Wednesday, October 15, 2014

SHA-1 is considered insecure while the EU pretends to legislate "advanced" e-signatures

Google announced that it is updating its Chrome browser to display warnings on web sites that use HTTPS (SSL/TLS) backed by a digital certificate signed with SHA-1.  In Why Google is Hurring the Web to Kill SHA-1, Eric Mill gives many reasons why Google is pushing ahead of schedule to rid the web of SSL certs that are considered less secure because they are signed by a Certificate Authority (CA) using SHA-1.

While it's true that SHA-1 is approaching the end of its useful life, it's stubbornly present in many systems and applications.  Getting rid of it isn't easy.  But we have to start sometime!

Of course, creating useful collisions in SHA-1 is still mostly an uncertain game.  We have not heard of any actual SHA-1 collisions that are useful.  "Useful" is a key consideration in that creating a second set of data the hashes to the same SHA-1 hash as some "real" document is hard enough, but doing so in which that second data is a meaningful replacement for the first is even harder.  If a collision could change "$100" to "$200," you'd have a real problem (of course this is just a short text example to illustrate the point, not a real scenario).  But if "x4z]" ended up hashing to the same as "$100", it would be less interesting because the replacement is not meaningful and thus would not be a realistic spoof.

While the Google announcement surrounds SSL certificates, digital signatures for e-signatures are likely a bigger problem.  SSL certificates tend to be renewed every 1 to 3 years, so they do not last very long, and most new certificates issued will use SHA-2 instead of SHA-1.

Digital signatures on documents tend to be "forever."  They do not expire.  While the user's signing keys may change from time to time, once a digital signature is applied to a document, it remains that way going forward.  Since most e-sign vendors use SHA-1 in their digital signatures (aside from the few odd players that don't appear to use any digital signatures at all like Sertifi and AssureSign), all documents being signed may be forged in the future.  Fortunately, most documents become somewhat obsolete after years go by (that is, few want to forge a 5-year sales agreement for example).

In the EU, they promote word play like "advanced" and "qualified" for electronic signatures based on digital signatures created using a typical PKI in which the signer has been issued a digital certificate (no doubt signed with SHA-1!) for a private key the user keeps secure.  This sounds good, but of course has serious flaws:
  1. Users cannot deny an electronic signature created using their "advanced/qualified" signature. The EU law says these are guaranteed to be valid.  No wet signature ever had such an absurd notion attached to it; that's why we have courts to decide based on evidence.
  2. Users may in fact not keep their private keys secure. Users are famous for being unable to keep such stuff secure because they really have no idea what their encryption keys are or how exploits can take place.  Every virus and hack attack is a potential theft of a user's encryption keys.
  3. All encryption requires software and hardware, and all software and hardware is vulnerable to attack. Thus, your keystore can be hacked. The device the key is stored on can be hacked. The device (like a PC, phone or tablet) the key is used on can be hacked.  Any network connections involved can be hacked. As the various credit card hacks have shown, devices can be hacked, replaced or have another device put in the middle of the communications cable (or wireless).
  4. The user may forget the password related to securing their private key. While this would prevent future signing, it could also mean that all data encrypted for storage would no longer be accessible.  There will be millions of users who will lose a lot of their data because it's encrypted using a key they no longer have access to.
  5. Users can be tricked into using their keys insecurely, including phishing attacks and social engineering attacks.
  6. What happens to all digitally signed documents done between the loss of control of a user's keys and detection that the keys were lost?  A user can revoke his keys, but only once he knows something has gone wrong.  But that user will not know what, if anything, was ever forged.
  7. How can a user know where his forged credentials are being used?  Cannot!
  8. Once a digital signature is applied by a user, that document will remain secure only for as long as the digital signature is valid. If the digital signature uses SHA-1, that may only be a few years away.
With services like Yozons Open eSignForms, many of these issues do not exist. When a credit card number and information is stolen, a user eventually finds out because invalid charges appear on his or her statement.  The credit card company can go back and find all fraudulent charges and reverse them.  Something similar happens when using an e-signature service -- the only signed documents you have can be found in the service.  Any fraudulently signed documents can be discovered and invalidated.  There is recourse to such a loss that is guaranteed to happen frequently across a large pool of users.

Documents digitally signed using Yozons Open eSignForms employ a 4096-bit RSA keypair with SHA-512.  This is not the norm among esign vendors who generally use much less secure technologies (including those absolutely worthless vendors/products that don't digitally sign at all).  While the greater security provided by Yozons is powerful today, eventually it will no longer be considered secure just like SHA-1's fate today and MD5 before.

Unlike "advanced" e-signatures created by users for themselves, a service can ensure documents are secure going into the distant future.  For example, if a digitally signed document in Yozons previously used 1024-bit RSA with SHA-1 (a very typical scenario still in practice today), our technology could easily retrieve that document, ensure the older digital signature is still valid, and if so, then re-digitally sign the document using 4096-bit RSA with SHA-512.  Such a document can remain secure for as long as necessary.

It is time for SHA-1 to be retired.  Yozons has updated all of its server SSL certificates to ensure they are protected with SHA-2.  But what about all those web sites and users who do this for themselves?  They most likely will not be on top of security issues like this, and that's the very problem we solve for our customers and their users.

Wednesday, October 8, 2014

Shared web services can cost your business

One of the great things about the Internet and the advent of web services (shared software as a service or SaaS) is the ability for businesses to jump into new technologies with relatively low barriers for entry.

For many large enterprises, deploying and managing hardware servers inside a data center for new services desired by a particular department is a death sentence for the project.  The teams are understaffed and overwhelmed supporting the myriad systems already deployed.  There is no operational expertise in-house for the new services.  For small companies, such deployments are often cost prohibitive because they lack the technical skills and resources to make it a success.

Purchasing web services has solved these problems very well.  Departments in enterprises and small businesses can essentially rent time on a large shared service, often paying for resources consumed (transactional) or users per month (subscription).  The cost of entry is low, and deployment tends to be quick.  It's a real benefit.

However, when the service offered is a core competency, using third party services is often undesirable and more costly than the price tag may suggest.  Web contracting and electronic signature services fit this bill for many companies.  Most companies realize that it is a trap to store key documents and contracts and allow customer interactions to be performed by a third-party vendor.  Of course, those service providers that offer "free tiers" tend to be the worst.  Instead of monetizing their purported service, you, their customer, is the actual product and they monetize you and your interactions with your customers instead.

With Yozons Open eSignForms, you have ultimate flexibility and complete brand control.  Each customer deployment is always an independent system: independent database and independent web application.  Even our lowest cost "shared hosting" only shares the physical server, but each customer running on that hardware has its own independent web application and database, keeping its users away from those of all other customers we service. 

Most SaaS vendors put millions of unrelated customers into a single huge system.  This makes migration away much harder, and of course creates a huge target for hackers who boast about big exploits and cause millions of user records to be stolen and sold on the black market.

Over time, the cost of paying a vendor to handle your contracting, your documents and the interactions with your customers, employees and business partners grows substantially.  Losing touch with your customers by using a third-party service is a cost few estimate correctly. 

Many companies initially jump on the SaaS bandwagon, giving them a leg up on the competition and providing services quickly at a low cost of entry.  But these companies ultimately ditch those early efforts and deploy their own services, which turns out to be more profitable for them and allows them to control their customer relationships and control their important business documents.

With Yozons Open eSignForms, you can easily migrate from shared hosting, but with fully independent customer systems, to private hosting, to bringing it all in-house.  You maintain full control over your independent system no matter how it's deployed, and that flexibility is what motivates companies to eventually abandon their forays into shared SaaS and instead take care of their own business themselves.

Tuesday, August 26, 2014

Have Internet, will travel

As I write this blog, sipping a cool rosé wine just outside of Walla Walla on an impressive compound once owned by a cell phone magnate, I cannot help but think how wonderful it is to have a job that allows me to work anywhere in the world almost as easily as when I'm home.

With a laptop, my new Asus second full HD monitor that is not any thicker than an iPad, and seemingly ubiquitous fast Internet/WiFi, working on the road is both comfortable, productive and liberating.

Summertime in Walla Walla is hot, in the 90s today, but all of the wineries and tasting rooms make you forget about the ever present sun beating down on your head.  This is a special place, so close to the Oregon border, but with rivers and mountains (mostly high hills for those who live near the Cascades and Olympics around Seattle), you almost forget that most of the land is flat and dry.  Walla Walla is home to their namesake sweet onion, but wineries have taken over.  You can't take a step without coming across another winery's tasting room.

I drove south today to see where the grapes are grown, and the vineyards are impressive.  It seems this has been a good summer and will yield a bumper crop.  The grapes are smaller compared to those we snack on, but they pack a powerful punch in the hands of talented vintners.  Amazingly, I've not tasted a "bad" wine, with whites, rosés and reds all in great form. 

It's a real shame that this part of my trip was marred by the tragic news of the earthquake in Napa that did considerable damage, including the oddity of seeing red wine flowing freely -- sadly down the gutters -- the result of broken barrels that tumbled.  The losses to Napa businesses and families is felt here in Walla Walla, showing that competition doesn't have to trump compassion.




Thursday, July 17, 2014

Physical therapy is hard work made easier with secure online records

One of our earliest customers on Open eSignForms is a physical therapy office run by a woman and her small team of PTs.  She has studied myriad forms of physical therapy and massage, including quite a bit of advanced training in Kauai.  Nothing like a business need to study for three weeks on the garden isle!

One of the biggest pains for PTs is the need for accurate record keeping, especially when needed for audits by insurance companies and other legal proceedings as some of her customers were hurt in accidents that resulted in seeking her care. 

With Open eSignForms, she and her staff are able to record their findings on their Physical Therapy Initial Evaluation form, recording the patient's information, type of injury, current health condition, symptoms, medications and to note how well the patient is able to perform various activities.  They can also create PT Treatment Notes that correspond with insurance billing codes, as well as Progress Notes to record changes in patient's health and functional activities as well as to record impressions and treatment plans. Lastly, they can enter their Discharge Summary Note to track the various activities their patients were seeking treatment for, recording their goal at initial evaluation, and then recording their status at the time of discharge.

With these secure patient records maintained in her own independent system, there is no lost paperwork, access is restricted to authorized personnel, and all records can be reviewed even while traveling on business, or when in Kauai for more training!

Thursday, June 12, 2014

Patents and the small business inventor

Patents are often described as as useful tool for small inventors and businesses to protect their intellectual property.  While not limited to small players, this is true, but only to a point and at a price.

Competitors with patents that may or may not apply to you can sue you over infringement. The cost of defending patent lawsuits is high and time consuming.  In our case, before our own patent application was approved, we were sued for infringement by a competitor who came to market years after us.  Even though it seemed obvious to us that the patent did not apply, the legal language of patent claims were challenging and imprecise.

Patent claims are legal claims, not technical specifications, and the patent itself describes a "preferred embodiment," so many other implementations that differ from the details of the patent, but provide similar functionality, are likely covered under the legal rule called the doctrine of equivalents.  The advice of a neighbor, who is an IP attorney for a large software company, was to settle.  While he said it might be distasteful, defending against infringement claims can be tricky, seemingly fickle, and surely will be expensive.  Winning may by pyrrhic victory at best, or a crippling loss at worst.  The suing company tends to have more time and money than small inventors running small businesses.  We've read of defenses costing $500,000 to $1 million, and can be $100,000 just to reach a settlement.  Our decision, bitter as it was, was to settle after spending what we'd consider two years of our own salary on lawyers and expert witnesses, and spending hours gathering documents and specifications and revenue numbers that had to be turned over during discovery.  Had the suing company offered us the terms we eventually settled on from the start, we'd have negotiated a license long before spending any money on lawyers and going through the hassles of discovery, preparing patent claims responses, etc.  But we were never afforded that courtesy, presumably because they just wanted to put us out of business with a lethal, legal blow.  We survived, but much less money and lots of wasted time and energy.

The cost of acquiring your own patent can be high, and often can take a long time.  The Yozons '079 patent took 6 years before it was awarded and issued.  Legal fees tend to mount as time seems to work to the advantage of lawyers more than inventors.  And you will need lawyers.  Remember that you will need to devote a lot of your own time and energy to acquire your patent as your lawyers will need a lot of information from you so they can understand it in detail.  Also, you'll need to be sure to keep up on the various maintenance fees the patent office requires after issuing your patent, though it's not clear how the USPTO is maintaining anything on your behalf.  It seems that you, the small inventor, are maintaining the patent office instead.

Even after you earn your patent, unexpected expenses and issues can crop up.  In our case, an unknown law firm filed an ex parte reexamination request, challenging the validity of our patent, even though we hadn't ever attempted to enforce our rights on anybody. For a big corporation, this may be business as usual, but for a small business, you will find it takes a lot more time to read other patents and help your lawyers defend your invention, the one you thought you already had and earned when the USPTO granted it.  Of course ever more legal fees will apply.

We were fortunate that our patent is strong, and we survived with all of our legal claims intact, without any modifications.  But we did spend a lot of time and money that could have been better used to run our business and pay salaries.  On a happier note, that big competitor who sued us years before for patent infringement was itself a target of a similar ex parte reexamination from the same firm that challenged ours.  In their case, it didn't turn out well as their patent was gutted, leaving only the final dependent claim that nobody likely infringed (including their own technology!).

But having a patent is not the same as being protected by the patent.  The USPTO won't help you defend what you might assume it asserted when it issued your patent in the first place, that your patent and legal claims are valid. That's left to you to do.

You can, of course, request that competitors and others who make, use or sell your invention acquire a license to your patent, or that they should cease doing whatever it is that infringes.  But that's easier asked than done.  If you are a small inventor, most likely they will simply say they do not infringe.  Some will not even respond at all.  They probably won't give you any details on why they don't infringe, even if you provide details on why you think they do.  They know that your bark is likely worse than your bite because defending your patent means more lawyers, and that means more time and money when you'd likely prefer to run your business to feed your family, pay your workers and serve your customers.

If you have a good idea, getting a patent is probably a wise move.  But remember that you need to expect to spend a lot of your time and your money acquiring, keeping and defending your patent.

Having a patent doesn't mean a thing if you cannot defend it, and most small inventors are up against better funded corporations that will use the legal system to their advantage, to dissuade you from moving forward because you fear you cannot afford the legal costs of securing your rights.  Others will use their patent portfolio against you, suggesting you may infringe any of a number of their patents even though they would never have suggested infringement if you didn't attempt to defend your own against them.

The patent system is flawed and doesn't serve the small inventor as much as you might think, but it really is your best hope in defending yourself from competitors who otherwise will make use of your invention, challenging you to an expensive legal fight.  When you are in a position to be up to that challenge, we wish all small inventors the best of luck.  Yozons is only now in a position to begin to defend its patent with the help of a law firm that believes enough in the strength of our case to partner with us.  Wish us luck!

Sunday, June 8, 2014

Going Postal Prevented: Multi-deployments for an international corporation

The term "going postal" may have bad connotations, but for our S&P 500 customer, the post office has provided a huge opportunity that has spanned many decades and has led to myriad related products, services and software solutions.

Yozons has developed and deployed more than a handful of enterprise web applications for this customer, including divisions in the United States, Canada and Europe.  The web deployments are distinct geographically and by type of web contracting that takes place, mirroring the specialized divisions and needs of this international company.

They also have deployed our patented e-signature software on our managed private web server offering, complete with a warm standby operating in another state, freeing up their internal IT resources.  The private web server gives them the advantage of complete branding using their domain name and SSL certificate, custom secured FTP access to their back-end systems, as well as isolation of their data from our many other customers.  Furthermore, Yozons provides 24x7x365 monitoring and daily encrypted off-site storage of backups.
 
Several of their web applications involve multiple forms in a package, with a multi-step process involving their customers who sign the agreements, as well as outside third-parties who approve and authorize their customers’ applications. Reports keep them current on the status at all times.

Though Yozons generally discourages printing documents, signing and then faxing or mailing them back, a couple of deployments had this requirement as an option.  Regardless, Yozons delivered on time and within budget.  Yozons built into the web contracting process a fax processing step so that returned signed agreements can be uploaded, annotated and stored with the electronic version.  Having this feature ensures all agreement packages signed online and on paper are kept in the single encrypted repository with powerful search capabilities to find their agreements.

Monday, June 2, 2014

Web-based e-signature vendor acquires patent license

Yozons recently signed yet another licensee to the Yozons '079 patent. We expect more to come as vendors realize the reach of our patent's web-based, secure document delivery and optional electronic signature system and method, and support and acknowledge how Yozons has changed the landscape from a user-controlled PKI-based signature model to a lighter-weight server-controlled signature model.

This U.S.-based competitor develops and operates various web and mobile apps, and negotiated a patent license that fits their particular needs and ensures their thousands of daily clients are protected when using their online document signature service.

While the negotiations lasted over a month, we applaud the decision they reached after discussing the details with their attorney.  Because they were quick to understand the depth of our patent and how it applied to their technology, we were able to negotiate favorable terms.  Yozons prefers to have competitors so long as we are compensated for our invention that has created a healthy marketplace for web-based document processing services throughout the United States.

Their e-signatures service is typical of competitors who make use of our patent's teachings:
  1. Documents are stored online in a centralized server.
  2. Documents are transferred between parties securely, typically over HTTPS, in order to effect secure document delivery that ensures the privacy of the business communications.  HTTPS makes use of a traditional PKI in which the browser uses the web server's SSL digital certificate to establish a secure link using the web server's asymmetric public key, and then generates a unique symmetric encryption key that's shared only between the user and the server for the purpose of encrypting the document and related data transferred over that link. But the key is that previously, end-users created and exchanged their own keys, as well as performed their own encryption and digital signatures.
  3. The entire process makes use of a web application, giving them the ability to communicate and e-sign with a myriad of devices connected over the Internet, including PCs, start phones and tablets.
  4. The e-signing ceremony typically involves typing their name, drawing their signature or clicking in the relevant areas to indicate their agreement.
  5. Typical routing of documents is handled using the e-mail address of the parties involved, generally sending a unique ID that links the user to the correct document and party in the online process.  Some users, typically customers of the service, authenticate using traditional username and password, and can initiate transactions, track them, download completed agreements, etc.
  6. Users can add their electronic signatures quickly and easily, without requiring special client-side software, digital certificates, and/or key management.
  7. The server provide an audit trail including IP addresses and timestamps.
A quick overview of the general breadth of the Yozons '079 patent, which has been practiced by Yozons since 2001, can be found in its FIELD OF INVENTION:
In general, the present application relates to computer software, hardware and communication networks, and in particular, to a system and method for securely processing digital documents, including appending digital signatures, without requiring pre-established individual identity verification, digital certificates, end-user cryptography, key management or key exchange.



Tuesday, May 27, 2014

Surprise! Big vendors don't keep your data particularly secure

As Yozons talks with various companies regarding our U.S. Patent No. 7,360,079, we were surprised to learn how many vendors do not treat their customers' data securely.

I suppose after decades of viruses targeting Microsoft products, Adobe PDF exploits -- heck Adobe's products in general -- Target losing 40 million+ of its customers' credit cards numbers and other personal information, it shouldn't really be a surprise.  We just thought that web contracting vendors would be different.  We were wrong.

Some vendors claim they encrypt their customer data and documents using impressive sounding things like 256-bit AES, but if you read the details, you will find they only do so using HTTPS when your data is transferred over the Internet.  Yes, HTTPS is a key starting point and is fundamental to our patent, but once they store your data on disk, all bets are off.

Some do not make any attempt at encrypting your data when stored.  I guess they just take the "trust us" or "what? me worry?" attitude and are exceedingly cavalier with regard to your data.  Laws surrounding health information (HIPAA), financial information (GLB, PCI) and just plain common sense regarding any sensitive business information (NDAs, trade secrets, competitive advantage) should make data encryption the standard for any service provider that deals in web contracting and electronic signatures.  Rather than let their servers do a few extra calculations to keep your data secure, these vendors choose not to.

Others do at least encrypt the data on disk, but if you read carefully, you'll learn many are using what's known as disk encryption and/or filesystem encryption.  That is certainly a step up over those who don't encrypt at all, but such encryption makes the most sense on laptops and other portable electronics.  That's because those portable devices tend to be lost or stolen.  But larger servers in a secure data center generally don't suffer issues with disk theft.

So what's wrong with such disk/filesystem encryption?  Well, disk/filesystem encryption typically is unlocked during the server boot process.  It's also fully automatic, meaning that when a file is read, it is automatically decrypted, and when a file is written, it is automatically encrypted.  If your database stores its tables and indexes on such an encrypted disk, the data is encrypted automatically when stored, but also decrypted automatically when read.

This means that your data is only secure against physical theft of the disks.  If a hacker gets access to the server, every file the hacker reads will automatically be decrypted.  If a hacker exploits an SQL injection or other web site vulnerability, when it requests data from the database, it's all automatically decrypted.  There's no run-time security whatsoever.  Heck, if they implant a virus on the server, such a setup will dutifully encrypt it just like your sensitive data.

Unfortunately, far too much theft occurs from insiders -- think Edward Snowden for a particularly egregious example against an agency that takes encryption and security seriously.  With disk encryption, system administrators can easily view your data just by running queries or reading files.

While Yozons may be small, we're at least smart enough to keep customer data encrypted before storing it to disk or into the database.  The advantage is that database queries and reading files will return only encrypted data.  If the disks are stolen, the data is encrypted.  Backups are automatically encrypted.  The use of disk encryption helps, but only in limited, far less likely scenarios.

When dealing with sensitive information like Yozons does on a daily basis for its hundreds of thousands of users, Yozons practices what it preaches when it comes to privacy.  Customer documents are alway stored encrypted, as is all of the data populated into forms. Some of the data may not need special security, but we also handle a lot of financial information, human resource information, and other sensitive business communications.

As a vendor, we don't keep your private data "in the clear" to save a few computing cycles.  As a customer, you shouldn't have to worry if hackers or system administrators can sift through your data.  Don't be surprised: read the details and ask questions of your vendors.

Sunday, May 4, 2014

Security theater is neither secure, nor entertaining

Bruce Schneier is known for coining the term "security theater" to describe security procedures that "look" like something is being done, when in fact, no actual security is provided.

On a recent trip with my family, we saw this yet again with the TSA agents at the airport.  My wife, son and I all have Nexus IDs issued by the border patrol.  To get such an ID, we had to pass a security background check, had our fingerprints taken, and they did an iris scan (biometrics of the eyes).  The TSA now offers a "TSA Precheck" program for travelers who have such IDs to expedite travel through the security lane at participating airports and airlines.

This program is pretty nice, making air travel nearly as easy as before the 9/11 changes that have done little to improve actual security.  (It's recognized that securing the cockpit doors and general passenger awareness have been the true security improvements despite the billions spent on other things.)  We no longer have to remove our laptops or take off our shoes, and we generally only have to pass through a metal detector.  It is a breeze.

What I didn't realize is that the nonsense about "3 ounce fluid" limits is still in place.  We bought two jars of blueberry preserves from Andersen's in Buellton, California, one for ourselves, and one as a gift.  Since Alaska Airlines charges $25 per checked bag, we skipped this convenience that was once the norm and is still practiced by a few better run airlines.  The TSA agent gave us the option to return to the counter and check our bags, but it wasn't worth $25 to bring two jars of blueberry preserves home in one bag while the other two bags would still have to be carried on lest we pay $75 for them all.

Who even thought preserves were a fluid?  We thought they were fruit.

The TSA confiscated the jars and, knowing that they could very well be a blueberry bomb, tossed them into a plastic bin right behind them.  They are so concerned about the safety of the airplane that they make no effort to secure confiscated items where they work all day and thousands of passengers pass by, proving that there is no actual security concern.  I mean, they even offered that I could check my bags as if a blueberry bomb is secure in the cargo hold, but not in the cabin.

Was the TSA really concerned that blueberry preserves, carried by a family all with their sophisticated IDs, after returning from a weeklong trip to a robotics competition, visiting our 80-year old aunt and uncle, and then visiting friends we've had since the mid-1980s when we worked together at a bank?  Did they make any attempt to think about anything?  Ask us any probing questions about where we got them like Customs would do for international travelers?  The answer to all is "no."

That's security theater.

Ironically enough, while waiting at the gate, Alaska Airlines offered to check our bags for free and give us priority boarding to do so.  All of the passengers that simply paid $25 to check their bag paid too much and never received preferential boarding.  We saved $75 and boarded early.  How's that for a nonsensical policy?

There are other examples of poor security in the name of usability, including "link/URL shortening," those links that Twitter, Google, Bit.ly, Facebook, LinkedIn and others send out that essentially hide the true nature of a link behind a name like "http://t.co/aFKZJ9rTlM".  This makes it much easier for spammers and virus writers to distribute their payloads because you cannot determine the validity of the web site you will be visiting.  This is a "convenience" that only increases the likelihood that more victims will suffer.

Before link shortening, Microsoft did something similar with Windows when it decided to hide file suffixes.  We all learned early on that files that end in .EXE, .COM and .BAT could be run on your PC, and we later learned that .PIF, .ZIP and .PDF were also often dangerous and could be used to carry malicious content.  Then Microsoft decided that helpful information like this was "too long" and started to hide them by default.  So now files like Resume.doc.exe were shown to users as Resume.doc, making a malicious executable appear to be a Word document.  Not showing a few characters may have seemed a good idea, but there are untold numbers of users who suffered because of this security mistake.

We see this also in mobile browsers, both on phones and tablets, where the browser hides the details about links in the location field and just shows the domain name.  Once again, this user interface convenience just allows for hiding details that are useful to those who are security conscious and show some interest in the data being sent in link parameters.

The Firefox browser has taken to showing a warning icon next to secure web sites using HTTPS if they only secure the domain name rather than the company that owns the domain name.  This makes perfectly secure web sites appear to be less than secure, adding no real benefit except to vendors who sell more expensive web site SSL certificates.  The problem is that many web sites are service providers, so trust shouldn't just be placed in the vendor operating the web site, but the customer who is using that service to send you information, take your order, etc.  If you are buying from Vendor A, but they use Provider B's web service, you will see Provider B's domain name and "verified" certificate status, but there's no reason to misplace trust in Vendor B because you may trust Provider A who has been vetted only slightly more.

Sadly, this lack of security understanding goes to many well established e-signature/web-contracting vendors.  It seems that many such vendors, despite their fancy web sites and millions of investor dollars, do not even take the basic security precaution of encrypting your documents and data when stored on their systems.  They proudly proclaim they use 2048-bit encryption, but this only is for the short HTTPS transfer of data over the Internet.  Once stored for a much longer time in their system or database, your data is entirely exposed to system administrators and potentially to hackers who constantly find ways to steal such data through other sloppy coding.  This happens repeatedly, yet such "well known" vendors often do not take the simple precaution of securing your data for you and helping you comply with laws and regulations surrounding securing financial and personal information.

We have also discovered that quite a few e-signature vendors don't even apply digital signatures when you sign.  This seems most unusual since digital signatures are the tech standard for this purpose and long pre-date the vendors who are offering e-signature services.

Trust is misplaced when you realize that your e-signature vendor neither secures your data nor digitally sign the documents when you apply your electronic signature.  Such sloppy security practices only serve to save them a few dollars while putting their entire customer base at risk.

Security theater is neither secure, nor entertaining.

Yozons has the right solution for your enterprise as we understand security, keeping your data secure at all times and applying a digital signature at every step of your online process.

Sunday, April 6, 2014

The EU's "advanced" electronic signature is retrograde

Like the term "Big Brother," the European Union's (EU) "advanced" electronic signature is an oxymoron designed to impress you with self-proclaimed goodness, but is in fact retrograde and certainly not advanced.  Adoption and interoperability remain poor and put too much onus on individuals and trusting unknown entities.

English author George Orwell wrote all about such government Newspeak in his famous novel, 1984.  Committees, governments and big corporations try these FUD tactics (fear, uncertainty and doubt) all the time because they work more often than not.  It's your advantage in life to see through the blather.

Public key infrastructure (PKI)


PKI has been around since the early 1970s, a product of British intelligence.  It's useful in many scenarios, and the world wide web relies on it for the HTTPS protocol, though even that would work well for most without a PKI requirement.

RSA and other PKI vendors have led "Year of PKI" celebrations at least since 1996.  It's been declared "dead" just as many times and such declarations of death are often interwoven with declarations of its grand dominance.  Renowned cryptography expert Bruce Schneier provides good insights in his Ten Risks of PKI: What You're not Being Told about Public Key Infrastructure.

There are numerous reports of stolen digital certificates, stolen private keys, hacked certificate authorities, after-the-fact certificate revocation lists, etc., including a long-lived Windows trojan called ZeuS that now makes use of "stolen" digital certificates assigned to Microsoft.  Of course, a digital certificate is supposed to be public, so stealing one should have little value whatsoever.  I mean, every HTTPS web site gives you it's certificate freely and your browser comes pre-loaded with many "trusted" certificate authorities (if you've never heard of them, how can you trust them?).  But PKI relies on a chain of trust, so it's only as trustworthy as its weakest link, and there are innumerable weak links as recently demonstrated by the ZeuS exploit.

Unlike a certificate, if your private key itself is compromised, all bets are off, which is precisely why it's so odd that some large e-signature vendors put their entire customer base at risk by using a single signing key for every document signed by every person.  One large vendor just uses a salt+message digest of your document instead of a digital signature even though a simple database update of the document with the newly computed message digest would make the so-called "authoritative copy" a fraud.

Bad security remains the norm at loud companies (i.e. big spenders on marketing and freebies) that demonstrably value profits and market share over quality and customer concern.  Say it loudly and often and hope people come to believe it's true.  We continue to read about competitors, even those built on a PKI, that don't even encrypt your private documents containing personal and private information when stored, leaving them open to perusal simply by querying for it.

Despite the reality of PKI issues, vendors, EU committees and international standards bodies (how many of you use their "advanced" OSI model of networking rather than the Internet?) continue to claim that you need a PKI in order to have an "advanced" electronic signature.  If it weren't so real for millions, the best advice would be to ignore it until it goes away.  It's really a shame, too, because the EU has a perfectly good electronic signature law modeled on the U.S. E-Sign Act of 2000.  Some just cannot believe that their technobabble isn't required by law and are trying to trick you into thinking you have to be old school in order to be advanced.  It's not just the EU either: before the U.S. E-Sign Act, very few e-signatures were performed in the United States because state laws also mandated a PKI. 

For e-signatures, PKI just hasn't been workable.  The costs of deployment are high.  Scaling and interoperability are hard.  The issues of trust remain unresolved.  Most computers and networks are notoriously insecure.  Users are often clueless about such details -- and rightly so.  Even so-called secure cards have to be connected to these very computers and networks and be operated by these very users.  (Just watch President Clinton look over the shoulder to see the short PIN entered by Prime Minister Ahern and then exchange their "smart" cards. If leaders of nations can't be trusted to do this correctly, you are right to wonder if any other folks will be better at it.)

Most prefer service providers


Would you consider getting rid of banks because they are too insecure?  I mean, clearly you should keep your money in a safe in your home and transport it using armed couriers all controlled solely by yourself.  Why would you trust an intermediary like a bank to keep your money safe and allow simple transactions by check, ATM, debit card or wire transfer when it doesn't even keep your deposited money in that very bank's vault?

How about credit card companies?  Clearly they are not secure, again allowing money to move easily just by entering some numbers into an online store or providing it to other merchants for payment processing.

The post office, FedEx and UPS certainly cannot be trusted.  You should delivery your packages directly, keeping them in your sole custody to ensure nothing goes amiss until you have handed to your intended recipient.

Obviously, few consider using cash and delivering your own mail and packages to be more "advanced" than banks, credit cards and delivery services.  But some do.

For most, the use of an intermediary with the special skills and technology, system monitoring and forensic capabilities for troubleshooting should problems arise is the most advanced way to go.  We place trust in banks, credit card companies and FedEx not because they prevent all thefts of cash, prevent all fraud and never lose a package, but because they do a very good job, are cost effective, reliable, easy to use, and when things do go wrong, they have mechanisms in place to resolve them.

Advanced web-based electronic signatures


If you want a truly advanced e-signature system, we recommend using a proven technology that puts your privacy and data security ahead of making money and growth at all costs, and certainly ahead of requiring retrograde technology.  Such an e-signature system can remove a rogue user simply by deactivating his/her account to prevent ongoing problems, not punt the issue by putting the bad actor's certificate into a revocation list and hoping you checked it before, during and after every transaction.

Such an e-signature company likely does not give you freebies to induce you to sign up.  Such a company will keep your data encrypted better than you can, while also making it available to you using any of your web-capable devices at any time from any location.  Such a company will use advanced digital signature technologies to ensure documents can be verified as authoritative for the foreseeable future.  Such a company will allow for performing transactions easily and quickly with billions of people across the world.  Such a company will use standards where they make the most sense from a practical perspective to protect your investment and avoid vendor lock-in.  Such a company will not keep its technology proprietary and hidden from review.  Such a company is unlikely to be built by a committee.

Yozons is such a company.

Don't let words fool you.  A truly advanced electronic signature can be had today, and it most certainly does not rely on retrograde PKI.

Friday, April 4, 2014

High volume seasonal hiring made easy, well, easier

For this installment, I'd like to discuss a large merchandising company that does high volume seasonal hiring, mostly to meet the demands of the large retails they service.

During peak hiring, over 500 people on any given day are in some stage of the online hiring process, from initial filling out a job application, to interviewing, through internal approval, store assignment, completing various new employee documents, I-9 and e-Verify, and finally payroll setup.  Much of the rest of the year, volumes are lower as they do maintain an ongoing hiring process year-round.

This company's web-based onboarding package of documents consists of over 25 forms and includes the job application, questionnaire, EEO survey, background check authorization, and various government forms like the W-4, I-9 and state tax withholding forms.

A powerful routing capability was custom developed for their hiring process on top of the Yozons e-signature platform.  Based on the applicant’s geographical location, the package of documents is assigned to an area manager.  The area manager does the initial review and then assigns the package to a specific store manager to determine whether to hire the candidate or not.  Alternatively, the area manager can override the area manager step and simply send the hiring package directly to the applicant.  Once hired, the package of documents is sent to the employee to complete all of the onboarding paperwork.  The package is then routed to the store manager to verify the employee's identity for the Federal Form I-9, and then it's routed to payroll.

With government and legal compliance concerns (i.e. “Failing to comply with Form I-9 requirements” is $110 to $1100 fine per employee -- see http://www.uscis.gov/i-9-central/penalties), this customer’s core requirement is to ensure legal compliance, to decrease the time to process all of the hiring paperwork, as well as the ability to search for onboarding packages from the past and to keep up-to-the-minute status of ongoing new hires.

Yozons rapidly built a custom HR onboarding system using our enterprise web service software.   This customer has been using their system since 2007, and they have yearly requirements to keep their system modern, useful and up-to-date with HR laws and regulations.  With this custom solution they are able to coordinate their hiring with over 100 HR staff spread across a large multi-state region.

Tuesday, April 1, 2014

PKI Digital Signature company acquires patent license

In a prior blog posting about our patent licensee who is in an unrelated marketplace of instant income verification, we discussed much about how patent law works.

Today, we will discuss a "tangentially related" competitor in the marketplace.  In the European Union (EU), so-called "advanced" electronic signature laws tend to favor solutions built on public key infrastructure (PKI), just like myriad antiquated U.S. state laws prior to the U.S. E-Sign Act of 2000.  Adoption of electronic signatures has suffered in the EU because such solutions are harder to deploy, just as they are in the U.S.

The EU has an advantage in that many of its countries are much smaller than the U.S., and they are able to roll out government-based electronic IDs that are built around a PKI.  This more closely mirrors how our states are able to issue driver's licenses, though no state offers an eID.  Of course, the EU still suffers with interoperability across national boundaries and other issues in this regard, but the U.S. is unlikely to adopt a federal eID anytime soon as we've never had a national ID.

Our recent patent licensee is a software vendor in the United Kingdom that offers a PKI-based server platform with a web front end for the purpose of electronically signing documents.

While they make use of a PKI, their web users in particular are able to effect electronic signatures built on digital signatures on the server alone, without the users on their web browsers having to download software, generate/manage encryption keys, exchange keys, etc.  Under that scenario, our patent came into play, and so they purchased a license that covers both their server product and the web-based front-end product that is also operated as a service (SaaS, web site).

With the patent license, the company, its investors and all of its customers are fully protected. That's a smart business decision.

We were able to negotiate a fair one-time royalty on favorable terms to them because they approached Yozons and concluded a license agreement quickly and professionally.   Naturally, royalty rates are higher for those who do not willingly purchase a license, with the highest rate for those who must be sued into compliance.


Monday, March 24, 2014

Instant income verification - a Yozons '079 patent licensee

Some customers of Yozons have never used our technology and services directly, though many thousands have.

Nor have these customers necessarily used us through a reseller.

No, these customers are licensees of the Yozons '079 patent -- U.S. Patent No. 7,360,079 -- and they protect their businesses and investors, and more importantly, protect the interests of their customers by purchasing a license at a fair royalty amount.  We offer two tiers of patent licenses: 1) for those who use our patent in non-competitive markets; and 2) for those who are competitors and have directly built their businesses on top of our intellectual property.  We offer paid-up licenses as well as revenue-based royalties.

A recent example of such a patent licensee is a company in California that offers instant income verification, primarily for mortgage lenders.  Using its own web-based technologies, our licensee is able to review an applicant's tax returns, paystubs and bank statements by getting appropriate authorization online.  This then allows them to provide instant delivery of the applicant's income rather than waiting even one or two days, all with tax confirmation provided directly from the IRS.

Intellectual property laws can be complex, but patent law is pretty straightforward in that those who make use of the teachings of a patent are infringing even if they've never heard of the inventor or the patent before.  As the Yozons '079 patent was filed in 2002, an infringer today could easily have accumulated 12 years of ongoing infringement.

Even if you don't know you are infringing on a patent, you are legally responsible and can face damages if you do not remedy the situation.  If you do know about a patent and are found to infringe, it becomes willful and you become liable for treble damages (3 times the amount) and reimbursement of all legal expenses incurred by the patent owner to bring you into compliance.  Several direct competitors fall into this camp.

More confusing is that even if you are a customer of another product or service, and the vendor who offers it infringes on a patent, you also infringe it.  It is Yozons' belief that millions have infringed our patent using competing technologies as well as unrelated technologies that perform web-based electronic signatures and secure storage in which the keys and encryption are managed by the server rather than the parties themselves as was the industry norm before the '079 patent.

Of course, Yozons does not generally bring legal action against people regarding it's patent, but those who likely do infringe and refuse to purchase a license do set themselves and their customers up for a willful patent infringement lawsuit in federal court. Attempts to defend yourself can be very expensive, often costing $100,000 just to reach a first round settlement.  Most find that if there is sufficient reason to believe you may infringe, it's often dramatically cheaper to acquire a license than to fight it in court. Even if you win the lawsuit, you'll likely have spent considerable money and time on top of being compelled to divulge lots of private information via interrogatories and "requests for production" including software code, design specification, customer lists, revenue models and financial statements going back years.

Smart vendors protect their interests and the interests of their customers by acquiring rights to our '079 patent rather than leave themselves and their customers vulnerable.

Yozons offers a reasonable royalty program that provides a fair price for use of our important patent.  If you think you may infringe, we hope you do the right thing and join our many other patent licensees.




Thursday, March 20, 2014

Home security requires good web security

A large, nationwide, home security firm uses Yozons to securely deliver signed copies of their sales agreements that they otherwise process using their existing CRM and order processing systems.

Of course, they also keep their official, legal copy permanently stored in our encrypted repository as well.

When they started back in early 2006, they were sending out roughly 1,500 agreements per month.  By 2009, they were up to 2,000 per month, and then 2,500 monthly agreements in 2010.  During this time, they were running our web services on their own internal server running in their data center.

By 2013, they were doing 3,500 monthly transactions, with occasional monthly peaks over 4,000, now using a private web server operated by Yozons on their behalf.

All told, Yozons is now managing nearly half a million signed sales agreements on a private web server running our technology branded for their needs.

Their private web server allows them to operate our technology as if were entirely their own, using their domain name and SSL certificate for the web contracting web site, yet still having Yozons perform the 24x7x365 operations, monitoring and maintenance in our data center.  This has relieved their internal IT department from the tasks of managing an additional server so they can focus on their core mission of supporting their in-house applications, PCs and networks.

Sunday, March 16, 2014

If the shoe fits, wear it proudly and with style

There's an old expression that the cobbler's children have no shoes.  There is some truth to the idea that those who work hard producing a product rarely have the time and energy to do similar, but uncompensated, work for themselves.

At Yozons, while it's true that we've built many far more complex systems for our customers than we ever did for ourselves, we are not cobblers, and we've always lived with the contrary motto that we should "eat our own dog food."  And we do, though we think it's way cooler than dog food.

Here at Yozons, we use our technologies in myriad ways:
  1. Our secure document delivery capabilities are used to communicate updates with investors.  On occasions, it's also use to transfer sensitive information that doesn't fit the solutions listed below, including credit card information, SSNs/EINs, etc.
  2. Our main sales agreement and invoice incorporates a 7-step workflow that starts with the sales rep, goes to the order reviewer only if there is custom forms development, is approved by a sales manager, can optionally be approved by a customer reviewer for technical and pricing correctness, is then signed by the customer, countersigned, and finally processed by accounting to reconcile payments by checks or those automatically charged when a credit card payment is used.
  3. We have an online sign-up form that customers can use to purchase directly using a credit card, which is then routed to technical support for installation and then accounting for payment reconciliation.
  4. We use e-Docs to store files and scanned images (such as -- thankfully rarely received -- faxes) in our secure repository.
  5. We have an individual contributors license agreement for those who help provide software code and/or documentation assistance.
  6. A mutual NDA is used when dealing with parties who need private details about our company, and more often, so those parties can divulge private details about their projects and plans with us.
  7. We have a sales agent and reseller agreement for engaging sales representatives and resellers.
  8. A partner developer agreement for those who help build custom solutions for our customers.
  9. A patent license agreement with royalty provisions for those who purchase a license to our U.S. Patent No. 7,360,079.
  10. And finally, a credit card authorization form mostly for those whose credit cards on file need to be updated.
In subsequent postings, we'll describe briefly how our various customers use our technologies, as they seem to handle a wide variety of tasks that differ dramatically from our own cobbler's needs.


Thursday, March 13, 2014

Welcome to Enterprise WebApps

Welcome to our new Enterprise WebApps (web applications) blog that will discuss how secure, scalable, modern business web applications are developed.

Previously, large teams of programmers were needed to develop business applications.  Some very large and sophisticated applications still are produced this way.  But the vast majority of business applications built today are no longer monolithic systems.  Such older systems took too long to develop, tended to be hard to use, cost more than was budgeted, and of course were expensive to operate and maintain over the years.

Also, with the advent of web-based computing, businesses started to reduce the need for such big, centralized systems that are cost prohibitive for many and rarely show a good ROI.  Theses companies understood that employees, partners and customers are often located throughout the world, and being "in corporate headquarters" was becoming a thing of the past.

Many companies now look to acquire point technologies that solve specific needs rather than the all-encompassing super software of yesteryear.  And many of those want web-based solutions, often provided as a service (SaaS), allowing them a lower cost of entry, but also relieving them of the details of software development, maintenance and operations that were overloading internal IT.

Companies like Salesforce.com showed the power of a vertical solution for dealing with CRM.

Yozons Open eSignForms is an enterprise webapp that's both a business transaction execution engine, as well as an application development tool that requires basic HTML expertise, and serves a horizontal market across most industries. Yozons develops point solutions on top for resale, and we also build turnkey solutions for some of our customers, while others build their own systems -- all without traditional software programming expertise needed.

Unlike software of old, though, users of Open eSignForms build their own point solutions that come with enterprise-grade capabilities like scalability, segmentation of users into groups, branding libraries to handle multiple companies/divisions, data encryption, digital signatures for XML and PDFs, HTML documents that render correctly on all devices (PCs, tablets, phones) and don't require special hardware or software to view, electronic signatures for authorization and agreement, and basic workflow to ensure processes run smoothly and no work is lost or misplaced.

We will present the myriad enterprise webapps our customers have built for themselves, as well as those Yozons has built as separate products.  As the underlying customer-branded technology for many large and small companies, Yozons is often the most used, but never heard of, technology company out there.  Our customers are essentially getting a custom solution to meet their needs quickly at the same price as pre-built enterprise software that never quite fits right (and the cost of modifying them is usually prohibitive) and often takes years to implement. 

Nimble businesses simply cannot move that slowly, and there's really no reason to do so.