Industry Events Archives | SafeLogic

All posts in Industry Events

23 Nov 2016

Inauguration to Bring Spike in Federal IT Spending

Last week, I was part of SafeLogic’s delegation to the Immix Federal IT Sales Summit. This event is in its third year and has already become a must-attend for any company that wants to get a piece of the government money pie in the year ahead. (If you’d like to attend next year, drop me a note. We will have some complimentary passes available.)

I’d like to share details about one session in particular, a panel led by Allan Rubin, titled Taming the Transition: Marketing & Sales Tactics for a Year of Turnover. Five experts weighed in on the impending ‘Trumpification’ of the U.S. government and there were some key strategic insights that you may find interesting.

First of all, the focus is on January 20, 2017. That’s the inauguration, of course. We are firmly in ‘lame duck’ territory at the moment, but the new administration of Mr. Trump, Mr. Pence, and their slate of appointees is lurking on the sidelines. We have a little more than 8 weeks from now to prepare for transition day and to determine how best to benefit from the change in power.

(Yes, 8 weeks from now. Do I need to point out that our target delivery for RapidCerts is 8 weeks, often less? Good fortune indeed!)

Panelist Frank McDonough pointed out that the hiring freeze can produce erratic purchasing behavior. The election year has already disrupted the traditional ‘use-up-the-end-of-year-remaining-budget’ spending spree. Our customers have reported varying behavior from agencies – some accelerated their buying cycles before the ballots were cast, while others tried to conserve resources to be used during the anticipated hiring freeze at inauguration. Unpredictable is the best way to describe what we saw this fall.

Mark Amtower, Kris van Riper, and Barbara Austin joined McDonough on the panel and echoed him on one major point in particular – incoming appointees will be under pressure to make their mark. They will be ready to spend money and will assert themselves with an immediate splash. McDonough said that in the past, appointees averaged approximately two years in office. I don’t think anyone, including the newly tapped leaders themselves, will expect President Trump to have ‘average’ patience for his team. We are all accustomed to his catchphrase “You’re fired!” and why would that change? They will all be on the hot seat from Day One at the inauguration.

Federal appointees will now be, more than ever before, aware that they are serving at the pleasure of the President, and appearances will be extremely important. When they make major purchasing decisions, they will be highly concerned with how it will look to the White House. Will they be willing to ignore mandates, such as FIPS 140-2? What if it comes back to bite them? As it appears many appointees will be coming from the private sector, will they even have the bureaucratic expertise to successfully dodge regulations, as they have in the past? Oversight from FITARA (the Federal IT Acquisition Reform Act) looms larger than ever before, and federal procurement officers may be held to tighter standards than in the past. Sole source contracts may be seen as too risky, potentially removing a once-popular method for agencies to defy NIST and acquire unvalidated products. Nobody will want to put their job on the line to procure a piece of software, no matter how great it is. The ever-present threat of Trump’s chopping block will drive a renewed devotion to compliance… and that’s not a bad thing, unless you have been trying to skate by without certification.

By achieving FIPS 140-2 validation with SafeLogic, you are creating a very tangible competitive advantage. The new culture in D.C. will provide huge opportunities to those who embrace it, because agencies will have big incentives to spend significantly front-loaded budgets on splashy new technology that meets regulatory compliance mandates.

If you already have a current and valid certificate, go ahead and pat yourself on the back. If you’re not certified, what are you waiting for? Contact us immediately so we can help you assess compatibility for CryptoComply and set a target completion date for FIPS 140-2 validation in your company’s name.

Don’t wait too long… January 20th is approaching fast! If we move quickly, your certificate will be completed by Inauguration Day, perfect timing for the impending spike in federal IT spending.


30 Sep 2015

Recap: CTIA 2015

Ever notice that when you go to Las Vegas, the flight there is always faster than when you’re coming home?  Or worse, if you’re driving back to California, you start to lose the will to live somewhere between Stateline and Baker on the I-15 South.  It doesn’t matter if you won or lost, the journey home is usually brutal.

This was different.  As the SafeLogic team parted ways on the last day of Super Mobility, there was an electricity in the air.  Sure we were tired; it was a long week.  We were excited, too, and for good reason.  With some time to catch up and reflect, here are my thoughts on CTIA’s flagship conference.

1) The Good

CTIA remains one of the best places to network.  We got to spend quality time with delegates from customers, partners, analyst firms… some planned meetings, some spontaneous.  The Sands Expo at the Venetian and Palazzo resorts is a strong draw, especially for the west coast folks, so there were a lot of people in attendance that we wanted to see.  That was great.

Our CEO, Ray Potter, was featured as a speaker at the 151 Advisors’ App-Solutely Enterprise seminar, providing a solo talk on mobile security, setting the tone before joining the panel discussion on the same topics.  It was a lively session, to say the least, with five opinionated panelists and frankly not enough time for everyone to put in their piece.  Luckily, the discussion was carried forward down the hallway and into cocktail hour.

Ray was also invited to speak at Wireless U., a co-located event coordinated by CTIA and the NCSL (National Conference of State Legislatures).  So Friday morning, Ray presented to a room full of State Senators and Representatives.  While not directly fueling SafeLogic’s efforts, the feedback and questions from the group were invaluable.  Attendees were insightful and curious, despite what they candidly, and often with refreshing self-deprecation, admitted was a general lack of expertise in technology.  The fact that these state congressmen and congresswomen were investing their time to better understand the hurdles facing their constituents and our nation as a whole was very encouraging as well.

2) The Bad

The downside is that the event is becoming increasingly saturated with cellular retailers and accessory vendors.  Somewhere along the line, the complementary industry of rhinestone-encrusted cases and external battery packs became a primary draw for the CTIA exhibit hall instead.  Add in the hands-free Segways, and you have the definition of “mobile” stretched a bit thin.

The MobileCon section of years past was essentially disbanded, incorporated into the rest of the exhibit floor.  I preferred the designated area of enterprise-focused software vendors who could focus their message on the enablement and empowerment of mobile workers.  Now, it is much more of a free-for-all (which is tougher for my marketing peers).  Gone along with it was the App-Solutely Enterprise stage, which was central to the exhibit floor in 2014.  Plenty of folks complained about the noise and bustle inherent to locating the stage directly on the main floor, but it was preferable to this year’s isolated ballroom on the second floor.

3) The [Not-So] Ugly

Maybe it’s Vegas, maybe it’s because CTIA is starting to converge on CES as a consumer-driven show, or maybe it’s just in contrast to the more buttoned-up atmosphere found at both security conferences and government-related events… Super Mobility really knew how to throw a party though!

Between the rave music punctuating attendee hangovers with serious subwoofers in the hallways and the efforts of the exhibitors, you definitely knew that this was an event to be explored.  We counted not one, but two BMW i8’s, as well as several non-electric supercars (Ferrari and Audi convertibles spring to mind), countless hired guns working the booths (not just babes, but Booth Bros as well), and a ridiculously talented balloon artist.

If the goal was to make a splash, then mission definitely accomplished.

The Bottom Line

While CTIA’s national conference is not what it used to be, it remains a strong destination for mobile security folks.  Would it be better if it was spun back out to a stand-alone event that caters better to enterprise technology?  Yeah, probably.  But until they do that, you’ll still see plenty of SafeLogic at Super Mobility.

Share your thoughts on the conference with us on Twitter!



8 Feb 2015

On Encryption Keys (and Anthem) – Part 2 of 2

The Anthem breach encouraged me to wrap up this blog series and talk about key management in a genuine security context. When the Anthem breach first became public, it looked as if patient records were accessed because of a lack of data encryption. Then Anthem stated the real reason for the breach: they only encrypt data in flight to/from the database(s) and rely on user credentials for access to data in the database. Why didn’t they encrypt the data in the database? Well, per Health Insurance Portability and Accountability Act (HIPAA) requirements, they don’t have to as long as they provide protection of the data via other means. Like elevated credentials.

That worked well, didn’t it?

They were compliant, but obviously not secure. To add more security to compliance programs like HIPAA, there have been some cries for enterprises to implement encryption. So how do you encrypt data properly? Well, it all depends on your environment, the sensitivity of the data, the threat models, and any tangible requirements for regulatory compliance. Here are some general guidelines:

  • Use validated encryption.
  • Use strong, well-generated keys.
  • Manage the keys properly.

Use validated encryption. Federal Information Processing Standard (FIPS) 140 is the gold standard. The Advanced Encryption Standard (AES) is one of the FIPS-approved algorithms for data encryption, and it is a better encryption algorithm than what Joe the Computer Science Intern presented in his thesis project. It just is. Plus, part of the FIPS 140 process (the CAVP algorithm testing) involves black-box, known-answer testing of each algorithm implementation to ensure it produces exactly the output the standard specifies. This is crucial for interoperability, and a correct implementation of the AES standard also provides a measure of confidence that there aren’t leaks, faults, etc. Always look for the FIPS 140 certificate for your encryption solution.

Use well-generated keys. A password-based key (PBK) is crap. Here a key is derived from a password by running it through a hash (message digest) function. PBKs are crap because most passwords are crap: the key space is only as big as the set of passwords people actually pick, so they’re subject to brute-force and dictionary attack and just should not be used. Password-Based Key Derivation Function v2 (PBKDF2) makes password-based keys a bit stronger by mixing a random value (called salt) into the derivation, so the same password yields a different key each time and precomputed tables are useless, and by iterating the function many thousands of times so that each guess costs the attacker as much as it costs you. But the threat is still there: iterations slow the guessing down, they don’t stop a weak password from being guessed.

Keys should be as unpredictable and “random” as possible. Unfortunately in software environments it’s difficult to obtain truly random data because computers are designed to function predictably (if I do X, then Y happens). But let’s say you can get provable random data from a hardware entropy source on your mobile device or your appliance. Use that to seed a conditioning step and an approved deterministic random bit generator (DRBG, per NIST SP 800-90A). Then use that output for your key.

Use strong keys. The strength of a key depends on how it’s generated (see above) and how long the key is. For example, the AES algorithm can accommodate key sizes of 128-bits, 192-bits, or 256-bits. Consider using a key size that correlates to the overall sensitivity of your data. In Suite B, 256-bit keys can be used to protect classified data at the Top Secret level. Is your data tantamount to what the government would consider Top Secret?

Also consider the environment. Constrained and embedded environments (think wearables) may not have the processing power to handle bulk encryption with 256-bit keys. Or maybe data is ephemeral and wiped after a few seconds and therefore doesn’t need “top secret level” encryption. Or maybe there’s just not enough space for a 256-bit key.

Use a key that is strong enough to protect the data within the constraints of the environment and one that can counter the threats to that environment.

Manage your keys properly. You wouldn’t leave the key to your front door taped to the door itself. Hopefully you don’t put it under the doormat either. What would be the point of the lock? The same applies to information security. Don’t encrypt your data with a strong, properly generated data encryption key (DEK) then leave that key under the doormat.

Consider a key vault and use key encryption keys (KEK) to encrypt the data encryption keys. Access to this key vault or key manager should also be suitably locked down and tightly controlled (again, many different ways to do this). Otherwise you might as well just not encrypt your data.

While we’re at it: rotate your keys, especially your KEKs. Key rotation essentially means “key replacement” … and it’s a good idea in case the key or system is compromised, and it limits how much data any one key ever protects. When you replace a key, zeroize the old one: overwrite its storage (and any in-memory copies) with 0x00 or 0xFF bytes so the retired key cannot be recovered later from memory, disk or backups.

Store those DEKs encrypted with KEKs and protect those KEKs with tools and processes. And remember to balance security with usability: rotating your KEK every 2 seconds might be secure, but is your system usable?
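The DEK/KEK hierarchy, KEK rotation and zeroization described above, in Go, as an added example that is neither SafeLogic’s code nor the author’s. Each record gets its own random 256-bit DEK; the DEK is sealed under the current KEK with the KEK’s identifier bound as associated data; rotating the KEK rewraps DEKs without touching the bulk ciphertext; retiring a KEK zeroizes it. AES-256-GCM is used both for the data and for the wrap (AES Key Wrap per NIST SP 800-38F is the dedicated approved wrap mode and would fit the same slot), the in-memory map stands in for the key vault or HSM, and the record, KEK names and sample row are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is one stored row: data sealed under its own DEK, plus that DEK sealed under the KEK named by KEKID.
type Record struct {
	KEKID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// Vault stands in for the key manager or HSM: the only place KEKs exist in clear.
type Vault struct {
	current string
	keks    map[string][]byte
}

// randomBytes pulls keys and nonces from the OS CSPRNG; a CSPRNG failure is fatal, never a fallback.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcm builds AES-256-GCM; key setup fails only on a wrong key length, a bug rather than bad input.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal returns nonce || ciphertext || tag under a fresh random 96-bit nonce.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; the tag check rejects any change to the blob or the aad.
func open(key, sealed, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// zeroize overwrites key bytes in place as soon as they are no longer needed.
func zeroize(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// Rotate makes a fresh KEK current; old KEKs survive only until their records are rewrapped.
func (v *Vault) Rotate() {
	if v.keks == nil {
		v.keks = map[string][]byte{}
	}
	v.current = fmt.Sprintf("kek-%d", len(v.keks)+1)
	v.keks[v.current] = randomBytes(32)
}

// Retire zeroizes and forgets a KEK; anything still wrapped under it becomes unreadable.
func (v *Vault) Retire(kekID string) {
	zeroize(v.keks[kekID])
	delete(v.keks, kekID)
}

// unwrap recovers a record's clear DEK (the caller zeroizes it); the KEK ID is bound as AAD.
func (v *Vault) unwrap(r Record) ([]byte, error) {
	kek, ok := v.keks[r.KEKID]
	if !ok {
		return nil, fmt.Errorf("unknown KEK %q", r.KEKID)
	}
	return open(kek, r.WrappedDEK, []byte(r.KEKID))
}

// Encrypt: fresh DEK per record, data under the DEK, DEK under the current KEK, clear DEK zeroized on return.
func (v *Vault) Encrypt(plaintext []byte) Record {
	dek := randomBytes(32)
	defer zeroize(dek)
	wrapped := seal(v.keks[v.current], dek, []byte(v.current))
	return Record{KEKID: v.current, WrappedDEK: wrapped, Ciphertext: seal(dek, plaintext, nil)}
}

func (v *Vault) Decrypt(r Record) ([]byte, error) {
	dek, err := v.unwrap(r)
	if err != nil {
		return nil, err
	}
	defer zeroize(dek)
	return open(dek, r.Ciphertext, nil)
}

// Rewrap moves a record onto the current KEK without touching the bulk ciphertext.
func (v *Vault) Rewrap(r Record) (Record, error) {
	dek, err := v.unwrap(r)
	if err != nil {
		return Record{}, err
	}
	defer zeroize(dek)
	wrapped := seal(v.keks[v.current], dek, []byte(v.current))
	return Record{KEKID: v.current, WrappedDEK: wrapped, Ciphertext: r.Ciphertext}, nil
}

func main() {
	var v Vault
	v.Rotate()
	rec := v.Encrypt([]byte("member 0001: Jane Doe, DOB 1970-01-01")) // constructed sample row
	v.Rotate()
	rec, err := v.Rewrap(rec) // rec now lives under kek-2, so kek-1 can be retired
	if err != nil {
		panic(err)
	}
	v.Retire("kek-1")
	pt, err := v.Decrypt(rec)
	fmt.Printf("readable under %s after rotation: %q (err=%v)\n", rec.KEKID, pt, err)
}
```

Rotating the KEK costs one unwrap and one wrap per record, not a re-encryption of the data; rotating a DEK does mean re-encrypting that record, which is why DEKs are scoped per record or per table in the first place. In a real deployment the `keks` map lives inside the key manager or HSM and the application only ever sees wrapped DEKs and clear DEKs, never a KEK.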

Anthem wanted the data to be useful, which is why it wasn’t encrypted at the database. But that usability came at a high cost. The good news is that it is possible to encrypt data and have it be usable.


Encryption is a critical, necessary piece of a system’s overall security posture. But it’s not the sole answer. In Anthem’s case, records were accessed via those “elevated user credentials” … which means that malicious hackers were able to get into the authentication server and raise privilege levels of user credentials (usernames/passwords) that they either knew or gleaned from the auth server. So in this case, it’s irrelevant if the breached data was encrypted; the hackers had authenticated and authorized access to it.

So what’s the answer?

When this was first reported I tweeted this:

[embedded tweet image]

Defense in depth means providing security controls to address all aspects of the system: people, process, and technology. Technology is the most difficult pillar to lock down because there are so many layers and threats, hence so many products such as firewalls, IDP, APT, IDS, SIEM, 2FA, AV, smart cards, cloud gateways, etc.

Encryption is a fundamental element for security of data at rest and data in motion (control plane and data plane). Even the strongest encryption with proper key management won’t protect data that is accessed by an authorized user, because it has to be usable. However, encrypted data and tight management of keys provides a critical, necessary piece to a robust security posture.

I hope this provides some guidance on how to think about encryption and key management in your organization.



6 Oct 2014

It’s Q4 Already?

It’s hard to believe we are in Q4 already. If you’re in the Bay Area, it still feels like summer!  But here we are, rapidly approaching Halloween and the holidays, watching football and playoff baseball.

I don’t really do quarterly company updates on the blog; in fact, I think Walt would argue I don’t write enough blog posts in general. But I’m just too excited. SafeLogic has had a great year and I’m really proud of the work that the team has done. A more detailed recap will happen towards the end of the year – Walt will be sure of that!

I’m on the way to Orlando now to talk at Gartner Symposium about security and compliance with Paul DePond of Globo, one of our customers in mobility. If you follow us on Twitter (and why wouldn’t you?), you’ll notice that I’ve been on the road speaking quite a bit recently. The content has been a blend of education and evangelism. I’m trying to get developers in emerging areas of technology to think about building security in to their solutions. I know it’s no easy task but I want to be sure folks are thinking about emerging threats. It’s easier with SafeLogic, but that’s another story. I want folks to understand the need for and value of strong encryption built with compliance in mind.

We have talked to customers and potential clients in some very cool new spaces, and it’s encouraging to see a more mature comprehension of the advantages offered by validated crypto.  Questions from analysts and press are becoming more sophisticated, and end users are really adapting to the landscape.  It’s gratifying to see folks genuinely care about how their data is being protected.

It’s been a very fun and very busy year… and we have some cool surprises in store, in both the short and long term. I can’t wait to share more.


30 Sep 2014

CTIA and the Quantified Self

A few weeks ago, Ray and I attended CTIA’s Super Mobility Week in Las Vegas. We won, we lost, we had some laughs, we had some drinks, he gave some talks. Overall, it was a very good trip.

The conference was huge, full of fascinating products and interesting people, and SafeLogic was proud to be a part of the Appsolutely Enterprise agenda in the MobileCON area. Ray’s keynote primer before the security panel was well received, which was very encouraging. Folks really seemed to understand why they should care about validated encryption. Between showing support for our customers on-site, meeting with potential new CryptoComply users, and evangelizing the virtues of RapidCert, we were definitely productive.


That’s really just part of the story, however. I was in the midst of field testing the Jawbone UP24 activity tracker bracelet when I hitched a ride with Southwest to McCarran Airport. This was just a terrible idea. In general, I exercise and I sleep because I should. I took care to specifically prioritize both when I hit 30, along with a consistent emphasis on healthy, organic, often vegetarian meals. I honestly had no idea that Brussels sprouts were so tasty. But the quantified self movement has no place in Las Vegas, no matter how sleek and sexy the wristband is.

In a city where there are no clocks and you can order a Moscow Mule at anytime and anywhere, information that leads to self-examination is practically banned. Forget about processing the proper amount of guilt that normally influences whether I would have another drink, or stay out for another hour. All that goes out the window in Sin City, yielding a Jawbone activity report that looks like this: [Jawbone activity report screenshot]

You read that right. Instead of sleeping, I was doing laps around the casino floor of the Palazzo. Remind me not to track myself again in this city.

In all seriousness, the bigger disruption to my Jawbone UP24 experiment was the announcement of the Apple Watch. It’s finally been revealed, and it’s coming soon-ish. Probably Q1 of 2015, but they weren’t very clear (not even in Mandarin). To me, it really looks like a 1.0 effort from the esteemed 1 Infinite Loop engineers – too thick, too limited in features, too gimmicky (yes, I’m talking about that extensive demo of the Astronomy mode) – but I’m optimistic for future versions and I’m looking forward to trying one out. It really needs to incorporate technology similar to what Healbe is promoting, to track true cardio activity and caloric burn.  Then I will be much more interested.

That was the real nail in the coffin for the Jawbone – thinking about everything that it doesn’t do. I must have been asked a dozen times what my heart rate was. “I have no idea,” I’d reply, before explaining that the Jawbone only tracks activity, not biometrics. Even the sleep tracker is iffy. I didn’t find the results of the in-sleep motion monitor to be particularly accurate, and it was self-reported for start and stop times. This left me with a very trendy pedometer. I downloaded an app instead and called it a day.

So the Jawbone is gone and not a moment too soon, since I’m returning to Vegas for a 22-hour bachelor party excursion this weekend. This time, I’ll be unplugged and deliberately unquantified.


27 Aug 2014

Vegas is Scary

Vegas is scary. Well, not the city itself.  I love Las Vegas!  (And I’ll be there again soon for CTIA’s Super Mobility Week. Ping me to meet up.)  The hackers that descended upon the desert oasis for Black Hat and DEFCON are the scary ones.  Their bag of tricks, more specifically.

I was on a mission to find and pick the brains of the most interesting attendees.  I came away somewhat traumatized, since I knew just enough to be truly disturbed by how many vulnerabilities were discussed.  Here are just a few, with links to more commentary by PC Mag. Max Eddy and Fahmida Rashid both did a stellar job and should be followed on Twitter.

Nest is Cracked

Saw it, wrote about it, followed Yier Jin on Twitter (and he followed me back. Very cool.)  Bottom line – Internet of Things devices should not be a doorway into your entire home network.  Consumers should consider setting up a quarantine, at least until these manufacturers figure it out.

Side note: what the hell, Nest? You’re part of Google now. You’re commonly considered some of the best and brightest. Shouldn’t you be setting a better example for the IoT vendors to come?

Airport Security Scanners Are Vulnerable

I’m not sure this is a great classic hack, per se, but it’s definitely a candidate for the Darwin Awards.  Who are the geniuses that are hardwiring login credentials into TSA-issue airport security scanners?  And to make it better, connecting them to the public internet?  Billy Rios, director of threat intelligence at Qualys, successfully identified two such systems.  He located 6,000 connected scanners, two of which were at airports.  PC Mag reported that one has been decommissioned since.  I want to know where this last rogue system is located… and I’m considering not flying until it is removed.

Satcom Links Become Slot Machines

IOActive’s Ruben Santamarta was able to hack the satellite communications systems used in airliners, cruise ships and other remote deployments.  Again, using hardcoded credentials and backdoors, Santamarta proved that several methods of alternate communications are vulnerable.  Making matters worse, the use cases when these devices are in play are exactly the situations that you don’t want to be hacked.  If you’re hitting SOS on a plane or a boat, the last thing you want to see is a Black Hat video slot machine!

Google Glass Steals Passwords

Ok, that one looks like click bait. In a way, it is. Qinggang Yue demonstrated that an iPhone or even a traditional camcorder would still do the trick, but the popular wearable poster child is the most sneaky.  He was stealing Android users’ PIN codes at an alarming rate – even 100% of attempts from 44 meters away, albeit with a camcorder on the fourth floor of the building to achieve an advantageous angle.  The upshot? Randomized keypads can’t become ubiquitous fast enough. They will negate the advantage of most PIN-stealing techniques, including this voyeur strategy. Without a direct and clear angle, Yue’s model was built to make assumptions about the location of each button.  By randomizing the location, users will not be able to rely on muscle memory to unlock their phone, access the ATM, enter their front door, etc., but hackers will have to work much, much harder.

Photo by Ryan Clarke


Bonus Story – The Puzzle Mastermind Behind DEFCON’s Hackable Badges

Ryan Clarke aka LostboY aka LosT has a really cool gig. Wired’s Kim Zetter has the story, and while it’s not about a vulnerability, impending danger or security, I highly recommend taking a couple minutes to read it. Clarke designs seven badge types each year: attendees (humans), goons (conference volunteers), vendors, speakers, contest leaders, the press, and the Uber badge. Players have to collect each of them to decipher part of a math-based challenge. The lanyards holding the badges also contain puzzles. This level of creativity and craftsmanship is not commonplace, and it makes you want to attend DEFCON just to get one of these sophisticated works of art. And it makes me want to watch a movie like The Game again, just to get that thrill. Well done, LostboY, well done.


7 Aug 2014

Nest: Hacked or Just Jailbroken?

It is here, somewhere in the middle of the desert, among the inexplicably massive resort hotels that have risen from the sand over the years, that the experts have gathered.  First it’s Black Hat, then it will be ITexpo.  Right now is the lull between the storms.

Not much of a lull, though, to be honest.  After Yier Jin, a researcher and assistant professor at the University of Central Florida (go Knights!), blew the doors off of the poster child for the Internet of Things at Black Hat, the hype machine has grabbed hold of the discussion and we’re in full swing.

One camp points to the discovered vulnerability in the Nest thermostat as proof positive of our future destruction.  The other takes it with a grain of salt, reassured by Nest Labs’ assertion that the unauthorized control requires physical access and should be considered a ‘jailbreak’, not a true hack.

I would fall somewhere in between the two schools of thought.  The latter doesn’t take the hack seriously enough, while the former is just a bit too convincing as Chicken Little.  But let’s take a closer look at the situation.

Sean Michael Kerner’s article at eWeek quotes Nest Labs’ statement.  “It doesn’t compromise the security of our servers or the connections to them and to the best of our knowledge, no devices have been accessed and compromised remotely.”

Jin, the researcher, didn’t claim to hack Nest’s servers or control any remote devices… what he did say is that he could theoretically interfere with future firmware updates, rendering a particular thermostat helpless to potential bugs, hacks and loopholes that will doubtless be discovered later.  In addition, Jin points out that by forcing his way onto the device, he would have access to network credentials.  Now we’re talking about a clear and present threat.

So perhaps the bigger problem here is not the hack of the thermostat – it’s that the network credentials are accessible from the device.  As Seth Rosenblatt points out at CNET, Black Hat has pivoted this year to a true discussion of security, leaving the topic of privacy for another time.  Jin clearly uncovered a distinct security issue, and I’m excited to see how the industry responds.  In the meantime, we’ll see what ITexpo brings to town.

In the immortal words of Hunter S. Thompson, “Buy the ticket, take the ride.”  IoT is here, and we are all along for the ride.  Let’s make the most of it.  Drop me a note if you’re here in Las Vegas for the conferences, I’d love to hear your opinions.


18 Jun 2014

Tizen, Connected Cars and Buggy Whips

Two weeks ago, I had the privilege of giving a presentation at the 2014 Tizen Developer Conference.

The first thing that you should know is that this was a fantastic event.  Most of us will hear “user group” or “developer conference” and reminisce about our own early experiences, the coffee-and-donuts geek meetups, complete with a folding chair for each wannabe Wozniak.  This was much more.  With a variety of speakers tackling an equally diverse set of topics over a three day stretch, and a significant investment of time, money and energy from Intel and Samsung, I highly recommend attending in 2015 if possible.  It was a very smooth and well-coordinated conference, for speakers, attendees and exhibitors alike.

The second thing that you should know is that my session rocked.  ‘Security-Centric Development for IoT and Wearables’ was one of the few talks that had a specific focus on data protection.  My hope is that I was able to influence attendees to consider security as a non-negotiable aspect of their development efforts, and maybe next year we will see more like-minded sessions on the agenda.  At the very least, I had fun launching SafeLogic footballs into the audience and nobody got a concussion.

To be honest, I was blown away by the ideas bouncing among the audience.  There were developers from seemingly every corner of technology, all with a vision of success based on the same operating system.  It was inspiring to see how many different folks saw potential in the same place.  Since the conference, it has felt like everywhere I look, there is another potential application for Tizen, another opportunity to join the Internet of Things and another chance to connect.  The scary part is that it all has to be secured.  Remember, IoT is only as strong as the weakest link.

One session at the Tizen Developer Conference included a discussion of the connected car collaboration efforts of the Linux Foundation, IBM, Intel and Local Motors.  It made me think of the article I had just read on CNN, aptly titled ‘Your car is a giant computer – and it can be hacked’.  Scary stuff, and spot on.

The Toyota Prius has solidified its place in the garage of everyday Americans based upon efficiency, not horsepower, and has been immortalized as the test mule for Google’s self-driving car project.  Tesla’s fully electric Model S was the top selling full-sized luxury sedan in 2013… not bad for a vehicle designed by tech geeks.  Google has pushed the envelope even further now, internally developing prototypes for an all-new self-driving vehicle that incorporates features of both.  The landscape is clearly changing – and quickly.

Steering wheels are the next buggy whip, and data security will be more important to safe transportation than seatbelts.  Driver error will be replaced by the threat of compromised communications.  Could you imagine arriving at your destination, only to find yourself at a location chosen by a malicious hacker?  Or having your vehicle overridden and driven into a wall, off a cliff, or into a lake?  There is serious potential in self-driven cars, but even more serious potential for disaster.

The Tizen platform is not uniquely vulnerable to these threats.  All of IoT inherently is.  A smart toaster in your kitchen has to be as secure as your car, even though it isn’t 3000 pounds of metal going 70 miles per hour.  Until developers begin treating all devices with the same level of respect, I encourage all of us to tread carefully.  Hackers relish the challenge of creating mischief as much as they value the results, so assume that you may be a target.  We all are.

If you are a developer in IoT, please check out CryptoCompact.  We have begun our pilot program, so consider it an open invitation to integrate military-grade encryption within your project.  We’re all in this together, so let’s stay safe.


10 Mar 2014

What a Week: Part Two

Last week, I had the honor of talking security at the first ever Wearables DevCon. After my successful presentation on security in constrained devices at the RSA Conference with Whit Diffie, I was excited to focus specifically on wearables.  It was an excellent show, and I want to summarize a few key points.


This conference was very well attended. I’m not always the best judge of numbers, but there had to be a couple hundred people there easily. It’s very cool to see that kind of energy and traction, especially for a first-time conference.

Consumer vs. Enterprise. That seemed to dominate a lot of hallway discussions. Certain sessions focused on developing wearable apps that consumers would embrace, while others talked about solving challenges in the enterprise. As the race for finding and building the “killer app” for Glass heats up, it’ll be interesting to see in which area it falls. One thing that was accepted across the board:  the wearable and IoT market will be HUGE; it’s just a bit nascent at this point.

There was only one session focused on security. I have to admit, I’m happy that we had a chance to speak at this event. Not just for press or publicity, but because I want to get the community thinking about security from the beginning. It’s not as glamorous as UI design, API leverage, etc., but it needs to be a core component, especially concerning the enterprise and other data-sensitive verticals.

I really enjoyed my talk, mainly because of the excellent engagement from the audience. It was a very interactive session, and I loved the energy in the room! We talked about compliance, risks, CryptoCompact, the need for security in different verticals, why the wearable market will face challenges when it comes to security, and what we can do about it. We talked about lessons learned from the mobility side and how we can apply them in wearables and IoT early on… before we potentially see a BYOW movement take root.  (Yes, that’s ‘Bring Your Own Wearable’.) We covered a lot of ground in an hour!

Thank you to the conference organizers for putting on a great show and giving us the opportunity to speak. And thanks again to everyone in our session! I’m looking forward to continuing the discussion.


3 Mar 2014

What a Week!

On Friday, I headed home.  The lobby at the St. Regis was eerily quiet and the hotel staff looked rather relieved to see all the conventioneers gone.

I learned a few key things at the RSA Conference this year.


1)   Even when Mobile World Congress and HIMSS are scheduled at the same time, we can still get a ridiculous number of security-conscious folks to assemble in San Francisco.

2)   Corporate acquisitions inspire equal parts excited speculation and cynical skepticism.

3)   People are tired of hearing the same spiel from familiar faces, but the new exhibitors got a ton of exposure.

4)   The NSA booth was an extremely popular photo location… and the various “Booth Babes” really weren’t. People seemed to care more about content than flash.

5)   Between the Snowden controversy, RSA-NSA cooperation, and now the Apple TLS/SSL snafu, people just don’t know where to turn.


The latter is an issue that will require more attention next week and will be addressed in this space.  Right now, it’s time to decompress and process everything.  The names, the faces, the suggestions and requests for our product roadmap, the potential partnerships – I can’t articulate how excited we are for the coming weeks.  The feedback at the conference was spectacular.

Thanks to all of you who shared your time with us, whether talking on the expo floor, having a drink with us at the SafeLogic hospitality suite at the St. Regis, or even just chatting in the elevator.  We know how valuable every minute is while on site, so thank you.  Your insight and perspective is a huge part of how we continue to refine our roadmap and goals.

If you missed my presentation with Whit Diffie on ‘Crypto for Constrained Devices’, stay tuned for the video on demand.  Or if you are local to the Bay Area, come see my related talk ‘Security Challenges in Wearables’ this Thursday at Wearables DevCon.