Saturday, July 29, 2017

Tozny Launches InnoVault - Encryption Toolkit For Developers

We are proud to announce the release of our latest product, InnoVault - a toolkit that enables developers building websites, apps, and other software to easily embed end-to-end encryption for data security and privacy. 2016 saw a 40% increase in data breaches over 2015, and the team here at Tozny decided we wanted to do something about it. InnoVault is our answer to protecting user data with the same type of robust measures already used for credit cards, but too often left off of other user data.

Friday, June 16, 2017

Tozny at the Cloud Identity Summit and the Design Automation Conference

Tozny’s CEO, Isaac Potoczny-Jones, will be presenting at Cloud Identity Summit (CIS) in Chicago on June 19, 2017.  Come learn about E3DB, a security toolkit to build privacy-preserving products from the ground-up.
Talk Abstract: On the modern Internet, securely collecting personal data is extremely challenging. Software developers and enterprises are losing the arms race against malicious attackers every day. The Internet of Things (IoT) adds new challenges, including hardware limitations, lack of upgrade paths, and control of physical systems. In this talk, Isaac will outline Tozny's work with NIST on E3DB, a security toolkit to build privacy-preserving products from the ground-up.
The Design Automation Conference is in Austin - Isaac will be participating in a panel discussion on June 20, 2017 on hardware security technologies.
Panel Summary: Hardware security schemes are often treated as an afterthought: an extension of the system but not an inherent design metric for the whole system. This limits their adoption and benefit to real-world architectures. Emerging applications, for instance in IoT area, increasingly involve large numbers of connected and heterogeneous device swarms and pose crucial challenges on the underlying security architectures. In the recent years we have seen hardware security solutions from Trusted Platform Modules (TPM), ARM's TrustZone, to Intel's SGX, to name some have been rolled out. However, these solutions are rarely used by user applications, require strong trust assumptions in manufacturers, are too expensive for small constrained devices, and not scalable. This panel will discuss the real-world impact of currently available security hardware, the related shortcomings as well as new research and development directions in hardware-assisted security and privacy solutions.
Are you heading to CIS or DAC? Contact Isaac to meet up! @SyntaxPolice Top image credit: User BitchBuzz, Creative Commons

Friday, May 5, 2017

Tozny at HCSS - High Confidence Software and Systems

Tozny's CEO, Isaac Potoczny-Jones, will be presenting at the High Confidence Software and Systems Conference (HCSS) on May 9, 2017.  Come learn about NIST's Risk Management Framework and how you can apply it to your work.  And if you happen to be out in Annapolis, meet up with Isaac at the conference! @SyntaxPolice

Applying NIST's New Privacy Risk Management Framework (Abstract)

NIST’s influential cybersecurity frameworks have been a cornerstone of the certification process. They provide methodologies and standards to help organizations rigorously analyze the security of their systems. These standards are an important step in clarifying the policy, technical, and mental models that can lead to formal and semi-formal implementations. Building on the impact of the Risk Management Frameworks for cybersecurity, NIST is developing a Privacy Risk Management Framework. Rather than emphasizing the classic cybersecurity triad of Confidentiality, Integrity, and Availability it contributes the core privacy principles of Predictability, Manageability, and Disassociability. According to NISTIR 8062:
  • Predictability is the enabling of reliable assumptions by individuals, owners, and operators about personal information and its processing by an information system.
  • Manageability is providing the capability for granular administration of personal information including alteration, deletion, and selective disclosure.
  • Disassociability is enabling the processing of personal information or events without association to individuals or devices beyond the operational requirements of the system.
Tozny is implementing an End-to-End Encrypted DataBase (E3DB) for any type of mobile or web application to build secure workflows into their systems. It is a type of Personal Data Service (PDS). A PDS is designed to give end users significant control over the collection, retention, and sharing of their personal data. This approach improves privacy by inverting the model where data brokers control user data and choose which 3rd parties access user data. E3DB is one of the first projects implemented using NIST’s new privacy frameworks. In this talk, we will provide:
  • An overview of NIST’s Privacy Framework, and related standards (800-53, 800-63),
  • An experience report on implementing a product based on these standards, and
  • An in-depth review of our cryptographic approach and how it supports privacy.

Tuesday, April 11, 2017

The Security Panacea: Striking Balance with Usability

To keep up in today’s competitive technology market, perfecting the user experience is a must; making added security measures a tough sell to leadership. We consistently see brands sacrifice security, adopting the attitude, ‘it won’t happen to me.’ But when it does (which it will), brands are unprepared and scrutinized for their lack of foresight.

Read the interview with Manuela Marques, tyntec’s Product Marketing Director and Isaac Potoczny-Jones, CEO of Tozny, a leader in multi-factor authentication systems. We discuss the common mistakes brands make with security and provide insight on how brands can balance security and usability.

Thursday, February 2, 2017

Visit Tozny at the RSA Conference

We are now in an age where security can breached with just a simple push of a button. With today’s technological breakthroughs come an increasing demand for a more well-rounded and tightened cybersecurity. The tools required to protect each individual from cyber-attacks and threats has also proven that more technical expertise is now more than just a necessity, but of great significance as well.

RSA Conference will be held at Moscone Center in in San Francisco, February 13-17th, 2017 To better educate individuals and to lend them insights on the matter, a panel discussion is organized to be held on February 16, 2017 at Moscone West with a roster of notable names in the cyber privacy and security industry, including Tozny CEO Isaac Potoczny-Jones.

Privacy Enhancing Technologies Work—But Can Anyone Use Them?
  • Thursday 02/16/2017
  • 2:45 PM- 3:30 PM
  • Room: Moscone West | 2018
  • Session length: 45 Minutes
  • Track: Human Element
  • Session code: HUM-R11
Tools that help people assess and protect their own privacy are not new. But as the challenges to protect individuals' privacy become more substantial, the tools to insulate people from privacy risks require more technical expertise. This panel will discuss specific privacy challenges and review research efforts to make advanced privacy-enhancing technologies more accessible to everyday people.

Isaac Potoczny-Jones is the founder and CEO of Tozny. Previously, Isaac worked as a developer of security and authentication solutions for defense agencies and other government agencies with 10 years under his belt as a cybersecurity researcher at Galois. He graduated with a Bachelor’s Degree in Computer Science and Master's degree in Cybersecurity.
Other panelist include:
  • Lee Tien, Senior Staff Attorney and Adams Chair for Internet Rights for Electronic Frontier Foundation
  • Tanvi Vyas, Tech Lead, Security User Experience for Mozilla.
  • Naomi Lefkovitz, Senior Privacy Policy Advisor for NIST will act as moderator.

Come meet us

You can come meet us at the NIST booth (number S2815) at the following times:
  • Tuesday 2/14 Noon - 2:00 PM
  • Wednesday 2/15 at 5:00 PM

Monday, February 15, 2016

Encryption Debate: The issue isn’t strong crypto; It’s easy crypto

An article by Tozny CEO Isaac Potoczny-Jones at NextGov:
Strong cryptography has been around for a long time, but the user interfaces have been terrible. As a result, most individuals and even software programmers struggle to use them effectively. Over the last few years, we’ve seen a push by technology industry leaders to prioritize easy to use encryption technologies in their products on the front end. This is an enormously positive and important development that expands adoption of secure products.  Backdoors and storing encryption keys don’t strengthen crypto; they weaken it, and the lack of good security in commercial and government products and services has left the United States extremely vulnerable to industrial espionage from determined foreign adversaries.

Saturday, February 13, 2016

The tension between Agile, MVPs, and Security

Here's a great article by George V. Hulme, including discussions with Tozny CEO Isaac Potoczny-Jones about the tension between Agile, MVPs, and Security. See also the complete Q&A with Isaac at CSO Magazine.
The first step is just saying, "We're going to include security in the Agile definitions of done," and once you've at least penetrated that level, which I don't think a lot of people have, then they’re going to at least do the right things. You're either going to start to build it either into the user stories or the acceptance testing. But you can’t leave it to the end of the process. If you leave security acceptance testing toward the end (and naturally your schedule is going to slip) then you'll get to the security testing and find there's a lot more work to do. Then you'll be in this unfortunate decision of either having to fix the security issues and let your schedule slip, or choose to let something go out the door that's not secure.
Read More.

Tuesday, December 1, 2015

GCN Article: Making mobile phones the authentication hubs for smart homes

Our NSTIC privacy project was highlighted in an article at GCN by Derek Major.
Tozny serves as the technical lead for the pilot programs and will build the data storage and sharing platform by tackling one of the weakest links in cybersecurity today: the password. Tozny’s solution replaces the username and password with something people use for almost everything: the smartphone, or wearable device. Tozny is working with IOTAS, a developer of a home automation platform that integrates preinstalled hardware (light switches, outlets and sensors) with software to create a unique experience in which users learn from and interact with their homes. Together, the companies are working to help users to log in to the IoT management console installed in their apartments without a password. Tozny is providing cryptographic authentication that is based on mobile phones.
Read More.

Tuesday, November 24, 2015

Article: NIST Testing out passwordless smart home

Mohana Ravindranath over at NextGov wrote a nice piece about our NIST privacy pilots.
Tozny, a subsidiary of tech company Galois, aims to test one system that encrypts user data generated by the "smart home," and another that would let transit riders use their mobile phones as tickets, Galois principal investigator Isaac Potoczny-Jones said in a blog post outlining more details about the project.
The NIST pilot, through an initiative called the "National Strategy for Trusted Identities in Cyberspace," focuses on these two applications. But NIST has recently been drafting broader standards for tech companies creating products for the "Internet of Things": In September, it released a Draft Framework for Cyber-Physical Systems, essentially a guide teaching device manufacturers how to build safer devices.
Read More.

Tuesday, November 17, 2015

Interview: DoD embraces public key infrastructure to secure tactical networks

Isaac contributed to some technical background for an interesting article at about the use of Public Key Infrastructure (PKI).
"Humans are terrible at generating and remembering random stuff, and the strong crypto on PKI is virtually impossible to brute force," said [Tozny CEO] Isaac Potoczny-Jones, research lead, computer security, for Galois, a technology research and development consulting firm with an office in Arlington, Virginia. "On a scale from one to 10, PKI is a 10 for security and password is a two."
Read More.

Sunday, November 15, 2015

FedScoop: NIST IoT project explores how to ditch passwords, maintain privacy

Head on over to FedScoop to read the latest about Tozny.
A project that lets consumers use their mobile-phone bus passes to control smart home systems may set the table for a forthcoming framework from the National Institute for Standards and Technology dedicated to protecting user privacy... 
"The idea is to build privacy-preserving personal data stores to allow new ways for user information to be shared across organizational boundaries in a way that the user is in control over how the data shared, what is shared, with who and when," Potoczny-Jones told FedScoop. "It’s important that with emerging IoT technologies and the new way people are getting around via ridesharing or public transit, we collect this share this information in a way that the user has a lot of control over it."
 Read More.

Monday, November 9, 2015

Interview: Portland Business Journal covers Tozny's NSTIC project

The Portland Business Journal discusses Tozny's new NSTIC project in an article by Malia Spencer.
"Computer science research and development firm Galois, mobile ticketing firm GlobeSherpa and smart home startup IOTAS are teaming up on a project funded by the federal National Institutes of Standards and Technology. The effort could lay the groundwork for Internet of Things applications that will be secure and protect privacy.

Galois, through its mobile security subsidiary Tozny, is the lead on the two-year project. So far, the government has committed $1.86 million to the first year of work.

Menlo Park-based SRI International and 6 Degrees Consulting are also participating in the project."

Read More.

Sunday, November 8, 2015

Tozny's NSTIC Pilot Project

Amid growing concerns that IoT devices are inherently vulnerable to attacks that could compromise users’ information privacy and security, Tozny today announced that it has been awarded a $1.86 million NIST National Strategy for Trusted Identities in Cyberspace (NSTIC) grant to build a secure data storage system that enables next-generation IoT capabilities without sacrificing privacy. Galois’ authentication and mobile security subsidiary, Tozny, will serve as the technical lead for the NSTIC pilot program.

Read More.

Monday, November 2, 2015

Here's a great article over at NextGov about various efforts the Federal government is involved with to secure the Internet of Things. Tozny CEO Isaac Potoczny-Jones mentioned NIST's new privacy frameworks in the context of IoT.
Galois is working with NIST on a pilot in which consumers' information, culled from smart-home services, could be integrated into a "privacy preserving data store," Potoczny-Jones said.
Read More.

IoT security & privacy requires overcoming a legacy of insecurity

Head over to Network Computing to read Isaac's article about Internet of Things security and privacy work we're engaged in.
Vendors must adapt a different approach for IoT than was done with the Internet, which was “you are the product, not the customer.” Sticking with this old approach would treat IoT user privacy as second fiddle. Getting privacy right is even more important with IoT than it is with computers because IoT extends beyond a smartphone or laptop screen to end user applications such as Internet-connected baby monitor video cameras, door locks that can be opened remotely with an app, wearables that track our movement and smartphones that track our location.

Friday, October 16, 2015

Regarding ID Podcast - Isaac Interview

Listen to Isaac's interview about the new NSTIC projects on the Regarding ID Podcast.

Galois, a Portland-based company that focuses on cyber security primarily for the U.S. government, is the final winner of the fourth round of NSTIC pilots.

Galois and its partners will build a tool that relies on biometric authentication to enable the storing and sharing of private information online. They also intend to develop transit ticketing on smart phones, integrating the secure system into an Internet of Things (IoT) enabled smart home.

Tozny CEO Isaac Potoczny-Jones spoke with Regarding ID’s Gina Jordan about the project, which involves two separate production pilots.

Tuesday, September 22, 2015

Galois won an NSTIC pilot!

NIST just announced that Galois received a grant from the National Strategy for Trusted Identities in Cyberspace! I'm very excited to be leading this project here at Galois and the related work at Tozny.

Galois, Inc. (Portland, Ore.: $ 1,856,778) Galois will build a tool to allow users to store and share personal information online. The user-centric personal data storage system relies on biometric-based authentication and will be built securely from the ground up. As part of the pilot, Galois will work with partners to develop just-in-time transit ticketing on smart phones and to integrate the secure system into an internet of things-enabled smart home.

Monday, September 21, 2015

Article: Don't fall into the MVP trap!

Isaac's article on building security into the software development lifecycle was published in August at Software Magazine. My key point is that the market demands of software development encourage leaving security to the end for a variety of reasons:
  • Many companies want to validate a market before investing in product security, so the “minimum viable product” (MVP) approach might leave it out.
  • The risk of getting attacked is lower at the beginning of a product’s lifecycle, so companies can validate a product by getting market traction even if it has vulnerabilities.
  • Ultimately, it comes down to a false assumption that your “minimum viable product” will not attract serious attackers, but this presumes that you do not get traction or media attention, which is a lose-lose proposition—either your MVP is a failure, and so security doesn’t matter, or your MVP is a success and you will get attacked.

Thursday, September 3, 2015

KATU News: Baby Monitor hacks

Isaac was interviewed via Skype by KATU news to comment on about Rapid7's case study on security vulnerabilities for baby monitors. Key points to keep in mind:
  • Internet of Things devices are being connected to the Internet without sufficient analysis of potential security problems.
  • The security industry doesn't have enough personnel to help address these issues.
  • Companies don't take security seriously during product development.

Sunday, August 16, 2015

Isaac's GPG Key

Below is my 2015 GPG public key. Please feel free to email me encrypted communications. Also, please note that the key ID is DadBd017.
Read more for the key itself.

Tuesday, August 4, 2015

NIST Cybersecurity Standards apply to government contractors

Since November 2013 a new government contracting rule is in place that adds security requirements for all government contractors. I actually predicted this several years ago. Read more for how to figure out if this standard applies to you and where to go for more information.

Wednesday, June 24, 2015

Talk: An Overview of Emerging Cybersecurity Policy and Law

Date Tuesday, June 30, 2015 Time 11:00 AM
Speaker Isaac Potoczny-Jones
Slides: Download here

How to get from laws to technical requirements from Galois Video on Vimeo.

Why is cybersecurity such a hard problem? The US government, its citizens, and the organizations that write software are all on the same team, but in many cases, our interests are just not aligned. For instance, there have been endless political and social disagreements about the best way to share cyber threat intelligence without sacrificing consumer privacy.

It’s these competing concerns that are the kink in our collective armor and that’s what our adversaries exploit, day-in and day-out.

In this talk, Isaac will present the high-level strategic concerns and challenges in the cybersecurity industry, how those challenges interact with emerging policy and law, and how those policies will impact you.

Read the abstract at

Saturday, May 30, 2015

Talk: 2015 Northwest Aerospace & Defense Symposium

I recently gave a talk on cybersecurity policy and law for the Pacific Northwest Defense Coalition and Pacific Northwest Aerospace Alliance. This was for the 2015 Aerospace & Defense Symposium held at Joint Base Lewis-McChord.

It was great to share the stage with Peter S. Chiou, Principal Strategist and Business Development Manager for Azure DoD, Microsoft and Special Agent Joshua Michaels of the FBI Cyber Task Force. Three different perspectives on a topic that impacts all of us.

Thanks very much to PNDC for bringing me into the event!

Tuesday, April 28, 2015

Quotes for KGW: The Internet of Things - How safe is 'smart' technology

I'm quoted in an article by Wayne Havrelly at KGW about the Internet of Things. This ran on TV as well!

"Any system, as it gets more complex, the likelihood of a weak link in the chain grows," said Isaac Potoczny-Jones, computer security expert with Galois. "So as cars get these integrated entertainment systems or wireless features, these open up avenues of attack."

Monday, March 2, 2015

Talk: User identity and authentication in Wordpress

Download the Slides

The other day Isaac gave a talk at the Portland WordPress Developers Meetup about authentication in enterprise and web environments and how WordPress fits into the Identity Management alphabet soup. At the end, I showed off our WordPress Plugin, which can be used for easy and secure login to WordPress instances.

Abstract: Your users’ experience during account creation and login is one of the first and most important ways they interact with your web site. Passwords are by far the most common authentication factor, but they are extremely unfriendly for users: Good passwords are hard to remember, and bad passwords are easy to guess. In this talk, we will explain the trade-offs among various types of authentication: passwords, mobile login, social login, two-factor auth, single sign-on, SAML, and OAuth. Finally, we’ll discuss the impact these choices have on your development process and your users.

Tuesday, December 16, 2014

Talk: Common crypto mistakes in Android

Date Tuesday, December 16, 2014 Time 11:00 AM
Speaker Isaac Potoczny-Jones

If you do a web search for “encrypting Strings in Android”, you’ll find a lot of example code, and they all look pretty similar. They definitely input a String and output gibberish that looks like encrypted text, but they are often incorrect. Crypto is tricky: it’s hard to tell that the gibberish that’s being printed is not good crypto, and it’s hard to tell that the code example you picked up from Stack Overflow has serious flaws.

The problem here is that sites like Google and Stack Overflow rank results based on popularity, but the correctness of crypto isn’t something we can vote about. It’s not a popularity contest. To use it correctly, you have to understand the properties of the algorithm and the security goals of your code. Maybe the bad crypto someone pasted up on the Internet was acceptable for their needs, but there’s a good chance it’s completely unacceptable for yours.

In this talk, we’ll discuss the use of a very common crypto algorithm, AES, and show how code examples on the Internet usually make serious mistakes in how they use AES libraries. What are the consequences of these mistakes and what are more reasonable defaults. We’ll also talk a bit about our simple Android library that tries to do AES right.

More information on the Tozny blog.

Monday, December 1, 2014

Encrypting strings in Android: Let's make better mistakes

If you do a web search for “encrypting Strings in Android”, you’ll find a lot of example code, and they all look pretty similar. They definitely input a String and output gibberish that looks like encrypted text, but they are often incorrect. Crypto is tricky: it’s hard to tell that the gibberish that’s being printed is not good crypto, and it’s hard to tell that the code example you picked up from Stack Overflow has serious flaws.

Read more on the Tozny blog, watch Isaac's talk on this topic and check out the Github repo for the AES library.

Friday, November 28, 2014

Godaddy's SSL certs don't work in Java - the right solution

Chrome and other browsers are phasing out SSL certificates that are implemented using the weak SHA-1 hash. As a result, SSL certificate authorities, like GoDaddy are also phasing out SHA-1 in favor of SHA-2. GoDaddy is one of the largest providers, at about 13% of all SSL certificates.

This means that GoDaddy had to switch to their SHA-2 root certificate and get it installed in all the major browsers, OSs, and other important clients. For some reason, it wasn’t installed in some versions of Oracle’s Java 7 or 8. This has caused some problem for Java clients.

Monday, November 10, 2014

Blaming users for security incidents is counterproductive

The Associated Press has done some important research into the cause of cybersecurity incidents in the federal government. Unfortunately, they come to the wrong conclusion. They document the huge rise in security incidents, and then add:
"And [federal] employees are to blame for at least half of the problems."
Specifically, not because the employees are the hackers, but because
"They have clicked links in bogus phishing emails, opened malware-laden websites and been tricked by scammers into sharing information."
This is counterproductive. It blames end users for problems that the security community should be taking accountability for.

Tuesday, September 30, 2014

Shellshock: Making sense of the question, “Am I vulnerable?”

It seems like such a simple question, “Am I vulnerable to Shellshock,” but it’s surprisingly complicated. Lots of Internet forums suggest pasting some magic code into your command line. If the code outputs “Vulnerable” then you need to upgrade. Unfortunately, it’s not that easy.

There’s an ongoing dance among security researchers, OS venders, the Bash authors, and attackers. Here’s what we know today (read more at the Tozny blog).