Sunday, August 16, 2015

Isaac's GPG Key

Below is my 2015 GPG public key. Please feel free to email me encrypted communications. Also, please note that the key ID is DadBd017.

The Key:

pub  2048R/DADBD017 2015-08-11
     Isaac Potoczny-Jones <ijones@tozny.com>
     Isaac Potoczny-Jones <ijones@galois.com>
     Isaac Potoczny-Jones <ijones@keybase.io>
     Isaac Potoczny-Jones <ijones@syntaxpolice.org>
  Fingerprint=23F6 EC8F E989 BD9D E618  CB54 C5DE DA08 DADB D017

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2
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=ePFF
-----END PGP PUBLIC KEY BLOCK-----
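An added check, not part of the post: after importing the key, compare the full 40-hex-digit fingerprint that gpg reports against the one printed above, rather than the 8-character key ID. Short key IDs are only the last 32 bits of the fingerprint, so two different keys can share one. The script below is constructed for this example (it is not the author's); the fingerprint is the one from the post, and the colon-format records in `sample_colon_output` are a made-up stand-in for real `gpg --with-colons --fingerprint` output, including an invented second key chosen so that its short ID collides.

```shell
#!/bin/sh
# Added example (not from the post): verify an imported OpenPGP key by its full
# fingerprint, never by the 32-bit short key ID that different keys can share.

# Fingerprint copied from the post above; spacing and case are normalized before comparing.
EXPECTED_FPR="23F6 EC8F E989 BD9D E618  CB54 C5DE DA08 DADB D017"

# Strip whitespace and upper-case so "23f6 ec8f ..." and "23F6EC8F..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# The short key ID is just the last 8 hex digits of the fingerprint.
short_id_of() {
    normalize_fpr "$1" | tail -c 8
}

# Print field 10 (the fingerprint) of every "fpr" record in gpg --with-colons output read from stdin.
extract_fprs() {
    awk -F: '$1 == "fpr" { print $10 }'
}

# Usage: check_fingerprint EXPECTED < colon-output
# Succeeds only if a whole-line, full-length fingerprint match is present.
check_fingerprint() {
    want=$(normalize_fpr "$1")
    extract_fprs | grep -qx "$want"
}

# Constructed stand-in for `gpg --with-colons --fingerprint DADBD017`: the key from the post,
# plus an invented second key whose fingerprint ends in the same 8 hex digits.
sample_colon_output() {
    printf '%s\n' \
      'pub:u:2048:1:C5DEDA08DADBD017:2015-08-11::::::' \
      'fpr:::::::::23F6EC8FE989BD9DE618CB54C5DEDA08DADBD017:' \
      'uid:u::::::::Isaac Potoczny-Jones <ijones@tozny.com>:' \
      'pub:-:2048:1:00000000DADBD017:2015-08-11::::::' \
      'fpr:::::::::00000000000000000000000000000000DADBD017:'
}

# Real use, only when a key file is given on the command line:
# import it, then ask gpg for the fingerprint of that key and compare.
if [ $# -ge 1 ]; then
    gpg --import "$1" || exit 1
    if gpg --with-colons --fingerprint "$(normalize_fpr "$EXPECTED_FPR")" | check_fingerprint "$EXPECTED_FPR"; then
        echo "fingerprint matches the published key"
    else
        echo "fingerprint MISMATCH: do not trust this key"
        exit 1
    fi
fi
```

Run it as `sh check_key.sh isaac.asc`; with no arguments it only defines the functions. Both sample keys report the short ID DADBD017, which is exactly why the comparison is made on the full fingerprint.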

Tuesday, August 4, 2015

NIST Cybersecurity Standards apply to government contractors

Since November 2013 a new government contracting rule is in place that adds security requirements for all government contractors. I actually predicted this several years ago. Read more for how to figure out if this standard applies to you and where to go for more information.

Wednesday, June 24, 2015

Talk: An Overview of Emerging Cybersecurity Policy and Law


Date: Tuesday, June 30, 2015
Time: 11:00 AM
Speaker: Isaac Potoczny-Jones
Slides: Download here

Video: "How to get from laws to technical requirements" (Galois Video on Vimeo)

Why is cybersecurity such a hard problem? The US government, its citizens, and the organizations that write software are all on the same team, but in many cases, our interests are just not aligned. For instance, there have been endless political and social disagreements about the best way to share cyber threat intelligence without sacrificing consumer privacy.

It’s these competing concerns that are the kink in our collective armor and that’s what our adversaries exploit, day-in and day-out.

In this talk, Isaac will present the high-level strategic concerns and challenges in the cybersecurity industry, how those challenges interact with emerging policy and law, and how those policies will impact you.

Read the abstract at Galois.com

Saturday, May 30, 2015

Talk: 2015 Northwest Aerospace & Defense Symposium

I recently gave a talk on cybersecurity policy and law for the Pacific Northwest Defense Coalition and Pacific Northwest Aerospace Alliance. This was for the 2015 Aerospace & Defense Symposium held at Joint Base Lewis-McChord.


It was great to share the stage with Peter S. Chiou, Principal Strategist and Business Development Manager for Azure DoD, Microsoft and Special Agent Joshua Michaels of the FBI Cyber Task Force. Three different perspectives on a topic that impacts all of us.

Thanks very much to PNDC for bringing me into the event!

Tuesday, April 28, 2015

Quotes for KGW: The Internet of Things - How safe is 'smart' technology

I'm quoted in an article by Wayne Havrelly at KGW about the Internet of Things. This ran on TV as well!

"Any system, as it gets more complex, the likelihood of a weak link in the chain grows," said Isaac Potoczny-Jones, computer security expert with Galois. "So as cars get these integrated entertainment systems or wireless features, these open up avenues of attack."

Monday, March 2, 2015

Talk: User identity and authentication in Wordpress


Download the Slides

The other day Isaac gave a talk at the Portland WordPress Developers Meetup about authentication in enterprise and web environments and how WordPress fits into the Identity Management alphabet soup. At the end, I showed off our WordPress Plugin, which can be used for easy and secure login to WordPress instances.

Abstract: Your users’ experience during account creation and login is one of the first and most important ways they interact with your web site. Passwords are by far the most common authentication factor, but they are extremely unfriendly for users: Good passwords are hard to remember, and bad passwords are easy to guess. In this talk, we will explain the trade-offs among various types of authentication: passwords, mobile login, social login, two-factor auth, single sign-on, SAML, and OAuth. Finally, we’ll discuss the impact these choices have on your development process and your users.

Tuesday, December 16, 2014

Talk: Common crypto mistakes in Android


Date: Tuesday, December 16, 2014
Time: 11:00 AM
Speaker: Isaac Potoczny-Jones

If you do a web search for “encrypting Strings in Android”, you’ll find a lot of example code, and they all look pretty similar. They definitely input a String and output gibberish that looks like encrypted text, but they are often incorrect. Crypto is tricky: it’s hard to tell that the gibberish that’s being printed is not good crypto, and it’s hard to tell that the code example you picked up from Stack Overflow has serious flaws.

The problem here is that sites like Google and Stack Overflow rank results based on popularity, but the correctness of crypto isn’t something we can vote about. It’s not a popularity contest. To use it correctly, you have to understand the properties of the algorithm and the security goals of your code. Maybe the bad crypto someone pasted up on the Internet was acceptable for their needs, but there’s a good chance it’s completely unacceptable for yours.

In this talk, we’ll discuss the use of a very common crypto algorithm, AES, and show how code examples on the Internet usually make serious mistakes in how they use AES libraries: what the consequences of these mistakes are, and what more reasonable defaults look like. We’ll also talk a bit about our simple Android library that tries to do AES right.

More information on the Tozny blog.
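As an added illustration of the talk's point (this is example code written for this page, not the Tozny library or the author's slides), the first method below is the shape of snippet the search results typically return, and the methods after it show the more reasonable defaults. The hard-coded key string and the repeated-block test message are constructed for the demonstration.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class AesExamples {

    // The copy-pasted pattern: "AES" alone resolves to AES/ECB/PKCS5Padding on the usual providers,
    // the key is an ASCII literal baked into the app, and there is no IV and no integrity check.
    // ECB is deterministic and encrypts equal blocks to equal blocks, which leaks structure.
    static String weakEncrypt(String plaintext) throws Exception {
        byte[] keyBytes = "my secret key 16".getBytes(StandardCharsets.UTF_8); // constructed, low-entropy key
        SecretKeySpec key = new SecretKeySpec(keyBytes, "AES");
        Cipher cipher = Cipher.getInstance("AES"); // mode and padding left to provider defaults (ECB)
        cipher.init(Cipher.ENCRYPT_MODE, key);
        return Base64.getEncoder().encodeToString(cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8)));
    }

    // Reasonable defaults: a random key from KeyGenerator (stored in the platform keystore in a real app),
    // an explicit AEAD mode, a fresh random 12-byte nonce per message, and the GCM tag for integrity.
    static SecretKey newKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    // Output layout: nonce (12 bytes) || ciphertext || 16-byte GCM tag (appended by doFinal).
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    // Throws AEADBadTagException if the nonce, ciphertext or tag were modified.
    static byte[] decrypt(SecretKey key, byte[] blob) throws Exception {
        GCMParameterSpec spec = new GCMParameterSpec(128, blob, 0, 12);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, spec);
        return cipher.doFinal(blob, 12, blob.length - 12);
    }

    public static void main(String[] args) throws Exception {
        // Two identical 16-byte blocks: under ECB the two ciphertext blocks are identical too,
        // and encrypting the same message twice gives byte-for-byte the same output.
        String repeated = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
        byte[] ecb = Base64.getDecoder().decode(weakEncrypt(repeated));
        boolean blocksMatch = Arrays.equals(Arrays.copyOfRange(ecb, 0, 16), Arrays.copyOfRange(ecb, 16, 32));
        System.out.println("ECB leaks block equality: " + blocksMatch);
        System.out.println("ECB is deterministic: " + weakEncrypt(repeated).equals(weakEncrypt(repeated)));

        SecretKey key = newKey();
        byte[] msg = repeated.getBytes(StandardCharsets.UTF_8);
        byte[] c1 = encrypt(key, msg);
        byte[] c2 = encrypt(key, msg);
        System.out.println("GCM: same plaintext, different ciphertexts: " + !Arrays.equals(c1, c2));
        System.out.println("GCM round trip: " + new String(decrypt(key, c1), StandardCharsets.UTF_8));

        c1[c1.length - 1] ^= 0x01; // flip one bit in the tag
        try {
            decrypt(key, c1);
            System.out.println("tampering NOT detected");
        } catch (AEADBadTagException e) {
            System.out.println("GCM: tampering detected (" + e.getClass().getSimpleName() + ")");
        }
    }
}
```

The two printed `true` lines for ECB are the observable symptom the talk describes: the output looks like ciphertext, yet it reveals which blocks of the input were equal and never changes between runs. Any key derived from a user password should go through a slow KDF (PBKDF2 is available in `javax.crypto`) rather than `getBytes()`, which the weak method above deliberately skips.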

Monday, December 1, 2014

Encrypting strings in Android: Let's make better mistakes

If you do a web search for “encrypting Strings in Android”, you’ll find a lot of example code, and they all look pretty similar. They definitely input a String and output gibberish that looks like encrypted text, but they are often incorrect. Crypto is tricky: it’s hard to tell that the gibberish that’s being printed is not good crypto, and it’s hard to tell that the code example you picked up from Stack Overflow has serious flaws.

Read more on the Tozny blog, watch Isaac's talk on this topic, and check out the GitHub repo for the AES library.

Friday, November 28, 2014

GoDaddy's SSL certs don't work in Java - the right solution

Chrome and other browsers are phasing out SSL certificates that are signed using the weak SHA-1 hash. As a result, certificate authorities like GoDaddy are also phasing out SHA-1 in favor of SHA-2. GoDaddy is one of the largest providers, at about 13% of all SSL certificates.

This means that GoDaddy had to switch to their SHA-2 root certificate and get it installed in all the major browsers, OSs, and other important clients. For some reason, it wasn’t installed in some versions of Oracle’s Java 7 or 8. This has caused some problems for Java clients.

Monday, November 10, 2014

Blaming users for security incidents is counterproductive

The Associated Press has done some important research into the cause of cybersecurity incidents in the federal government. Unfortunately, they come to the wrong conclusion. They document the huge rise in security incidents, and then add:

"And [federal] employees are to blame for at least half of the problems."

Specifically, not because the employees are the hackers, but because

"They have clicked links in bogus phishing emails, opened malware-laden websites and been tricked by scammers into sharing information."

This is counterproductive. It blames end users for problems that the security community should be taking accountability for.