Category Archives: Uncategorized

The Challenges and Pleasures of Working for a Growing Software Company

My name is Rachel Steger, Office Manager for TrustBearer.  As a newcomer to the world of start-ups and software development last summer, my first six months with TrustBearer have been hugely enlightening.  With a background only in medium to large-sized corporations, I have found that I had a few misconceptions about what my professional life would look like once employed by an early-stage start-up company.  I never realized how non-existent bureaucracy could be within a hugely successful company, or how much of a relief it would be to not have to wear a suit and heels for my first day in the office.

TrustBearer life is about as casual as it gets – which is pretty typical for a small software company, from what I understand.  We all appreciate the flexibility of tracking our own hours and coming to work in shorts in the summer, if we want to.  Work hours are often long, but we all have a good time while we’re here.

The casual environment should not be confused for a slow-paced work day, however, or a lack of professionalism.   Work pours in and we pour it back out.  Projects show up with short deadlines, customers on other continents need immediate attention and assistance, and our office in D.C. keeps us hopping with an ever-growing list of government sales.

As Office Manager, I’ve been tasked with adding structure to this small company as it quickly outgrows its start-up status – as well as just about anything else that needs done (OK, so we’re not quite out of the start-up phase yet).  I would have to say that one of the joys of my job is that there are very few of us who have to come to consensus on how this should be done, which simplifies the process immensely.  The challenge has been to figure out how to grow without killing the great environment that has been built here over the past five years — how to add policies and procedures without completely annihilating the freedoms that we all appreciate on a daily basis.

When I joined the company last year, I didn’t quite anticipate the types of clients that a company of a dozen people would be working with on a daily basis – large enterprise customers and government clients such as SSA, FAA, Air Force, and others, to name a few.  As the smallest company in the smart card/middleware market, it has been exciting to see us build important relationships with large-scale companies, and to understand that even a small company in Fort Wayne, Indiana can make a world-wide impact in the security industry.

2009 was a great year for TrustBearer!  For the first time we have formal, dedicated 24-7 customer support; we helped rollout a healthcare product and obtained an exclusive American Hospital Association (AHA) endorsement; we expanded to a second location in downtown Washington, D.C.; we made an appearance on the GSA schedule; and we forged exciting partnerships with companies from all over the world.  It will be interesting to see what 2010 looks like.

Stay tuned…..

Zittrain on Privacy and Security in the Chrome OS

What happens to  consumers’ privacy and security when the web is their operating system?

In the New York Times this week, Jonathan Zittrain, professor of Internet Law at Harvard Law School, co-director of the stopbadware.org effort, and author of The Future of the Internet— and How to Stop It, offers a forward-looking, non-technical review of the Google Chrome OS, which was officially announced last week.

Many people consider this development to be as sensible and inevitable as the move from answering machines to voicemail. With your stuff in the cloud, it’s not a catastrophe to lose your laptop, any more than losing your glasses would permanently destroy your vision. In addition, as more and more of our information is gathered from and shared with others — through Facebook, MySpace or Twitter — having it all online can make a lot of sense.

The cloud, however, comes with real dangers.

Zittrain's 2008 book about the transformation of PCs to portable, web appliances.

Zittrain's 2008 book about the transformation of PCs to portable, web appliances.

The danger Zittrain foresees is manifold. As he expressed in The Future of the Internet, Zittrain worries that we-as-users will hastily adopt portable, ‘connected’ computers, like Apple’s iPhone, potentially forgoing much of the software and services offered by today’s Internet.

To further facilitate glitch-free operation, devices are built to allow no one but the vendor to change them. Users are also now able to ask for the appliancization of their own PCs, in the process forfeiting the ability to easily install new code themselves. In a development reminiscent of the old days of AOL and CompuServe, it is increasingly possible to use a PC as a mere dumb terminal to access Web sites with interactivity but with little room for tinkering. (“Web 2.0” is a new buzzword that celebrates this migration of applications traditionally found on the PC onto the Internet. Confusingly, the term also refers to the separate phenomenon of increased user-generated content and indices on the Web—such as relying on user-provided tags to label photographs.) New information appliances that are tethered to their makers, including PCs and Web sites refashioned in this mold, are tempting solutions for frustrated consumers and businesses.

But we have to expect that the Chrome OS will a fundamentally open system, allowing user’s to install any software and get pretty much anywhere on the web. The danger then, in Zittrain’s view, with the Chrome OS, is more an issue with the current state internet: The Internet was not designed with privacy and security in mind:

Some [dangers] are in plain view. If you entrust your data to others, they can let you down or outright betray you. For example, if your favorite music is rented or authorized from an online subscription service rather than freely in your custody as a compact disc or an MP3 file on your hard drive, you can lose your music if you fall behind on your payments — or if the vendor goes bankrupt or loses interest in the service. Last week Amazon apparently conveyed a publisher’s change-of-heart to owners of its Kindle e-book reader: some purchasers of Orwell’s “1984” found it removed from their devices, with nothing to show for their purchase other than a refund. (Orwell would be amused.)

Worse, data stored online has less privacy protection both in practice and under the law. A hacker recently guessed the password to the personal e-mail account of a Twitter employee, and was thus able to extract the employee’s Google password. That in turn compromised a trove of Twitter’s corporate documents stored too conveniently in the cloud. Before, the bad guys usually needed to get their hands on people’s computers to see their secrets; in today’s cloud all you need is a password.

Thanks in part to the Patriot Act, the federal government has been able to demand some details of your online activities from service providers — and not to tell you about it. There have been thousands of such requests lodged since the law was passed, and the F.B.I.’s own audits have shown that there can be plenty of overreach — perhaps wholly inadvertent — in requests like these.

Now, Zittrain points out that consumer laws can regulate many of these sort of problems. But he’s arguing the gate-keepers of the net (i.e. Mircrosoft, Amazon, Google), will improve security and privacy for only select applications, leaving the rest of the web in the dust.

TrustBearer Software Gains US Government Approval

The full article is below. This is very important as it means that the TrustBearer software has been approved for use within the U.S. government. It also means that anyone with a PIV or CAC card can leverage it and use the TrustBearer OpenID and SAML service to authenticate to third party applications.

>>>>>>>>

TrustBearer Desktop provides the middleware interface between the PIV compliant card and the applications utilizing the digital certificates stored on the card to perform cryptographic operations for authentication, encryption and signatures. The PIV credentials can be used for network authentication, SSL client authentication, document signatures, email signatures and encryption, virtual private networks and remote access.

“The government has recognized that critical and sensitive data must be protected using secure methods,” says TrustBearer Labs founder and CEO David Corcoran. “Hardware-based PKI authentication is widely known as the strongest form of security available. TrustBearer Labs is proud to have achieved the FIPS 201 validation for our TrustBearer Desktop product, and we look forward to serve the U.S. federal government.”

Unlike other PIV middleware, TrustBearer Desktop enables strong authentication to rich, Web 2.0 Internet applications using the government issued PIV credential through TrustBearer’s OpenID platform. Using OpenID and SAML, TrustBearer provides Single Sign-On support for online applications such as Salesforce.com, the market-leading online customer relationship management service with over 1 million subscribers, and Google Apps, a business productivity and communications platform managed by Google.

“TrustBearer not only provides the middleware to utilize PIV credentials locally on client computers, but also combines the strength of hardware-based PKI authentication with the simplicity and ease-of-use that web users expect with online applications,” says Mr. Corcoran. “This is a tremendous example of how government issued PIV credentials can be leveraged in online applications and improve both security and convenience.”

About HSPD-12 and the Approved Products List: A recent report issued by the White House Office of Management and Budget showed that over 1.5 million out of a total 5.5 million Personal Identity Verification (PIV) compliant cards have been issued in response to HSPD-12. HSPD-12 mandates all government employees and contractors to carry a secure form of identification. The GSA maintains a FIPS 201 evaluation program and provides an Approved Products List (APL) of products meeting the guidelines and technical specifications. The APL governs which products and services may be purchased by government agencies. The full list of approved products available for purchase by US government agencies can be found at http://fips201ep.cio.gov/apl.php.

About TrustBearer OpenID:
TrustBearer OpenID is a federated digital identity web platform. The service provides users with hardware-based, multi-factor authentication to websites that have implemented the OpenID or SAML standards. TrustBearer supports a variety of hardware tokens, including many smart-card based federal identity cards such as the U.S. Government PIV, CAC and TWIC cards. Sign up for a free account at https://openid.trustbearer.com.

January Calendar

On behalf of TrustBearer, we would like to wish you a bright, secure new year.

To keep track of the opening days of the encroaching year, download a copy of our January 2009 desktop calendar.

Select the appropriate version of the wallpaper for your desktop below.

1024 x 768px | 1280 x 800px | 1280 x 960px | 1440 x 900px | 1680 x 1050px | 1920 x 1200px

TrustBearer OpenID selected as HealthVault provider

As a conference last week, it was announced that TrustBearer OpenID will be one of two OpenID providers for the Microsoft HealthVault platform:

TrustBearer Labs’ OpenID service will allow HealthVault users to login securely to their account using multi-factor hardware authentication devices, such as smart cards, biometric readers, or security-enhanced mobile phones. The service uses challenge-response authentication to prevent common phishing and man-in-the-middle attacks, which are a growing concern of online service providers.

“Our objective is to give our customers choice and make their web experience easier, while helping them safeguard their privacy,” said George Scriban, senior product manager, Health Solutions Group, Microsoft. “We’re happy to be working with TrustBearer to give HealthVault users the option of using OpenID with their HealthVault account.”

A full story about the announcment can be found here.

New devices to be supported soon

We have a growing feature list from users of our OpenID by TrustBearer.  If you have a feature you would like to see – send us an email at: info@trustbearer.com  We’re really excited about our TrustBearer platform and how quickly and easily we can support new devices.  We will soon be releasing support for Advanced Card Systems (ACS) cards and tokens as well as a couple of others that we will announce later.  Stay tuned.  

TrustBearer Thwarts Phishing & Man-In-The-Middle Attacks

We designed TrustBearer OpenID to thwart phishing and man-in-the-middle attacks.  We do this through a site verification scheme that occurs in the plugin.  It is done with PKI and also allows the issuer to delegate trust to other third parties.  Ultimately you get the best of all scenarios – simpler usage by reducing passwords, strong user authentication, and reduced phishing and man in the middle.