
Cyph: Mach37 Alumnae Interview with Ryan Lester and Josh Boehm


Ryan Lester and Josh Boehm, Cyph Co-Founders

What opportunity did you recognize that led to the founding of Cyph?

Ryan Lester & Josh Boehm: Back in AIM's heyday, the two of us would often chat online using Pidgin with the OTR plugin (the end-to-end encryption setup du jour). This wasn't because we'd had any particular need for that level of privacy, but more because it seemed cool and made us feel like secret agents.

However, as "cool" as OTR seemed to us, we couldn't get any of our other friends to start using it with us; it was just too much of a pain to download and set up a new application, install some third-party plugin, generate a key pair, verify friends' public keys, learn enough crypto 101 to even understand what public key authentication meant/was/did, etc.

Years later, we were working at SpaceX together, where we repeatedly witnessed firsthand the critical need to protect trade secrets from powerful adversaries and to keep strict compliance with export controls such as ITAR. During this time, Edward Snowden's leaks about the NSA's extensive digital surveillance programs also came to light.

Instantly, it clicked for us that both business and consumer contexts faced an urgent unmet need for truly private communication. There were some tools and methods that existed, but from experience we'd learned that they would largely remain unadopted without a user experience that equalled or surpassed existing non-secure communication solutions.

What specific value does addressing that problem provide for your customers?

Lester & Boehm: We have no doubt that people want more security and privacy when it comes to their communication and data online — just not if it comes at the cost of their convenience or has a learning curve to it. By addressing this and making user experience second only to application security in our priorities, Cyph is making cutting-edge quantum-resistant cryptography more accessible and easier to use than ever before.

Instead of the traditional painful user experience, you don't need to force anyone to sign up or install some software to communicate with them. When someone doesn't already have a Cyph account, you can simply send them a link which will work on any device with a modern web browser.

On that note, the browser turned out to be a very interesting technical challenge for us. Due to the plethora of attack vectors which entirely undermine the security of web applications within the context of our threat model, initially it seemed like we wouldn't be able to offer our desired UX (in good conscience, anyway) — which brings us to our next answer...

Why aren’t current solutions addressing this problem effectively?

Lester & Boehm: Before our talks at Black Hat 2016 and DEF CON 24 on the research that went into Cyph — more specifically on something we call WebSign — providing code signing (a standard practice in native apps, and an absolute prerequisite to secure communication) within a web application was considered by the security industry at large to be literally impossible. Given that we had to invent the solution to this daunting technical problem, it isn't surprising that we're the first to address it effectively.

Going forward, WebSign is an advantage that we'll most likely retain uniquely to Cyph, as we have a patent pending on the technology.

What makes your approach different and better from existing approaches?

Lester & Boehm: First, as implied in our previous comment, Cyph is the only secure communication tool in the world that can run as a web app. This may sound minor, but it actually makes a huge impact on the user experience. Most people don't want to have to download and install new software for something as simple as sending a text message or joining a video call — particularly your non-technical friends who may not fully understand your frenzied rants about NSA spying. To get started with Cyph, they can just click a link.

Second, Cyph is one of a tiny handful of solutions that are remotely trustworthy for secure communication -- the other major one being Signal by Open Whisper Systems -- among which Cyph is the only one to attempt to protect present-day communication from theoretical future quantum computing attacks. This may actually kind of matter, given the NSA's recent announcement.

What about your team’s background puts you in a unique position to succeed?

Lester & Boehm: The two of us have worked together and known each other for the last 20 years or so. We know our strong suits and shortcomings, and each complement the other's. We've worked on numerous cool projects and jobs together, but what generally defines our ethos to most people is the time we spent leading Software Quality Assurance at Elon Musk's SpaceX (occasionally working on the same code with Tesla Motors). It was our responsibility to ensure that all of our internal software was free of bugs, defects, and vulnerabilities; downtime could potentially cost the company millions.

While our team was understaffed and we were overworked, our experience with SpaceX and Tesla was invaluable preparation for running a successful software product. We gained experience working directly with their CIOs, and of course with some of the brightest programmers in the world. While SpaceX was a large company, it retained a startup feel with open offices, flat reporting structures, and people "wearing many hats"; the whole environment was like a pressure cooker for entrepreneurship.

Plus, we've noticed that saying you've worked with Elon tends to open a few doors. :)

What are some of the milestones you have passed since graduating from Mach37's fall 2014 cohort?

Lester & Boehm:

  • We closed our $500k seed funding round last fall, with the lead investors being Goel Fund and Mach37's former parent company CIT
  • We're now working to monetize on the enterprise side, while keeping Cyph completely free for individual end users
  • We had an extremely positive code audit report from the pentesting firm Cure53: "Cyph provides security from a broad range of cryptographic attacks and very strong client-side crypto. The general conclusion of the test is that no major issues in regards to application security or cryptographic implementations could be spotted in spite of a thorough audit."
  • As mentioned, we recently gave a successful talk at Black Hat and DEF CON (the two largest hacker conferences in the world)

What one aspect of the Mach37 programs did you personally find most beneficial?

Lester & Boehm: Coming from pure software engineering backgrounds, Mach37 helped immensely in spinning us up on how to run a real startup ("real" in the sense of being a full-time venture with external stakeholders and financial targets, rather than just a side project). A large portion of Mach37's three-month program focuses on quickly getting founders up to speed on material you would expect to see in an MBA program — particularly as it pertains to startups, fundraising, and the cybersecurity industry.

What question should we have asked but didn't?

Lester & Boehm: "How are you going to make money?"

First of all, if you're an individual (i.e. not using Cyph for business purposes), access to the core product will always be free. People aren't used to paying to talk to their friends and family, nor do we believe they should have to just to ensure basic privacy. While we may eventually offer a premium tier for users who want to support us, something like that would only grant access to non-essential bonus features. The free tier of Cyph will never be less capable than paid options when it comes to privacy or security.

The money comes in from licensing our software to businesses and government, either to protect their internal communications or to allow for easy secure channels to their customers/clients. One of the first industries that we've noticed crying out for an answer is the telehealth space. By law their communication needs to meet HIPAA standards and yet for many older patients the solution for that must be easy to use and absolutely intuitive.

However, the biggest opportunity may very well turn out to not even be Cyph itself, but rather licensing out WebSign for entirely separate use cases. The potential utility of "secure websites" (in-browser code signing) is almost certainly broader than our narrow focus on end-to-end encrypted communication.

Learn more about Cyph here.


Guest Blog by Michael Wellman: Virgil Security’s $4 Million Series A Round Is About More Than Just Fundraising

Michael Wellman and Dmitry Dain, founders of Virgil Security

Last month, DCInno’s Eric Hal Schwartz, in his article "DC's Cybersecurity Startup Scene Is Hot. Can It Get Hotter?", gave Virgil Security (and MACH37) the following shout out:

If venture investors are on fire for cybersecurity opportunities, a group of D.C.-based accelerators are cropping up to supply the fuel. MACH37 graduates around half a dozen startups from its program twice a year, with notable successes like Virgil Security, which partnered with Twilio, one of the fastest-growing cloud computing companies around, in April.

Last week, Virgil Security closed a $4 million Series A investment. I’ve long contended that funding news isn’t really news, but what makes it interesting this time is that we’re a MACH37 company – the first MACH37 company to close a Series A round. And that is news! Let me explain why…

Our lead investor was KEC Ventures out of NYC. Other institutional investors included Charge Ventures in NYC, Bloomberg Beta out of San Francisco, Sparkland Capital from both Silicon Valley and China, plus NextGen Venture Partners which, while originally DC-based, now has a national footprint. Notable individual investors included Ray Rothrock and Matt Grimm. Ray Rothrock is practically the godfather of West Coast cybersecurity investing; he led the Series A and Series B investments in PGP Corporation back in the day, and, more recently, led the Series A investments in CloudFlare. Matt Grimm was, until recently, a partner at the San Francisco-based Mithril Capital Management.

Our ability to draw national and international funding to a Northern Virginia startup further validates Virginia’s investment-driven model for economic development. The combined vision of former CIT leader Pete Jobse, Delegate Tag Greason, and the Northern Virginia Technology Council (NVTC), plus the sustained support offered by Governor Terry McAuliffe, Virginia’s Secretary of Technology Karen Jackson, and the Center for Innovative Technology (CIT) brought MACH37 into existence. Without the opportunity that MACH37 provided us to distill our underlying business case, Virgil Security would potentially simply not exist today. Because of all of their efforts, the $50,000 that MACH37 invested in Virgil in the fall of 2014 just drew 80 times that in private investment – with most of it coming from outside the DC area but with much of it to be spent in the DC area!

Our ability to draw this investment into the greater DC area also helps demonstrate that Virginia’s recent focus on cybersecurity is aligned with the future we need to create. And we’re trying hard to do our part. Our mission at Virgil Security is to #SecureTheFuture. For Virgil, that means ensuring that the future is cryptographically secure, but, for all of us, that means ensuring that the future is economically secure. To help further both goals, Virgil Security is working with the University of Virginia’s College at Wise to create a curriculum which will better enable Virginia graduates to find and fill the tens of thousands of unfilled cybersecurity jobs in Virginia, the hundreds of thousands in the United States, and the million plus around the world.

So, while funding news isn’t normally news, I think this particular bit of funding news represents something bigger. And in our view, it’s a story worth sharing.

- Michael W. Wellman

Virgil Security Raises a $4 Million Series A


Virgil Security Co-founders Michael Wellman (left) and Dmitri Dain (right) Ring the Mach37 Bell to Celebrate Reaching Escape Velocity; Rick Gordon Joins In the Celebration

On October 7th, Virgil Security closed a $4 million Series A investment, led by KEC Ventures. KEC is a venture firm founded by Jeff Citron, who also founded Island ECN, Datek Online and Vonage. For those of you who are close to Mach37, you know I have been promising for many months that we have several companies ready for Series A investment. Virgil was one of them.

As I thought about using this blog to crow about our investment strategy (we actually hunted for a company that offers easy-to-implement encryption infrastructure) or in some way hype-up just how smart we are at Mach37, a conversation I had last week caused me to think better of it. Virgil’s CEO Michael Wellman offered the key insight. As I was verbally high-fiving Michael, he took a characteristically humble look at the company's journey so far and remarked:

“You know Rick, it used to be that if you worked hard, had talent, OR got lucky, you could make it to the NFL (National Football League).  These days, to make it you need to work hard, have talent AND get lucky to even have a chance.”

And, so it is with technology start-ups. The hidden truth is that entrepreneurs can have talent, make every right decision, and work their butts off, but if serendipity does not smile the company will fail.

In the case of Virgil, I can point to a handful of inflection points that relied heavily on just being in the right place at the right time. I can say the same for Invincea and Lookingglass, two companies I was intimately involved with during their early struggles that have since achieved similar inflection points. However, the truth is that all of these companies still have additional milestones to achieve before any of us can declare victory.

So, instead of trying to convince you that the Mach37 team is smarter than we really are, I’ll just say that we feel really fortunate to have had the opportunity to invest early in Virgil. It is a company that has the world class talent and drive required to be successful AND was able to create the necessary luck along the way to close its Series A.


A Tale of Four Cities (with apologies to Dickens)

“It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season of Light, it was the season of Darkness, it was the spring of hope, it was the winter of despair…” Charles Dickens, A Tale of Two Cities

Since the beginning of 2016, it seems like the worst of times. We have seen a correction in the stock market as the Chinese economic bubble has popped, taking the global oil markets with it, and bringing back the all-too-recent memories of the Internet bubble of 2000 and the financial bubble of 2008 (watch out, 2024!). The misery has spread to the Tech sector. The unicorn, unofficial mascot of Silicon Valley, which had gone from being a rare beast in 2014 to a veritable population explosion in 2015, is once again on the verge of extinction.

Yet the economic talking heads tell us this is normal, that the U.S. economy is doing well and is reasonably insulated from both the Chinese economy and the negative oil shock. That corrections are a necessary part of the market, to restore balance after a period of irrational exuberance. So, what the heck is going on with Tech?

In 2015 I was Principal Investigator for a DHS-funded program called EMERGE, working to leverage commercial business accelerators to help commercially-focused innovative companies bring some of their technology to address needs of the DHS community. As part of this program we were fortunate to get an inside view of four different business accelerator programs in four different cities:


Here is what I learned. First, tech innovation does not occur in isolation; it is the result of effective regional innovation ecosystems that include customers, entrepreneurs, funding sources, a high concentration of expertise and ideas, and enough of a support infrastructure to help the entrepreneurs through the early pitfalls. Each of the four accelerator programs above has done an outstanding job of helping build and then leverage their local ecosystem as an integral part of what makes each region grow.

Second, Silicon Valley is not identical to the Tech sector. Although news coverage often glosses over this fact, innovation occurs in many places across the country. I will argue below that while Silicon Valley is indeed unique in many ways, generalizations based on that unique set of circumstances can often be wrong. In the current situation, the doom and gloom based on over-priced investments there is less relevant in other parts of the country.

And so, the four cities.

Dallas – Texas has several innovation centers including both Dallas and Austin. There is a diverse industry base, with concentrations in energy, health care/life sciences and tech, significant university presence, and a good concentration of wealth. Tech Wildcatters has successfully provided leadership to the region’s startup community with special programs in both health care and tech, and most recently going to a year-round program from the more typical discrete sessions. Dallas is a vibrant startup location, although it is unclear what effect the collapse of oil prices may have on access to capital in the region.

Chicago – political issues aside, Chicago has the benefit of a high concentration of Fortune 500 Corporate Headquarters, a robust investment sector and strong University presence. TechNexus has done a masterful job first in priming the innovation ecosystem development 7 or 8 years ago, and now tapping into the innovation needs of Corporate strategic partners who are looking to early stage companies as a source of new products and ideas. If the city can recover from its social strife it is certainly positioned to continue as a significant center of tech innovation.

San Francisco – San Francisco/Silicon Valley is the undisputed investment capital of the world for tech. According to Pitchbook in the third quarter of 2015 more than 27% of all the venture capital invested globally came out of Silicon Valley. China has risen rapidly as both a source and target of VC investment, although the collapse of the economy in China seems certain to be a major setback in this area, as the graph seems to indicate starting in Q4 of 2015. New York ranks third on this list, providing just north of 8% of the globally invested capital.

Yet with all that money floating around it appears that some Silicon Valley investors may have had more dollars than sense. If you look at the number of deals and the dollar amounts as compiled by Pitchbook, the dollars invested continued to rise in 2015 even while the number of deals plummeted, leading to a rapid rise in median valuations.

By comparison, valuations in New York during this same time were only 10% of the San Francisco valuations, an enormous disparity. There are some possible alternative explanations for this disparity (bigger opportunities, move towards later stage investments, etc), but both the anecdotal evidence at the time (“too much money chasing too few deals” was a sentiment we heard more than once) and the subsequent down rounds of investment even for some of the high flyers indicates over-valuation on the part of investors was at least one primary cause of the disparity.

A second point. Why on earth would you want to locate and operate a company in the outrageously expensive environs of San Francisco where none of your employees can afford to live? Or Palo Alto, where Palantir is driving out start-ups by snapping up office space at high rents. Well there are certainly some reasons: if you want to hang with the cool kids, California is the place you ought to be. If you need to raise a billion dollars or so, where else would you go? And certainly if you want frothy valuations during the good times, the target destination is clear.

A recent Harvard Business School study (http://www.hbs.edu/faculty/Publication%20Files/09-143.pdf) hinted at one possible evolution of this trend. According to the study:

“Venture capital firms based in locales that are venture capital centers outperform… [as a result of] outsized performance outside of the …firms’ office locations…”

That is, if you are a VC you want to be in one of the centers of VC activity because there is a strong ecosystem of investors…but, the big returns are to be found by investing in other places. Certainly Silicon Valley is not going away as the primary center of activity. Increasingly however, those investors seem to be syndicating with other groups in places such as Dallas, Chicago or…

Washington DC – The region centered around Washington DC is generally considered to include Maryland, Virginia (or at least Northern Virginia), and DC itself. The Federal Government is a large presence, along with some of the specialty areas such as cybersecurity and data analytics it has helped develop. Health care/life sciences is also a major player in the area, and there are multiple world-class universities that support the ecosystem. The region generally ranks in the Top 10 innovation areas of the country, and the area’s capital investments are growing, actually increasing in the 4th quarter of 2015 even while investments were declining nationally. One reason for this increase is the growth in cybersecurity, with the potential for more than a billion dollars in cybersecurity investments in the region in 2016. The two biggest areas were health care/bio and software (including cyber), and there is an organized, active ecosystem working to promote the growth of these and other industry sectors.

Conclusions – Clearly the stock market is in correction territory, driven initially by economic issues in China and the energy sector. While the tech sector also appears under pressure, the fundamentals here are very different. In the short term, what appears to be a broad retrenchment in the sector is actually mostly a correction of inflated valuations on the West Coast that are not indicative of the sector as a whole. As Rick Gordon, Managing Partner of the MACH37 Cybersecurity Accelerator puts it: “while Silicon Valley has been out on the great unicorn hunt, we have been building an army of cockroaches…small, fast, nimble, designed to survive a nuclear winter, and available at a reasonable price.”

The age of easy money from building the next mobile app may be behind us, but the advent of autonomous vehicles, personalized medicine, data-driven everything and more will ensure that the tech sector will continue to drive the next wave of innovation and economic growth for decades to come. But it is increasingly likely that the actual innovations will be found in places like Dallas, Chicago and the Washington region even if the investment capital still flows from New York and Silicon Valley.

Information Security: Can We Win?

The Mach37 Security Leader Dinner series has become a premier forum for discussing important topics in Information Security. On October 23, Philip Reitinger was the guest speaker. Although these discussions are non-attribution, and the philosophical musings, views, and opinions expressed are solely those of the author, a few of the ideas in this post are paraphrased from Mr. Reitinger's prepared remarks, and are used with his permission. Some other ideas presented are crowdsourced from the community discussion or represent my own ideas on various topics.

Can we win the information security war? Currently the answer is no, and the situation is getting worse rather than better. It is getting worse for three reasons: complexity, connectivity, and criticality. The internet is so complex that nobody fully understands it, yet we are connecting everything to it, including all of our personal data and most critical infrastructure. At least we are finally paying attention to the issue, and our defensive technology is improving, so should we expect to be able to win in the long run? If winning means reasonable expectations of privacy, and reasonable expectations of protection for transactional information and intellectual property then the answer should be yes. So what would it take?

First, the internet was designed for connectivity rather than security, so there are some fundamental flaws to be fixed. There is some hope that the transition to IPv6 will address many of these issues, if not subverted by the providers. Baseline strong encryption of all internet traffic with no back doors is currently feasible. Strong authentication, providing some assurance that you are who you claim to be as we interact remotely, is on the horizon.

Second, the "edge of the network" is now every device, and the information and core computing resources (processor, storage, network interface) need to be encrypted and hardened. The move to stronger security by major device providers is a good step in this direction.

Next comes automation. Procedures that involve highly skilled operators continuously monitoring for dangerous traffic simply cannot scale; they are orders of magnitude too slow and too expensive. The information security community is developing more automated processes and techniques which will help improve this situation.

Finally for the U.S. comes the legal and social changes necessary to support the technological changes. Unlike some parts of the world, we have criminalized much of the behavior of the "hacker" community in identifying issues and fixes in various information services, even among that large majority of the community willing to use their skills for positive purposes; we need to find ways to enlist their support rather than suppress it. We have also built an ecosystem where service and application providers of all types have been given free license to trade on individual's data at the expense of privacy. Fixing these major legal/cultural loopholes is a key step in fixing the underlying security flaws, giving incentives for security rather than ignoring it.

So, in spite of the complexity, connectivity and criticality issues that widen the gap if all we do is play catch up, the answer is yes, we are still in a position to win…IF we put our minds and technology to the task…IF we are able to change some of the legal and structural problems…and IF we accept a relative rather than absolute version of what it means to win.

EPILOGUE (Call to Action): Phil Reitinger summarized the state of information security by re-telling the old tale of the two campers. As they get ready for bed, one starts putting on his sneakers, and the second one says “why bother; if a bear comes during the night, you won’t be able to outrun it”. To which the speedy camper replies “I don’t need to outrun the bear, I just need to outrun you”. We are very much under this type of extraordinary evolutionary pressure in cyberspace. The weak will continue as prey, and the predators will continue to roam. To survive in this new age the call to action is simple: Put on your sneakers and start running. Maybe if we all do it we might even starve a few dragons and bears along the way.

Industrial Cyber Espionage

According to published news reports this morning covering a press conference by Attorney General Eric Holder, “The United States has for the first time filed criminal charges against foreign government officials in connection to cyberspying allegations.” The grand jury indictment charges five men with “conspiring to commit computer fraud and accessing a computer without authorization for the purpose of commercial advantage” according to the New York Times. In the press conference, the Assistant Attorney General provided specifics related to the case examples of companies affected and the types of information stolen from them.

Officials mentioned the Mandiant Report, last year’s watershed public exposure of this type of activity. In that report, Mandiant describes the theft of hundreds of terabytes of data from more than one hundred companies in twenty major industries since 2006. On average, a target company was attacked and then remained exposed for a year or more while information such as technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, emails and contact lists were targeted. Many of the targets turn out to be major companies such as Westinghouse, US Steel and Alcoa.

But this is just the tip of the iceberg. In the U.S., much of the innovation and many of the jobs come from small or startup companies who don’t grab the headlines and who may not know that they are targets. In the manufacturing sector, for example, data from the NIST Manufacturing Extension Partnership (MEP) indicate that something like 80% of current U.S. manufacturing jobs are with companies of fewer than 50 people. Most of these companies spend a large majority of their time simply trying to grow the business and stay ahead of the competition through innovation, and may not have either the expertise or resources to adequately protect their intellectual property from cyber attack. These companies are perhaps the most underserved segment of the industrial base with current large enterprise cybersecurity solutions, and the largely invisible damage inflicted here represents a particularly corrosive threat to legitimate areas of competitive advantage for the country.

Indeed, we know they are a target. According to the NetDiligence 2013 report Cyber Liability & Data Breach Insurance Claims, 63% of US Secret Service forensics investigations are at companies of fewer than 100 employees, and 45% of insurance claims paid are to companies in the small-cap (less than $2B revenue) or nano-cap categories (less than $50M revenue), split about evenly. According to Rep. Frank Wolf (R-VA), chairman of the House Appropriations subcommittee that funds NASA and many of the nation's science programs, "I have seen up close how certain countries...have targeted federal agencies, contractors and law firms to steal billions of dollars of cutting-edge technology that diminishes our national security and undermines job creation."

There may be some hope however, creating sector-focused markets of small and mid-tier companies for a new generation of emerging cybersecurity solutions such as those at Mach37. We are in active discussions with manufacturing organizations and other industry alliances, regional threat-sharing groups, and similar partnerships that can bring appropriately scaled technologies to groups facing a common set of threats. We are also fostering a set of potentially disruptive technologies that can help fill this dire need. To name a few:

  • Pierce Global Threat Intelligence provides a new mechanism for real-time sharing of threats
  • Identia provides one approach to securing supply chains by simplifying identity management across organizations
  • MSB Cybersecurity provides support for cybersecurity standards compliance along with actionable recommendations
  • Axon Ghost Sentinel detects unusual behaviors in distributed device environments
  • Disrupt6 is on the leading edge of new security paradigms for the emerging world of the production internet (IPv6)

To be sure, nobody has the silver bullet to “fix cybersecurity”. But, active promotion of the next generation of cybersecurity solutions and companies, and accelerated connection of those solutions with the groups that need them most, can go a long way to effectively dealing with the high stakes world of cybersecurity in which we live.