Discover what is happening at Haventec as we head into a new year, including:
- our recent partnership announcements with AMP Technologies, Alpha Payments Cloud and Fastlane Solutions
- Rob Morrish’s presentation at Tech23
- a lesson on patents from inventor Ric Richardson
- tech insights from our chief architect Vernon Murdoch.
ROB MORRISH AT TECH23
“We’re not paying for trust: we’re earning it,” explained Rob Morrish, CEO of Haventec, in his presentation to technologists, investors and media at the Tech23 2016 event in Sydney, “Celebrating Australian Innovation”, on 11 October 2016.
Haventec won the Tyro Fintech Award during the event.
“Authenticate is a truly password-less system with a set of evolving security keys. It decentralises authentication,” said Morrish. “We believe that decentralising authentication builds trust. And you’re giving people back the rightful ownership of their information and their data privacy.
“Plus, as you’re massively reducing risks, you can save your organisation a lot of pain… and money. And that’s a combination that makes sense commercially.”
PASSWORDS ARE AN ANCIENT CONCEPT
The first logins were set up for MIT’s Computer Time Sharing System in 1960.
Back then, sys admins wanted simple authentication, so they chose username and password.
“Nobody wanted to devote machine resources to this authentication stuff,” explained Professor Fred Schneider of Cornell University’s Computer Science faculty in an interview with Wired magazine in January 2012.
Early sys admins could have used a knowledge-based system like mother’s maiden name, first pet, first school… but Schneider said “that would have required storing a fair bit of information about a person”, while a simple login only needed a few bits or bytes.
The concept of a password had its roots in armies and secret clubs, but as the inventor of the computer password Prof Fernando Corbato of MIT admitted to the Wall Street Journal in May 2014:
“Unfortunately it’s become kind of a nightmare with the World Wide Web. I don’t think anybody can possibly remember all the passwords that are issued or set up. That leaves people with two choices. Either you maintain a crib sheet, a mild no-no, or you use some sort of program as a password manager. Either one is a nuisance.”
Haventec’s Authenticate is a third method that is more secure, easier to manage and does away with the ancient form of authentication altogether.
A PATENTLY GOOD LESSON
Ric Richardson, inventor and co-founder at Haventec, shares the patent lessons gained during his Uniloc days.
Anyone that knows my story usually thinks of the $300 million dollar headline, but I think about the things learned leading up to that. One of those lessons is very counter intuitive. When I first went for the Uniloc 216 patent I was extremely paranoid that someone else, somewhere in the world must have done this before… it just seemed so simple to me… But that’s how most of my inventions are. They are really obvious after the fact.
More than a decade after filing for that patent we were in court proving no one else had done software activation before us. I realised then that the paranoia I had back in 1992 really worked against us.
Not for us.
If you look at the act of filing for a patent, you are actually laying your invention on the line — and very publicly. Inevitably within a few years everyone will know what you are doing, so there is no use in trying to be secretive or obfuscative.
Your patent will stand or it won’t.
In either case it’s to your advantage to go public as soon as patent protection is in place. This way everyone is put on notice that you have claimed a space in your field of technology.
No one can say you lay in wait for other innocent technologists with the aim of making them pay up in court years later. Additionally, if someone has done something like it before, while you may risk looking a bit silly you will not have wasted your time, your effort and money or your investors’ support and funds.
So, for Haventec, we are exploring the idea of provisionally patenting all important new technologies and then pretty much immediately publishing an example of our concept for peer review.
This sounds counter intuitive.
It sounds dangerous.
But the question is: if the patent is being published in another year or two then isn’t it better to go public as soon as you can while still being protected?
We’ll soon publish our technology for cloud-based random number generation.
While it’s not a front page breakthrough, among security and enterprise technologists it may prove to be a very important technology.
Random number generation is the backbone of most security and encryption operations. And currently the only way to reliably provide random numbers is to use expensive customised random number generator hardware.
Going forward, with the blessing of Rob Morrish and Tony Castagna, we will be researching new technology then patenting it, then coding an example of the code and then publishing.
And if the new technology survives some scrutiny from our growing circle of expert supporters we may even release it to the media for review by the general public.
So keep an eye on the media for something about cloud based random number generation. Let’s see if the lessons learned bear fruit.
TECH INSIGHTS: THE POWER OF RANDOM NUMBERS
Vernon Murdoch, Chief Architect, Haventec, explains the power of random numbers for security and fun.
Random numbers generated by software shouldn’t make sense. Whether they’re used in cryptography or to add extra fun to a game, they’re meant to be unsystematic, unpredictable.
Programmers traditionally rely on external sources to generate seeds and salting to make it more difficult to predict the next number in the random sequence.
These unpredictable sources are known as ‘entropy inputs’. As more random data is required these entropy sources become depleted. This then means programmers have to wait until the entropy sources are replenished so they can get the seeds they need.
System entropy is actually a scarce resource on most computers. So to ensure the numbers are less predictable, we use cryptography to generate ‘secure’ random numbers.
If the seed is known, we have problems, because the supposedly random numbers become easier to guess if someone captures the output and analyses it.
On a non-compromised system the secure random stream is much more difficult to guess by just capturing the output.
There are a few major problems with random numbers being generated by computers:
(1) Reliance on system entropy to seed and salt the number generation. Checking for randomness is difficult and there is no way to know if the seed has been compromised (the numbers have become guessable).
(2) System entropy is always going to be a problem if it is just software based. Using hardware number generators can help. Cryptographers have created a secure number generator – Fortuna – which minimises the reliance on system entropy using seed pools and cryptography. Fortuna also has recoverable algorithms built into the randomness generation that stop compromised seeds from polluting the stream and making all future numbers guessable.
(3) Testing a number generator’s output stream for randomness isn’t easy. Ideally you want to check that the random stream is still random and hasn’t become hijacked or entered a state where it is repeating sequences. The industry standard tool is “Dieharder” and is supported in the package management system of all Unix operating systems. This tool gives an indication of how random the data looks but provides no guarantees. The other problem with this tool is it takes a lot of CPU power to run all the tests needed to confirm that a sample of the stream is random. “Dieharder” is used to test random number generators when systems and software are being built but is never used during production random number generation, for obvious reasons.
In comparison a very quick and simple way to look for repeated sequences would be to use a compression tool, like gzip, to check the stream’s compression ratio.
A high compression ratio would indicate the stream is not random. A low compression ratio does not guarantee a random stream but it does give an indication the stream is still random. This requires much less compute time than running a full sequence of “Dieharder” tests.
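The compression-ratio check described above, as an added example that is not Haventec's code. It uses Python's zlib (DEFLATE, the algorithm gzip uses); the sample size, the alert threshold and all sample streams are assumptions constructed for the illustration, including one predictable stream that the check cannot flag.

```python
import hashlib
import os
import zlib

SAMPLE_SIZE = 64 * 1024   # bytes per check; assumption for this example
SUSPECT_RATIO = 1.05      # alert threshold; assumption, tune per deployment

def compression_ratio(sample: bytes) -> float:
    """Input size divided by DEFLATE output size."""
    if not sample:
        raise ValueError("need a non-empty sample")
    return len(sample) / len(zlib.compress(sample, 9))

def looks_non_random(sample: bytes, threshold: float = SUSPECT_RATIO) -> bool:
    """True when the sample compresses well enough to be suspicious."""
    return compression_ratio(sample) > threshold

def constructed_samples() -> dict:
    """Constructed streams: one healthy, three failure modes, one blind spot."""
    seed = b"known-seed"  # constructed value
    return {
        "os.urandom": os.urandom(SAMPLE_SIZE),
        "stuck at one value": b"\x00" * SAMPLE_SIZE,
        "repeating 256-byte cycle": os.urandom(256) * (SAMPLE_SIZE // 256),
        "only 4 random bits per byte": bytes(
            b & 0x0F for b in os.urandom(SAMPLE_SIZE)),
        # Predictable to anyone who knows the seed, yet incompressible:
        # a low ratio says nothing about whether the seed is compromised.
        "hash counter, known seed": b"".join(
            hashlib.sha256(seed + i.to_bytes(8, "big")).digest()
            for i in range(SAMPLE_SIZE // 32)),
    }

def report() -> dict:
    """Compression ratio for each constructed stream."""
    return {name: round(compression_ratio(s), 3)
            for name, s in constructed_samples().items()}

if __name__ == "__main__":
    for name, ratio in report().items():
        flag = "SUSPECT" if ratio > SUSPECT_RATIO else "ok"
        print(f"{name:30s} ratio={ratio:8.3f}  {flag}")
```

The stuck, cycling and biased streams are flagged, while the hash-counter stream passes even though its seed is known, which is the limit the paragraph above states.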
Using all this new knowledge it becomes obvious that we are no longer blocked on waiting for system entropy and are now CPU bound, making the pseudo random number generation a solvable issue through scaling.
AMP SECURES COMMERCIAL REAL ESTATE WITH AUTHENTICATE
Haventec entered an agreement with US-based commercial real estate management technology provider AMP Technologies in October 2016.
AMP has licensed Haventec’s password-less Authenticate as a premium product for clients on its platform.
Haventec’s robust user authentication and network security technologies will help businesses protect their corporate assets online, whether they’re accessing them via ubiquitous mobile and cloud or on a corporate network.
“We’re focused on making secure transactions easier and safer for everyday people and the organizations that serve them,” said Rob Morrish, CEO, Haventec. “Our partnership with AMP allows us to now serve the Commercial Real Estate industry just as we serve other key industry segments, with the highest dedication to building a network of trust by using the most advanced capabilities available.”
“The Commercial Real Estate community has the opportunity to harness the power of intelligent security from Haventec, who is internationally recognized as a leader and industry game changer,” noted Neel Naicker, Co-Founder and CEO, AMP Technologies. “Integration between AMP and Haventec will predict and prevent future risk for our Users and Partner Network, quickly identifying and eliminating network breaches that could potentially harm an organization and its customers.
“This partnership introduces a new way of managing real estate assets at all levels, in a safe and protected environment, across all devices and from anywhere in the world.”
AMP Technologies’ platform was built to simplify asset management across the commercial real estate sector, while reducing running costs and increasing revenue.
It offers a smart collection of digital tools for managers at every level including business intelligence, valuations, debt management, leasing, social and asset management all designed to deliver real time information to support effective analysis and decision making.
ALPHA PAYMENTS CLOUD INTRODUCES HAVENTEC TO ITS COMMERCE CLIENTS
Alpha Payments Cloud, a global payments integration solution provider with offices in Singapore, Ireland and the United States will serve as Haventec’s preferred integration partner for Authenticate and Sanctum.
Alpha Payments Cloud delivers highly secure payment and authentication solutions for international banks, payment service providers and merchants through the AlphaHub platform.
Timmy Alassad, Head of Business Australia at Alpha Payments Cloud, said the firm is delighted to partner with Haventec, noting that the young Australian business is revolutionising online security and network trust:
“Trust is a major differentiator between one company and the next, but it can’t simply be bought,” said Timmy. “You gain trust by consistently proving your integrity and reliability in each interaction with your customers.”
“Trust is an essential component of modern commercial relationships – and protecting sensitive user data is paramount in creating and maintaining that trust,” added Robert Morrish, CEO of Haventec. “Every data security risk you can remove can help build up a customer’s confidence in doing business with you.”
AlphaHub’s single ecosystem seamlessly connects each stakeholder through a single interface:
- Payment Providers use AlphaHub to promote and provision their solutions;
- Banks and other Financial Institutions use AlphaHub to access and sell these solutions; and
- Merchants access it to use and customise the most relevant solutions for their locations and customer bases.
HAVENTEC PRODUCTS IN THE FASTLANE FOR RESILIENCE
Fastlane Solutions, a Sydney-based professional services company that provides rapid delivery capabilities to its clients has been testing the resilience of Haventec’s products prior to release.
“Haventec appointed Fastlane as an Integration Partner of its portfolio of products at the Tech23 Australian Innovation Forum,” explained Egor Cole, founder and principal consultant at Fastlane.
Cole noted that Fastlane’s mission is to take organisations from good to enterprises capable of continuous delivery and improvement beyond expectations using its seamless agile solutions.
“Our core expertise is in enabling smarter enterprises through continuous integration, agility and delivery,” added Den Burykin, Director of Fastlane Solutions. “Fastlane Solutions tailored its Continuous Integration and Continuous Delivery framework and used it to automate performance testing and benchmark the resilience of Haventec products.”
Fastlane Solutions worked extensively with Haventec’s in-house development team to ensure Authenticate product performance, resilience and scalability.
“After an extremely successful marketing campaign, our team designed and implemented a suite of automated load tests,” said Cole. “These tests simulated real users’ behaviour in various realistic scenarios, such as:
- ‘normal use’,
- ‘peak use’ and
- ‘system overload’.
This enabled Haventec’s team to optimise the Authenticate solution to scale up to potentially hundreds of millions of users.”
Fastlane takes a lean approach to project management, which Burykin explained empowers enterprise level performance and efficiency:
“Our uniquely developed framework of integrated Agile and automation systems then provides rapid delivery across any technological landscape,” Burykin said. “The rollout of the framework was delivered in the shortest timeframes to the highest expectations of the customer.
“We are extremely proud to be involved in the new success story in the Australian startup world that is making a real difference and redefining the landscape of digital security and identity/authentication management.”