Xennt's Out and Already Selling Vaporware
darkmaster
Member
So I just found out that Hermann Xennt already launched a new project.
During his time in prison, he said he had "many plans for the future" and that no one could stop him from achieving his vision. Well, looks like he wasn't kidding.
He launched this new encrypted messaging platform called CREO (https://creo.ws and https://creo.solutions). It's supposedly using quantum-resistant AES-512 cascade encryption with no central servers, no message storage, and no data collection. They claim there are no master keys or backdoors.
The whole thing reminds me of https://xkcd.com/927/
In my eyes it's all bullshit, honestly. Why would I pay him for some EncroChat style setup when I can just use Matrix for free? Matrix is open source, federated, actually audited, and doesn't come with the baggage of a guy who just got out of prison for running criminal infrastructure. The whole pitch screams of someone trying to cash in on the "ultra-private" crowd who think paying money somehow makes things more secure. The product isn't even out yet and he's already selling "certificates" and "governance tokens" for vaporware. Oh, and it will only be available for phones, so good luck if you actually need to do any real work on a desktop. Hard pass.
What do you all think?

Comments
As someone who worked with him for multiple years, I can only say, the app definitely exists. He doesn't sell thin air. He obviously tries to use some of his history to market CREO and make it more popular, but he also genuinely believes in his vision and has the resources to work on it.
However, he sometimes chases ideas that could benefit from more peer review, which can make some of the concepts or thoughts he shares feel a bit off, overly ambitious, or not fully thought through. Surprisingly enough, he has always been lucky enough to find people who are interested in those ideas and willing to help realize them.
As for CREO, like some of the other apps, it's probably not targeted toward everyone, definitely not you or most people here. But there are still surprisingly many people who are interested in it, each with their own reasons.
Trust is a very odd thing. Signal, for example, is open source, regularly audited by various third parties, and still some people believe the CIA can read every message. Sometimes people place more (subjective) trust in a party whose public image opposes whatever they fear. Telegram is a good example, when it comes to security, it's one of the worst options out there. Even Facebook Messenger is better. Yet people trust Telegram more because of its "we ignore government requests as much as possible" attitude. Some people think that if an app costs $500 it must be more secure than a free one. That's basically why EncroChat or Sky existed in the first place.
There will be people who are interested in it, and there will be people who use it 🤷
Would I recommend using it? Not before it's held to the same standards, including external audits, as Signal, Matrix, and others.
Fair points, and I appreciate the insider perspective. You're right that trust is subjective and people will use whatever aligns with their threat model, or their perception of it, anyway.
But here's the thing: you say "the app definitely exists" but the website itself says it's still being developed. So which is it? There's a working product, or there's a product in development that he's already selling certificates and governance tokens for? Either way, if it's not ready for external audits yet, why is he already monetizing it? That's textbook vaporware sales tactics, even if the product eventually materializes.
The Telegram comparison is spot on though. You're absolutely right that people trust branding over actual security. But that's exactly why this concerns me. Xennt is banking on his "anti-establishment" reputation to sell an unaudited product to people who probably need real security, not security theater. Those are the people who end up in handcuffs when their "ultra-secure" app turns out to have been compromised from day one.
I'm not saying he's running a scam or that the app won't work. I'm saying that until it's externally audited and proven, people should stick with the boring, audited options that don't come with a criminal conviction. No amount of "quantum-resistant AES-512" marketing changes that.
No it isn't, that's standard business. You just need a prototype to prove that with development work, you can achieve a certain result.
SMH.
Did they fake a demo? Falsify anything? No? Then get a new textbook.
Well, CREO isn't really something new. Xennt has been working on chat apps for nearly two decades now. Previously, other apps like Exclu, Underground, and a couple of others existed, following a similar concept. If I understand it correctly, they are currently working on moving the app into a pVM and improving some of the encryption.
Regarding the current fundraising, as Timbo mentioned, that's nothing incredibly unusual.
You come up with an idea, maybe work on a prototype, then try to find investors to actually get the capital to make this a viable product. Sometimes those investors are big venture capitals, sometimes they are just regular people investing through crowdfunding. Or, well… if you bring crypto into this, you buy some tokens.
Not the biggest fan of this, but that's kinda how capitalism works I guess 🤷
"Standard business" is exactly what I'm criticizing. Just because something is standard doesn't make it ethical or smart for consumers. Sky ECC was standard business. EncroChat was standard business too. Theranos was standard business with a prototype. "We didn't technically lie" is a hell of a low bar.
My textbook is fine. It's got a whole chapter on due diligence, external audits, and not throwing money at unproven security products just because the founder has an anti-authority aesthetic. Maybe check yours for the section on "caveat emptor."
You're right that the fundraising model isn't unusual, but that's kind of the problem. We've normalized selling promises to retail "investors" who get a PDF certificate and hope, while VCs get contracts and legal recourse. That's not capitalism working, that's the worst parts of it. Privatize profits, socialize losses.
If Xennt has been working on chat apps for two decades, and his previous apps like Exclu and Underground were literally for the criminal underground, why does he keep starting over with new branding? Either they failed, got busted, or he's just repackaging the same concept every few years for whoever will pay. That pattern doesn't exactly inspire confidence in the longevity or security of CREO.
I get that development costs money, but when you're positioning yourself as the anti-establishment privacy champion while using the exact same extractive fundraising tactics as every crypto grift, and selling "governance tokens" and "DAO voting rights" like that's democracy instead of just pay-to-play corporate structure with extra steps, it rings hollow. At least be honest: this is a commercial product being sold for profit using hype instead of audits. That's fine, but don't dress it up as revolutionary digital resistance when your track record is selling encrypted phones to drug dealers.
It's weird that people would still use an Encrochat-like service after so many of them have been hacked by governments and used to put people in jail for serious amounts of time.
I've never heard of anyone getting locked up because their Signal messages got intercepted, but it seems to happen a lot with these solutions that you only ever hear about after they've been hacked 🤷‍♀️
He was previously working on an encrypted spam-proof email solution upon his return from an extended stay working in India a while back.
What I find so comical, is the sentence he received, when you consider hundreds of pounds of heroin, MDMA, and just about every other hard drug you can name, following the raid when the 600 German paramilitary police nabbed him.
On the other hand, he truly believes in at least most of the projects he promotes, having associated with him back in the PacificRoot days and the ICANN wars when he fired up public-root. He was always straight with me and I insisted on everything being above board where my work was concerned, and I had some hopes that his Net Bank66 I think he called it. In the end it went nowhere, but I do think he truly believed in what he was doing. I remember a photoshoot series of pics where Cytrax was all elated when they were wheeling in an AS-400, I believe, as the first installment of the bank's computing infrastructure.
His associations with "Mr. Green" (Probably the Penguin), and some other shady characters were things that were ill-advised (understatement), but I guess when you need a bankroll you sometimes get in too deep and do the bidding of some dodgy characters.
I was asked to come and manage the original Cyberbunker before the fire and discovery of the Ecstasy manufacturing, and interestingly enough, foreign people were literally paid to take the rap for that instead. I guess in the Netherlands, you can have someone else do the time for your crimes.
Instead of me, because I couldn't accept the post (raising a child as a single father at the time and CTO of a SoCal VAR/ISP myself), my friend at the time, Joe Baptista, signed on and indeed went to Goes, Netherlands to work there, but he came back disenchanted, and rather zip-lipped, until after the initial bust, when he freely confided in me what he found once he got there and was disillusioned.
In hindsight, I'm truly glad I didn't take Xennt up on his offer, besides, there wasn't much that I couldn't manage there remotely anyway, but I don't think I would have been amused to discover the illicit operations he actually had going on there.
I thought that once he secured the bunker in Germany and set out to refit it as a premier data center, things had truly changed, but alas, they had not.
I wish him luck in his latest endeavor and do hope that it at least does bear some truly functional fruit for him, and that he remains legitimate in his business ventures.