric Raymonds of the world come to your senses.
I am also not affiliated with David Jacobs, who is obviously the puppet master of all these attacks. You can check my cookies and plainly see that I am not one of them. Sorry to call you out, David, but cookies and IP addresses don't lie and the Data Angels are nobody to mess with.
Anyway.. I have a more serious question to ask you today. I see that you changed your Campaign page and got rid of the 512kb, 768kb, and 1024kb keys and replaced them with 512bit, 768bit, and 1024bit keys, respectively! DID YOU REALLY JUST REDUCE YOUR ENCRYPTION STRENGTH BY 3 ORDERS OF MAGNITUDE!!!!!!! I thought you guys were trying to "prevent the type of interagency meddling which has now compromised AES." Were you coerced by a 3 letter agency to reduce the strength? Or was this simply an empty promise to begin with? I thought you guys performed "...months of research, decompiling, and disassembly..." to come up with this encryption algorithm. By reducing the strength, you went backwards (compiled and assembled, if you will).
I also want to thank you for exercising restraint in dealing with your backers instead of going off on them (which, as you said, would be totally justified on your part).
Hope to hear from you soon! Thanks!
You still haven't answered some basic questions. Me thinks your product cannot withstand the scrutiny.
"Methinks thou dost protest too much".
Hostility? We have been gracious and respectful in our responses in the face of organized headwinds framed to attack and defame our team and our product. Our real Backers are PM'ing us to reciprocate and stop being so 'respectful'. Out of respect for ourselves, our real Backers and our stakeholders, we will not engage in the kinds of attacks you and your ilk are party to.
Again, thank you for making our point...again!
Wow – why all the hostility and accusations? I guess that is one strategy – attack your critics and people that ask questions instead of answering them.
Where to start? First of all – I used the term “we” in the general sense. I could have used the word “one” – as in “Generally when one discusses encryption…” I was not referring to a group – just framing up how the strength of various encryption algorithms can be described.
I am not part of some group that you insist is out to derail your efforts. I assure you that whatever you are looking at that you believe is evidence that I am associated with some group is completely false – I am not.
You managed to answer two of my questions in between accusing me of coming here solely to disrupt your efforts. I guess you consider asking legitimate questions on Kickstarter as disruptive.
One of the answers you provided contradicts the details on your campaign site. You said you were not selling different levels. OK – fair enough only one of the levels is available on Kickstarter, but your first graphic under the “For Mr. Wizard” section clearly shows the different levels I was describing which articulate 50, 75, and 100 years of protection. So my original question remains unanswered.
As for the question on where the data is encrypted, yes the video shows the software performing the encryption but the key that is used to do the encrypting could either be stored in the software on the client desktop or on your server (or both for that matter). It is not clear from that video what is happening. You could have simply answered the question instead of making baseless accusations that I have some type of agenda.
The remaining questions are still unanswered and I have placed below for your convenience:
- How do you manage your encryption keys?
- Your chart states your competitors do not allow encryption of any type. This is not true - some of them do allow any file type.
- How do you come up with "six million times more secure"? This seems to contradict the notion of purchasing 50, 75, and 100 year grade protection.
- Who are your encryption and security experts? I see a lot of people with marketing and operations experience on your team but no real security expertise.
Looking forward to clear answers to these questions without the hostility.
Hey Data Angels!
Just checking in since I didn't get any answers to my previous questions. I had my Mother confirm that she could see my comments from her house in Cleveland and she said that my comments sounded a little "out there" and that's probably why you guys aren't answering. I can assure you that I am a serious man. I keep telling her that SSL is just a myth and I need some serious protection if I am to remain safe. My endeavors make me an enemy of the state and she doesn't seem to get that. She says that you guys don't have a cryptographer, a mathematician, or anybody else that's remotely qualified to deliver such a product and that I'm going to waste all of my money, but she doesn't get it (she was actually quite harsh and said Frankie is the most qualified member of your team). She's not a target like me. She probably thinks that AES is perfectly fine to use (lol).
Anyway... if you could spare some time, I would like an answer to my previous questions before I become a "real" backer (unlike these human scum that only decided to give you $1, am I right?). Thanks in advance!
Thank you Julius.
Frankie is excited to send all his fans something very special. The beanie is ultra cool and the T-shirt is a staff favorite.
Thank you for $1 Pledge and making our point. We especially like the part -- “I am certainly not part of any organized campaign…” and then follow that up with “Generally when we discuss encryption…”
“We?” My favorite word when describing that I’m not affiliated with anyone.
Anyway, we are confident that you made your way to our Campaign organically. Yes, that was meant sarcastically, as tracking shows otherwise. Funny what can be derived from IP addresses & embedded cookies.
Had you taken the time to review the Rewards you would have noted that only the Civilian version is available. We are not selling or offering “levels” as you suggest. Had you come to the Campaign for any other reason but to disrupt you would have seen that.
We addressed our validation plan in an earlier post. Had you come to the Campaign for any other reason but to disrupt you would have seen that.
Encryption is performed on your device. Again, had you come to the Campaign absent ill intentions you would clearly see the DataGateKeeper Software use in the video, or in Features, under the same heading. Had you come to the Campaign for any other reason but to disrupt you would have seen that.
The chart clearly shows what the other cloud providers provide by the way of encryption. Had you come to the Campaign for any other reason but to disrupt you would have seen that.
Not to plagiarize your last sentence. But!
I have many more comments - but I'll stop here.
We are certainly happy that we have been able to provide a forum for the defenders of current data security protocols. The same community that has done such a fine job protecting our digital Privacy and Confidentiality from breach. By the way, that was also sarcastic.
"Potential Backers please note that "ALL" of the Backers who posted Comments to date, but 1, are from Backers who Pledged less than $2 and are organized and have been tracked through sponsored websites looking to derail this Campaign."
First of all, I pledged 2 dollars to get some exclusive deals and a nice postcard to hang on my wall. Who cannot resist having an autograph from a skeleton? Might consider changing to a t-shirt though...
Secondly, I am sure that reddit offers sponsored ads, but I am pretty sure that they are a reputable company and don't just start flamewars. So, if you feel offended by the comment that someone made on there, then there is always a report button. I am pretty sure that they will remove the comment, similar to the way kickstarter removes abusive comments. My handle on there is mrseeker btw, but that's not how I got here.
In fact, I got referred by a friend on IRC who told you about your campaign. I also seem to have found your campaign in my list of "kickstarters to check out" due to certain keywords that you have put in your campaign. So, claiming that I am being sponsored to put offensive claims on here is untrue. I am not getting paid by anyone to blackmail people.
"The consumer isn't a moron; she is your wife." - David Ogilvy
My DataAngel Team:
I have a few questions and some comments. I have been reading the comments here and your responses with some interest. Especially your most recent comment (posted a couple of hours ago) alleging some grand conspiracy against this project. I am certainly not part of any organized campaign to derail your kickstarter project nor do I believe there is such a conspiracy.
Certainly there have been some uncalled-for comments and possibly more than normal levels of sarcasm, but that may likely be as much a reaction to the over-the-top videos on this campaign site as it is to the often vague and confusing responses you have been providing to legitimate questions around cryptography.
You make claims that you are unwilling or unable to provide proof for - like the "back door" that you claim that exists in AES encryption. You describe your software as "Impenetrable", but yet offer 50, 75 and 100 years of "protection". So it is either impenetrable or it is not - by selling these "levels" you are suggesting that the protection will only last that many years? Or maybe that is when the license expires and the software stops working?
Generally when we discuss encryption, we discuss the length of time it would take modern computers to brute force the keys based on the type of encryption used and the key length. Since modern encryption algorithms are known, and math is math, these things can be calculated.
You also discuss your product in broad terms and mix the topics of data in motion and data at rest. The encryption approaches used for these two are very different because the use cases for each are different. For data in motion you generally want speed, so that drives the use of a different encryption algorithm. Also, the key lengths in these different algorithms are not necessarily directly comparable - shorter key lengths in some can actually be stronger than longer key lengths in others.
There are no real technical details to explain the algorithms you plan on using. If your algorithm is sound, then it can withstand scrutiny. If you need to rely on secrecy, then your algorithm isn't sound.
- Where is the encryption performed? On the client device or on your servers?
- How do you manage encryption keys?
- Your chart states your competitors do not allow encryption of any type. This is not true - some of them do allow any file type.
- How do you come up with "six million times more secure"? This seems to contradict the notion of purchasing 50, 75, and 100 year grade protection.
- Who are your encryption and security experts? I see a lot of people with marketing and operations experience on your team but no real security expertise.
I have many more questions - but I'll stop there. I am not here to derail your campaign, there is no conspiracy against you. I think if you had more coherent answers to questions then you would find support and have a well funded kickstarter campaign.
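The brute-force reasoning in this comment, worked through as an added example (this is not code from the commenter or from the DataGateKeeper project). The guess rate of 10^12 per second is an assumption; the functions show how "years of protection" and "N times more secure" translate into key bits.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # Julian year


def years_to_exhaust_keyspace(key_bits: int, guesses_per_second: float) -> float:
    """Worst-case years to try every key of the given length at the given rate.

    This is the reasoning the comment describes: the algorithm is public, so
    only the key length and the attacker's speed enter the calculation.
    """
    return (2 ** key_bits) / guesses_per_second / SECONDS_PER_YEAR


def key_bits_for_years(years: float, guesses_per_second: float) -> float:
    """Key length (bits) whose full search takes exactly `years` at that rate.

    Inverse of the function above: log2(years * seconds_per_year * rate).
    Doubling the years (50 -> 100) adds exactly one bit of key length.
    """
    return math.log2(years * SECONDS_PER_YEAR * guesses_per_second)


def factor_to_bits(factor: float) -> float:
    """How many extra key bits an 'N times more secure' claim corresponds to."""
    return math.log2(factor)


if __name__ == "__main__":
    rate = 1e12  # constructed assumption: one trillion guesses per second
    print(f"AES-128 exhaustive search: {years_to_exhaust_keyspace(128, rate):.2e} years")
    for yrs in (50, 75, 100):
        print(f"{yrs:>3} years of 'protection' at {rate:.0e} guesses/s "
              f"is only {key_bits_for_years(yrs, rate):.1f} bits of key")
    print(f"'six million times more secure' adds {factor_to_bits(6e6):.1f} bits")
```

Against this yardstick, 50, 75 and 100 years of protection differ by about one bit of key length, and "six million times" is roughly 22.5 bits, both far below the gap between a 72-bit and a 128-bit key.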
Dear True Backers,
We expected the underbelly and fringe of society to go on the attack given the stakes involved in identity theft and the billions of dollars spent in post data breach auditing. However, for a competitor to sponsor a hit piece and blog site and pay to have that link posted in our Comments section to dissuade Backers from Pledging is reprehensible.
Potential Backers please note that "ALL" of the Backers who posted Comments to date, but 1, are from Backers who Pledged less than $2 and are organized and have been tracked through sponsored websites looking to derail this Campaign. They Pledge the minimum amount to access our Comments Section to leave torrid and salacious Remarks to deter you.
This should tell you all you need to know, and, that we are on the right track. We, you, us, together real Backers, this is now 'our' Campaign. Our statement.
They do not want you to be able to protect your Privacy or digital security with the DataGateKeeper. Clearly, we have touched a nerve.
We have contacted Kickstarter and have had several offensive posts removed. We are hopeful you have not been offended nor will you look unfavorably upon this platform.
We will continue to be diligent and equally civil with our responses, as you can see. Please note every response we made is to someone who came specifically to our Campaign intending to disrupt this process. As a Backer, our Campaign is as much yours as it is ours. As such, we treated these disruptors and their Comments with courtesy and candor, as you would expect of us, as you would do yourself. A true measure of professionalism and equal part, restraint.
We will march forward, with you and for you. Your right to demand digital Privacy and Confidentiality shall not be infringed upon.
In this with You,
Your Data Angel Team
“They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.” ― Benjamin Franklin
I joined solely to leave this comment...
This makes all of the points that I wanted to make. TL;DR you don't have good history, fearmongering is a shit tactic, and your math doesn't make sense. I'd love to support a good security software, but this is a tad silly.
The sole reason why I mention "investor" is that I "invest" in an idea. I don't "buy" it, I don't own any shares, and I know that if the project fails in whatever way, it's unlikely that Kickstarter won't give refunds ("it's the sole responsibility of the campaign owner to deliver"). I am different from all the other people on kickstarter and indiegogo in that I don't start yelling when I don't get my stuff on time. I see it as a "pre-order" without a fixed date, which makes me (in my eyes) an "investor", not a buyer. I pay for a "claim" on a product that is not yet on the market. And yes, that does mean that I sometimes can be very skeptical, especially when there is a lot of buzz going around in my network, especially from those in the security industry.
You mention "Underwriters Laboratory" as the place where they will test it. Is that UL LLC? Out of curiosity, any reference to the tests they will be performing?
Secondly, a "cloud provider" is not just "a cloud provider". I work for a company that uses a cloud provider, and we are quite limited on who we get as the provider because our data is what we like to call "highly sensitive". This means that the whole line has to comply with certain ISO standards. Not only us, but also our cloud provider and our customers using it. If it fails on our customer's side, it's their problem. If the fault lies with us, we have a claim on our ass so big that it is really hard to find a company that is even willing to insure us for that. So, simply telling me that it is a complementary service and that it will be similar to mega (which encrypts files client side) does not guarantee me that the data is secure. If you tell me that your software complies with certain standards set by the government for military grade security, then you have to back it up with evidence to prove it.
And last, you claim to have a cryptographic module, but have not done any tests on it for validation and have not patented it yet. You have spent 4 years on this, of which 2.5 years seem to be with a team. What prevented you from starting in September 2014 with the tests + patents? Why start now (or even in December)?
You said in an earlier comment:
>"SSL? You have no idea. Maybe we should have been less proactive in our vlog on the matter. Our host has assigned it to the wrong c/panel and it's going to take 4 days to sort. Can't even simply buy a new certificate...a mess. You're right on that -- no matter its flaws."
Forgive me, but I feel if no one on your team has the very basic level of expertise required to set up a simple LEMP/LAMP stack with SSL, it seems like a new cryptographic algorithm would be insurmountable.
Also mentioned in the video that the "hacker" community "[...] haven't even been able to get the first digit of the password because the Data Gatekeeper Software does not allow for repetitions"
Now, I'm no cryptographic expert but that's not how any widely-used cryptographic algorithms work at all. If you're using asymmetric encryption, it's impossible to tell if you have a portion of the end result correct.
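The point about partial passwords, as an added example (not the commenter's code, and nothing to do with the DataGateKeeper software). It derives a key from a password with PBKDF2 and measures how far guesses that share 0, 1, 2, ... leading characters with the real password land from the real key; the salt, iteration count and passwords are constructed for the demonstration.

```python
import hashlib

# Constructed demo values: a real system uses a random per-user salt and far
# more iterations; 1000 keeps the example fast.
SALT = b"constructed-demo-salt"
ITERATIONS = 1_000


def derive(password: str) -> bytes:
    """Stretch a password into a 256-bit key with PBKDF2-HMAC-SHA256 (stdlib)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


def hamming_bits(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    assert len(a) == len(b)
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def partial_match_signal(correct: str, guesses):
    """Map each guess to the bit distance between its key and the correct key.

    If getting 'the first digit' right leaked anything, guesses sharing a
    longer prefix with `correct` would sit measurably closer. With a sound
    KDF every wrong guess lands near 128 of 256 bits away, prefix or not.
    """
    target = derive(correct)
    return {g: hamming_bits(target, derive(g)) for g in guesses}


def prefix_guesses(correct: str):
    """Constructed guesses: the first k characters right, the rest wrong."""
    return [correct[:k] + "x" * (len(correct) - k) for k in range(len(correct))]


if __name__ == "__main__":
    correct = "S3cret-passphrase"  # constructed sample password
    for g, d in partial_match_signal(correct, prefix_guesses(correct) + [correct]).items():
        print(f"{g!r:>20}: {d:3d} bits differ")
```

Only the exact password gives distance 0; every other row hovers around 128, so an attacker cannot confirm a password one character at a time, which is the property the "first digit" claim gets wrong.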
Why is there no Linux Version? :(
If it's not open source we just need to reverse engineer it^^
- Though with quantum computing, is your algorithm hardened against quantum computing? Some of the new algorithms (encryption and hashing) being developed have aspects that will mean they will stay strong even with quantum computers. Given that you are giving a range of 50 to 100 years for protection, quantum computing is going to happen in that time frame, so it needs to be a consideration.
- So if DataGateKeeper is only good on non-compromised computers, how would it have helped in the OPM case, for example (seeing you mention that in your product literature and videos)? OPM's entire network was compromised.
- With HTTPS certs, https://letsencrypt.org/ does them for free in five minutes and it is all automated (request and setup on the server), hence it taking five minutes from installing the Letsencrypt client to HTTPS on the site. I have set up many this way; if setting up an HTTPS cert is taking more than five minutes, something is seriously wrong.
The DataGateKeeper is not available outside of the U.S. so we appreciate your support all that much more - May I suggest for you a beanie or a cap? The T-Shirt also is pretty hot. Just sayin'
- Quantum computing is likely going to change the face of cryptography in our humble opinion, much like leaps in processing power have sped the compromise of aged data security protocols. Researchers in your hemisphere at the University of NSW recently created a microchip using atoms rather than transistors to speed multiple complex calculations. At this point all we can do is a form of 'mathematical' deductive reasoning to arrive at an answer to your question and the answer is: we need more data, but quantum computing is a game changer.
- I wish I had a better answer than the one I'm going to give you. Data, while in-use, if the host is compromised, then no matter the follow-on security, is also likely subject to compromise. I don't want to get too far into the weeds on some of these answers so please feel free to PM me if you'd like to dive deeper into the issue. Simple answer: If the host is compromised then the DataGateKeeper would be of little value. Great Question.
- We are all for updated standards if they are independent and absent interagency meddling. 1.2 is now 8 years old? To put that in perspective: In 2008 Intel had just introduced the i7. Barack Obama had just been elected. The U.S. Treasury had just received $750 Billion to bail out Wall Street and the U.S. automakers collapsed. A lot has happened since 2008 - TLS is catching up, which is to say: why does transit data security lag, given the dominance of commerce transacted over its protocols? 1.2+ (as you call it) (really 1.3-) is necessary patchwork. Not like you can simply throw the baby out with the bathwater. We do like the fact that 1.2 does provide increased security and the new cipher suites ease the load on the servers. 1.3? We'll see.
- I'll pass the free tools on. Our guys are currently dealing with a c/panel issue that has our cert assigned to the incorrect domain. Perfect question actually given this conversation. Thank you Karit for those free sites. Bookmarks due.
Thank you for your questions.
Please share our campaign with your friends.
If a One-Click Solution to safeguard your digital Privacy and Confidentiality for data both 'at-rest' and 'in-motion' is important to you, please grab one of our Early-Bird Rewards.
* What protections does the algorithm have against Quantum computing based attacks?
* How is the data protected while in use? Just that I know a lot of attacks like SQL Injection can get at data while it is in use instead of at rest and in transit. My understanding is a lot of the data breaches happen through techniques like SQL Injection or malware on computers, so protection while in use is important.
* Will the move to TLSv1.2+ mitigate the majority of issues you see in SSL?
* Do you run any of the following tools over your site? They are all free to use and will help with security and also anyone can run them by just entering a domain name or URL: