February 27, 2005

BlowSearch Messenger just plain blows, part 2

Posted at February 27, 2005 07:14 PM in Instant Messaging.

I got a comment today on my BlowSearch messenger review from Joe, who wrote on behalf of Blowsearch. Since I doubt anyone is following comments on entries that old, here it is:

Thanks for your comments and we'll take them into consideration as we upgrade BSM.

BTW, there is a complete description of the encryption mechanism used in BSM available on the site. There's nothing shady about it. It's proprietary and patent pending. Did you think we would open it up to our competitors? No one else has 4,096 encryption over the open internet. Ours is unhackable.

Also, the "ads" displayed consist of one simple small banner ad, which you fail to mention. There are no pop ups, spyware, or other malicious components involved. Our registration process asks for a lot less information than most other IM products.

Thnaks [sic] for your thoughts.


One of the things that really makes my blood boil is potentially unsound encryption. Remember my review/discussion of ChatBarrier? (BitWise uses the Crypto++ library for reliable, verified encryption algorithms.)

Proprietary encryption? Established cryptography methods are [in every case I've ever conceived or studied] always superior to proprietary ones. Security via obscurity is not security. Every established encryption algorithm (e.g. RSA, Blowfish, AES, MD5, etc) is mathematically sound, and knowing the math involved doesn't make it any easier to hack (otherwise all the common algorithms would be useless!). Maybe a new algorithm is good, but who's going to verify that it is? Proprietary encryption algorithms can much more easily have vulnerabilities because they are not reviewed by mathematicians worldwide, unlike established algorithms. Here's a good page about cryptography myths. In particular, see the middle two items in the list at the bottom.

No present-day cryptography method is unhackable. It might take a long time under most circumstances--but anyone could get lucky. Quantum computing would destroy every cryptographic algorithm today. Further, bit strength is meaningless in the absence of an algorithm. 512 bit RSA is weak. 256 bit Blowfish is strong. So I really have no idea what 4,096 bit means in an unknown encryption algorithm. See above regarding proprietary encryption.
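As an added illustration of that last point (constructed for this post, not code from BlowSearch or from the original entry): a home-made scheme with a genuine 4,096-bit key that falls to a single known message. The key length is real; the strength is not, because the algorithm behind the number was never named or reviewed.

```python
"""Constructed toy: a '4,096-bit' cipher that one known plaintext breaks.
Everything here is made up for illustration; no real product's scheme is modelled."""
import secrets

KEY_BITS = 4096


def make_key(bits=KEY_BITS):
    # A real 4,096-bit random key: the headline number is not the problem.
    return secrets.token_bytes(bits // 8)


def toy_encrypt(key, msg):
    # Repeating-key XOR: the kind of 'proprietary' scheme that sounds strong
    # if you only quote the key size. XOR is its own inverse.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(msg))


toy_decrypt = toy_encrypt


def recover_key(known_plain, known_cipher):
    # With one message at least as long as the key, plaintext XOR ciphertext
    # is the key itself. No maths, no computing power, no billions of years.
    return bytes(p ^ c for p, c in zip(known_plain, known_cipher))


def demo():
    """Returns (key recovered?, later message readable?) for the toy scheme."""
    key = make_key()
    # Constructed sample traffic: a predictable first message (a login
    # greeting, say) that is longer than the 512-byte key, then a private one.
    greeting = (b"hello from the constructed demo client " * 20)[:600]
    private = b"the second message, sent later under the same key"
    c_greeting = toy_encrypt(key, greeting)
    c_private = toy_encrypt(key, private)
    # A reviewer who knows the greeting format reads every later message.
    guessed = recover_key(greeting, c_greeting)[: len(key)]
    return guessed == key, toy_decrypt(guessed, c_private) == private


if __name__ == "__main__":
    print(demo())
```

Swap the XOR for a reviewed cipher such as AES-256 and the same known message recovers nothing; that is the difference an algorithm name makes, and why "4,096-bit" alone tells you nothing.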

Any ads are more ads than no ads. As I originally stated, Trillian, gaim, BitWise and others have no ads, so you don't have to pay to not see the ads.

Lastly, every other IM program I've ever used lets you register for an account with less information. Beyond a username, password and email, AIM requires only a birthday. ICQ asks only your age. Yahoo and MSN ask for similar information as BSM, but don't go so far as to demand an exact address, and you get a lot more than just IM.

I'm particularly amused that my original blog post about BSM is the #1 hit on Google when you search for "Blowsearch Messenger." What's even more amusing is that the main Blowsearch Messenger page doesn't even appear in the top 10 results. Or the top 20. I got bored after looking through the Top 100. Apparently they blitzed every download site they could find, but their own site isn't getting much attention.

I still don't see any reason, if you need Big 4 connectivity and encryption, not to use Trillian or gaim, which offer encryption based on time-tested encryption algorithms, for free. Or use BitWise. 8-)

Comments

I'm particularly amused that my original blog post about BSM is the #1 hit on Google when you search for "Blowsearch Messenger."
I actually couldn't find the site at all via Google until I hit a news article about it, scanned for the company name, and then searched for that instead.

Posted by Tom at February 27, 2005 10:39 PM

Why don't you understand what encryption levels we used? It is clearly stated on the site at:

http://www.blowsearch.com/bsm/howitworks.php

"Blowsearch Secured Messenger utilizes the OpenSSL library to provide encryption routines for your Instant Messages. We use a combination of randomly selected schemes and bit lengths, ranging up to 4096 bits, with additional algorithms added in to make your messages even more secure. We start with an RSA foundation and move out from there."

You state yourself that "Every established encryption algorithm (e.g. RSA, Blowfish, AES, MD5, etc) is mathematically sound". So then you are agreeing that we have a sound encryption scheme.

RSA is a mathematically sound encryption scheme...we have used that with up to 4096 bits to create the outer encryption layer...we then add additional layers under that to make this an Enterprise level of security. The process that we use is unique and is patent pending. We are actually applying to get HIPAA approval...this is the hardest of all approvals to get on a security product.

You then said that "No present-day cryptography method is unhackable", which is correct. In fact, when 128-bit SSL encryption came out it was stated that it would take the world's most powerful computer more time than the age of the earth to go through all of the combinations and hack the code. Knowing that, with each additional bit you exponentially add more combinations. Having 4096-bit RSA has significantly more combinations...hence will take much longer to break...even with today's most powerful computer. In addition, if you did break that layer, you would have several other layers that would have to be broken to get to the message.

The ads are used to offset the cost of maintaining the secured infrastructure for those that choose not to pay. Maintaining a secured environment to house the key exchange servers is not cheap. If you think otherwise, you should investigate...or better yet...contact me directly.

Richard K. Kahn, COO
AdOrigin Corp.
Rich@BlowSearch.com

Posted by Richard K. Kahn at March 5, 2005 09:49 AM

"Move out from there" does not qualify as a "clearly stated" description of anything, let alone encryption. The previous commenter, Tom, indicated that proprietary algorithms are used, and it is those that I was referring to regarding unsound encryption. You also just refuted the very words of Tom, who said that BlowSearch's encryption was unhackable.

Perhaps the problem here is that not everyone involved has their signals straight. You admit it would be hackable (even if very difficult), while Tom said it was unhackable. Which is it? (Though I think it's quite clear that you, and not Tom, are correct.)

Again, I understand the purpose of the ads. However, for most home users, encryption of that strength is overkill and I continue to assert that there is no reason to use BlowSearch even with its "nearly unhackable" encryption, versus any other messenger that is both free and ad-free, and encrypted. Trillian. gaim. BitWise. That's just to name a few, there are others as well.

Posted by Kevin at March 5, 2005 10:18 AM

I was looking at the name of this application, "BlowSearch". Curious about the sexually oriented name, I decided to do a Google search for "BlowSearch" - I was hoping to find the website for this program, or at least some good videos. Of course, the first link on Google is how to remove the BlowSearch spyware; http://www.scanspyware.net/info/BlowSearch.htm

...Ok, so I understand this isn't the application I was looking for. But a quick read about BlowSearch Toolbar told me that it has no removal option and must be manually removed. Moving on, checking the first 10 results of this Google search showed me no sign of the official BlowSearch page.

The quest continues: I decided to be more specific, I searched for "BlowSearch Messenger".

http://www.google.ca/search?hl=en&safe=off&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&q=blowsearch+messenger&btnG=Search&meta=

Needless to say, I did not find the BlowSearch website using that search either. Finally while reading an article here: http://www.pcworld.com/news/article/0,aid,119432,00.asp I found a link to the BlowSearch site. Brilliant. I was now where I wanted to be half an hour ago.

I'm too tired to actually install the program now, and also a little scared after reading all those sites about BlowSearch's adware. That, and I fear that I may not be able to uninstall it.

Posted by Sonic_Molson at March 5, 2005 11:43 AM

"Blowsearch Secured Messenger utilizes the OpenSSL library" and "We start with an RSA foundation" is very clear. From a hacking standpoint everything is hackable...all you need is enough processing power and time. In our case, it would take billions of years to go through every combination that exists. Is it hackable? Technically, if you have billions of years. Is it feasible? No...so what we offer is something that is very secure.

Now, the average user may not need this, but this level of security is designed for Enterprise level users, and these users need the strongest level of security that is available...and that is exactly what we offer.

Now for other users...we offer an application that communicates with the major IM networks and uses very little system resources. We have ongoing development to add new and useful features to the messenger. As these new features come out, it will prove to be even more useful and unique.

In addition, we had a customer's technical team compare us to Trillian and they found that we use far less resources and offer a superior product. This group also used the paid version of Trillian and also commented that our support is far better as well.

Richard K. Kahn, COO
AdOrigin Corp.
Rich@BlowSearch.com

Posted by Richard K. Kahn at March 5, 2005 01:21 PM

Starting with RSA is great. It's still the "move on from there" that lacks description. A flaw in the later encryption could weaken the entire scheme. I also agree that what you offer is very secure. However, Joe used the word "unhackable." I've only been responding to exactly what he said. As a point of discussion, I just want to point out that quantum computing would render all present-day encryption algorithms useless, and I think that quantum computing is closer than billions of years away. :)

I fully agree that the level of security is nicely geared towards the enterprise. As for the home users, they still can get more encryption, with no ads, for free. Interfaces, resource usage, usability and support are different areas--all of which you may excel in; I haven't commented on these areas.

Sounds like your research shows you have a great product, that's great! Thought about putting that on your web site?

Lastly, I just want to point out I'm one person in the whole world, and I'm just expressing my opinion. There are 6 billion - 1 (me) other people who can form their own opinion about BlowSearch Messenger. While I find the search results for "BlowSearch Messenger" on Google to be amusing and surprising, that's not my fault or responsibility. Search for any product or service and there are good and bad reviews. I'm just expressing my opinion based on my experience and viewpoints.

Posted by Kevin at March 5, 2005 02:14 PM

All of your comments seem based on the possibility that analysis of the encryption in question is true brute force.

NONE of you can guarantee that someone won't tomorrow publish a way to statistically analyze any of the techniques mentioned that will reduce the amount of time arbitrarily.

Just food for thought.

Posted by S at March 6, 2005 12:44 AM

Quite right. Again, one of my main objections was the use of the word "unhackable." Key-pair encryption methods such as RSA use prime numbers as their foundation, with their strength coming from the fact it is easy to generate large prime numbers but extremely difficult to factor two large prime numbers multiplied together. If an algorithm is developed that could factor huge numbers, such encryption methods would be reduced to useless. Such an algorithm is a mathematical problem, not a computational problem (i.e. not brute force).

What is very secure today may not be tomorrow. Or it could still be secure in 50 years. But under no circumstances is any encryption algorithm ever unhackable--either by a mathematical attack or a computational attack. The feasibility of those attacks, and when those attacks are possible, is, of course, unknown.

Posted by Kevin at March 6, 2005 12:53 AM

Quite true of current technology, though I would love to see a logistically probable attack method to defeat quantum encryption - which was successfully implemented in 2002, if not earlier.

Fascinating subject.

Posted by S at March 6, 2005 12:57 AM