September 25, 2024

In this episode of The Virtual CISO Podcast, your host, John Verry, engages in a casual conversation with David Carvalho, a renowned cryptography and cybersecurity researcher with over 25 years of experience. David shares insights from his extensive career, including his role as a global chief of security and advisor to nation-states on cyber warfare, terrorism, and espionage. Tune in as they explore key topics such as:

  • The evolution of cybersecurity in critical infrastructure
  • The potential of blockchain technology in decentralized trust models
  • The rising threat of quantum computing to traditional cryptography
  • The implications of Gen AI in cybersecurity and trust systems


John Verry (00:00.098)
casual conversation, it’s gonna go wherever it goes. But you know, I’ve heard you talk, you’re obviously really good at this, so it should be fun. All right, all right. Hey there, and welcome to yet another episode of the Virtual CISO Podcast. With you as always, your host, John Verry, and with me today, David Carvalho, I think is the way to pronounce it. Hey David.

DC (00:22.369)
Pretty good, thanks John, nice to see you.

John Verry (00:25.11)
Nice to see you as well. Thank you for, I was going to say good morning or good afternoon, but it’s actually good evening for you. From the sunny climbs of Portugal. Well, thanks for staying up late and joining us here. I always like to start simple. Tell us a little bit about who you are and what is it that you do every day.

DC (00:34.945)
That’s right. That’s right. The north cold sunny places in Portugal.

DC (00:47.585)
So yeah, my name is David Carvalho. I have been a cryptography researcher, cybersecurity researcher for close to 25 years now. So I’ve been an ethical hacker for about that time as well. I’ve been global chief of security for a number of multi-billion dollar companies, both in Europe and also in the UK. And I’ve led various, how can I say, at both at nation state level and also in very large companies.

from a digital perspective, focusing on cyber, of course, but also with the good elements of what you would call kind of like disruptive technology, things like blockchains and cyber security and AI at the time was disruptive and things like this. And I’ve also been advising a number of nation states that are members of the European Union and NATO members on cyber wars, cyber terrorism and cyber espionage.

for close to a decade and a half now. And dealing with real world events, advising on them, also helping with legislation, data protection, things like this. I’m part of a number of think tanks in those areas, very much focused on risk mitigation, on critical environments, critical infrastructure, highly regulated spaces. And I’ve been involved in the blockchain space for

quite a while now, so I was kind of like part of DOGs in the beginning. It was since 2010, about that. So I’ve been a miner, I’ve been a developer, I’ve been an innovator in this space. And yeah, that’s about me.

John Verry (02:17.421)
Thank

John Verry (02:26.062)
I always ask what’s your drink of choice?

DC (02:29.405)
My drink of choice. That’s a good question. My poison is tequila.

John Verry (02:34.658)
Ooh, I’m an equal opportunity offender. Bourbon probably, beer, red wine, tequila, mezcal. Yeah, there’s not much that I’m not willing to drink. I think alcohol is a wonderful social, I drink often but not a lot would be the way I would say it.

DC (02:35.765)
And yours?

DC (02:58.421)
Well, if I was with the right company, I would probably drink constantly.

John Verry (03:02.734)
Well, listen, if you’re advising world governors on cyber warfare, I don’t know how you don’t drink all the time. Because like you’re one of those guys that probably knows a lot of things that the average person doesn’t want to know. So I’m surprised you’re not drinking just because you have to when you know the crap you know.

DC (03:18.635)
You know, after a while, it kind of averages out. So the necessity of drinking is just the same as anybody else.

John Verry (03:25.23)
Yeah, I don’t know about that, but anyway, alright, so this should be an interesting podcast for me, you and the listeners. Like for me, despite my best efforts, I spent some time looking at your Naoris Protocol website and it’s fascinating, and actually listening to one of your podcasts, and I’m hoping you can dumb it down enough that I can understand it better than I was able to understand it.

From the audience, I think it’s important that they get a glimpse into the challenges and potential architectures of the future of blockchain. I think the challenge of your website and me consuming all of it and understanding it was you involve so many leading edge technologies into your solution of what you guys are trying to do there. You talk about blockchain, you talk about a post-quantum world, which I don’t think people fully understand the implications of. You talk about zero trust, I understand how that kind of plays in.

You talk about Web 3 versus Web 2. You talk about Gen AI as a particular threat. You talk about DePINs. I think those are just a bunch of new things that an average person isn’t aware of. So hopefully, I’m going to ask, is the best way to attack this in a way that a 10-year-old might be able to understand it would be for you to explain what the problem is or what the problems are and then discuss how your solution solves them?

DC (04:47.019)
Yeah.

Yeah, that’s a good, I think that’s a good start. There’s a lot of caveats and technologies that kind of like build into this and a lot of them actually come from the web 3 environment. Others come from, you know, risk management approaches and so on and so forth that are also kind of like futurist looking. But I’ll start with the context of risk and things like this. So if we look at cyber today and this is something that, you know, most listeners are aware.

We’re looking at close to, in the next year or so, $10 trillion if not more, damaged directly and indirectly from cyber risks. And that’s what’s, how can I say, because a lot of it is nation-state related and it’s not really counted. It’s cyber espionage and exfiltration of data and God knows what, whatever. So if you think about this, this is a massive, massive issue.

Like it’s probably the biggest issue in the world from a perspective of loss to the global economy. So if you think about that, it would be kind of like if it was a nation, it would be probably like the third biggest economy in the world. And that’s just lost. Or actually, it’s probably reinvested into things that are not good. Right? So it’s something to tackle.

that impacts all of us, it impacts our devices, it impacts our data, it impacts our governments, it impacts our safety, so on and so forth. And I believe that those risks, not just by myself, the people that are involved in our protocols, so our advisors, our board members, some of the people that, for example, were some of the creators of the internet as we know it, to an extent created protocols for the internet itself, or the random internet even that we have in our board, like David Holtzman.

DC (06:39.777)
They believe the biggest problem of this comes from the fact that, well, every device really in the world, especially with IoT and going into like 150 billion devices, so on, so forth, is kind of like a point of failure for everything else that it is connected to. And that’s not just the devices, that’s also the software, the drivers, the operating systems, all the complexity. So…

Everything that exists that’s plugged into anything else is a point of failure from cybersecurity or cybersecurity perspective to everything that’s connected to. So in other words, an attacker or malicious developer or whatever could actually take over to an application or a vulnerability, a single device, a single process, and eventually take over a full network and do really what they want to do. Exfiltrate data, ransomware, destroy it, you name it.

And, you know, this is really nobody’s fault, even though it’s a global problem. This is how the internet is made. So our approach was really kind of like to change this primitive, let’s call it, or this fundamental paradigm by bringing blockchain into the equation and allowing for each device really, or even applications, to become nodes in networks that

they are part of what we call a decentralized consensus mechanism. In our case, we created it together under former NATO leadership advisory, let’s say a consensus dedicated to this objective that’s called decentralized proof of security or dPoSec, that has the simple objective of bringing every device, for example, in a network or across various networks that are part of some critical operation into consensus about the mathematical trust and validity of these operations. So in other words,

Right now, if my phone is communicating with the bank and the bank is communicating with another bank and so on, getting some data from an API in the cloud and so on, there is really no validation that this is all trusted. The bank doesn’t know your application is tampered with or not. Maybe your account has been taken over and you’re going to get wiped. The bank doesn’t know, right? That’s a risk for the bank. You don’t know if the bank’s getting data from a good API. The bank doesn’t know either.

DC (09:01.749)
They don’t know if the system that created the data in the cloud that you’re consuming and that’s going to lead to your transaction was actually in a trusted state or if it has been hacked or if it was not following best practice or not patched properly or whatever. And then the other system that receives this data and transforms it and sends it to another server in the cloud that has an API that you connect to and the bank connect to, none of you know if that API is trusted and if the system has been hacked and so on.

And if it is, you probably don’t want to consume this data, right? So really what we are creating is kind of like an internet of trust in what we call a decentralized cybersecurity mesh. So we call it, it’s really a decentralized security and trust layer for systems to provide data assurance and security under a decentralized paradigm. So the more machines you have in a system like this, the more complexity you have traditionally, the more quote, quote, points of failure you have, the more opportunity you have.

through a system, through a program to actually take over the whole environment or destroy it, right? Or at least tamper with it. Under the paradigm that we are working on together with our partners in academia and in defense and in other areas, the objective is really to leverage that complexity and use them all kind of like as an army that ends up validating each other in a hyper resilient cryptographic environment, all the way up to post quantum resilience level cryptographically.

talk a little bit more about that further, in order to prove mathematically that you can trust that system and get the data from this application that’s running on it in another network, maybe in the cloud, without actually having access to it. So it’s kind of like, it’s a trustless environment that at the same time allows for zero proof of knowledge, which just means that you can prove something is good.

John Verry (10:44.461)
Hmm.

DC (10:57.609)
without really knowing what it is and still maintaining its privacy. So if you think about it, exactly.

John Verry (10:59.502)
Right, right, right. If you trust the system, if you trust the system that, you know, whatever this, call it algorithm, protocol, whatever it might be, that somehow validates that every compute endpoint, for lack of a better phrase, has been validated to be secure, you know, as long as you trust that system, you know, it’s almost like a certificate authority, right?

DC (11:23.595)
That’s right. A decentralized certificate authority for every action, every action, for every piece of software, for every transaction, for every state, like all the time. So if you think about it, this is extremely powerful because all the data moves in this way, but currently we have no idea if you can trust any of it. We just assume we can, but we have no way to know if that centralized validation system is actually trusted or not.

John Verry (11:26.456)
for devices, right? Yeah, yeah.

Yep. Right. That’s crazy. Yes.

John Verry (11:45.42)
Right. All right. So here’s a question.

John Verry (11:51.532)
Right, but assuming we trust the centralized validation system, like we trust the certificate authority, then yeah, if we assume that, and I think it would be, I think that would be a reasonable thing to be able to architect. What I’m not certain of is how would one go about architecting some type of a solution that can validate the security posture, the trustworthiness of a

an insanely diverse array of endpoints of some sort. How does that part

DC (12:26.369)
Right. Right. So you would have to create what’s called kind of like a group of best practices, let’s say. And they could be, you know, because cybersecurity is never 100%. Right. It’s really, you know, there’s no way for you to know 100% that something is or isn’t centrally, really. So you just assume a lot of things. Like you need to do a lot of assumptions. Or do I trust this integrity validation system?

I actually need to trust the system to trust it, but I don’t know if I can trust the system. And I don’t know if I can trust what the system tells me, because itself it’s really easy to manipulate. It’s a central system. So basically a group of best practice, kind of like GRC, for lack of a better expression, standards have to be defined to create what’s called a decentralized security baseline in our case.

And that decentralized security baseline is basically just guarantees and their consensus, not just one system saying it, but all of them validating that it’s true. And that’s powerful. Why? Because if I want to tamper with this principle, normally I just tamper with one machine or the machine itself. That’s it. I’m done. I win. But under this paradigm, I actually need to tamper with the validation structure itself that is decentralized and it’s a noble. You don’t know where they are. You don’t know who they are. And you don’t know what they’re validating. Right.

So if the baseline is defined mathematically to be a structure, right? And that structure is just checking, you know, is this system up to date? Are there any non-vulnerabilities in the system? Is it following like, I don’t know, NIST or ISO 27001 or PCI DSS or whatever it is in the environment that it is. It doesn’t almost matter. Like if it is a cloud system or a laptop or a phone or an IoT device, you just know that,

this is doing best practice, I can actually prove it mathematically at every point in time that it is happening. And therefore, I have a much higher, like exponentially higher level of trust on the data that’s coming from it because I actually know it’s a trusted environment. Because right now we don’t know any data transfer is actually coming from a trusted environment. Yeah.

John Verry (14:38.68)
So.

John Verry (14:43.34)
No, logically I get it. And fundamentally I agree with the concept completely. Yes. Yes.

DC (14:48.767)
And really the baseline is a blockchain baseline. Kind of like the principle of decentralization is this. We’re just doing this for data and systems instead of doing it for what it’s.

John Verry (14:57.304)
Blockchain is the record keeping, right? The blockchain is the way that we’re going to do a lookup, I’m assuming, that I’m assuming you’d have to some sort of an agent, if you will. Because if you think about it, like an API, you’d have to be on the backside of the API, because the API is only exposing what it is. Without credentials, you can’t tell. So as an example, if we had, let’s say, a server, and let’s say the server, it only has one port exposed, so you can’t really

DC (15:11.521)
It’s not really like an agent.

John Verry (15:25.999)
from an external perspective look at it. But if it had an agent on it, and let’s say we could validate that CIS benchmarks were enabled completely. And you said, okay, that gives me a trust level mathematically of this. Okay, that gets recorded on the blockchain. So now my system goes to talk to that device and it says, hey, based on, I look up on the blockchain, like I look up on a CA and say, is this really Amazon? I’m looking up and saying, okay, is this a trustworthy device? It can give me a scale of trustworthy, I assume, right?

DC (15:49.414)
Mm

DC (15:55.201)
potentially.

John Verry (15:55.406)
because devices are not going to be always on. There is no 100% security, right? And it could be 95% compliant with the CIS benchmark. So the trust level would be a little bit lower. But I could then, let’s say, configure my system to work within certain levels of trust. That’s actually pretty cool. And then you could do the same thing with an API, right? So if an API, you could do it where it’s maybe, do they have a digitally readable SBOM, right? If they had a digital SBOM, we could actually read the SBOM.

DC (15:59.018)
No.

DC (16:03.52)
Right, right.

DC (16:12.756)
Absolutely.

John Verry (16:24.534)
And we can make a determination as to whether or not there are any vulnerabilities associated with the libraries and things that are, okay, I see what you’re doing. That’s really cool.

DC (16:33.505)
So this is quite transversal. So everything that you were imagining and kind of like, you could do this, you could do this. Absolutely. So it’s kind of like, if you think about it, it’s almost like, I wouldn’t call it an agent. I’d call it, it’s kind of like it’s a dApp, right? So decentralized application that connects directly to the consensus mechanism. So itself, it is a server and the client at the same time. And it doesn’t live alone. It’s part of this mesh.

John Verry (16:38.702)
Yep. Yep.

John Verry (16:54.145)
Okay.

DC (17:02.945)
of trust that all of them need to agree that mathematically what’s happening is actually true. And this can be done in a hybrid public or private way. So if you want, some of this data can be completely viewed to you internally and you see all these details only you because only the validators are the company, for example, or their networks or the cloud, so on and so forth. But this can also be completely public.

So in our case, it’s really, it’s a mix of things. We’re going to go public with the public one, but we’re already working with governments and banks and critical infrastructure and defense organizations on the other one, which is either the private or hybrid approach.

John Verry (17:43.586)
Yeah, so I can imagine for a supply chain, right? For a critical supply chain, something like this makes complete sense. And it gets around a lot of those challenges that you’re inherently going to have with fully public infrastructure, where we’re going to end up in endless debates about how secure and how often we have to sample and things of that nature. But if we were doing this in a supply chain where we were going to be more open with what exactly was going on on each of these devices, yeah, that would be an awesome way of doing this.

DC (18:01.718)
That’s right.

DC (18:12.233)
Absolutely. I mean, if you think about it, most of the, let’s just think about, for example, as an example, insurance company, right? I’m an insurance company. I want to do cyber insurance. Like I have seen a lot of different cyber insurance. I’ve seen a lot of situations where randomly they got paid, other times they didn’t get paid. But the question is visibility and trust. Like, you know, it’s a different environment. You cannot see it.

You know, the insurance company just signs a paper with you and you know, it’s hard for you to get paid. Let’s just be honest. Like, cause the opportunities for the insurance company to claim something was not ideal somewhere is almost infinite, right? Even though the risks are not going away. So for example, this sort of approach allows for the insurance company to have pseudo visibility of the SLAs from the systems of the client and, under, for example, smart contracts, automatically adjust the pricing structure.

Like, do you have a bit of risk here? I don’t know what risk it is. I just know that this line and this line from ISO 27001 or PCI DSS or CIS or whatever are not being followed. And you have 60 days to fix this and send us like the plan. Otherwise, we’re going to increase the fees.

John Verry (19:24.43)
It’s Uber surge pricing, it’s CLI surge pricing. They didn’t patch vulnerabilities this week, suddenly their CLI policy cost them, instead of $500 this week, it’s $5,000 because that’s a critical risk and you didn’t patch it.

DC (19:28.826)
Exactly.

DC (19:38.209)
So imagine you’re a financial regulator. Absolutely. You have no visibility. You send a guy. And the guy, this is the standard right now. The guy goes there, big four, whatever, nothing against them. They’re doing their job. The guy goes there and is like, OK, I have a template. You are a bank. 50,000 devices across 10,000 locations. And I’m going to fill this template. I’m going to ask some questions to the board. And they’re going to answer it.

John Verry (19:43.096)
Yeah.

DC (20:06.401)
I’m going to check two or three computers out of the 50,000. I’m going to give you a stamp and somebody is going to give me a million dollars. And that’s a picture in time. In a year, sometime next year, you’re going to do the same. And this is kind of like the best practice. But under this principle, it’s a very different, more transparent approach that actually uses the whole infrastructure of the bank, for example, for consensus, which makes it extremely resilient and hard to tamper with. Because really what we’re talking about is really bringing the

John Verry (20:17.806)
That’s great. Yep.

DC (20:35.265)
hyper resilient cryptographic structures of blockchains into any trust, any system that needs enhanced trust or any process, let’s say, of digital, of any kind of digital.

John Verry (20:46.84)
Mm-hmm. Yep.

Yeah, which are almost all transactions, ostensibly, right? I mean, there’s not a lot. So question for you. So, all right. So I see where the blockchain is basically the immutable capability for the record keeping and the smart contracts and all that kind of stuff. That makes complete sense to me. You make a big point on the website, and I didn’t really understand this, the post-quantum. Why is this solution more, seems important to me today.

DC (20:53.469)
That’s right. That’s right.

John Verry (21:19.34)
Why is this so important post-quantum? What’s the significance of that?

DC (21:22.741)
No, that’s OK. So we are very connected to a number of former NATO leaders, generals, and so on, in intelligence spaces. And we take the quantum computing or quantum singularity risk very, very seriously, as do the environments that we work with. So very quickly, what does that mean? Well, there is a very high probability that it’s already happened or in the next one, two, three, or five years,

there’s going to be some sort of quantum singularity or whatever you want to call it. A computer that has enough qubits or with a certain technique that breaks any and all elliptic curve cryptography. So it basically would allow the attacker actor, be it at the nation state or any other kind of adversary, to have access to all secrets for everything all over the world at the same time. And that includes private keys, PKIs…

blockchains, all of it and break it. Obviously that actor wouldn’t want anybody to know they have that capability for the longest time because that’s their advantage. So there are two things that are happening right now and this is factual. One of them is the harvest now decrypt later approach for keys. So there’s nation states and other, let’s just say groups that are harvesting in large quantities keys.

of the internet in any sort of transactions that are cryptographic in nature, that they cannot decrypt yet potentially, we are not sure. But they are waiting for the time, could be potentially very soon or already, that they can actually decrypt it all in the future. So this is the reason why right now environments that care about their secrets, they care about their IP, they care about their business continuation, they care about security.

care about defense, they care about national defense even, they are very aware of this and they want to basically create ways that are very resilient cryptographically and that’s where the post quantum or quantum resistant or quantum safe cryptography enters to basically protect their secrets in transit and at rest right now, which means their keys that they’re using and into the future. And for them, this is the

DC (23:47.391)
Like probably the most strategic thing, I’m not exaggerating at all. It’s probably the, it’s the biggest thing for them. They’re not even like, the biggest thing for us is AI. No, it’s quantum. We want to exist into the future and yeah.

John Verry (24:00.106)
Is there, but real quickly, is there a solution, so excuse my ignorance, right? Will there be cryptography that cannot be broken by quantum computing?

DC (24:18.207)
Yeah, so with normal computers, so traditional computation, there are various mathematical methods that lead to cryptography, for example, like prime numbers and things like this, that are really easy to compute in one direction, not on the other. And this is really the basis of most of our cryptography. But on the quantum realm, things change when you start looking at qubits, because they have, from a physics perspective,

they have the capability to be zero and one at the same time and everything in between. Right? So if you think about it, you really need the quantum computer and these things are evolving very fast. There’s new techniques always coming out that actually allow for much stronger computation and breaking of potential cryptography traditionally with less qubits than what you would think are necessary. So answering your question directly, just

Like with traditional cryptography, on the post-quantum cryptography side, there are also mathematic techniques that we could potentially generate with existing computers, quantum chips or not, that are also very hard for quantum computers to deal with. So there’s just different methods. And for example, the National Institute of Standards and Technology, they have been doing a competition on post-quantum algorithms for a while now.

And they have actually just posted, I think it was last week, that they have reached the end of this journey, a journey that we have been part of for like three years. And we are already using these on our chain and I believe we are the only ones doing this, backed by a number of organizations, universities, and also focused on defense, that has the objective of doing this with blockchains for key management systems, PKIs, and also data protection in general that opens the way to many, many interesting things.

from post-quantum VPNs to you name it, very, very interesting opportunities by using these cryptographic means that can be created or leveraged by either meshes of normal computers, so normal computers working together to create these really powerful things, that are actually theoretically resilient to quantum computers. In other words, they have been tested against quantum chips.

DC (26:39.933)
Okay. And also against traditional vulnerabilities on mathematical vulnerabilities by academia. Right. And we have basically put this together into a decentralized ledger and decentralized consensus mechanism that can basically wrap any sort of application or process or service or data stream. So this is extremely, that’s the power of, of, of it. But the risk I would say of quantum is, you know, it’s one of those things that

doesn’t make me, it makes my sleep harder, let’s say. The risk is so, so high.

John Verry (27:12.942)
This is why you’re drinking tequila. Is it Casamigos or Dona Patron?

DC (27:17.493)
Yeah, Tequila is, it makes me happy. I’m not a millionaire, so it’s not, it’s usually not, Dame Mas or something like that. No, it’s not, it’s not, it’s generally, I don’t find it much in this side of the Atlantic.

John Verry (27:27.758)
It’s not one of those? Just tell me it’s not Corvo. Just tell me it’s not Corvo. Okay, and I think we just lost Corvo as a sponsor, but you know, what are you going to do? So that’s what the post-quantum is, is that what you’ve done is the solution as you have architected or proposed it is capable of surviving quantum computing.

DC (27:40.787)
We have other opportunities.

John Verry (27:56.512)
It’s not going to break the minute quantum computing becomes a reality.

DC (27:56.769)
That’s right.

DC (28:01.083)
That’s right. That’s right. And backed by, again, backed by a resilient decentralized ecosystem. Because yes, you could break something centrally, but because all the nodes are actually in consensus, you’ll probably have to break everything at the same time, which is really, really hard. And so in the end, it’s really about the word resilience. Right. And if we look, for example, at what NIST has come out with, so for example, last week, they said, well,

that is this global mandate really coming in the next one year, two years. Well, it’s already out. The word is already out. So companies, you know, highly regulated spaces and other organizations need to start thinking about their post-quantum strategy, like how to change, you know, their programming libraries, their cryptographic fundamentals for everything that they do into a post-quantum standard of some kind. And this is just some of them, right?

But that just came out last week with that, which I thought was really timely and powerful for this call.

John Verry (29:05.996)
Interesting. Another one of the ones that I was confused by and that, you know, I think it makes total sense here is zero trust. I mean, fundamentally what you’re, you know, that idea of I’m not going to communicate with this endpoint unless I’ve looked them up and validated the security posture, and it is zero trust to the nth level. So that makes complete sense to me.

DC (29:25.353)
It’s exactly that. It’s great you mentioned this because we ourselves use kind of like different, we talk about it in a different way. So in Web3, we use something that’s called zk-SNARKs or Zero Knowledge Proofs that allows you to achieve a different level of zero trust. So zero trust normally is, as you know, like, I have a system that has an API somewhere and then there’s zero trust, there’s a system somewhere.

that has the right IP, the right MAC address, blah, blah, blah, in the cloud that can access it between eight and nine PM and we can extract data, right? And it has the right key. Okay, that’s all fine. But how do you know that the system you’re accessing and extracting data from is actually in a trusted state? Like, how do you know it’s right? But you’re getting that data. Yeah, yeah.

John Verry (30:07.02)
No, you don’t. Yeah, you don’t. Yeah, you know, whatever the criteria were that you gave it, like you said, you can have this contextual-based authentication, contextual-based operation, but you don’t absolutely know the state at that moment. So this kind of layers that on top of zero trust.

DC (30:21.003)
That’s right.

DC (30:25.675)
That’s right. That’s right. It’s about providing two things. One thing is decentralized identity for systems. So every system is their own unique butterfly on chain and you can follow it forever. You know, it’s that it hasn’t been cloned so on so forth, whatever. Exactly. And you can follow its life cycle also.

John Verry (30:31.628)
Yep. Yep.

Yep. Yep.

Hasn’t been altered, right. It’s an immutable DLT. I know who it is, we know what it is, and that’s forever.

DC (30:48.565)
But it's not only that, it's like, yes, it is forever, but it's also changing. So yes, the proof that it is changing is forever. That's what I mean. So it has a, it's like it has an aging process that you can follow, quote unquote, forever. That's right. That's right.

John Verry (30:55.266)
Yes, right.

John Verry (30:59.992)
Well, it's got a history, right? I mean, and even I can imagine in your model, right? Because you're going to have to sample periodically, right? You referred to it as something different than an agent. You had a name for it. A dApp. OK, so the dApp has a periodicity to assessing. And there's going to be a window, because you're not going to run continuously. There'll be some window. But what's cool is that even that history of that security posture over

DC (31:07.915)
That’s right, that’s right.

DC (31:14.177)
I call it the dApp, decentralized application.

John Verry (31:29.71)
could be part of that security score. So hey, we only sample once a day, but in the last year, this security score has only deviated between 99 and 97 versus where some might deviate between 99 and 53. So even if it was a 99 the last I looked at it, I might want to score it lower than that because of the fact that it has greater variability.

DC (31:32.565)
Yes.

DC (31:46.678)
Right.

John Verry (31:57.102)
than one that might be more consistent, right? A 97 that never changes off a 97 might actually be more trustworthy than a 99.9 that ranges between 99.9 and 65.

DC (32:08.193)
Yeah, yeah, yeah, I totally get what you're saying. And in this case, I think, of course, you know, we use scores already for lots of things. I think the main difference here is that you actually know it to be true. It's not that machine just telling you that because there's a guy there pulling strings and saying, hey, repeat the talk, whatever. No, there's like a whole ecosystem that is agreeing at every point in time, you know, and this is custom, could be like every 10 milliseconds, saying, no, this is, this is it.

You know, this is real and it's not just these guys saying it's real. It's like, you know, you would have to compromise all the zero trust decentralized modules, nodes, for you to change this principle, which is really expensive to do.

John Verry (32:48.472)
Right. Like you said, it's a mesh. It's a mesh. It's not a single entity. I mean, that's the value prop. Right, yeah, exactly. Yeah. So one other thing that I thought was interesting, you mentioned Gen AI as a threat. What did that mean?

DC (32:54.561)
It’s a hive mind in a way, right? It’s a, yeah. That’s it.

DC (33:05.617)
That's a deep one. So myself and David Holtzman. David Holtzman is the, well, he's the former chief of technology of IBM and he was an advisor to a number of American presidents or presidential candidates in the US. And he also created the DNS system. He is on our board, he is our chief of strategy. And we have a call every week and we have conversations like that. And we talk about questions like that.

So all right, I'm going to ask you a question. If you could tell me in a phrase an answer to your question, what would it be? And then I'll go back.

John Verry (33:51.63)
Well, just for the record, I'm the podcast host, you're the guest. I get to ask the questions, you don't. So I might just say no. I mean, no, you know, Gen AI as a…

DC (33:57.633)
We're ping-ponging here. I'm just curious. I'm just curious.

What’s your opinion, like, personally? Because everybody has a personal opinion about this.

John Verry (34:11.478)
Well, I think, Gen AI, I'm guessing what you meant by Gen AI as a threat is that it is becoming easier for a malicious individual to create situations that are more likely to put you in a position where you're trusting something that you shouldn't trust.

So I’m assuming that there’s some technological component to that that you were kind of inferring there.

DC (34:48.865)
Thank you, John. I appreciate that. I appreciate you giving me your answer here and not the question. No, not at all. There’s no way it is. The way is that you can look at the problem in completely different ways. And that’s why I wanted to see your perspective because you can talk about this from a very kind of like existential perspective, which makes a lot of sense. And you can talk about it from a more kind of like niche perspective, like your answer, right?

John Verry (34:51.95)
And you haven’t laughed yet, so I guess it wasn’t a horrible answer.

John Verry (35:09.332)
Mm-hmm.

DC (35:16.661)
So from your answer, yes, that's absolutely true. What you say, it's a big issue. It's only going to get worse. Right now, if you read a Gen AI text that you tell, "write this like Eckhart Tolle" or whatever, if you didn't read all the books from this guy, you think it's him. And we're already seeing, for example, fraud that

John Verry (35:36.68)
it’s crazy. Yeah. Yep.

DC (35:44.273)
you know, like multi-million dollar, tens of millions of dollars fraud, of like people's voice being like repeated into a phone saying, make a transfer, I'm acquiring this company. Right. And that, all of it. That's right. That's right.

John Verry (35:54.126)
Well, the video, 25, I mean, that's a known story. $25 million was a Zoom meeting with three people on it, and two of the people were Gen AI'd, right? They were artificial. And the guy went and, 25 million bucks, gone.

DC (36:02.783)
Yeah, absolutely. So if you think about this, like, okay, let's talk very quickly about this. Like, okay, so this is all the proof-of-life systems gone, right? All the KYC systems gone.

John Verry (36:13.982)
Are you saying that you're going to make a person an endpoint in the protocol? Could you actually make a person like so? I was thinking this was all just compute endpoints in the Neores protocol. Could a person be in the Neores protocol? Is there a way that a person could be an endpoint?

DC (36:34.305)
That’s so interesting. So a person as a biological being? Potentially, but I’m not sure if I wanted to be part of that. So I would say, for example, there’s good things too. For example, right now in our decentralized command and control system, you can have a big collection of nodes, right? And they’re all doing whatever they’re doing.

John Verry (36:38.914)
Yeah, yeah.

DC (37:03.169)
Some are doing transactions for banks, others are SAP systems, whatever. They're doing what servers do or systems do. AI actually allows me to directly query the whole… We have this thing called Swarm AI that we have created with universities in Europe and the US that allows us to actually use a consensus-based AI that learns from edge computing in a decentralized way. You can literally ask it questions like,

Hey, what do you think is the biggest risk that's going on the last 12 hours on the network? And it will vomit out the answer. Oh boy. Okay. I've got to check this and this and this. Things that you would never correlate. Things that you couldn't correlate centrally, which is really interesting, because if you have like something potentially malicious happening here and another server that they have in Chile and another one that they have in Germany, and that happened the last week four times, there's no way you're going to know. So this is going to pick up these

these patterns that are not possible to do locally or centrally and tell you that this is a thing. And it's really powerful from that perspective, but it's equally powerful, if not more, from an attacker's perspective. And my issue with Gen AI, quote unquote, there's many issues. We were just talking about that, like, okay, what you have just described, you just killed KYC, right? You just killed proof of life, you know.

Here's me. How do you know it's me? In here, I'm just a group of bits and a sound and image. That's me. But this is easily manipulable. So we'll need to come up with completely different capabilities to do this. That will involve certainly hardware and different…

John Verry (38:46.68)
Yeah.

DC (38:56.521)
you know, the connection of the drivers themselves to the, I mean, not to be technical, but the connection of the drivers themselves to the operating system, into the hardware device, and to the blockchain, even, in an enormous way to prove that what you're seeing is actually coming from a real device and not a piece of software. Right. And that needs to happen. And it will probably happen after something really bad has happened. So not yet.

John Verry (39:20.27)
Yeah, if somebody thinks that what you're saying is crazy, they have not looked at the Microsoft VASA-1 demonstration. It's staggering that they can take a single-frame photograph and 15 seconds of your voice, and this interview, you could have been giving this interview as you through Microsoft VASA, and, you know, it's remarkable.

DC (39:31.389)
It’s scary. Yeah.

DC (39:42.091)
Yeah. Yeah.

You know, and that brings me back to, you know, my point with David Holtzman. We talk about these maybe every two weeks and it just happens. We don't want to, but we end up talking about it. And we were talking about it like a couple of years ago, three years ago, four years ago, no, a bit earlier than we're saying, you know, probably we'll have like Gen AI, like, you know, like full brain emulation, whatever you want to call it, like in, I don't know, 25, 50 years, like 90%. And now we're talking about like five, you know.

And that's, if that's not scary, this is, you know, this is one of the things: if you put quantum and you put AI together. So just think about something that you cannot verify, you don't understand, and it's infinitely capable of computing, and it can probably rewrite itself at every, you know, in smaller and smaller and smaller time scales and become more and more intelligent. You're looking at the end, like it's the last invention we will ever make. So.

And the thing that I speak about with AI a lot today is that you have no trust over anything. So one of the things that we focus a lot on is, like, for example, Swarm AI is transparent. So everything, all the data sources are proven to be good. Otherwise they cannot be ingested. And you actually have all tracking of it on chain. So if you ask it the question, you actually know the answer is the right answer to your question. And it's the right, you know, it's answering the right question. And all of that is proven on chain.

But with the current AI, say for example ChatGPT or whatever, you have no idea if your answer is biased or is being tampered with by a power, or if the source of the data is in any way good or anything. You don't know if the model has been tampered with in the last five minutes. You don't know nothing. So this is all about, you know, versioning transparency and AI transparency. And I think we'll need something like this. And I don't see any other way. And I've talked a lot about this, to actually, you know, track and validate

DC (41:43.155)
AIs or models, you know, in a way to make sure they're, you know, beneficial to us and not, you know, bad.

John Verry (41:49.806)
Yeah, we're working with, you know, and the EU AI Act is an interesting act, very hard to consume, but they've got some good ideas in there. 42001 is a pretty interesting standard. It's not perfect, you know, and it'll evolve over time, but at least it's, you know, it's giving you, to some extent, it's almost like what you said. And even like ISO and SOC 2, they're not, trust me.

DC (42:07.081)
It’s definitely a start.

John Verry (42:14.67)
It's a measure of trust. It moves them higher up on a trust scale than someone who can't produce that. But you can't blindly trust, and I'm an ISO 27000 certified lead auditor, huge fan of the framework, third-party attestations are the best thing we have right now. But they're certainly not foolproof. And a certificate or a pen test result that happened yesterday provides the degree of assurance it provides; the next day, the next day, it goes down each time.

DC (42:29.665)
I completely agree.

DC (42:42.017)
That's right. That's right. You just need to be cognizant of that.

John Verry (42:48.482)
Right, so in a weird way, in a weird way, what the Neorist Protocol is, is like real-time, centrally validatable, you know, posture, security posture, trustworthiness, right? And it could be against, like you said, ISO, could be against this, could be against anything, right? We can agree on whatever that is. Yeah.

DC (43:09.973)
That's right. That's right. That's right. That's right. It could be, is this specific binary the same one? It could be, right? Yeah.

John Verry (43:19.372)
Well, yeah, exactly, exactly. Well, this is fascinating. Where are you, you know, like, look, I mean, something like this has an academic component to it, right? I mean, you know, getting something like this from theory to reality has got to be a massive undertaking, a massive challenge. You know, where are you guys at in the process and where are the…

DC (43:34.635)
Very strong, very strong.

John Verry (43:47.406)
short-term use cases that are paying the bills, and if somebody needs something, how would they know to reach out to you?

DC (43:56.225)
Right. So until now, there has been a very, very big effort to pass from the POCs in all the incubators and accelerators we participated in, which were really about validation and bringing investment and all that stuff that we have done the last years. So we have gone through about 16 of them, global ones, very big ones, from telecommunications, fintech, you name it, defense, so on.

And we won 11 of them, which I'm really, really, really proud of. And that was kind of like an initial group of steps. And the interesting thing is that we, I don't think, because this being a protocol, right? The Web3 protocol that applies to Web2, Web2 being non-blockchainable things that under this principle become blockchains from a trust perspective, right? They, they,

there was this kind of like need to go into academia, that doesn't really go into Web3 generally, and say, hey, PhD person, hey, professor person, hey, you that wrote this paper, that is interesting for us, we want to collaborate. And the answer has been really, really, really positive. And we have come out with various papers. So papers on like edge computing, learning, decentralized consensus

for trust and security on edge computing, for IoT, and also on the post-quantum computing side from a decentralized perspective. And we published these papers and other white papers as well that we made public. And we are currently writing two books with some of these, some of the people that, you know, one of the people I mentioned here and a number of other, you know, PhD teachers from various universities, both in the US and also in Europe,

on those topics, that should come out sometime in quarter four, together with more papers. So academia, and actually embracing students that are doing PhDs and so on, that have their own connections, has been really, really good for us and really powerful for the community. And on the other side, on the business side, and that goes back to the incubators or accelerators, I don't think we've ever done the same thing. Like, because this is a, it's a decentralized paradigm that people can build on top of.

DC (46:22.325)
So we ourselves are now kind of like creating our own hackathons and so on, where companies that might be doing cyber, they might be doing compliance, they might be doing data protection, whatever, they can come and basically say, hey, we would like to integrate, we would like to bring this capability in in some way, so on and so forth. So that's something we're doing. From a business perspective, clients usually ask us for solutions that they don't have.

So they look at the baseline technologies that we allow for and how trust, the principle of risk management and trust, changes under a decentralized paradigm. They look at their risk statements and they are like, okay, maybe I have all the best stuff, but I'm still not satisfied. Or I'm very aware of my risks and I've been breached last year or whatever, and I was doing everything right. So I need to do something different, right? Or maybe I'm just a nation-state operator of some kind.

I just need to be ahead of the curve. And we have recently won a large contract, that I cannot talk about, that focuses a lot on post-quantum capabilities, both in centralized and decentralized ways, and decentralizing centralized risk. So basically decentralizing the physical infrastructure of critical environments that support society, that currently are a

John Verry (47:28.673)
Of course.

DC (47:49.585)
collection of points of failure, right? And people are quite aware of that. So that's the kind of thing that brings in the bucks these days. It's a mix of investment and it's a big, a mix of, you know, critical or highly regulated spaces that want to build on top of the protocol some sort of solution for them that fixes a gap that they have. And we help them do that.

John Verry (48:11.418)
And when you say decentralizing central, I mean, that would be like, so as an example, AWS, right? AWS goes down, like half the world goes down, right? Or Microsoft goes down, right? Right. So, so things, you think Change Healthcare, if you were familiar with the Change Healthcare breach. Okay, that's the kind of stuff you're talking about. This, this has been fascinating, and it actually was a lot, so either, either those two glasses of wine influenced my ability to understand your website or

DC (48:19.649)
That’s a good point. That’s a good point.

DC (48:28.127)
Yeah, absolutely. Those are good examples.

John Verry (48:40.386)
your website's not as good at talking about the stuff as you are, because it really wasn't as complex as I thought it was. But it's cool as hell. And I'm rooting for it. So keep me posted, if you'd be so kind. If a use case comes out and there's a particular way that a particular group, a particular industry, as an example, if you came out with a very focused solution for that,

I certainly would love to know about it, because conceptually the idea is brilliant.

DC (49:12.713)
I'm sure we'll be doing this again before the end of the year because there's a lot in the pipeline. Most of it is private, but we're going to make a good part of that public very soon. And I'm sure you would like to ping-pong some balls here, and the same with me, more than happy to bring…

John Verry (49:28.098)
Well, if you come up with something really cool, yeah, if big news breaks and you want to come back on and talk about it, I enjoyed the conversation a ton. Thank you.

DC (49:35.541)
For sure, man, appreciate it. I’m more than happy to bring also David Holtzman if you’d like to talk with him as well.

John Verry (49:40.728)
Sounds good.