Filed under CPR, Certichron by Todd Glassey on August 13, 2010 at 9:29 am
no comments
SecureNTP DES for Cities™ and the vLEO™ Evaluation Program
As a part of Certichron’s new vLEO working group efforts, Certichron is pleased to announce the availability of DES for a 90-day trial period for Cities using secure time services as a new evidence anchor for Law Enforcement and City Operations services.
SecureNTP for Cities program
SecureNTP for Cities provides City IT Operations with a secure source of time which is provable, to the point of court admissibility. With this service a City Manager working to produce a court-admissible evidence workflow will have the time-base trust anchor needed to prove the synchronization of the local time service as well as of any servers for which peering was set up.
SecureNTP with DES
Additionally, DES offers the City Manager the ability to create their own Digital Evidence Policy, and an IT Practice for its creation, in the form of NTP-based content timestamps. Most IT people are unaware that NTP has two optional payloads which can carry additional hashes, and that those hashes can be used to represent events in time. Certichron’s SecureNTP DES does exactly this and allows for time-stamping and archival storage through the Peering Program component of SecureNTP.
DES provides its adopters an unprecedented Audit and Evidence Practice Enablement
This capability allows a City Manager and IT Director to provide a time-stamping practice which can be used like a cash register receipt, only one which can contain any number of event or practice types. The service is an audit designer’s dream because it creates third-party timestamps which are provably derived from the NIST (UTC) time standard itself. No other time management and evidence creation/management process offers this level of capability.
DES for Cities is a new program to implement new digital evidence practices atop existing and emerging city-operations workflows. This key practice adds supporting value to existing workflows and can be used as the basis of a virtual Law Enforcement Operations (vLEO) system.
vLEO and Law Enforcement or Court Practices
vLEO uses Certichron’s patent-applied-for OpenTDI and Ceremonies in Software™ process, which allows for the virtualization of a Law Enforcement Officer’s commission through the NCCSL eNotary provisions now on the books in all fifty states. If your Camera System or Red-Light Service is down now, this vLEO service may be just what you need. Call Certichron at 800-511-2301 or email us at Sales@Certichron.COM.
Filed under Digital Evidence, Khaled by Todd Glassey on August 8, 2010 at 10:18 am
Filed under Certichron, Digital Evidence by Todd Glassey on July 23, 2010 at 10:54 am
Police and Sheriff’s Departments have a new hurdle to leap, and that is in meeting the new constraints Khaled placed against their existing evidence capture and management practices.
To make it possible for Law Enforcement (LE) to protect our culture, and to deal with the rising costs of ensuring that security, Law Enforcement processes are turning to outsourced or remotely operated surveillance systems. These depend on virtualization of internal LE functions and of many field-based LE Data Capture Operations which would ultimately lead to some form of prosecution and settlement fine.
Traditional Evidence has been first-person in form
Traditionally in these matters, any citations issued through those processes would generally need to be issued by the Police Officer or Sheriff’s Deputy who was operating that system under the commission of their office as a law enforcement officer. Some States actually have laws limiting the issuance of citations to the office of a commissioned Law Enforcement Officer, which complicates many surveillance and automated traffic management practices.
Certichron’s “Ceremonies in Software” allows for the virtualization of Law Enforcement Functionality
Certichron’s Virtualized Law Enforcement Officer, a Ceremonies in Software practice based on already-approved eNotary practice, addresses this requirement fully, meaning that with Certichron’s system existing Law Enforcement Agencies are ‘good-to-go’ to restart their traffic enforcement practices immediately.
The use of the Notary statutes amplifying the Law Enforcement commission creates a new and powerful electronic signing resource, with the integrated $15,000 bond that all notarized signings carry. This system fully meets California and other State requirements, since these states have already ratified the specific portions of the Notary Practices Acts as UCC, making the Certichron model already approved for rollout across all 50 states.
In fact with proper implementation of a new evidence-capture mindset, many if not all existing systems can be brought into alignment with the new control requirements to maintain their admissibility into US and California Courts.
The Virtualized LEO
The virtualized LEO allows for Intentional Evidence from each stage of each process to be created under the commission of the officer attesting to the issuance of the citations. The capture of the data can be certified by adding a hashing timestamp for each event. The reporting or containment receipt can be properly acknowledged with a timestamp request showing each component movement of evidence content, and when that content is ephemeral in form this is the only way to properly document controlled management of that data.
With this system any existing system can have transparency and the certifying process added by the LEO signing into the Session Manager and attesting that they are applying their commission as a LEO to that operating session. The practice can also be applied to today’s Camera Operations Models for any and all systems (RedFlex, Lockheed, or ATS operated in form). For all of these control practices the Certichron DES infrastructure allows the creation and application of the human commission, in a virtual sense, to these existing systems.
For more information on our services and technologies, please email Certichron with your requirements or contact the sales office directly at 800-511-2301 (9-5 PST). Certichron, Inc. © 2009, 2010
Filed under Certichron, Gaming by Todd Glassey on July 17, 2010 at 1:33 pm
The Khaled ruling has unique impact on Orange County businesses and campus-security operations for commercial, medical and educational center operators.
The issues with the creation and management of trustworthy surveillance data are now directly an issue before Orange County courts, meaning that to reduce risk, operating groups need to create reliable evidence of their actions.
Most processes which include only two parties are inherently weak compared to those with a trusted third party. Now there is a real requirement to establish the trustworthiness of digital evidence in all systems capturing or containing it, as part of the Risk Mitigation Model that allows those entities to obtain insurance for their operations.
Certichron’s SecureNTP and the DES timestamping technology are exactly what the doctor ordered, in that they allow a law enforcement or civic operator to provide court-admissible evidence. Adding DES with its SecureNTP completely meets the existing requirements and, when coupled with our Ceremonies in Software service model, can set up a notarial control service on Red-Light Camera and other systems designed to automate law enforcement activities.
Filed under Digital Evidence, GPS by Todd Glassey on July 16, 2010 at 5:53 pm
For those following this matter, the filing of the petition for the amendment of the California Utility Code to reflect the digital evidence requirements is in. The docket number is P1007015 and we invite any and all responses.
The vision behind this effort is to bring evidence-competence to the California Utility Grid as a part of Critical Infrastructure Protection efforts in the State of California.
Orange County
While this ruling is initially specific to the County of Orange and its Appellate Court District, it also impacts any electronic messaging or energy controls which flow through this area as electronic media of any form.
Khaled, as a standard for the collection of surveillance data of any form, now creates a level of competence for any and all data used in surveillance or controlling systems which would come to be used as part of a Court process, whether Civil or Criminal in nature. Khaled then has wide-sweeping impact in that all systems and processes, including contract disputes and other civil matters which the Superior Court would come to resolve, or which would be tried in Superior Courts as part of a State-led prosecution in any matter or a locally led prosecution in any matter, must also meet this new “trustworthiness” standard.
The “I Said So” Evidence Model
The days when it was just blindly accepted that the systems worked as the man in the White Coat said they do are over. Proof, and reliable proof, is now needed for all digital capture systems or data control models which the courts will accept as factual, or at least reviewable and authenticated to one level or another. Without this, data is just that: unsupported and unprovable data.
It is Certichron’s intention to foster a better understanding of the need for forensic controls in all systems which are intended to create what we call “Intentional Evidence”, that is, pre-approved court-admissible content. The California Power Grid is the most granular place to enforce that and is the basis of a model which touches us all; as such it is a very important part of upgrading the US and California Utility Grid infrastructure.
The Certichron CPUC filing can be seen at
Filed under CTO's Blog, Hotel Surveillance by Todd Glassey on July 16, 2010 at 5:23 pm
California’s Orange County sets formal standard for court admissibility of digital surveillance data.
The term “trustworthy” was used in numerous barbs in the ruling, which establishes a legal-compliance hurdle for any commercial entities doing business in the Orange County area including, as it happens, any and all control processes used in administering them, since “surveillance data” is in fact just the output of a set of processes which are accorded specific status in the real world.
So what does this mean for systems or entities delivering electronic services of any type to Orange County Entities? Since they are required to produce evidence models compliant to levels which meet the Khaled standard, any services which they purchase, use, resell, or produce in Orange County must meet those levels.
This then means any and all Energy, Water or other utilities, or for that matter any operating data which produces reports on what other systems or controls are doing, including surveillance data (digital video) and integrated electronic surveillance (systems which watch other systems or process flows), are controlled by Khaled.
For the rest of the State of California, it means Khaled is now the interoperability goal for other counties. The ruling is also driving other States to turn off their Red-Light Camera systems (15 of them to date) so it is an important one.
Our analysis
Certichron believes that control and certified surveillance systems which add the legally defined minimums must be available everywhere. To enable this successful deployment of secure time as a trust anchor for regulatory-mandated evidence trustworthiness, Certichron’s regional service centers provide access to the NIST time sources as the evidence source for all forensic controls contemplated for in-place operations.
Adding secure time-stamping to existing processes provides all the required evidence-readiness and Certichron’s vision is a unified evidence model everywhere, one which allows mechanical review of its integrity and events.
Stay tuned for more information on Khaled and its applicability in most of SoCalEdison’s area of the County of Orange.
Filed under Certichron, Hotel Surveillance by Todd Glassey on July 9, 2010 at 7:08 pm
Certichron and Relify Security announce the availability of Certichron’s SecureNTP services to Relify Security customers.
Certichron announces its partnership with Relify Security. Relify is a well established provider of commercial consulting and security review services for banking, credit union and other PCI-DSS type clients as well as other Financial Providers.
To quote Relify Security’s managing partner:
“Relify Security has recently launched a partnership to deliver what Relify believes is a pretty unique and needed service. It addresses a problem that we often don’t think about… Where do you get your time?”…
“Today the global evidence requirements create new levels of provable integrity that must be demonstrated continuously to meet today’s compliance requirements. For example, one of the primary goals of PCI DSS 10.4 is to ensure a strong and reliable evidence model that can be used to prove the timing of transactions. In most instances log management or SIEM vendors will not tell you if the time on your critical devices is out of sync. Even though every record they process has a time stamp, they do not analyze this data to identify anomalies, because most of the detailed time stamps are unreliable or inconsistent.”
“However, accuracy is not the only attribute you should be concerned with when it comes to time, especially in the commercial context. Time needs to be reliable and always available. Your time source is like any other third party that provides critical services to your organization. Time distributed over NTP without other controls is not provable and is subject to any number of attacks that make it impossible to rely on NTP as a control resource.”
Relify Security has partnered with Certichron to deliver SecureNTP Time cloud services. SecureNTP is a NIST(UTC) service provided from Certichron and Relify Security operations centers as a Trusted Digital Intermediary. The SecureNTP’s delivery service is based on a fully integrated suite of NTP, logging, packet filtration and log-event validation services, and the related system and network integrity tools needed to create a complete evidence model in the sourcing, transfer and tracking of time.
“SecureNTP provides one time source for all uses: What this means is that there is one time source for everything finally — from Building, Power, Security, IT Operations and at last uniform evidence across the entire entity. In most cases SecureNTP requires no installation of hardware or software, since your business is likely already running the NTP protocol. Once you have registered with Certichron, it only takes a few minor configuration changes and installation of the digital key, along with setting up audit logging and key management practices.”
Mike Pearson, CISSP
Managing Partner
For more information contact Relify Security, LLC
O/F: 866.897.6900
M: 813.523.0151
www.relifysecurity.com
Reliable and Verifiable Advanced Security Solutions
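The per-device clock check that the quoted text says log management and SIEM products usually skip, written out as an added example (not Relify’s or Certichron’s code): each constructed record carries the collector’s receipt time and the device’s own timestamp, and the script flags devices outside a tolerance or whose clock stepped backwards. The record layout and the 5-second tolerance are assumptions made for the example.

```python
"""Flag devices whose clocks disagree with a synchronized log collector.

Each constructed record carries two timestamps: the collector's receipt time
(authoritative, assumed NTP-synchronized) and the time the device wrote into
its own message. Comparing them per device exposes out-of-sync clocks and
clocks that stepped backwards, the checks the quoted text says SIEMs skip.
"""
from datetime import datetime, timezone

# Constructed sample records: "<received_utc> <host> <device_utc> <message>"
SAMPLE_LOG = """\
2010-07-09T19:00:00Z fw-01 2010-07-09T19:00:00Z accept tcp 10.0.0.5:443
2010-07-09T19:00:05Z pos-12 2010-07-09T18:52:05Z txn id=4711 approved
2010-07-09T19:00:06Z fw-01 2010-07-09T19:00:06Z deny tcp 10.0.0.9:22
2010-07-09T19:00:10Z pos-12 2010-07-09T18:52:10Z txn id=4712 approved
2010-07-09T19:00:12Z db-02 2010-07-09T19:00:11Z login user=svc_batch
2010-07-09T19:00:20Z db-02 2010-07-09T18:59:40Z login user=svc_batch
"""

MAX_SKEW_SECONDS = 5.0  # tolerance chosen for this example, not a PCI DSS figure


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp like 2010-07-09T19:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Split one record into (received, host, device_time, message)."""
    received, host, device_ts, message = line.split(" ", 3)
    return parse_ts(received), host, parse_ts(device_ts), message


def analyze(log_text, max_skew=MAX_SKEW_SECONDS):
    """Per-host clock health: largest |received - device| skew in seconds,
    whether that exceeds max_skew, and how often the device clock went backwards."""
    findings = {}
    last_seen = {}  # host -> previous device timestamp, to detect backward steps
    for line in log_text.splitlines():
        if not line.strip():
            continue
        received, host, device_ts, _ = parse_line(line)
        skew = abs((received - device_ts).total_seconds())
        rec = findings.setdefault(
            host, {"max_skew": 0.0, "out_of_sync": False, "backwards_steps": 0})
        rec["max_skew"] = max(rec["max_skew"], skew)
        if skew > max_skew:
            rec["out_of_sync"] = True
        prev = last_seen.get(host)
        if prev is not None and device_ts < prev:
            rec["backwards_steps"] += 1  # a clock that stepped back breaks event ordering
        last_seen[host] = device_ts
    return findings


def flagged_hosts(findings):
    """Hosts whose timestamps should not be trusted as evidence without review."""
    return sorted(h for h, r in findings.items()
                  if r["out_of_sync"] or r["backwards_steps"])


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for host in flagged_hosts(results):
        print(host, results[host])
```

In the sample, pos-12 runs eight minutes slow and db-02 jumps backwards mid-stream, so both are flagged while fw-01 passes.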
Filed under CTO's Blog, Certichron by Todd Glassey on June 21, 2010 at 8:28 am
For those of you not aware, there was a very important ruling out of the Orange County Appellate Court called California v. Khaled which set new evidence standards for “Unattended evidence collection devices and systems” in use as to what is admissible before California Courts.
While the core focus of this would be speed-trap type cameras, this also clearly applies to “any and all devices which would collect evidence which would be used in a criminal or civil prosecution”, which means SmartGrid too. Yes, that’s right: since a power meter is used to produce evidence before the Public Utilities Commission or the California Courts, it means the SmartGrid, and in particular the meters, are themselves covered as Evidence Collection Devices too.
Certichron serves CPUC notice of Khaled Ruling
To help support the immediate adoption of this same ruling in California Utility Law, Certichron served the California PUC formal (electronic) notice that this precedent pertains to “any and all systems used in energy or utility operation, delivery of service, or through which a service controlled under the PUC’s charters, were directly controlled under this same precedent because they produce content-records which are used in reconciliation of financial matters which are formally regulated at the State and Federal level, and for which that content would come to be admitted as evidence formally before an Arbitration, Mediation in civil matters, or Court proceeding in both civil and criminal matters pertaining to the operations of those publicly regulated services”.
The effect of this filing
What this posting to the CPUC does today is support a formal motion to the Administrative Law Judges of the California PUC that any and all SmartGrid operations must meet minimum Digital Evidence standards for their operation and have public structure/architecture models per sections 10.3 and 10.4 of the PUC service code.
This formal motion was filed last Wednesday, and the posting this AM served as a supporting brief and Memorandum of Points and Authorities filing as a supplement to the original motion. It also gave notice that one of the core technologies being used to create this evidence today, the unauthenticated L1 GPS service, is easily spoofed and jammed, and that as such it fails the evidentiary tests now mandated by Khaled.
See this related post for more information.
Why?
The intent is to set a stake in the ground for the basic level of competence that any evidence should meet to be considered ‘provable’ and admissible in State and Federal Courts. The Federal Courts have rulings like Lorraine v. Markel to support real-world controls under the Federal Rules of Evidence, but after the fiasco of the oversight in the San Francisco DA’s Forensic Laboratory, any device producing testimony which is used to prosecute anything, whether civil or criminal, must meet a minimum standard of competence or be relegated to hearsay and inadmissible.
The implications have broad-reaching impact on all regulated communications, utilities, and media-delivery rules as well, so it will be interesting to see how the courts react to these mandates and motions to create responsible evidence rules.
Filed under Frequently Asked Questions, Gaming by Todd Glassey on January 24, 2010 at 9:38 am
Q: The staged or delayed deployment practice model enumerated in the PCI DSS Prioritized Approach implies I can put 10.4 compliance off until later in the compliance practice — is that true?
A: This is a really good question. From my perspective I understand the intent in the Prioritized Approach’s language in making it easier for smaller Merchants and lower-volume entities to comply, but I think there are other underlying issues which make it imperative to address time management in the security model, and control/default service/password changes in the configuration report process of Requirements 1 and 2. Let me explain this logic: the Payment Industry Council (www.pcissc.org) only controls the use of the PCI DSS standard within the Payment Industry. That use of the PCI DSS is contractually controlled by the CARD Brands themselves as partners and founding members of the PCI SSC. Any use of the PCI DSS standard outside of that narrow contractual use would then be constrained by whatever other constraints control that other model.
PCI DSS is a standard; the Prioritized Deployment Approach is a Consortia Opinion, and the two are separate
The same technical standard is now referenced under Law in several States in the US, most prominently Nevada. That functionally makes the Payment Council’s ability to allow parties to meet only parts of the Data Security Standard (now a part of Law and Practice therein) moot, since those same parties must meet all of the DSS, and that obligation is based in Privacy Law and not in the contractual controls of the Payment Council’s member credit/payment card brands.
It’s not true!
Before arguing this isn’t true, let’s walk the walk. Take the perspective that the PCI SSC is an industry consortia and not a Legislative Body, so the first thing to do is to perfect the question so we can come to a real answer.
Perfecting the right question
The real question to answer here is: “are there any legislative or regulatory requirements codified in Law or practice which would make me implement the Time Management Solution portion of the PCI DSS (section 10.4) immediately, rather than in the second or third year as the Prioritized Approach guide implies?” In my opinion there is an answer, and it’s YES.
Operating in a manner which ensures (and insures) Court Admissibility of Digital Data.
My assertion is that compliance with the PCI DSS is not the core compliance issue here, because you have to operate legally. Because of this you cannot wait until the third year to implement a practice which ensures court admissibility of your data records: you have a legal obligation, which extends beyond the PCI DSS requirements, to ensure your records are court admissible.
Follow the logic: because this is above and beyond what the PCI DSS requirements may put in place, while the PCI compliance process may defer proper time management, you cannot, because you must always operate your business or digital transaction systems in a manner which makes them provably controlled under the local or specific Jurisdiction’s requirements. No contract with any other party (including the CARD Brand Provider you do business with) can eliminate that need, nor can the PCI DSS requirements.
Nevada Compliance tops it all
Likewise, if those records contain Nevada State Resident Personally Identifiable Information then they would also need to comply with the controls of the PCI DSS, and that also cannot be delayed. Nevada State Privacy requirements mandate the use of the PCI DSS process control technology, and more importantly not its recommended low-effort roll-out timeline for easy merchant acceptance; it is important to understand the immediate implication of this. I am not a lawyer and you should get real good legal advice on this, but I am betting that the Payment Council cannot absolve you of any legal responsibilities to implement controls for keeping privacy-impacted information as well as your financial controls. The PCI SSC lost control of how the DSS controls are rolled out when they allowed the State of Nevada to write them into law, meaning that the State of Nevada pushed the roll-out as a national standard therein.
Now everyone with online services or national operations which may include Nevada State protected information must immediately meet those Nevada State legal requirements to ensure their data is both secure and Court Admissible. Those issues are now defined before higher tribunals than an Industry Consortia like the PCI SSC. The real question is how you comply. I suggest you send email to EvidenceNow@certichron.com and Certichron will send you back a package on making your infrastructure evidence-ready in today’s newly emerged digital integrity world.
Filed under CTO's Blog, Gaming by Todd Glassey on January 13, 2010 at 9:17 pm
NGC Regulations say Gambling Systems need secured time services
In today’s gambling terminals and area controllers the time management services need special attention. Linux and other systems which run NTP natively are more easily configured, but many of them only run SNTP, meaning that they are not capable of reasonable-strength authentication in their time-setting process, and as such the evidence value of the time-setting event is questionable.
In infrastructure where distributed or group gaming practices are run, this has direct implications, especially in instance- or reaction-based games where ‘when’ an event happens is measured in an instant locally and generally transferred into a multi-event scheduler which is the core of the multi-terminal gaming system. There are of course many variants, but the goal and the real win is in unifying the evidence model such that real automated inline controls are effective.
The following are examples of the language (comments are in italics):
Regulations:
http://gaming.nv.gov/stats_regs/all_regs.pdf
Operation of Gaming Establishments 5.108.2.(f) At the request of the chairman, an operator shall provide and maintain, at its sole expense and at such location as the chairman may designate, a terminal and printer for the purpose of monitoring information regarding the system including, but not limited to, the current progressive payoff schedules, reset funds, the real-time date and time, the number and location of gaming devices and games connected to the system, the names of persons accessing the main computer or data communication components of the system, the identification of functions being performed by such persons, the audible notification of any progressive payoff schedule won, and the identification of the location, machine number, and amount of any progressive payoff schedule won.
5.200.3.(b) Establish a log that contains the name of each salon patron of the gaming salon, as well as the times each salon patron enters and leaves the gaming salon. The log shall be maintained for a period of not less than two years.
Surveillance Standards 2.010.7. The surveillance system must include date and time generators which possess the capability to display the date and time of recorded events on video tape recordings. The displayed date and time must not significantly obstruct the recorded view.
Digital Video Recording Standards: 5. All digital video disks or other storage media produced from the DVR system must contain the data with the time and date it was recorded superimposed, the media player that has the software necessary to view the DVR images, as well as a video verification encryption code (also known as a watermark).
Technical Standards for Gaming Devices and On-Line Slot Systems: 1.050.2.(b) For the system portion of the system supported game, gambling event server or system component must reside in a secure area where access is limited to authorized personnel. Logical access to the system supported game shall be logged on the server component and remotely on a logging device which resides outside the secure area and is not accessible to the individual accessing the secure area. Logged data shall include: time and date of the access and the identification of the accessing individual(s). The resulting logs shall be retained for a minimum of 90 days.
1.066.5. A system supported or system based game must log each remote access on the server or system part of the gaming device and on the secondary logging device. The log must include time and date of the access and a list of programs transferred or changed.
1.084.5. System supported games must provide a log entry anytime an individual causes a software component to be added, removed or altered in the server or system portion of the device. Each log entry must contain the date and time of the action, identification of the component affected, the identification of the individual performing the modification, the reason for the modification and any pertinent validation information. (See similar language in 1.084.6, 1.086.5 and 1.086.6.)
The requirements are likewise enumerated throughout all of the NGC Standards for all other devices in Casino or Gambling Terminal operations. L1 GPS systems alone don’t cut it anymore; proof demands evidence which will stand the test of time.
Certichron’s SecureNTP anchors gambling networks so that their timestamps are provable. Self-attested timestamps are no longer provable, and since fraud in eTransactions happens in an instant, proper timeline correlation in prosecutions and surveillance systems is key.
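The two optional NTP payloads mentioned in the SecureNTP DES post above (an extension field carrying an event hash, and the symmetric-key MAC that plain SNTP clients lack, as this post notes) shown at the packet level, as an added example that is not Certichron’s code: it builds an NTPv4 packet per RFC 5905, appends an extension field and a MAC, then parses and verifies it. The extension field type, key id, shared key and event record are constructed for the example, and the MAC is computed as ntpd’s symmetric-key scheme does, as a digest over key || message.

```python
"""Build and verify an NTPv4 packet carrying an event hash in an extension
field plus a symmetric-key MAC (RFC 5905 sections 7.3 and 7.5). The MAC is
computed as ntpd's symmetric-key scheme does, as hash(key || message). The
field type, key id, key and event record below are constructed for this example.
"""
import hashlib
import hmac
import struct
from datetime import datetime, timezone

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to the Unix epoch
EVENT_HASH_FIELD_TYPE = 0x7F01  # hypothetical private field type, not an IANA value
MIN_LAST_EF_LEN = 28            # RFC 7822: a final extension field is >= 28 octets
                                # so a parser cannot confuse it with a 20/24-octet MAC
DEMO_KEYS = {42: b"constructed-demo-key"}       # key id -> shared secret
DEMO_EVENT = b"citation 4711 issued camera-07"  # constructed event record
DEMO_TIME = datetime(2010, 7, 17, 13, 33, tzinfo=timezone.utc)

def ntp_timestamp(dt):
    """Encode an aware datetime in the 64-bit NTP seconds.fraction format."""
    unix = dt.timestamp()
    seconds = int(unix) + NTP_EPOCH_OFFSET
    fraction = int((unix - int(unix)) * (1 << 32))
    return struct.pack("!II", seconds, fraction)

def build_header(transmit_time):
    """48-byte NTPv4 header: LI=0, VN=4, mode=3 (client); unused fields zero."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    head = struct.pack("!BBbb", li_vn_mode, 0, 6, -20)  # stratum, poll, precision
    return head + b"\x00" * 36 + ntp_timestamp(transmit_time)

def build_extension_field(field_type, value):
    """Type(2) | Length(2) | Value | zero padding; Length covers the whole field."""
    raw_len = 4 + len(value)
    total = max(MIN_LAST_EF_LEN, (raw_len + 3) // 4 * 4)
    return struct.pack("!HH", field_type, total) + value + b"\x00" * (total - raw_len)

def append_mac(message, key_id, key):
    """MAC = KeyID(4) | MD5(key || message); MD5 is the RFC 5905 mandatory digest."""
    digest = hashlib.md5(key + message).digest()
    return message + struct.pack("!I", key_id) + digest

def build_event_packet(event_data, key_id, key, when):
    """Bind SHA-256(event_data) to the transmit time and authenticate under key_id."""
    ef = build_extension_field(EVENT_HASH_FIELD_TYPE, hashlib.sha256(event_data).digest())
    return append_mac(build_header(when) + ef, key_id, key)

def parse_packet(packet, keys):
    """Return (transmit_time, [(field_type, value)], mac_valid).

    Bytes after the 48-byte header are extension fields until exactly 20 or
    24 octets remain: that tail is the MAC (key id + MD5 or SHA-1 digest).
    """
    pos, fields = 48, []
    while len(packet) - pos not in (0, 20, 24):
        ftype, flen = struct.unpack("!HH", packet[pos:pos + 4])  # struct.error if short
        if flen < 16 or flen % 4 or pos + flen > len(packet):
            raise ValueError("malformed extension field length %d" % flen)
        fields.append((ftype, packet[pos + 4:pos + flen]))
        pos += flen
    mac_valid = False
    if pos < len(packet):
        key_id, = struct.unpack("!I", packet[pos:pos + 4])
        digest = packet[pos + 4:]
        key = keys.get(key_id)
        if key is not None:
            algo = hashlib.md5 if len(digest) == 16 else hashlib.sha1
            mac_valid = hmac.compare_digest(algo(key + packet[:pos]).digest(), digest)
    secs, frac = struct.unpack("!II", packet[40:48])
    when = datetime.fromtimestamp(secs - NTP_EPOCH_OFFSET + frac / (1 << 32), tz=timezone.utc)
    return when, fields, mac_valid

def verify_event(packet, keys, event_data):
    """True only if the MAC verifies and the carried hash matches event_data."""
    _, fields, mac_valid = parse_packet(packet, keys)
    carried = [v[:32] for t, v in fields if t == EVENT_HASH_FIELD_TYPE]
    return mac_valid and hashlib.sha256(event_data).digest() in carried

if __name__ == "__main__":
    pkt = build_event_packet(DEMO_EVENT, 42, DEMO_KEYS[42], DEMO_TIME)
    print(len(pkt), parse_packet(pkt, DEMO_KEYS)[2], verify_event(pkt, DEMO_KEYS, DEMO_EVENT))
```

Flipping any byte of the carried hash, or verifying with a different key, makes the MAC check fail, which is exactly what an SNTP-only client cannot detect.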
See also Certichron’s press release about the new Las Vegas SecureNTP™ service center opening up there.