Today, I received an email. It's not quite spam in that I gave them my address when I went to a gambling conference a while back, but morally, it's spam. Normally I'd just delete it, but the conference is on again this week and is just down the road, so I gave it a quick skim though. One of the products being advertised caught my eye:
Money Controls is using IGE 2010 in London this week to launch the ccTalk DES - Data Encryption Standard - encrypted products. The product is a response to customer demand for improved machine security in places where fraud is a constant menace, such as arcades, motorway service stations and pubs.
Uhhhh... that can't be right. It's 2010 and they appear to be talking about launching a product based on DES. Maybe they're using the phrase in the generic sense, rather than the US NIST encryption system of the same name. However, they go on to say:
A significant deterrent in combating fraud, the products use over 72,057,594,037,927,936 combinations.
7.2 x 10^16 combinations? That looks suspiciously like 2^56 to me. Yep. They really are launching a new product based around 56-bit DES, an encryption system that has been theoretically broken for 20 years (probably for longer than that by people keeping it quiet) and practically broken for at least 10 years. The same DES that was withdrawn as a US federal standard 5 years ago, even in its stronger Triple-DES form (which this product doesn't appear to be using). Yes, that DES. How are they not only not embarrassed about this, but actively boasting about it in product release blurb? Fine, so maybe encryption isn't their core competency. But surely even a cursory glance at the web when considering which encryption algorithm to use would be a good idea? At the very least, it would point you in the direction of AES/Rijndael or something (anything) other than DES.
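The keyspace check above, as an added example that is not part of the original post: it tests whether an advertised "number of combinations" is an exact power of two and estimates the average exhaustive-search time for that key length next to a 128-bit key. The key-test rates are assumptions chosen for illustration, not measurements of any real hardware.

```python
import re

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed key-test rates (keys per second); illustrative, not measurements.
ASSUMED_RATES = {"1e9 keys/s": 1e9, "1e12 keys/s": 1e12}


def key_bits(claim):
    """Return n if the advertised number of combinations is exactly 2**n, else None."""
    digits = re.sub(r"[,\s]", "", claim)
    if not digits.isdigit():
        raise ValueError("not a plain integer: %r" % claim)
    count = int(digits)
    # A power of two has exactly one bit set.
    if count < 1 or count & (count - 1):
        return None
    return count.bit_length() - 1


def expected_search_seconds(bits, keys_per_second):
    """Average-case exhaustive search covers half the keyspace."""
    return 2 ** (bits - 1) / keys_per_second


def human(seconds):
    """Render a duration in the largest sensible unit."""
    if seconds < 3600:
        return "%.1f minutes" % (seconds / 60)
    if seconds < 86400 * 2:
        return "%.1f hours" % (seconds / 3600)
    if seconds < SECONDS_PER_YEAR:
        return "%.1f days" % (seconds / 86400)
    return "%.3g years" % (seconds / SECONDS_PER_YEAR)


if __name__ == "__main__":
    quoted = "72,057,594,037,927,936"  # figure quoted in the press release
    bits = key_bits(quoted)
    print("%s = 2^%s" % (quoted, bits))
    for n in (bits, 128):  # 128 = smallest AES key size
        for label, rate in ASSUMED_RATES.items():
            secs = expected_search_seconds(n, rate)
            print("%3d-bit key at %s: %s" % (n, label, human(secs)))
```

Each extra key bit doubles the search time, so the 128-bit figure is 2^72 times the 56-bit one at any fixed rate.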