Tag Archives: security


Audit Finds Oregon Lacking Regulatory Oversight and Proper Security

By Aaron G. Biros

Last week, Oregon Secretary of State Dennis Richardson published his office’s audit of the Oregon Liquor Control Commission (OLCC). The audit uncovered a number of inadequacies with the regulatory agency, most notably the problems with their tracking system, designed to prevent cannabis from being sold on the black market.

The report highlights the need for Oregon to implement a more robust tracking system, citing reliance on self-reporting, overall poor data quality and allowing untracked inventory for newly licensed businesses. The audit also found an insufficient number of inspectors and unresolved security issues. According to The Oregonian, the OLCC only has 18 inspectors, roughly one for every 83 licensed businesses.

Auditors also found inadequacies in the application system, saying the OLCC doesn’t monitor third-party service providers and doesn’t have a process in place for reconciling data between the licensing and tracking systems. The audit found there is a risk that decisions made for the program could be based on unreliable data. It also found a risk of unauthorized access to the systems, due to a lack of user account management.

Oregon Secretary of State Dennis Richardson

This audit’s publication is very timely, most notably because U.S. Attorney Billy Williams, who called Oregon’s black market problem “formidable,” convened a summit this week to examine how Oregon can prevent cannabis being exported to other states. According to the Oregonian, Williams said Oregon has an “identifiable and formidable overproduction and diversion problem.” The audit’s findings highlighting security issues are also very timely, given that in the same week, Oregon’s neighbor to the north, Washington, experienced a security breach in its own tracking system.

The problems with the Oregon tracking system’s security features are numerous, the audit says. They found that the OLCC lacks a good security plan, IT assets aren’t tracked well, there are no processes to determine vulnerabilities, servers and workstations are not using supported operating systems and antivirus solutions are not appropriately managed. “Long-standing information security issues remain unresolved, including insufficient and outdated policies and procedures necessary to safeguard information assets,” reads the report’s summary.

The audit proposes 17 recommendations for the state to bolster its regulatory oversight. Those recommendations intend to address undetected compliance violations, weaknesses in application management, IT security weaknesses and weaknesses in disaster recovery and media backup testing. You can read the full audit here.

Washington Security Breach Delays Traceability System Rollout

By Aaron G. Biros

On February 8th, Peter Antolin, the deputy director for the Washington State Liquor and Cannabis Board (WSLCB), sent an email to licensees explaining why the transition to their new traceability system was disrupted. Last Saturday, someone gained access to the sensitive information in Leaf Data Systems, the state’s traceability software that is powered by MJ Freeway.

“A computer vulnerability was exploited on Saturday, allowing unauthorized access to the traceability system,” Antolin told licensees in the email. “There are indications an intruder downloaded a copy of the traceability database and took action that caused issues with inventory transfers for some users. We believe this was the root cause of the transfer/manifest issue experienced between Saturday and Monday.”

The email goes on to say that no personally identifiable information was available to the ‘intruder,’ but some sensitive information was clearly accessed. That data includes route information of manifests filed between February 1st and 4th as well as transporter vehicle information including VIN, license plate number and vehicle type, according to the email.

That email leaves much to be desired. For one, they do not exactly have a solution, instead trying to alleviate licensees’ worries with a hollow inanity full of meaningless jargon: “The WSLCB and MJ Freeway continue to implement several strategies to prevent future vulnerabilities to future intrusions,” reads the email. “This includes full logging and monitoring and working with third-party entities. Since this remains an active investigation, details on security are not publicly available.” However, today the WSLCB is hosting a webinar where Peter Antolin, their IT division, the MJ Examiners unit and enforcement will be available to answer questions, according to the email.

This is by no means the first security breach that Washington and MJ Freeway have suffered. In May of 2017, Washington originally selected Franwell’s METRC as the contract partner for their traceability software system. Less than a month later in June of 2017, after a mistake in the selection process, Washington selected MJ Freeway instead of Franwell for the traceability contract. Three days later, MJ Freeway’s source code was stolen and published online. Then in September, Nevada cancelled their contract with MJ Freeway after a security breach, their services crashed in Pennsylvania and Spain, and in October it became clear that the company could not meet the October 31 deadline for their new Washington contract.

In November of 2017, BioTrackTHC, the company that held the previous contract for Washington’s traceability software, helped the state through the transition period with a temporary Band-Aid solution to hold the state over until January of 2018. A month after they expected to implement the new MJ Freeway system, the latest security breach occurred this week, disrupting the rollout yet again.

At the end of the email Antolin sent to licensees yesterday, he says there will continue to be attempts to breach the system’s security. “The bottom line is that this incident is unfortunate,” says Antolin. “There will continue to be malicious cyberattacks on the system. This is true of any public or private system and is especially true of the traceability system.” This begs a few questions: why aren’t we hearing about this kind of security breach in other states’ traceability systems? What are other companies doing that prevents this from happening? Why does this keep happening to MJ Freeway?

Soapbox

Digitalization Begins To Innovate Insurance Industry: What Does That Mean For Cannabis?

By Marguerite Arnold

Munich, Germany - In a darkened movie studio on the east end of town, the Digital Insurance Agenda or DIA, the largest insurtech conference in the world, kicked off its annual event in mid-November. The sold-out event attracted about 1,000 top insurance executives from 40 countries and all six continents.

CannabisIndustryJournal attended from the perspective of investigating the overall status of digitalization in the industry. However, there were a couple of things we were on the hunt for. The first was to see how and where blockchain has begun to penetrate the industry. This revolutionary processing and identification layer of digital communications is coming – and fast – to the insurance industry everywhere.

All image credits: MedPayRx (Instagram)

We were also there of course to see if cannabis was anywhere on the agenda. Digitized or not.

By way of disclosure, I am also a high tech entrepreneur with my own insurtech, blockchain-based start-up that we are in the process of launching. MedPayRx is intended to be the first insurance product that will help patients access their meds facing nothing but their co-pay and help insurers automate the approvals process for all prescription drugs and medical devices.

By definition, in Germany, this includes medical cannabis.

Ultimately, our mission is to take the paper and the pain of all reimbursement out of the prescription process. At present, as anyone with a chronic condition knows, many medications and medical devices must be paid for out of pocket first and then reimbursed via a claims process that is paper-based, laborious and expensive. This is not a model that works for anyone. Certainly not poor and chronically ill patients who face this process at least monthly. And certainly not insurers who are now facing higher drug costs if not more claims reimbursements for the same from an aging population.

In a country like Germany where 90% of the population is covered by public health insurance, the situation also poses quandaries of a kind that are rocking the fundamental concept of inclusive public healthcare.

The Impact of Digitalization On The Insurance Industry

As one insurance executive and speaker mentioned from the stage during DIA, there are few industries that are more universally despised than insurance in general. And few verticals where the existing mantra is “you cannot do it worse.” The insurance industry is well aware of that. Further, for all insurances that are not “mandatory” the competition is fierce for consumers’ bucks. Particularly in places like Europe where insurance is also seen as a kind of savings scheme.

If you are a private insurer, of any kind, or offering services to both end consumers and B2B services, you are out of the game if you are not now thinking how to streamline and upgrade all aspects of your business in the digital era. There are many start-ups now tackling what is euphemistically called “cloud2cloud” integrations.

What does that mean?

According to DIA co-founders Reggy de Feniks and Roger Peverelli, the influence of tech in general is here to stay and is now driving widespread innovation across the industry. “The DIA line-up and the massive response among the audience show that insurtech is now mainstream,” says de Feniks. “This edition clearly showed the…ever growing attention for artificial intelligence, machine learning and other shapes of advanced analytics.”

“Platform thinking, thinking beyond insurance and creating new insurtech enabled services will be the next challenge for insurers,” added Peverelli.

Subtext? Insurers want your data. They want to use tech to analyse and understand it. The technology is here. But is the regulation? Specifically, in an industry that wants to know everything about you, how is privacy understood and implemented with revolutionary tech?

A Cloud-Based Future

Paper is rapidly becoming an old-fashioned concept in insurance, much like it has in banking. And like banking, insurance has a strong “financial” side to it. Germans, for example, tend to use insurance policies as retirement accounts, (the idea of a 401K is almost unheard of here). And by far, the most dynamic and digitalized part of the industry tends to be in areas unrelated to healthcare.

Some of the most interesting start-ups at DIA were actually weather-based.

The challenge these types of insurtechs face in convincing both regulators and the industry that such services are not only feasible but needed pales in comparison, however, to the challenge now facing all public health insurers.

And while they were certainly present at DIA, this industry segment was underrepresented at the November gathering. There is a reason for this. The real threat to consumer medical privacy is only growing, not receding in an era where data can be seamlessly transferred globally and digitally.

For that reason, blockchain has many uses and applications in this part of the vertical.

MedPayRx, even as a pre-seed start-up, was not, even this year, the only blockchain-based service we found in attendance at DIA. Next year look for even more.

Blockchain might be the next new “buzzy” tech, but in the insurance industry, there is a real reason for it.

What Was The Response To A Cannabis-Themed “Insurtech?”

As readers in the United States know, health insurance and cannabis is a loaded subject. And while insurance services are beginning to be available as high-risk commercial services for the industry, inclusive health insurance is still off the table because of the lack of federal reform.

Other places, however, the issue is taking a fascinating turn. And in Germany, right now, the situation so far has shaped up to be cannabis vs. public health insurance. It is a mainstreaming trial drug in other words. For that reason, beyond any lingering but rapidly fading stigma, it is a fertile time to be in the middle of it, with a tech solution.

It is also perfect timing from the digitalization and privacy perspective. Unlike the U.S., Germany in particular has tended to keep its insurance services, certainly on the health front, undigitalized because of privacy concerns. That is no longer feasible from a cost perspective. It is also increasingly one that has to be dealt with from a tech and regulatory one.

Why Is CannabisIndustryJournal At DIA?

My nametag identifying me as both “media” and of a certain green source, was the source of endless discussion with everyone I talked to. Many attendees were extremely curious about why a cannabis industry publication was at an insurance conference. And most people, certainly the non-Germans in attendance, were unaware that per federal law, cannabis is now, at least in theory, covered by public health insurance here.

Medical insurance that treats cannabis just like “any other drug” is a discussion at the forefront of the medical community in Europe. Even if not at health insurance industry events like DIA. Yet. In the last year, in fact, Dutch insurers have started refusing to cover the drug as the German government moved forward on mandating coverage.

In other places, like Australia, Israel and Canada, the conversation is also proceeding, albeit slowly within the context of public health coverage.

However, compliance and tracking of the drug itself, not to mention the need for research on how cannabis interacts with other drugs, mandates a consideration of how digital health records, privacy and tracking can exist in the same conversation. And further, can be accessed by the insurance industry, the government and policy makers as reform moves into its 2.0 iteration – namely federal recognition of the drug as a legitimate medicine.

We at MedPayRx think we have one answer. And next year, we hope to present from the stage as we continue to move forward with engaging the insurance industry here on all such fronts. Not to mention helping move the conversation forward in other places. And of course, launching services.

BioTrackTHC To The Rescue: Contingency Plan for Washington

By Aaron G. Biros

According to a press release published this morning, BioTrackTHC successfully implemented their Universal Cannabis System (UCS) in Washington State, a temporary solution for the state’s seed-to-sale cannabis tracking system, while the new system is yet to be deployed.

BioTrackTHC had a contract with Washington State for four years, which expired just weeks ago at the beginning of November. Back in June, after a few minor hiccups, the state announced that MJ Freeway would be the successor software platform used for the state’s seed-to-sale traceability system.

The deadline for the new software to be ready for deployment was set for November 1st, when the BioTrackTHC contract would expire and the MJ Freeway contract would begin. Between when the contract was awarded and the deadline for implementation, MJ Freeway made headlines for a series of security hacks and systems failures. Subsequently, MJ Freeway said they could not deliver the software platform until January of 2018, leaving a two-month gap where businesses have no state-mandated software to use for the tracking system.

The contingency plan that the state laid out consisted of business owners manually inputting data in Excel spreadsheets. When first pressed for a Band-Aid solution, representatives of BioTrackTHC cited security concerns related to MJ Freeway’s hacks as reason for being hesitant to extend their contract through the interim period.

In an open letter to the Washington cannabis industry back in October before the end of their contract, Patrick Vo, president and chief executive officer of BioTrackTHC, laid out an explanation for what went wrong and provided an alternative solution, essentially a private sector version of their government-mandated traceability software system.

The open letter to the Washington cannabis industry, written by Patrick Vo

Announced this morning, the new system, UCS, is being used by over 1,600 of the 1,700 cannabis licensees in Washington. The UCS has so far submitted 39,000 individual Excel spreadsheets to the Washington State Liquor and Cannabis Board (WSLCB). “After the WSLCB announced that their replacement system would not be ready in time and that the only other option was for all 1,700 licensees to submit their seed-to-sale data via manual spreadsheets, BioTrackTHC created the UCS—a privatized clone of the government system—within a few days and deployed it minutes after the termination of the old system to minimize the impact on all licensees,” reads the press release.

The UCS allows business owners to streamline data recording, instead of manually entering information into spreadsheets. It is also integrating with 3rd party software competitors such as WeedTraQR, GrowFlow, Mr. Kraken, TraceWeed, GreenBits, S2Solutions and DopePlow. “After the WSLCB’s announcement, we knew that we had only a few days to provide a universal system to which the whole industry could submit compliance data and enable communication across the supply chain between licensees and their seed-to-sale system,” says Vo. “Our priority was to ensure that licensees could continue to operate in the absence of a government seed-to-sale system. Not having that system in place could have left Washington licensees vulnerable to noncompliance in a variety of ways, not to mention the potentially crippling volume of extra work needed to manually track a business’ entire inventory.”

Washington State’s new traceability software system by MJ Freeway is expected to deploy in January of 2018.

KIND Financial Launches Canadian Payment Solution

By Aaron G. Biros

KIND Financial, a technology and compliance software solutions provider in the cannabis industry, is launching a new e-commerce and payment processing platform in Canada. According to the press release, they are partnering with a Canadian bank to launch the KIND Seed to Payment platform, which is essentially an e-commerce gateway integrated with their compliance software, KIND’s RegTech platform.

David Dinenberg, founder and CEO of KIND Financial

David Dinenberg, founder and CEO of KIND Financial, says this is an approach to help alleviate the cannabis industry’s banking woes. “We’ve been very focused on a global vision and taking a strategic approach towards solving the cannabis industry’s largest problem – banking,” says Dinenberg. “Not only have we built a broad portfolio of finance and compliance solutions with a high-level of technical sophistication, but we’ve made a strong commitment to security and compliance, which is evident through our partnership with Microsoft.” A little over a year ago, they entered a partnership with Microsoft to utilize their cloud-based solutions for government traceability software.

According to the press release, the software has regulatory and security features built in, such as age and identity verification, which can help companies comply with security and chain of custody regulations. “Our mission is to ensure business and technological growth for all constituencies within the cannabis industry while ensuring full compliance with evolving regulations, and that’s why we’re thrilled to make these services available to our great neighbors in the north,” says Dinenberg. “We understand compliance will be a critical issue for some time to come, but with our solution, all providers and their partners can focus on the job at hand while keeping in line with regulatory mandates.”

KIND Financial has not done much work in Canada previously, but this could be a sign of a greater push for international expansion. “We’re excited to be working in a new country to boost the Canadian cannabis industry in a safe and regulated manner, and we look forward to expanding into other markets overseas,” says Dinenberg. The press release says the new platform is designed to work with different languages and foreign currencies, including the euro and Australian dollar, which could help Canadian producers enter emerging markets.

In addition to their announcement of the KIND Seed to Payment platform, the company also announced they will be rolling out a mobile payment system called KIND Pay, a digital payment option for consumers that will accept Visa and MasterCard. They anticipate that KIND Pay will launch before the end of this year.

How To Select The Best Monitoring System For Your Cannabis Greenhouses

By Rob Fusco

Maintaining an environment that supports cultivation and keeps plants healthy is not an easy task. In cannabis growing, there are a variety of factors that greenhouse managers and personnel must monitor to ensure that their plants are in a healthy environment that fosters growth and development. Temperature, humidity, lighting and CO2 levels are a few of the conditions that need to be tailored to each cannabis greenhouse operation. However, it can be difficult to constantly monitor the status of your equipment and the greenhouse environment, especially after hours or during the off-season.

A remote monitoring system that’s properly selected and installed can help greenhouse managers keep their cannabis plants healthy, multiply their yields and increase return on investment. This type of system also helps operators identify patterns and trends in environmental conditions and get insight into larger issues that can prevent problems before they arise.

Cloud-based monitoring system base unit in weatherproof enclosure

Here are some tips on key conditions to monitor and what you need to consider when selecting a monitoring system for your cannabis greenhouse operation:

Temperature

Temperature plays a crucial role in any cannabis grow operation. The climate in your greenhouse must be warm enough to nurture photosynthesis and the growth of cannabis plants. Setting the incorrect temperature will significantly impact the potential yield of the plant and the rate at which it develops. A temperature too low will slow the growth of the cannabis, but too hot can lead to heat stress for your plants. The ideal temperature for a standard greenhouse is between 70 and 80 degrees Fahrenheit. However, depending on the stage of plant and desired growth densities, the temperature of the greenhouse needs to be adjusted accordingly.

Humidity Levels

Humidity directly affects plant photosynthesis and transpiration, so controlling humidity is vital in greenhouse growing. The ideal relative humidity (RH) for cannabis growth is around 60%. A low humidity level can cause water to evaporate too quickly for photosynthesis, while a humidity level that is too high can cause poor growth and possible mold and fungal disease. Monitoring the moisture content in the air of your greenhouse will help the plants during the transpiration process, increasing absorption of nutrients and overall health of the cannabis. 

Lighting

Your cannabis may be getting an abundance of natural light during the summer months, but maintaining adequate sunlight during the winter months can be a challenge. As a solution to this, many greenhouse managers equip their facilities with additional lights to supplement natural light during off-seasons or off-hours. To achieve the best possible yield, a cannabis plant in the budding stage should receive twelve hours of light each day, while other stages could require additional lighting. For example, the growth stage could require your cannabis to be exposed to sunlight for up to eighteen hours a day.

CO2 Levels

Like any other plant, cannabis requires CO2 to breathe. Greenhouse managers must set and monitor the CO2 levels in their facility to make sure that there is an adequate amount for the plants to develop, grow and be healthy. The amount of carbon dioxide required for your cannabis depends on the size of the facility and the amount of light the plants are receiving. However, a standard grow area for cannabis can maintain a CO2 range from 1000 to 1500 parts per million (PPM). A level below that threshold can result in slower growth of the plants, while a level above would lead to unused and wasted CO2.

Soil moisture sensor

Irrigation and Soil Moisture

One way to ensure a good yield from your cannabis is to water it regularly and monitor your soil moisture. Overwatering your plants can have the same effect as, if not a worse effect than, letting the soil become too dry. Plants’ roots need oxygen to survive, unlike leaves that breathe CO2, and when the soil is waterlogged the roots can’t perform their function. The lack of oxygen interferes with the roots’ nutrient uptake and photosynthesis, causing the cannabis plant to wilt. The exact moisture content of the soil depends on the size of your greenhouse, temperature and humidity. Whether you hand water or are using a drip irrigation system, being aware of your soil moisture is vital to the long-term health of your cannabis.

Air Circulation

Your greenhouse environment should mimic the ideal conditions in which cannabis plants flourish. With an indoor facility, you have the ability to control air circulation by venting hot air out and blowing fresh air in. Creating a circulation of air inside your greenhouse will increase your cannabis plant’s growth speed and yield. Additionally, an exhaust system helps control the temperature and humidity, while also preventing the invasion of mold and pests that thrive in hot, stagnant air.

Greenhouse Security

When growing something of value, like cannabis, there will always be a threat of intruders. Whether your greenhouse is in a populated area or around hungry wildlife, any intruder could be detrimental to your overall yields and profit. Remote monitoring systems can give you peace of mind and instantly alert you when there is an unwanted presence in your greenhouse.

Knowing all the possible threats to your cannabis greenhouse helps you evaluate your specific needs, and ultimately identify the proper remote monitoring system.

Selecting the Right Monitoring System

Other factors to consider when choosing a monitoring system right for your operation include:

  • Base unit and sensors
  • Wireless or hardwired sensors
  • Communications to your site (Phone, cellular, Wi-Fi, etc.)
  • Alarm notification
  • Programming and status checks
  • Data logging
  • Return on investment

Base Units and Sensors

Each condition in your greenhouse that you want to monitor requires its own input on the base unit of the monitoring system. You must match your needs with the number of inputs available. A good fit for a smaller cannabis greenhouse may be a lower-cost, non-expandable monitoring system. However, larger facilities have many monitoring points and more people to alert when there’s a problem. If your cannabis operation is poised for growth, purchasing an expandable system could add value to the initial purchase because you wouldn’t have to replace your entire system in the future.

Your monitoring system should also have an internal rechargeable battery backup to ensure continuous monitoring and alerts in the event of a power outage. It is also recommended to have each base unit in a sheltered enclosure to protect it from moisture, dirt and other hazards.

Placement of sensors is also crucial. For example, temperature sensors in your greenhouse should be placed throughout the facility. They should be next to your thermostat and in the center of your greenhouse, preferably away from direct sunlight.

Wireless or Hardwired Sensors

Remote monitoring systems offer the option to have sensors hardwired directly to the base unit or sensors wirelessly connected. A hardwired monitoring system connects the sensors to the base device with wires. Generally, trenching long distances for wires is time consuming and costly. So alternatively, a wireless system uses built-in radio transmitters to communicate with the base unit. Some monitoring systems can accommodate a combination of hardwired and wireless sensors.

Communications to Your Site

Monitoring devices that use cellular communications must be registered on a wireless network (like Verizon or AT&T) before you can send or receive messages. Because cellular devices perform all communications over a wireless network, it is important that there be sufficient signal strength at the greenhouse. It is a good idea to check the signal quality in the area before purchasing a cellular product. If the cellular network has less than desirable coverage, it is possible to install an external antenna to help increase cellular signal.

Alarm Notifications

When monitoring systems identify a change in status, they immediately send alerts to people on the contact list. If you don’t want all of your personnel to receive notifications at the same time, certain devices can be programmed to send alerts in a tiered fashion. It is important to consider the reach of the communications, so that you’ll be notified regardless of your location. Multiple communications methods like phone, email and text provide extra assurance that you’ll get the alert. Also, take note of the number of people the system can reach and whether the system automatically cycles through the contact list until someone responds. Make sure the system allows for flexible scheduling so that it doesn’t send alarms to off-duty personnel.

Programming and Status Check

If you’re responsible for maintaining a commercial greenhouse facility, you want a system that will provide real-time status of all monitored conditions on demand. There are a few different ways to access your sensor readings. Options include calling to check status, viewing a web page, either on a local network or on the cloud, or accessing the information via an app on your mobile device. With a cloud-based system, the devices supervise themselves. This means if the internet or cellular connection goes down, the device will send an alarm to alert the appropriate personnel.

If you don’t select a cloud-based system, you will be limited to logging in through a local area network, which will allow you to make programming changes, access status conditions and review data logs. If internet connectivity is not available at your location, you will want to choose a cellular or phone system rather than an Ethernet-based option.

Data Logging

Sample greenhouse monitoring data log

Data history is valuable in identifying patterns and trends in your cannabis greenhouse conditions. Manually monitoring and recording environmental parameters takes a significant amount of personnel time and detracts from other important workplace demands. However, many monitoring systems automatically save information, recording tens of thousands of data points, dates and times. Cloud-based logging provides an unlimited number of records for users to view, graph, print and export data trends.

Analyzing data samples may lend insight to larger issues and prevent problems before they arise. For example, if the data log shows power fluctuations occurring at a regular time, it could be indicative of a more serious problem. Or, if the data shows signs of a ventilation fan or supplementary lighting beginning to malfunction, they can be repaired or replaced before total failure occurs.

Return On Investment

When deciding how much you should pay for a remote monitoring system, tally up the entire cost, fully installed with additional peripherals and sensors and any labor fees for installation. Then consider the value of your cannabis plant inventory and greenhouse equipment. Finally, factor in the cost of downtime, should an environmental event shut down your operation for a period of time.

Final Thoughts

Choosing the right greenhouse monitoring system and sensors could mean the difference between life and death for your cannabis plants. Understanding the conditions you need to watch and monitoring systems’ capabilities is the best way to protect your investment.

 

MJ Freeway’s Source Code Stolen & Published Online

By Aaron G. Biros

Portions of MJ Freeway’s source code were reportedly stolen and posted in Reddit threads as well as on Gitlab.com, a source code hosting website. On June 15th, the account “MJFreeway Open Source” was made on Gitlab.com, and portions of the source code were posted, but have since been taken down. Source code is essentially a list of commands of a program, the basis for making improvements and modifications to a software system. Source code can sometimes contain sensitive information. To be clear, MJ Freeway does not use an open source model; their source code is the basis of their traceability software. Open source is a tool that fosters public collaboration on software development, helping identify weaknesses or areas for improvement.

When asked to comment on the matter, MJ Freeway issued the following statement:

“Last week we discovered that someone had obtained an outdated portion of MJ Freeway’s source code. This incident has absolutely no impact on our systems or MJ Freeway services, and client and patient data is not at risk. While this theft poses no risk to our clients, patients, or business operations, we take any incident involving unauthorized access very seriously and have reported it to the Colorado Bureau of Investigation.

Unfortunately, it has come to our attention that our competitors are spreading inaccurate information about the incident, including baseless claims about SSL info and the potential for client data being compromised – neither of which is true. We encourage our customers to contact us directly with any questions they may have.

We follow or exceed all relevant industry security standards and are confident that we have the most robust security measures in our industry. None of our peers come close. However, we live in a world of determined cyber-criminals and we operate in a competitive environment. Success and size make a company a bigger target for malicious actors, as other large companies also know. We will continue to investigate and take follow-up action as we learn more about this incident.”

On Sunday, June 18th, a user by the name of ‘techdudes420’ posted a thread titled “MJFreeway goes open source” in the subreddit r/weedbiz. The post linked to the Gitlab.com page where MJ Freeway’s source code was briefly published. The following day, the same user published a second Reddit post with the same link to the stolen code, this time in r/COents, a subreddit for the Colorado cannabis community. MJ Freeway is based in Denver. That post claimed the user found the stolen source code with a quick search and that the user was banned because of that. The moderator of the thread chimed in, saying they banned the user for posting the stolen code. “We received a takedown request from the software owner stating the code had been stolen and released without permission,” says the moderator. “After investigating the matter I reached the same conclusion and removed the thread.” The moderator then updated the comment shortly after: “Edit: As for OP [original poster] ‘finding’ the code, if that were true I don’t know why he or she would have created a new Reddit account just to post the link.”

In addition to their own cybersecurity analysis, a spokeswoman for MJ Freeway says they will be performing a third-party audit and analysis this week as well. When that information becomes available, we will update this article.


Update: Multiple sources have reported that portions of MJ Freeway’s source code are still available online on torrent sites like PirateBay.

Ask the Expert: Straight Talk on Safety, Defense and Security, Part II

By Aaron G. Biros, Bruce E. Lesniak, Lezli Engelking

In this week’s Straight Talk on Safety, Defense and Security, we answer a reader’s question about traceability in quality processes and offer some practical advice for building a safety and security strategy. Travis Lodolinsky from Gleason Technology submitted this week’s question. For a response, we sit down with Lezli Engelking, founder of the Foundation of Cannabis Unified Standards (FOCUS), to help answer your questions. If you have questions about safety, defense and security in cannabis, please ask them in the comments section below and we will address them in the next edition of Straight Talk on Safety, Defense and Security.

T. Lodolinsky: How are safety processes being tracked in the industry to ensure regulations and quality assurance are being uniformly enforced throughout?

Lezli Engelking: In related industries, such as herbal products or pharmaceuticals, the FDA has created guidelines, or current good manufacturing processes (CGMP) that control for the quality, consistency and safety of the products being produced. Businesses must be certified by independent third parties to demonstrate they are following CGMP to protect public health and consumer safety. CGMP is a proactive approach to quality assurance. A basic tenet of CGMP is that quality cannot be tested into a product after it is made; quality must be built into the product during all stages of the manufacturing process. One common misconception is that CGMP only covers the process of manufacturing itself. CGMP actually covers all aspects of the production process including materials, premises, equipment, storage, staff training and hygiene, how complaints are handled and record keeping.

Because cannabis is federally illegal in the US, the FDA has not developed cannabis-specific CGMP guidelines, so lawmakers do not have the benefit of having those guidelines available to base regulations on. So to answer your question, state cannabis regulations do not track processes and procedures used by cannabis businesses to control for safety or quality because they do not have the federal guidelines. Instead, most state cannabis regulations currently take a reactive approach to safety, mandating only for testing of the final product. While testing is an extremely important and valuable part of any quality management program, just analytics is not enough.

This is precisely why FOCUS was created and how they assist business owners and regulators, while fulfilling the mission of protecting public health, consumer safety and safeguarding the environment. The FOCUS standards are a cannabis-specific system of guidelines (cannabis-specific current good manufacturing practices) to ensure products are consistently produced according to quality standards. FOCUS provides detailed guidance and independent, third party auditing services for all key aspects of the cannabis industry including cultivation, extraction, infusion, retail, laboratory, security, packaging, labeling and sustainability.

CannabisIndustryJournal: What advice can you offer to cannabis businesses for product safety, defense and security prior to standardization?

Bruce E. Lesniak: Businesses that make products infused with cannabis (I call these businesses “plus one” companies because they produce products that include one more ingredient than traditional food products), require a carefully written master plan that specifically addresses the unique qualities, sensitivities and critical areas of the business. When building a comprehensive plan I address three questions:

  • Why (identify the why, this is your preventative, overarching strategy)?
  • How (addresses the “why question” with products, services and training)?
  • What (what is your reactive strategy that addresses actions and activities to be performed in the event of a breach)?

First and foremost, consumer-facing businesses must safeguard their products to the public. One product recall or illness related incident could spell disaster. Build your plan correctly the first time. Contact an industry expert to review your facility and help build and implement your plan. This will save you money by quickly exposing vulnerabilities and providing corrective measures specific to your business needs and requirements. Even though product safety and defense are closely related to security and should share a complementary strategy, product safety and defense are unique (due to standards and regulations), and should be treated as such.

Banks not accepting industry money complicates normal business operations and security planning, causing retail operations to handle and store large sums of cash. I asked industry expert and security professional, Tony Gallo of Sapphire Protection LLC, what is the single most important piece of security equipment you are currently providing for the retail and dispensary owner? “Design an air tight policy of handling money,” says Gallo. “Remove money often from cash registers and place it into the best safe for your application!”

Spend time familiarizing yourself with all things product safety and defense (there are volumes written on food safety and food defense, thus the “plus one” reference). This is a great starting point and protecting the consumer protects your business. When it comes to designing your security application, consult an expert! Take into account that the cannabis industry is unique due to its “plus one” ingredient. Therefore you need to build your security systems, applications and policies to systematically protect your employees, facility, suppliers, transportation, manufacturing, distribution, warehousing, supply chain and brand.

Ask the Expert Series: Straight Talk on Safety, Defense and Security with Bruce Lesniak

By Aaron G. Biros, Bruce E. Lesniak

This is the first part of a series dedicated to understanding more about defense, security and safety as they relate to the cannabis industry, the importance of having standards and some tips for cannabis business plans. Over the next few weeks, we will hear from multiple industry pioneers discussing those topics and offering practical solutions for problems that many cannabis businesses face daily.

Inconsistent laws across multiple states created a fragmented network of regulations for cannabis. Some third parties are filling the gaps between the industry standards and state regulations. The Colorado Marijuana Enforcement Division (MED) and the Washington Liquor and Cannabis Board’s i-502 rule provide guidance on regulations surrounding packaging and labeling, advertising, pesticide use, retail and other areas.

Still there are many opportunities to fill the gaps. The Foundation of Cannabis Unified Standards (FOCUS), is an independent non-profit founded to develop some consistency in standards governing public health, consumer safety and the environment. In cultivation, the third party certification, Clean Green Certified, works to provide some guidance for growing cannabis organically based on USDA organic standards. For laboratories, Washington’s regulations provide some guidance, but organizations like FOCUS, the American Association for Laboratory Accreditation (A2LA) and the Cannabis Safety Institute seek to fill the gaps in laboratory standards along with the ISO 17025 requirements.

Security and defense is one particular area of the cannabis industry that still needs a benchmark for businesses to follow. In this series, we sit down to discuss security, defense and safety with Bruce Lesniak, president of the Food Safety and Defense Institute and member of the oversight committee for the establishment of standards in the cannabis industry in conjunction with FOCUS.

Cannabis Industry Journal: What changes do you see coming to the cannabis industry related to product safety, defense and security? 

Bruce Lesniak: As in every industry that provides a public consumable product, the primary objective is to protect the consumer by providing products that are consistently safe. The largest change coming to the cannabis industry will be the implementation of enforceable, nationally uniform standards across all states and all product lines. I believe that the standards and regulations developed for the cannabis industry will mirror those of the food industry. Companies are already busy working to develop this uniform standard, one such group is FOCUS. Founded by Lezli Engelking, FOCUS works with diverse professionals from regulatory, quality assurance, medical, law enforcement, business, research, and the government officials, medical and research professionals along with subject matter experts from numerous business disciplines across the industry to develop impartial, comprehensive, cannabis specific standards that will be presented for adoption by state and federal governing bodies. Lezli summarizes the FOCUS Mission as “To protect public health, consumer safety, and safeguard the environment by promoting integrity within the cannabis industry.” Look for more on this in our next Ask the Expert update, on CannabisIndustryJournal.com or you can contact Lezli Engelking at FOCUS here: 866-359-3557 x101.


This series will highlight important issues involving security, defense and safety in the cannabis industry. Next week, Bruce, along with cannabis security professional, Tony Gallo of Sapphire Protection, will provide some advice on what companies can do to improve their master business plan. Stay tuned for next week’s Part II of Ask the Expert: Straight Talk on Safety, Defense and Security with Bruce Lesniak.