Exclusive: Cyber-Security Guru Vlastimil Klima Talks Blockchain and Cryptelo
This week I sat down with the renowned cyber-security expert and co-founder of StartupYard alumni company Cryptelo, to talk about a topic we’ve covered a lot lately: blockchain, and security.
We have informally dubbed Cryptelo. “The Unbreakable Dropbox.” You can also check out a previous interview with his fellow co-founder and CEO at Cryptelo, Martin Baros, or visit their website to learn more about their products.
Hi Vlasta, tell us a bit about your involvement with Cryptelo. How did you and Martin Baros start working together?
Martin actually came to me after encountering security issues himself. He wanted to create a secure storage solution that didn’t exist anywhere on the market.
As an entrepreneur, he had a natural instinct that caused him to seek me out. When he proposed the idea, I realized: “yes! Why hasn’t anyone done this?” I joined as his chief cryptographer, and together we built Cryptelo.
You have a fascinating background in Cyber-Security, and are named among the top cryptologists in the world. You’ve worked for the Czech government, and you were among the few to seriously break SSL as a whitehat. What drew you to cybersecurity?
As a little boy, I was a very good chess player and a mathematician in high school. I also took part in the International Mathematical Olympiad. Later, I learned/realized that since that point I had been watched by the “head hunters” of the secret service.
That sounds like something from the movies, but it really happens!
Once I graduated with a mathematics degree from Charles University, I ended up working for the state, in a secret department for censorship and cipher development. As I discovered later, there are many great mathematicians and participants in the international mathematical Olympiads working in the secret services of the various states.
One of the big attractions for somebody like me to this kind of work is the opportunity to solve very complex problems that no one else has done before. You have a sense of tackling the unknown, which is very rewarding.
In my work I dealt with the development of cipher and cryptographic devices as well as cryptanalysis. Later I was also in charge of the ciphers for our agents abroad. After the Velvet Revolution in 1989, I was entrusted with the development of ciphers independent of the Soviet Union.
For almost two years I worked for the General Staff of the Czech Army, and then I went to the private sector. The pearl in my story is that I did my first private-sector job together with Eduard Kucera and Pavel Baudis (nowadays Avast’s vice-presidents) for their company, which is now among the top antivirus companies in the world. I’m quite proud of that.
Then a number of security companies followed, for which I developed different cryptographic products or did security and cryptological analysis or cryptographic designs. Some time ago I worked for the Czech National Security Authority on the design of cipher and cryptographic devices already in operation for five years. I was very fortunate to have always been able to work with the most advanced technologies or even the “upcoming” technologies, both in cryptanalysis and in cryptography.
Let’s talk about blockchain. Today it’s often described as highly secure. As an expert, what is your view on this?
The “blockchain” concept is very good and very safe compared to other [data verification] concepts. It is based on distributed security and responsibility, which is great.
But it’s just one building block in the whole system. Much depends on the other parts of the system. Surely you remember the lesson that an attacker chooses the weakest link in the chain. In security, you are only ever as good as that weakest link.
Why is it that despite the integrity of bitcoin’s ledger, there are still so many bitcoin heists and thefts?
Bitcoins are based on the blockchain principle, but paying with them requires the protection of cryptographic keys. In all major world bitcoin thefts, these keys have been stolen. The thieves then simply transferred the bitcoins to their bitcoin accounts.
So this is something like building the most secure safe in the world, with keys impossible to copy and locks impossible to crack, but then having it breached by the thief simply taking the keys off your desk. The whole concept of the unbreakable safe is not much good if getting into it is so easy.
Let us note that there has been a shift in our collective understanding of security – we are not talking about cryptographic techniques, but only about keys, their creation, distribution and protection. In many respects, we have figured out cryptography quite well. Information can easily be made very secure in terms of encryption. But that does not mean we have “solved security.” Far from it.
People think of Bitcoin and other cryptocurrencies as anonymous. Is that a mistake?
Bitcoins may be anonymous, but they may not.
The advantage of bitcoins and other blockchain-based coins is that transactions with these coins can be verified. For the same reason, it is possible to see how the coins “travel” on different “wallets”.
If someone makes a mistake, you can determine who they are, and what they bought for bitcoins.
I worked as a forensic expert on investigating several bitcoin thefts involving illegal drugs and arms markets, and managed to prove who controlled the marketplace and who stole the bitcoins. These are not truly anonymous platforms.
If I’m a regular guy wanting to buy crypto-coins of any kind, how can I protect myself from theft?
Every security breach up till now has consisted of theft of cryptographic keys, which were inadequately protected.
Here comes the simple advice: protect your keys and do not give them to anybody else. At big markets and shops, it is common that you have to give them their keys to make deals for you. Here you have to be very careful, because the purses of the big stores are the most threatened. Just give them small amounts or at best trade peer to peer.
As a cryptologist, what are one or two ways you wish every software company would think differently about data security?
This is very difficult. We all do just what we have to do. It is natural that we do not perceive security as important until we become a victim of a security incident. I have experienced this myself, so I know what I’m talking about.
Most of the time, data security problems arise from a lack of time and money to do the work properly. And attackers choose just this kind of company to attack, because it is vulnerable. So the best defense against security breaches is to maintain a high standard – higher than your competitors.
Predators prey on the weak. As we say: the gazelle does not have to be faster than the cheetah, it simply has to be faster than the other gazelles.