Jean-Pierre Pennacino joins as advisor

Following our selection to the 2018-2019 Fintech Fusion program in Geneva, Switzerland, Jean-Pierre Pennacino has joined us as special advisor for the Swiss market.

Jean-Pierre is a Geneva-based senior IT and hardware cybersecurity executive with over 25 years in senior and executive positions in finance, operations and growth at leading IT companies, including PwC, Motorola, Gemalto and STMicroelectronics.

Moving to Geneva

Four weeks after being accepted into the prestigious Fintech Fusion acceleration program in Geneva, we decided to move our main operations office to this beautiful Swiss city, the private banking capital of the world.

Geneva will be our main operational and sales office indefinitely. We’ll retain our incorporation in Luxembourg, while we’ll likely move our development office to Berlin after the closing of our 2nd fundraising round in Q2-Q3 2018.

In fact, in addition to experienced mentoring and highly fitting industry networking opportunities, Fintech Fusion offers a unique opportunity to engage its funding partners from the banking sector, which include some of the world's largest banks, private banks and banking technology providers, among them BNP Paribas, SwissRe (Credit Suisse, AMEX), Temenos, Saxo Bank, Notz Stucki, and more.

Such partners, and Switzerland's role as “banking capital of the world”, perfectly align with the recent refocusing of our B2B2B and B2B2C business model, which moves away from generalist banks to private banks as our main customers, while our end-users remain ultra-high-net-worth individuals and large global corporates.

Furthermore, pitch events to local angels and VCs will take place late next month, November 2018, and then in late Q1 2019.

Selected for Fintech Fusion acceleration in Geneva

Following the pitch finals last Monday, Sept 17th - with 17 shortlisted startups from 10 countries - TRUSTLESS.AI was selected as 1 of only 9 out of 400 applicant startups to join the 2018-2019 program of the prestigious Fintech Fusion acceleration in Geneva.

In addition to amazing and experienced mentoring, and great office space in Geneva, it provides a unique opportunity to engage funding partners from the banking sector, which include some of the world's largest banks, private banks and banking technology providers, among them BNP Paribas, SwissRe (Credit Suisse, AMEX), Temenos, Saxo Bank, Notz Stucki, and more.

Such partners, and Switzerland's role as “banking capital of the world”, perfectly align with the recent refocusing of our B2B2B and B2B2C business model, which moves away from generalist banks to private banks as our main customers, while our end-users remain ultra-high-net-worth individuals and large global corporates.

Furthermore, pitch events to local angels and VCs will take place late next month, November 2018, and then in late Q1 2019.

Joonyoung Park joins as cofounder and Executive VP of Engineering

Last June 6th, Joonyoung Park, an advisor since Oct 2016, also joined as Cofounder and Executive VP of Engineering. He brings an incredible CV and very fitting expertise. He worked with our CEO Rufo in Seattle in 2001, and has been an active advisor since 2016.

Joonyoung led a 30-staff team in Palo Alto at Kudelski, a global leader in IPTV and cybersecurity, designing new devices from concept to manufacturing.

He co-managed, and exited in 2018, JRC, a family-owned $200M/yr 7-sigma electronics manufacturing services (EMS) plant in South Korea. He was Chief of Engineering Staff for B2B Solution Development at LG Solutions, and Principal Staff System Engineer at Motorola.

Last June 1st, we were selected to pitch at Tech Invest Milan, where our CEO Rufo Guerreschi gave an 8-minute pitch presentation.

Hosting our 5th Free and Safe in Cyberspace in Berlin

The Trustless Computing Association - the non-profit organization from which TRUSTLESS.AI spun off in 2017 - hosted the 5th edition of the Free and Safe in Cyberspace conference on May 4th 2018 in Berlin.

Speakers included IT security, blockchain and GDPR experts, and digital civil rights activists, as well as current and former top cybersecurity officials of Deutsche Telekom Labs, the Austrian CIO, the German Armed Forces, the German Ministry of Interior, and the European Defence Agency.

As in its previous 4 editions, with amazing speakers participating, the event centered on discussing and widening a consensus around solutions to the challenge that we have been tackling with the TRUSTLESS.AI offering:

  • (A) Can we create a new IT and AI security certification body - and compliant open systems - that radically exceed the security state-of-the-art? and

  • (B) If so, can we do so while at once increasing public safety and preserving legitimate and constitutional lawful access capabilities?

During the event, Rufo Guerreschi - Executive Director of the Trustless Computing Association and CEO of TRUSTLESS.AI - presented the just-published Position Paper, Case for a Trustless Computing Certification Body (pdf), which describes and argues in detail for a proposed joint solution to Challenges A and B described above.

Everything is backdoored: why our approach minimizes the risk.

Many civil rights activists, activist cryptographers and IT security professionals have been suggesting that we are just building an IT system and standard with a backdoor, out of incompetence or collusion with security agencies.

On the contrary, in a world where every device is broken - at birth, by design, down to CPU design and fabrication, as shown by the recent scandals about Intel and AMD CPUs - we are building the CivicPod, the FIRST IT device and service in the world which can plausibly be argued to be WITHOUT backdoors, state-sanctioned or state-inserted - for the first time since algorithmically unbreakable encryption was made widely available in the 90’s.

Backdoors are everywhere, today, and we are. 

In fact, given extremely high plausible deniability, it is virtually impossible to ascertain which of those critical vulnerabilities are errors due to hyper-complexity or incompetence, and which are backdoors - stockpiled, slipped in by an insider developer, or subversively inserted by nations.

By the nature of such tools and techniques - impervious to accountability and attribution when skillfully deployed - such backdoors are widely abused, and abusable, by nation-state agents and criminals without due legal process.

We should assume that all or nearly all devices and services available today are backdoored and hackable by a large number of actors. Bruce Schneier said: “I assume that all big companies are now in cahoots with the NSA, cannot be trusted, are lying to us constantly. You cannot trust any company that makes any claims of the security of their products. Not one cloud provider, not one software provider, not one hardware manufacturer.”

Though perfect security will never exist - by uniquely implementing extreme transparency, oversight, accountability, and ethical and expert security review in relation to complexity - our certifications will spur the creation of the 1st IT systems and devices in the world that remove any and all upfront unverified trust along the entire supply chain and lifecycle.

As opposed to all other systems, exploitable by nations and criminals without proper judicial authorization, such systems will only be offered in privacy-respecting EU nations and will deploy radically extreme and transparent technical and organizational safeguards - involving even citizen juries in multiple democratic jurisdictions, accountable to such a certification body, a highly ethical, international, trustworthy non-profit “trusted third party” - to vet and manage the legitimacy and constitutionality of lawful access requests.

2018 may well be about endpoint security: the role of TRUSTLESS.AI

In this long post we'll argue that demand for endpoint security will explode in 2018 in all IT domains. We'll look at how leading projects like Sirin Labs Finney, Telegram TON and OpenRISC plan to meaningfully mitigate critical vulnerabilities - like Spectre and Meltdown - and how TRUSTLESS.AI compares and positions itself.

After Snowden revealed in 2013 incredibly pervasive spying by the US and Five Eyes agencies, researchers have increasingly revealed critical vulnerabilities deep down in nearly all mainstream and high-security systems. Vulnerabilities that, so the story so often goes, went unnoticed for years or decades by their makers and by Western security agencies.

The public dumping of thousands of CIA hacking tools revealed by Wikileaks' Vault 7, and that of the source code of the Hacking Team platform - built for the semi-automated scaling of hacking to thousands of targets - reveal not only that state-grade targeted hacking tools are available to mid-level hackers, but also that they have the capability to exploit them at scale.

Meanwhile, over the last 2 years, nearly all media and expert reports have claimed that end-to-end encryption apps, blockchain and open source will deliver meaningful protection to the endpoint. They are wrong.

In fact, more than $4 billion was raised last year via ICOs by blockchain startups promising to bring unprecedented levels of security and immutability to nearly all economic sectors. Yet the security that blockchains are increasingly bringing to the database/ledger level is completely lost at the endpoint edges: it is lost in the client devices used to write to or read from the ledger, which are more broken than ever. Cybersecurity, after all, is only as good as the weakest link.

In fact, even after what we’ve learned, the media still wildly overestimate the security of current and emerging endpoint solutions, because of an uncoordinated alignment between IT providers marketing their new products and security agencies pretending that they are “going dark” in order to drive more criminals to use technologies they can crack remotely.

Nonetheless, a large number of enterprise CSOs and top executives by now know better where the real costs and threats reside. While they have learned that they can easily mitigate ransomware, and quickly recover their stock valuation after the public dump of a massive user database, they understand that they are practically naked when it comes to protecting their most sensitive communications, negotiations and trade secrets, and to protecting their executives and boards from blackmail.

This recent news, and the other facts listed below, make a strong case that 2018 will be about meaningful endpoint security, and that TRUSTLESS.AI and the Trustless Computing Association have great potential to deliver - initially for every user’s most critical computing - what the world has been waiting for since Snowden. Let’s look into them in some more detail.

Telegram

Days ago Telegram, an app-based “secure” messaging platform with 170M users - fast expanding its features to become a sort of non-Chinese WeChat - announced an unprecedented $500 million ICO in order to add to its app-based platform a uniquely private and fast blockchain to “pay for services purely through digital tokens without relying on banks or payment processors, which are often the target of government scrutiny or censorship”.

But they haven’t delivered and won't deliver, because they inexplicably use a new, obscure, non-time-proven encryption protocol, and for the simple fact that their security is merely app-based, and therefore completely compromisable in integrity and confidentiality by malware easily installed on the endpoint device, even by mid-level hackers. Also, hiding large financial transactions from a legitimate investigation is not only immoral, it will also never be allowed by large states.

Meltdown and Spectre

Last week, the public disclosure of the Meltdown and Spectre vulnerabilities revealed how a large majority of modern CPUs - even those for high-security scenarios - have been critically compromised in their data confidentiality for over 20 years, allowing any app or VM running on the machine to copy data and encryption keys from any other running app or VM.

In a recent post, we clarified not only that our CPU is immune from such vulnerabilities but, most importantly, that our overall solution and supply chain are far more resistant than the state of the art to the hyper-complexity, security-through-obscurity, lack of coherent certifications and need to leave backdoors for states that have led to Spectre and Meltdown, and to the many similar critical vulnerabilities in endpoint stacks - even in systems for high-assurance scenarios - that are continuously publicized, will be publicized, and especially those that will never be discovered or publicized for years.

Our solution doesn’t rely on SW or HW isolation to protect against less “trusted” applications or virtual machines. It is a self-contained, VPN-isolated, end-to-end “computing universe” in which any app that runs on it is subject to exactly the same security standards as all other technical and supply-chain stacks.

Sirin Labs

Last December, Sirin Labs, the maker of a $15k cryptophone, raised $157M to address exactly the same user problem that we are addressing. But they keep doing so in a trusted way, with plenty of black-box components and processes, rather than in an uncompromisingly trustless way.

In a way, it is disheartening that startups based on products that failed in the market and on old trusted-computing approaches are so successful in ICOs when well funded; yet it also validates the size of the problem, as we outline in this post.

OpenRISC

In recent days, an open source CPU and SoC project, OpenRISC - widely praised in the hacking community and mostly paid lip service by the industry - clarified its immunity to Meltdown and Spectre and restated its claim to be able to provide meaningful endpoint security through the full transparency of its source designs.

Unfortunately, OpenRISC technologies and ecosystem were never conceived to radically increase security, but rather to provide an open source alternative for high-performance computing, and they are therefore plagued by the architectural, governance and complexity choices made accordingly.

A DARPA analysis of OpenRISC as a platform for ultra-high-assurance computing highlights, on page 9 (pdf), the huge funding and effort challenges of trying to reconcile high performance and rich features with ultra-high levels of assurance.

Why Spectre and Meltdown are likely "state-allowed" backdoors

Nearly all think that Meltdown and Spectre were just errors by the CPU industry resulting from prioritizing performance over security, and that surely is the main "technical" reason.

Many forget that Bruce Schneier said back in 2014 that, after what we learned with Snowden, "we should assume all mainstream CPUs to be compromised" (minute 32 of https://youtu.be/rJRsanm-ODI).

In another instance, he said: “I assume that all big companies are now in cahoots with the NSA, cannot be trusted, are lying to us constantly. You cannot trust any company that makes any claims of the security of their products. Not one cloud provider, not one software provider, not one hardware manufacturer.”

There are reasons to believe that the Spectre and Meltdown vulnerabilities were not just discovered 6 months ago, but were known for a long time - by one or more CPU makers and governments - who deliberately inserted them, or discovered them and left them there, to allow government (more or less) lawful access.

This is the exact same thing as "inserting" a backdoor. No difference at all. Actually, it is the best and sleekest way to place a backdoor, because all parties involved have near-perfect deniability. In fact, the discovery of these bugs translates into a temporary decline in stock prices and into more orders for Spectre-proof chips from the same vendors, which enterprises and governments may be required to buy for compliance with GDPR or other rules.

Only a very few need to be in the know. For example, a CPU maker's executives or senior R&D staff just have to make some architectural choices rather than others - or turn a blind eye to a critical bug - and then slip a word to high-level government agencies.

Nothing we can do about it?

No: we can remove all unverified upfront trust not only in CPU makers, but in all critical component makers, designs and fabrication processes, and even in standards-setting - and allow an extremely safeguarded offline process for legitimate lawful access - as we are doing at TRUSTLESS.AI and the Trustless Computing Association.

EDITED TO ADD 1/11/2018: Our Trustless Computing Paradigms, on page 8 of our Whitepaper Summary (on our site), have included since 2015 this assumption, baked into all our technologies, governance and supply chain:

D. MEASURE: assumes that extremely skilled attackers are willing to devote even tens of millions of dollars to compromise the lifecycle or supply chain through legal and illegal subversion of all kinds, including economic pressures; and many tens of thousands to compromise an individual end-user.

Nearly all or all CPUs appear to be compromised. Nothing we can do about it?!

In recent days, most were surprised by the reports that the Spectre and Meltdown critical vulnerabilities, present in nearly all mainstream CPUs of the last 15 years, are to a large extent unfixable, even through OS updates.

We are not surprised.

It was 2014 when Bruce Schneier, the world's most recognized security expert - in reply to a declaration by Intel's CEO that their chips had not been hacked - clearly stated that, after Snowden, we should assume all mainstream CPUs to be compromised in undetectable ways, due to design and supply-chain complexities or state backdoors. See minutes 32:40-34:00 of this video.

Nothing we can do about it? Nearly everyone seems to think so. But, since 2014, at TRUSTLESS.AI and the Trustless Computing Association, we’ve been promoting an approach to CPU/chip design (and fabrication!) that removes upfront trust, radically reduces complexity, and enables an offline, in-person, privacy-respecting lawful access process, so states don’t have to backdoor it.

Also, our Kryptus SCuP architecture - the only secure CPU in the world publicly verifiable in HW and SW design, according to the Head of Information Superiority of the EDA - is immune from this kind of vulnerability “as the underlying core does not employ speculative execution”.

But we go well beyond that, implementing our Trustless Computing CivicFab fabrication oversight processes, which offer far greater user trustworthiness than even the NSA Trusted Foundry Program processes.

Pitch and exhibit in Cannes and Berlin. New advisors and investor traction.

Some updates for the last month and next:

  • On Nov 28-30th, we'll be in Cannes at the TRUSTECH conference, attended last year by 13,000 people. We were chosen as 1 of only 4 startups (out of the 44 participating and pitching) for a free-of-charge package including a full stand, a 7-minute pitch to 200 people, and participation in a closed workshop with VCs and corporate VCs, including Astorya.vc, Axa Strategic Venture, P101 Ventures, dPixel, TIM #WCAP Milano, Digital Magics, ICCREA Banca, Innogest, Berlin Innovation Venture.
  • On Dec 7th, we'll be in Berlin, hosted as an "alumni startup" at BetaPitch Investor Day, organized by the Hardware.co Pre-acceleration Program from which we graduated in July 2016.
  • We have great new advisors joining the team - Fabrice Croiseaux and David Drake - and a new cofounder, Ryan Molecke, with great core blockchain expertise.
  • We are making advances in the prototyping, architecture and business modeling of the project, and in our fundraising strategy: see Overview.
  • We were sought out and invited to apply by the MDs of 4 of the world's most prestigious acceleration programs. We passed the 1st phase of 3 of them, including a call with the team and their MDs.
  • Over the last 6 months, 4-5 leading equity VC investors in the blockchain/crypto domain have been actively interested in investing. We are actively engaged in detailed discussions with 3 small pre-seed venture funds.
  • We have been holding off until the closing of the round before pursuing formalization in Pilot Partner MoUs with 3-4 of the many prospective end-users who have engaged with us since last spring.

New headquarters in Luxembourg, and offices in Berlin.

After spending November and December 2016 in Silicon Valley, mostly business planning, prototyping and successfully building relationships with top VCs, we decided last January to move our commercialization and prototyping office to the EU for our first go-to-market. It became evident that EU laws, practices and political climate are more in tune, in the near future, with the possibility of offering ultra-high levels of cybersecurity to enterprises and consumers.

We therefore spent January and March 2017 in Berlin – location of our OS/microkernel partner at the time – where we: built our non-security-critical supply chain; advanced our product virtual prototyping, UX and UI designs; improved our web presence and product video; and expanded our team with an amazing local team of Toby Shotz, Nikoloz Kapanadze and Alexander Elkin. Check out the team page for details!

Interest in our startup by private and public investors, and by prospective pilot clients, soon moved beyond Berlin, especially to Luxembourg. Since the end of March, through the introductions of our new advisor and former Minister of Defense and Communications, Jean-Louis Schiltz, we have met a large number of angels, cofounders and public institutions in Luxembourg.

We have entered into an LoI for a wide-ranging long-term partnership agreement with the University of Luxembourg SnT – Interdisciplinary Centre for Security, Reliability and Trust, and we are in the process of re-incorporating from Delaware, USA to Luxembourg, concurrently with the closing of our 200k€ angel round with local investors in the next weeks.

The substantial interest manifested so far by Luxembourg public entities justifies expectations for: (a) an active and formal joint promotion of Trustless Computing standards, certifications and labels, to help Luxembourg lead in enterprise and financial cybersecurity; and (b) large opportunities for public and public-private investments and financing, for both our angel and seed rounds.

The European Cyber Fund and the Minister of Economy's comments on it, the Luxembourg Future Fund, the mission and aims of LuxTrust, the “Security made in Luxembourg” initiative, the “Hosted in Luxembourg” label, LuxInnovation, and the U. Lux Interdisciplinary Centre for Security, Reliability and Trust (SnT) seem to converge on the aim of attracting and promoting business to Luxembourg through the provisioning of world-leading IT services, legislation, infrastructure and ecosystem for digital information, communication and transaction security. Our startup TRUSTLESS.AI, the non-profit from which it spun off 6 months ago, Open Media Cluster, its non-profit global event series Free and Safe in Cyberspace, and its emerging non-profit Trustless Computing Consortium and Trustless Computing Certification Body are uniquely positioned to deliver on such a vision, and to enable Luxembourg to:

  • (A) attract and retain global enterprises based on radically unprecedented levels of “confidentiality and integrity protection from competitors and hackers”, through public and private IT service offerings, advanced legislation and the related unique Trustless Computing IT security certification and labeling. Such a locational advantage would complement existing ones, including the “confidentiality protection of tax planning from other EU member state tax agencies”, since upcoming EU tax transparency regulations and the announced historic US tax reforms may, in the near future, reduce that existing advantage.

  • (B) In the medium term, foster the creation of a local ecosystem that leads a few other EU member states – such as the current members of the Consortium, Italy and Austria – to create the world's 1st ultra-high-assurance IT cluster, the EU Trustless Computing Cluster, together with other EU member states and with Luxembourg leading; and

  • (C) Ultimately play a critical role in helping Luxembourg lead Europe in cybersecurity, by turning a huge threat into a huge opportunity for economic growth, political leadership and social impact.

We are relocating and re-incorporating in Luxembourg concurrently with the closing of our 200K€ angel round, in 1-2 weeks. We are dealing with 5 active Lux-based angel investors, 2 cofounders, 2 public-private and private VCs, and the European Investment Fund.

Could Trustless Computing be the key answer to the massive leaks of CIA hacking tools just reported by Wikileaks?!

Today, Wikileaks started releasing amazing, ground-breaking revelations about CIA capabilities – to scalably and critically compromise the most modern communication security systems, and the safety of connected cars – and, especially, about the CIA's supposed widespread inability to keep innumerable others from finding and exploiting them. Here is a post about it by the world's most esteemed IT security expert.

The Wikileaks statement said: “This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulating among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”

If such a statement is even half true, it would be historic. We’d need to conclude that all enterprises, banks, public institutions and everyone else are much more naked to both scalable and targeted attacks than they thought they were. Not only against advanced state actors or determined actors, but against much smaller competitors, criminals, states and stalkers. It would be orders of magnitude bigger than the release of the Hacking Team tool sets.

For 3 years, we at TRUSTLESS.AI and the Trustless Computing Consortium have been building technologies, standards and strategic partnerships to not just increase, but radically increase, the state of the art of cybersecurity by (a) completely removing the need for, or assumption of, unverified trust along the entire supply chain and lifecycle of all critical IT service components (down to CPU, fabrication and standard setting), and (b) applying to them consistently extreme levels of independent expert review relative to complexity.

If our approach has seemed paranoid to many, we invite you to read this week’s news and analysis of the huge Wikileaks revelations about CIA capabilities – to scalably and critically compromise the most modern communication security systems, and the safety of connected cars – and especially about the CIA's inability to keep others from finding those capabilities. Though much was known or deducible from the Snowden revelations, these new revelations clear away much of the media deception by the CIA/NSA and cybersecurity vendors over these years, and may well drive mainstream demand for approaches to cybersecurity as extreme and uncompromising as those TRUSTLESS.AI and the Trustless Computing Consortium are pursuing, which, to our knowledge, no one else in the world is even getting close to.