SOURCE: Meganet Corporation
 
Meganet Corporation Ships Virtual Matrix Encryption 
Nationwide; New $1.2 Million Challenge Begins Today
 
LOS ANGELES, April 1 /PRNewswire/ -- 
 
Meganet Corporation, who challenged Microsoft (Nasdaq:  MSFT - news),
Intel (Nasdaq: INTC - news), Dell (Nasdaq: DELL - news), AT&T (NYSE: T -
news), NCR (NYSE: NCR - news) and many other high tech companies with
their unbreakable encryption is shipping VME98 nationwide. 
 
As of today, April 1st, 1998, anyone in the continental United States of
America can buy VME98 directly from the Meganet web site at
http://www.meganet.com. Prices for the standard edition are only $100 for
a fully operational application.
 
After 12 months of Research & Development, Meganet Corporation completed
21 different commercial versions of VME98 last month, and the product is
now being sold nationwide through the World Wide Web. 

Virtual Matrix Encryption is the strongest encryption available today, and
the product is available ONLY in the United States of America.

Meganet Corporation is also launching their 3rd challenge which is worth
$1.2 million over the next 12 months. 

Starting today, and for the next 12 months, Meganet Corporation will post
a monthly $100,000 challenge for registered users of VME98. This new
challenge shows Meganet Corporation has absolute confidence that VME98 is
completely unbreakable. 

Today's date also marks 1 year from the first 1 million dollar challenge
that brought Meganet Corporation nationwide recognition. The challenge
lasted 45 days and over 55,000 people participated. None have succeeded. 

Today also marks the end of the second challenge which lasted over 6
months, where Meganet Corporation challenged the top 250 corporations in
the U.S. to test and break VME97.  None have succeeded.

The challenge solution will be posted on the Meganet web site at
http://www.meganet.com. 

=-=

From: "Peter A. DeNitto" 

This contest is mostly a Publicity stunt, and not one to actualy test
whether their code is scure or not.

They do not publish source code, they cannot sell to foreign nationals,
and you cannot attempt to crack their code without first ponying up $100
to buy their toolkit.

55,000 participants... Does this mean that they count everyone who has
bought their product as a participant?

Meganet's contest is less of a contest and more of a Sweepstakes.  
If they cannot publish the source, then crypto groups cannot take a real
look at their code and determine if different ways of attacking their
contest can be found (other than brute force).  

And also, I find the fact that... "Due to strict export regulations we
can not create a demo / shareware application that will allow everybody to
participate in the challenge."  Definately a win situation for meganet,
since if you want a chance at $1.2Million you have to spend $100.  I think
this is against the law in most states.  But then this is the internet
and you can get away with most anything anyways.

Reading their document, I believe their big flaw with their encryption to
be tied with this statement:

http://meganet.com/VME.html

...
"...the key is not transferred but rather recreated on both ends based on
a common file.  The key can not[sic] be compromised[sic] since it's not
being transferred."

Having a common file on both machines from which a key is generated sounds
like bad mojo in a live system.  For their challenge, it's fine, but in a
live system it's trouble waiting to happen.

If you really want a contest that is acheivable, check out
www.distributed.net, or http://www.certicom.com/chal/index.htm, or
http://www.rsa.com/rsalabs/97challenge.  These all detail the algorithms'
used, provide source, and exercises.  

An interesting link also is
http://www.interhack.net/people/cmcurtin/snake-oil-faq.html
Authored by Matt Curtin 
...

Secret Algorithms

Avoid software which uses secret algorithms.  This is not considered a
safe means of protecting data.  If the vendor isn't confident that its
encryption method can withstand scrutiny, then you should be wary of
trusting it.
...

Check out your local sci.crypt newsgroup or www.dejanews.com.  There's a
lot better discussion there.

--Pete