The blog of content protection

Once more, new technology introduced threats on privacy. FRIEDLAND Gerald and SOMMER Robin, in their paper “Cybercasing the Joint: On the Privacy Implications of Geo-Tagging” clearly highlight the new risks.

Many high end phones, such as iPhones, come with GPS. Undoubtfully, GPS is a great feature. Once you used it, you cannot live anymore without. Nevertheless, the combination of GPS and camera is a problem. Currently, all such devices embed a geo-tag, i.e. the precise location, in the metadata of pictures shot by the camera. And many of such pictures end up on Flicker, Facebook and Craig List. This metadata can be easily extracted through standard tools.

In other words, if you publish on Internet a picture of your house taken with your iPhone, it will be extremely easy for anybody to locate you for instance using Google Street View. The paper presents a very illustrative example.

Of course, you can disable the geo-tagging. But, (1) you must be aware of the threat, and then (2) find how to disable it. The solution should be that the manufacturers make this feature as opt-in, i.e. disabled by default. Very unlikely, because manufacturers load the devices with new features ready to work.

If you have a mobile phone with GPS, think about it. Personnaly, I know what I would do.

No, I’m not turning my blog into a porn site. I just refer to a recent paper from FERRO M., PIOGGIA G., TOGNETTI A., CARBONARO N., and DE ROSSI D. These extremely serious Italian researchers have published “A Sensing Seat for Human Authentication“.

We know many biometrics authentications using voice, finger, palm, or iris. We had recognition through the way you walk, or the way you type. This one is recognition through the way you seat.

The seat is equipped with a set of strain sensors. These sensors show piezoresistive properties that can be turned into a digital fingerprint of the seating person. the paper describes the system, explains the measuring methods. They tested their system on 20 people over a period of 20 days in a truck simulator. The True Acceptance Rate is about 90-95%. The False Acceptance Rate was about 5%.

The researchers acknowledge that there are may parameters in the real world that may impact these rates such as movements and vibrations and changes of the human profile. A wallet in the pocket may derail the system. Too many hamburgers during a long period most probably also

The target is automotive industry. They foresee to couple it with face and voice recognition.

Thanks to BC for the pointer.

For years Sony’s Playstation resisted to hackers. One potential explanation was that when authorizing homebrew applications to execute on PS, Sony removed as attacker the complete homebrew community (which is a large chunk of the reverse engineering community). This is not anymore true.

Since 19 august, the PSjailbreak is available. This USB stick allows to execute duplicate of games. It is a kind of R4 but for PS3. It works for PS3 and PS3 slim. The price is rather high (at least in France around 130€ or $160). Every reports claim that it works.

Sony already claimed that through their network PSN they can detect the presence of the JailBreak and then retaliate. I did not yet find a post that confirmed a counterstrike by Sony on PSN. The current version of PS3Jailbreak does not propose any upgrade feature, thus it may be a weakness.

The funny part of the story is that pirates may soon be pirated. The reverse engineering of the PSJailBreak already started. The hack is based on a standard PIC microcontroller PIC18F. It seems that the code has already been successfully dumped. Some sites are already proposing clones such as PS3stinger, PS3key, X3JailBreak… Clearly, the distributor foresaw this because the site clearly warns about imitators and created a logo for authorized dealers.

Once more, our law #1 “attackers will always find their way” was verified. It took just longer than for the other game consoles. Now, let’s wait the reaction of Sony.

This week end, my family purchased a DVD. When viewing it, what a surprise!! The usual scaring/threatening video sequence which explains that downloading movies fromP2P is bad was absent. It was replaced by a new message telling something like “By purchasing this DVD, you are supporting the jobs for the UK movie industry”. And at the end of the video sequence, a huge/heavy “THANK YOU” falls noisily onto the screen. Very Monty Python like (It is probably because it was a UK movie )

This change is interesting. One of the rules I learnt in Communications was to always favor the positive formrather than the negative one. A positive message goes better through. You should use the negative form if you want to create fear (Lovecraft was very good at that. Sorry I’m digressing).

Will it have an impact on piracy? Probably not. Nevertheless, it may help to restore a little bit the reputation of content owners. This is also part of the battle.

I don’t know if this will be generalized on everyDVD. I think it would be a good idea.

In a paper presented at the 6th Symposium on Usable Privacy and Security, DINEI Florencio and CORMAC Herley, Microsoft Research, examined the policy ruling the passwords of 75 Internet sites. The type of websites ranged from very popular sites/services such as Facebook or Paypal to more confidential ones such as governmental agencies.

They evaluated the strength of the enforced policy withthe equation N.log2(C) where N is the minimum size of the password and C is the cardinality of the allowed character set. Obviously, this equation is not a perfect evaluation of the constraints because it does not take into account constraints such as mandatory use of digits or special characters. Nevertheless, the result is simple (and perhaps not too surprising)

The size of the site, the number of user accounts, the value of the resources protected, and the frequency of non-strength related attacks all correlate very poorly with the strength required by the site.

In other words, the sites with the most constraining policies are not necessarily the sites which are at most at risks. For instance, Gmail or Paypal do not have strong constraints. Most often, the sites with most constraining policies do have no incentives to have numerous visits or have a captive “audience”. The constraints were more driven by the need to attract visitors than by security itself.

It is the usual trade-off between security and usability. Facebook that is paid by advertising needs frequent visitors. A too complex password policy may rebuke many users and thus make the site less attractive.

The authors advocate that there is most probably no need of strong password policy because strategy to defeat online brute force attack should be deterrent enough. They cite Twitter that recently banned the 370 most common passwords. According to them, strong passwords are most probably only useful in case of an access to the hashed password files. (Remember the use use of rainbow tables)

Their view on the trade-off between usability and security is interesting.

When the voices that advocate for usaability are absent or weak, security measures become needlessly restrictive.

I let you savor this statement. Any reactions?

The paper is available here.