Nearly all CPUs appear to be compromised. Nothing we can do about it?!

In recent days, most were surprised by the reports that the Spectre and Meltdown critical vulnerabilities, affecting nearly all mainstream CPUs of the last 15 years, are to a large extent unfixable, even through OS updates. Meltdown can be largely mitigated by OS patches (kernel page-table isolation); the Spectre class, which abuses speculative execution itself, needs microcode, compiler and firmware changes and still leaves residual risk.

We are not surprised.

It was 2014 when Bruce Schneier, the world's most recognized security expert, in reply to a declaration by Intel's CEO that their chips had not been hacked, clearly stated that, after Snowden, we should assume all mainstream CPUs to be compromised in undetectable ways, due to design and supply-chain complexity or state backdoors. See minutes 32:40-34:00 of this video.

Nothing we can do about it? Nearly everyone seems to think so.
But, since 2014, at TRUSTLESS.AI and the Trustless Computing Association, we've been promoting an approach to CPU/chip design (and fabrication!) that removes upfront trust, radically reduces complexity, and enables offline, in-person, privacy-respecting lawful access, so that states don't have to backdoor it.

Also, our Kryptus SCuP architecture, the only secure CPU in the world whose HW and SW design is publicly verifiable according to the Head of Information Superiority of the EDA, is immune to this class of vulnerabilities "as the underlying core does not employ speculative execution". Note that the absence of speculative execution closes the Spectre/Meltdown class specifically; conventional cache-timing side channels against, for example, table-based crypto implementations are a separate concern that an in-order core does not remove by itself.

But we go well beyond that, implementing our Trustless Computing CivicFab fabrication oversight processes, which exceed in user trustworthiness even those of the NSA Trusted Foundry Program.
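To make concrete why a core without speculative execution is immune, here is an added example (not code from the Kryptus SCuP, from any Trustless Computing project, or from this page's authors) of the Spectre variant 1 pattern in C: the vulnerable bounds-checked read next to a hardened version that uses the branchless index-masking technique of the Linux kernel's array_index_nospec(). The arrays and values are constructed for the demo, the timing probe that reads the cache side channel is deliberately omitted, and the code assumes GCC or Clang (for the asm barrier and constructor attribute).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed demo data, not from any real system. Requires GCC or Clang
 * (asm statement and constructor attribute below). */
#define ARRAY1_SIZE 16
static uint8_t array1[ARRAY1_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
static uint8_t array2[256 * 64];   /* probe array: one 64-byte cache line per byte value */

/* Runs before main(): fill the probe array so that array2[v * 64] == v,
 * which makes the demo outputs recognisable. */
__attribute__((constructor)) static void init_probe_array(void) {
    for (size_t i = 0; i < sizeof array2; i++)
        array2[i] = (uint8_t)(i / 64);
}

/* VULNERABLE (Spectre variant 1): architecturally the bounds check holds,
 * but a core with speculative execution may predict the branch as taken and
 * run both loads with an attacker-chosen out-of-range x before the compare
 * resolves. The array2 cache line it touches encodes the byte read from
 * beyond array1; a later timing probe of array2 (not shown) recovers it. */
uint8_t victim_vulnerable(size_t x) {
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * 64];
    return 0;
}

/* Branchless mask: all ones when idx < size, zero otherwise, built the way
 * the Linux kernel's generic array_index_mask_nospec() does it. For
 * idx < size both idx and (size - 1 - idx) have the top bit clear, so the
 * complement's top bit is set and the arithmetic right shift gives all ones;
 * for idx >= size the subtraction wraps, the top bit is set, the result is 0.
 * No conditional branch is involved, so misprediction cannot skip it.
 * Assumes an arithmetic right shift of signed values (true on GCC/Clang). */
static inline size_t index_mask_nospec(size_t idx, size_t size) {
    __asm__ volatile("" : "+r"(idx));   /* keep the compiler from folding the mask away */
    return (size_t)(~(intptr_t)(idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1));
}

/* In range: unchanged. Out of range: 0, a harmless in-range index. */
size_t clamp_index_nospec(size_t x, size_t size) {
    return x & index_mask_nospec(x, size);
}

/* HARDENED: even on a mispredicted branch the speculative load uses the
 * masked index, so no byte outside array1 can reach the cache side channel.
 * This is what array_index_nospec() does in the Linux kernel; a speculation
 * barrier (lfence on x86) after the check is the heavier alternative. An
 * in-order core without speculative execution never runs the load early. */
uint8_t victim_hardened(size_t x) {
    if (x < ARRAY1_SIZE) {
        x = clamp_index_nospec(x, ARRAY1_SIZE);
        return array2[array1[x] * 64];
    }
    return 0;
}

int main(void) {
    printf("hardened: in-range 3 -> %u, out-of-range 100 -> %u\n",
           (unsigned)victim_hardened(3), (unsigned)victim_hardened(100));
    printf("clamp: 5 -> %zu, 16 -> %zu, SIZE_MAX -> %zu\n",
           clamp_index_nospec(5, ARRAY1_SIZE), clamp_index_nospec(16, ARRAY1_SIZE),
           clamp_index_nospec(SIZE_MAX, ARRAY1_SIZE));
    return 0;
}
```

Both functions behave identically at the architectural level; the difference is only visible to a speculating core, which is why an OS update cannot fix the vulnerable form and why a core that never speculates has nothing to fix.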

Pitch and exhibit in Cannes and Berlin. New advisors and investor traction.

Some updates for the last month and next:

  • On Nov 28-30th, we'll be in Cannes at the TRUSTECH conference, attended last year by 13,000 people. We were chosen as 1 of only 4 startups (out of the 44 participating and pitching) for a free-of-charge package including a full stand, a 7-minute pitch to 200 people, and participation in a closed workshop with VCs and corporate VCs, including Astorya.vc, Axa Strategic Venture, P101 Ventures, dPixel, TIM #WCAP Milano, Digital Magics, ICCREA Banca, Innogest and Berlin Innovation Venture.
  • On Dec 7th, we'll be in Berlin, hosted as an "alumni startup" at the BetaPitch Investor Day, organized by the Hardware.co Pre-acceleration Program from which we graduated in July 2016.
  • We have great new advisors joining the team, Fabrice Croiseaux and David Drake, and a new cofounder, Ryan Molecke, with deep core blockchain expertise.
  • We are making advances in the prototyping, architecture and business modeling of the project, and in our fundraising strategy: see Overview.
  • We were sought out and invited to apply by the MDs of 4 of the world's most prestigious acceleration programs. We passed the 1st phase of 3 of them, including a call with the team and their MDs:
  • Over the last 6 months, 4-5 leading equity VC investors in the blockchain/crypto domain have been actively interested in investing. We are engaged in detailed discussions with 3 small pre-seed venture funds.
  • We have been holding off, until the closing of the round, on formalizing Pilot Partner MoUs with 3-4 of the many prospective end-users that have engaged with us since last spring.

New headquarters in Luxembourg, and offices in Berlin.

After spending November and December 2016 in Silicon Valley, mostly on business planning, prototyping and successfully building relationships with top VCs, we decided last January to move our commercialization and prototyping office to the EU for our first go-to-market. It became evident that EU laws, practices and political climate are, for the near future, more in tune with the possibility of offering ultra-high levels of cybersecurity to enterprises and consumers.

We therefore spent January through March 2017 in Berlin, the location of our OS/microkernel partner at the time, where we: built our non-security-critical supply chain; advanced our product virtual prototyping, UX and UI designs; improved our web presence and product video; and expanded our team with an amazing local team: Toby Shotz, Nikoloz Kapanadze and Alexander Elkin. Check out the team page for details!

Interest in our startup from private and public investors, and from prospective pilot clients, soon moved beyond Berlin, especially to Luxembourg. Since the end of March, through introductions by our new advisor and former Minister of Defense and Communications, Jean-Louis Schiltz, we have met a large number of angels, cofounders and public institutions in Luxembourg.

We have entered into an LoI for a wide, long-term partnership agreement with the University of Luxembourg SnT (Interdisciplinary Centre for Security, Reliability and Trust), and are in the process of re-incorporating from Delaware, USA to Luxembourg, concurrently with the closing of our 200k€ angel round with local investors in the coming weeks.

The substantial interest shown so far by Luxembourg public entities justifies expectations of: (a) active and formal joint promotion of Trustless Computing standards, certification and labels, to help Luxembourg lead in enterprise and financial cybersecurity; and (b) large opportunities for public and public-private investment and financing, for both our angel and seed rounds.

The European Cyber Fund and the Minister of Economy's comments on it, the Luxembourg Future Fund, the mission and aims of LuxTrust, the "Security made in Luxembourg" initiative, the "Hosted in Luxembourg" label, parts of LuxInnovation, and the University of Luxembourg Interdisciplinary Centre for Security, Reliability and Trust (SnT) seem to converge on the aim of attracting and promoting business in Luxembourg by providing world-leading IT services, legislation, infrastructure and an ecosystem for digital information, communication and transaction security. Our startup TRUSTLESS.AI, the non-profit from which it spun off 6 months ago, Open Media Cluster, its non-profit global event series Free and Safe in Cyberspace, and its emerging non-profit Trustless Computing Consortium and Trustless Computing Certification Body are uniquely positioned to deliver on such a vision, and to enable Luxembourg to:

  • (A) attract and retain global enterprises on the basis of radically unprecedented levels of "confidentiality and integrity protection from competitors and hackers", through public and private IT service offerings, advanced legislation, and the related unique Trustless Computing IT security certification and labeling. Such a locational advantage would complement existing ones, including the "confidentiality protection of tax planning from other EU member states' tax agencies", since upcoming EU tax transparency regulations and the announced historic US tax reforms may, in the near future, reduce that advantage.

  • (B) in the medium term, foster the creation of a local ecosystem that leads a few other EU member states, such as the current members of the Consortium, Italy and Austria, to create the world's first ultra-high assurance IT cluster, the EU Trustless Computing Cluster, with Luxembourg leading; and

  • (C) ultimately play a critical role in helping Luxembourg lead Europe in cybersecurity, by turning a huge threat into a huge opportunity for economic growth, political leadership and social impact.

We are relocating and re-incorporating in Luxembourg concurrently with the closing of our 200K€ angel round, in 1-2 weeks. We are in discussions with 5 active Luxembourg-based angel investors, 2 cofounders, 2 public-private and private VCs, and the European Investment Fund.

Could Trustless Computing be the key answer to the massive leak of CIA hacking tools just reported by Wikileaks?!

Today, Wikileaks started releasing ground-breaking revelations about CIA capabilities to scalably and critically compromise the most modern communication security systems and the safety of connected cars, and, especially, about its apparent widespread inability to keep innumerable others from finding and exploiting them. Here is a post about it by the world's most esteemed IT security expert.

The Wikileaks statement said: "This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulating among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive."

If such a statement is even half true, it would be historic. We would need to conclude that all enterprises, banks, public institutions, and everyone else, are much more exposed to both scalable and targeted attacks than they thought they were: not only to advanced state actors or determined adversaries, but to much smaller competitors, criminals, states and stalkers. It would be orders of magnitude bigger than the release of the Hacking Team tool sets.

For 3 years, we at TRUSTLESS.AI and the Trustless Computing Consortium have been building technologies, standards and strategic partnerships to not just increase, but radically increase, the state of the art of cybersecurity by (a) completely removing the need for, or assumption of, unverified trust along the entire supply chain and lifecycle of all critical IT service components (down to the CPU, fabrication and standard setting) and (b) applying to them consistently extreme levels of independent expert review relative to complexity.

If our approach has seemed paranoid to many, we invite you to read this week's news and analysis of the huge Wikileaks revelations about CIA capabilities to scalably and critically compromise the most modern communication security systems and the safety of connected cars, and especially about their inability to keep others from finding those capabilities. Though much was known or deducible from the Snowden revelations, these new revelations clear away much of the CIA/NSA and cybersecurity-vendor media deception of recent years, and may well drive mainstream the demand for approaches to cybersecurity as extreme and uncompromising as those TRUSTLESS.AI and the Trustless Computing Consortium are pursuing, which, to our knowledge, no one in the world is even getting close to.

Special Keynote at Stanford University: “Trustless Computing & The Future of Artificial Intelligence”

Wednesday, November 9th 2016, 5-6:30pm

Stanford University – Symbolic Systems Program
Margaret Jacks Hall, Greenberg Room
Stanford, CA, 94305

Can radically higher levels of assurance (i.e. trustworthiness) of deterministic IT systems, and the related certification governance models, become key factors in fostering sustainable AI-driven economic development, as well as short- and long-term AI safety and value alignment? If so, how can we prevent malevolent use and ensure constitutional lawful access?

The Trustless Computing Initiative is a 2-year-old global initiative by world-class partners and advisors, led by the Open Media Cluster, for the creation, from existing open components, of a complete general-purpose ICT service platform, lifecycle, ecosystem and non-governmental certification body that will radically exceed the state of the art in assurance of deterministic IT systems in the areas of human communications and AI digital assistants, while avoiding any significant added risk of malevolent abuse by criminals, or obstruction of constitutional and lawful cyber-investigations.

We've been asked by Todd Davies, Associate Director of the Stanford University Symbolic Systems Program (SSP), the largest department at Stanford dealing with AI, with over 90 professors and hundreds of students, to give a 1.5-hour presentation and discussion on our revolutionary Trustless Computing Initiative, its spin-off TRUSTLESS.AI, and their contribution to the economic and societal sustainability of critical AI systems.

The Initiative's ultimate and sole goal is to substantially contribute to short- and long-term artificial intelligence safety, accountability and human-values alignment.

SPECIAL KEYNOTE BY:

  • RUFO GUERRESCHI, Exec. Dir. of the non-profit Trustless Computing Initiative, and CEO of the spin-off startup Trustless.ai. Since 2013, as Exec. Dir. of the Open Media Cluster, Rufo has conceived and led the Trustless Computing Initiative, Consortium and Manifesto, aggregating global partners and advisors with globally rare or unique expertise, and open IP assets, in high or ultra-high assurance IT, spanning the entire IT lifecycle. Since 2015, he has conceived, launched and coordinated the Free and Safe in Cyberspace event series (Brussels, Brazil, New York, Rome), which has attracted leading EU and US experts and governmental institutions to build consensus on new standards for ultra-high assurance IT in critical sub-domains. Since May 2016, together with key advisors and partners of the Consortium, he has created the spin-off startup TRUSTLESS.AI as the main strategy to reach the goals of the Initiative.

POST-KEYNOTE DISCUSSANTS:

  • TODD DAVIES, Associate Director of the Symbolic Systems Program at Stanford University. Todd teaches and does research on deliberation, collaboration technologies, social decisions, information policy, and collective behavior.

  • ANDREW CRITCH, Senior Fellow at MIRI (Machine Intelligence Research Institute), one of the leading long-term AI R&D centers in the world. Andrew earned his PhD in mathematics at UC Berkeley studying applications of algebraic geometry to machine learning models. He co-founded the Center for Applied Rationality and SPARC. He left a position as an algorithmic stock trader at Jane Street Capital to join MIRI in September 2015. His current research interests include logical uncertainty, open source game theory, and avoiding arms race dynamics between nations and companies in AI development.

Special Keynote at the Headquarters of SEMI

Trustless Computing Initiative & opportunities for Valley semiconductor foundries

On November 8th 2016 at 11:30 AM PST, we will give a special 30-minute keynote plus Q&A about the Trustless Computing Initiative and its spin-off startup TRUSTLESS.AI at the monthly meeting of the Silicon Valley Strategic Advisers (SVSA), at the headquarters of the most historic semiconductor organization in the world, SEMI.

Our keynote will focus on our revolutionary fabrication oversight socio-technical solution, CivicFab, and its potential economic impact on the industry and the territory when combined with the creation of a solid and resilient Trustless Computing ecosystem.

We were invited by Jon Scadden, board member of SVSA and president of American MiniFoundry, a long-time partner of the Initiative. AM's tech lead is the former Technical Director of the NSA Trusted Foundry Program, Gerry Etzold.

Consortium Holds Free and Safe in Cyberspace Conference in New York

In New York City, on July 21st 2016, the Free and Safe in Cyberspace workshop brought e-privacy and public safety one step closer.

WORKSHOP REPORT: “Free and Safe in Cyberspace” workshop on July 21st 2016 in New York City continues to strive for meaningful e-privacy and increased public safety

A small workshop, held on 21 July 2016 in New York City as part of the "Free and Safe in Cyberspace" international event series, focused on discussing and planning possible solutions to provide meaningful levels of e-privacy and e-security for all users, while also increasing public safety and cyber-investigation capabilities. Following the great success of the 2015 edition, a larger two-day 2nd EU Edition will follow on Sept 22-23rd 2016, again in Brussels, where a major comprehensive proposal will be presented by a number of speakers involved in the event series, as well as selected results of EIT Digital innovation projects.

In introducing the July 21st event, Rufo Guerreschi (executive director of Open Media Cluster and event co-organizer) summarized a few crucial points for the entire Free and Safe in Cyberspace event series: “Recent episodes showed that, on the one hand, citizens and institutions suffer a great loss of civil rights and sovereignty, while, on the other, EU and US IT companies are struggling to find ways to offer the levels of trustworthiness required by both national customers and legislation. But this clash between the need to ensure the public safety and security of nation-states and user privacy could actually be reconciled. In fact, if you had to choose one of the two, you would not be able to sustain democracy. Democracy and freedom require both citizen safety and privacy protection. We hope that our discussion events can bridge such a gap and find common ground to build a more equitable, effective toolkit for all stakeholders involved”.

Expanding on this introduction, Jovan Golic (EIT Digital Privacy, Security and Trust Action Line Leader and renowned cryptographer) provided a general overview of the deeply complex technical issues at stake: “It is not true that there is a tradeoff between cyber-security and cyber-privacy; they are both on the same side. We need to talk about more of both, and at the same time ensure data protection. If you don’t protect data then you cannot help cyber-security, because the data will be prone to attacks. However, there is a tradeoff between cyber-surveillance and cyber-security. And by talking about these topics, we can try to change the existing trend where governments have their own ways of controlling things in the security area, including legislation, and big security companies prefer to just stay quiet and comply with government mandates. This is the reason why we are still lacking good solutions in regard to data protection practices”.

In his keynote speech, Professor Joe Cannataci (UN Special Rapporteur on Privacy, SRP) explained that “the safeguards and remedies available to citizens cannot ever be purely legal or operational”. Therefore, a much better option is to “involve all stakeholders in the development of international law relevant to privacy” and to “engage with the technical community in an effort to promote the development of effective technical safeguards including encryption, overlay software and privacy protection”. Both goals are at the forefront of the SRP’s overall efforts, added Cannataci, while also pointing out an important recent advancement: “Both the Netherlands and the USA have moved more openly towards a policy of no back-doors to encryption, a step that should be encouraged by the UN and other international bodies”.

In the second keynote speech, Max Schrems (leading Austrian privacy activist) summarized the story of his lawsuit for the invalidation of the Safe Harbor Agreement, which allowed US companies to store European citizens’ personal data. “What was the reason for the lawsuit? Even if the European Union talks a lot about mass surveillance, with EU resolutions, angry letters and so on, we knew that this kind of ‘public outrage’ was not going anywhere. Therefore, we looked at what I call ‘public/private surveillance’: companies like Facebook are subject to both US and EU jurisdictions, so this is a law conflict that must be resolved. In turn, this gave us the possibility to bring a legal case (mostly opposing mass surveillance) in a European court and even have jurisdiction there, because obviously we cannot have jurisdiction in other countries”. This lawsuit (and its on-going outcomes) was just a first step toward making public some problems with global mass surveillance procedures. Another important issue, according to Schrems, is that “given the policies now being adopted and/or rewritten around the world, the de-identification and anonymization of data is no longer a sufficient safeguard if governments & corporations continue to repurpose data originally collected for one specific purpose”. His possible solutions to move forward? “First we need some codes of conduct that could possibly be drafted by and implemented throughout the industrial sector. And then we should establish shared certification options and make sure that companies are fully compliant (with some help from an independent monitoring body)”.

The event included four discussion panels, or Challenges, focused on a series of inter-related questions (A: How can we achieve ultra-high assurance ICTs? B: Can ultra-high assurance ICT services comply with lawful access requests while meaningfully protecting civil rights? C: What is the role of AI in providing ultra-high assurance ICTs? D: What national policies or international treaties can we envision to support ultra-high assurance ICT standards?).

Here are a few highlights:

Jovan Golic delivered an introductory keynote for panel B on the interplay between cyber-security, cyber-privacy and cyber-investigation; on the need to reconcile cyber-investigation with cyber-security and cyber-privacy through widely accepted, transparent solutions, which would foster business opportunities in the area of digital security; on already practical advanced crypto techniques for data protection, including threshold cryptography based on shared key escrow and practical fully homomorphic encryption; and on the innovation and business results of EIT Digital in this area.

Roman Yampolskiy delivered an introductory keynote for panel C on the security threats related to modern AI systems and smart things which, on one side, are getting more and more powerful and helpful for humans, but, on the other, may threaten their lives and work through improper design and implementation.

Daniel Castro, Vice President of the Information Technology and Innovation Foundation: “How do we create a situation where secure software and hardware systems can be developed? Let’s make a comparison with the construction industry, where developed countries established certain types of regulations and guidelines and today we have buildings that can sustain an earthquake or a fire. We got rid of poor standards and introduced a system based on specific building codes, inspectors and so on, thus achieving a level of safety that seemed impossible just a few years ago. We need to promote public-private partnerships, formalize strong standards and accountability in this area, and push hard to have governments and businesses working together”.

Yvo Desmedt, renowned cryptographer and pioneer of threshold cryptography: “What can you do when you really, really worry about privacy? The answer is very simple: don’t use a smartphone. I do not carry a smartphone. Secondly, if you are worried about being eavesdropped on, use paper and pen or do what the Russians have done for decades, use typewriters. But given that these are radical and extreme security options, will most people want to use them? No. Can we achieve today economically-feasible and effective security? The answer is no”.

Rufo Guerreschi: “Today’s ‘smart technologies’ (deployed via wi-fi in our homes or to help in natural disasters, etc.) are not at all resistant to hacking by criminals or by authorities. And despite recent advancements, technologists seem unable to ensure a decent level of individual privacy, and there is little hope that national legislation can protect it either”.

Rufo Guerreschi: “We currently do not have solutions which are meaningfully private, even if you pay a lot of money or are willing to deal with the inconvenience. That’s also proven by the fact that the market for crypto devices is completely inexistent. It’s a matter of a few thousand devices. Not to mention the fact that, if you buy a crypto-phone, you’re flagging yourself, suggesting that probably you’re trying to hide something, and most likely you have no clue about that”.

Jovan Golic: “We need to look at the reality of data protection at different stages. At the first stage of data collection, there are privacy policies and user consent, but they do not prevent uncontrollable mass data collection by big Internet service providers. What is protected in practice is data communications, typically between a client and a server, rarely end-to-end between two clients. However, data encryption is endangered by various so-called backdoors at different levels of the data security chain, including crypto algorithms and protocols, key generation and management, and software and hardware implementations. Backdoors are by definition secret and proprietary before they get revealed to the public and essentially mean that the used cryptosystem is inherently insecure due to them. In practice, they are used for cyber-investigation by privileged parties. But they are also used by hackers and cyber-criminals, which renders the cyberspace insecure. Instead, for the same purpose, one may use the so-called front doors, which are by definition transparent and may be based on properly implemented threshold cryptography with shared key escrow providing forward and backward secrecy and focused cyber-surveillance. Data storage is protected by encryption and controlled access, but there are too many breaches of database servers storing sensitive data, because of cryptographic key management issues and various software vulnerabilities. Data processing is practically not protected at all, not even for sensitive data such as e-health data, because service providers work on plain data to provide their services, regardless of the emerging practical techniques for fully homomorphic encryption, which enable data processing in the encrypted domain. Consequently, what is needed in order to improve the current unsatisfactory situation and trends is the application of existing, but rarely applied, trustworthy technologies for data protection”.
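Golic's "threshold cryptography with shared key escrow", named in both his panel B keynote and the statement above, is the most concrete technique on this page, so here is an added example (not from the workshop, EIT Digital, or any Consortium project) of the core primitive in C: Shamir secret sharing over GF(2^8), splitting a key into n shares so that any t of them reconstruct it and any fewer learn nothing. The 16-byte key and the polynomial coefficients are constructed for the demo; in a real escrow the coefficients come from a CSPRNG and the shares go to separate custodians. Forward/backward secrecy and "focused" surveillance depend on how keys are rotated and shares released, which is policy outside this block.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1. */
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    for (int i = 0; i < 8; i++) {
        if (b & 1) p ^= a;
        uint8_t hi = a & 0x80;
        a <<= 1;
        if (hi) a ^= 0x1b;
        b >>= 1;
    }
    return p;
}

/* a^254 == 1/a in GF(2^8) for a != 0 (square-and-multiply). */
static uint8_t gf_inv(uint8_t a) {
    uint8_t r = 1;
    for (unsigned e = 254; e; e >>= 1, a = gf_mul(a, a))
        if (e & 1) r = gf_mul(r, a);
    return r;
}

/* f(x) = s + c_1 x + ... + c_{t-1} x^{t-1} for one byte position (Horner);
 * the coefficient c_d for this byte sits at coeffs[(d - 1) * stride]. */
static uint8_t poly_eval(uint8_t s, const uint8_t *coeffs, size_t stride, unsigned t, uint8_t x) {
    uint8_t y = 0;
    for (unsigned d = t - 1; d >= 1; d--)
        y = gf_mul(y, x) ^ coeffs[(d - 1) * stride];
    return gf_mul(y, x) ^ s;
}

/* Split secret[len] into n shares with threshold t. coeffs holds (t-1)*len
 * bytes that must come from a CSPRNG (caller-supplied so the split is
 * reproducible here). Share i is f(i + 1), written to shares + i*len. */
int shamir_split(const uint8_t *secret, size_t len, unsigned t, unsigned n,
                 const uint8_t *coeffs, uint8_t *shares) {
    if (t < 1 || n < t || n > 255) return -1;
    for (unsigned i = 0; i < n; i++)
        for (size_t k = 0; k < len; k++)
            shares[i * len + k] = poly_eval(secret[k], coeffs + k, len, t, (uint8_t)(i + 1));
    return 0;
}

/* Recover the secret from t shares by Lagrange interpolation at x = 0:
 * secret = XOR_j y_j * PROD_{m != j} x_m / (x_m ^ x_j)   (in char 2, '-' is XOR).
 * xs[j] is share j's x coordinate (1..255, distinct); ys[j] its len bytes. */
int shamir_combine(const uint8_t *xs, const uint8_t *const *ys, unsigned t,
                   size_t len, uint8_t *out) {
    memset(out, 0, len);
    for (unsigned j = 0; j < t; j++) {
        uint8_t lambda = 1;
        for (unsigned m = 0; m < t; m++) {
            if (m == j) continue;
            if (xs[j] == 0 || xs[m] == xs[j]) return -1;
            lambda = gf_mul(lambda, gf_mul(xs[m], gf_inv(xs[m] ^ xs[j])));
        }
        for (size_t k = 0; k < len; k++) out[k] ^= gf_mul(lambda, ys[j][k]);
    }
    return 0;
}

/* Constructed demo inputs: a 16-byte "key" and the 2*16 coefficient bytes a
 * CSPRNG would supply for a 3-of-5 split. Not real key material. */
#define DEMO_LEN 16
static const uint8_t demo_key[DEMO_LEN] = {
    0x42, 0x00, 0xff, 0x13, 0x37, 0xa5, 0x5a, 0x01, 0x80, 0x7f, 0xc3, 0x3c, 0x99, 0x66, 0x0f, 0xf0};
static const uint8_t demo_coeffs[2 * DEMO_LEN] = {
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0x01, 0x02,
    0x5c, 0x9e, 0x2b, 0x70, 0xe4, 0x18, 0xd1, 0x63, 0xaf, 0x07, 0x4b, 0xf2, 0x36, 0x8d, 0xc9, 0x54};

/* Split demo_key 3-of-5, then recombine from `count` custodians whose 0-based
 * share indices are in `use`. Returns 1 if the result equals demo_key, 0 if
 * not, -1 on error; byte0 (optional) receives the first recovered byte. */
int demo_recover(const unsigned *use, unsigned count, uint8_t *byte0) {
    uint8_t shares[5 * DEMO_LEN], out[DEMO_LEN], xs[5];
    const uint8_t *ys[5];
    if (count == 0 || count > 5 || shamir_split(demo_key, DEMO_LEN, 3, 5, demo_coeffs, shares)) return -1;
    for (unsigned j = 0; j < count; j++) {
        if (use[j] > 4) return -1;
        xs[j] = (uint8_t)(use[j] + 1); ys[j] = shares + use[j] * DEMO_LEN;
    }
    if (shamir_combine(xs, ys, count, DEMO_LEN, out)) return -1;
    if (byte0) *byte0 = out[0];
    return memcmp(out, demo_key, DEMO_LEN) == 0;
}

/* Any three custodians recover the key; two of them only interpolate a line
 * through a quadratic: with shares x = 1 and x = 2 byte 0 comes out as
 * demo_key[0] ^ 2*c_2, uniformly random whenever c_2 is. */
int demo_three(unsigned a, unsigned b, unsigned c) { unsigned use[3] = {a, b, c}; return demo_recover(use, 3, NULL); }
int demo_two_byte0(unsigned a, unsigned b) {
    unsigned use[2] = {a, b}; uint8_t byte0 = 0;
    return demo_recover(use, 2, &byte0) < 0 ? -1 : byte0;
}

int main(void) { printf("3-of-5: %d, 2-share byte 0: 0x%02x\n", demo_three(0, 2, 4), demo_two_byte0(0, 1)); return 0; }
```

The escrow property Golic describes follows from the arithmetic: a quorum of t custodians can hand a court the key, while any smaller group, a single compromised custodian included, holds shares that are statistically independent of it. A production implementation would add integrity checks on the shares (an attacker who corrupts one share makes the quorum reconstruct garbage without any error) and constant-time field arithmetic.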

Rufo Guerreschi: “A large majority of people think that secure products are already out there and easily available, including Apple iPhones and the Tor system. But there’s an incredible alignment of interest between Apple, Tor makers and security agencies. Why? Apple and Tor makers have an interest that people believe their thing is secure so they buy their stuff instead of our stuff. Security agencies have a huge interest that this security is oversold so that people use these tools, communicate secret stuff, and they can spy on them using directly implanted backdoors or vulnerabilities that are discovered or bought by them and not publicized”.

Daniel Castro: “I think we can have highly regulated systems, for example, financial systems, where we are going to want recovery, in general, to discuss what that looks like and how we enable lawful access. It even might make sense in some regulated communication services. There are multinational companies that have a large user base and we need to consider how to regulate them. In many cases, I can write software and have communications with someone else around the world and we are using software that we’ve written that nobody else has access to. That’s going to be secure and outside of the scope of law enforcement. But we still need to figure out how to deal on the policy side with what we are going to do with those situations”.

Zachary Goldman: “At least in the US, there are questions about the circumstances under which you can compel individuals to provide decrypted information. There are questions about the circumstances in which you can require the manufacturers of systems to build systems and networks in a way that clear-text data will always be available. There are questions about whether and under what circumstances you can compel device or app manufacturers to provide clear text data. … I don’t feel comfortable living in a world in which the law enforcement community doesn’t have the ability to infiltrate and take down” such communication networks.

TRUSTLESS.AI Accepted in Hardware.co Acceleration Program in Berlin

Our startup Trustless Inc. was one of the 9 finalists selected for the 2016 Hardware.co Acceleration Program, held at the Betahaus center in Berlin, Germany, from July 10-20th 2016.

The program is greatly accelerating the definition of our business models, products and presentation documents, and exposing us to an amazing number of talented prospective advisors, team members, co-founders and angel investors.

 

Special Keynote at the European Defence Agency to 22 EU Ministries of Defense

On June 2nd 2016, our Exec. Dir. Rufo Guerreschi gave a 40-minute keynote speech and R&D proposal to 22 representatives of EU Ministries of Defense at the European Defence Agency's annual CapTech meeting.

We presented the huge dual-use potential of the UVST project, and the binding MoU among its core technical participants, which, as opposed to an ongoing similar but closed R&D project for an "EU trusted computing platform" such as the EDA SoC, bindingly and sustainably ensures the radical openness of the resulting platform, in terms of both complete verifiability of critical components and low, crystal-clear overall IP royalties.

The radical openness of the platform and ecosystem would overall reduce the chance of malevolent use by criminal entities, as it would deploy unique socio-technical standards, such as those we'll discuss at our upcoming Free and Safe in Cyberspace event in Brussels on Sept 24-25th, which ensure at once unprecedented levels of user privacy and effective lawful access and interdiction. In fact, an MoU among participants makes it binding that the resulting post-R&D consortium and the resulting standards body, CivicAuthority, respectively offer and certify only the TRUSTLESS Hybrid P2P Service mode, as opposed to Pure P2P, which includes CivicRoom processes open to lawful access requests.

We proposed that 2 or more EU Ministries of Defense, and possibly national defense IT contractors, join OMC and selected partners of the User Verified Social Telematics project to submit, by October 2015, a 200-300K€ proposal to EDA-funded R&T Studies for a feasibility assessment of a 15-20M€ dual-use R&D proposal to be submitted in 2016 or 2017 as an EDA Category B project, in coordination with H2020 and/or ECSEL funding programs.

A 10-pager draft of the proposal is available on qualified request.

Consortium Submits 4M€ R&D proposal to EU R&D DS-01 RIA

On April 12th 2016, together with amazing participants and advisors with rare or unique high-assurance IT expertise, we submitted two groundbreaking R&D proposals, based on our Trustless Computing Initiative, to European R&D funding programs:

A 4.8M€ TRUSTLESS proposal to H2020 DS-01 RIA:

  • Title: Trustless socio-technical systems for ultra-high assurance ICT certifications, and a compliant open target architecture, life-cycle and ecosystem, for critical societal use cases and consumer adoption.
  • Docs: Full PDF of 109 pages (summary, excellence, business plan, societal impact, tech description, work plan, partners, steering boards, and the ethics and security assessment).

Among the participants:

  • Kryptus, the only maker of a CPU for general-purpose computing that is publicly verifiable in HW and SW;
  • DFKI, the largest AI R&D center in the world by number of employees and amount of external funds;
  • Genode Labs, the makers of the leading FLOSS microkernel framework, compatible with seL4;
  • EOS, the largest IT security industry association in Europe;
  • Two members of SOG-IS, the Austrian A-SIT and the Italian OCSI, the national public authorities that certify all IT systems authorized to handle state secrets.

A 1M€ TRUSTLESS proposal to H2020 DS-01 CSA:

  • Title: Facilitating the evolution to uniquely comprehensive and comparable assurance certification of ICT services and lifecycles. 

NEXT STEPS: Over the next months, together with key technical participants and partners, we'll be mostly:

  • (A) seeking other public funding opportunities;
  • (B) adapting the already extensive description and business planning for possible equity funding, including seed/angel;
  • (C) extending the next editions of Free and Safe in Cyberspace, in New York (July 21st) and Brussels (Sept 22-23rd), which pursue exactly the ultra-high assurance certification that was the goal of our CSA proposal, and half of the goals of the RIA proposal above.

A new “Free and Safe in Cyberspace – Aims, and Backgrounder” is published

We have been extensively updating the Backgrounders of our event series for each of the FSC Challenges: A, B, C and D.

For your convenience, their full content has been made available, although in an older version of February 23rd 2016, in a single 20-page document, Free and Safe in Cyberspace – Aims and Backgrounders, authored by Rufo Guerreschi and Jovan Golic (which updates the FSC “original” backgrounder page of the EU Edition 2015, published September 23rd 2015).

Authors:

Rufo Guerreschi, Exec. Dir., Open Media Cluster

Jovan Golic, EIT Digital Action Line Leader for Privacy, Security and Trust, Telecom Italia Information Technology

Consortium Holds Free and Safe in Cyberspace in Brussels

Today there are over three billion internet users worldwide. For many, half of their waking life is spent online in wide-ranging activities, from personal email to grocery shopping, from political activism to enjoying the best cat videos. Privacy seems a faraway dream to most. But is it?! Can't a limited but truly private sphere be created and protected? Can new standards and technologies, supplementary to overly complex mainstream devices, allow ordinary citizens to reach meaningful levels of privacy and security, at least for the most critical and personal parts of their online lives? If so, can these be made user-friendly and affordable for all, while still preventing grave risks to public safety and cyber-investigation capabilities?

These are the urgent challenges addressed by a new public event series, launched with the Free and Safe in Cyberspace 2015 workshop, held in Brussels on September 24-25th 2015, to be followed by a Latin America edition on October 16th in Brazil and a North American edition in the works. The Brussels event brought together the EU's and US's most recognised IT privacy and security experts, Schneier and Preneel; the father of free software, Richard Stallman; senior officials of leading civilian and military EU institutions; high-assurance IT executives; and experts in advanced artificial intelligence. The workshop aimed specifically at building consensus on innovative techno-organizational certifications and certification governance models for next-generation high-assurance IT services, as well as for targeted (endpoint) lawful access systems. Slides and videos of this event are available on the program page.

“Perfect privacy and perfect security are impossible, and most likely will always be so. Nevertheless, it is essential to define some very high and measurable levels of trustworthiness that are compatible with the exercise of civil rights in cyberspace”, said Rufo Guerreschi, executive director of Open Media Cluster, a small R&D non-profit based in Rome, in his introduction. Jovan Golic, from the co-organizing EIT Digital Privacy, Security and Trust Action Line, said: “It is frequently said that there is a trade-off between cyber-security and cyber-privacy, but that is misleading and blocking for both cyber-privacy and also for business in this area. In fact, if you don’t have cyber-privacy you cannot have real cyber-security because the data will be vulnerable to cyber attacks”. Golic went on to clarify: “There is indeed a trade-off between cyber-surveillance and cyber-privacy, but cyber-surveillance is not the same as cyber-security. … So, we would like to have both cyber-security and cyber-privacy and also lawful cyber-surveillance. In order to achieve that, we need secure and trustworthy technologies.”

In his keynote speech, Michael Sieber (European Defence Agency) addressed a hot and controversial topic, particularly after the widespread surveillance programs revealed by Edward Snowden and more recent hacks. “Among EU member states it’s hilarious: they claim digital sovereignty but they rely mostly on Chinese hardware, on US American software, and they need a famous Russian to reveal the vulnerabilities”. Most importantly, he envisioned an exciting step forward for the EU: “We can create a joint vision, big in ambition and funding; concentrate on our strengths; effectively combine ‘smart clustering’ and ‘smart regulation’”.

Bruce Schneier, world-renowned security expert, focused on trust as a key concept for understanding the main challenges laid out for this event (and for the entire “Free and Safe in Cyberspace” project). “Trust is essential to human society and we, as a species, are very trusting. But what are the security mechanisms that make this work, particularly in the IT world? Mostly we rely on transparency, oversight, and accountability,” explained Schneier. “And so in order to avoid some mechanism failure, as was the case with the recent Volkswagen cheat, we must integrate them – along with verifiable standards, liability measures and institutional drive to encourage cooperation. We’d strive to apply this formula also to these challenges, aiming at ultimately providing affordable, user-friendly IT-related services for all.”

In his trademark style, Richard Stallman, founder of the Free Software Foundation, offered a few pointed insights: “We should stop thinking about security as against third parties, we should stop assuming that program developers are on our side. Actually, the programmer can be the enemy, so we must be sure that there is no one with that much control”. More controversially, during Panel 2 on the role of free/open source software, Stallman said that computing trustworthiness is a “practical advantage or convenience” rather than an additional requirement for computing freedom. Guerreschi countered that without meaningful trustworthiness the other four software freedoms inevitably turn into a disutility for their users. According to Michael Hohmuth (CEO at Kernkonzept, Dresden), one obstacle preventing user control is the “complexity of our operating systems… and of course the solution is trying to reduce this complexity, something that we try to address by putting all the components that the user cannot trust anymore in their own little compartment”, thus enabling simpler verification steps.

On the hardware side, Kai Rannenberg (Professor of Business Informatics at Frankfurt’s Goethe University) focused on the importance of “embedding” trust in the manufacturing process itself, noting that “today the EU seems to have only a limited capacity to come up with its own value chain to build trust in hardware, and companies should definitely move forward in this direction”. Stallman highlighted the essential part of “developing free hardware designs for the kind of chips that you need… and people are working on such projects”.

In wrapping up on the hardware security issue, Andreas Wild (executive director of ECSEL JU) insisted on a broader and integrated strategy for a possible solution: “Most widely publicized cyber-attacks happen through unauthorized access and malicious software alterations in inter-connected operational systems. Therefore, a secure system needs robust design methodologies, trustworthy supply chains, controlled manufacturing sites, and safe methodologies in deploying and operating it, and this with regard to both hardware and software”.

On the related topic of IT certifications for safe methodologies, two engaging panels covered new high-assurance international certifications and governance models (Panel 1) and prospective voluntary certification procedures for lawful access (Panel 3). The panelists agreed that this is a long-term process, and that we should always stay focused on providing safeguards that are at least good enough to reconcile meaningful personal privacy, effective lawful access and prevention of malevolent use. The leading cryptographers Yvo Desmedt and Jovan Golic presented some broad options for key recovery that may enable public or private entities to voluntarily comply with lawful access requests through independent and offline third-party processes, based on decades of experience with secret-sharing cryptographic protocols, which can also ensure so-called forward secrecy. The president of the Brazilian IT agency SERPRO, Mazoni, presented his plans for delivering meaningful privacy while enabling lawful investigations for public employees.

The last panel on Day 1, Panel 4, looked into the role of new high-assurance IT standards in promoting the benefits and preventing the risks of advanced AI (Artificial Intelligence), as well as its role in state public security activities as both a tool and a threat to freedom and public safety. A concluding panel on the second day attempted to merge the various perspectives that emerged in the two-day workshop, insisting, among other things, on the need to broaden international cooperation on these complex topics, particularly on IT certification procedures.

Finally, Rufo Guerreschi announced that “probably next spring we will have a similar workshop in Washington DC”, and introduced the upcoming Free and Safe in Cyberspace – LatAm Edition event in Iguazu, Brazil (October 16th 2015), as part of LatinoWare 2015, one of the largest free software conferences in the world.

For further information, please contact us at info@free-and-safe.org

Consortium submits 4M€ R&D proposal EU H2020 FET-Open RIA

On March 31st, we achieved the most important milestone for the UVST project since its inception. We submitted a 4M€ proposal to the H2020 FET-Open RIA Call with a sub-set of our current partners, and with a key operational role for the members of our new technical and scientific boards. We are truly honoured by the participation in our project of entities and experts with such globally unique expertise.

Given the foundational nature of the UVST project, we are now actively preparing new UVST-based R&D proposals for various H2020 calls over the next 6 months, and other relevant activities, as per our roadmap.

A set of Preliminary UVST Socio-technical Paradigms has been extensively co-edited and approved by all FET-Open participants, except LFoundry, as binding during and after the project. Therefore, to the extent compatible with each H2020 Call's requirements, we'll give priority first to Core Partners (FET-Open participants), then to our Other Partners, and then to additional prospects.

In reference to our roadmap, we are actively seeking additional suitable partners interested in:

  • Participating in our upcoming proposals, especially ECSEL (1-2 additional suitable large micro-electronics players) and Trust eServices (1-2 large eID/smart-card players, etc.);

  • Participating in our upcoming June 2015 event in Brussels with EIT ICT Labs, which has a strong focus on the prospect of the UVST Paradigms inspiring new ICT security standards.