Tuesday, September 22, 2015

Galois won an NSTIC pilot!

NIST just announced that Galois received a grant from the National Strategy for Trusted Identities in Cyberspace! I'm very excited to be leading this project here at Galois and the related work at Tozny.

Galois, Inc. (Portland, Ore.: $1,856,778) Galois will build a tool to allow users to store and share personal information online. The user-centric personal data storage system relies on biometric-based authentication and will be built securely from the ground up. As part of the pilot, Galois will work with partners to develop just-in-time transit ticketing on smart phones and to integrate the secure system into an Internet of Things-enabled smart home.

Monday, September 21, 2015

Article: Don't fall into the MVP trap!

Isaac's article on building security into the software development lifecycle was published in August in Software Magazine. My key point is that the market demands of software development encourage leaving security to the end, for a variety of reasons:
  • Many companies want to validate a market before investing in product security, so the “minimum viable product” (MVP) approach might leave it out.
  • The risk of getting attacked is lower at the beginning of a product’s lifecycle, so companies can validate a product by getting market traction even if it has vulnerabilities.
  • Ultimately, it comes down to a false assumption that your “minimum viable product” will not attract serious attackers, but this presumes that you do not get traction or media attention, which is a lose-lose proposition—either your MVP is a failure, and so security doesn’t matter, or your MVP is a success and you will get attacked.

Thursday, September 3, 2015

KATU News: Baby Monitor hacks

Isaac was interviewed via Skype by KATU News to comment on Rapid7's case study of security vulnerabilities in baby monitors. Key points to keep in mind:
  • Internet of Things devices are being connected to the Internet without sufficient analysis of potential security problems.
  • The security industry doesn't have enough personnel to help address these issues.
  • Companies don't take security seriously during product development.

Sunday, August 16, 2015

Isaac's GPG Key

Below is my 2015 GPG public key. Please feel free to email me encrypted communications. Also, please note that the key ID is DadBd017.
Read more for the key itself.

Tuesday, August 4, 2015

NIST Cybersecurity Standards apply to government contractors

Since November 2013, a new government contracting rule has been in place that adds security requirements for all government contractors. I actually predicted this several years ago. Read more for how to figure out whether this standard applies to you and where to go for more information.

Wednesday, June 24, 2015

Talk: An Overview of Emerging Cybersecurity Policy and Law

Date: Tuesday, June 30, 2015, 11:00 AM
Speaker: Isaac Potoczny-Jones
Slides: Download here

Video: "How to get from laws to technical requirements" (Galois Video on Vimeo).

Why is cybersecurity such a hard problem? The US government, its citizens, and the organizations that write software are all on the same team, but in many cases, our interests are just not aligned. For instance, there have been endless political and social disagreements about the best way to share cyber threat intelligence without sacrificing consumer privacy.

It’s these competing concerns that are the chink in our collective armor, and that’s what our adversaries exploit, day in and day out.

In this talk, Isaac will present the high-level strategic concerns and challenges in the cybersecurity industry, how those challenges interact with emerging policy and law, and how those policies will impact you.

Read the abstract at Galois.com

Saturday, May 30, 2015

Talk: 2015 Northwest Aerospace & Defense Symposium

I recently gave a talk on cybersecurity policy and law for the Pacific Northwest Defense Coalition and Pacific Northwest Aerospace Alliance. This was for the 2015 Aerospace & Defense Symposium held at Joint Base Lewis-McChord.

It was great to share the stage with Peter S. Chiou, Principal Strategist and Business Development Manager for Azure DoD, Microsoft and Special Agent Joshua Michaels of the FBI Cyber Task Force. Three different perspectives on a topic that impacts all of us.

Thanks very much to PNDC for bringing me into the event!

Tuesday, April 28, 2015

Quotes for KGW: The Internet of Things - How safe is 'smart' technology

I'm quoted in an article by Wayne Havrelly at KGW about the Internet of Things. This ran on TV as well!

"Any system, as it gets more complex, the likelihood of a weak link in the chain grows," said Isaac Potoczny-Jones, computer security expert with Galois. "So as cars get these integrated entertainment systems or wireless features, these open up avenues of attack."

Monday, March 2, 2015

Talk: User identity and authentication in Wordpress

Download the Slides

The other day Isaac gave a talk at the Portland WordPress Developers Meetup about authentication in enterprise and web environments and how WordPress fits into the Identity Management alphabet soup. At the end, I showed off our WordPress Plugin, which can be used for easy and secure login to WordPress instances.

Abstract: Your users’ experience during account creation and login is one of the first and most important ways they interact with your web site. Passwords are by far the most common authentication factor, but they are extremely unfriendly for users: Good passwords are hard to remember, and bad passwords are easy to guess. In this talk, we will explain the trade-offs among various types of authentication: passwords, mobile login, social login, two-factor auth, single sign-on, SAML, and OAuth. Finally, we’ll discuss the impact these choices have on your development process and your users.

Tuesday, December 16, 2014

Talk: Common crypto mistakes in Android

Date: Tuesday, December 16, 2014, 11:00 AM
Speaker: Isaac Potoczny-Jones

If you do a web search for “encrypting Strings in Android”, you’ll find a lot of example code, and they all look pretty similar. They definitely input a String and output gibberish that looks like encrypted text, but they are often incorrect. Crypto is tricky: it’s hard to tell that the gibberish that’s being printed is not good crypto, and it’s hard to tell that the code example you picked up from Stack Overflow has serious flaws.

The problem here is that sites like Google and Stack Overflow rank results based on popularity, but the correctness of crypto isn’t something we can vote about. It’s not a popularity contest. To use it correctly, you have to understand the properties of the algorithm and the security goals of your code. Maybe the bad crypto someone pasted up on the Internet was acceptable for their needs, but there’s a good chance it’s completely unacceptable for yours.

In this talk, we’ll discuss the use of a very common crypto algorithm, AES, and show how code examples on the Internet usually make serious mistakes in how they use AES libraries: what the consequences of these mistakes are, and what more reasonable defaults look like. We’ll also talk a bit about our simple Android library that tries to do AES right.

More information on the Tozny blog.
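As an added illustration (not code from the talk or from the Tozny library), the Java snippet below puts one typical copy-pasted Android pattern beside a more reasonable default. It assumes the mistake in question is the unqualified `Cipher.getInstance("AES")` call, which resolves to ECB mode with a hard-coded key and no IV; the key bytes and sample plaintext are constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
public class AesDefaults {
    // The copy-pasted pattern: "AES" alone resolves to AES/ECB/PKCS5Padding on Android
    // and most JCE providers, the key is a hard-coded string, and there is no IV.
    // Kept only so the weakness can be demonstrated in main(); not for real use.
    static byte[] encryptEcbStyle(String plaintext) throws Exception {
        byte[] keyBytes = "0123456789abcdef".getBytes(StandardCharsets.UTF_8); // constructed
        Cipher c = Cipher.getInstance("AES");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(keyBytes, "AES"));
        return c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
    }
    // A more reasonable default: a KeyGenerator key, AES-GCM (authenticated) and a fresh
    // random 96-bit IV per message, prepended to the ciphertext. Reusing a GCM IV
    // under the same key is catastrophic, so the IV always comes from SecureRandom.
    static byte[] encryptGcm(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }
    // Reads the IV back from the front; doFinal throws AEADBadTagException on tampering.
    static byte[] decryptGcm(SecretKey key, byte[] ivAndCt) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, ivAndCt, 0, 12));
        return c.doFinal(ivAndCt, 12, ivAndCt.length - 12);
    }
    public static void main(String[] args) throws Exception {
        String repeated = "ABCDEFGHIJKLMNOPABCDEFGHIJKLMNOP"; // two identical 16-byte blocks
        byte[] ecb = encryptEcbStyle(repeated);
        System.out.println("ECB repeats blocks: " // ECB leaks plaintext structure
            + Arrays.equals(Arrays.copyOfRange(ecb, 0, 16), Arrays.copyOfRange(ecb, 16, 32)));
        KeyGenerator kg = KeyGenerator.getInstance("AES"); kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] msg = repeated.getBytes(StandardCharsets.UTF_8);
        System.out.println("GCM same message twice differs: "
            + !Arrays.equals(encryptGcm(key, msg), encryptGcm(key, msg)));
        System.out.println("Round trip ok: " + Arrays.equals(msg, decryptGcm(key, encryptGcm(key, msg))));
    }
}
```

The ECB output makes the repeated block visible in the ciphertext, while the GCM output changes on every call and fails closed if a byte is modified; a hard-coded key, as in the first function, stays a mistake regardless of mode.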