Tai Zen: I want to share with you guys a little bit about Steven Sprague here. And full disclosure, guys: whatever projects I talk about, just assume that I’m invested in them. That way you guys know if there’s any conflict of interest. All right, so Steven Sprague handles what I call the hardware security.
So when I first entered the blockchain space, I never had to worry so much about computer security, or study it, or learn what encryption is, what cryptography is, and all this fancy, you know, scientific and mathematical stuff. But one of the things that we all have to pay attention to is computer security.
And there are two sides to computer security: one side is the software side and the other side is the hardware side. As far as the hardware, I have not personally met anyone else in the industry that understands hardware security more than Steven. The first person I met that I thought really understood hardware security was, I think his name was... what was the name of the guy who opened up the Trezor? Yeah, Carl!
He’s one of the founders of the Grid+ project, the cryptocurrency project that is working in the energy field. So, Carl, I read an article by him where he opened up a Trezor. And then he examined it, explaining how it works, and he explained where the weak links were in the Trezor.
Okay, now I have not met anybody else in the crypto space that understands hardware security to that level, where they can dissect a Trezor hardware wallet and explain to you what each component is doing and where the security flaws are. And based on his analysis, Trezor had to go in and fix the things that he recommended needed to be fixed to increase security.
So that is not something an average human being can do; you have to really know what you’re doing in hardware to do that. And at a conference I witnessed myself, and a few colleagues witnessed, that individual Carl have a conversation with Steven about hardware security. And I was like, the, what is it, clash of the titans when it comes to hardware security.
And I have to say I was very impressed with what Steven had to educate Carl on when it came to hardware security. And Carl is not somebody you mess with when it comes to hardware security, because I don’t go around opening up Trezors to see if they are well built. Okay, so this is the level that we’re talking about; these guys are at a very high level of hardware security. So I’m going to turn it over to Steven. Welcome on, Steven.
Steven Sprague: Thank you. So I appreciate the introduction. I’m not a software developer or hardware developer, I’m a mechanical engineer. The beauty of mechanical engineering is all the gearboxes have been designed, so we just have to know a little bit about everything and not actually very much about anything. But I have employed some of the smartest people ever in trusted computing and written a lot of specifications.
And so I’m at, I don’t know, at least $550,000,000 so far in trusted computing, just in my team, for the last 20 years. And that brought you 1,500,000,000 PCs with hardware security built into the motherboard of the PC. And you’re now in a generation like 3 or 4 of technology out of Intel based on some of the trusted computing standards.
And we’re on the 2nd or 3rd generation out of ARM within all the handsets. There have been a billion handsets shipped which could have run a Trezor-grade wallet in the handset. So these technologies have been around for a little bit. They have good things and bad things some days, depending on how you look at them.
By the way, we built the whole solution to that whole health care records problem like 20 years ago, so we’re still slaving away on that front, on that subject. But let me talk a little bit about decentralized security. Decentralized security is a real challenge because everything that we’ve done in cyber-security today has been centralized.
Your company runs it, some entity runs it for you, etcetera. So when you get to decentralized security, it’s easy to write up. It’s a very cool marketing term in the concept of blockchain, but actually implementing provable decentralized security, I’m a little sporting. So why blockchain is cool: blockchain is a project... I’m going to step back here a little bit actually, if you don’t mind, because then I can also read my slides without looking over my shoulder.
The blockchain is cool because of all the things you heard about earlier today: you know, it’s censorship-proof, it’s trustless, it is an immutable ledger. It’s a very cool technology. By the way, the fact that it is censorship-proof has a byproduct: it also means it is network-security-proof. Network security is censorship: you set up a firewall, you block traffic, you control ports. It’s all about censorship of the data.
So building a blockchain, while really sexy, means all the stuff we currently have, the multi-hundred-million, billion-dollar business of cybersecurity, doesn’t apply. So what they’ve done is they’ve built things like IBM Hyperledger, where you run a permissioned chain inside the castle walls, so that we can reapply all that good old classic 1970s enterprise architecture for security.
So we can watch the instructions coming in and we can block the ones that come from Moscow, because we wouldn’t want the Kremlin adding transactions on the chain as fake news. So this is the problem: we know the data is immutable, we just can’t tell you whether the data was intended. This is a really interesting challenge; you have to kind of test every project you read about as to whether the intent of the data is important.
So I can use a really simple example. Let’s do a simple blockchain: what we’re going to do is keep track of all the ammunition in the US Army. So we have 50 people shipping ammunition, and we have 10,000 people schlepping boxes of ammunition out to the field and guys shooting it off, right. So fantastic! What happens if the Kremlin steals one key?
How much ammunition do you have? Whatever they want the blockchain to say is how much ammunition you have, because in essence you have a shared wallet; that is what an inventory would look like. And in that you have transactions, so you’d have, you know, thousands of transactions a day in your shared wallet. And one of those keys would be not the key you control.
And as a result, the data on the ledger, while all properly collected, might not be true. So it’s a really interesting challenge. There are lots of places where, like we just talked about, HIPAA compliance needs proof that the doctor actually requested the data. How do you know the doctor requested the data?
Oh, by the way, you’re only allowed to use the chain as evidence. You’re not allowed to use the Microsoft antivirus or the Oracle cybersecurity system or the video camera surveillance of the guy using the computer, like that.
That’s not how we’re securing blockchain; we thought we could secure blockchain with blockchain. And that’s really the interesting challenge. If you only have a chain, you have this transaction on-chain, you know the transaction hash. Really, anybody is going to Etherscan to see whether your transaction happened. You can click on a transaction hash and you can see the transaction; you just don’t know whether you did the transaction or not.
You can’t prove that with only the data that’s on the chain. So I have to redo this slide so it animates, so I can do it in steps. What we do today is just the bottom arrow. We have instructions; that’s what you create with wallets, right. Wallets don’t hold Bitcoin, they hold a key that allows you to sign an instruction or message.
Send that message across the network, and the message, when consumed, tells it to move this amount of money from this account to that account. Follow the script; the blockchain network basically is a very simple smart contract that executes that script. If it’s a smart contract, it can be a more complex script.
But we don’t know anything about the keys or the rules or the environment in which that instruction was created. Whether it was hand-coded, whether it was executed on, you know, an independent Linux machine running in the closet isolated from the core network, or you’re running it on your Windows laptop with the key stored in a text file. We just don’t know, right; there’s no way to know.
So cool. So what we’re trying to say is that actually what you want is a trusted execution environment. The purpose of a trusted execution environment is to tell you what rules were enforced. A rule is like a PIN number for a key. Maybe you have to call your mother in order to use your key, like a multi-stage inside your wallet; that would be cool, right.
We could do all sorts of kinds of rules. A rule could be you have to be in this room, and somehow the device knows how to detect electronically that it’s in the room. So we can have a variety of different cool rules that the trust agent basically enforces. So what we know is the trust agent is in place, that the rules were in place, and now that the key was used.
And we can store that attestation hash, which is basically a sign of the health and integrity of the device that produces the transaction, and it controls and binds it into an actual blockchain event. A year ago October we did our first transaction that did this; we did it on a fully modified version of Bitcoin.
It’s just a lab experiment, but we demonstrated that we could make a mathematically provable cyber-security control bound into the instruction when the transaction was written to the chain. Very cool. By the way, this is really useful for things like IoT, like I sent the transaction to the drone to shoot the guy.
Did it come from me or from somebody else? Like, sorry, I was just out talking to people the other day, talking about AI using weapons. It was just fantastic; it’s like we’re talking about automatic money on machines, and like, well, that’s simple. So, you know, what rules?
Rules are things like PINs and passwords, verification of the quality of the execution; you can get all sorts of rules in place. By the way, the nice thing about rules is they are relatively invisible and machines don’t mind following them; the humans might be slightly annoyed by them. But in general, these are machine rules, not human rules. You know, we don’t want you to dance around three times and then push the button.
We want your machine to dance around three times and then push the button, and machines don’t mind following rules. What we’ve done is we’ve introduced the concept of a token to power assertion of these rules and the different kinds of environments around, so we can have a provable control bound into the transactions.
So how do we create money on a machine that has a policy? They can enforce these rules; they are automatically verified prior to every transaction, and that verification is ultimately recorded on one or many different types of chains. This is not designed to be a single-chain model; we’re building technology that could easily be inserted into any of the blockchains. We’ll eventually provide
some of the technology to incorporate that in general chains ourselves, as well as, we certainly hope, others will incorporate it as well. Why is this important? The stronger the quality that we can make of the protection that produces an instruction, the more valuable the data is that we can store on the chain. So we could 10x the value of data on everybody’s chains. That’s cool!
And I think that’s what this really is about. You shouldn’t think of this in the context of risk. This is about improving the quality of the information that we write, the provability of the information. The proof is a really interesting thing; it’s actually kind of a fun exercise.
Take any project that you’re working on, and then pull back a foot and say, okay, what really can we prove? If I only have this data as evidence, what can I prove? And we got informed on this in my previous company; we were heavily involved in self-encrypting hard drives when we first built the technology. We sold totally the wrong thing to the customer and the customers all bought totally the wrong thing.
They bought encryption. The state of California put out a regulation in order to, like, you know, if you lose a laptop with a hundred thousand HIPAA records on it, you know, you have to go stand in the parking lot, take all your clothes off, tell them you lost all the data, put in a press release at the bottom. But if the hard drive is encrypted you don’t have to do anything. So, great, buy encryption. Turns out you don’t want encryption.
What you want is proof the device was encrypted when lost. Turns out that’s a totally different product, and you have to turn off all sorts of features in order to really clearly establish proof. It was really informative; it is a very simple transaction. Like, storage is a perfect example of a company that has fantastic encryption across their distributed architecture network, and the data is shared encrypted and all kinds of stuff.
Prove to me you haven’t lost the private key. You got any controls on that? Like, all you have is the storage chain; I have nothing else. You’re not using Windows Active Directory to ensure the integrity of the antivirus to protect the keys in the storage network from being stolen, right. We have just the storage chain, so I don’t think storage could meet HIPAA compliance status.
I can’t prove the credentials have been stolen, and so that’s a really interesting challenge to figure out how you go down that path. What we’re trying to do is to help assert: the greater the protections and controls we provide, the higher the value of the data is. So what’s trusted execution?
Trusted execution is an isolated execution environment. Its real definition is a known set of inputs that always produces the same output. A computer you can trust: you say, give it this data, this stuff will come out every time, not something else you didn’t really expect. So it’s a known computer running in a known environment.
We as an industry branded this stuff trusted computing, which is probably the wrong word, but it was great in 2001. The problem is it’s really measured computing. What we’re saying is this computing environment was properly measured and is properly controlled, and I can tell you what measurements were placed, and the parts that you measured actually work.
If you didn’t measure a part, then who knows what you got. As long as you measure the components, then to the quality of whatever that measurement is, you should be able to make some assertions about what it’s capable of doing. These measurements are basically hashes, and they are cryptographically bound together in a Merkle tree.
So this idea that we get a top hash that represents that these, you know, previous 27 steps were done to build this computer environment turns out to be really quite consistent with the whole blockchain architecture, because we just end up with a hash. So this is a very simple and elegant mechanism to combine the benefits and values of the trusted computing space with blockchain. Simplified: tokens or coins operate chains.
Trusted computing operates tokens. Think about that: Trezor is a trusted computing device, Ledger is a trusted computing device, multi-sig is a trusted computing device. You want to have trusted computing operating your tokens. We don’t do that very well; that is why we today use mostly online wallets. We’re doing authentication to an online service; we’re trusting them not to lose our keys.
Probably not the best plan, because they can steal your keys, and they might lose them anyway. So what’s inside one of these devices? These devices were built to secure your e-commerce experience. And we’ll go through the exact steps of what e-commerce is, because nobody really knows; we do it every single day.
And most people can’t really tell you what it is. Now in blockchain we’re beginning to learn, because we know that we’d like to have a trusted display, we’d like to have some input. But these technologies exist within the device. Why? Because the European Union set standards, over a decade of work in the standards bodies, to require what’s called Payment Security Directive 2, which is basically: you should have a Trezor in your house for using your Visa card. That’s cool!
By the way, it’s required to be in place for all banking transactions in 2018. Guess who’s compliant? Nobody. There’s a great opportunity for blockchain: maybe we could be compliant, then we can have a really fun conversation, which is: so, European Union, exactly why are you letting these banks do transactions?
They’re not compliant with your regulation. Because we’re building a new payment platform, we have the opportunity for the transactions to become compliant going forward. There’s an enormous opportunity out there; the consuming public, through their governments, have asked for better security in e-commerce because it doesn’t really work. So one of the places that we’re starting is with two-factor authentication (2FA).
This is our first product; it went live on the 31st of December. And it’s in closed beta, so there are about a hundred-something users of it today. And it’s compatible with, I think, almost all of the exchanges that are out there today. So if you have an exchange that’s running Google Authenticator or Authy, we use the same protocol; the difference is,
instead of storing your seed keys in software with the same quality of security as Snapchat, we’re storing your keys in the tamper-resistant hardware on the device with the same security as Apple Pay. So cool! So you should have the basic infrastructure of what it means to have a properly protected hardware seed.
You’re just using it with an exchange. By the way, I have talked to the exchanges; they have already implemented Google Authenticator or auth support, so it just works. This is fantastic; has anyone ever tried to call an exchange? First off, there’s nobody home. Secondly, they’re infinitely busy because they’re signing up too many customers per day,
all of whom have insecure access to their accounts with username and password and now with a cute little, you know, Google auth code. And we have a blog post on our site about it, but my favorite, if you haven’t read it, it’s just sport: the cracking guys put out a blog post on the 40-step plan to secure your Google Authenticator on an Android phone, emphasis on the words 40-step plan.
By the time you’re done, the phone is just about useless, but it’s fantastic and we agree with every step along the way. The only thing that’s interesting is we’ve actually implemented some of the new advanced capabilities that came out of NIST in June, the 22nd I think it was, or the 20th. They published new guidance on strong authentication after a decade and a half.
And it’s really, for anybody who’s trying to do identity, authentication, or things like that, worth reading NIST 800-63. There are two parts of it that are important. There are three parts: sections A, B, and C. Section A is what you guys all think of as KYC; it’s how you add attributes to an account and what attributes are.
And if you think you want to participate in any token sale that’s doing attributes for KYC, I would read the NIST guidance. Section A is not that hard to read, and it’s really quite informative. Section B is how you protect your keys, used primarily for multi-factor authentication, although it does include embedded credentials as well.
And so things like PIN numbers, so the human is present when their two-factor authentication is used, are parts of how you get to medium-assurance two-factor authentication. There’s attestation in it; we will come back to that in the next step. But the 800-63 stuff is really worthwhile reading. By the way, section C
is called Federal PKI. You just replace that with blockchain, which is really cool, because the federated PKI stuff, we tried that for a decade and a half. That’s a headache of the first order. That’s actually one of the core answers to the question around the HIPAA compliance question. Why do hospitals want to do this? Because they don’t have to have the risk of the independent entities, with their own keychains, with their own federated PKI, trusting the other.
One of the most interesting things I worked on was a project around the F-35 Joint Strike Fighter; we were part of the 50 companies that were adding technology into this conversation. It took 5 years to secure email; they lost the plans before we got done with the secure email thing. So, but it’s just brilliant
that the problem at the end of the day was that the Boeing guys would not trust Lockheed Martin’s test of a U.S. passport. Keep that in the back of your head in all this KYC attributes stuff: they wouldn’t actually trust it. If you went to Boeing, you had to get your passport checked again; all the other identity credentials were fine, but not your passport. So what’s a secure transaction? Everybody does this every time you go shopping at every single retail location you go to, and you take your new chip-based card and you plug it into that little box.
The first step: trusted display. You don’t believe what the cash register says; that’s lying to you. You believe what that little black box that you plug your card into says; that has a measured, trusted display. The second step has some form of user intent. Typically, in the case of credit card transactions, it is a PIN number, unless you’re an American, in which case they didn’t trust us to remember PIN numbers, so we do chip and signature. By the way, nobody checks the signature.
So they wanted to do this chip-and-signature thing, but nobody checks the signature on any of the boxes anywhere in the world. I’m not aware that they check the signature. So it’s fantastic, really; we can’t remember PIN numbers. It’s kind of funny to go to Europe and they’re like, you do chip and what?
There are a billion people in Europe that know how to remember a 4-digit PIN number with their card, which actually makes it safe, and fraud went to basically zero for retail. So trusted execution, that’s what the little chip is on your chip card. The fourth piece is interesting: the fourth piece is attestation that the previous three pieces are working right.
It is great that you have a little box, but who knows if somebody came along, stuck a USB device in the box, and changed all the software in the box? It steals your credit cards and all your PIN numbers and everything, right. So they want to assure, and that’s what they call PCI compliance, but we want to be able to do attestation within a transaction.
The role of attestation is how do we properly protect and assure that the capability that we are asserting was part of the transaction was actually there. This is this: how do I actually measure that the infrastructure that was in place was correctly implied, that there are no unknown software providers, that the software is properly signed? Did we check all these signatures every time we do a transaction or not?
Like when we loaded the thing, or when the FedEx with the Trezor arrived. Let’s do it every single time. What we did is, as I’ve described before, we actually built the process on the chain where this can be not only verified as a policy enforcement point,
but it can actually be recorded on the chain. And so this provides a really interesting capability, because I can now prove that the data on the chain came from a known device in known condition with known controls. And that cybersecurity claim will turn out to be very valuable in the space. As we were building our prototype, what we learned was not only could we measure the internal stuff,
but we could tell the trust agent in the device, as an oracle, about anything else. So in essence what this shows is a rivet attribute registrar, and internal-external integrity is basically that oracle. The trusted device can do a secure handshake to an external server, like an appliance in the enterprise or a cloud service, whatever; you can ask any question
that you want. Say, only do the transactions if Mom says it’s okay, because I can put a secure messaging thing on Mom’s phone. Mom has to push the yes button; you’re not spending any Bitcoin unless Mom says it’s okay. That might be a really good plan, or you could decide only from this room.
Or we could put a beacon on a nuclear submarine, and unless you’re within range of the Bluetooth beacon on the nuclear submarine you can’t do a transaction. By the way, the chain doesn’t know you’re on a nuclear sub. It just knows that you have a signature that matched. So cool.
I can make trading rooms where the transactions can only ever happen from the trading room. And then I can assert that those tests were in place before the transactions were executed. It’s kind of like multi-sig, but inside your device.
So now you can make all sorts of forensic claims about the quality of the data, the type of information that’s aggregated. This is another transaction hash stored on the chain, and it really is just a hash, so you probably want it tied to a whole second chain, which is the one that is controlled by the owner, that actually tells you what tests are run. If I ran these 731 tests
and I achieved this hash, that hash was compared when this transaction was done. And therefore, as an owner, I can assert that all these 731 tests were done. What does the chain know? Nothing. How’s the weather? Like tokenized KYC. Oh, so we do like the tokenized KYC.
So I know you have a $1,000,000 token from Citibank. It says you can do a $1,000,000 transaction. But the exchange doesn’t know who you are; you’re just a customer that had a $1,000,000 Citibank KYC/AML token. That is cool, right. Now if you do something bad, I can reverse the transaction; I can go look up the token
and say, ah, that is Steven, and I can, in cooperation with Citibank, unmask who did the transaction. But the rest of the time, I have no idea who does the transaction. So high-assurance instructions are a really important piece of the puzzle, whether we’re doing IoT, where we want to tell things what to do, you know, whether we’re operating an IoT chain and we want to make sure the transactions go across it,
whether we’re storing secure data on something like storage, whether we want to enable a HIPAA healthcare-type environment where I know the identity of all the doctors that are involved in the systems and that they were authorized to do these transactions. The list goes on and on and on. The vast majority of your ICO tokens that are out there are expecting to have a more automated process of authentication.
These are the tools to help make that possible. One of the byproducts of that is that we can store money on a device that can be automatic. And this is really core to the principle, on a long-term basis, of the rivet token. So think of this as an allowance on a device.
What you want is a device that has the ability to have $5 to spend for VPN services or data services or authentication or a variety of different services, where it doesn’t have to ask you to go get your Trezor out and type in the codes in order to spend a dime, because that will get really annoying. We know what this experience is like. I’m old enough where, you know, I remember talking to my girlfriend; this was an expensive transaction where you had to put quarters in the payphone.
You know, when you’re like 16 that can take a lot of quarters. This is security by design; this is security built in, properly executed. We all know what this feels like. What’s your favorite form of multi-factor authentication? All of us have one.
And so just as an exercise, think in your head at this moment of multi-factor authentication: what’s your favorite one? And then I’ll bet you you’re wrong, right. So this is good: I will bet you that you’re wrong about the favorite one that you have in your head. It’s the send button on your phone: you dial the phone number and push send.
That is hardware-based multi-factor authentication with an embedded hardware security device, with the multibillion-dollar infrastructure underneath that got you those keys and manages them brilliantly. We taught Mom how to use that; we taught the kids how to use it.
And it’s simple and it’s embedded and it’s invisible. That’s the mission: we need to get to the point where our devices will work as well as the send button. By the way, we always used to have a send button; it used to be you just dialed the damn phone.
You didn’t have to push send. What’s the send thing for? Turns out the send thing is the authentication. So we think this is a whole new business model for cyber-security. This is a decentralized model; we’re not looking for centralized controls, we have any controls: so you have cloud controls, you can have local controls, you have any third-party service provider providing controls.
So what we’ve tried to do is create a token that allows a machine with an automatic store of money, an allowance, to pay for the controls the owner has prescribed as rules that must be enforced before you can spend your money. And so this becomes a really interesting set of capabilities that you could do for every different token a different way; not all tokens are the same.
You know, when you want to spend $100,000 you might want some more controls in place than when you’re spending $99 on a coffee. And so it’s really the owner who’s in control, and so we think the owner will tell their device: here’s the policy for these collections of things. And it can be as simple as, it feels like a Quicken interface, you know: my device spent money on these 10 different services.
And you know, you want to say, well, don’t spend on that anymore, or spend more on this. There are some really interesting ways to accomplish this. That’s going to be one of the real challenges of the sort of consumer experiences of this kind of more complex model.
And to take the first step, if you’re involved in a project, figure out how to move the keys into the hardware. Let’s make this a simpler experience. Anybody who’s traded any cryptos has had that panic sense. Let’s make that go away, because that’s not going to work well with a hundred million people.
Like that: you typed in all the numbers and you’ve got the ICO address and you’re like, here’s $10,000. Like, how do you even know you got the right address? You got it on Skype? Really? Like, what are you thinking? Did you get it on Skype and on email and on Slack and on Reddit, so you got it on at least 4 different channels?
Because don’t get it on one, right, before you put your... and in our case, in our pre-ICO, we had one address that somebody put two and a half million dollars on. By the way, just for fun and sport, it took them three times to do the transaction right. Nobody in this space knows what they’re doing. I mean, this isn’t... I’m not picking on any one person, but none of us know
what we’re doing; we’re like totally making it up every step of the way. Any questions? Excellent! The second said, just saying, so let me use another simple example. I’m old, and the nice thing about being old is that I have a cable box. So unlike my children, who every time they want to watch video have to get out the tablet and then type in a password
and then they log into some Netflix experience and then they can watch the video, I can sit on the couch and I push a button and HBO comes on. I have this box thing; if you don’t pay the cable bill, the box won’t show you the videos. You can call DirecTV while you’re sitting in bed and give them your credit card number and the TV comes on. You didn’t have to get out of bed; this is fantastic.
Last summer, the kids are all texting me in a panic: somebody’s hacked our Netflix account. This is like so unbelievably funny. So we’re like trying to figure out what happened, because the password has changed; what’s the new password and how do you recover your Netflix account? And the kids were beside themselves. Guess who hacked the Netflix account? Grandma.
Grandma had lost the password. She figured out how to log in because she knew my wife’s email, and she knew how to log in to my wife’s email, get the recovery password, and change the password on Netflix, because the kids had shared Netflix. Like, Grandma, this is brilliant. The kids were all in a panic for the entire afternoon because Grandma had hacked the Netflix account.
And the point of the story is very simple. When we set up Netflix in their house in Florida, brilliant son-in-law transaction, if I say so myself: they had DSL, and I managed to get AT&T to come in and replace the DSL with FiOS. And the bill went down by $10.
This is good for Thanksgiving like good son-in-law activity right. You now proved the bandwidth for the whole household AT&T roll the truck two guys came because one of the guys was being trained and they spent 2 hours one around the house trying to test the DSL and the Fiber and all kind of stuff. And they pay a lot of attention to television set I paid a lot of attention to Wi-Fi hotspot.
And they left with both those things working swimmingly enough half the money on the floor of the house. Because there were all these other devices in the house Phones, Tablets, and PCs. Every single one of those devices had embedded hardware security on the motherboard of that device because I helped put it there.
And they forgot to put an AT&T credential in those devices so when you take your laptop to the hotel room what you have to do to log into DirectTV login. Why? 1.5 Billion PCs of a chip on the motherboard that would remember permanently in a way that can’t be stolen your AT&T login.
So why not? We haven’t yet understood that these are networks of devices we’re just human operators. They’re not networks of humans and we have to ship mentally from the world of humans logging into unknown computers to all of us have personal computers that are ours. I know that sounds like a really weird term of a personal computer.
But a personal computer that is mine which it owns all the credentials to log me into all the experiences I wish to have. So I log into my device log me into the world. And all then we’re asking the human to do does not have to remember complicated passwords not figure out when your passwords have been stolen.
We’re just asking the human to notice if their device goes missing. And then you can take action but if I take your phone, you’ll notice that’s actually. Yeah we can do that in cybersecurity training we can actually train you like you show up at the office and the computer’s not on your desk anymore. Either it’s been stolen or you been fired.
Both are good reasons for panicking or you got moved to the corner office that I supposed to be a good thing. There must be some questions.
Questioner 1: I think I can articulate a question. You showed a graphic up there while you were talking about the European security requirements, and it showed what appeared to be one of these, and it seemed like you were indicating this device has those features, including the trusted security module. But yeah, we just went on to...
Okay, all of that's in here, including the secure trusted security module.
Steven: Yep. In pretty much every ARM processor. And I think Galaxy S3, you've got to get below that, maybe S2. On a timeline basis, you've got to get back to iPhone like 2 or 3, kind of really early on. ARM put it in, in like 2007, and everything built that was a cellphone-grade chip. Well, that's the part the question a little is...
Questioner 1: How do we use it?
Steven: The question is how do you take advantage of this trusted execution environment? That's the part that's been a little too complicated, because you used to have to go negotiate with your carrier. And in 2011 a startup was formed called Trustonic, and we use the software they produce.
Because that's what's called a trusted execution environment OS. So we're able to write an app that runs in that OS, and we've been working hard over the course of the last 3 years to do that. And so what we do is provide you with a developer toolkit so you can use it.
So you don't need to know all this; you just download the Rivetz toolkit and make it part of your application. Here's an example: this phone has two-factor authentication on it. That screen, the other screen, changed to a PIN pad. That PIN pad screen is not drawn by the OS; the PIN pad screen is drawn by the trusted execution environment.
This is a commercial off-the-shelf Galaxy S6. So this screen, in theory, if you root the phone, right, any Android app, you have root control of the operating system, you can do anything you want, a memory dump, etc. You can't read what I type into that screen, nor can you read what's displayed on it.
Trusted input and output: a point-of-sale terminal, and oh, I could send you a Telegram message that can't be read by anything. Oh, you might be able to have a keypad on which you could type a Telegram message that can't be read by anything. Are we just getting started? Could I have drone controls?
So you can't intercept the drone controls. Can I have a Bitcoin wallet so you can't see what I type? It's only half a billion phones, so it's almost getting to be enough that it might be useful for everybody. Now the problem, of course, is it's a closed system, right? It's an ARM processor that is not an open-source processor, built by Samsung, etc.
So there's potential for holes in this for sure. I think the answer to that at the end of the day is that what we want to do is create identity, and we want to do attestation, so that we know it came in an operating condition from the factory. So if we discover a hole, we know it's Samsung's fault, not because somebody put malware on this, because this is provable executing code.
At least our attempt at provable executing code, and we'll improve it over time, always. We have a very solid team of some of what I would call core developers in trusted computing. They've been part of my team; some of them have worked for me for many years. But we're adding to that more blockchain expertise. We're building a company, right?
So we're based out of both New York and California, but we're looking for great people who want to contribute to projects.
Questioner 2: One of the previous requirements, I say requirements, standards for good security when you had different websites was to change your password every couple of months. How would Rivetz play into that?
Steven: So, two things. One, the guy who put that guidance out there, in the previous NIST guidance around strong authentication, apologized for that the other day, because it turns out that's actually not true. And so if you go down and, believe it or not, they did the analysis of the Ashley Madison site, and they determined by looking at that
that the vast majority of those passwords are heavily reused, because people can't remember changing this all the time. So, can I... so the computer could change the code every time. Like, one of these that's interesting is SIM chips today use one code in there in the SIM chip. What you really would like is a SIM chip that every time it changes towers, changes codes.
What if computers could do that? Be like a hierarchical deterministic wallet inside your SIM chip; that'd be killer, so now, can I track you? So today they have it so that at least when I go to a different country it uses a different identity, called TMSI. I think it is a trusted MSI, where they change it each time, but you know, things like that.
So computers are really good at changing the code all the time: hey, here's my algorithm of code, let's change the code every time. Yeah, so the question is, doesn't that require the website to have changed it? So like, I can make Bittrex more secure by giving them secure 2FA, but you really want to make them much more secure.
Let's get them to send you the transaction as a message on the trusted display, so that when you go to do a transaction, they've at least invested like 3.2 nanoseconds in programming to say: let's push this message not to a totally insecure browser on a totally insecure computer running totally insecure software; instead, push it as an encrypted message to a secure, measured display environment.
So you can confirm: $100,000 from this account to that account, push yes. Wouldn't you like to check that? Like, ah, I could send you your ICO address through a secure channel, so you knew the channel, you knew the transaction you were investing in was actually the code you typed in. Don't assume that because you typed it into your phone or into your PC, what went out of your PC was the same thing.
That's what the hackers are doing: what's on your screen and what it says are two different things. All of a sudden your money went to a different address, and you're like, that's not the address I cut and pasted in. There was a Brazilian hack of their e-commerce system 4, 5, 6 years ago, where on Friday they changed the bank routing numbers, so what was on the screen was this,
and then they routed all the money somewhere else. I'm like, all the money sent to the government on a Friday afternoon went somewhere else. Brilliant hack. But that's like a simple thing to do in the blockchain.
Questioner 3: Just to put it simply, what are the products that you're offering to common people like us? You know, how can we really, maybe we will want to use our blockchain wallet, so, right.
Steven: So for users, Rivetz will produce a 2FA app, will produce a secure messaging app, and we're working on a Bitcoin wallet. But really these are intended to be demonstration apps for developers; the real product is a set of developer tools so that everybody can incorporate these, built into their products.
We don't think we can build the best wallet; we shouldn't try. We should build the tools that allow everybody to build the best wallet. We don't want to build the best messaging system; we want to build the tools so you can hack it up into, you know, the Whisper protocol. You can take the Rivetz basic toolkit, you can modify the open-source
Whisper protocol, and then all of a sudden everything that runs Whisper can have keys held in hardware. So we're trying to pick some simple things, because the beauty of 2FA is I can go give it to, like, the CIO of Boeing, one phone, and all of a sudden his handset's more secure than everybody else's at Boeing. It did not change anything.
And so we're looking for those early, very simplistic wins. Not because they're necessarily revenue drivers, but because they can get the technology into your hand, so you can say, oh, I touched this. Why the hell isn't everything else working like this? Like, I've got trusted display for this stupid 2FA app.
Why can't I have it for every crazy ICO transaction you've heard of out there?
Questioner 4: How are you funding this project, and how will... do developers have to pay you for the technology? Do individuals that use the technology…
Steven: So, Rivetz today: we did an ICO that completed in September. So we launched the Rivetz token; we raised about $20,000,000 in Ethereum; we've converted about $10,000,000 of that into cash, which pays the rent today. The remaining Ethereum is now worth $20,000,000, so that's kind of entertaining.
So you've got to love this space. We also, as a company, sold only 16, 17% of the tokens in the marketplace; we hold the balance in treasury. So on a long-term basis we will both help fund projects with tokens as well as continue to fund the expansion of this on a global basis with tokens, as the tokens really start to engage. We don't have to trade a single additional token out of treasury, ever; there's no obligation to.
But it provides us with access to resources going forward as we finish the tools. What you'll see from us: you will see us at every hackathon, you will see us at every event that there's a developer at, and we will support with bounties a variety of projects in the marketplace. I think it's a little early for us still in that process, but we want to fund developers to build really cool things with these tools and help offset their cost of putting them to work.
So you'll see us putting our tokens to work on that basis, and that's how you get potentially hundreds of developers within a project beginning to take advantage of embedded security. And we think this is an opportunity for every project to realize, you know, they don't want to spend money on security; what they want to do is increase the value of their project. And so our mission is to show that if you add Rivetz to a project, we can multiply the value of the project by multiple times, because of the quality of the data,
and the capability of the system goes up if we improve the quality of security. Think of it as a user interface; don't think of it as security. Right, today we're like the New York apartment lock: there are 17 locks and a big bar and a chain, right? What you're really wanting is the Steve Jobs door, you know, which is like white and has no handles, right?
It just opens, and probably has a grill on the floor so that if you're the wrong person they just electrocute you, you turn to dust, and it cleans you up automatically. That would be an excellent Apple door, right? So something along those lines, right? You need a good AI that doesn't zap the dog. Any other questions? If not, I'll wrap it up.
Tai Zen: Alright, so I think that's it. Alright guys, everyone give a big applause to Steven.