Secure Channels is a startup cryptographic company that's off to a rough start — so much so that it's been reduced to using anonymous Twitter accounts to accuse a critic of criminal copyright infringement.



Crowing that its encryption technology was "unbreakable" and "unhackable," Secure Channels hit the security conference circuit, offering dazzling rewards — cold hard cash and a new BMW — to anyone who could decrypt a file encrypted by Secure Channels' products. Brian Krebs, a journalist covering security issues,[1] called Secure Channels on the carpet, describing its stunt as a "cleverly unwinnable series of contests," as inability to break the result of a process does not mean that the process itself cannot be undermined. Krebs questioned the company's honesty, noting that Secure Channels CEO Richard Blech had pleaded guilty to securities and wire fraud for his participation in a "massive Ponzi scheme."

After taking its beating, Secure Channels backtracked, using an outside public relations firm to issue a statement to Krebs promising to do better:

“We realize that sometimes a technology innovator’s earliest critics can be their best sources of feedback. We hope to solicit constructive involvement from the infosec community and some of its vast array of experts.”

This promise hasn't panned out.

Asher Langton is one of Secure Channels' critics. In addition to his infosec expertise, Langton is a master at spotting and unraveling frauds, scams, and snake-oil peddlers. He's well worth a follow on Twitter.

There, Langton has criticized Secure Channels' lofty claims, its employees for reviewing their own product, the company's near-verbatim use of others' articles to promote itself,[2] and raised evidence suggesting that one of Secure Channels' products was simply a rebranded version of a product available elsewhere for free. In addition to raising questions about Secure Channels' general credibility, Langton also pointed out a potential security flaw: hardcoded into one of Secure Channels' products was, apparently, the password to its own Gmail account, which was used to send password reset codes to the user. Thus, there was the potential that a reset code could be intercepted and the encryption wouldn't matter at all.

So how did Secure Channels respond to this criticism? It welcomed his criticism, thanked him for helping to point out potential flaws, and described how it would address the issue, like a responsible and transparent security company would.

This week, two new Twitter users began machine-gun bursts of tweets directed at Langton's employer and, uh, Roseanne Barr for some reason.

These tweets claimed, among other things, that Langton had engaged in criminal copyright infringement, although it's unclear whether Langton's supposed guilt arose from tweeting screenshots or decompiling Secure Channels' source code. In either case, the claims are patently frivolous: reverse engineering for personal use is certainly a fair use, and posting screenshots of snippets of code for criticism of a company that purports to invite criticism only reinforces a fair use analysis. The suggestion otherwise is the result not of a reasoned interpretation of the subtleties of law, but of a layman's interpretation of what they hope the law to be, because it serves their bare-knuckled attempt to intimidate a critic.[3]

How do I know the interpretation is a layman's? Well, in addition to being just plain wrong, the anonymous users' tweets included screenshots of Langton's tweets — including the poster's browser tabs:

But a how-to-take-a-screenshot guide won't teach you common sense, like logging out of your original Twitter profile when taking a screenshot to preserve your anonymity. Screenshots posted by both of the anonymous accounts feature the Twitter profile picture of Deidre "Dee" Murphy, the Director of Marketing for Secure Channels. In other words, it's likely that the 'anonymous' accounts were operated by, or in conjunction with, one of Secure Channels' executives.[4]

So much for a commitment to listening to critics.

Update (9/4/15 12:15pm): About an hour and a half after this post went live, Secure Channels CEO Richard Blech (or someone claiming to be him) sent a DMCA notice to Twitter for two of Langton's tweets, complaining that they consisted of "employee pics, company and personnel, posts copyright material, hacks products and posts copyright code from products, using trademarks, targeted harassment, slander to destroy commerce." As for the description of the "original work," Blech blathered: "Cracked an app and placed code online, uses trademarked logos to attack company."

This is a censorious abuse of copyright law to suppress criticism. It is, in essence, an attempt to use copyright law for everything except copyright. That Secure Channels would use copyright law to shield itself from criticism on the basis that its trademarks are being used and because of "slander" is, well, hysterical. This is not a company interested in permitting people to criticize it.

Update (9/6/15, 9:30am): Twitter, realizing the error of its ways, restored Langton's tweets without the need for a counter-DMCA notice, after Techdirt's Mike Masnick tweeted about it.

Secure Channels also appears to have now added an end user licensing agreement to OccuLock, the product at issue here. I assume it contains (as many EULAs do) a prohibition on reverse engineering. While this is fairly common (and reputable companies would not enforce such a provision against someone who reports a defect), this means that Secure Channels would have a colorable legal claim for breach of contract if the product is decompiled or reverse-engineered in the future. If you want to explore their products for vulnerabilities, get permission.

Disclaimer: Ken White did not participate in the investigation or writing of this post.

Last 5 posts by Adam Steinbaugh