Tuesday, November 24, 2015

Article: NIST Testing out passwordless smart home

Mohana Ravindranath over at NextGov wrote a nice piece about our NIST privacy pilots.
Tozny, a subsidiary of tech company Galois, aims to test one system that encrypts user data generated by the "smart home," and another that would let transit riders use their mobile phones as tickets, Galois principal investigator Isaac Potoczny-Jones said in a blog post outlining more details about the project.
The NIST pilot, through an initiative called the "National Strategy for Trusted Identities in Cyberspace," focuses on these two applications. But NIST has recently been drafting broader standards for tech companies creating products for the "Internet of Things": In September, it released a Draft Framework for Cyber-Physical Systems, essentially a guide teaching device manufacturers how to build safer devices.
Read More.

Tuesday, November 17, 2015

Interview: DoD embraces public key infrastructure to secure tactical networks

Isaac contributed some technical background to an interesting article at c4isrnet.com about the use of Public Key Infrastructure (PKI).
"Humans are terrible at generating and remembering random stuff, and the strong crypto on PKI is virtually impossible to brute force," said [Tozny CEO] Isaac Potoczny-Jones, research lead, computer security, for Galois, a technology research and development consulting firm with an office in Arlington, Virginia. "On a scale from one to 10, PKI is a 10 for security and password is a two."
Read More.

Sunday, November 15, 2015

FedScoop: NIST IoT project explores how to ditch passwords, maintain privacy

Head on over to FedScoop to read the latest about Tozny.
A project that lets consumers use their mobile-phone bus passes to control smart home systems may set the table for a forthcoming framework from the National Institute of Standards and Technology dedicated to protecting user privacy... 
"The idea is to build privacy-preserving personal data stores to allow new ways for user information to be shared across organizational boundaries in a way that the user is in control over how the data is shared, what is shared, with whom and when," Potoczny-Jones told FedScoop. "It's important that with emerging IoT technologies and the new way people are getting around via ridesharing or public transit, we collect and share this information in a way that the user has a lot of control over it."
Read More.

Monday, November 9, 2015

Interview: Portland Business Journal covers Tozny's NSTIC project

The Portland Business Journal discusses Tozny's new NSTIC project in an article by Malia Spencer.
"Computer science research and development firm Galois, mobile ticketing firm GlobeSherpa and smart home startup IOTAS are teaming up on a project funded by the federal National Institute of Standards and Technology. The effort could lay the groundwork for Internet of Things applications that will be secure and protect privacy.

Galois, through its mobile security subsidiary Tozny, is the lead on the two-year project. So far, the government has committed $1.86 million to the first year of work.

Menlo Park-based SRI International and 6 Degrees Consulting are also participating in the project."

Read More.

Sunday, November 8, 2015

Tozny's NSTIC Pilot Project

Amid growing concerns that IoT devices are inherently vulnerable to attacks that could compromise users’ information privacy and security, Tozny today announced that it has been awarded a $1.86 million NIST National Strategy for Trusted Identities in Cyberspace (NSTIC) grant to build a secure data storage system that enables next-generation IoT capabilities without sacrificing privacy. Galois’ authentication and mobile security subsidiary, Tozny, will serve as the technical lead for the NSTIC pilot program.

Read More.

Monday, November 2, 2015

Here's a great article over at NextGov about the various Federal government efforts to secure the Internet of Things. Tozny CEO Isaac Potoczny-Jones discussed NIST's new privacy frameworks in the context of IoT.
Galois is working with NIST on a pilot in which consumers' information, culled from smart-home services, could be integrated into a "privacy preserving data store," Potoczny-Jones said.
Read More.

IoT security & privacy requires overcoming a legacy of insecurity

Head over to Network Computing to read Isaac's article about Internet of Things security and privacy work we're engaged in.
Vendors must adopt a different approach for IoT than was taken with the Internet, where the rule was "you are the product, not the customer." Sticking with that old approach would relegate IoT user privacy to second fiddle. Getting privacy right is even more important with IoT than it is with computers, because IoT extends beyond a smartphone or laptop screen into end user applications such as Internet-connected baby monitor video cameras, door locks that can be opened remotely with an app, wearables that track our movement and smartphones that track our location.

Friday, October 16, 2015

Regarding ID Podcast - Isaac Interview

Listen to Isaac's interview about the new NSTIC projects on the Regarding ID Podcast.

Galois, a Portland-based company that focuses on cyber security primarily for the U.S. government, is the final winner of the fourth round of NSTIC pilots.

Galois and its partners will build a tool that relies on biometric authentication to enable the storing and sharing of private information online. They also intend to develop transit ticketing on smart phones, integrating the secure system into an Internet of Things (IoT) enabled smart home.

Tozny CEO Isaac Potoczny-Jones spoke with Regarding ID’s Gina Jordan about the project, which involves two separate production pilots.

Tuesday, September 22, 2015

Galois won an NSTIC pilot!

NIST just announced that Galois received a grant from the National Strategy for Trusted Identities in Cyberspace! I'm very excited to be leading this project here at Galois and the related work at Tozny.

Galois, Inc. (Portland, Ore.: $1,856,778) Galois will build a tool to allow users to store and share personal information online. The user-centric personal data storage system relies on biometric-based authentication and will be built securely from the ground up. As part of the pilot, Galois will work with partners to develop just-in-time transit ticketing on smart phones and to integrate the secure system into an internet of things-enabled smart home.

Monday, September 21, 2015

Article: Don't fall into the MVP trap!

Isaac's article on building security into the software development lifecycle was published in August at Software Magazine. The article's key point is that the market demands of software development encourage leaving security to the end, for a variety of reasons:
  • Many companies want to validate a market before investing in product security, so the “minimum viable product” (MVP) approach might leave it out.
  • The risk of getting attacked is lower at the beginning of a product’s lifecycle, so companies can validate a product by getting market traction even if it has vulnerabilities.
  • Ultimately, it comes down to a false assumption that your “minimum viable product” will not attract serious attackers, but this presumes that you do not get traction or media attention, which is a lose-lose proposition—either your MVP is a failure, and so security doesn’t matter, or your MVP is a success and you will get attacked.