Free ride

DRM bashing is a well-established Internet sport. Famous web sites, such as TechCrunch, Wired or ZDNet, which are otherwise extremely interesting, have a biased view of copyright, content owners, and copy protection. The positions of lobbying groups, such as the EFF, are in the same vein. In a nutshell, according to them, copyright laws and content owners are killing the Internet.

“Free ride” by Robert Levine takes the opposite point of view. He shows that denying copyright on the Internet is actually killing the Internet.

He describes the battle between three giant groups with diverging interests. On one side, the media industry wants its cultural goods to be paid for, even on the Internet. On the other side, the Internet companies want information to flow freely. The more information available (even pirated content), the more advertising revenue for the Internet companies and pirate sites. In the middle, the telecom companies initially benefited from piracy because it was a strong driver of broadband adoption. Now, piracy is claimed to consume too large a part of the available bandwidth, and is starting to hurt these telecom companies.

The book clearly highlights these diverging interests. It also draws a map of the current lobbying battlefield (by showing who is financing groups such as the EFF, whom Google finances…).

Levine’s message is that valuable content is costly to create. He also explains that creation is not sufficient if it is not combined with promotion, which is also costly (see Should you invest in the long tail?). Without such investment, valuable content will disappear. Free riders (i.e. companies that use the content without rewarding the creators) and piracy will kill the economic incentive to create. The result would be a free Internet with no valuable content to offer. In other words, rather than creating the promised bright cultural future, the Internet may create a poor cultural future. The fact that distribution and production have a cost nearing zero on the Internet should not hide the fact that creation has a cost. Dematerialisation often hides this cost. User-generated or crowd-sourced content is not necessarily at the same level of quality as professionally created content.

He claims that the business models proposed by the Internet companies do not fit the economic constraints of valuable content. As such, he is opposed to Free: The Future of a Radical Price.

This book is refreshing because it gives a well-argued position against the widely disseminated position of the Internet companies. In a democracy, it is paramount for a sound debate to hear both sides of the story. So read this book too, and only then form your own opinion.

Conclusion:  if you regularly visit my blog, then you should read this book.  It is at the heart of our industry.

Ghost in the Wires

Or the official biography of Kevin Mitnick. In the 90s, Kevin Mitnick was known as the World’s Most Wanted Hacker. He is an artist of social engineering. His book “The Art of Deception” is a reference on the topic.

This new opus tells the story of Kevin from his youth until the day he was freed. Do you remember the “Free Kevin” protest movement? Is this new book interesting? I read “The Art of Deception” with pleasure. That is not the case with this book. It could have been a good thriller, but the style is not right to create suspense. It could have been a book on the hacking mindset, but the introspection described is too shallow. It could have been a technical book, but the rare technical descriptions are uninteresting.

The main interest of the book is to get an insight into his motivations: “Getting access to things that he was not authorized”. Nevertheless, “The Art of Deception” gives a better view of social engineering. An unanswered question: why did he need to go to jail to become an ethical hacker?

We will keep this good description of ethical hacking:

What I do now fuels the same passion for hacking I felt during all those years of unauthorized access.  The difference can be summed up in one word: authorization.
I don’t need authorization to get in.
It’s the word that instantly transforms me from the World’s Most Wanted Hacker to one of the Most Wanted Security Experts in the world.  Just like magic.

Conclusion: This book is not mandatory on the shelves of security people.  “The Art of Deception” is mandatory.

References

[1] K.D. Mitnick and W.L. Simon, Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker, Little, Brown and Company, 2011.

[2] K.D. Mitnick and W.L. Simon, The Art of Deception: Controlling the Human Element of Security, John Wiley & Sons, 2003.

IRDETO becomes a key actor of B2C content protection

On 24 October, IRDETO announced that it had acquired BayTSP (which was founded by Marc ISHIKAWA). BayTSP is one of the few companies that scout the Net, on behalf of content owners, to identify illegal copies of content. IRDETO was initially a Conditional Access solution provider. For several years, IRDETO has been acquiring companies to enlarge its offer while staying focused on distributing content securely.

Recently, IRDETO purchased Cloakware, a company specialized in Tamper Resistant Software. This acquisition allowed IRDETO to promote a more robust software-based (cardless) solution. Cloakware would take care of the protection of the software, which is the usual weak point of cardless solutions. More recently, IRDETO acquired the division of Rovi in charge of SPDC. SPDC is the system that may implement applets to bring additional security in BD+. Rovi had acquired this division from Paul Kocher’s CRI (Cryptography Research Inc).

Now, with BayTSP, IRDETO can offer an investigation service in addition to its protection offering. Nice move. Is the offer complete? I would tend to believe that there is a missing piece: forensic watermarking. Next acquisition?

Thanks to Gwen for the pointer.


Degate

Martin Schobert has designed an open source software tool, called Degate, to help reverse-engineer hardware components. The process is the following:

  • You must first take pictures of the layout of the depassivated chip.
  • Degate will attempt to recognize standard cells by image pattern matching.
  • Degate also attempts to reconstruct the netlist of wires and vias (vias are electrical connections between different layers).
  • Then, it can build the full or partial logical layout.
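The netlist reconstruction step above, as an added example that is not Degate's own code: once the cells, wires and vias have been recognised from the pictures, connectivity is a pure graph problem. Wires on the same layer that touch are one conductor, a via joins the wires it lands on across layers, and a cell pin belongs to whichever conductor it sits on. The geometry below (two metal layers M1/M2, rectangles as wire segments, points as vias and pins) is constructed for illustration; the union-find approach is an assumption about how such a tool might do it, not a description of Degate's internals.

```python
"""Netlist reconstruction from recognised wires, vias and cell pins.

Added example, not Degate's code. All geometry below is constructed.
Coordinates are in arbitrary image units; layers are "M1" and "M2".
"""
from collections import defaultdict
from itertools import combinations

# Wire segments: (layer, x1, y1, x2, y2) as axis-aligned rectangles (constructed)
WIRES = [
    ("M1", 0, 0, 10, 1),     # horizontal strip on M1
    ("M1", 9, 0, 10, 8),     # vertical strip on M1, overlaps wire 0
    ("M2", 0, 7, 12, 8),     # horizontal strip on M2
    ("M1", 20, 0, 30, 1),    # isolated strip on M1: a separate net
    ("M1", 11, 7, 12, 12),   # vertical strip on M1, reached only through a via
]
# Vias: (x, y) joining every wire that covers that point, on any layer (constructed)
VIAS = [(9.5, 7.5), (11.5, 7.5), (25, 20)]   # the last one lands on nothing
# Cell pins recognised by pattern matching: (cell, pin, layer, x, y) (constructed)
PINS = [
    ("NAND2_1", "Y", "M1", 0.5, 0.5),
    ("INV_1", "A", "M2", 0.5, 7.5),
    ("INV_1", "Y", "M1", 21, 0.5),
    ("DFF_1", "D", "M1", 11.5, 11),
]


def rects_touch(a, b):
    """True if two axis-aligned rectangles share at least one point (closed intervals)."""
    _, ax1, ay1, ax2, ay2 = a
    _, bx1, by1, bx2, by2 = b
    return ax1 <= bx2 and bx1 <= ax2 and ay1 <= by2 and by1 <= ay2


def point_on_wire(x, y, wire):
    _, x1, y1, x2, y2 = wire
    return x1 <= x <= x2 and y1 <= y <= y2


class UnionFind:
    """Disjoint sets over wire indices; the root is always the smallest index."""
    def __init__(self, n):
        self.parent = list(range(n))

    def find(self, i):
        while self.parent[i] != i:
            self.parent[i] = self.parent[self.parent[i]]   # path halving
            i = self.parent[i]
        return i

    def union(self, i, j):
        ri, rj = self.find(i), self.find(j)
        if ri != rj:
            self.parent[max(ri, rj)] = min(ri, rj)


def reconstruct_netlist(wires, vias, pins):
    """Return (nets, unconnected_pins, dangling_vias).

    nets maps a net name (from its lowest wire index) to the sorted "cell.pin"
    names attached to it. Pins on no wire and vias touching fewer than two
    wires are reported separately: in a real extraction they usually mean a
    recognition error in the earlier image-processing steps.
    """
    uf = UnionFind(len(wires))
    # 1. Same-layer wires that touch are one conductor.
    for i, j in combinations(range(len(wires)), 2):
        if wires[i][0] == wires[j][0] and rects_touch(wires[i], wires[j]):
            uf.union(i, j)
    # 2. A via joins every wire covering its location, whatever the layer.
    dangling_vias = []
    for vx, vy in vias:
        hit = [i for i, w in enumerate(wires) if point_on_wire(vx, vy, w)]
        if len(hit) < 2:
            dangling_vias.append((vx, vy))
        for i in hit[1:]:
            uf.union(hit[0], i)
    # 3. Attach each pin to the net of the wire it sits on (same layer only).
    nets = defaultdict(list)
    unconnected = []
    for cell, pin, layer, x, y in pins:
        hit = [i for i, w in enumerate(wires) if w[0] == layer and point_on_wire(x, y, w)]
        if not hit:
            unconnected.append(f"{cell}.{pin}")
            continue
        nets[f"net{uf.find(hit[0])}"].append(f"{cell}.{pin}")
    return {k: sorted(v) for k, v in nets.items()}, sorted(unconnected), dangling_vias


if __name__ == "__main__":
    nets, loose_pins, loose_vias = reconstruct_netlist(WIRES, VIAS, PINS)
    for name, members in sorted(nets.items()):
        print(name, "->", ", ".join(members))
    print("unconnected pins:", loose_pins, "dangling vias:", loose_vias)
```

On the constructed layout, NAND2_1.Y, INV_1.A and DFF_1.D come out on one net through the two vias, INV_1.Y sits alone on the isolated strip, and the via at (25, 20) is reported as dangling. That last report is the useful part for a reverse engineer: a via that connects nothing almost always means a wire was missed in the pictures, which is exactly why the quality of the initial images matters so much.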

Of course, the better the quality of the initial pictures (for instance using a Focused Ion Beam (FIB)), the easier (and better) the automated result.

Degate will not do all the work. It is a software aid for the reverse engineer. In any case, at the end, you will have to understand what the logic layout does. Degate is not a tool for script kiddies. It requires a good knowledge of microelectronics. You’re working at the transistor/cell level.

The site also provides an interesting repository of documentation related to IC reverse-engineering.

Lesson: As with software obfuscation, the fewer reused patterns in the design of the chip, the more robust it is to reverse-engineering.


Sony once more under fire, but proper reaction

Philip Reitinger, CISO of Sony, has announced that about 93,000 accounts on Sony’s systems have been compromised. They detected a suspicious massive set of login/password attempts. Most of them were unsuccessful, but about 93,000 succeeded. Most probably, the attackers got access to a database of logins/passwords from another web site (such information is available on the Darknet).

Some people use the same login/password on different sites. These people may be the victims of this attack.

We must congratulate Sony for its reaction:

  • Transparency: they were clear on what happened, and provided the data. The reaction of customers was extremely positive.
  • Monitoring: this proves that Sony is carefully monitoring activity to detect strange behaviour or patterns. This is key in security.

Lessons:

  • Customers are ready to hear the truth in case of an attack. I would even guess that they would rather be made aware than learn about it once it is far too late.
  • Do not use the same password for all sites, at least not for the critical ones.
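What Sony's monitoring had to spot is a very recognisable pattern: one source trying a long list of different logins in a short time, almost all of them failing, a few succeeding. The added example below (mine, not Sony's code) runs that detection over a handful of constructed authentication log lines; the line format "<ISO timestamp> <source IP> <login> <result>" and the thresholds are assumptions, to be tuned to real traffic. The point is the second step: every account that did succeed from a flagged source is the list you force a password reset on, which is what turns detection into the reaction the post praises.

```python
"""Spotting a credential-stuffing run in authentication logs.

Added example, not Sony's code. The log lines are constructed; the field
layout "<ISO timestamp> <source IP> <login> <result>" is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source cycling through many logins in seconds
# (mostly failing, two succeeding) and one user retrying their own password.
SAMPLE_LOG = """\
2011-10-11T22:00:01 203.0.113.7 alice FAIL
2011-10-11T22:00:02 203.0.113.7 bob FAIL
2011-10-11T22:00:02 203.0.113.7 carol OK
2011-10-11T22:00:03 203.0.113.7 dave FAIL
2011-10-11T22:00:03 203.0.113.7 erin FAIL
2011-10-11T22:00:04 203.0.113.7 frank FAIL
2011-10-11T22:00:05 203.0.113.7 grace OK
2011-10-11T22:00:05 203.0.113.7 heidi FAIL
2011-10-11T22:00:06 203.0.113.7 ivan FAIL
2011-10-11T22:00:06 203.0.113.7 judy FAIL
2011-10-11T22:01:00 198.51.100.4 alice FAIL
2011-10-11T22:01:20 198.51.100.4 alice FAIL
2011-10-11T22:01:45 198.51.100.4 alice OK
"""


def parse_line(line):
    """Split one log line into (timestamp, source IP, login, success flag)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_attempts=8, min_distinct_users=6,
                               max_success_ratio=0.5):
    """Flag sources that, within `window`, tried at least `min_attempts` logins
    spread over at least `min_distinct_users` accounts with a low success rate.

    Returns {ip: {"attempts", "distinct_users", "successes"}} where
    "successes" lists every account that logged in OK from that source.
    A single user retrying their own password never trips the distinct-user
    threshold, which keeps ordinary typos out of the alert.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the burst fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            users = {u for _, u, _ in burst}
            ok_count = sum(1 for _, _, ok in burst if ok)
            if (len(burst) >= min_attempts and len(users) >= min_distinct_users
                    and ok_count / len(burst) <= max_success_ratio):
                flagged[ip] = {
                    "attempts": len(events),
                    "distinct_users": len({u for _, u, _ in events}),
                    "successes": sorted({u for _, u, ok in events if ok}),
                }
                break
    return flagged


def accounts_to_reset(flagged):
    """Accounts that successfully authenticated from a flagged source:
    the ones to lock and force through a password reset."""
    return sorted({u for info in flagged.values() for u in info["successes"]})


if __name__ == "__main__":
    hits = detect_credential_stuffing(SAMPLE_LOG)
    for ip, info in hits.items():
        print(f"{ip}: {info['attempts']} attempts over {info['distinct_users']} "
              f"accounts, {len(info['successes'])} succeeded")
    print("force reset:", accounts_to_reset(hits))
```

Run on the constructed log, the example flags 203.0.113.7 (ten accounts tried in five seconds, two of them opened) and leaves 198.51.100.4 alone, since that is one person failing twice before typing their password correctly. The two accounts that opened from the flagged source are the ones whose owners reused a password leaked elsewhere, which is the mechanism the post describes.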

NuCaptcha: moving letters

A funny technology, where the cat and mouse game is extremely active, is the field of Captcha. Captcha stands for Completely Automated Public Turing test to tell Computers and Humans Apart. In other words, the objective is to make a test that differentiates a human operator from a computer. It is the test of scrambled letters that you have to type to prove that you’re not a robot. For instance, if you want to add a comment on my blog, you’ll have to answer a captcha.

Captchas initially started with a few letters. OCR solved the problem too easily. Then the fonts were distorted, twisted, scratched… And the attackers refined their detection algorithms.

This summer, NuCaptcha proposed a new challenge: you had to identify letters of a given color within a moving text on top of a background. It combined three challenges: identify the color (which may change for each challenge, so you have to identify where the color to detect is defined), extract the text from the background, and then extract the proper letters. In some cases, the background may be animated like a clip. Thus, it seems an interesting challenge.

Interestingly, since August, they have added a few new versions which are branded or advertisement driven. Unfortunately, although they may bring some revenue, these versions have seriously impaired the difficulty of the challenges (have a look at the demo page, and form your own opinion). If you want to use NuCaptcha, I would recommend avoiding the branded or ads versions. Most of the benefits have vanished (at least as they are presented in the demo).

Nevertheless, Captcha is an interesting tradeoff between security and usability.