1998-01-05 - Re: Mobile Account Manager

Header Data

From: Dan Ritter <dritter@bbnplanet.com>
To: Cassidy Lackey <cypherpunks@ssz.com
Message Hash: 102988d072fbda3930bbbf97e9145e29c89eb3d74a663ffaa6246b9a471ee4a2
Message ID: <3.0.3.32.19980105075118.0072eec0@pobox3.bbn.com>
Reply To: <3.0.3.32.19971216090335.00759eec@pobox3.bbn.com>
UTC Datetime: 1998-01-05 13:00:00 UTC
Raw Date: Mon, 5 Jan 1998 21:00:00 +0800

Raw message

From: Dan Ritter <dritter@bbnplanet.com>
Date: Mon, 5 Jan 1998 21:00:00 +0800
To: Cassidy Lackey <cypherpunks@ssz.com
Subject: Re: Mobile Account Manager
In-Reply-To: <3.0.3.32.19971216090335.00759eec@pobox3.bbn.com>
Message-ID: <3.0.3.32.19980105075118.0072eec0@pobox3.bbn.com>
MIME-Version: 1.0
Content-Type: text/plain



At 03:33 PM 1/3/98 -0600, you wrote:
>Mobile Account Manager v1.1  now encrypts the data to the PalmPilot
>database.  For more information, check out our site at
>http://www.mobilegeneration.com or you can download the trial version at
>http://www.mobilegeneration.com/downloads/acctmgr.zip.  Let me know if
>there is anything else we can do!
>
>Cassidy Lackey
>Mobile Generation Software
>www.mobilegeneration.com
>
>Dan Ritter wrote:
>
>> What sort of encryption is used to protect private information in
>> Mobile Account Manager?

From http://www.mobilegeneration.com:

>After reviewing the costs and benefits associated with each of the published
>encryption algorithms (DES, RC4, RC5, IDEA, etc...) we have decided to utilize a
>proprietary Mobile Generation Software data encryption algorithm.  Most

This does not answer my original question, which is: what encryption method are
you using? All it says is which encryption methods you are *not* using.


>importantly, data encryption must ensure that no user can view the data in the
>PalmPilot MAM database or the backup MAM database on the PC.  We feel that it
>is highly unlikely that anyone will attempt to 'break' the encryption and therefore the

If I felt that it was highly unlikely, I'd hardly be asking, would I? Poor
cryptography is worse than none - it encourages people to believe their data
is safe when it is not. Good cryptography can stand up to having its algorithms
made public. Can yours?


>costs incurred by utilizing the published encryption algorithms would outweigh the
>benefits.  Therefore, we are confident that the MAM encryption algorithm provides
>sufficient data security for the Mobile Account Manager database.

Without providing more information, customers can not make that decision for
themselves.

>
>Below are the costs associated with utilizing many of the published algorithms for
>MAM:
>
>     U.S. Laws governing encryption software may not allow for exportation of
>     MAM outside of the U.S.

Then you should be active in political groups advocating change of those laws.
In fact, if you really believe in encryption, you might want to offer this as
a test case - even a reporter can see how silly it is not to be able to protect
your ATM PIN.

>     Copyrights and royalties associated with many of the encryption algorithms
>     may increase the cost of MAM.

Many strong encryption algorithms are free.

>     Complex encryption algorithms drastically increase the size of the application
>     and slow the response time of MAM.

Many algorithms can be tuned for different levels of complexity.

>If you feel uncomfortable placing your sensitive data in the PalmPilot, please let us
>know and we will give you some other ideas to ensure that your data is secure.

I am doing so. I am also copying this to the cypherpunks mailing list,
as other people ought to be made aware of this issue. Nothing I have quoted
seems to be nonpublic information.

-dsr-





