Secure Endpoints, Secure Network at NYU-Poly THREADS Conference

Thank you very much to the NYU-Poly THREADS conference organizers for hosting the DARPA Cyber Fast Track presentations yesterday. It was an honor to be among the CFT awardees, and an honor to be on the THREADS list. If you missed my presentation and/or want to review the slide deck, it’s below. Secure Endpoints, Secure […]

Usability and threat modeling: two sides of the same coin

Usability versus security is one of the classic tradeoffs in software design: it’s rarely possible to optimize both. But just like a fader on a mixing board, there’s an ideal balance. You just have to take the time to listen and find it. Want to learn more about how to dial in the usability and […]

Protect your data and keep the money flowing

I’ve written before about the importance of protecting data on the move in scenarios such as a traveling executive. Imagine the potential damage to reputation and future revenue if a laptop is left in the back of a taxi, and the hard drive is filled with acquisition plans, product source code, emails to the board […]

Building Plug-ins for Network Access Protection

The sample source code download link at the beginning of this MSDN article, Building Plug-ins for Network Access Protection, unfortunately became broken at some point along the way. You can find the source code here: Registry SHV/SHV reference code for NAP. Disclaimer: that code is not being maintained and has not been updated since the […]

Learning to trust machines, if only briefly

It’s easy to forget that, when we talk about authenticating users on the internet, the two ends of the connection are rarely humans. Instead, it’s one computer talking to another. And while your bank may trust its own servers, why should it trust that the user’s laptop is operating correctly on the user’s behalf? After […]

Strong Authentication Using Your Mobile Phone

Google has been doing it for years, and now companies ranging from 37 Signals to Microsoft are incorporating it into their cloud-hosted services: phone-based user authentication. Static passwords – the kind everybody uses to check their email, log into Facebook, etc. – are the weak link in online account security, and replacing them with […]

Using NSA Tradecraft to Protect Data on Mobile Devices

Congratulations to our fellow members at the Trusted Computing Group for a successful Trusted Computing Conference this week in Orlando. I presented Using NSA Tradecraft to Protect Data on Mobile Devices, and I understand from the conference organizers that the video recording and slides will be posted. Hope to see you next year, same time, […]

Check out the new “service capsules” design for

We’ve redesigned the JW Secure home page to focus on our four primary consulting practice areas: Application & Infrastructure Security; Systems Engineering & Development; Data Protection; and Network Access & Identity. The service capsules on the new page are the four boxes below the main hero. The new design has more vertical elements than the old […]

Secure Time-Bound Data Protection Keys

The TPM 2.0 security chip on most recent mobile devices supports measurement-bound cryptographic keys. Despite the fact that effective data loss prevention (DLP) and digital rights management (DRM) depend on a hardware root of trust, and on the issuance of limited user credentials and content licenses, this feature of the TPM remains relatively untapped. We […]

Trusted Tamperproof Time on Mobile Devices

Data loss prevention (DLP) and digital rights management (DRM) scenarios require a hardware root of trust and a secure time source in order to be effective. Otherwise, DLP and DRM solutions are easily circumvented, and the data they protect are readily compromised. Until recently, such assurance has been prohibitively expensive to achieve on consumer-class hardware. […]