Enterprise WebApps: Security, digital signatures and workflow online<br />
Team Yozons<br />
<br />
Google's SSL certificate stance<br />
2019-03-11<br />
<br />
This is just a quick post to point out some inconsistent logic from Google as it becomes ever more powerful over the lives of people and businesses across the world. And yes, we understand the irony as we post this using Google's blogging site.<br />
<br />
Google is keen on ensuring all web sites use SSL/TLS (sites starting with the "https://" prefix) encryption, even when the content of a web site is not sensitive. Google's search product gives "rank" preference to web sites using HTTPS, even though HTTPS has nothing to say about the trustworthiness of those site owners or their content. While HTTPS does increase network security a tiny bit, Google also operates its own Public Key Infrastructure (PKI) Certificate Authority (CA) which it uses to sign all of its SSL certificates.<br />
<br />Why is that a problem? It's not.<br />
<br />
But it is inconsistent and hypocritical in Google's imposition of ever more control over all web sites and ever more tracking of the actions of billions of people. Of course, Google's tracking software works just fine over HTTPS, ensuring no network monitoring can access or alter any of Google's omnipresent tracking communications.<br />
<br />
The problem is its Chrome browser disparages web sites using self-signed certificates. Yet the reality is that all Google properties (google.com, blogger.com, youtube.com...) are effectively using self-signed certificates.<br />
<br />
For many entities, of course, SSL certificates are expensive, need constant renewals, and are "approved" by self-proclaimed "Certificate Authorities" that really know nothing about you or the web sites to suggest any actual trust is involved. CAs don't offer any assurances about any of the web sites they approve, after being paid their fee of course. This is the reason why PKI in general has failed to be adopted much outside of its use for HTTPS-enabled web sites.<br />
<br />
Secure communications is great and necessary, but there's no actual trust granted to a web site by purchasing a CA-approved certificate. There is really little evidence these CAs provide useful services, or that any people actually have any trust whatsoever in those CAs pre-approved in web browsers. That pre-approved "trust" is actually just between the browser vendor and those CAs who have paid the browser vendors to be so pre-approved, not between any of the actual human beings who use the browser and any of those so-called CAs or the web sites they subsequently say you can trust. Yet Google still maintains that self-signed certificates are untrustworthy and will instill fear in users that the security is no good.<br />
<br />
Of course, the security of the SSL connection (actually, more likely TLS 1.2 or better if you want reasonably good security) is identically strong regardless of how much money is given to CAs.<br />
<br />
This is the sort of anti-trust activity of overly powerful and expansive corporations that needs to be tamed. <br />
<br />
Google started off with search and "Don't be evil," then over the years it created its own browser and its own mobile platform, then created its own SSL CA where it pre-trusts itself for you, then modified its search results to give preference to CA-approved web sites without regard to the actual trust of those web sites or CAs, all while suggesting a self-signed certificate is not secure and you should be alarmed at finding one. <br />
<br />
All except for Google signing its own web site certificates.<br />
<br />
HR Onboarding Solutions wins business plan competition<br />
2017-04-27<br />
<br />
Yozons is proud that one of its resellers, HR Onboarding Solutions, LLC, has won a business plan competition in San Angelo, Texas.<br />
<br />
<a href="http://www.gosanangelo.com/story/news/local/2017/04/26/local-entrepreneurs-win-big-business-competition/100925592/" target="_blank">Read more in their local newspaper.</a><br />
<br />
Brent Jameson, founder of <a href="https://www.hronboardingsolutions.com/" target="_blank">HR Onboarding Solutions</a>, started reselling <a href="http://www.yozons.com/" target="_blank">Yozons Open eSignForms</a> in 2014 after being a long-time customer of Yozons HR systems multiple times at various companies in Texas, including a bank and a large chemical company.<br />
<br />
Brent started out reselling our HR applicant tracking and onboarding product (previously called My HR eSignForms Suite) that he calls HROS, and quickly partnered to co-develop a DOT onboarding package of documents to track DOT drivers that can be deployed standalone or integrated into HROS.<br />
<br />
With his ever growing list of clients, he now not only offers his customers solutions built on our <a href="https://esign-hr.com/" target="_blank">https://esign-hr.com servers</a>, but he also operates two independent private web servers for his larger "multi-client systems" where large numbers of his smaller clients share a single, yet customizable and brandable, service with a shared, outsourced HR management team.<br />
<br />
Brent didn't stop with HROS and DOT. He now has two additional products he developed entirely on his own. <br />
<br />
The first is his Student Onboarding Service (SOS) for accepting applications for families with 1-7 children and then providing student registration for those accepted applications. Often, applications must first go through a lottery to determine who is offered the opportunity to attend a given Texas charter school. SOS is primarily offered now as a multi-client service in partnership with the largest charter school organizations in Texas.<br />
<br />
The second and most recent product offering is his Leave of Absence (LOA) system used by companies and financial/insurance providers related to employees who need to take leave based on the <a href="https://en.wikipedia.org/wiki/Family_and_Medical_Leave_Act_of_1993" target="_blank">Family and Medical Leave Act of 1993 (FMLA)</a> or <a href="https://en.wikipedia.org/wiki/Disability_insurance" target="_blank">Short-Term Disability (STD)</a>.<br />
<br />
All of his products and services run on Yozons Open eSignForms. Please contact <a href="mailto:sales@hronboardingsolutions.com">Brent by email</a> for a demo of his rapidly expanding services.<br />
<br />
<br />
Why Yozons left social media -- Taking control of your life by not giving it away to enrich others at your friends' expense<br />
2017-01-09 (updated 2018-04-12)<br />
<br />
Yozons has always been an independent company, one that leads in innovation, prides itself on customer privacy, and openly shares the wealth of its technologies and services with the world. The advent of social media -- which we distinguish as corporate-provided tools for continuously communicating with your social or business circles such as Twitter, Facebook, Snapchat and Instagram -- seems a great idea that revolutionizes business and personal interactions. But our gut suggested this just was not the case. Our brains finally told us it's time to quit this nasty habit and the purveyors of fake news that latch on to our trusted social connections.<br />
<br />
There is irony in the millennials and Occupy Wall Street protesters using Twitter and Facebook to spread their economic message while massively <a href="http://www.usatoday.com/story/news/world/2017/01/15/global-inequality-oxfam-report/96545438/" rel="nofollow" target="_blank">enriching the one percent</a> via the over-sharing by the 99 percent. The same for the Arab Spring and the spring of Daesh (ISIL) using "free media" to spread hatred, violence and denounce actual freedom and replace reason with nonsense.<br />
<br />
The final nudge for Yozons came after watching the <a href="https://www.youtube.com/watch?v=3E7hkPZ-HTk" rel="nofollow" target="_blank">TEDx presentation </a><a href="https://www.youtube.com/watch?v=3E7hkPZ-HTk" rel="nofollow" style="font-style: italic;" target="_blank">Quit social media with Dr. Cal Newport</a>; this final straw encouraged us to leave social media behind forever. We encourage you to consider doing so as well. Many of the reasons cited in the TEDx presentation are far more troublesome for those who become addicted to social media, something we hadn't even considered ourselves.<br />
<br />
While we never used Snapchat or Instagram, we closed our Facebook account a few years ago after using its system for our own advertising. The level of targeting was tremendous, though quite frankly not well suited to our needs for finding companies that are looking to contract online and go paperless. It was clear that such refined targeting will lead to the decline of actual social bonds, the antithesis of the World Wide Web's open information model. <br />
<br />
What was clear to us then is that Facebook had convinced billions of people to provide their personal information, often intimate details about family, friends, marriages, divorces, dates, vacations, schools, parties, etc., and to share it widely. Those who didn't manage their ever-changing privacy settings often shared to an unknown "public" that couldn't easily be retracted. This information was even abused by some employers and universities who thought it okay to demand access to social media accounts as a way to judge a prospect, the very definition of thought crimes and totalitarianism, a mingling of free expression with a demand to break the social contract regarding Liberty and Privacy and Human Decency. <br />
<br />
But mostly it was abused by Facebook itself. Facebook, the company, effectively displays content you create and freely, if not thoughtfully, give to them so it can offer it as entertainment to others. It combines actual postings from "friends" with other targeted postings (aka "fake news" and "paid advertising posing as news") that often carry your friends' names even if they never intended to have their trusted names abused in this way. This is the subversive power of the 'like' button. If you like McDonalds or <i>The New Yorker,</i> then postings by those companies often appear in the "news feed" of your friends with a comment suggesting you like the posting itself, regardless of the content.<br />
<br />
It may not feel that way to you, that you are just sharing photos of a recent marriage or birth with family and friends. But Facebook is monetizing your content. It is monetizing your family and friends using you as bait. And, of course, we all can see well that our Facebook "friends" have become a hodgepodge of actual family and actual friends, but also neighbors, acquaintances, classmates, business associates, and a slew of others who asked to become an online friend, making you appear to be mean to deny such a nice sounding request.<br />
<br />
Well, Facebook the company isn't making money on your content itself so much as it causes more people to stay on Facebook the web site longer and across more devices in order to sell advertising to other corporations that attempt to sell their products and services to your so-called family and friends. All of their wealth is created based on your "sharing" that lures your family and friends to visit Facebook to see what you could have shared with them directly and privately and without advertising. The details you provide, and the social connections you share with a for-profit, super rich corporation, allow it to become richer still. You enrich them, but your compensation is primarily trivial entertainment that sucks a lot of your time via constant interruptions in your real life, often at the expense of being sold and marketed to on a constant basis, and worse, causing that to be foisted upon those you know.<br />
<br />
We've finally decided to close our last remaining social media account, Twitter, as the last step to free ourselves from this grip and abuse of trust. Like Facebook, our early Twitter followers were actually interested in Yozons, often business partners, prospects and customers. But over time, our followers seem more like robot accounts that are themselves just trying to sell back to us (i.e. "Bob Jones the Real Estate agent liked your tweet about rising property taxes"). We'd post some link about encryption, or privacy, or tips on using the service, or our own bragging about record revenues or the millions of transactions handled through our service in 2016, and then we'd get "liked" or "followed" by odd accounts that were unrelated to our posting. They didn't appear to like or be interested in us at all, but were designed to broadcast a "new friend/follower" message that served their interest to sell us on them.<br />
<br />
Previously, we had noted that a competitor was basically paying its customers, by providing a small discount to their service, if their customers agreed to have a tweet sent out every time they completed a contract online. It seemed bizarre to us, as none of our customers since 2000 have ever requested the ability to share details about their contracting with the world. Adding a Twitter hook is trivial, yet it is clear that this served nobody's actual interests -- well, the competitor that gave the discount no doubt hoped it could latch on to your social network to drive more sales of its service -- and is simply selling yourself cheap to benefit yet another corporation. Yozons is a corporation, and we enjoy the profits of our hard work, but we've never thought it ethical to make money indirectly by selling our customer information, who they interact with, the types of deals they do, or to show advertising to them all. We simply do not want to be a part of that, and never did and never will play in that game. <a href="http://www.yozons.com/Privacy/" target="_blank">Privacy matters to us by policy</a>. We sell our services directly to accomplish useful tasks that our customers want, and we sell nothing more or on the side. <br />
<br />
Data mining other people's data is wrong without absolutely clear consent. Too often, the consent is hidden behind unclear language. How many people understand that when they 'like' something, it's then used to sell that product to their expansive social net by saying that they like it over and over again regardless of whether they agree with any of the content? We may like <i>The New York Times</i>, but it's weird to see a posting by them such as "ISIS kills 35 in a market blast" coupled with "Yozons likes..." above it.<br />
<br />
Don't get us wrong. If you really like Twitter and Facebook, and you don't mind that they monetize your content and connections, and you don't mind the never-ending cycle of interruptions to see "what's happening," we hold no grudge. Everyone gets to make up their own minds. We just no longer wish to participate.<br />
<br />
Our experience is that most of our real interactions with actual customers and business associates are still best handled with direct communications rather than relying on third party entertainment providers who will do anything to keep you hooked and using their stuff. Email is the primary method and is a private message between directed parties. It's real communications rather than a simple bragging post thrown out there for some to see and most never to notice. It's real sharing in that we are sending you information, or a photo or link, because you are important and meaningful to us, or you are asking a question that we try to answer as honestly as possible. Conversation is much better when it's directed and bi-directional. And email -- other than perhaps those who use Gmail or similar corporate-provided free email services -- is almost never data mined or used to sell advertising to you and those you communicate with. Like a text message, it's generally private and no solicitations or personal data mining typically take place. Even with Gmail, any ads are only shown to you as a user, not to those you send emails to with the suggestion that you approve of those ads.<br />
<br />
Some old school people still prefer to talk over the phone, and yet again this is a direct, two-way conversation. It's often the best method when face-to-face is not possible. It's private and doesn't enrich the provider by selling your conversation to others or just advertising junk to those you talk to. Technologies like GoToMeeting serve an online version of this, providing a real conversation among a limited group in a way that doesn't result in your content being processed to aid advertising to those you communicate with.<br />
<br />
Of course, we still have a <a href="http://www.yozons.com/" target="_blank">web site</a> as it's a great way for us to provide information about our products and services, pricing, links to online documentation, and to remind people of how to contact us directly when that's best. We do have <a href="https://enterprise-webapps.blogspot.com/" target="_blank">this blog</a> and <a href="http://www.yozons.com/Learn/" target="_blank">helpful YouTube videos</a> and even a <a href="https://groups.google.com/forum/#!forum/openesignformsdev" target="_blank">Google Group for a public technology discussion forum</a>, and those suffer some of the issues of a Twitter or Facebook, but we find they are much less constant and don't really create a social graph that serves the interest of unknown advertisers. In fact, we don't buy any Google or other social media advertising either, a truly rare trait among vendors who care more about your dollars than your success.<br />
<br />
We trust you won't miss our Tweets and Facebook postings, and we look forward to continued direct conversations with your prospects, customers and business partners.<br />
<br />
Happy New Year and we wish you all the best for 2017. <br />
<br />
------------<br />
<br />
Updated 7/18/2017 -- FAKE NEWS: <a href="https://www.washingtonpost.com/news/the-switch/wp/2017/07/17/spreading-fake-news-becomes-standard-practice-for-governments-across-the-world/" rel="nofollow">More troubles with believing the nonsense posted in social media</a>.<br />
<br />
Updated 11/10/2017 -- MANIPULATED: <a href="http://www.washingtonpost.com/news/the-switch/wp/2017/11/09/facebooks-first-president-on-facebook-god-only-knows-what-its-doing-to-our-childrens-brains/">Facebook’s first president, on Facebook: ‘God only knows what it’s doing to our children’s brains’</a><br />
<br />
Updated 11/20/2017 -- NONSENSE ECHO CHAMBER: <a href="https://www.seattletimes.com/business/expert-on-bots-and-social-media-manipulation-hopes-people-are-finally-listening/">Expert on bots and social-media manipulation hopes people are finally listening</a><br />
<br />
Updated 4/12/2018 -- FACEBOOK PRIVACY SELLOFF: <a href="https://www.seattletimes.com/nation-world/what-you-dont-know-about-how-facebook-uses-your-data/">What you don’t know about how Facebook uses your data</a><br />
<br />
Patent licensing updates: 11 licensees and growing<br />
2016-08-03<br />
<br />
In our previous installment "<a href="https://enterprise-webapps.blogspot.com/2014/06/patents-and-small-business-inventor.html" target="_blank">Patents and the small business inventor</a>," we noted the high cost of acquiring a patent, maintaining it with the patent office, fighting off ex-parte re-examinations, and then enforcing the granted legal rights to your intellectual property (IP) against companies that are often much richer than you are as a small inventor. With the advent of the <a href="https://en.wikipedia.org/wiki/Alice_Corp._v._CLS_Bank_International" target="_blank">Alice ruling</a>, some even hope your patent will fail this legal challenge, though all such challenges to our patent have been dropped or lost.<br />
<br />
Competitors will threaten you with counter lawsuits. Competitors will threaten you with high legal fees needed to protect your IP as they play linguistic games around the meaning of "is" (no actual confusion) and "publishing house" (means nothing without context) and present straw man arguments. They will say what you invented was obvious, a conclusion they wish to reach by discounting the truly obvious fact that sufficient technology existed for decades under public key infrastructure (PKI), yet not a single vendor or academic offered the new approach before. And once you did offer the approach along with a publicly available patent disclosing it, everyone followed this "now obvious" solution.<br />
<br />
Fortunately, Yozons has been working with our law firm to iron out patent license agreements with various parties. We now have 11 companies covered by our patent license, from the largest to the smallest of competitors in the <a href="http://www.yozons.com/ElectronicSignatures/" target="_blank">e-signature</a> space, as well as PDF vendors and real estate vendors. It is a slow moving process involving lawyers, bean counters and sometimes the courts themselves.<br />
<br />
Two companies we approached had suggested they would cease operations rather than acquire the license, but in the end, both ended up purchasing the license rather than closing shop. This is good as competition is much needed, and our license fees are most reasonable. <br />
<br />
<a href="http://www.yozons.com/Patents/" target="_blank">Our '079 patent</a> works well in the United States, Canada, Australia and New Zealand. We have some success in the U.K., but as the E.U. moves itself backwards with its updated (they had a previously sound <a href="https://en.wikipedia.org/wiki/Electronic_Signatures_Directive" target="_blank">e-signature directive</a>) Advanced Electronic Signature regulation called <a href="https://en.wikipedia.org/wiki/EIDAS" target="_blank">eIDAS</a>, our invention cannot work. Our IP has no place in a PKI world, and that's a good thing.<br />
<br />
In fact, no web-based solution will work easily with eIDAS, and it's just silly to suggest that end users will be better suited to keeping <a href="http://www.yozons.com/DigitalSignatures/" target="_blank">digital signature</a> keys and documents secure on their own. Security is hard, and end users are known for skipping anything hard. Click here? Looks legit to me? Gotta see this? Pretending that infected PCs and misplaced laptops, phones and tablets are the route to "advanced" electronic signatures misunderstands that adjective, as if going back to 1990s failed PKI via committee-generated standards will ever work in practice.<br />
<br />
There is a reason why e-signatures in the U.S.A. have taken off compared to other countries and the E.U. We invented it!<br />
<br />
HTML-based documents are compact and readable, and allow for a flexible, responsive design<br />
2015-02-14<br />
<br />
Some have asked why Yozons Open eSignForms doesn't work with uploaded documents like those of most every other competing web-based contracting system. These people point out that they already have legacy systems that produce PDFs or Word documents and they'd like to drive those through a modern workflow, often mostly for electronic signatures.<br />
<br />
Of course, there is a need for such a requirement, and it's pretty common for those who work with older applications created before e-signatures grew in popularity. Previously, those PDF documents were printed for a wet signature. Yozons believes that this sort of capability is already well provided by competitors, almost all of which take the approach of accepting PDF, Word or other types of files. Yozons' original <i>Signed & Secured</i> has allowed signing of any type of file since 2001, but this approach was deprecated by Yozons in favor of HTML documents starting back in 2004, which eventually led to eSignForms in 2005, the predecessor to Open eSignForms in 2011.<br />
<br />
Open eSignForms is designed to use HTML-based documents. Sure, with Open eSignForms you can attach PDFs and other types of files with ease, and you can even export signed HTML documents in PDF format to produce legal copies (the legal original remains the digitally signed HTML version), but we don't allow them to become the primary document to be filled out and signed. There is an image overlay scheme that provides something similar for filling out an inflexible document that must maintain its exact layout, but this has all of the same limitations of using uploaded PDFs.<br />
<br />
A big benefit of HTML documents over PDFs and Word is that they are typically much smaller in size. If you do only a few contracts, size may not matter, but if you do hundreds or thousands per day, size matters, and this gets more important if you need to store those documents for many years or decades. Long term viability of a document format is important for e-signatures, and anybody who has done word processing for a long time can point out how older file formats are no longer useful because of software version changes. HTML has always been supported by many different browsers, so no one vendor controls HTML to produce vendor lock-in.<br />
<br />
PDFs do have advantages, of course, such as being able to create a document that will render and print just as it was laid out, including working with fonts that the reader may not have available. But font availability is changing with the web open font format (<a href="http://en.wikipedia.org/wiki/Web_Open_Font_Format" target="_blank">WOFF</a>) that allows fonts to be downloaded from the Internet even if the user's browser doesn't support that font directly. We won't mention the ongoing and myriad security issues related to Adobe Reader and the need to have that troublesome plugin updated regularly to avoid putting your computer at risk.<br />
<br />
PDF and Word files require special software to view them in any meaningful way. If you open either in a text editor, it's pretty hard to read the content or make any sense of it. However, with HTML, a document is still pretty readable. The contractual terms can be seen even if no web browser were available, but of course web browsers are not only available, they are appearing in more and more places.<br />
<br />
With HTML, Open eSignForms is able to do things that fixed documents in PDF or Word format simply cannot match. With HTML, whole sections of a document can be replaced at run-time based on which party is working the document, or based on data values, etc. You just can't make a PDF document hide a paragraph or swap out some language based on data in a transaction. And of course a PDF cannot natively support data entry over the web.<br />
<br />
HTML also supports form input natively, so using HTML documents to allow for data entry is built-in and understood by all Internet users.<br />
<br />
Also, as the mobile web has most recently demonstrated, the Internet will continue to change over time and gain more powers that are available via HTML. The mobile web has introduced the concept of <a href="http://en.wikipedia.org/wiki/Responsive_web_design" target="_blank">responsive design</a> so that a page renders well on a small phone screen as well as on a large monitor. HTML is suited for all of these ever-changing needs.<br />
<br />
HTML is a very good format for documents. It is standardized internationally, can be read even without special software (at least when it's HTML and not a Web 2.0 document where most of the rendering is done via JavaScript and thus is no longer readable without a browser, making such documents suffer some of the same issues that PDF and Word documents already have), is compact, and supports screens of all sizes without the need for any special plug-ins.<br />
<br />
Lastly, those with disabilities can have HTML documents read to them or shown in braille, etc. HTML is the new international, interoperable document format, whereas PDF and Word are old, proprietary formats that continue to morph as they try to remain relevant for those who are locked in and cannot yet migrate to the HTML standard.<br />
<br />
Untrustworthy electronic signatures<br />
2015-01-20<br />
<br />
Eileen Y. Chou, of the Frank Batten School of Leadership and Public Policy at the University of Virginia, <a href="http://spp.sagepub.com/content/early/2014/11/13/1948550614558841.abstract" target="_blank">published a study on how people perceive electronic signatures over traditional handwritten signatures</a>. It appears in the December 2, 2014 issue of <u>Social Psychological and Personality Science</u>.<br />
<br />
We find the study fascinating because the usage of e-signatures has exploded in the past decade, indicating growing acceptance and preference, while the study
suggests such e-signatures are viewed by some as less trustworthy. No doubt there is both a generational as well as a business-versus-consumer difference in perception. And of course the breadth of implementations of e-signatures truly does mean that some are indeed more trustworthy than others. Some suggest checkboxes are valid e-signatures, but we wouldn't bet that the courts will side with you if that's all you can present as evidence of a signed contract. We know there are even e-signature vendors that provide no credible proof, such as via digital signatures, that electronic documents or their signatures are valid.<br />
<br />
Then again, this is true for wet signatures, too. Most people just don't think about them. For example, signatures on checks and credit card receipts are effectively <i>never</i> checked for validity. The cost of comparing handwritten signatures is just too high and few can do it well. Fewer still have a sample wet signature on file to compare against, and of course handwritten signatures change over the course of time, the type of writing implement used, whether it's cold or hot or damp, etc. As a leftie, far too many of my signatures ended up smeared. <br />
<br />
Wet signatures also come with built-in delays and expenses for printing and delivery, and all returned documents have to be checked to ensure nothing has been altered since it was originally provided. Paper faxes are often impossible to read, especially when receiving a fax of your fax, and few users have a fax machine handy these days as they require both a device and a landline. In the days of cell phones and Internet browsers and email, paper is not as easily processed as it once was. <br />
<br />
The study discusses the idea of "presence," indicating that most felt a handwritten signature indicated greater presence of the signer. Of course, there is no basis for this belief, it's just something most do not take time to consider. Sure, if you get a notarized signature in which both parties present valid identification and the signing takes place in front of each other, there is substantial presence involved. Naturally, it's precisely this sort of presence -- including its hassle and expense -- that most drives the adoption of e-signatures. Every time a paper letter arrives in my mailbox for my son who is now at the university, it is clear how much trouble paper is, presence is, and of course the privacy issues it raises. Did I open the letter? Toss it? Did it arrive in my neighbor's box yet again so they had possession before me? Did they toss it or tell me "they didn't notice" it was misdelivered until after they opened it? Am I traveling? Even if I'm home, must I wait several days to receive it? Will I have to drive to the post office to return it should it require a response?<br />
<br />
If a signed paper document arrives by mail or fax, the recipient has no idea about any presence involved in the signing. In fact, we all know from daily experience that even legitimately signed documents are often actually signed by spouses and admins. Most "handwritten" signatures you see were created by a machine, such as those on business checks or mass mailings. Even the President uses a machine to sign most documents sent out.<br />
<br />
The study abstract does not discuss how the signed documents were presented to subjects for their gut reaction. Were e-signed documents presented
on paper or electronically? Were paper documents presented on paper or
electronically (most businesses end up scanning paper records for long
term storage and to provide availability anyway)? How did the perceived validity change for those with familiarity and general acceptance of technology?<br />
<br />
Presumably, there was no education provided to participants about
handwritten signatures or electronic signatures before undergoing the experiment, so we are left with gut feelings that rarely are correct. After all, validating a handwritten signature based on whether it
looks right is the very basis for most scams because looks are deceiving. All phishing attacks work because everything looks correct. Signature verification is more art than science even for those few who have a previous sample
signature on file to compare against.<br />
<br />
Do subjects know that paper
documents created with high resolution scanners and printers make the
creation of fraudulent documents easier than ever before? Does Ms. Chou know that if she writes a letter of recommendation once, the holder can change the letter or make it so she's written similar letters for anybody else using simple copy/paste operations on a computer? Or simply lift her signature image and put it on any other document? Or that a forged paper document could just be created with a forged ink signature because nobody else knows what Ms. Chou's signature looks like?<br />
<br />
Was there any
discussion about the powers of a digital signature to detect any change
to a document after it was signed? Or that e-signatures, when done correctly, come with accurate timestamps, IP address tracking, etc., and that all parties can have an immediate copy for their records? For example, with Open eSignForms, we digitally sign the document and embedded data at each step of the process, so we can show you how it looked as it was originally sent out, and how it looked as each signature was applied. And of course many documents with signatures have more data to be provided (good old forms!), and trying to read handwritten data is often tricky and generally requires re-keying to get that data into business applications. Try adding data validation to a paper form!<br />
<br />
Are the results of this study any different than those about paper correspondence being more meaningful to some than email? Some prefer paper books to ebooks too, and some prefer dirty newsprint to online reading. How about ATMs versus cashing checks? How about cash over cards and smart phones? Every new
innovation goes through a transition period as people adjust.
E-signatures are very new to most people, so the fact that some hold to
the idea that the old ways are better is fully expected.<br />
<br />
Heck, even autographs are giving way to selfies with the celebrity.<br />
Posted by Team Yozons<br />
<br />
<br />
SHA-1 is considered insecure while the EU pretends to legislate "advanced" e-signatures<br />
Published 2014-10-15<br />
<br />
Google announced that it is updating its Chrome browser to display warnings on web sites that use HTTPS (SSL/TLS) backed by a digital certificate signed with SHA-1. In <a href="https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1" target="_blank">Why Google is Hurrying the Web to Kill SHA-1</a>, Eric Mill gives many reasons why Google is pushing ahead of schedule to rid the web of SSL certs that are considered less secure because they are signed by a Certificate Authority (CA) using SHA-1.<br />
<br />
While it's true that SHA-1 is approaching the end of its useful life, it's stubbornly present in many systems and applications. Getting rid of it isn't easy. But we have to start sometime!<br />
<br />
Of course, creating useful collisions in SHA-1 is still mostly an uncertain game. We have not heard of any actual SHA-1 collisions that are useful. "Useful" is a key consideration in that creating a second set of data that hashes to the same SHA-1 hash as some "real" document is hard enough, but doing so in a way that makes the second data a meaningful replacement for the first is even harder. If a collision could change "$100" to "$200," you'd have a real problem (of course this is just a short text example to illustrate the point, not a real scenario). But if "x4z]" ended up hashing to the same as "$100", it would be less interesting because the replacement is not meaningful and thus would not be a realistic spoof.<br />
<br />
While the Google announcement surrounds SSL certificates, digital signatures for e-signatures are likely a bigger problem. SSL certificates tend to be renewed every 1 to 3 years, so they do not last very long, and most new certificates issued will use SHA-2 instead of SHA-1.<br />
<br />
Digital signatures on documents tend to be "forever." They do not expire. While the user's signing keys may change from time to time, once a digital signature is applied to a document, it remains that way going forward. Since most e-sign vendors use SHA-1 in their digital signatures (aside from the few odd players that don't appear to use any digital signatures at all like Sertifi and AssureSign), all documents being signed may be forged in the future. Fortunately, most documents become somewhat obsolete after years go by (that is, few want to forge a 5-year sales agreement for example).<br />
<br />
In the EU, they promote word play like "advanced" and "qualified" for electronic signatures based on digital signatures created using a typical PKI in which the signer has been issued a digital certificate (no doubt signed with SHA-1!) for a private key the user keeps secure. This sounds good, but of course has serious flaws:<br />
<ol>
<li>Users cannot deny an electronic signature created using their "advanced/qualified" signature. The EU law says these are guaranteed to be valid. No wet signature ever had such an absurd notion attached to it; that's why we have courts to decide based on evidence.</li>
<li>Users may in fact not keep their private keys secure. Users are famous for being unable to keep such stuff secure because they really have no idea what their encryption keys are or how exploits can take place. Every virus and hack attack is a potential theft of a user's encryption keys.</li>
<li>All encryption requires software and hardware, and all software and hardware is vulnerable to attack. Thus, your keystore can be hacked. The device the key is stored on can be hacked. The device (like a PC, phone or tablet) the key is used on can be hacked. Any network connections involved can be hacked. As the various credit card hacks have shown, devices can be hacked, replaced or have another device put in the middle of the communications cable (or wireless).</li>
<li>The user may forget the password related to securing their private key. While this would prevent future signing, it could also mean that all data encrypted for storage would no longer be accessible. There will be millions of users who will lose a lot of their data because it's encrypted using a key they no longer have access to.</li>
<li>Users can be tricked into using their keys insecurely, including phishing attacks and social engineering attacks.</li>
<li>What happens to all digitally signed documents done between the loss of control of a user's keys and detection that the keys were lost? A user can revoke his keys, but only once he knows something has gone wrong. But that user will not know what, if anything, was ever forged.</li>
<li>How can a user know where his forged credentials are being used? Cannot!</li>
<li>Once a digital signature is applied by a user, that document will remain secure only for as long as the digital signature is valid. If the digital signature uses SHA-1, that may only be a few years away.</li>
</ol>
With services like Yozons Open eSignForms, many of these issues do not exist. When a credit card number and information is stolen, a user eventually finds out because invalid charges appear on his or her statement. The credit card company can go back and find all fraudulent charges and reverse them. Something similar happens when using an e-signature service -- the only signed documents you have can be found in the service. Any fraudulently signed documents can be discovered and invalidated. There is recourse to such a loss that is guaranteed to happen frequently across a large pool of users.<br />
<br />
Documents digitally signed using Yozons Open eSignForms employ a 4096-bit RSA keypair with SHA-512. This is <i>not </i>the norm among esign vendors who generally use much less secure technologies (including those absolutely worthless vendors/products that don't digitally sign at all). While the greater security provided by Yozons is powerful today, eventually it will no longer be considered secure just like SHA-1's fate today and MD5 before.<br />
<br />
Unlike "advanced" e-signatures created by users for themselves, a service can ensure documents are secure going into the distant future. For example, if a digitally signed document in Yozons previously used 1024-bit RSA with SHA-1 (a very typical scenario still in practice today), our technology could easily retrieve that document, ensure the older digital signature is still valid, and if so, then re-digitally sign the document using 4096-bit RSA with SHA-512. Such a document can remain secure for as long as necessary.<br />
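The re-signing step described above, as an added Node.js example (not Yozons code): it checks a 1024-bit RSA / SHA-1 signature and, only if it still verifies, signs the document together with the old signature using 4096-bit RSA / SHA-512. The record layout, function names and sample keys are assumptions made for this illustration.

```javascript
'use strict';
const crypto = require('node:crypto');

// Constructed sample keys (not real service keys): the legacy key the document
// was first signed with, and the stronger key used when re-signing.
const LEGACY_KEYS = crypto.generateKeyPairSync('rsa', { modulusLength: 1024 });
const CURRENT_KEYS = crypto.generateKeyPairSync('rsa', { modulusLength: 4096 });

// Sign a document. The record keeps the digest name so that a later verifier
// knows which algorithm the stored signature was made with.
function signRecord(document, digest, privateKey) {
  const signature = crypto.sign(digest, Buffer.from(document, 'utf8'), privateKey);
  return { document, digest, signature: signature.toString('base64') };
}

// True only if the stored signature matches the stored document exactly.
function verifyRecord(record, publicKey) {
  return crypto.verify(
    record.digest,
    Buffer.from(record.document, 'utf8'),
    publicKey,
    Buffer.from(record.signature, 'base64')
  );
}

// Re-sign a legacy record. The new signature covers the document AND the old
// signature, so it also attests that the weaker signature still verified at
// the time of the upgrade. This has to happen while the old algorithm is
// still trustworthy; afterwards an old signature proves nothing.
function resign(record, legacyPublicKey, currentPrivateKey, resignedAt) {
  if (!verifyRecord(record, legacyPublicKey)) {
    return { ok: false, reason: 'legacy signature does not verify; not re-signed' };
  }
  const envelope = JSON.stringify({
    document: record.document,
    legacyDigest: record.digest,
    legacySignature: record.signature,
    resignedAt,
  });
  const signature = crypto.sign('sha512', Buffer.from(envelope, 'utf8'), currentPrivateKey);
  return {
    ok: true,
    upgraded: { envelope, digest: 'sha512', signature: signature.toString('base64') },
  };
}

// Check the upgraded record against the current public key.
function verifyUpgraded(upgraded, currentPublicKey) {
  return crypto.verify(
    upgraded.digest,
    Buffer.from(upgraded.envelope, 'utf8'),
    currentPublicKey,
    Buffer.from(upgraded.signature, 'base64')
  );
}

// Constructed sample: one intact record and one altered after signing.
function demo() {
  const original = signRecord('Sales agreement: total $100', 'sha1', LEGACY_KEYS.privateKey);
  const altered = { ...original, document: 'Sales agreement: total $200' };
  const when = '2014-10-15T00:00:00Z';
  return {
    intact: resign(original, LEGACY_KEYS.publicKey, CURRENT_KEYS.privateKey, when),
    tampered: resign(altered, LEGACY_KEYS.publicKey, CURRENT_KEYS.privateKey, when),
  };
}

const demoResult = demo();
console.log('intact document re-signed: ', demoResult.intact.ok);
console.log('altered document re-signed:', demoResult.tampered.ok);
```

The altered record is refused because its SHA-1 signature no longer matches, which is the same change-detection property the re-signed record keeps under SHA-512.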
<br />
It is time for SHA-1 to be retired. Yozons has updated all of its server SSL certificates to ensure they are protected with SHA-2. But what about all those web sites and users who do this for themselves? They most likely will not be on top of security issues like this, and that's the very problem we solve for our customers and their users.<br />
Posted by Team Yozons<br />
<br />
<br />
Shared web services can cost your business<br />
Published 2014-10-08<br />
<br />
One of the great things about the Internet and the advent of web services (shared software as a service or SaaS) is the ability for businesses to jump into new technologies with relatively low barriers to entry.<br />
<br />
For many large enterprises, deploying and managing hardware servers inside a data center for new services desired by a particular department is a death sentence for the project. The teams are understaffed and overwhelmed supporting the myriad systems already deployed. There is no operational expertise in-house for the new services. For small companies, such deployments are often cost prohibitive because they lack the technical skills and resources to make it a success.<br />
<br />
Purchasing web services has solved these problems very well. Departments in enterprises and small businesses can essentially rent time on a large shared service, often paying for resources consumed (transactional) or users per month (subscription). The cost of entry is low, and deployment tends to be quick. It's a real benefit.<br />
<br />
However, when the service offered is a core competency, using third party services is often undesirable and more costly than the price tag may suggest. Web contracting and electronic signature services fit this bill for many companies. Most companies realize that it is a trap to store key documents and contracts and allow customer interactions to be performed by a third-party vendor. Of course, those service providers that offer "free tiers" tend to be the worst. Instead of monetizing their purported service, you, their customer, are the actual product and they monetize you and your interactions with your customers instead.<br />
<br />
With Yozons Open eSignForms, you have ultimate flexibility and complete brand control. Each customer deployment is always an independent system: independent database and independent web application. Even our lowest cost "shared hosting" only shares the physical server, but each customer running on that hardware has its own independent web application and database, keeping its users away from those of all other customers we service. <br />
<br />
Most SaaS vendors put millions of unrelated customers into a single huge system. This makes migration away much harder, and of course creates a huge target for hackers who boast about big exploits and cause millions of user records to be stolen and sold on the black market.<br />
<br />
Over time, the cost of paying a vendor to handle your contracting, your documents and the interactions with your customers, employees and business partners grows substantially. Losing touch with your customers by using a third-party service is a cost few estimate correctly. <br />
<br />
Many companies initially jump on the SaaS bandwagon, giving them a leg up on the competition and providing services quickly at a low cost of entry. But these companies ultimately ditch those early efforts and deploy their own services, which turns out to be more profitable for them and allows them to control their customer relationships and control their important business documents.<br />
<br />
With Yozons Open eSignForms, you can easily migrate from shared hosting, but with fully independent customer systems, to private hosting, to bringing it all in-house. You maintain full control over your independent system no matter how it's deployed, and that flexibility is what motivates companies to eventually abandon their forays into shared SaaS and instead take care of their own business themselves.<br />
Posted by Team Yozons<br />
<br />
<br />
Have Internet, will travel<br />
Published 2014-08-26<br />
<br />
As I write this blog, sipping a cool rosé wine just outside of Walla Walla on an impressive compound once owned by a cell phone magnate, I cannot help but think how wonderful it is to have a job that allows me to work anywhere in the world almost as easily as when I'm home.<br />
<br />
With a laptop, my new Asus second full HD monitor that is not any thicker than an iPad, and seemingly ubiquitous fast Internet/WiFi, working on the road is comfortable, productive and liberating.<br />
<br />
Summertime in Walla Walla is hot, in the 90s today, but all of the wineries and tasting rooms make you forget about the ever present sun beating down on your head. This is a special place, so close to the Oregon border, but with rivers and mountains (mostly high hills for those who live near the Cascades and Olympics around Seattle), you almost forget that most of the land is flat and dry. Walla Walla is home to their namesake sweet onion, but wineries have taken over. You can't take a step without coming across another winery's tasting room.<br />
<br />
I drove south today to see where the grapes are grown, and the vineyards are impressive. It seems this has been a good summer and will yield a bumper crop. The grapes are smaller compared to those we snack on, but they pack a powerful punch in the hands of talented vintners. Amazingly, I've not tasted a "bad" wine, with whites, rosés and reds all in great form. <br />
<br />
It's a real shame that this part of my trip was marred by the tragic news of the earthquake in Napa that did considerable damage, including the oddity of seeing red wine flowing freely -- sadly down the gutters -- the result of broken barrels that tumbled. The losses to Napa businesses and families are felt here in Walla Walla, showing that competition doesn't have to trump compassion.<br />
<br />
Posted by Team Yozons<br />
<br />
<br />
Physical therapy is hard work made easier with secure online records<br />
Published 2014-07-17<br />
<br />
One of our earliest customers on Open eSignForms is a physical therapy office run by a woman and her small team of PTs. She has studied myriad forms of physical therapy and massage, including quite a bit of advanced training in Kauai. Nothing like a business need to study for three weeks on the garden isle!<br />
<br />
One of the biggest pains for PTs is the need for accurate record keeping, especially when needed for audits by insurance companies and other legal proceedings as some of her customers were hurt in accidents that resulted in seeking her care. <br />
<br />
With Open eSignForms, she and her staff are able to record their findings on their Physical Therapy Initial Evaluation form, recording the patient's information, type of injury, current health condition, symptoms and medications, and noting how well the patient is able to perform various activities. They can also create PT Treatment Notes that correspond with insurance billing codes, as well as Progress Notes to record changes in a patient's health and functional activities as well as to record impressions and treatment plans. Lastly, they can enter their Discharge Summary Note to track the various activities their patients were seeking treatment for, recording their goal at initial evaluation, and then recording their status at the time of discharge.<br />
<br />
With these secure patient records maintained in her own independent system, there is no lost paperwork, access is restricted to authorized personnel, and all records can be reviewed even while traveling on business, or when in Kauai for more training!<br />
Posted by Team Yozons<br />
<br />
<br />
Patents and the small business inventor<br />
Published 2014-06-12, updated 2014-07-17<br />
<br />
Patents are often described as a useful tool for small inventors and businesses to protect their intellectual property. While not limited to small players, this is true, but only to a point and at a price.<br />
<br />
Competitors with patents that may or may not apply to you can sue you over infringement. The cost of defending patent lawsuits is high and time consuming. In our case, before our own patent application was approved, we were sued for infringement by a competitor who came to market years after us. Even though it seemed obvious to us that the patent did not apply, the legal language of patent claims was challenging and imprecise.<br />
<br />
Patent claims are legal claims, not technical specifications, and the patent itself describes a "preferred embodiment," so many other implementations that differ from the details of the patent, but provide similar functionality, are likely covered under the legal rule called the doctrine of equivalents. The advice of a neighbor, who is an IP attorney for a large software company, was to settle. While he said it might be distasteful, defending against infringement claims can be tricky, seemingly fickle, and surely will be expensive. Winning may be a Pyrrhic victory at best, or a crippling loss at worst. The suing company tends to have more time and money than small inventors running small businesses. We've read of defenses costing $500,000 to $1 million, and it can be $100,000 just to reach a settlement. Our decision, bitter as it was, was to settle after spending what we'd consider two years of our own salary on lawyers and expert witnesses, and spending hours gathering documents and specifications and revenue numbers that had to be turned over during discovery. Had the suing company offered us the terms we eventually settled on from the start, we'd have negotiated a license long before spending any money on lawyers and going through the hassles of discovery, preparing patent claims responses, etc. But we were never afforded that courtesy, presumably because they just wanted to put us out of business with a lethal, legal blow. We survived, but with much less money and lots of wasted time and energy.<br />
<br />
The cost of acquiring your own patent can be high, and often can take a long time. The <a href="http://www.yozons.com/patents.jsp" target="_blank">Yozons '079 patent</a> took 6 years before it was awarded and issued. Legal fees tend to mount as time seems to work to the advantage of lawyers more than inventors. And you will need lawyers. Remember that you will need to devote a lot of your own time and energy to acquire your patent as your lawyers will need a lot of information from you so they can understand it in detail. Also, you'll need to be sure to keep up on the various maintenance fees the patent office requires after issuing your patent, though it's not clear how the USPTO is maintaining anything on your behalf. It seems that you, the small inventor, are maintaining the patent office instead.<br />
<br />
Even after you earn your patent, unexpected expenses and issues can crop up. In our case, an unknown law firm filed an <i>ex parte </i>reexamination request, challenging the validity of our patent, even though we hadn't ever attempted to enforce our rights on anybody. For a big corporation, this may be business as usual, but for a small business, you will find it takes a lot more time to read other patents and help your lawyers defend your invention, the one you thought you already had and earned when the USPTO granted it. Of course ever more legal fees will apply.<br />
<br />
We were fortunate that our patent is strong, and we survived with all of our legal claims intact, without any modifications. But we did spend a lot of time and money that could have been better used to run our business and pay salaries. On a happier note, that big competitor who sued us years before for patent infringement was itself a target of a similar <i>ex parte</i> reexamination from the same firm that challenged ours. In their case, it didn't turn out well as their patent was gutted, leaving only the final dependent claim that nobody likely infringed (including their own technology!).<br />
<br />
But having a patent is not the same as being protected by the patent. The USPTO won't help you defend what you might assume it asserted when it issued your patent in the first place, that your patent and legal claims are valid. That's left to you to do.<br />
<br />
You can, of course, request that competitors and others who make, use or sell your invention acquire a license to your patent, or that they should cease doing whatever it is that infringes. But that's easier asked than done. If you are a small inventor, most likely they will simply say they do not infringe. Some will not even respond at all. They probably won't give you any details on why they don't infringe, even if you provide details on why you think they do. They know that your bark is likely worse than your bite because defending your patent means more lawyers, and that means more time and money when you'd likely prefer to run your business to feed your family, pay your workers and serve your customers.<br />
<br />
If you have a good idea, getting a patent is probably a wise move. But remember that you need to expect to spend a lot of your time and your money acquiring, keeping and defending your patent.<br />
<br />
Having a patent doesn't mean a thing if you cannot defend it, and most small inventors are up against better funded corporations that will use the legal system to their advantage, to dissuade you from moving forward because you fear you cannot afford the legal costs of securing your rights. Others will use their patent portfolio against you, suggesting you may infringe any of a number of their patents even though they would never have suggested infringement if you didn't attempt to defend your own against them.<br />
<br />
The patent system is flawed and doesn't serve the small inventor as much as you might think, but it really is your best hope in defending yourself from competitors who otherwise will make use of your invention, challenging you to an expensive legal fight. When you are in a position to be up to that challenge, we wish all small inventors the best of luck. Yozons is only now in a position to begin to defend its patent with the help of a law firm that believes enough in the strength of our case to partner with us. Wish us luck!<br />
Posted by Team Yozons<br />
<br />
<br />
Going Postal Prevented: Multi-deployments for an international corporation<br />
Published 2014-06-08<br />
<br />
The term "going postal" may have bad connotations, but for our S&P 500 customer, the post office has provided a huge opportunity that has spanned many decades and has led to myriad related products, services and software solutions.<br />
<br />
Yozons has developed and deployed more than a handful of enterprise web applications for this customer, including divisions in the United States, Canada and Europe. The web deployments are distinct geographically and by type of web contracting that takes place, mirroring the specialized divisions and needs of this international company.<br />
<br />
They also have deployed our <a href="http://www.yozons.com/patents.jsp" target="_blank">patented e-signature software</a> on our managed private web server offering, complete with a warm standby operating in another state, freeing up their internal IT resources. The private web server gives them the advantage of complete branding using their domain name and SSL certificate, custom secured FTP access to their back-end systems, as well as isolation of their data from our many other customers. Furthermore, Yozons provides 24x7x365 monitoring and daily encrypted off-site storage of backups.<br />
<br />
Several of their web applications involve multiple forms in a package, with a multi-step process involving their customers who sign the agreements, as well as outside third-parties who approve and authorize their customers’ applications. Reports keep them current on the status at all times.<br />
<br />
Though Yozons generally discourages printing documents, signing and then faxing or mailing them back, a couple of deployments had this requirement as an option. Regardless, Yozons delivered on time and within budget. Yozons built into the web contracting process a fax processing step so that returned signed agreements can be uploaded, annotated and stored with the electronic version. Having this feature ensures all agreement packages signed online and on paper are kept in the single encrypted repository with powerful search capabilities to find their agreements.<br />
Posted by Team Yozons<br />
<br />
<br />
Web-based e-signature vendor acquires patent license<br />
Published 2014-06-02<br />
<br />
Yozons recently signed yet another licensee to the <a href="http://www.yozons.com/patents.jsp" target="_blank">Yozons '079 patent</a>. We expect more to come as vendors realize the reach of our patent's web-based, secure document delivery and optional electronic signature system and method, and support and acknowledge how Yozons has changed the landscape from a user-controlled PKI-based signature model to a lighter-weight server-controlled signature model.<br />
<br />
This U.S.-based competitor develops and operates various web and mobile apps, and negotiated a patent license that fits their particular needs and ensures their thousands of daily clients are protected when using their online document signature service.<br />
<br />
While the negotiations lasted over a month, we applaud the decision they reached after discussing the details with their attorney. Because they were quick to understand the depth of our patent and how it applied to their technology, we were able to negotiate favorable terms. Yozons prefers to have competitors so long as we are compensated for our invention that has created a healthy marketplace for web-based document processing services throughout the United States.<br />
<br />
Their e-signatures service is typical of competitors who make use of our patent's teachings:<br />
<ol>
<li>Documents are stored online in a centralized server.</li>
<li>Documents are transferred between parties securely, typically over HTTPS, in order to effect secure document delivery that ensures the privacy of the business communications. HTTPS makes use of a traditional PKI in which the browser uses the web server's SSL digital certificate to establish a secure link using the web server's asymmetric public key, and then generates a unique symmetric encryption key that's shared only between the user and the server for the purpose of encrypting the document and related data transferred over that link. But the key is that previously, end-users created and exchanged their own keys, as well as performed their own encryption and digital signatures.</li>
<li>The entire process makes use of a web application, giving them the ability to communicate and e-sign with a myriad of devices connected over the Internet, including PCs, smart phones and tablets.</li>
<li>The e-signing ceremony typically involves typing their name, drawing their signature or clicking in the relevant areas to indicate their agreement. </li>
<li>Typical routing of documents is handled using the e-mail address of the parties involved, generally sending a unique ID that links the user to the correct document and party in the online process. Some users, typically customers of the service, authenticate using traditional username and password, and can initiate transactions, track them, download completed agreements, etc.</li>
<li>Users can add their electronic signatures quickly and easily, without requiring special client-side software, digital certificates, and/or key management. </li>
<li>The server provides an audit trail including IP addresses and timestamps.</li>
</ol>
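Items 5 and 7 of the list above, sketched as an added Node.js example (not the vendor's or Yozons' code): the server e-mails a unique ID that maps to one document and one party, and records every step with IP address and timestamp. Storing only a hash of the ID, making it single-use with an expiry, and hash-chaining the audit entries are assumptions added here; all names and sample values are constructed.

```javascript
'use strict';
const crypto = require('node:crypto');

const sha256hex = (text) => crypto.createHash('sha256').update(text, 'utf8').digest('hex');
const GENESIS = '0'.repeat(64); // "previous hash" of the first audit entry

class SigningService {
  constructor() {
    this.links = new Map(); // sha256(link ID) -> { docId, email, expires, used }
    this.audit = [];        // append-only, each entry chained to the one before
  }

  // Create the unique ID e-mailed to one party for one document. Only its hash
  // is stored, so a leaked table does not hand out working links.
  issueLink(docId, email, now, ttlMs = 7 * 24 * 3600 * 1000) {
    const linkId = crypto.randomBytes(32).toString('base64url'); // 256 random bits
    this.links.set(sha256hex(linkId), { docId, email, expires: now + ttlMs, used: false });
    this.log('link-issued', docId, email, null, null, now);
    return linkId;
  }

  // The signing ceremony: resolve the ID to document and party, then record
  // the typed name with IP address and timestamp.
  sign(linkId, typedName, ip, now) {
    const link = this.links.get(sha256hex(String(linkId)));
    if (!link || link.used || now > link.expires) {
      this.log('sign-rejected', link ? link.docId : null, link ? link.email : null, ip, null, now);
      return { ok: false };
    }
    link.used = true; // single use: a replayed link is rejected
    this.log('signed', link.docId, link.email, ip, typedName, now);
    return { ok: true, docId: link.docId, email: link.email };
  }

  // Append an audit entry whose hash covers its content and the previous hash.
  log(event, docId, email, ip, typedName, now) {
    const prev = this.audit.length ? this.audit[this.audit.length - 1].hash : GENESIS;
    const body = {
      seq: this.audit.length, event, docId, email, ip, typedName,
      at: new Date(now).toISOString(), prev,
    };
    this.audit.push({ ...body, hash: sha256hex(JSON.stringify(body)) });
  }

  // Returns -1 if the trail is intact, otherwise the index of the first entry
  // that was edited, removed or reordered.
  verifyAudit() {
    let prev = GENESIS;
    for (const [i, entry] of this.audit.entries()) {
      const { hash, ...body } = entry;
      if (body.seq !== i || body.prev !== prev || hash !== sha256hex(JSON.stringify(body))) {
        return i;
      }
      prev = hash;
    }
    return -1;
  }
}

// Constructed sample run (documentation IP address, fixed clock).
function demoTrail() {
  const service = new SigningService();
  const start = Date.UTC(2014, 5, 2, 12, 0, 0);
  const id = service.issueLink('doc-42', 'signer@example.com', start);
  service.sign(id, 'Pat Signer', '198.51.100.7', start + 60000);
  return service.audit.map((e) => `${e.at} ${e.event} ${e.ip || '-'}`);
}

console.log(demoTrail().join('\n'));
```

A plain hash chain only shows that stored entries were changed after the fact; it does not stop someone who can rewrite the whole trail, which is why a service would also sign or externally anchor it.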
A quick overview of the general breadth of the Yozons '079 patent, which has been practiced by Yozons since 2001, can be found in its FIELD OF INVENTION:<br />
<blockquote class="tr_bq">
<i>In general, the present application relates to computer software,
hardware and communication networks, and in particular, to a system and
method for securely processing digital documents, including appending
digital signatures, without requiring pre-established individual
identity verification, digital certificates, end-user cryptography, key
management or key exchange.</i></blockquote>
Posted by Team Yozons<br />
<br />
<br />
Surprise! Big vendors don't keep your data particularly secure<br />
Published 2014-05-27, updated 2014-05-30<br />
<br />
As Yozons talks with various companies regarding our <a href="http://www.yozons.com/patents.jsp" target="_blank">U.S. Patent No. 7,360,079</a>, we were surprised to learn how many vendors do not treat their customers' data securely.<br />
<br />
I suppose after decades of viruses targeting Microsoft products, <a href="http://www.infoworld.com/d/security-central/hackers-used-malicious-pdfs-attack-google-and-adobe-750" target="_blank">Adobe PDF exploits</a> -- heck <a href="http://money.cnn.com/2013/10/08/technology/security/adobe-security/" target="_blank">Adobe's products in general</a> -- <a href="http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data" target="_blank">Target losing 40 million+ of its customers' credit card numbers</a> and other personal information, it shouldn't really be a surprise. We just thought that web contracting vendors would be different. We were wrong.<br />
<br />
Some vendors claim they encrypt their customer data and documents using impressive sounding things like 256-bit AES, but if you read the details, you will find they only do so using HTTPS when your data is transferred over the Internet. Yes, HTTPS is a key starting point and is fundamental to our patent, but once they store your data on disk, all bets are off.<br />
<br />
Some do not make any attempt at encrypting your data when stored. I guess they just take the "trust us" or "what? me worry?" attitude and are exceedingly cavalier with regard to your data. Laws surrounding health information (HIPAA), financial information (GLB, PCI) and just plain common sense regarding any sensitive business information (NDAs, trade secrets, competitive advantage) should make data encryption the standard for any service provider that deals in web contracting and electronic signatures. Rather than let their servers do a few extra calculations to keep your data secure, these vendors choose not to.<br />
<br />
Others do at least encrypt the data on disk, but if you read carefully, you'll learn many are using what's known as <a href="http://en.wikipedia.org/wiki/Disk_encryption" target="_blank">disk encryption</a> and/or <a href="http://en.wikipedia.org/wiki/Filesystem-level_encryption" target="_blank">filesystem encryption</a>. That is certainly a step up over those who don't encrypt at all, but such encryption makes the most sense on laptops and other portable electronics. That's because those portable devices tend to be lost or stolen. But larger servers in a secure data center generally don't suffer issues with disk theft.<br />
<br />
So what's wrong with such disk/filesystem encryption? Well, disk/filesystem encryption typically is unlocked during the server boot process. It's also fully automatic, meaning that when a file is read, it is automatically decrypted, and when a file is written, it is automatically encrypted. If your database stores its tables and indexes on such an encrypted disk, the data is encrypted automatically when stored, but also decrypted automatically when read.<br />
<br />
This means that your data is only secure against physical theft of the disks. If a hacker gets access to the server, every file the hacker reads will automatically be decrypted. If a hacker exploits an SQL injection or other web site vulnerability, the data requested from the database is all automatically decrypted. There's no run-time security whatsoever. Heck, if they implant a virus on the server, such a setup will dutifully encrypt it just like your sensitive data.<br />
<br />
Unfortunately, far too much theft occurs from insiders -- think Edward Snowden for a particularly egregious example against an agency that takes encryption and security seriously. With disk encryption, system administrators can easily view your data just by running queries or reading files.<br />
<br />
While Yozons may be small, we're at least smart enough to keep customer data encrypted before storing it to disk or into the database. The advantage is that database queries and reading files will return only encrypted data. If the disks are stolen, the data is encrypted. Backups are automatically encrypted. The use of disk encryption helps, but only in limited, far less likely scenarios.<br />
<br />
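The difference described above, as an added Go example that is not Yozons' code: one constructed record is stored as plaintext (what a query returns when only the disk is encrypted) and as AES-256-GCM ciphertext sealed by the application before storage. The map standing in for a database table, the `FieldCipher` type, the row IDs and the sample record are all assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// FieldCipher encrypts values inside the application, before they are stored.
type FieldCipher struct{ aead cipher.AEAD }

// NewFieldCipher takes a 32-byte key (AES-256). Assumption: the key comes
// from outside the database and is never written to it.
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// Seal returns nonce || ciphertext || tag. The row ID is bound as associated
// data, so a ciphertext copied into another row fails authentication.
func (f *FieldCipher) Seal(rowID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return f.aead.Seal(nonce, nonce, plaintext, []byte(rowID)), nil
}

// Open reverses Seal for the given row and rejects modified or moved values.
func (f *FieldCipher) Open(rowID string, stored []byte) ([]byte, error) {
	n := f.aead.NonceSize()
	if len(stored) < n {
		return nil, errors.New("stored value too short")
	}
	return f.aead.Open(nil, stored[:n], stored[n:], []byte(rowID))
}

// Leaks reports whether needle is readable in any raw row value, which is
// what a SELECT * by an administrator or an injected query would return.
func Leaks(rows map[string][]byte, needle []byte) bool {
	for _, v := range rows {
		if bytes.Contains(v, needle) {
			return true
		}
	}
	return false
}

type StorageResult struct {
	DiskOnlyLeaks, AppLevelLeaks, RoundTripOK, MovedRowRejected bool
}

// CompareStorage stores one constructed record both ways and inspects the rows.
func CompareStorage() (StorageResult, error) {
	secret := []byte("SSN 000-00-0000") // constructed sample value
	record := append([]byte("applicant=Jane Doe; "), secret...)
	// Disk encryption is transparent to queries, so the row is plaintext here.
	diskOnly := map[string][]byte{"doc-1": record}

	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return StorageResult{}, err
	}
	fc, err := NewFieldCipher(key)
	if err != nil {
		return StorageResult{}, err
	}
	sealed, err := fc.Seal("doc-1", record)
	if err != nil {
		return StorageResult{}, err
	}
	appLevel := map[string][]byte{"doc-1": sealed}
	plain, err := fc.Open("doc-1", appLevel["doc-1"])
	if err != nil {
		return StorageResult{}, err
	}
	_, moveErr := fc.Open("doc-2", appLevel["doc-1"]) // same bytes, wrong row
	return StorageResult{
		DiskOnlyLeaks:    Leaks(diskOnly, secret),
		AppLevelLeaks:    Leaks(appLevel, secret),
		RoundTripOK:      bytes.Equal(plain, record),
		MovedRowRejected: moveErr != nil,
	}, nil
}

func main() {
	r, err := CompareStorage()
	fmt.Printf("%+v err=%v\n", r, err)
}
```

The benefit depends on the key living somewhere a database query, file read or backup cannot reach; how that key is stored is not covered by the post.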
When dealing with sensitive information like Yozons does on a daily basis for its hundreds of thousands of users, Yozons practices what it preaches when it comes to privacy. Customer documents are always stored encrypted, as is all of the data populated into forms. Some of the data may not need special security, but we also handle a lot of financial information, human resource information, and other sensitive business communications.<br />
<br />
As a vendor, we don't keep your private data "in the clear" to save a few computing cycles. As a customer, you shouldn't have to worry if hackers or system administrators can sift through your data. Don't be surprised: read the details and ask questions of your vendors.<br />
<br />
<h2>
Security theater is neither secure, nor entertaining</h2>
Published 2014-05-04, updated 2014-05-30<br />
<br />
Bruce Schneier is known for coining the term "<a href="http://en.wikipedia.org/wiki/Security_theater" target="_blank">security theater</a>" to describe security procedures that "look" like something is being done, when in fact, no actual security is provided.<br />
<br />
On a recent trip with my family, we saw this yet again with the TSA agents at the airport. My wife, son and I all have Nexus IDs issued by the border patrol. To get such an ID, we had to pass a security background check, had our fingerprints taken, and they did an iris scan (biometrics of the eyes). The TSA now offers a "<a href="http://www.tsa.gov/tsa-precheck" target="_blank">TSA Precheck</a>" program for travelers who have such IDs to expedite travel through the security lane at participating airports and airlines.<br />
<br />
This program is pretty nice, making air travel nearly as easy as before the 9/11 changes that have done little to improve actual security. (It's recognized that securing the cockpit doors and general passenger awareness have been the true security improvements despite the billions spent on other things.) We no longer have to remove our laptops or take off our shoes, and we generally only have to pass through a metal detector. It is a breeze.<br />
<br />
What I didn't realize is that the nonsense about "3 ounce fluid" limits is still in place. We bought two jars of blueberry preserves from <a href="http://www.peasoupandersens.net/" target="_blank">Andersen's</a> in Buellton, California, one for ourselves, and one as a gift. Since <a href="http://www.alaskaair.com/" target="_blank">Alaska Airlines</a> charges $25 per checked bag, we skipped this convenience that was once the norm and is still practiced by a few better run airlines. The TSA agent gave us the option to return to the counter and check our bags, but it wasn't worth $25 to bring two jars of blueberry preserves home in one bag while the other two bags would still have to be carried on lest we pay $75 for them all.<br />
<br />
Who even thought preserves were a fluid? We thought they were fruit.<br />
<br />
The TSA confiscated the jars and, knowing that they could very well be a blueberry bomb, tossed them into a plastic bin right behind them. They are so concerned about the safety of the airplane that they make no effort to secure confiscated items where they work all day and thousands of passengers pass by, proving that there is no actual security concern. I mean, they even offered that I could check my bags as if a blueberry bomb is secure in the cargo hold, but not in the cabin.<br />
<br />
Was the TSA really concerned about blueberry preserves carried by a family all with their sophisticated IDs, after returning from a weeklong trip to a robotics competition, visiting our 80-year-old aunt and uncle, and then visiting friends we've had since the mid-1980s when we worked together at a bank? Did they make any attempt to think about anything? Ask us any probing questions about where we got them like Customs would do for international travelers? The answer to all is "no."<br />
<br />
That's security theater.<br />
<br />
Ironically enough, while waiting at the gate, Alaska Airlines offered to check our bags for free <i>and </i>give us priority boarding to do so. All of the passengers that simply paid $25 to check their bag paid too much and never received preferential boarding. We saved $75 and boarded early. How's that for a nonsensical policy?<br />
<br />
There are other examples of poor security in the name of usability, including "link/URL shortening," those links that Twitter, Google, Bit.ly, Facebook, LinkedIn and others send out that essentially hide the true nature of a link behind a name like "http://t.co/aFKZJ9rTlM". This makes it much easier for spammers and virus writers to distribute their payloads because you cannot determine the validity of the web site you will be visiting. This is a "convenience" that only increases the likelihood that more victims will suffer.<br />
<br />
Before link shortening, Microsoft did something similar with Windows when it decided to hide file suffixes. We all learned early on that files that end in .EXE, .COM and .BAT could be run on your PC, and we later learned that .PIF, .ZIP and .PDF were also often dangerous and could be used to carry malicious content. Then Microsoft decided that helpful information like this was "too long" and started to hide them by default. So now files like Resume.doc.exe were shown to users as Resume.doc, making a malicious executable appear to be a Word document. Not showing a few characters may have seemed a good idea, but there are untold numbers of users who suffered because of this security mistake.<br />
<br />
We see this also in mobile browsers, both on phones and tablets, where the browser hides the details about links in the location field and just shows the domain name. Once again, this user interface convenience just allows for hiding details that are useful to those who are security conscious and show some interest in the data being sent in link parameters.<br />
<br />
The Firefox browser has taken to showing a warning icon next to secure web sites using HTTPS if they only secure the domain name rather than the company that owns the domain name. This makes perfectly secure web sites appear to be less than secure, adding no real benefit except to vendors who sell more expensive web site SSL certificates. The problem is that many web sites are service providers, so trust shouldn't just be placed in the vendor operating the web site, but the customer who is using that service to send you information, take your order, etc. If you are buying from Vendor A, but they use Provider B's web service, you will see Provider B's domain name and "verified" certificate status, but there's no reason to misplace trust in Provider B because you may trust Vendor A who has been vetted only slightly more.<br />
<br />
Sadly, this lack of security understanding goes to many well established e-signature/web-contracting vendors. It seems that many such vendors, despite their fancy web sites and millions of investor dollars, do not even take the basic security precaution of encrypting your documents and data when stored on their systems. They proudly proclaim they use 2048-bit encryption, but this only is for the short HTTPS transfer of data over the Internet. Once stored for a much longer time in their system or database, your data is entirely exposed to system administrators and potentially to hackers who constantly find ways to steal such data through other sloppy coding. This happens repeatedly, yet such "well known" vendors often do not take the simple precaution of securing your data for you and helping you comply with laws and regulations surrounding securing financial and personal information. <br />
<br />
We have also discovered that quite a few e-signature vendors don't even apply digital signatures when you sign. This seems most unusual since digital signatures are the tech standard for this purpose and long pre-date the vendors who are offering e-signature services.<br />
<br />
Trust is misplaced when you realize that your e-signature vendor neither secures your data nor digitally signs the documents when you apply your electronic signature. Such sloppy security practices only serve to save them a few dollars while putting their entire customer base at risk.<br />
<br />
Security theater is neither secure, nor entertaining.<br />
<br />
Yozons has the right solution for your enterprise as we understand security, keeping your data secure at all times and applying a digital signature at every step of your online process.<br />
<br />
<h2>
The EU's "advanced" electronic signature is retrograde</h2>
Published 2014-04-06, updated 2014-05-30<br />
<br />
Like the term "Big Brother," the European Union's (EU) "advanced" electronic signature is an oxymoron designed to impress you with self-proclaimed goodness, but is in fact retrograde and certainly not advanced. Adoption and interoperability remain poor and put too much onus on individuals and trusting unknown entities.<br />
<br />
English author George Orwell wrote all about such government Newspeak in his famous novel, <u>1984</u>. Committees, governments and big corporations try these FUD tactics (fear, uncertainty and doubt) all the time because they work more often than not. It's your advantage in life to see through the blather.<br />
<br />
<h3>
Public key infrastructure (PKI)</h3>
<br />
PKI has been around since the early 1970s, a product of British intelligence. It's useful in many scenarios, and the world wide web relies on it for the HTTPS protocol, though even that would work well for most without a PKI requirement.<br />
<br />
RSA and other PKI vendors have led "<a href="https://blogs.rsa.com/the-year-of-pki-is-here/">Year of PKI</a>" celebrations at least since 1996. It's been declared "<a href="https://www.thales-esecurity.com/blogs/2011/april/pki-is-dead--again--apparently">dead</a>" just as many times and such declarations of death are often interwoven with declarations of its grand dominance. Renowned cryptography expert Bruce Schneier provides good insights in his <a href="https://www.schneier.com/paper-pki.pdf"><u>Ten Risks of PKI: What You're not Being Told about Public Key Infrastructure</u></a>.<br />
<br />
There are numerous reports of stolen digital certificates, stolen private keys, hacked certificate authorities, after-the-fact certificate revocation lists, etc., <a href="http://www.theregister.co.uk/2014/04/05/digitally_signed_zeus/">including a long-lived Windows trojan called ZeuS that now makes use of "stolen" digital certificates assigned to Microsoft</a>. Of course, a digital certificate is supposed to be public, so stealing one should have little value whatsoever. I mean, every HTTPS web site gives you its certificate freely and your browser comes pre-loaded with many "trusted" certificate authorities (if you've never heard of them, how can you trust them?). But PKI relies on a chain of trust, so it's only as trustworthy as its weakest link, and there are innumerable weak links as recently demonstrated by the ZeuS exploit.<br />
<br />
Unlike a certificate, if your private key itself is compromised, all bets are off, which is precisely why it's so odd that some large e-signature vendors put their entire customer base at risk by using a single signing key for every document signed by every person. One large vendor just uses a salt+message digest of your document instead of a digital signature even though a simple database update of the document with the newly computed message digest would make the so-called "authoritative copy" a fraud.<br />
<br />
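The weakness described above for a salt+message digest, next to a digital signature, as an added Go example (not any vendor's code): a row is rewritten by someone with write access to the table but no signing key. The `Record` layout, Ed25519 as the signature algorithm and the sample agreement text are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Record is one row of a hypothetical signed-documents table.
type Record struct {
	Document []byte
	Salt     []byte // stored in the same row as the document
	Digest   []byte // SHA-256(salt || document), also stored in the row
	Sig      []byte // Ed25519 signature over the document
}

// saltedDigest needs no secret: anyone who can read the row can compute it.
func saltedDigest(salt, doc []byte) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write(doc)
	return h.Sum(nil)
}

// NewRecord stores a document with both kinds of integrity value.
// Assumption: priv is held by the signing service, outside the database.
func NewRecord(doc []byte, priv ed25519.PrivateKey) (Record, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Record{}, err
	}
	return Record{
		Document: doc,
		Salt:     salt,
		Digest:   saltedDigest(salt, doc),
		Sig:      ed25519.Sign(priv, doc),
	}, nil
}

// DigestOK is the only check a salt+digest scheme can offer.
func (r Record) DigestOK() bool {
	return bytes.Equal(r.Digest, saltedDigest(r.Salt, r.Document))
}

// SigOK verifies with the public key alone, so any relying party can run it.
func (r Record) SigOK(pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, r.Document, r.Sig)
}

// RewriteRow models a change made with write access to the table but without
// the signing key: every column can be replaced, a valid Sig cannot be made.
func RewriteRow(r Record, newDoc []byte) Record {
	r.Document = newDoc
	r.Digest = saltedDigest(r.Salt, newDoc)
	return r
}

type IntegrityResult struct {
	DigestBefore, SigBefore, DigestAfter, SigAfter bool
}

// CompareIntegrity checks a constructed document before and after a rewrite.
func CompareIntegrity() (IntegrityResult, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return IntegrityResult{}, err
	}
	// Constructed sample text.
	rec, err := NewRecord([]byte("Agreement: price is 1,000 USD"), priv)
	if err != nil {
		return IntegrityResult{}, err
	}
	altered := RewriteRow(rec, []byte("Agreement: price is 9,000 USD"))
	return IntegrityResult{
		DigestBefore: rec.DigestOK(),
		SigBefore:    rec.SigOK(pub),
		DigestAfter:  altered.DigestOK(), // still passes: digest was recomputed
		SigAfter:     altered.SigOK(pub), // fails: signature covers the old text
	}, nil
}

func main() {
	r, err := CompareIntegrity()
	fmt.Printf("%+v err=%v\n", r, err)
}
```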
Bad security remains the norm at loud companies (i.e. big spenders on marketing and freebies) that demonstrably value profits and market share over quality and customer concern. Say it loudly and often and hope people come to believe it's true. We continue to read about competitors, even those built on a PKI, that don't even encrypt your private documents containing personal and private information when stored, leaving them open to perusal simply by querying for it.<br />
<br />
Despite the reality of PKI issues, vendors, EU committees and international standards bodies (how many of you use their "advanced" OSI model of networking rather than the Internet?) continue to claim that you need a PKI in order to have an "advanced" electronic signature. If it weren't so real for millions, the best advice would be to ignore it until it goes away. It's really a shame, too, because the EU has a perfectly good electronic signature law modeled on the U.S. E-Sign Act of 2000. Some just cannot believe that their technobabble isn't required by law and are trying to trick you into thinking you have to be old school in order to be advanced. It's not just the EU either: before the U.S. E-Sign Act, very few e-signatures were performed in the United States because state laws also mandated a PKI. <br />
<br />
For e-signatures, PKI just hasn't been workable. The costs of deployment are high. Scaling and interoperability are hard. The issues of trust remain unresolved. Most computers and networks are notoriously insecure. Users are often clueless about such details -- and rightly so. Even so-called secure cards have to be connected to these very computers and networks and be operated by these very users. (<a href="https://www.youtube.com/watch?v=4ddUdEQjrOo" target="_blank">Just watch President Clinton look over the shoulder to see the short PIN entered by Prime Minister Ahern and then exchange their "smart" cards</a>. If leaders of nations can't be trusted to do this correctly, you are right to wonder if any other folks will be better at it.)<br />
<br />
<h3>
Most prefer service providers </h3>
<br />
Would you consider getting rid of banks because they are too insecure? I mean, clearly you should keep your money in a safe in your home and transport it using armed couriers all controlled solely by yourself. Why would you trust an intermediary like a bank to keep your money safe and allow simple transactions by check, ATM, debit card or wire transfer when it doesn't even keep your deposited money in that very bank's vault?<br />
<br />
How about credit card companies? Clearly they are not secure, again allowing money to move easily just by entering some numbers into an online store or providing it to other merchants for payment processing. <br />
<br />
The post office, FedEx and UPS certainly cannot be trusted. You should deliver your packages directly, keeping them in your sole custody to ensure nothing goes amiss until you have handed them to your intended recipient.<br />
<br />
Obviously, few consider using cash and delivering your own mail and packages to be more "advanced" than banks, credit cards and delivery services. But some do.<br />
<br />
For most, the use of an intermediary with the special skills and technology, system monitoring and forensic capabilities for troubleshooting should problems arise is the most advanced way to go. We place trust in banks, credit card companies and FedEx not because they prevent all thefts of cash, prevent all fraud and never lose a package, but because they do a very good job, are cost effective, reliable, easy to use, and when things do go wrong, they have mechanisms in place to resolve them.<br />
<br />
<h3>
Advanced web-based electronic signatures</h3>
<br />
If you want a <a href="http://www.yozons.com/patents.jsp" target="_blank">truly advanced e-signature system</a>, we recommend using a proven technology that puts your privacy and data security ahead of making money and growth at all costs, and certainly ahead of requiring retrograde technology. Such an e-signature system can remove a rogue user simply by deactivating his/her account to prevent ongoing problems, not punt the issue by putting the bad actor's certificate into a revocation list and hoping you checked it before, during and after every transaction. <br />
<br />
Such an e-signature company likely does not give you freebies to induce you to sign up. Such a company will keep your data encrypted better than you can, while also making it available to you using any of your web-capable devices at any time from any location. Such a company will use advanced digital signature technologies to ensure documents can be verified as authoritative for the foreseeable future. Such a company will allow for performing transactions easily and quickly with billions of people across the world. Such a company will use standards where they make the most sense from a practical perspective to protect your investment and avoid vendor lock-in. Such a company will not keep its technology proprietary and hidden from review. Such a company is unlikely to be built by a committee.<br />
<br />
Yozons is such a company.<br />
<br />
Don't let words fool you. A truly advanced electronic signature can be had today, and it most certainly does not rely on retrograde PKI.<br />
<br />
<h2>
High volume seasonal hiring made easy, well, easier</h2>
Published 2014-04-04, updated 2014-05-30<br />
<br />
<span style="font-family: inherit;">For this installment, I'd like to discuss a large merchandising company that does high volume seasonal hiring, mostly to meet the demands of the large retailers they service. </span><br />
<span style="font-family: inherit;"><br />During peak hiring, over 500 people on any given day are in some stage of the online hiring process, from initially filling out a job application, to interviewing, through internal approval, store assignment, completing various new employee documents, I-9 and e-Verify, and finally payroll setup. Much of the rest of the year, volumes are lower as they do maintain an ongoing hiring process year-round.<br /><br />
This company's web-based onboarding package of documents consists of over 25 forms and includes the job application, questionnaire, EEO survey, background check authorization, and various government forms like the W-4, I-9 and state tax withholding forms.<br /><br />
A powerful routing capability was custom developed for their hiring process on top of the Yozons e-signature platform. Based on the applicant’s geographical location, the package of documents is assigned to an area manager. The area manager does the initial review and then assigns the package to a specific store manager to determine whether to hire the candidate or not. Alternatively, the area manager can override the area manager step and simply send the hiring package directly to the applicant. Once hired, the package of documents is sent to the employee to complete all of the onboarding paperwork. The package is then routed to the store manager to verify the employee's identity for the Federal Form I-9, and then it's routed to payroll.<br /><br />
With government and legal compliance concerns (i.e. “Failing to comply with Form I-9 requirements” carries a $110 to $1100 fine per employee -- see http://www.uscis.gov/i-9-central/penalties), this customer’s core requirements are to ensure legal compliance, to decrease the time to process all of the hiring paperwork, and to be able to search for onboarding packages from the past and keep up-to-the-minute status of ongoing new hires.<br /><br />
Yozons rapidly built a custom HR onboarding system using our enterprise web service software. This customer has been using their system since 2007, and they have yearly requirements to keep their system modern, useful and up-to-date with HR laws and regulations. With this custom solution they are able to coordinate their hiring with over 100 HR staff spread across a large multi-state region.</span><br />
<br />
<h2>
PKI Digital Signature company acquires patent license</h2>
Published 2014-04-01, updated 2014-04-02<br />
<br />
In a <a href="http://enterprise-webapps.blogspot.com/2014/03/instant-income-verifcation-yozons-079.html">prior blog posting about our patent licensee who is in an unrelated marketplace of instant income verification</a>, we discussed much about how patent law works.<br />
<br />
Today, we will discuss a "tangentially related" competitor in the marketplace. In the European Union (EU), so-called "advanced" electronic signature laws tend to favor solutions built on public key infrastructure (PKI), just like myriad antiquated U.S. state laws prior to the U.S. E-Sign Act of 2000. Adoption of electronic signatures has suffered in the EU because such solutions are harder to deploy, just as they are in the U.S.<br />
<br />
The EU has an advantage in that many of its countries are much smaller than the U.S., and they are able to roll out government-based electronic IDs that are built around a PKI. This more closely mirrors how our states are able to issue driver's licenses, though no state offers an eID. Of course, the EU still suffers with interoperability across national boundaries and other issues in this regard, but the U.S. is unlikely to adopt a federal eID anytime soon as we've never had a national ID.<br />
<br />
Our recent patent licensee is a software vendor in the United Kingdom that offers a PKI-based server platform with a web front end for the purpose of electronically signing documents.<br />
<br />
While they make use of a PKI, their web users in particular are able to effect electronic signatures built on digital signatures on the server alone, without the users on their web browsers having to download software, generate/manage encryption keys, exchange keys, etc. Under that scenario, <a href="http://www.yozons.com/patents.jsp">our patent came into play</a>, and so they purchased a license that covers both their server product and the web-based front-end product that is also operated as a service (SaaS, web site).<br />
<br />
With the patent license, the company, its investors and all of its customers are fully protected. That's a smart business decision.<br />
<br />
We were able to negotiate a fair one-time royalty on favorable terms to them because they approached Yozons and concluded a license agreement quickly and professionally. Naturally, royalty rates are higher for those who do not willingly purchase a license, with the highest rate for those who must be sued into compliance.<br />
<br />
<br />
<h2>
Instant income verification - a Yozons '079 patent licensee</h2>
Published 2014-03-24, updated 2014-04-02<br />
<br />
Some customers of Yozons have never used our technology and services directly, though many thousands have.<br />
<br />
Nor have these customers necessarily used us through a reseller.<br />
<br />
No, these customers are licensees of the Yozons '079 patent -- <a href="http://www.yozons.com/patents.jsp">U.S. Patent No. 7,360,079</a> -- and they protect their businesses and investors, and more importantly, protect the interests of their customers by purchasing a license at a fair royalty amount. We offer two tiers of patent licenses: 1) for those who use our patent in non-competitive markets; and 2) for those who are competitors and have directly built their businesses on top of our intellectual property. We offer paid-up licenses as well as revenue-based royalties.<br />
<br />
A recent example of such a patent licensee is a company in California that offers instant income verification, primarily for mortgage lenders. Using its own web-based technologies, our licensee is able to review an applicant's tax returns, paystubs and bank statements by getting appropriate authorization online. This then allows them to provide instant delivery of the applicant's income rather than waiting even one or two days, all with tax confirmation provided directly from the IRS.<br />
<br />
Intellectual property laws can be complex, but patent law is pretty straightforward in that those who make use of the teachings of a patent are infringing even if they've never heard of the inventor or the patent before. As the Yozons '079 patent was filed in 2002, an infringer today could easily have accumulated 12 years of ongoing infringement. <br />
<br />
Even if you don't know you are infringing on a patent, you are legally responsible and can face damages if you do not remedy the situation. If you do know about a patent and are found to infringe, it becomes willful and you become liable for treble damages (3 times the amount) and reimbursement of all legal expenses incurred by the patent owner to bring you into compliance. Several direct competitors fall into this camp.<br />
<br />
More confusing is that even if you are a customer of another product or service, and the vendor who offers it infringes on a patent, you also infringe it. It is Yozons' belief that millions have infringed our patent using competing technologies as well as unrelated technologies that perform web-based electronic signatures and secure storage in which the keys and encryption are managed by the server rather than the parties themselves as was the industry norm before the '079 patent.<br />
<br />
Of course, Yozons does not generally bring legal action against people regarding its patent, but those who likely do infringe and refuse to purchase a license do set themselves and their customers up for a willful patent infringement lawsuit in federal court. Attempts to defend yourself can be very expensive, often costing $100,000 just to reach a first round settlement. Most find that if there is sufficient reason to believe you <i>may </i>infringe, it's often dramatically cheaper to acquire a license than to fight it in court. Even if you win the lawsuit, you'll likely have spent considerable money and time on top of being compelled to divulge lots of private information via interrogatories and "requests for production" including software code, design specification, customer lists, revenue models and financial statements going back years.<br />
<br />
Smart vendors protect their interests and the interests of their customers by acquiring rights to our '079 patent rather than leave themselves and their customers vulnerable. <br />
<br />
Yozons offers a reasonable royalty program that provides a fair price for use of our important patent. If you think you may infringe, we hope you do the right thing and join our many other patent licensees.<br />
<br />
<br />
<br />
<br />
<h2>
Home security requires good web security</h2>
Published 2014-03-20, updated 2014-04-02<br />
<br />
A large, nationwide, home security firm uses Yozons to securely deliver signed copies of their sales agreements that they otherwise process using their existing CRM and order processing systems.<br />
<br />
Of course, they also keep their official, legal copy permanently stored in our encrypted repository as well.<br />
<br />
When they started back in early 2006, they were sending out roughly 1,500 agreements per month. By 2009, they were up to 2,000 per month, and then 2,500 monthly agreements in 2010. During this time, they were running our web services on their own internal server running in their data center.<br />
<br />
By 2013, they were doing 3,500 monthly transactions, with occasional monthly peaks over 4,000, now using a private web server operated by Yozons on their behalf.<br />
<br />
All told, Yozons is now managing nearly half a million signed sales agreements on a private web server running our technology branded for their needs.<br />
<br />
Their private web server allows them to operate our technology as if it were entirely their own, using their domain name and SSL certificate for the web contracting web site, yet still having Yozons perform the 24x7x365 operations, monitoring and maintenance in our data center. This has relieved their internal IT department from the tasks of managing an additional server so they can focus on their core mission of supporting their in-house applications, PCs and networks.<br />
<br />
<h2>
If the shoe fits, wear it proudly and with style</h2>
Published 2014-03-16<br />
<br />
There's an old expression that the cobbler's children have no shoes. There is some truth to the idea that those who work hard producing a product rarely have the time and energy to do similar, but uncompensated, work for themselves.<br />
<br />
At Yozons, while it's true that we've built many far more complex systems for our customers than we ever did for ourselves, we are not cobblers, and we've always lived with the contrary motto that we should "eat our own dog food." And we do, though we think it's way cooler than dog food.<br />
<br />
Here at Yozons, we use our technologies in myriad ways: <br />
<ol>
<li>Our secure document delivery capabilities are used to communicate updates with investors. On occasion, they're also used to transfer sensitive information that doesn't fit the solutions listed below, including credit card information, SSNs/EINs, etc.</li>
<li>Our main sales agreement and invoice incorporates a 7-step workflow that starts with the sales rep, goes to the order reviewer only if there is custom forms development, is approved by a sales manager, can optionally be approved by a customer reviewer for technical and pricing correctness, is then signed by the customer, countersigned, and finally processed by accounting to reconcile payments by checks or those automatically charged when a credit card payment is used.</li>
<li>We have an online sign-up form that customers can use to purchase directly using a credit card, which is then routed to technical support for installation and then accounting for payment reconciliation.</li>
<li>We use e-Docs to store files and scanned images (such as -- thankfully rarely received -- faxes) in our secure repository.</li>
<li>We have an individual contributors license agreement for those who help provide software code and/or documentation assistance.</li>
<li>A mutual NDA is used when dealing with parties who need private details about our company, and more often, so those parties can divulge private details about their projects and plans with us.</li>
<li>We have a sales agent and reseller agreement for engaging sales representatives and resellers.</li>
<li>A partner developer agreement for those who help build custom solutions for our customers.</li>
<li>A patent license agreement with royalty provisions for those who purchase a license to our U.S. Patent No. 7,360,079.</li>
<li>And finally, a credit card authorization form mostly for those whose credit cards on file need to be updated.</li>
</ol>
In subsequent postings, we'll describe briefly how our various customers use our technologies, as they seem to handle a wide variety of tasks that differ dramatically from our own cobbler's needs.<br />
<br />
<br />
Welcome to Enterprise WebApps<br />
Posted by Team Yozons on 2014-03-13<br />
<br />
Welcome to our new Enterprise WebApps (web applications) blog that will discuss how secure, scalable, modern business web applications are developed.<br />
<br />
Previously, large teams of programmers were needed to develop business applications. Some very large and sophisticated applications still are produced this way. But the vast majority of business applications built today are no longer monolithic systems. Such older systems took too long to develop, tended to be hard to use, cost more than was budgeted, and of course were expensive to operate and maintain over the years.<br />
<br />
Also, with the advent of web-based computing, businesses started to reduce the need for such big, centralized systems that are cost prohibitive for many and rarely show a good ROI. These companies understood that employees, partners and customers are often located throughout the world, and being "in corporate headquarters" was becoming a thing of the past.<br />
<br />
Many companies now look to acquire point technologies that solve specific needs rather than the all-encompassing super software of yesteryear. And many of those want web-based solutions, often provided as a service (SaaS), allowing them a lower cost of entry, but also relieving them of the details of software development, maintenance and operations that were overloading internal IT.<br />
<br />
Companies like Salesforce.com showed the power of a vertical solution for dealing with CRM. <br />
<br />
Yozons Open eSignForms is an enterprise webapp that's both a business transaction execution engine and an application development tool that requires basic HTML expertise, and it serves a horizontal market across most industries. Yozons develops point solutions on top for resale, and we also build turnkey solutions for some of our customers, while others build their own systems -- all without needing traditional software programming expertise.<br />
<br />
Unlike software of old, though, users of Open eSignForms build their own point solutions that come with enterprise-grade capabilities like scalability, segmentation of users into groups, branding libraries to handle multiple companies/divisions, data encryption, digital signatures for XML and PDFs, HTML documents that render correctly on all devices (PCs, tablets, phones) and don't require special hardware or software to view, electronic signatures for authorization and agreement, and basic workflow to ensure processes run smoothly and no work is lost or misplaced.<br />
<br />
We will present the myriad enterprise webapps our customers have built for themselves, as well as those Yozons has built as separate products. As the underlying customer-branded technology for many large and small companies, Yozons is often the most used, but never heard of, technology company out there. Our customers are essentially getting a custom solution to meet their needs quickly at the same price as pre-built enterprise software that never quite fits right (and the cost of modifying them is usually prohibitive) and often takes years to implement. <br />
<br />
Nimble businesses simply cannot move that slowly, and there's really no reason to do so.