CryptoCompact Archives | SafeLogic

All posts in CryptoCompact

7 Aug 2014

Nest: Hacked or Just Jailbroken?

It is here, somewhere in the middle of the desert, among the inexplicably massive resort hotels that have risen from the sand over the years, that the experts have gathered.  First it’s Black Hat, then it will be ITexpo.  Right now is the lull between the storms.
Not much of a lull, though, to be honest.  After Yier Jin, a researcher and assistant professor at the University of Central Florida (go Knights!), blew the doors off of the poster child for the Internet of Things at Black Hat, the hype machine has grabbed hold of the discussion and we’re in full swing.

One camp points to the discovered vulnerability in the Nest thermostat as proof positive of our future destruction.  The other takes it with a grain of salt, reassured by Nest Labs’ assertion that the unauthorized control requires physical access and should be considered a ‘jailbreak’, not a true hack.

I would fall somewhere in between the two schools of thought.  The latter doesn’t take the hack seriously enough, while the former is just a bit too convincing as Chicken Little.  But let’s take a closer look at the situation.

Sean Michael Kerner’s article at eWeek quotes Nest Labs’ statement.  “It doesn’t compromise the security of our servers or the connections to them and to the best of our knowledge, no devices have been accessed and compromised remotely.”

Jin, the researcher, didn’t claim to hack Nest’s servers or control any remote devices… what he did say is that he could theoretically interfere with future firmware updates, rendering a particular thermostat helpless to potential bugs, hacks and loopholes that will doubtless be discovered later.  In addition, Jin points out that by forcing his way onto the device, he would have access to network credentials.  Now we’re talking about a clear and present threat.

So perhaps the bigger problem here is not the hack of the thermostat – it’s that the network credentials are accessible from the device.  As Seth Rosenblatt points out at CNET, Black Hat has pivoted this year to a true discussion of security, leaving the topic of privacy for another time.  Jin clearly uncovered a distinct security issue, and I’m excited to see how the industry responds.  In the meantime, we’ll see what ITexpo brings to town.
In the immortal words of Hunter S. Thompson, “Buy the ticket, take the ride.”  IoT is here, and we are all along for the ride.  Let’s make the most of it.  Drop me a note if you’re here in Las Vegas for the conferences, I’d love to hear your opinions.


11 Jul 2014

Glass for the Masses

Wearables and the surrounding culture are evolving to the next generation right before our very eyes and Google is firmly in the vanguard with the notorious Glass.

Just in the beginning of 2014:

– San Diego traffic court heard a case against a Glass-wearing driver

– Homeland Security interrogated Ohio man wearing Glass in a movie theater

– VSP, the #1 vision insurance provider, announced eligibility of Glass for subsidies

– Google added sunglasses and prescription frames to Glass lineup

Do you see a pattern?  I sure do.  Growing pains, and lots more to come.

Google is making a strategic effort to make Glass more accessible, but they have fallen short, yielding a not-quite positive reputation for their early adopters.  Perhaps any press is good press for Google, but I think it says something when “Glasshole” has been an entry in the Urban Dictionary for nearly a year before the device was even available for public sale.  Wearables are clearly poised for mainstream domination, but the public is just as clearly not ready to accept it yet.

The issue is a lack of hands-on experience by the masses.  As Keith Barrett pointed out in his blog, by slashing the price, Google could put the Glass into the hands of millions.  It would no longer be a novelty toy for the elite nerds who want to demonstrate their status.  The average American would become the advocate, knocking down barriers, removing stigma, and encouraging everyone to see the positive applications for the technology.  The everyman is a very powerful demographic, and it’s the only one that can combat the current notoriety of the Glass.

So let’s talk about actual, productive ways to integrate Glass into our normal lives.

Why are we not rolling out law enforcement apps for Glass that include real-time database reference for license plates and facial recognition?  That would be so much more productive than ignoring the topic until traffic cops pull over a blogger looking for publicity.

Why are we not deploying Glass in movie theaters to offer subtitles for deaf or non-English speakers?  That seems like a better option than calling in federal agents to investigate a potential bootlegger.

If we have subsidies to burn with insurance companies, why are we not developing Glass apps to help teachers in the classroom?  Imagine if a teacher could quantitatively measure the attention span of a room of first graders while engaging with them.  How about apps for health inspectors while in a commercial kitchen?  Or taxi drivers?  Or race car drivers?

The potential of Wearables, and specifically heads-up displays and augmented vision such as Glass, is vast.  I just hope that we can begin to truly embrace it as a culture soon.


18 Jun 2014

Tizen, Connected Cars and Buggy Whips

Two weeks ago, I had the privilege of giving a presentation at the 2014 Tizen Developer Conference.

The first thing that you should know is that this was a fantastic event.  Most of us will hear “user group” or “developer conference” and reminisce about our own early experiences, the coffee-and-donuts geek meetups, complete with a folding chair for each wannabe Wozniak.  This was much more.  With a variety of speakers tackling an equally diverse set of topics over a three day stretch, and a significant investment of time, money and energy from Intel and Samsung, I highly recommend attending in 2015 if possible.  It was a very smooth and well-coordinated conference, for speakers, attendees and exhibitors alike.

The second thing that you should know is that my session rocked.  ‘Security-Centric Development for IoT and Wearables’ was one of the few talks that had a specific focus on data protection.  My hope is that I was able to influence attendees to consider security as a non-negotiable aspect of their development efforts, and maybe next year we will see more like-minded sessions on the agenda.  At the very least, I had fun launching SafeLogic footballs into the audience and nobody got a concussion.

To be honest, I was blown away by the ideas bouncing among the audience.  There were developers from seemingly every corner of technology, all with a vision of success based on the same operating system.  It was inspiring to see how many different folks saw potential in the same place.  Since the conference, it has felt like everywhere I look, there is another potential application for Tizen, another opportunity to join the Internet of Things and another chance to connect.  The scary part is that it all has to be secured.  Remember, IoT is only as strong as the weakest link.

One session at the Tizen Developer Conference included a discussion of the connected car collaboration efforts of the Linux Foundation, IBM, Intel and Local Motors.  It made me think of the article I had just read on CNN, aptly titled ‘Your car is a giant computer – and it can be hacked’.  Scary stuff, and spot on.

The Toyota Prius has solidified its place in the garage of everyday Americans based upon efficiency, not horsepower, and has been immortalized as the test mules for Google’s self-driving car project.  Tesla’s fully electric Model S was the top selling full-sized luxury sedan in 2013… not bad for a vehicle designed by tech geeks.  Google has pushed the envelope even further now, internally developing prototypes for an all-new self-driving vehicle that incorporates features of both.  The landscape is clearly changing – and quickly.

Steering wheels are the next buggy whip, and data security will be more important to safe transportation than seatbelts.  Driver error will be replaced by the threat of compromised communications.  Could you imagine arriving at your destination, only to find yourself at a location chosen by a malicious hacker?  Or having your vehicle overridden and driven into a wall, off a cliff, or into a lake?  There is serious potential in self-driven cars, but even more serious potential for disaster.

The Tizen platform is not uniquely vulnerable to these threats.  All of IoT inherently is.  A smart toaster in your kitchen has to be as secure as your car, even though it isn’t 3000 pounds of metal going 70 miles per hour.  Until developers begin treating all devices with the same level of respect, I encourage all of us to tread carefully.  Hackers relish the challenge of creating mischief as much as they value the results, so assume that you may be a target.  We all are.

If you are a developer in IoT, please check out CryptoCompact.  We have begun our pilot program, so consider it an open invitation to integrate military-grade encryption within your project.  We’re all in this together, so let’s stay safe.


14 May 2014

The Real Truth About Wearables

I keep reading about Wearable tech’s ‘Dirty Little Secret’… the fact that most Wearable devices are shelved within three months of initial use.

Does this shock you?  No?  Good.  Me neither.
And I’m not worried about it.


If you’re reading this post, you’re no stranger to the phenomenon of the Consumerization of IT, or CoIT.  (It almost looks naked without the hashtag!  #CoIT.  That’s better.)  It’s also referred to as the ITization of Consumers, which doesn’t have the same ring to it, but is actually more accurate when describing the shift towards more sophisticated and savvy users.  Today’s enterprise employees don’t need a designated geek to configure and deploy a piece of equipment.  In fact, they usually prefer to set it up themselves, since nobody knows their needs and preferences better.  Some blame the millennials, but that’s just not the full picture.  This trend was manifesting as Shadow IT since before the millennials went to prom.

I bring up CoIT because it is the embodiment of today’s tech culture.  Everyone wants to use the newest, hottest devices, and they prove it everyday, with or without IT’s help or blessing.  Everyone wants to be an early adopter now.  Everyone wants to try the latest and greatest, which is absolutely stellar.  Not every device is going to be a hit, but we are okay with that.  At this point, a wearable device with strong universal adoption would be the exception to the rule.  So in this period of ‘fail fast’ versions, who better to beta test new wearables and subject them to real world conditions than us?

The same research that presents the three month interval of abandonment also puts forward an estimate that over 10% of adult Americans have purchased at least one of these devices.  If we included Bluetooth devices, you better believe that number would skyrocket.  Subtract the population that is – sorry, I’ll just say it – too damn old to mess with these new-fangled doohickeys, and we are approaching an impressive market penetration for wearables without any delusions that it is a matured technology.  As a culture, we have demonstrated our appetite for wearables by continuing to buy and try them.  There is a certain sense of pride associated with being an Explorer, Pilot, or Kickstarter participant.

Bottom line – I’m not surprised by, or discouraged by, this report.  Wearables are still nascent, like a recent graduate backpacking through Europe, searching for motivation and identity in an existential haze.  We should embrace it as it is formed, molding it to our vision.  We shouldn’t push it away and complain that it is undeveloped.  We need to try every device that we can get our hands on.  We need to speak up and give strong feedback.  Offer opinions publicly, so that others can echo or debate, in the plain view of the innovators who will give us exceptional, can’t-live-without-them wearables one day soon.

And of course, don’t forget to demand strong security in every piece of technology that we carry on our bodies.  Don’t forget how crucial it is to protect ourselves, and that includes our personal data.

We can make a difference in wearables.  Try, test, and critique.  Rinse and repeat.


26 Mar 2014

Are We Ready for IoT?

As an industry, we’re not over the hump for mobile security yet. We’ve gone from protecting the device to protecting the app to protecting the data. We’ve come a long way in terms of security for mobility, and we still have a long way to go.

And yet a new challenge looms.

I’m talking about the Internet of Things (IoT).  IoT is a connected, well, everything. Cars, wearables, home automation, industry-specific devices, etc. It will all be connected. The Internet of Things market will be huge. Even data centers are prepping for its rise. Some folks have justifiably begun calling it the Internet of Everything.

So are we ready for IoT? Well, at SafeLogic, we are. Over the next few weeks you’re going to see some new blog posts and an exciting announcement. We’re going to talk about risks, challenges, and solutions. Because after all, we are only as secure as our weakest link.  In IoT, there are so many links that we don’t have a choice – we have to get it right from the start.


10 Mar 2014

What a Week: Part Two

Last week, I had the honor of talking security at the first ever Wearables DevCon. After my successful presentation on security in constrained devices at the RSA Conference with Whit Diffie, I was excited to focus specifically on wearables.  It was an excellent show, and I want to summarize a few key points.


This conference was very well attended. I’m not always the best judge of numbers, but there had to be a couple hundred people there easily. It’s very cool to see that kind of energy and traction, especially for a first-time conference.

Consumer vs. Enterprise. That seemed to dominate a lot of hallway discussions. Certain sessions focused on developing wearable apps that consumers would embrace, while others talked about solving challenges in the enterprise. As the race for finding and building the “killer app” for Glass heats up, it’ll be interesting to see in which area it falls. One thing that was accepted across the board:  the wearable and IoT market will be HUGE; it’s just a bit nascent at this point.

There was only one session focused on security. I have to admit, I’m happy that we had a chance to speak at this event. Not just for press or publicity, but because I want to get the community thinking about security from the beginning. It’s not as glamorous as UI design, API leverage, etc., but it needs to be a core component, especially concerning the enterprise and other data-sensitive verticals.

I really enjoyed my talk, mainly because of the excellent engagement from the audience. It was a very interactive session, and I loved the energy in the room! We talked about compliance, risks, CryptoCompact, the need for security in different verticals, why the wearable market will face challenges when it comes to security, and what we can do about it. We talked about lessons learned from the mobility side and how we can apply them in wearables and IoT early on… before we potentially see a BYOW movement take root.  (Yes, that’s ‘Bring Your Own Wearable’.) We covered a lot of ground in an hour!

Thank you to the conference organizers for putting on a great show and giving us the opportunity to speak. And thanks again to everyone in our session! I’m looking forward to continuing the discussion.


3 Mar 2014

What a Week!

On Friday, I headed home.  The lobby at the St. Regis was eerily quiet and the hotel staff looked rather relieved to see all the conventioneers gone.

I learned a few key things at the RSA Conference this year.


1) Even when Mobile World Congress and HIMSS are scheduled at the same time, we can still get a ridiculous number of security-conscious folks to assemble in San Francisco.

2) Corporate acquisitions inspire equal parts excited speculation and cynical skepticism.

3) People are tired of hearing the same spiel from familiar faces, but the new exhibitors got a ton of exposure.

4) The NSA booth was an extremely popular photo location… and the various “Booth Babes” really weren’t. People seemed to care more about content than flash.

5) Between the Snowden controversy, RSA-NSA cooperation, and now the Apple TLS/SSL snafu, people just don’t know where to turn.


The latter is an issue that will require more attention next week and will be addressed in this space.  Right now, it’s time to decompress and process everything.  The names, the faces, the suggestions and requests for our product roadmap, the potential partnerships – I can’t articulate how excited we are for the coming weeks.  The feedback at the conference was spectacular.

Thanks to all of you who shared your time with us, whether talking on the expo floor, having a drink with us at the SafeLogic hospitality suite at the St. Regis, or even just chatting in the elevator.  We know how valuable every minute is while on site, so thank you.  Your insight and perspective is a huge part of how we continue to refine our roadmap and goals.

If you missed my presentation with Whit Diffie on ‘Crypto for Constrained Devices’, stay tuned for the video on demand.  Or if you are local to the Bay Area, come see my related talk ‘Security Challenges in Wearables’ this Thursday at Wearables DevCon.



19 Dec 2013

An Early Christmas Gift

It’s that magical time of year… Folks are bundled up to go caroling, there’s a Santa on every corner, and we all feel like kids again, hoping to find that special gift under the tree…

I must have been really good this year.  Because, not to brag, but I got an early present, and I don’t think you get speaking slots at the RSA Conference if you’re on the naughty list!  There wasn’t any wrapping paper, certainly no bow or ribbon, and it wasn’t even remotely close to under the tree, but this may be my best surprise of the season.  Don’t tell my kids I said that!

I am proud to announce that I will be discussing the future of security with the inimitable Whitfield Diffie, my mentor and a member of SafeLogic’s Advisory Board.  Our session is titled ‘Crypto for Constrained Devices’, and we’ll talk about unique features of cryptographic use cases for a new generation.  It is scheduled for Wednesday, February 26th at noon as a featured talk on the Security Mashup track.


With innovative designs for powerful yet smaller and more integrated devices, Wearables are just one of the sectors that demand special attention to security.  Mobile health initiatives, industrial embedded devices, and a litany of others ensure that our work with constrained devices will reach every person on the planet and that is simply incredible.

So please mark it on your calendar.  Come to the RSA Conference, February 24th – 28th in San Francisco, and see what we’ve got up our sleeve (and in our watches and glasses, too.)

Happy Holidays!


15 Oct 2013

Announcing CryptoCompact

Somewhere, Sasquatch is crying.  Apologies to the hairy fella.  Bigfoot just isn’t welcome here.


Or here.


Wearables have arrived, but their space and processing constraints have made it extremely challenging to integrate the relatively large footprint of cryptographic modules.  This dilemma has perplexed many, generally resulting in shrugs and lack of action.  ‘Until these devices are more popular, hackers won’t bother.’

Unfortunately, the ostrich approach just isn’t going to work.   The capacity of Wearables is tiny, but the data itself is extremely significant.  Consider all of the highly personal information that is gathered by Wearables – not just location and time, but physical habits.  Some are designed specifically to archive heart rates and diagnostic data.  The sky is the limit here, both for altruistic goals and malicious.  It’s like a 007 movie come to life, and you can bet that the villains will surface now that the technology exists in the mainstream.  We can’t sit and wait for the bad guys to strike first.

Seeing these devices catch traction is very, very cool.  It’s always amazing to watch new tech develop and be embraced by the masses.  But more importantly, it’s an opportunity and we have a responsibility to ensure that it doesn’t become a nightmare.  Developers are already working on enterprise applications and concepts for mass deployment of these devices.  The data must be secured, and our first challenge is to address the dilemma presented by the device capacity.  Encryption modules carry weight that isn’t factored into the design specifications for these constrained devices, hence the need for a module with a tiny footprint.  The trick is that it still needs to pack enough punch to power the apps and the security solutions that are sure to follow.

Today, I’m speaking at the Silicon Valley Telecom Council’s Wearables event at the CTIA MobileCON 2013, and I’m proud to announce CryptoCompact, only from SafeLogic.

The premise is simple.  We started with the same goals as CryptoComply – unrivaled cryptographic performance with the easiest implementation and best support in the business.  Then, we took out the bells and whistles and streamlined the module to run as fast as possible with the smallest footprint possible, but without sacrificing features needed today and for the future. And rest assured, CryptoCompact will uphold our standards for world class encryption by earning its own FIPS 140-2 validation.

I’m extremely excited about this new product and I can’t wait to share more details.  Check out the CryptoCompact page, including information about our pilot program.  If you’re developing apps for Wearables, definitely send us a submission.  We’ll be providing the CryptoCompact module to select developers during the testing period.  Stay tuned for more details!