Cyph: Mach37 Alumnae Interview with Ryan Lester and Josh Boehm

defcon-joshandryan

Ryan Lester and Josh Boehm, Cyph Co-Founders

What opportunity did you recognize that led to the founding of Cyph?

Ryan Lester & Josh Boehm: Back in AIM’s heyday, the two of us would often chat online using Pidgin with the OTR plugin (the end-to-end encryption setup du jour). This wasn’t because we’d had any particular need for that level of privacy, but more because it seemed cool and made us feel like secret agents.

cyph-purple-horizontalHowever, as “cool” as OTR seemed to us, we couldn’t get any of our other friends to start using it with us; it was just too much of a pain to download and set up a new application, install some third-party plugin, generate a key pair, verify friends’ public keys, learn enough crypto 101 to even understand what public key authentication meant/was/did, etc.

Years later, we were working at SpaceX together, where we repeatedly witnessed firsthand the critical need to protect trade secrets from powerful adversaries and to keep strict compliance with export controls such as ITAR. During this time, Edward Snowden’s leaks about the NSA’s extensive digital surveillance programs also came to light.

Instantly, it clicked for us that both business and consumer contexts faced an urgent unmet need for truly private communication. There were some tools and methods that existed, but from experience we’d learned that they would largely remain unadopted without a user experience that equalled or surpassed existing non-secure communication solutions.

What specific value does addressing that problem provide for your customers?

Lester and Boehm: We have no doubt that people want more security and privacy when it comes to their communication and data online — just not if it comes at the cost of their convenience or has a learning curve to it. By addressing this and making user experience second only to application security in our priorities, Cyph is making cutting-edge quantum-resistant cryptography more accessible and easier to use than ever before.

Instead of the traditional painful user experience, you don’t need to force anyone to sign up or install some software to communicate with them. When someone doesn’t already have a Cyph account, you can simply send them a link which will work on any device with a modern web browser.

On that note, the browser turned out to be a very interesting technical challenge for us. Due to the plethora of attack vectors which entirely undermine the security of web applications within the context of our threat model, initially it seemed like we wouldn’t be able to offer our desired UX (in good conscience, anyway) — which brings us to our next answer…

Why aren’t current solutions addressing this problem effectively?

Lester & Boehm: Before our talks at Black Hat 2016 and DEF CON 24 on the research that went into Cyph — more specifically on something we call WebSign — providing code signing (a standard practice in native apps, and an absolute prerequisite to secure communication) within a web application was considered by the security industry at large to be literally impossible. Given that we had to invent the solution to this daunting technical problem, it isn’t surprising that we’re the first to address it effectively.

Going forward, WebSign is an advantage that we’ll most likely retain uniquely to Cyph, as we have a patent pending on the technology.

What makes your approach different and better from existing approaches?

Lester & Boehm: First, as implied in our previous comment, Cyph is the only secure communication tool in the world that can run as a web app. This may sound minor, but it actually makes a huge impact on the user experience. Most people don’t want to have to download and install new software for something as simple as sending a text message or joining a video call — particularly your non-technical friends who may not fully understand your frenzied rants about NSA spying. To get started with Cyph, they can just click a link.

Second, Cyph is one of a tiny handful of solutions that are remotely trustworthy for secure communication — the other major one being Signal by Open Whisper Systems — among which Cyph is the only one to attempt to protect present-day communication from theoretical future quantum computing attacks. This may actually kind of matter, given the NSA’s recent announcement.

What about your team’s background puts you in a unique position to succeed?

Lester & Boehm: The two of us have worked together and known each other for the last 20 years or so. We know our strong suits and shortcomings, and each complement the other’s. We’ve worked on numerous cool projects and jobs together, but what generally defines our ethos to most people is the time we spent leading Software Quality Assurance at Elon Musk’s SpaceX (occasionally working on the same code with Tesla Motors). It was our responsibility to ensure that all of our internal software was free of bugs, defects, and vulnerabilities; downtime could potentially cost the company millions.

While our team was understaffed and we were overworked, our experience with SpaceX and Tesla was invaluable preparation for running a successful software product. We gained experience working directly with their CIOs, and of course with some of the brightest programmers in the world. While SpaceX was a large company, it retained a startup feel with open offices, flat reporting structures, and people “wearing many hats”; the whole environment was like a pressure cooker for entrepreneurship.

Plus, we’ve noticed that saying you’ve worked with Elon tends to open a few doors. :)

What are some of the milestones you have passed since graduating from Mach37’s fall 2014 cohort?

Lester & Boehm:

  • We closed our $500k seed funding round last fall, with the lead investors being Goel Fund and Mach37’s former parent company CIT
  • We’re now working to monetize on the enterprise side, while keeping Cyph completely free for individual end users
  • We had an extremely positive code audit report from the pentesting firm Cure53: “Cyph provides security from a broad range of cryptographic attacks and very strong client-side crypto. The general conclusion of the test is that no major issues in regards to application security or cryptographic implementations could be spotted in spite of a thorough audit.”
  • As mentioned, we recently gave a successful talk at Black Hat and DEF CON (the two largest hacker conferences in the world)

What one aspect of the Mach37 programs did you personally find most beneficial?

Lester & Boehm: Coming from pure software engineering backgrounds, Mach37 helped immensely in spinning us up on how to run a real startup — (“real” in the sense of being a full-time venture with external stakeholders and financial targets, rather than just a side project). A large portion of Mach37’s three-month program focuses on quickly getting founders up to speed on material you would expect to see in an MBA program — particularly as it pertains to startups, fundraising, and the cybersecurity industry.

What question should we have asked but didn’t?

Lester & Boehm:
“How are you going to make money?”

First of all, if you’re an individual (i.e. not using Cyph for business purposes), access to the core product will always be free. People aren’t used to paying to talk to their friends and family, nor do we believe they should have to just to ensure basic privacy. While we may eventually offer a premium tier for users who want to support us, something like that would only grant access to non-essential bonus features. The free tier of Cyph will never be less capable than paid options when it comes to privacy or security.

The money comes in from licensing our software to businesses and government, either to protect their internal communications or to allow for easy secure channels to their customers/clients. One of the first industries that we’ve noticed crying out for an answer is the telehealth space. By law their communication needs to meet HIPAA standards and yet for many older patients the solution for that must be easy to use and absolutely intuitive.

However, the biggest opportunity may very well turn out to not even be Cyph itself, but rather licensing out WebSign for entirely separate use cases. The potential utility of “secure websites” (in-browser code signing) is almost certainly broader than our narrow focus on end-to-end encrypted communication.

Learn more about Cyph here.

Related Posts

Virgil Security Raises a $4 Million Series A

virgil-co-founders-with-rick-gordon

Virgil Security Co-founders Michael Wellman (left) and Dmitri Dain (right) Ring the Mach37 Bell to Celebrate Reaching Escape Velocity; Rick Gordon Joins In the Celebration

 

On October 7th, Virgil Security closed a $4 million Series A investment, led by KEC Ventures. KEC is a venture firm founded by Jeff Citron, who also founded Island ECN, Datek Online and Vonage.  For those of you who are close to Mach37, you know I have been promising for many months that we have several companies ready for Series A investment. Virgil was one of them.

As I thought about using this blog to crow about our investment strategy (we actually hunted for a company that offers easy-to-implement encryption infrastructure) or in some way hype-up just how smart we are at Mach37, a conversation I had last week caused me to think better of it. Virgil’s CEO Michael Wellman offered the key insight. As I was verbally high-fiving Michael, he took a characteristically humble look at the company’s journey so far and remarked:

“You know Rick, it used to be that if you worked hard, had talent, OR got lucky, you could make it to the NFL (National Football League).  These days, to make it you need to work hard, have talent AND get lucky to even have a chance.”

And, so it is with technology start-ups.  The hidden truth is that entrepreneurs can have talent, make every right decision, and work their butts off, but if serendipity does not smile the company will fail.

In the case of Virgil, I can point to a handful of inflection points that relied heavily on just being in the right place at the right time.  I can say the same for Invincea and Lookingglass, two companies I was intimately involved with during their early struggles that have since achieved similar inflection points.  However, the truth is that all of these companies still have additional milestones to achieve before any of us can declare victory.

So, instead of trying to convince you that the Mach37 team is smarter than we really are, I’ll just say that we feel really fortunate to have had the opportunity to invest early in Virgil. It is a company that has the world class talent and drive required to be successful AND was able to create the necessary luck along the way to close its Series A.

Related Posts

 

Bring-Your-Own-Keys: Bringing Trust into SaaS

Below is a guest post by Karthik Bhat, founder and CEO of SecureDB, a MACH37 portfolio company.  SecureDB’s Encryption as a Service product makes implementing encryption into applications fast, easy, and inexpensive for businesses of all sizes – from startups to Fortune 500.  Learn more about SecureDB at https://securedb.co/.

– Ledger West, Associate Partner, MACH37


Over the last few years, a wide variety of internal functions of business – HR, Payroll, CRM, e-signature, Benefits Management, Health Insurance, Project Management etc. have moved to respective SaaS companies. With more and more enterprises handing over their sensitive data to SaaS providers, there is a tremendous need to protect this data in the cloud using encryption. Any responsible cloud provider should be encrypting this sensitive customer data along with all proper key management practices.

However, the biggest challenge of cloud-encryption is: who owns the keys? Quite a number of companies will be okay with their SaaS provider owning and managing the encryption keys. Many will not.

The need of the hour is for the cloud platforms and SaaS companies to allow their customers to bring their own encryption keys – Bring Your Own Keys (BYOK). This way, customers can rely on SaaS companies without any apprehensions about data-leaks. BYOK will ensure that a SaaS company’s access to customers business data is always controlled. Thus, cloud providers and SaaS companies can continue focusing on the core value that they provide to the enterprises, without sweating much about security of sensitive customer data.

Why BYOK is Important?

The beauty of the BYOK is that enterprises have full control over the life cycle of the keys (generation, usage, backup, rotation etc.). The enterprise can also assign specific permissions on the encryption keys that limits what the cloud provider could do with the keys (for example, give only ‘encrypt’ and ‘decrypt’ permissions and not ‘key-rotate’, ‘key-delete’ permissions). The enterprise can also view the key usage logs to ensure the keys are used in accordance with the agreement.

When the enterprise wants to cease using the SaaS provider, they could download their data and simply revoke the access to the key. The SaaS provider no longer will be able to view or process the data. No more worries about whether the SaaS provider has done the right and responsible thing and deleted your data.

Bring Trust into SaaS
At SecureDB, we anticipate this to be the next logical step to acceleration of SaaS adoption.

Bring-Your-Own-Keys (BYOK) for data-encryption converts cloud and SaaS (inherently un-trusted) environments into trusted environments.

BYOK-Bring-Your-Owk-Keys-For-Cloud-SaaS-Platform-SecureDB-Data-Encryption

Source: https://www.flickr.com/photos/1116926
34@N04/11406956076

Consider this: when your company is using a SaaS service, your company data is most likely sitting right next to some other company’s data – in the same table or in the same database. This means that if an attacker finds a way to compromise the SaaS provider’s database, your company data is compromised just as everyone else’s.

Enter BYOK. If the SaaS provider supports BYOK, your data is encrypted using the keys you own. Now, you are protected against a whole slew of attack vectors. You can revoke the keys at will. This is in the best interest of SaaS companies too. They can vastly reduce their exposure to risk.

Write this into contract
Before a company hands over the data to SaaS companies, it is in the company’s best interest to ensure the SaaS company is encrypting the data. Call out specific fields that must be encrypted and provide the SaaS company with BYOK key.

We agree, this is still few years out. But we need to start somewhere. Please share your thoughts in the comment box below.