CyberVenice

(tm) STILL NOT STABLE: SYMANTEC YOUR EYES ONLY January 1997

When I first purchased Symantec Norton Your Eyes Only, it caused me a lot of grief in terms of destabilizing my system, so I uninstalled it.

Thanks to the very kind sysops on the Compuserve Symantec forum, a few months ago Symantec sent me a revised version with file dates in 11/96. I installed it last week, and uninstalled it Tuesday after system crashes demolished 4 entire directories on my drivespace-compressed drive that were not smartlocked or encrypted in any way. I have no idea why those particular directories got trashed.

SUMMARY

Although the 11/96 version was a definite improvement, the product is still not ready for the real world on a widescale basis, in my professional opinion as a consultant who assists in selecting products for a couple or 5 very large organizations.

The product's flaws fall into three areas:

1 What it does do, it does not do well.

2 There are many things it does not do, ie, there are several weaknesses or holes in it's approach to protecting privacy.

3 Questions as to whether Symantec is committed to this product area, or whether it will remain a niche player or pull out of the market segment entirely.

Therefore, I cannot and do not recommend this product as a means of protecting privacy in its current form. I will be most glad to test any future versions. I also want to note that I pay retail price and use the normal lines of support while evaluating this product.

DETAIL

YEO attempts to apply encryption with with minimal impact on the user. This is unsuccessful because YEO impacts the user and the system in many ways, and requires a high-level of dedicated, expert, maintenance. Use of this product will require the user to commit to downloading various highly technical documents and also requires an intricate and intimate knowledge of the workings of Windows 95. Although IS departments may be reluctantly willing to keep, for example, a dedicated Lotus Notes expert on staff to support Notes, they are unlikely to keep a dedicated Symantec YEO expert on staff to support YEO, and really, nothing short of that is likely to succeed. This product cannot be supported casually, and definitely not by end-users.

As designed, YEO would allow the user to identify "Smartlock" encrypted folders. Once logged in to YEO through an additional, separate log-in (it is not possible to have a single Windows/Network/YEO login), the contents of these encrypted folders are decrypted as used and re-encrypted when saved. It is possible to create exceptions, so that files backed up to tape are backed up in encrypted form and are not decrypted when accessed for backup.

Unfortunately, the automatic encryption process also entails several lengthy processes when starting Windows and when exiting Windows. None of these processes are adequately announced to the user. For example, when shutting down, I was never once able to get a normal Windows shutdown to proceed to a normal conclusion: the "Please wait" notice remained on the screen for over 10 minutes, after which time I rebooted. Symantec says that YEO may have been analyzing the encryption status of the smartlock folders. And then again, it may not; there is simply no notice on screen and no way to tell. However, turning off the system or cold-booting during this period can also cause disk corruption - it did on my system, causing the significant loss of data.

I also experienced numerous failed boots, where Win95 refused to fully boot up except in safe-mode. I also experienced numerous lockups and other bizarre Win95 behavior which appeared after YEO was installed, and disappeared when I uninstalled it.

After installing YEO, I repeatedly got some kind of apparent message that was displayed using the wrong type of video driver, making the screen dissolve into a green cascade of garbage characters. Maybe YEO was trying to tell me something but not doing a very good job of it. Sometimes pressing a key would cause a reboot, and sometimes after pressing a key the system would flash back into normal video mode and continue on as if nothing had happened. There is no method of determining the source of this problem and Symantec support blames this on outdated and non-standard video drivers. However, I have never experienced this problem except with another Symantec product (Norton Anti Virus), so maybe Symantec has some common defective code.

Overall, YEO destabilized my system, causing frequent crashes, loss of data, unpredictable behavior. Although Symantec tech support may be able to solve these problems at least partially on a user-by-user basis, unless an organization has identical systems installed on every desk top, I believe they will have to solve problems on a case-by-case basis.

Based on the improvement from the first to the second delivered versions, I believe that Symantec may eventually be able to turn this into a reliable product at some time in the future, in which case it could be re-evaluated at that time.

There are many ways that Symantec Your Eyes Only fails to secure the user's data. The general security model assumptions made by YEO are invalid in the current environment most users face. For example, YEO assumes that the data is in danger of theft only when the system is out of the control of the user. YEO would protect data on a stolen laptop very well, for example.

In the current environment, a rogue app unknowingly accessed from an internet web page will have full access to the unencrypted files, since YEO will kindly unencrypt and deliver any file asked for by any application not on the exclusion list. A better approach would be to have an *inclusion* list, so that, for example, only Word and Excel would receive the benefits of automatic unencryption.

YEO does not attempt to provide any integration of encryption with common email systems.

YEO does not protect removable drives, a highly desirable feature and a mysterious oversight on the part of the product.

YEO does not allow the user to log-in to the automated encryption system except at start-up. For example, it is not possible to log-in when the user desires access to the encrypted folder or drive.

YEO makes it difficult for the user to understand when files will be decrypted and when not. It would be very, very easy for a user to accidentally email an attached file in decrypted form without realizing it.

YEO seems to implement features in a way to provide maximum ease to the programmers who create it, with little thought of the users. Even if every aspect of YEO worked properly, without damaging or destabilizing the user-system, it would at best do less than half the job of protecting the privacy of data on the user's system.

Microsoft has a long history of competitive and aggressive attacks on the makers of utility software, for example bundling partial implementations of functions previously provided by third-parties. The weak bundled implementations have failed to eliminate the need for backup programs, or general problem-solving utilities such as Symantec Norton Utilities, which are still viewed as necessary in spite of the weak similar utilities bundled with Windows 95. But in other areas, Microsoft has eliminated entire categories: for example, compression software is now obsolete since Microsoft's solid implementation in Windows 95.

It is hard to predict in which categories this will happen and in which they won't. However, I predict that even a minimal implementation of encryption in the Windows 98 operating system, should it occur, will quickly displace 100% of the Symantec Your Eyes Only market because of the minimal services offered by Symantec YEO and because of the instability of the product.

Symantec may also be thinking this way, and that may explain the apparent lack of investment and commitment to this product even in the face of a huge new demand for encryption. For example, Microsoft's announcement that the Windows API will be available to Java programs running in their browser, Internet Explorer, will, when realized, create a huge demand for encryption and other privacy-protection products. Possibly, Symantec is expecting Microsoft itself to satisfy this demand.

The threat that Microsoft may decide to enter any market and dominate it with free, giveaway products is not lost on development companies, and continues to weaken the Windows platform while increasing Microsoft's profits in the short term and threatening the success of the Windows platform in the long term. There are few who do not wish for a change to this situation although there are even fewer with solutions.

Overall, I give Symantec's Your Eyes Only an evaluation of:
NOT RECOMMENDED

1	What it does do, it does not do well.
2	There are many things it does not do, ie, there are several weaknesses or holes in it's approach to protecting privacy.
3	Questions as to whether Symantec is committed to this product area, or whether it will remain a niche player or pull out of the market segment entirely.