Since Snowden revealed in 2013 the pervasive spying by the US and Five Eyes agencies, researchers have increasingly publicised critical vulnerabilities deep inside nearly all mainstream and high-security systems. Vulnerabilities that, so the story so often goes, went unnoticed for years or decades by their makers and by Western security agencies.
The public dump in WikiLeaks' Vault 7 of thousands of documents on CIA hacking tools, and the leak of the source code of the Hacking Team platform (built to scale hacking semi-automatically to thousands of targets), reveal not only that state-grade targeted hacking tools are available to mid-level hackers, but also that those hackers have the capability to exploit them at scale.
Meanwhile, over the last two years, nearly all media and expert reports have explained how end-to-end encryption apps, blockchain and open source will deliver meaningful protection to the endpoint. They are wrong.
In fact, more than $4 billion was raised last year via ICOs by blockchain startups promising unprecedented levels of security and immutability to nearly all economic sectors. Yet the security that blockchains are increasingly bringing to the database/ledger level is completely lost at the endpoints: the client devices used to write to the ledger or read from it, which are more broken than ever. Cybersecurity, after all, is only as good as its weakest link.
Even after what we have learned, media still wildly overestimate the security of current and emerging endpoint solutions, because of an uncoordinated alignment between IT providers marketing their new products and security agencies pretending they are "going dark" in order to drive more criminals towards technologies those agencies can crack remotely.
Nonetheless, a large number of enterprise CSOs and top executives by now know better where the real costs and threats reside. They have learned that they can mitigate ransomware fairly easily and quickly recover their stock valuation after the public dump of a massive user database, but they also understand that they are practically naked when it comes to protecting their most sensitive communications, negotiations and trade secrets, and to protecting their executives and boards from blackmail.
This recent news, and the other facts listed below, make a strong case that 2018 will be about meaningful endpoint security, and that our TRUSTLESS.AI and Trustless Computing Association have great potential to deliver, initially for every user's most critical computing, what the world has been waiting for since Snowden. Let's look into them in some more detail.
Days ago Telegram, an app-based "secure" messaging platform with 170M users, fast expanding its features to become a sort of non-Chinese WeChat, announced an unprecedented $500 million ICO in order to add to its app-based platform a uniquely private and fast blockchain to "pay for services purely through digital tokens without relying on banks or payment processors, which are often the target of government scrutiny or censorship".
But they haven't delivered and won't, because they inexplicably use their own obscure, non-time-proven encryption protocol (MTProto), and for the simple reason that their security is merely app-based, and therefore completely compromisable in both integrity and confidentiality by malware that even mid-level hackers can install on the endpoint device. Also, hiding large financial transactions from a legitimate investigation is not only immoral but will never be allowed by large states.
Meltdown and Spectre
Last week, the public disclosure of the Meltdown and Spectre vulnerabilities revealed how the large majority of modern CPUs, including those used in high-security scenarios, have had their data confidentiality critically compromised for over 20 years. Meltdown lets an unprivileged process read kernel memory; Spectre abuses speculative execution to make a victim program leave its secrets in the cache, where another app or VM on the same machine can read them out, encryption keys included.
In a recent post we clarified not only that our CPU is immune to such vulnerabilities but, more importantly, that our overall solution and supply chain are far more resistant than the state of the art to the hyper-complexity, security through obscurity, lack of coherent certifications and need to leave backdoors for states that led to Spectre and Meltdown, and to the many similar critical vulnerabilities in endpoint stacks, even in systems meant for high-assurance scenarios, that are continuously publicised, will be publicised, and, above all, those that will not be discovered or publicised for years.
Our solution does not rely on software or hardware isolation to protect against less "trusted" applications or virtual machines. It is a self-contained, VPN-isolated, end-to-end "computing universe" in which any app that runs on it is subject to exactly the same security standards as all the other technical and supply-chain stacks.
Last December, Sirin Labs, maker of a $15k cryptophone, raised $157M to address exactly the same user problem that we are addressing. But they keep doing so in a trusted way, with plenty of black-box components and processes, rather than in an uncompromisingly trustless way.
In a way, it is disheartening that startups built on products that failed in the market and on old trusted-computing approaches are so successful in ICOs when well funded; yet it validates the size of the problem, as we outline in this post.
In recent days, OpenRISC, an open source CPU and SoC project widely praised in the hacking community and mostly paid lip service by the industry, clarified that it is not affected by Meltdown and Spectre and restated its claim to be able to provide meaningful endpoint security through the full transparency of its source designs.
Unfortunately, OpenRISC's technologies and ecosystem were never conceived to radically increase security but rather to provide an open source alternative for high-performance computing, and they are therefore burdened by the architectural, governance and complexity choices made accordingly.
A DARPA analysis of OpenRISC as a platform for ultra-high-assurance computing highlights, on page 9 (pdf), the huge funding and effort challenges of trying to reconcile high performance and rich features with ultra-high levels of assurance.