Unlocking phone in the US: is it illegal?

In 2010, the Librarian of Congress ruled that unlocking a phone in order to move to another carrier was legal.  On 26 October 2012, the Librarian of Congress changed his mind: unlocking phones purchased after January 2013 will again be illegal.


In the same ruling, the Librarian of Congress allowed the jailbreaking of iPhones for interoperability, but forbade it for iPads!

Wireless telephone handsets – software interoperability
Computer programs that enable wireless telephone handsets to execute lawfully obtained software applications, where circumvention is accomplished for the sole purpose of enabling interoperability of such applications with computer programs on the telephone handset.

This exemption is a modification of the proponents’ proposal. It permits the circumvention of computer programs on mobile phones to enable interoperability of non-vendor-approved software applications (often referred to as “jailbreaking”), but does not apply to tablets – as had been requested by proponents – because the record did not support it.

Recently, the White House officially announced that it was

Time to Legalize Cell Phone Unlocking

How the White House will try to revert the Librarian ruling is unclear.

Once more, we see that the interpretation of the DMCA is complex and evolves with time.  Some decisions may even seem strange: authorizing mobile phones but not tablets (even though they use the same OS and may act as phones) is difficult for consumers to understand.

Murdoch’s pirates

In 2008, I wrote a post about “Big Gun”, a hacker who was supposed to have worked for NDS to hack competitors.  It followed a series of lawsuits against News.

This was only a small portion of the larger picture of the NDS story.  With Murdoch’s Pirates, Neil Chenoweth has just published a detailed description of how NDS acted to “keep ahead” of its competitors.  And the story is as good as a good spy novel.  The difference is that this one is real.  And unlike in Hollywood movies, morality does not win.

You will discover the dark side of News and NDS. The book is not technical (it even contains some inaccuracies).  But the story is based on all the documents that were published during the multiple trials.

I do not like the style of the author.  Although he uses real information, he is not objective and clearly takes sides.  Furthermore, the first two sections do not follow a linear narration.  This makes the introduction of the “heroes” of this book difficult to follow.  Nevertheless, if you work, or have worked, with Conditional Access providers, you will be thrilled by the book.

From a personal point of view, as I met several of the early actors of this book while we were designing VideoCrypt, it was a strange experience to discover very dark sides of some of them.  I was not naïve; nevertheless, it was worse than my darkest assumptions.


CA guys, read this book.

Bit9: when a security company signs malware…

Bit9 offers security solutions that control which applications are authorized to execute on a platform. Rather than relying on detecting malicious applications, Bit9 uses an engine that only authorizes a whitelist of trusted applications. Every application that is not part of the whitelist is by default considered suspect and denied. Of course, the Bit9 engine considers every application issued by Bit9 as trusted. The check is done by verifying whether the application was properly signed with Bit9’s signing key.  Bit9 claims that its solution is the ultimate defense, and the only valid answer to Advanced Persistent Threats (APT).

On 8 February 2013, security consultant Brian Krebs announced that some companies had been affected by malware signed by Bit9. Later on the same day, Bit9 Chief Executive Officer (CEO) Patrick Morley acknowledged the problem. Their own solution did not protect some of the Bit9 servers. Among them were servers used to sign digital applications. Attackers were able to penetrate the network and get their malicious code signed by Bit9. Thus, any Bit9 engine would accept these pieces of malware as trusted applications. Bit9 announced that it had started to remedy the issues. It applied its own solution to its complete infrastructure, revoked the compromised digital certificate and informed its customers.

According to Bit9, only three undisclosed customers were affected. Due to the high profile of Bit9’s customers (defense department, Fortune 100), it may be part of a larger APT targeting some companies.  Was this the same approach of using a security technology as an entry door, as in the RSA hack?

Ironically, a few hours before, Bit9 had bragged that antivirus software was old news.  It would be interesting to learn how the attackers penetrated the network.

Two lessons:

  • Defense in depth is mandatory; multiply the defense mechanisms.  Relying on a single mechanism is brittle security.
  • Signing of production code should be supervised by a trusted human operator. You may use automatic signing for the development process, provided, of course, that you use an independent root key dedicated solely to development code.  Normally, very few pieces of software go out into the field for production.  Thus, using a human operator will not increase the cost.

HADOPI, VLC and Blu-ray

HADOPI, the French law on digital rights, has some articles that may facilitate the interoperability of copy protection systems.  A publisher may request access to the APIs and documentation of a copy protection system in order to implement interoperability.


This is what VideoLAN, the publisher of the famous open-source media player VLC, has just requested from HADOPI.  VLC wants access to AACS in order to be able to play Blu-ray discs. VLC does not yet support Blu-ray, as it is not an AACS licensee.


HADOPI has identified where the real problem lies. The documentation and API are not sufficient, because AACS also requires cryptographic keys delivered by the licensing authority.  And of course, as in any encryption-based system, the keys are the most important asset.

This definition of “information essential to interoperability” does not seem to allow obtaining, in the case of a technical protection measure in the form of an encryption algorithm, the communication of the decryption keys of the protected content (and more generally the necessary secrets), which appear to belong neither to the technical documentation nor to the programming interfaces.

Thus, on 6 February, HADOPI launched a public consultation to collect opinions on the topic.  Knowledgeable people may enlighten this institution before 26 February 2013.

… the Haute Autorité invites persons with expertise in this field to submit to it any elements they consider useful to its deliberation, and in particular to answer the question of whether “the technical documentation and the programming interfaces” referred to in Article L. 331-32 include the decryption keys of protected content and, more generally, the necessary secrets.

If you have read my book, then you know that I do not believe in open-source-based DRM, at least for B2C.  There is no way to properly protect the keys.  Thus, HADOPI’s decision on this topic will be extremely important and scrutinized by the community.  We will follow up.

Snuff


The regular reader of this blog is aware that Terry Pratchett is one of my favorite authors.  He is an extremely prolific author.  Therefore, it is always with high expectations that I read the newest book of the Discworld series.

This time, it is “Snuff”.  It is a great book.  This time the target of Pratchett’s satirical pen is intolerance, day-to-day racism and slavery.  As in most of his books, he uses his characters to castigate a problem of our society.

What is interesting with Pratchett is that he enriches his world with new characters, concepts or races.  For instance, in “Unseen Academicals”, he used a goblin as one of the main characters for the first time.  In this new opus, goblins are the central characters of the story.  Furthermore, secondary characters gain more visibility.  For instance, Wee Mad Arthur, the gnome we met in “Feet of Clay”, is back in “Snuff”, and we discover new talents of this interesting tiny constable.

If you like the Discworld, and Sam Vimes, then you have to read Snuff.

Mega is running: does it keep its promises?

Kim Dotcom, the owner of the former MegaUpload, is back.  And he is making headlines on the Internet and in other media.  His new baby is the sharing site Mega.  It has been online since Monday.  What is the difference with MegaUpload?  You may have noted “the privacy company”.

The uploaded data are encrypted before being sent to the server.  Encryption uses 128-bit AES, and the encryption key is protected by a personal 2048-bit RSA key.  All cryptographic calculations are done in your browser.  Therefore, Mega does not know what is uploaded.  This is a safe harbor for Mega, at least in theory.

Furthermore, the Terms of Services are very clear.

Protection against copyright holders.

17. You can’t:

17.3 infringe anyone else’s intellectual property (including but not limited to copyright) or other rights in any material.

Good faith and will with copyright holders

19. We respect the copyright of others and require that users of our services comply with the laws of copyright. You are strictly prohibited from using our services to infringe copyright. You may not upload, download, store, share, display, stream, distribute, e-mail, link to, transmit or otherwise make available any files, data, or content that infringes any copyright or other proprietary rights of any person or entity.

We will respond to notices of alleged copyright infringement that comply with applicable law and are properly provided to us…

It will be interesting to see how Mega will handle cease-and-desist letters from content owners.  Mega is not supposed to know whether the claim is legitimate or not.  Blind obedience or nitpicking?  The future will tell.

Furthermore, Mega protects itself from its users.

5. If you allow others to access your data (e.g. by, amongst other things, giving them a link to, and a key to decrypt, that data), in addition to them accepting these terms, you are responsible for their actions and omissions while they are using the website and services and you agree to fully indemnify us for any claim, loss, damage, fine, costs (including our legal fees) and other liability if they breach any of these terms.


Of course, with its security claims, Mega got a lot of attention from the security community.  It already seems possible to get somebody’s master key if you intercept her confirmation email.  Steve Thomas has published a first hack (MegaCracker).  Some other weaknesses seem to be around.


The blogosphere is now claiming that Mega did a bad job.  Is it really true?  I am not sure.  Of course, if you believe that Mega’s purpose is to securely store your data, then it may be true.  I would not recommend using it if confidentiality is at stake.  If you believe that encryption is just a way for Mega to claim safe harbor and build a new MegaUpload (without taking the infringement risk), then it is another story.  Then Mega does not care about being hacked (by the way, the TOS do not guarantee the confidentiality of your data).


In any case, weak security or not, Mega has already done an extremely good job of public relations.  The news of Mega’s launch is all around the world.

Mail In Black

Mail in Black is the name of a French company that provides an interesting anti-spam solution.  Their idea is simple.  Spam is generated by robots.  Thus, if you filter out every communication issued by robots, then you get rid of spam.  How to detect a robot?  Apply a Turing test.


How does it work?

  • You define an initial white list of email addresses or domains.
  • When MailInBlack receives an email, it checks whether the sender is part of the white list.  If so, the mail is forwarded to you.
  • If the sender is not in the white list, MailInBlack returns, on your behalf, a captcha challenge (for instance, type the orange text).
  • If the challenge is successful, it forwards the message and automatically adds the sender to the white list.
  • Otherwise, the message is quarantined and the sender is added to a black list.
  • Of course, if you rescue a message from the quarantine, then the sender moves to the white list.

In my opinion, there are some potential hiccups:

  • You may lose messages from automated systems that you legitimately want to receive (and there are many of them).  Therefore, the initial building of the white list is important.
  • Some surprised senders may believe that the challenge is actually spam or, worse, malware.  This is mitigated by the fact that they have just sent you a message and “you” are asking for the challenge.
  • If they are successful, how long will it take before we see the first malware spam mimicking a MailInBlack challenge but pointing to a malicious site?

Nevertheless, it is an interesting approach to anti-spam.