Meet Cryptelo: The Unbreakable Dropbox
Cryptelo joins StartupYard as few companies do, with a fully launched product and existing customers. Founded in 2014, Cryptelo is an end-to-end secure file storage and messaging platform, offering a measure of protection unparalleled by the major file storage, transfer, and communication platforms.
Cryptelo, originally targeted at security-conscious consumers, has shifted its focus toward organizations with highly sensitive data that need to make controlled access to that data readily available and totally safe. Already becoming a favorite among the Czech legal community, Cryptelo is poised to challenge big storage providers by offering first-in-class protection against all manner of cyber-attacks, including physical penetration. To do this, they’ve recruited one of the world’s leading cryptologists, Vlastimil Klíma, who was among the first to crack the SSL protocol, the security relied upon by the world’s banks. I caught up with Founder and CEO Martin Baros to talk about his technology and his vision for Cryptelo.
Hi Martin, Cryptelo is a very ambitious project; solving cloud storage security is something the biggest players haven’t really tackled. What made you want to do it?
My personal experience has taught me how important security really is. Years ago, I was hacked, and my intellectual property was stolen. That cost my company over 2 million CZK (about 100,000 Euros).
It was not fair. It felt like a violation- and that’s a common feeling for victims of theft. I blamed myself, but in time, I came to see that people are really being set up to fail when it comes to digital security. Someone, somewhere, decided that security doesn’t sell, and that’s not right. I set out to change it.
So I decided to create my own solution. This was the start of Cryptelo. I believe that no matter how big your company is, you should have an accessible tool for great security to keep your documents yours.
There was a time in which company security was easy: someone just could not read your documents and communications from the other side of the world, much less the other side of the room. But no more. Most information today is created digitally. I’m convinced that we must have a full right to decide who can read our documents. This sense that we now have, that nothing we say will stay private, is chilling. It tells us that we cannot be candid and we cannot take intellectual risks and speak our minds. That’s not right at all.
That’s why I like cryptography – it can bring freedom and real security in the current digital era.
Let’s talk a bit about your team. You have some of the best cryptography talent in the world. What makes your team better than any other?
I have a strong technology background based on studying at MFF UK and 10 years of professional experience as a software developer, team leader and key account manager in projects with Accenture, Wüstenrot and AirBank.
When we developed the technical proof of concept of Cryptelo, I decided to approach Dr. Vlastimil Klíma – one of the best cryptographers in the world. After just an hour’s discussion where I described our vision, he decided to join us and has become part of our team. He created the cryptographical basis of Cryptelo.
Then we needed superior implementation. Just imagine a product, which could encrypt all of your data, but wouldn’t be able to decrypt it. It would be secure, for sure, but not that useful.
That’s why I set out to build our team from the most talented programmers I have met during my career. Together we have over 40 years of experience in enterprise development. With this knowledge we started building the best software of our careers.
During development we have applied modern methodologies for software development and created amazing infrastructure, which enabled us to deliver new features almost immediately after they passed through testing. From the beginning we focused on automated testing – the underlying cryptographic elements are tested cross-platform, to find incompatibilities which exist between different implementations on different platforms. Each change is built, packaged and is required to pass through a wide range of UI tests, where an automated process simulates a user clicking in our application, trying to verify that everything works as expected. We manage our fleet of servers remotely using SaltStack and monitor a wide range of properties of each host. We have also been running all of our services on Docker from the beginning, which allowed us to offer an on-premise solution early on.
You’ve experimented with B2C and B2B business models. What are you focusing on now, and why?
We started the service Screesh.com, which is similar to uschovna.cz (a file storage solution), but with strong encryption in the background. We also allowed users to encrypt files with a password directly in the browser without any extension. We believed that this would be much easier than the usual way – using WinRAR with a password and sending documents as attachments.
We observed that even though screesh.com is so easy to use, the number of users was growing slowly. We found out that people individually don’t really understand how to price their own security. It makes it very difficult to sell a totally secure solution.
We began to realize that a better way is to go for institutions that you trust, and put great security there. We all rely on banks, telco operators and even small businesses on a daily basis. Why should you take sole care of your personal security if big companies aren’t doing it themselves?
Currently, selling digital security to individuals is like selling crash helmets to pedestrians. It doesn’t do much good if the corporations are driving rally cars on the sidewalks.
Why do you think it is that in 2017, security discipline is still generally so poor in many companies?
Imagine that you built a city with parks, family houses and skyscrapers. And when everything is ready you find out that you built it in an earthquake zone. But your houses are not ready for circumstances like this. What would you do? Would you demolish the whole city and build it from scratch?
Cyber attacks are quite similar. Most companies didn’t know they should implement security and they built their businesses without it. And now there are 130,000 cyber attacks every single minute. That’s like 130,000 tiny little earthquakes, and you’re just praying it doesn’t happen to you.
There is a significant trend to move data to the cloud. Cloud is connected with a lot of risks – you lose physical control of your data. End-to-end encryption is one answer for that. With E2E encryption your data are locked in the black box and travel like this securely over the internet and are stored on the server. Only authorized people have the right key to open it on their computers.
All well and good, but the problem is that the most effective way to implement this level of security is to start from scratch. Especially big companies cannot demolish houses in their cities, because there are people already. But the truth is that the infrastructure of many big data companies just wasn’t designed properly. They are built for speed, for flexibility, and for accessibility. You can’t do that and expect unbreakable security at the same time, unless you build something secure from the ground up.
What are, to you, the 2 or 3 biggest mistakes most people make when it comes to their digital security? How can they fix these mistakes?
Cyber security risks are invisible to most people. That’s why they aren’t mindful.
We wouldn’t walk in a bad neighborhood at night with money in our hand. But we pay online with our credit cards through unknown web pages using unsecured wifi. That’s pretty much the same thing. You won’t automatically get robbed, but if you knew how dangerous it was, you might not do it.
We wouldn’t use a postcard even for a love letter, but we send our personal information and details of million dollar contracts by email. That’s a serious dissonance in our sense of what is secure and what is not.
Worst is that the big players don’t want you to care about security, they want you to use their service and share there as much as possible about your likes, plans, dreams and your friends. This data is gold in the e-commerce business and many businesses are based on it these days. That’s why Facebook will never bring real security to their products. It would kill its business. They will always be playing catch-up with cyber-security because anything more proactive would only slow them down.
It’s also much cheaper if you don’t care about security too much. Have you ever tried to upload a well known movie on a file-storage platform? It’s uploaded in a few seconds. How is that possible? The reason is that users’ data are shared between accounts. That means, in effect, that the platform is scanning and analyzing everything you upload, and that data is all going somewhere out of your control.
Tell me a bit about your technology: how does Cryptelo work, and why is it unique? What can customers do with the platform?
Cryptelo is a virtual encrypted drive. It has the basic functionalities of a Dropbox or a Google Drive – you can use your web browser to access files from any computer.
Even though Cryptelo is as easy to use as Dropbox, it brings end-to-end encryption and a zero-knowledge server concept. We have a totally different approach to security than Dropbox or Google Drive. The standard approach is to create a service, put it on the physical server, and build barriers – spread data into more datacenters, put these servers behind a firewall, keep servers in the datacenter located in an anti-nuclear shield, restrict people who can access it.
But even with top-notch data center security, a “mission impossible” type attack could breach these barriers and gain physical access to the server. That’s about as secure as a bank vault- and bank vaults get robbed all the time.
Our approach is that we also have all these barriers, but when Tom Cruise steals the server, there is nothing useful on it. All data are encrypted and the keys for opening it are not there. The data is useless.
But Cryptelo is not just a virtual encrypted drive. Drive is just one of the uses, and a first step toward what we are building with our secure platform. The technology we’ve built is able to secure chat, email, and provide strong authentication based on cryptography.
Just out of interest, why do you think it is that Czech engineers have gained such a strong reputation for security and cryptology prowess? Does something in the culture or history of Czechia make them particularly suited to the task?
It’s probably a combination of talent and environment. Slavic people are known for their strategic, probing thinking, and it’s a bit of a justified stereotype that we produce chess masters and rocket scientists faster than we produce world renowned writers and artists. We have these too, but to Czech people, there is art in working with your hands, and solving puzzles.
If someone describes the rules of a game – law, technical environment – we start to think: Is it bullet proof? Could I bypass it? It’s natural. We just like puzzles and smart solutions. And that’s exactly what maths and cryptography is.
We call it the “Zlate Ceske rucicky,” or “Golden Czech Hands.” Czech people just like to fix things, and to squeeze the tiniest efficiencies out of their materials. Sometimes we say this in a joking way, as a Czech would rather fix something old than buy something new. But it is deep in our culture that we build things that will last a lifetime. Just look at our cities: we have trams that have been running continuously for over 60 years, bridges and towers that have stood for centuries. We build for endurance.
And I think Czech technology proves out that trend as well. We have had 40 years of communism behind us. Times when we had to find ways to create and fix things with limited resources. Look at our arms industry, or automotive- we produce robust products at low prices.
Combine these things and superior programmers and security experts are born.
And you can really see this trend in Czech: Avast (now together with AVG), TCP Cloud (acquired by Mirantis), TeskaLabs, Apiary (acquired by Oracle).
Before Google built sales offices in Europe, they built a development center in the Czech Republic. No coincidence.
What is the biggest difficulty you have in selling Cryptelo as a solution for your core customers, like law firms or consultancies?
We are currently targeting trusted institutions that need to set a high bar for their security with client communications, as well as internal communication. That means law firms, tax and finance companies, even banks. And one of the challenges here is that, again, people do not want to think about security. We find, for example, that potential customers often want to buy our solution because of its features, like storage and sharing, and not because it is secure. To them, security is seen as an add-on, and not the core value.
That takes some adjusting, and we need to meet our customers somewhere in the middle. They need to see the value in security, and paying more to have it. But at the same time, they need to feel that they are doing something that will not create an undue burden on them. People don’t want to “buy security.” They want to buy secure solutions- and that means selling both security and the solutions together, and they need to be educated to measure their value appropriately.
That has been a learning process for us, and one we have been applying successfully in our talks with law firms in the Czech Republic. Finding out what is most important to these law firms is key to helping them see the benefits of using Cryptelo- so we have learned more and more to focus on what the customer sees in the solution, not just what we see as its core value.
How has your experience been at StartupYard? What surprised you? Which of the mentors had the biggest impact, and why?
In StartupYard I fully realized that there are two different tracks in building a real company: the hard part of creating a product, and then the even harder part of selling it. It’s crucial to get advice from someone who’s been in your shoes. Thanks to SY we got the opportunity to talk with scores of experienced mentors and entrepreneurs who have all been there, and understand our struggles, and how to get past them. You can’t read this kind of thing in books.
Would you recommend that other startups apply to an accelerator?
100%. SY is like a First Aid Kit for most of your business troubles. Imagine that you decide to build a company to fulfill your vision. How will you incorporate, get the first money to build an MVP? How would you know it wasn’t just a terrible idea, or completely the wrong direction to take? Where will you meet tens of your potential customers to verify your market fit? How will you create and learn how to perform the perfect pitch that you need for getting customers and bigger investors?