Isaac's Blog: Welcome to the Future, by Isaac Potoczny-Jones (SyntaxPolice)
<h2>Tozny Launches InnoVault - Encryption Toolkit For Developers (2017-07-29)</h2>
We are proud to announce the release of <a href="https://innovault.io/">our latest product, InnoVault</a> - a toolkit that enables developers building websites, apps, and other software to easily embed end-to-end encryption for data security and privacy. 2016 saw a <a href="https://www.bloomberg.com/news/articles/2017-01-19/data-breaches-hit-record-in-2016-as-dnc-wendy-s-co-hacked">40% increase in data breaches</a> over 2015, and the team here at Tozny decided we wanted to do something about it. InnoVault is our answer to protecting user data with the same type of robust measures already used for credit cards, but too often omitted for other user data.<br />
We see this as a natural fit for developers who are collecting user data as part of registrations, form submissions, and data sharing over the web. The toolkit is engineered to be developer-friendly and can be set up in a matter of minutes. A few lines of code, tagging the data for protection, and you’re all set to go. InnoVault has a set of software development kits (SDKs) and an accompanying API, which developers can sign up to utilize. Developers can select an SDK in their preferred language, install the library into their code, and utilize simple functions for complex encryption, key management, and policy management. Currently, <a href="https://innovault.io/developer">available SDKs are Java, Ruby, and Go</a>; we will be releasing additional SDKs over the Summer and Fall. Want to make sure we cover your favorite language? <a href="https://innovault.io/contact">Reach out</a>, and we can prioritize based on customer requests.<br />
<br />
InnoVault is built on Tozny’s <a href="https://innovault.io/technologies">E3DB technology</a> that was developed as part of a 2-year collaborative agreement with NIST. The underlying technology is used by pilot partners under the NIST agreement to secure private data being generated within transit systems, smart buildings, and medical devices.<br />
<br />
InnoVault packages the E3DB technology for easy use by developers and is available with both free and paid tiers.
InnoVault went live today and you can sign up for your free account by visiting <a href="https://innovault.io/">InnoVault’s Website.</a>
<br />
<h2>
How it Works</h2>
<a href="http://tozny.com/wp-content/uploads/2017/07/basic-data-flow.png"><img alt="" class="alignnone size-full wp-image-5415" src="http://tozny.com/wp-content/uploads/2017/07/basic-data-flow.png" height="120" width="400" /></a><br />
The InnoVault Web SDK captures Personally Identifiable Information (PII) from HTML forms, encrypts that information in the browser, and stores it such that you can process that information without ever needing to store the PII anywhere but in the InnoVault database.<br />
<br />
InnoVault uses Tozny’s end-to-end encryption storage solution, E3DB, to store PII. With end-to-end encryption, your systems and <em>only</em> your systems have access to the clear text data. You can access the PII stored in a Form using one of Tozny’s E3DB clients. A command-line client is available, as well as SDKs for Ruby, Go, and Java.
<br />
<h3>
Front End</h3>
We have a fancier JavaScript library, but let’s start with the simple one that automatically hooks into your form. Include <a href="https://tozny.com/documentation/e3db/#get-libraries">our <em>easy</em> JavaScript library</a> and annotate the fields you want to encrypt with "data-innovault-type", or download a complete one-page HTML example for the <a download="" href="http://tozny.com/wp-content/uploads/2017/07/index-minimal-easy.html">easy library</a> or the <a download="" href="http://tozny.com/wp-content/uploads/2017/07/index-minimal-web.html">web library</a>.
<br />
<pre>&lt;script type="text/javascript"
  src="https://js.innovault.io/1.0.2/innovault-easy.min.js"&gt;&lt;/script&gt;
&lt;form data-innovault-token="REPLACE_WITH_FORM_TOKEN_FROM_CONSOLE"
  method="post" action="https://yoursite.example/contact"&gt;
  &lt;input type="text" name="fullname"&gt;
  &lt;input type="text" data-innovault-type="dob"&gt;
  &lt;input type="text" data-innovault-type="ssn"&gt;
  &lt;button type="submit"&gt;Submit&lt;/button&gt;
&lt;/form&gt;</pre>
Now when your users submit data, these data elements will be end-to-end encrypted. Our <em>web </em>library gives you complete control over form submission, so read below for more information about that.
<br />
<h3>
Back End (CLI)</h3>
For testing and basic reading and writing, you can use <a href="https://tozny.com/documentation/e3db/#get-libraries">the E3DB command-line client</a>. Save your <strong>secret</strong> <i>client key</i> in ~/.tozny/e3db.json, then when you’re ready to read records, you can run:
<br />
<pre>> e3db ls -jd -t pii
</pre>
<h3>
Back End (Ruby)</h3>
Of course, you probably want to handle your form data programmatically using <a href="https://tozny.com/documentation/e3db/#get-libraries">one of the E3DB code libraries</a>. Save your <strong>secret </strong><i>client key</i> in ~/.tozny/e3db.json and install the SDK with 'gem install e3db'; then, when you’re ready to read records, you can run:
<br />
<pre>require 'e3db'

# Loads the secret client key saved in ~/.tozny/e3db.json
client = E3DB::Client.new(E3DB::Config.default)

# Fetch every record of type 'pii'; the values are decrypted locally by the client
client.query(type: 'pii').each do |record|
  puts 'Data: ' + record.data[:dob] + ':' + record.data[:ssn]
  puts 'Metadata: ' + record.meta.record_id + ':' + record.meta.type
end</pre>
<h3>
<b>How the Crypto Works</b></h3>
InnoVault is implemented using Tozny’s end-to-end encrypted database, E3DB. Your systems and <em>only</em> your systems have access to the plain text. An E3DB client is generated in the browser. Each field is encrypted with a unique “data key”, and the data keys are encrypted with an “access key”. The access key is then encrypted with your client’s public key so that the client can download and access it later. The "names" of the fields are <em>not</em> encrypted, in order to support querying. We may add encrypted names soon. Let us know if this is of interest. <a href="https://tozny.com/documentation/e3db/crypto/">Read more about InnoVault crypto</a>.
<br />
<h3>
That’s (nowhere near) it!</h3>
Who knew end-to-end crypto could actually be easy! <a href="https://tozny.com/documentation/e3db/getting-started/">Read the Quick Start Guide</a> for more information about our JavaScript SDK, command-line client, and libraries.
<h2>Tozny at the Cloud Identity Summit and the Design Automation Conference (2017-06-16)</h2>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnOXqPnJOTxqt-a6QedspnfJTwconpbkulXwM6O64AzvOG6_ZKif82t5z5y_c8hRADyFwqTlcOykRh47597X-lDO2egQx7dNE5swrPBBEnxh4GjEMJmjvNN_rb7-bTSP-vmo06OWsr_dGl/s1600/mic.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="333" data-original-width="500" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnOXqPnJOTxqt-a6QedspnfJTwconpbkulXwM6O64AzvOG6_ZKif82t5z5y_c8hRADyFwqTlcOykRh47597X-lDO2egQx7dNE5swrPBBEnxh4GjEMJmjvNN_rb7-bTSP-vmo06OWsr_dGl/s320/mic.jpg" width="320" /></a></div>
Tozny’s CEO, Isaac Potoczny-Jones, will be presenting at <a href="https://www.cloudidentitysummit.com/en/index.html">Cloud Identity Summit</a> (CIS) in Chicago on June 19, 2017. Come learn about E3DB, a security toolkit to build privacy-preserving products from the ground-up.
<br />
<blockquote>
<strong>Talk Abstract:</strong> On the modern Internet, securely collecting personal data is extremely challenging. Software developers and enterprises are losing the arms race against malicious attackers every day. The Internet of Things (IoT) adds new challenges, including hardware limitations, lack of upgrade paths, and control of physical systems. In this talk, Isaac will outline Tozny's work with NIST on E3DB, a security toolkit to build privacy-preserving products from the ground-up.</blockquote>
The <a href="https://dac.com/">Design Automation Conference</a> is in Austin - Isaac will be participating in a panel discussion on June 20, 2017 on hardware security technologies.
<br />
<blockquote>
<strong>Panel Summary:</strong> Hardware security schemes are often treated as an afterthought: an extension of the system but not an inherent design metric for the whole system. This limits their adoption and benefit to real-world architectures. Emerging applications, for instance in the IoT area, increasingly involve large numbers of connected and heterogeneous device swarms and pose crucial challenges on the underlying security architectures. In recent years we have seen hardware security solutions, from Trusted Platform Modules (TPM) and ARM's TrustZone to Intel's SGX, to name some, rolled out. However, these solutions are rarely used by user applications, require strong trust assumptions in manufacturers, are too expensive for small constrained devices, and are not scalable. This panel will discuss the real-world impact of currently available security hardware, the related shortcomings, as well as new research and development directions in hardware-assisted security and privacy solutions.</blockquote>
Are you heading to CIS or DAC? Contact Isaac to meet up! <a href="https://twitter.com/syntaxpolice">@SyntaxPolice</a>
<em>Top image credit: User BitchBuzz, Creative Commons</em>
<h2>Tozny at HCSS - High Confidence Software and Systems (2017-05-05)</h2>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjX8wpkhp0brxiY8EFTqK8H921HHd6JWovqn4Q4Px1Sj917lp9KqqYXTZOZIIE3zVeLKGw84wUCkKRxP_Lwlo1UngWFBV83zgCaNEXFDjYfdE6firEQV0-nfyFCdZ86iYrUidSyR6cNy6qU/s1600/NIST.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="218" data-original-width="538" height="129" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjX8wpkhp0brxiY8EFTqK8H921HHd6JWovqn4Q4Px1Sj917lp9KqqYXTZOZIIE3zVeLKGw84wUCkKRxP_Lwlo1UngWFBV83zgCaNEXFDjYfdE6firEQV0-nfyFCdZ86iYrUidSyR6cNy6qU/s320/NIST.png" width="320" /></a></div>
<br />
Tozny's CEO, Isaac Potoczny-Jones, will be presenting at the <a href="http://cps-vo.org/group/hcss_conference">High Confidence Software and Systems Conference (HCSS)</a> on May 9, 2017. Come learn about NIST's Risk Management Framework and how you can apply it to your work. And if you happen to be out in Annapolis, meet up with Isaac at the conference! <a href="https://twitter.com/SyntaxPolice">@SyntaxPolice</a>
<br />
<h3>
Applying NIST's New Privacy Risk Management Framework (Abstract)</h3>
NIST’s influential cybersecurity frameworks have been a cornerstone of the certification process. They provide methodologies and standards to help organizations rigorously analyze the security of their systems. These standards are an important step in clarifying the policy, technical, and mental models that can lead to formal and semi-formal implementations.
<br />
Building on the impact of the Risk Management Frameworks for cybersecurity, NIST is developing a Privacy Risk Management Framework. Rather than emphasizing the classic cybersecurity triad of <i>Confidentiality</i>, <i>Integrity</i>, and <i>Availability</i>, it contributes the core privacy principles of <i>Predictability</i>, <i>Manageability</i>, and <i>Disassociability</i>. According to NISTIR 8062:
<br />
<ul>
<li><b>Predictability</b> is the enabling of reliable assumptions by individuals, owners, and operators about personal information and its processing by an information system.</li>
<li><b>Manageability</b> is providing the capability for granular administration of personal information including alteration, deletion, and selective disclosure.</li>
<li><b>Disassociability</b> is enabling the processing of personal information or events without association to individuals or devices beyond the operational requirements of the system.</li>
</ul>
Tozny is implementing an End-to-End Encrypted DataBase (E3DB) for any type of mobile or web application to build secure workflows into their systems. It is a type of Personal Data Service (PDS). A PDS is designed to give end users significant control over the collection, retention, and sharing of their personal data. This approach improves privacy by inverting the model where data brokers control user data and choose which 3rd parties access user data.
<br />
E3DB is one of the first projects implemented using NIST’s new privacy frameworks.
<br />
In this talk, we will provide:
<br />
<ul>
<li>An overview of NIST’s Privacy Framework, and related standards (800-53, 800-63),</li>
<li>An experience report on implementing a product based on these standards, and</li>
<li>An in-depth review of our cryptographic approach and how it supports privacy.</li>
</ul>
<h2>The Security Panacea: Striking Balance with Usability (2017-04-11)</h2>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuLXH4KOO9ztVj-_K4o8qhQRt9_m2tCDU7P2j-OxaLNMgPT4Fc8nJKuJt29oSMyrDkU4ElDEzlYwfxJ_Y6AfXnkV017bQAcuPlivNFupqBy2Jv1I8UzBAtWJNPuBZvfrxxjkuyn2oolLij/s1600/tozny-tyntec-manuela-isaac.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="816" data-original-width="1600" height="163" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuLXH4KOO9ztVj-_K4o8qhQRt9_m2tCDU7P2j-OxaLNMgPT4Fc8nJKuJt29oSMyrDkU4ElDEzlYwfxJ_Y6AfXnkV017bQAcuPlivNFupqBy2Jv1I8UzBAtWJNPuBZvfrxxjkuyn2oolLij/s320/tozny-tyntec-manuela-isaac.jpeg" width="320" /></a></div>
<div class="graf graf--p graf-after--figure" id="3106">
To keep up in today’s competitive technology market, perfecting the user experience is a must, which makes added security measures a tough sell to leadership. We consistently see brands sacrifice security, adopting the attitude ‘it won’t happen to me.’ But when it does (and it will), brands are unprepared and scrutinized for their lack of foresight.</div>
<div class="graf graf--p graf-after--p" id="e188">
<a href="https://medium.com/@tyntec/the-security-panacea-striking-balance-with-usability-e1f759330ac9">Read the interview</a> with Manuela Marques, tyntec’s Product Marketing Director and Isaac Potoczny-Jones, CEO of Tozny, a leader in multi-factor authentication systems. We discuss the common mistakes brands make with security and provide insight on how brands can balance security and usability.</div>
<div class="graf graf--p graf-after--p">
<a href="https://medium.com/@tyntec/the-security-panacea-striking-balance-with-usability-e1f759330ac9">Read more at Medium.</a></div>
<h2>Visit Tozny at the RSA Conference (2017-02-02)</h2>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdJu8iixiVA995Um5qp6AB_ayeM7ggSlswZH9o9JpDMS6w747wC_4OsHXjXMWM9QFYFprllAAKlHdZI2ZGM9jyM770YoP_grHJ40eUaVGUZSoEdXqfZrzEle7Yc5tgAjg15UK3ckF9F40V/s1600/RSAConference-2017-logo-horizontal-with-dates.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="431" data-original-width="1400" height="98" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdJu8iixiVA995Um5qp6AB_ayeM7ggSlswZH9o9JpDMS6w747wC_4OsHXjXMWM9QFYFprllAAKlHdZI2ZGM9jyM770YoP_grHJ40eUaVGUZSoEdXqfZrzEle7Yc5tgAjg15UK3ckF9F40V/s320/RSAConference-2017-logo-horizontal-with-dates.jpg" width="320" /></a></div>
<br />
We are now in an age where security can be breached with just the push of a button. With today’s technological breakthroughs comes an increasing demand for more well-rounded and tighter cybersecurity. The tools required to protect each individual from cyber-attacks and threats have also shown that technical expertise is now more than a necessity; it is of great significance as well.<br />
<br />
<strong>RSA Conference will be held at Moscone Center in San Francisco, February 13-17th, 2017</strong>
To better educate individuals and to lend them insights on the matter, a panel discussion is organized to be held on February 16, 2017 at Moscone West with a roster of notable names in the cyber privacy and security industry, including <a href="https://tozny.com/">Tozny</a> CEO Isaac Potoczny-Jones.<br />
<br />
<strong>Privacy Enhancing Technologies Work—But Can Anyone Use Them?</strong>
<br />
<ul>
<li class="block-punches">Thursday 02/16/2017</li>
<li class="block-punches">2:45 PM- 3:30 PM</li>
<li class="block-punches">Room: Moscone West | 2018</li>
<li class="block-punches">Session length: 45 Minutes</li>
<li class="block-punches">Track: Human Element</li>
<li class="block-punches">Session code: HUM-R11</li>
</ul>
Tools that help people assess and protect their own privacy are not new. But as the challenges to protect individuals' privacy become more substantial, the tools to insulate people from privacy risks require more technical expertise. This panel will discuss specific privacy challenges and review research efforts to make advanced <a href="https://tozny.com/documentation/e3db/getting-started/">privacy-enhancing technologies</a> more accessible to everyday people.<br />
<br />
<img alt="" class="size-thumbnail wp-image-4321" src="http://tozny.com/wp-content/uploads/2014/11/Isaac_Potoczny-Jones1-150x150.jpg" height="150" width="150" /><br />
<br />
Isaac Potoczny-Jones is the founder and CEO of <a href="https://tozny.com/">Tozny</a>. Previously, Isaac worked as a developer of security and authentication solutions for defense agencies and other government agencies with 10 years under his belt as a cybersecurity researcher at Galois. He graduated with a Bachelor’s Degree in Computer Science and Master's degree in Cybersecurity.<br />
Other panelists include:
<br />
<ul>
<li><a href="https://www.eff.org/about/staff/lee-tien">Lee Tien</a>, Senior Staff Attorney and Adams Chair for Internet Rights for Electronic Frontier Foundation</li>
<li><a href="https://blog.mozilla.org/tanvi/">Tanvi Vyas</a>, Tech Lead, Security User Experience for Mozilla.</li>
<li><a href="https://www.nist.gov/people/naomi-lefkovitz">Naomi Lefkovitz</a>, Senior Privacy Policy Advisor for NIST will act as moderator.</li>
</ul>
<h3>
Come meet us</h3>
You can come meet us at the NIST booth (number S2815) at the following times:
<br />
<ul>
<li class="block-punches">Tuesday 2/14 Noon - 2:00 PM</li>
<li class="block-punches">Wednesday 2/15 at 5:00 PM</li>
</ul>
<h2>Encryption Debate: The issue isn’t strong crypto; It’s easy crypto (2016-02-15)</h2>
<a href="http://www.nextgov.com/technology-news/tech-insider/2016/02/encryption-debate-issue-isnt-strong-crypto-its-easy-crypto/125900/">An article</a> by Tozny CEO Isaac Potoczny-Jones at NextGov:
<blockquote>Strong cryptography has been around for a long time, but the user interfaces have been terrible. As a result, most individuals and even <a href="http://tozny.com/blog/encrypting-strings-in-android-lets-make-better-mistakes/">software programmers struggle to use them effectively</a>. Over the last few years, we’ve seen a push by technology industry leaders to prioritize easy to use encryption technologies in their products on the front end. This is an enormously positive and important development that expands adoption of secure products. Backdoors and storing encryption keys don’t strengthen crypto; they weaken it, and the lack of good security in commercial and government products and services has left the United States extremely vulnerable to industrial espionage from determined foreign adversaries.</blockquote>
<a href="http://www.nextgov.com/technology-news/tech-insider/2016/02/encryption-debate-issue-isnt-strong-crypto-its-easy-crypto/125900/">Read More</a>.
<h2>The tension between Agile, MVPs, and Security (2016-02-13)</h2>
Here's a <a href="http://devops.com/2016/02/10/minimum-viable-app-doesnt-mean-minimum-security/">great article by George V. Hulme</a>, including discussions with Tozny CEO Isaac Potoczny-Jones about the tension between Agile, MVPs, and Security. See also the complete <a href="http://www.csoonline.com/article/3028595/mobile-security/mobile-security-qa-securing-the-mobile-minimum-viable-app.html">Q&amp;A with Isaac at CSO Magazine</a>.
<blockquote>The first step is just saying, "We're going to include security in the Agile <em>definitions of done</em>," and once you've at least penetrated that level, which I don't think a lot of people have, then they’re going to at least do the right things. You're going to start to build it either into the user stories or the acceptance testing.
But you can’t leave it to the end of the process. If you leave security acceptance testing toward the end (and naturally your schedule is going to slip) then you'll get to the security testing and find there's a lot more work to do. Then you'll be in this unfortunate decision of either having to fix the security issues and let your schedule slip, or choose to let something go out the door that's not secure.</blockquote>
<a href="http://www.csoonline.com/article/3028595/mobile-security/mobile-security-qa-securing-the-mobile-minimum-viable-app.html">Read More</a>.
<h2>GCN Article: Making mobile phones the authentication hubs for smart homes (2015-12-01)</h2>
Our NSTIC privacy project was highlighted in an <a href="https://gcn.com/articles/2015/11/24/nstic-identity-infrastructure-galois.aspx">article at GCN</a> by Derek Major.
<blockquote>Tozny serves as the technical lead for the <a href="http://tozny.com/nstic">pilot programs</a> and will build the data storage and sharing platform by tackling one of the weakest links in cybersecurity today: the password. Tozny’s solution replaces the username and password with something people use for almost everything: the smartphone, or wearable device.
Tozny is working with IOTAS, a developer of a home automation platform that integrates preinstalled hardware (light switches, outlets and sensors) with software to create a unique experience in which users learn from and interact with their homes.
Together, the companies are working to help users to log in to the IoT management console installed in their apartments without a password. Tozny is providing cryptographic authentication that is based on mobile phones.</blockquote>
<a href="https://gcn.com/articles/2015/11/24/nstic-identity-infrastructure-galois.aspx">Read More</a>.
<h2>Article: NIST Testing out passwordless smart home (2015-11-24)</h2>
Mohana Ravindranath <a href="http://www.nextgov.com/emerging-tech/2015/11/nist-trying-out-passwordless-internet-things-experiment/123736/">over at NextGov</a> wrote a nice piece about our NIST <a href="http://tozny.com/nstic/">privacy pilots.</a>
<br />
<blockquote>
Tozny, a subsidiary of tech company <a href="http://galois.com/">Galois</a>, aims to test one system that encrypts user data generated by the "smart home," and another that would let transit riders use their mobile phones as tickets, Galois principal investigator Isaac Potoczny-Jones said in a blog post outlining more details about the project.</blockquote>
<blockquote>
The NIST pilot, through an initiative called the "National Strategy for Trusted Identities in Cyberspace," focuses on these two applications. But NIST has recently been drafting broader standards for tech companies creating products for the "Internet of Things": In September, it released a <a href="http://www.cpspwg.org/Portals/3/docs/CPS%20PWG%20Draft%20Framework%20for%20Cyber-Physical%20Systems%20Release%200.8%20September%202015.pdf">Draft Framework for Cyber-Physical Systems</a>, essentially a guide teaching device manufacturers how to build safer devices.</blockquote>
<a href="http://www.nextgov.com/emerging-tech/2015/11/nist-trying-out-passwordless-internet-things-experiment/123736/">Read More</a>.
<h2>Interview: DoD embraces public key infrastructure to secure tactical networks (2015-11-17)</h2>
Isaac contributed some technical background for <a href="http://www.c4isrnet.com/story/military-tech/cyber/2015/11/16/public-key-infrastructure-tactical-networks/75879968/">an interesting article at c4isrnet.com</a> about the use of Public Key Infrastructure (PKI).<br />
<blockquote class="tr_bq">
"Humans are terrible at generating and remembering random stuff, and the strong crypto on PKI is virtually impossible to brute force," said [<a href="http://tozny.com/">Tozny</a> CEO] Isaac Potoczny-Jones, research lead, computer security, for Galois, a technology research and development consulting firm with an office in Arlington, Virginia. "On a scale from one to 10, PKI is a 10 for security and password is a two."</blockquote>
<a href="http://www.c4isrnet.com/story/military-tech/cyber/2015/11/16/public-key-infrastructure-tactical-networks/75879968/">Read More</a>.
<h2>FedScoop: NIST IoT project explores how to ditch passwords, maintain privacy (2015-11-15)</h2>
Head on over to FedScoop to <a href="http://fedscoop.com/nist-iot-project-explores-how-to-ditch-passwords-maintain-privacy">read the latest about Tozny</a>.
<br />
<blockquote>
A project that lets consumers use their mobile-phone bus passes to control smart home systems may set the table for a forthcoming framework from the National Institute for Standards and Technology dedicated to protecting user privacy... </blockquote>
<blockquote>
"The idea is to build privacy-preserving personal data stores to allow new ways for user information to be shared across organizational boundaries in a way that the user is in control over how the data is shared, what is shared, with whom and when," Potoczny-Jones told FedScoop. "It’s important that with emerging IoT technologies and the new way people are getting around via ridesharing or public transit, we collect and share this information in a way that the user has a lot of control over it."</blockquote>
<a href="http://fedscoop.com/nist-iot-project-explores-how-to-ditch-passwords-maintain-privacy">Read More</a>.
<h2>Interview: Portland Business Journal covers Tozny's NSTIC project (2015-11-09)</h2>
The <a href="http://www.bizjournals.com/portland/blog/techflash/2015/11/how-3-oregon-tech-firms-plan-to-make-the-internet.html">Portland Business Journal discusses</a> Tozny's new <a href="http://tozny.com/nstic/">NSTIC project</a> in an article by <a href="http://www.bizjournals.com/portland/bio/18671/Malia+Spencer">Malia Spencer</a>.
<blockquote>"Computer science research and development firm Galois, mobile ticketing firm <a href="http://www.globesherpa.com/">GlobeSherpa</a> and smart home startup <a href="http://www.iotashome.com/">IOTAS</a> are teaming up on a project funded by the federal <a href="http://www.nist.gov/nstic/" target="_blank">National Institutes of Standards and Technology</a>.
The effort could lay the groundwork for Internet of Things applications that will be secure and protect privacy.
<p class="content__segment">Galois, through its mobile security subsidiary <a href="http://tozny.com/nstic" target="_blank">Tozny</a>, is the lead on the two-year project. So far, the government has committed $1.86 million to the first year of work.</p>
<p class="content__segment">Menlo Park-based <a href="https://www.sri.com/">SRI International</a> and <a href="http://www.6degreesprivacy.com/">6 Degrees Consulting</a> are also participating in the project."</p>
</blockquote>
<p class="content__segment"><a href="http://www.bizjournals.com/portland/blog/techflash/2015/11/how-3-oregon-tech-firms-plan-to-make-the-internet.html" target="_blank">Read More.</a></p>
<h2>Tozny's NSTIC Pilot Project (2015-11-08)</h2>
Amid growing concerns that IoT devices are inherently vulnerable to attacks that could compromise users’ information privacy and security, <a href="http://tozny.com/nstic">Tozny today announced</a> that it has been awarded a $1.86 million NIST National Strategy for Trusted Identities in Cyberspace (<a href="http://www.nist.gov/nstic/">NSTIC</a>) grant to build a secure data storage system that enables next-generation IoT capabilities without sacrificing privacy. Galois’ authentication and mobile security subsidiary, Tozny, will serve as the technical lead for the NSTIC pilot program.
<br />
<br />
<a href="http://tozny.com/nstic">Read More</a>.<br />
<br />
(2015-11-02)<br />
Here's a great article over at NextGov about <a href="http://www.nextgov.com/emerging-tech/2015/11/how-federal-government-attempting-protect-internet-things/123301/">various efforts the Federal government is involved with</a> to secure the Internet of Things. Tozny CEO Isaac Potoczny-Jones mentioned NIST's new privacy frameworks in the context of IoT.
<br />
<blockquote>
Galois is working with NIST on a pilot in which consumers' information, culled from smart-home services, could be integrated into a "privacy preserving data store," Potoczny-Jones said.</blockquote>
<a href="http://www.nextgov.com/emerging-tech/2015/11/how-federal-government-attempting-protect-internet-things/123301/">Read More.</a><br />
<br />
<b>IoT security & privacy requires overcoming a legacy of insecurity</b> (2015-11-02)<br />
Head over to Network Computing to read Isaac's article about <a href="http://www.networkcomputing.com/cloud-infrastructure/iot-security-and-privacy-reducing-vulnerabilities/a/d-id/1322921">Internet of Things security and privacy work</a> we're engaged in.
<br />
<blockquote>
<div class="Normal1">
Vendors must adapt a different approach for IoT than was done with the Internet, which was “you are the product, not the customer.” Sticking with this old approach would treat IoT user privacy as second fiddle. Getting privacy right is even more important with IoT than it is with computers because IoT extends beyond a smartphone or laptop screen to end user applications such as Internet-connected baby monitor video cameras, door locks that can be opened remotely with an app, wearables that track our movement and smartphones that track our location.</div>
</blockquote>
<div class="Normal1">
<a href="http://www.networkcomputing.com/cloud-infrastructure/iot-security-and-privacy-reducing-vulnerabilities/a/d-id/1322921">Read More</a></div>
<b>Regarding ID Podcast - Isaac Interview</b> (2015-10-16)<br />
Listen to <a href="http://www.secureidnews.com/news-item/episode-150-galois-using-biometrics-to-secure-private-data/">Isaac's interview about the new NSTIC projects</a> on the <a href="http://www.regardingid.com/">Regarding ID</a> Podcast.<br /><br /> <a href="http://www.galois.com/">Galois</a>, a Portland-based company that focuses on cyber security primarily for the U.S. government, is the final winner of the fourth round of NSTIC pilots.<br /><br /><div>
Galois and its partners will build a tool that relies on biometric authentication to enable the storing and sharing of private information online. They also intend to develop transit ticketing on smart phones, integrating the secure system into an Internet of Things (IoT) enabled smart home.<br /><br /><a href="http://tozny.com/">Tozny</a> CEO Isaac Potoczny-Jones spoke with Regarding ID’s Gina Jordan about the project, which involves two separate production pilots.</div>
<b>Galois won an NSTIC pilot!</b> (2015-09-22)<br />
NIST <a href="http://nstic.blogs.govdelivery.com/2015/09/21/introducing-the-3-newest-members-of-the-nstic-pilots-family/">just announced</a> that Galois received a grant from the National Strategy for Trusted Identities in Cyberspace! I'm very excited to be leading this project here at <a href="http://galois.com/">Galois</a> and the related work at <a href="http://tozny.com/">Tozny</a>.<div>
<br /></div>
<b>Galois, Inc.</b> (Portland, Ore.: $1,856,778) Galois will build a tool to allow users to store and share personal information online. The user-centric personal data storage system relies on biometric-based authentication and will be built securely from the ground up. As part of the pilot, Galois will work with partners to develop just-in-time transit ticketing on smart phones and to integrate the secure system into an internet of things-enabled smart home.<br />
<br />
<b>Article: Don't fall into the MVP trap!</b> (2015-09-21)<br />
Isaac's article on <a href="http://www.softwaremag.com/strategies-for-building-cyber-security-into-software-development/">building security into the software development lifecycle</a> was published in August in Software Magazine. My key point is that the market demands of software development encourage leaving security to the end, for a variety of reasons:<br />
<ul>
<li>Many companies want to validate a market before investing in product security, so the “minimum viable product” (MVP) approach might leave it out.</li>
<li>The risk of getting attacked is lower at the beginning of a product’s lifecycle, so companies can validate a product by getting market traction even if it has vulnerabilities.</li>
<li>Ultimately, it comes down to a false assumption that your “minimum viable product” will not attract serious attackers. That assumption only holds if you never get traction or media attention, which makes it a lose-lose proposition: either your MVP fails, in which case its security does not matter, or your MVP succeeds and you will be attacked.</li>
</ul>
<b>KATU News: Baby Monitor hacks</b> (2015-09-03)<br />
Isaac was <a href="https://youtu.be/0KLHbG6Tjng">interviewed via Skype by</a> KATU news to comment on Rapid7's <a href="https://www.rapid7.com/docs/Hacking-IoT-A-Case-Study-on-Baby-Monitor-Exposures-and-Vulnerabilities.pdf">case study on security vulnerabilities in baby monitors</a>. Key points to keep in mind:<br />
<ul>
<li>Internet of Things devices are being connected to the Internet without sufficient analysis of potential security problems.</li>
<li>The security industry doesn't have enough personnel to help address these issues.</li>
<li>Companies don't take security seriously during product development.</li>
</ul>
<br />
<a name='more'></a><br />
<br />
<iframe allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/0KLHbG6Tjng" width="560"></iframe><br />
<br />
<b>Isaac's GPG Key</b> (2015-08-16)<br />
Below is my 2015 GPG public key. Please feel free to <a href="mailto:ijones@syntaxpolice.org">email me</a> encrypted communications. Also, please note that the key ID is DadBd017 (the last eight hex digits of the fingerprint below). A short key ID like that is only a convenience: 32 bits is small enough that a colliding key can be generated cheaply, so check the full fingerprint before you trust the key.<br />
<ul>
<li>It's <a href="https://keybase.io/ijones/">up at keybase.io</a> and also <a href="http://keys.gnupg.net/pks/lookup?search=0xDADBD017&fingerprint=on&op=index">up at gnupg.net</a>. </li>
<li>It's signed with my <a href="http://keys.gnupg.net/pks/lookup?op=vindex&search=ijones@debian.org&fingerprint=on">ancient and weak Debian key</a>.</li>
<li>Proof of control of my <a href="https://gist.github.com/SyntaxPolice/41ffc94943eb55cce662">Github account</a>.</li>
<li>Proof of control of my <a href="https://twitter.com/syntaxpolice/status/631856964750839808">Twitter account</a>.</li>
<li>Proof of control of my <a href="https://keybase.io/ijones/sigs/d9Bd-mXfYYeCzJFLryz5RaqWXjfyu8OrjyLB">SyntaxPolice.org domain</a>.</li>
</ul>
Read more for the key itself.
<br />
<div>
<a name='more'></a>The Key:</div>
<pre>pub 2048R/DADBD017 2015-08-11
Isaac Potoczny-Jones <ijones@tozny.com>
Isaac Potoczny-Jones <ijones@galois.com>
Isaac Potoczny-Jones <ijones@keybase.io>
Isaac Potoczny-Jones <ijones@syntaxpolice.org>
Fingerprint=23F6 EC8F E989 BD9D E618 CB54 C5DE DA08 DADB D017
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2

[armored key body not present in this copy of the post]
=ePFF
-----END PGP PUBLIC KEY BLOCK-----
</pre>
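As an added example (not code from the original post), the script below shows how the key ID above is derived from the fingerprint under RFC 4880 section 12.2 (the v4 fingerprint is the SHA-1 of 0x99, a two-byte length and the public-key packet body; the key ID is its low-order 64 bits), checks the stated DadBd017 against the fingerprint printed above, and demonstrates on a reduced scale why a 32-bit short ID can be collided: it varies only the key creation timestamp until the fingerprint ends in a chosen suffix. The RSA values TOY_N and TOY_E are constructed for the demonstration and are not a real key.

```python
"""Added example: OpenPGP v4 fingerprints, key IDs, and short-ID collisions.
Not from the original post; follows RFC 4880 section 12.2."""
import hashlib
import re
from typing import Optional

# Values as printed in the post above.
FINGERPRINT = "23F6 EC8F E989 BD9D E618 CB54 C5DE DA08 DADB D017"
STATED_KEY_ID = "DadBd017"  # hex digits are case-insensitive


def normalize_fingerprint(fpr: str) -> str:
    """Strip whitespace and any 0x prefix, upper-case, and require 40 hex digits
    (a v4 fingerprint is a 160-bit SHA-1 digest)."""
    hexstr = re.sub(r"\s+", "", fpr).upper()
    if hexstr.startswith("0X"):
        hexstr = hexstr[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", hexstr):
        raise ValueError("expected a 40-hex-digit v4 fingerprint")
    return hexstr


def long_key_id(fpr: str) -> str:
    """64-bit key ID: the last 16 hex digits of the fingerprint."""
    return normalize_fingerprint(fpr)[-16:]


def short_key_id(fpr: str) -> str:
    """32-bit 'short' key ID that older GnuPG output printed: the last 8 hex digits."""
    return normalize_fingerprint(fpr)[-8:]


def key_id_matches(fpr: str, stated: str) -> bool:
    """Check a stated short (8) or long (16) key ID against a fingerprint,
    ignoring case and a 0x prefix."""
    s = stated.strip().upper()
    if s.startswith("0X"):
        s = s[2:]
    if len(s) not in (8, 16) or not re.fullmatch(r"[0-9A-F]+", s):
        return False
    return normalize_fingerprint(fpr).endswith(s)


def mpi(n: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit length, then big-endian magnitude."""
    bits = n.bit_length()
    return bits.to_bytes(2, "big") + n.to_bytes((bits + 7) // 8, "big")


def v4_fingerprint(creation_time: int, n: int, e: int) -> str:
    """Fingerprint of a v4 RSA public-key packet built from a creation timestamp
    and the RSA public values (n, e), formatted like GnuPG's 'Fingerprint=' line."""
    body = (b"\x04"                              # packet version 4
            + creation_time.to_bytes(4, "big")   # key creation time
            + b"\x01"                            # public-key algorithm 1 = RSA
            + mpi(n) + mpi(e))
    digest = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, 40, 4))


def find_suffix_collision(n: int, e: int, suffix: str, max_tries: int = 1 << 16) -> Optional[int]:
    """Vary only the creation timestamp until the fingerprint ends in `suffix`.
    This is the mechanism behind short-ID collisions: expected work is
    16**len(suffix) SHA-1 computations, so 8 hex digits (a short key ID) costs
    about 2**32 hashes, well within reach of commodity hardware, while the full
    40-digit fingerprint is not."""
    target = suffix.upper()
    for t in range(max_tries):
        if normalize_fingerprint(v4_fingerprint(t, n, e)).endswith(target):
            return t
    return None


# Constructed toy RSA public values: NOT a real key, just bytes to hash.
TOY_N = 0xC4F7D9E1B35A2F0D97B1E6C3A5F0814D
TOY_E = 65537

if __name__ == "__main__":
    print("long key ID :", long_key_id(FINGERPRINT))
    print("short key ID:", short_key_id(FINGERPRINT),
          "matches post:", key_id_matches(FINGERPRINT, STATED_KEY_ID))
    t = find_suffix_collision(TOY_N, TOY_E, "17")
    print("toy key whose fingerprint ends in 17 found at creation time", t,
          "->", v4_fingerprint(t, TOY_N, TOY_E))
```

The two-hex-digit search finishes in a few hundred tries; raising the suffix to eight digits is the same loop with 2**32 expected iterations, which is why tools and keyservers should be told the full fingerprint (or at least the 64-bit ID) rather than the short one.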
<b>NIST Cybersecurity Standards apply to government contractors</b> (2015-08-04)<br />
Since November 2013 a new government contracting rule has been in place that adds security requirements for Department of Defense contractors that handle unclassified controlled technical information. I actually predicted this <a href="http://galois.com/blog/2012/08/is-the-nist-risk-management-framework-poised-to-become-a-national-cybersecurity-standard/">several years ago</a>. Read more for how to figure out if this standard applies to you and where to go for more information.<br />
<div>
<a name='more'></a></div>
<div>
In short, if your contract says this:<br />
<br />
<a href="http://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012">SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION</a> (NOV 2013)<br />
<br />
You have to report cyber incidents to the DoD within 72 hours of discovery, support any DoD damage assessment that follows, and, if you hold any technical information marked with one of these <a href="http://www.dtic.mil/dtic/submit/guidance/distribstatement.html">distribution statements</a>:<br />
<div>
<br />
<ul>
<li>DISTRIBUTION STATEMENT B. Distribution authorized to U.S. Government agencies only (fill in reason) (date of determination). Other requests for this document shall be referred to (insert controlling DoD office)</li>
<li>DISTRIBUTION STATEMENT C. Distribution authorized to U.S. Government Agencies and their contractors (fill in reason) (date of determination). Other requests for this document shall be referred to (insert controlling DoD office)</li>
<li>DISTRIBUTION STATEMENT D. Distribution authorized to the Department of Defense and U.S. DoD contractors only (fill in reason) (date of determination). Other requests shall be referred to (insert controlling DoD office).</li>
<li>DISTRIBUTION STATEMENT E. Distribution authorized to DoD Components only (fill in reason) (date of determination). Other requests shall be referred to (insert controlling DoD office).</li>
<li>DISTRIBUTION STATEMENT F. Further dissemination only as directed by (insert controlling DoD office) (date of determination) or higher DoD authority.</li>
</ul>
<br />
Then you need to implement the following <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">NIST SP 800-53</a> (Revision 4) controls, which the clause lists by number:<br />
<ul>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AC-2#controlDescription">AC-2 ACCOUNT MANAGEMENT</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AC-3#controlDescription">AC-3 (4) DISCRETIONARY ACCESS CONTROL</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AC-4#controlDescription">AC-4 INFORMATION FLOW ENFORCEMENT</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AC-6#controlDescription">AC-6 LEAST PRIVILEGE</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AC-7#controlDescription">AC-7 UNSUCCESSFUL LOGON ATTEMPTS</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AC-11#controlDescription">AC-11 (1) PATTERN-HIDING DISPLAYS</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AC-17#controlDescription">AC-17 (2) PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AC-18#controlDescription">AC-18 (1) AUTHENTICATION AND ENCRYPTION</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AC-19#controlDescription">AC-19 ACCESS CONTROL FOR MOBILE DEVICES</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AC-20#controlDescription">AC-20 (1) LIMITS ON AUTHORIZED USE</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AC-20#controlDescription">AC-20 (2) PORTABLE STORAGE DEVICES</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AC-22#controlDescription">AC-22 PUBLICLY ACCESSIBLE CONTENT</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AT-2#controlDescription">AT-2 SECURITY AWARENESS TRAINING</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-2#controlDescription">AU-2 AUDIT EVENTS</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-3#controlDescription">AU-3 CONTENT OF AUDIT RECORDS</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-6#controlDescription">AU-6 (1) PROCESS INTEGRATION</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-7#controlDescription">AU-7 AUDIT REDUCTION AND REPORT GENERATION</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-8#controlDescription">AU-8 TIME STAMPS</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-9#controlDescription">AU-9 PROTECTION OF AUDIT INFORMATION</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-2#controlDescription">CM-2 BASELINE CONFIGURATION</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-6#controlDescription">CM-6 CONFIGURATION SETTINGS</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-7#controlDescription">CM-7 LEAST FUNCTIONALITY</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-8#controlDescription">CM-8 INFORMATION SYSTEM COMPONENT INVENTORY</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CP-9#controlDescription">CP-9 INFORMATION SYSTEM BACKUP</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=IA-2#controlDescription">IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=IA-4#controlDescription">IA-4 IDENTIFIER MANAGEMENT</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=IA-5#controlDescription">IA-5 (1) PASSWORD-BASED AUTHENTICATION</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=IR-2#controlDescription">IR-2 INCIDENT RESPONSE TRAINING</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=IR-4#controlDescription">IR-4 INCIDENT HANDLING</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=IR-5#controlDescription">IR-5 INCIDENT MONITORING</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=IR-6#controlDescription">IR-6 INCIDENT REPORTING</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=MA-4#controlDescription">MA-4 (6) CRYPTOGRAPHIC PROTECTION</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=MA-5#controlDescription">MA-5 MAINTENANCE PERSONNEL</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=MA-6#controlDescription">MA-6 TIMELY MAINTENANCE</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=MP-4#controlDescription">MP-4 MEDIA STORAGE</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=MP-6#controlDescription">MP-6 MEDIA SANITIZATION</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=PE-2#controlDescription">PE-2 PHYSICAL ACCESS AUTHORIZATIONS</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=PE-3#controlDescription">PE-3 PHYSICAL ACCESS CONTROL</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=PE-5#controlDescription">PE-5 ACCESS CONTROL FOR OUTPUT DEVICES</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=PM-10#controlDescription">PM-10 SECURITY AUTHORIZATION PROCESS</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=RA-5#controlDescription">RA-5 VULNERABILITY SCANNING</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=SC-2#controlDescription">SC-2 APPLICATION PARTITIONING</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=SC-4#controlDescription">SC-4 INFORMATION IN SHARED RESOURCES</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=SC-7#controlDescription">SC-7 BOUNDARY PROTECTION</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=SC-8#controlDescription">SC-8 (1) CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=SC-13#controlDescription">SC-13 CRYPTOGRAPHIC PROTECTION</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=SC-15#controlDescription">SC-15 COLLABORATIVE COMPUTING DEVICES</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=SC-28#controlDescription">SC-28 PROTECTION OF INFORMATION AT REST</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=SI-2#controlDescription">SI-2 FLAW REMEDIATION</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=SI-3#controlDescription">SI-3 MALICIOUS CODE PROTECTION</a></li>
<li><a href="https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=SI-4#controlDescription">SI-4 INFORMATION SYSTEM MONITORING</a></li>
</ul>
</div>
</div>
<b>Talk: An Overview of Emerging Cybersecurity Policy and Law</b> (2015-06-24)
<br />
<b>Date</b> Tuesday, June 30, 2015 <b>Time</b> 11:00 AM<br />
<b>Speaker</b> Isaac Potoczny-Jones<br />
<b>Slides</b>: <a href="https://drive.google.com/a/syntaxpolice.org/file/d/0B-R45nnW5sWDeXREZWdXaWFxSDg/view?usp=sharing">Download here</a><br />
<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="281" mozallowfullscreen="" src="https://player.vimeo.com/video/132483520" webkitallowfullscreen="" width="500"></iframe> <br />
<a href="https://vimeo.com/132483520">How to get from laws to technical requirements</a> from <a href="https://vimeo.com/galois">Galois Video</a> on <a href="https://vimeo.com/">Vimeo</a>.<br />
<b><br /></b>
Why is cybersecurity such a hard problem? The US government, its citizens, and the organizations that write software are all on the same team, but in many cases, our interests are just not aligned. For instance, there have been endless political and social disagreements about the best way to share cyber threat intelligence without sacrificing consumer privacy.<br />
<br />
It’s these competing concerns that are the chink in our collective armor, and that’s what our adversaries exploit, day in and day out.<br />
<br />
In this talk, Isaac will present the high-level strategic concerns and challenges in the cybersecurity industry, how those challenges interact with emerging policy and law, and how those policies will impact you.<br />
<br />
<a href="http://galois.com/blog/2015/06/tech-talk-overview-emerging-cybersecurity-policy-law/">Read the abstract at Galois.com</a><br />
<br />
<b>Talk: 2015 Northwest Aerospace & Defense Symposium</b> (2015-05-30)<br />
I recently gave a talk on cybersecurity policy and law for the Pacific Northwest Defense Coalition and Pacific Northwest Aerospace Alliance at the <a href="http://www.pnaa.net/events/annual-conference/2015-aerospace-conference/102-events/upcoming-pnaa-events/404-may-27-28-nw-aerospace-defense-symposium">2015 Aerospace & Defense Symposium held at Joint Base Lewis-McChord</a>.<br />
<div>
<br /></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXctjJqGExERTG4Jd20RafGR7IvWOGwxYQJQhORgN5InahHTHhkWZKcCIGzGfb_yo1u7bmKWGvTIe0tT6jJNIslbkR64razXbbrK4VdlbF6UTWZu8F3WRW2IFm0CMmHutZ1okUxlAdilI7/s1600/DSC_0728.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXctjJqGExERTG4Jd20RafGR7IvWOGwxYQJQhORgN5InahHTHhkWZKcCIGzGfb_yo1u7bmKWGvTIe0tT6jJNIslbkR64razXbbrK4VdlbF6UTWZu8F3WRW2IFm0CMmHutZ1okUxlAdilI7/s320/DSC_0728.JPG" width="320" /></a></div>
<br />
<div>
It was great to share the stage with Peter S. Chiou, Principal Strategist and Business Development Manager for Azure DoD, Microsoft and Special Agent Joshua Michaels of the FBI Cyber Task Force. Three different perspectives on a topic that impacts all of us.</div>
<br />
Thanks very much to PNDC for bringing me into the event!</div>
<b>Quotes for KGW: The Internet of Things - How safe is 'smart' technology</b> (2015-04-28)<br />
I'm quoted in an article by Wayne Havrelly at KGW <a href="http://www.kgw.com/story/news/investigations/2015/04/27/the-internet-of-things-how-safe-is-smart-technology/26479733/">about the Internet of Things</a>. This ran on TV as well!<br />
<br />
"Any system, as it gets more complex, the likelihood of a weak link in the chain grows," said Isaac Potoczny-Jones, computer security expert with Galois. "So as cars get these integrated entertainment systems or wireless features, these open up avenues of attack."<br />
<br />
<b>Talk: User identity and authentication in WordPress</b> (2015-03-02)<br />
<a href="http://tozny.com/wp-content/uploads/2015/02/2015-02-23-wordpress-identity.pdf">Download the Slides</a><br />
<br />
The other day I gave a talk at the <a href="http://www.meetup.com/pdx-wp/events/220270290/">Portland WordPress Developers Meetup</a> about authentication in enterprise and web environments and how WordPress fits into the identity management alphabet soup. At the end, I showed off <a href="https://wordpress.org/plugins/toznyauth/">our WordPress plugin</a>, which can be used for <a href="http://tozny.com/documentation/integration/wordpress-integration/">easy and secure login</a> to WordPress instances.<br />
<br />
Abstract: Your users’ experience during account creation and login is one of the first and most important ways they interact with your web site. Passwords are by far the most common authentication factor, but they are extremely unfriendly for users: Good passwords are hard to remember, and bad passwords are easy to guess. In this talk, we will explain the trade-offs among various types of authentication: passwords, mobile login, social login, two-factor auth, single sign-on, SAML, and OAuth. Finally, we’ll discuss the impact these choices have on your development process and your users.<br />
<div>
<br /></div>
<div>
<a href="http://tozny.com/blog/user-identity-and-authentication-in-wordpress/">More on the Tozny Blog</a>.</div>