Ray Potter | SafeLogic

All posts by author

3 Jul 2014

Happy Independence Day!

Wow.  It feels like just yesterday that I blogged about the importance of our freedom and opportunity, and how thankful I am to be thriving in the USA.  That was a year ago.  In ‘SafeLogic Time’, where we try to compress a month’s work into a week, and a year into a month, this feels more like a decade!

Much has happened since the summer of ’13.  I encourage you to go back and re-read some of our blog posts to recap.  It’s really pretty interesting to harken back to the challenges that we were facing last year and how we have solved some, while others are very much still threatening.  We will be selecting certain posts as suggested reading for what the Twitterverse likes to call #ThrowbackThursday… although I know that Walt really enjoyed X-Men: Days of Future Past, so that might be contributing to the retro theme too.

Some things have definitely remained the same.  SafeLogic still pursues innovation in security and encryption, prioritizing the safety, privacy and liberty of our customers, and our customers’ customers.  I’m still thankful and proud to be an American, and I’m still planning to grill, watch fireworks and put away a few cocktails.

In a landscape strewn with failed companies, startups deeply in the red, and ousted executives, I’m excited for Independence Day.  I have a lot of pride as I continue to lead this company, as SafeLogic continues to operate independently, at a profit, and with no venture debt.  It’s the most clear, direct way that I can say definitively that we will be here when you need us.  Next month, next year, or whenever you’re ready.

Happy Independence Day!


18 Jun 2014

Tizen, Connected Cars and Buggy Whips

Two weeks ago, I had the privilege of giving a presentation at the 2014 Tizen Developer Conference.

The first thing that you should know is that this was a fantastic event.  Most of us will hear “user group” or “developer conference” and reminisce about our own early experiences, the coffee-and-donuts geek meetups, complete with a folding chair for each wannabe Wozniak.  This was much more.  With a variety of speakers tackling an equally diverse set of topics over a three day stretch, and a significant investment of time, money and energy from Intel and Samsung, I highly recommend attending in 2015 if possible.  It was a very smooth and well-coordinated conference, for speakers, attendees and exhibitors alike.

The second thing that you should know is that my session rocked.  ‘Security-Centric Development for IoT and Wearables’ was one of the few talks that had a specific focus on data protection.  My hope is that I was able to influence attendees to consider security as a non-negotiable aspect of their development efforts, and maybe next year we will see more like-minded sessions on the agenda.  At the very least, I had fun launching SafeLogic footballs into the audience and nobody got a concussion.

To be honest, I was blown away by the ideas bouncing among the audience.  There were developers from seemingly every corner of technology, all with a vision of success based on the same operating system.  It was inspiring to see how many different folks saw potential in the same place.  Since the conference, it has felt like everywhere I look, there is another potential application for Tizen, another opportunity to join the Internet of Things and another chance to connect.  The scary part is that it all has to be secured.  Remember, IoT is only as strong as the weakest link.

One session at the Tizen Developer Conference included a discussion of the connected car collaboration efforts of the Linux Foundation, IBM, Intel and Local Motors.  It made me think of the article I had just read on CNN, aptly titled ‘Your car is a giant computer – and it can be hacked’.  Scary stuff, and spot on.

The Toyota Prius has solidified its place in the garage of everyday Americans based upon efficiency, not horsepower, and has been immortalized as the test mule for Google’s self-driving car project.  Tesla’s fully electric Model S was the top selling full-sized luxury sedan in 2013… not bad for a vehicle designed by tech geeks.  Google has pushed the envelope even further now, internally developing prototypes for an all-new self-driving vehicle that incorporates features of both.  The landscape is clearly changing – and quickly.

Steering wheels are the next buggy whip, and data security will be more important to safe transportation than seatbelts.  Driver error will be replaced by the threat of compromised communications.  Could you imagine arriving at your destination, only to find yourself at a location chosen by a malicious hacker?  Or having your vehicle overridden and driven into a wall, off a cliff, or into a lake?  There is serious potential in self-driven cars, but even more serious potential for disaster.

The Tizen platform is not uniquely vulnerable to these threats.  All of IoT inherently is.  A smart toaster in your kitchen has to be as secure as your car, even though it isn’t 3000 pounds of metal going 70 miles per hour.  Until developers begin treating all devices with the same level of respect, I encourage all of us to tread carefully.  Hackers relish the challenge of creating mischief as much as they value the results, so assume that you may be a target.  We all are.

If you are a developer in IoT, please check out CryptoCompact.  We have begun our pilot program, so consider it an open invitation to integrate military-grade encryption within your project.  We’re all in this together, so let’s stay safe.


8 Apr 2014

SafeLogic Responds to Heartbleed

We just issued an advisory notice for customers regarding the recent Heartbleed vulnerability in OpenSSL.

The issue doesn’t reside within our CryptoComply module; it’s in the higher level OpenSSL libraries that (can) call into our CryptoComply module. This means there is no FIPS impact to our customers… however, there is a security impact.

Folks, this is serious stuff. Key material is subject to being disclosed to attackers. Even if you’re using another crypto module with your vulnerable OpenSSL implementation, patch it immediately. But just patching it isn’t enough. Consider this the right time to update your keys and certificates. You should assume that an attacker knows them by now. 

I have to say that I’m very proud of the SafeLogic team here. We responded and had new builds commencing within a few hours of the notice. We provide the upstream OSSL stack as a value to our customers, and it’s important to all of us that they run securely. Builds run through smoke testing and functional testing to ensure proper operation for FIPS, and builds are available on our support portal.

We’ll continue to stay on top of this. We’re not only looking to help our customers… we want to help protect the industry at large. This is that big of an issue. Security awareness becomes key, so let’s keep this at top of mind.

26 Mar 2014

Are We Ready for IoT?

As an industry, we’re not over the hump for mobile security yet. We’ve gone from protecting the device to protecting the app to protecting the data. We’ve come a long way in terms of security for mobility, and we still have a long way to go.

And yet a new challenge looms.

I’m talking about the Internet of Things (IoT).  IoT is a connected, well, everything. Cars, wearables, home automation, industry-specific devices, etc. It will all be connected. The Internet of Things market will be huge. Even data centers are prepping for its rise. Some folks have justifiably begun calling it the Internet of Everything.

So are we ready for IoT? Well, at SafeLogic, we are. Over the next few weeks you’re going to see some new blog posts and an exciting announcement. We’re going to talk about risks, challenges, and solutions. Because after all, we are only as secure as our weakest link.  In IoT, there are so many links that we don’t have a choice – we have to get it right from the start.

10 Mar 2014

What a Week: Part Two

Last week, I had the honor of talking security at the first ever Wearables DevCon. After my successful presentation on security in constrained devices at the RSA Conference with Whit Diffie, I was excited to focus specifically on wearables.  It was an excellent show, and I want to summarize a few key points.


This conference was very well attended. I’m not always the best judge of numbers, but there had to be a couple hundred people there easily. It’s very cool to see that kind of energy and traction, especially for a first-time conference.

Consumer vs. Enterprise. That seemed to dominate a lot of hallway discussions. Certain sessions focused on developing wearable apps that consumers would embrace, while others talked about solving challenges in the enterprise. As the race for finding and building the “killer app” for Glass heats up, it’ll be interesting to see in which area it falls. One thing that was accepted across the board:  the wearable and IoT market will be HUGE; it’s just a bit nascent at this point.

There was only one session focused on security. I have to admit, I’m happy that we had a chance to speak at this event. Not just for press or publicity, but because I want to get the community thinking about security from the beginning. It’s not as glamorous as UI design, API leverage, etc., but it needs to be a core component, especially concerning the enterprise and other data-sensitive verticals.

I really enjoyed my talk, mainly because of the excellent engagement from the audience. It was a very interactive session, and I loved the energy in the room! We talked about compliance, risks, CryptoCompact, the need for security in different verticals, why the wearable market will face challenges when it comes to security, and what we can do about it. We talked about lessons learned from the mobility side and how we can apply them in wearables and IoT early on… before we potentially see a BYOW movement take root.  (Yes, that’s ‘Bring Your Own Wearable’.) We covered a lot of ground in an hour!

Thank you to the conference organizers for putting on a great show and giving us the opportunity to speak. And thanks again to everyone in our session! I’m looking forward to continuing the discussion.

3 Mar 2014

What a Week!

On Friday, I headed home.  The lobby at the St. Regis was eerily quiet and the hotel staff looked rather relieved to see all the conventioneers gone.

I learned a few key things at the RSA Conference this year.


1)   Even when Mobile World Congress and HIMSS are scheduled at the same time, we can still get a ridiculous number of security-conscious folks to assemble in San Francisco.

2)   Corporate acquisitions inspire equal parts excited speculation and cynical skepticism.

3)   People are tired of hearing the same spiel from familiar faces, but the new exhibitors got a ton of exposure.

4)   The NSA booth was an extremely popular photo location… and the various “Booth Babes” really weren’t. People seemed to care more about content than flash.

5)   Between the Snowden controversy, RSA-NSA cooperation, and now the Apple TLS/SSL snafu, people just don’t know where to turn.


The latter is an issue that will require more attention next week and will be addressed in this space.  Right now, it’s time to decompress and process everything.  The names, the faces, the suggestions and requests for our product roadmap, the potential partnerships – I can’t articulate how excited we are for the coming weeks.  The feedback at the conference was spectacular.

Thanks to all of you who shared your time with us, whether talking on the expo floor, having a drink with us at the SafeLogic hospitality suite at the St. Regis, or even just chatting in the elevator.  We know how valuable every minute is while on site, so thank you.  Your insight and perspective is a huge part of how we continue to refine our roadmap and goals.

If you missed my presentation with Whit Diffie on ‘Crypto for Constrained Devices’, stay tuned for the video on demand.  Or if you are local to the Bay Area, come see my related talk ‘Security Challenges in Wearables’ this Thursday at Wearables DevCon.


12 Feb 2014

Lee Kestler Joins SafeLogic Advisory Board

I’m very pleased to announce that Lee Kestler has joined the SafeLogic advisory board.

If you’re looking for the official statement, you should check out the press release. These are my thoughts, unfiltered, about bringing Lee into the fold.

I’ve known Lee for over 10 years, going back to my days at Cisco. Since then he’s been a trusted colleague.  He’s one of the most honest and humble people I know, and he’s one of my Go-To guys when it comes to business development, building relationships, and asking tough questions.

Above all that, he’s a friend. Always willing to help, give advice, be a mentor, and share thoughts without asking for anything in return. I’ve always enjoyed our business conversations, and each one has given me something to ponder. I’m so happy we could make this advisory position official!

Lee, it’s great to have you on the team. Thank you for everything that you’ve already contributed, and I’m looking forward to growing SafeLogic, disrupting new areas, and kicking ass with you.

Let’s do this!



30 Jan 2014

The Internet of Things (To Protect)

The Internet of Things is under attack already, say researchers.  A smart refrigerator was hacked and used to disperse malicious code, for example.  So why are we not properly teaching folks that devices are vulnerable immediately upon connection?  Education on these topics will save us a lot of heartache and headlines in the next few years… and it might even save some lives.

In recent posts, Symantec’s Vince Kornacki and Bob Shaker point to some disturbing potential outcomes from building the connected home without properly factoring in security.  Sure, the hacked toaster oven is fairly innocuous, but burglars really could case entire neighborhoods by tracking homes’ thermostat activity.  Hackers more interested in anarchy and panic really could manipulate fridges to spoil food and use unsupervised ovens to start fires.  Kornacki points out that simply disabling a home’s heater could produce disastrous effects in frigid climates, and the inverse is true as well.  Denying air conditioning to a desert dweller in August could quickly turn cruel or even fatal.

We have seen what happens in other sectors when we let technology develop too far without factoring in security.  Unfortunately, many manufacturers will ignore security as long as possible, until their consumer audience demands it.  So let’s stop, take a deep breath, and educate the public.

Rules to Remember

  • If it’s connected to the internet, it can be hacked.
  • If it can be hacked, it can be manipulated.
  • Everything that has data in transit or at rest should be encrypted.
  • Encryption is not all created equal, so it should be verified.
  • If it has a camera, someone might be watching you.
  • If it has a camera, someone might be watching your internet traffic instead of you.
  • If it has a password, change it to a strong code.
  • If it doesn’t have password protection available, ask why not.


Manufacturers will drag their feet until we, as buyers, make it clear that we want secure devices.  We should not be buying any connected devices that do not have privacy safeguards available.  Speak with your wallet and be patient until viable options are on the market.  And then, it will be game on for the Internet of Things!

8 Jan 2014

Encryption Becoming Mainstream

Encryption specifically described as mainstream?  By a Forrester analyst??  Now that is a warm welcome to 2014!

I enjoy reading New Year’s predictions.  While security is definitely a trendy topic, one statement recently caught my eye.  James Staten’s 8th prediction in his blog at Forrester:

 Bring-your-own-encryption will dominate the security discussion in 2014. One of the top trending inquiry topics hitting our cloud and security analysts lately are about cloud encryption solutions for AWS and Salesforce.com. You can thank the US NSA for popularizing this trend. Clients are asking for recommendations on offerings that encrypt data before it hits the cloud service and lets the enterprise control the keys. Encryption covers a multitude of sins, and by encrypting the data before it hits the cloud, companies effectively strip the toxicity (and the liability) from the data.

Nailed it.  Staten absolutely nailed it.

There is so much going on in security right now. It’s such an interesting and dynamic space. The latest and greatest products are hitting the market now, from policy-based containers to persistent threat detection and from cloud isolated networks to identity management.  Why?  Because stakeholders are finally focusing on the protection of data.  That’s truly what matters.

There are lots of means to that end, but these exciting new solutions have one thing in common.  They are all leveraging encryption.

Encryption has not been at the forefront of security technology discussion for quite some time.  It’s not glamorous, but it’s the foundation for everything we’re trying to accomplish as an industry.  I’m glad it’s trending and getting some recognition, because that’s exactly why we’re here, providing strong encryption for multiple environments that meets strict standards and is easy to implement.

With encryption, data can be protected in a variety of ways, with a vast array of solutions and strategies.  SafeLogic is working on behalf of the end user, helping developers maximize the power of cryptography and tailor every product to be as secure as possible on each platform.  This is our goal and it’s stellar to see it reflected in the writings of other thought leaders in the industry.  Now let’s get to work and make it a reality!

30 Dec 2013

Thank You for an Amazing 2013!


Ray Potter

This is not your typical “CEO’s year end blog post with predictions.” This is more about introspection and gratitude. And don’t worry… I promise not to use terms like ‘synergy’ or ‘bleeding edge.’

2013 has truly been an amazing year. SafeLogic’s performance exceeded my (already very high!) expectations, which just raises the stakes for next year. We’re ready, and I’m excited. In addition to our traction with customers, here’s some other cool stuff that happened this year:

  • Launch! It’s hard to believe, but we only just came out of stealth in early March.
  • We established a rocking advisory board.
  • We participated in a number of events, including speaking at the first ever International Cryptographic Module Conference.
  • Our blog posts were relevant and published consistently. (Let’s face it, it’s easy to procrastinate those.)
  • I was interviewed by Forbes.
  • Our ‘Crypto for Constrained Devices’ talk was accepted for RSA 2014.
  • We launched a cool new product ahead of the incumbents.
  • We became the first third-party vendor to get FIPS-tested on both iOS 6 and iOS 7 (again, bye bye incumbents).

Three very simple factors brought us here:

Our awesome customers. You put your reputation in the hands of a start-up, and you built our solution into your products. Not only have you helped drive development and features, but you’ve also referred us to your colleagues and counterparts. Your feedback has been extremely valuable, and we feel lucky to work with you and help push your business forward. Thank you!

The amazing SafeLogic team. I’m impressed by all of you. You’ve worked so hard and you each bring special skills that push this company forward. Our team is driven, talented… and FUN! I really do love my SafeLogic family.

Incredible allies. I’ve been blown away by the number of folks who have helped us grow, without anything to gain personally. Complete strangers have introduced us to customers; others have offered insight on our roadmap and goals. The common theme is that they have contributed with no strings attached. Especially in the competitive landscape of Silicon Valley, it’s just stellar to see such selflessness and genuine desire to help.

2014 is right around the corner, bringing an aggressive roadmap, lots of goals, higher expectations, major productivity, and a whole lot of synergy energy. Dammit! That was close…

Let’s do this!!

- Ray