Showing posts with label enterprise. Show all posts

Monday, March 20, 2017

Lunch Talk: Jay Kaplan: Crowdsourcing Cybersecurity (at Stanford)

Entrepreneur Jay Kaplan, co-founder and CEO of Synack, describes how the idea of creating a cybersecurity service for enterprise businesses by crowdsourcing hackers went from sounding like a long shot to launching as a venture capital-backed startup. Kaplan, previously a senior analyst at the National Security Administration, talks about the virtues of government work and the nuances of “white hat” hacking.

Direct link to YouTube.


tags: network, security, enterprise, control

Thursday, January 30, 2014

Smartphone apps: mobile and insecure.

MIT Technology Review writes:

A 2012 study of 13,500 Android apps by researchers in Germany found that only 0.8 percent used encrypted connections exclusively, and that 43 percent use no encryption at all. Last week mobile app security company MetaIntell reported that 92 percent of the 500 most popular Android applications communicated some data insecurely.

To move into the enterprise at scale, mobile devices and apps have to become secure. The same goes for mobile payments and NFC-based apps. Enhanced security requirements will demand more computing power, which many companies would not be able to afford. As a result, secure cloud-based services will have an opportunity for long-term growth. Before that, though, NSA surveillance issues have to be resolved, so that customers feel comfortable with having their vital data hosted externally.

tags: mobile, security, packaged, payload, control, business, enterprise

Wednesday, January 22, 2014

Facebook patents secure upgrade of a wireless mobile device.

Facebook got a nice patent (US 8,631,239) that covers a secure software upgrade of a wireless mobile device. According to the specification, the system uses a public key to authenticate the software delivered over the air (OTA).


Wireless connections are notoriously unsafe and prone to hacker interception. The Facebook solution enables a service provider to perform a reliable upgrade over an unreliable channel. It's highly likely that in the future most software upgrades, especially in the enterprise environment, will be done using this approach - simple and powerful!

Unfortunately, the patent itself has an important flaw: it does not define the term "endpoint", which figures prominently in claim 1. Moreover, in Fig 1B it uses a different term "System Front End (120)."


As I noted several times before, the company's quality control over their patenting process seems to be spotty, at best. A simple document search would allow them to spot and fix the definition problem.

1. A method comprising, by one or more computing systems: executing software from a first partition of system memory; requesting an over-the-air (OTA) software update from an endpoint; receiving a manifest for the OTA update; downloading a payload pursuant to the manifest; installing the payload into a second partition of system memory; and rebooting, pursuant to the manifest, to the second partition of system memory, wherein rebooting to the second partition of system memory comprises authenticating a bootloader signature with a bootloader public key.

Brief system analysis: the manifest represents the "Aboutness"; encrypted software update - Packaged Payload; device - Tool; a process that runs on the device to verify authenticity - Control; endpoint - Source; over-the-air channel - Distribution. Overall, it's a textbook example of system composition (Scalable Innovation, Chapter 2). To solve the problem, the inventors use Separation in Space - one of the key TRIZ principles.

Model-wise, it is quite similar to my patent US 7,529,806. They have a different payload, but the aboutness is managed and created for the same purpose. I should use the Facebook patent as a system analysis homework assignment in BUS 74 this summer.

In view of the Nortel patent and invention principles listed above, the Facebook patent can be attacked as "obvious."
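
The flow in claim 1, simulated as an added example (not code from the patent, Facebook, or this blog): the payload is checked against the manifest, installed into the inactive partition, and booted only if its signature verifies under the bootloader public key. The manifest fields, the `Device` class, the choice of RSA PKCS#1 v1.5 with SHA-256 over the whole image, and the demo key are assumptions; the claim text does not specify them.

```python
import hashlib

# Constructed demo RSA key built from two known Mersenne primes so the example is
# reproducible. It is trivially factorable and stands in for a real bootloader key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
K = (N.bit_length() + 7) // 8          # modulus length in bytes
SHA256_DI = bytes.fromhex("3031300d060960864801650304020105000420")

def encode(msg: bytes) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg), as an integer."""
    t = SHA256_DI + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t, "big")

def sign(msg: bytes) -> int:           # vendor side, holds the private exponent
    return pow(encode(msg), pow(E, -1, (P - 1) * (Q - 1)), N)

def verify(msg: bytes, sig: int) -> bool:
    # Rebuild the expected encoding and compare it whole instead of parsing padding.
    return 0 < sig < N and pow(sig, E, N) == encode(msg)

def make_manifest(payload: bytes) -> dict:   # vendor side (hypothetical field names)
    return {"size": len(payload), "sha256": hashlib.sha256(payload).hexdigest(),
            "bootloader_sig": sign(payload)}

class Device:
    def __init__(self, image: bytes, sig: int):
        self.slots = {"A": (image, sig), "B": None}
        self.active = "A"              # the "first partition" the device runs from

    def ota_update(self, manifest: dict, payload: bytes) -> str:
        """Install into the inactive slot; switch to it only if every check passes."""
        target = "B" if self.active == "A" else "A"
        # 1. The downloaded payload must match what the manifest announced.
        if len(payload) != manifest["size"] or \
           hashlib.sha256(payload).hexdigest() != manifest["sha256"]:
            return "rejected: payload does not match manifest"
        # 2. Install into the second partition; the running slot is never modified.
        self.slots[target] = (payload, manifest["bootloader_sig"])
        # 3. Reboot step: authenticate the new slot with the bootloader public key.
        image, sig = self.slots[target]
        if not verify(image, sig):
            self.slots[target] = None
            return "rejected: bad bootloader signature, staying on " + self.active
        self.active = target
        return "booted " + target
```

The manifest digest only catches corruption or a mismatched download; an attacker who rewrites both manifest and payload is stopped at step 3, because producing a valid signature requires the private key.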

tags: patent, invention, innovation, security, mobile, enterprise, system, model, aboutness