The S.978 bill

On May 12, 2011, senators KLOBUCHAR, CORNYN, and COONS introduced the S.978 bill to amend the criminal penalty provision for criminal infringement of a copyright as follows:

‘‘(2) shall be imprisoned not more than 5 years, fined in the amount set forth in this title, or both, if—
‘‘(A) the offense consists of 10 or more public performances by electronic means, during any 180-day period, of 1 or more copyrighted works; and
‘‘(B)(i) the total retail value of the performances, or the total economic value of such public performances to the infringer or to the copyright owner, would exceed $2,500; or
‘‘(ii) the total fair market value of licenses to offer performances of those works would exceed $5,000;’’

which means that this type of act is clearly a felony. In the United States, a felony is for serious crimes whereas a misdemeanor is for lesser crimes. A felony carries a risk of more than one year of jail. (It is similar to the French distinction between crime and délit.) The bill also provides some minimal thresholds…

The second set of changes is the systematic addition of public performance to the litigious conditions. Until now, streaming illegal content was not a felony because it often fell under public performance rather than under reproduction or distribution, which were already covered by the law.

In other words, using DDL sites, such as RapidShare or MegaUpload, to illegally stream copyrighted content may become a felony.

The obvious targets are the streaming sites. Nevertheless, the modification may also apply to people who post illegal content on YouTube, or to people who put a link to illegal YouTube content on their web site or page. Terry HART makes an interesting, well-documented analysis of this “side channel” consequence on the copyhype site.

The bill is currently under the scrutiny of the Committee on the Judiciary.

PC game piracy examined

Koroush Ghazi maintains a site, TweakGuides, whose purpose is to help you optimize your PC. One of his biggest focuses seems to be PC games.

He published a long article, “PC game piracy examined”. This paper is excellent. He presents a very balanced, realistic view on piracy, game piracy and especially PC game piracy. His vision encompasses the economic aspects, which makes it realistic. For instance, he explains the lack of games on Mac by the fact that initially the platform was too pirated and the market was too small to yield a ROI.

According to him, piracy harms PC games, because developers may first go to consoles, which are less pirated. Clearly, using a hacked game on a console requires either a modchip or flashing the firmware. All that makes it more difficult for Joe Sixpack and brings some risks (see “Ban under Xray” in security newsletter #18). Therefore, the PC became the preferred platform for pirated games.

He also debunks some myths, such as “DRM generates piracy” or “PC games are dead”…

If you are interested in game piracy, read it. It is really worthwhile.

Thanks to Yves for the pointer.

North Dakota Security Awareness Training

On the site of North Dakota, you may find a security awareness training. It is reasonably good and informative. The targeted audience was North Dakota administration employees. Nevertheless, it can be used by everybody.

You may say: “OK, one more”. And you would be right. What I found interesting is the date of this training: 2001. It is a jump to the past. And ten years later, it is still valid!!! Of course, some new threats are missing, such as removable storage media (for instance USB memories) and the new Internet threats such as phishing, social networks… But the threats that were already present in 2001 are still present in 2011. We have solved none of them, and many new ones appeared.

We rely more and more on IT, and the environment is becoming more and more dangerous. More and more people handle tools that they neither master nor understand. We have to provide better training to increase security awareness. At school, it should be a mandatory training, starting at an early age, so that it becomes a pure reflex.

If in 2021 we look at a security awareness training of 2011, will at least some old threats have disappeared? Medicine succeeded in eradicating some illnesses; why could we not succeed in the same way in security?

Sanitizing SSD

Sanitizing a drive is the action of fully and securely erasing the information on a drive so that there is no means, neither logical (through commands) nor analog (through examination of the stored analog signal), to recover any erased data. This action is well known and mastered for magnetic drives. There are clearly documented software methods and even dedicated ATA or SCSI commands.

What about Solid State Drives (SSD)? SSDs are becoming mainstream. They offer the benefits of speed and low power consumption. Can they be securely erased? WEI, GRUP, SPADA and SWANSON presented a study at Usenix FAST. Their paper, entitled “Reliably Erasing Data From Flash-Based Solid State Drives”, checks whether the methods used for magnetic drives are still valid, and whether the ATA and SCSI commands are effective.

The conclusions are worrying.

For sanitizing entire disks, built-in sanitize commands are effective when implemented correctly, and software techniques work most, but not all, of the time. We found that none of the available software techniques for sanitizing individual files were effective.

In other words, if nobody has done the test before and published it, you cannot be sure. You have to either trust the manufacturer or do the (destructive) test yourself.

Funnily, BELL and BODDINGTON published in The Journal of Digital Forensics, Security and Law a paper entitled “Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?”. Their conclusion was that because SSDs implement automatic garbage collection that erases unused sectors, remnant data would be erased.

Who is right? I would believe the conclusions of the first team. The second team assumes that the forensics team accesses the data through logical commands or means. In that case, yes, data may be erased. On the other hand, the first team directly accesses the physical flash chips, thus bypassing the garbage collection. We may assume that a serious forensics team, being aware of this problem, would rather work directly on the physical components. By the way, forensics teams already do this same type of examination when the hard disk has been deliberately smashed.
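To make the difference between the two teams concrete, here is a toy model of a flash translation layer (FTL), added as an illustration; it is not code from either paper. The geometry (4 blocks of 4 pages), the greedy page allocation, the lazy garbage collection that only reclaims fully stale blocks, and all method names are simplifying assumptions of this example, not a description of any real controller. It shows that after a host-side overwrite the logical reads return zeros (what a forensics tool using normal commands sees) while the old contents survive in stale physical pages (what a chip-off examination sees), that garbage collection removes them only when it happens to reclaim the right block, and that a full erase of every block, the model of a built-in sanitize command, is the only step that reliably removes the remnants.

```python
"""Toy flash translation layer: why overwriting a file does not sanitize an SSD.

Constructed example for illustration. Geometry, allocation and garbage-collection
policies are simplifying assumptions, not the behaviour of any real drive.
"""

ERASED = None  # an erased NAND page holds no data in this model


class ToySSD:
    def __init__(self, blocks=4, pages_per_block=4):
        self.blocks = blocks
        self.pages_per_block = pages_per_block
        # nand[block][page] -> bytes, or ERASED
        self.nand = [[ERASED] * pages_per_block for _ in range(blocks)]
        self.stale = set()      # (block, page) pairs holding superseded data
        self.l2p = {}           # logical page number -> (block, page)
        self.write_ptr = 0      # greedy allocation cursor over all physical pages

    def _next_free(self):
        """Find the next erased physical page (flash pages cannot be rewritten in place)."""
        total = self.blocks * self.pages_per_block
        for i in range(total):
            idx = (self.write_ptr + i) % total
            b, p = divmod(idx, self.pages_per_block)
            if self.nand[b][p] is ERASED:
                self.write_ptr = idx + 1
                return b, p
        raise RuntimeError("no free pages: garbage collection or erase needed")

    def write(self, lpn, data):
        """Out-of-place write: the old physical page is only marked stale, not erased."""
        if lpn in self.l2p:
            self.stale.add(self.l2p[lpn])
        b, p = self._next_free()
        self.nand[b][p] = data
        self.l2p[lpn] = (b, p)

    def read(self, lpn):
        """What the host sees through normal (logical) read commands."""
        b, p = self.l2p[lpn]
        return self.nand[b][p]

    def physical_remnants(self, needle):
        """What a chip-off examination sees: stale pages still holding the needle."""
        return sorted((b, p) for (b, p) in self.stale if needle in self.nand[b][p])

    def garbage_collect(self):
        """Lazy GC: erase only blocks whose pages are all stale (no data copying)."""
        for b in range(self.blocks):
            pages = {(b, p) for p in range(self.pages_per_block)}
            if pages <= self.stale:
                self.nand[b] = [ERASED] * self.pages_per_block
                self.stale -= pages

    def secure_erase(self):
        """Model of a built-in sanitize command: erase every block unconditionally."""
        for b in range(self.blocks):
            self.nand[b] = [ERASED] * self.pages_per_block
        self.stale.clear()
        self.l2p.clear()


def demo(file_pages):
    """Write a constructed secret file, 'shred' it by overwriting with zeros,
    then count remnants after overwrite, after GC and after a full erase."""
    ssd = ToySSD()
    secret = b"SECRET-KEY-0001"          # constructed sample content
    zeros = b"\x00" * len(secret)
    for lpn in range(file_pages):
        ssd.write(lpn, secret)
    for lpn in range(file_pages):         # host-side overwrite of the file
        ssd.write(lpn, zeros)
    logical_clean = all(ssd.read(lpn) == zeros for lpn in range(file_pages))
    after_overwrite = len(ssd.physical_remnants(secret))
    ssd.garbage_collect()
    after_gc = len(ssd.physical_remnants(secret))
    ssd.secure_erase()
    after_sanitize = len(ssd.physical_remnants(secret))
    return {"logical_clean": logical_clean, "after_overwrite": after_overwrite,
            "after_gc": after_gc, "after_sanitize": after_sanitize}


if __name__ == "__main__":
    # A 2-page file leaves a partially stale block that lazy GC never reclaims;
    # a 4-page file fills a whole block, so GC happens to erase its remnants.
    print("2-page file:", demo(2))
    print("4-page file:", demo(4))
```

Run with demo(2) the logical reads are all zeros yet two stale pages still contain the secret, and they are still there after garbage collection; only secure_erase removes them. With demo(4) the file happened to fill an entire block, so garbage collection erased it. Whether remnants survive thus depends on the controller's allocation and reclamation policy, which the host cannot observe, and that is exactly why the file-level software techniques cannot be trusted without a physical test.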

Conclusion: be aware of this risk, at least until SSD manufacturers have agreed on a certification that would prove the effectiveness of the implementation of their sanitize commands.

iTunes Match: the perfect answer to music piracy?

Yesterday, Steve Jobs announced many new things (iOS5, Mac OS Lion, iCloud…). Among them, there is one that interested me: iTunes Match. Here is the description you find on Apple’s site:

If you want all the benefits of iTunes in the Cloud for music you haven’t purchased from iTunes, iTunes Match is the perfect solution. It lets you store your entire collection, including music you’ve ripped from CDs or purchased somewhere other than iTunes. For just $24.99 a year.

Here’s how it works: iTunes determines which songs in your collection are available in the iTunes Store. Any music with a match is automatically added to your iCloud library for you to listen to anytime, on any device. Since there are more than 18 million songs in the iTunes Store, most of your music is probably already in iCloud. All you have to upload is what iTunes can’t match. Which is much faster than starting from scratch. And all the music iTunes matches plays back at 256-Kbps iTunes Plus quality — even if your original copy was of lower quality.

Thus, Apple most probably uses an audio fingerprinting technology that identifies a song, and then offers in iCloud the same song at top quality. Although the site only mentions songs that “you’ve ripped from CDs or purchased somewhere other than iTunes”, in fact it will also work for illegally downloaded songs! In other words, for $25 per year, you switch to the legal side (at least if I understood correctly that the service does not oblige you to purchase the songs).

There is no free lunch (or near free lunch). Where are the limitations?

  • There is an upper limit on the number of songs.

    Limit 25,000 songs. iTunes purchases do not count against limit.

    This is probably not too constraining. 🙂

  • The upgraded songs are accessible as long as you subscribe to the service; if you cancel it, you lose all songs that were not purchased through iTunes.
  • It is not clear to me whether the scanning is done only once, when you subscribe to the service, or continuously. In the first case, you will have to purchase new songs through iTunes to enlarge your collection, in addition to the subscription. In the second case, there is an obvious method to enlarge your collection for only the price of the subscription. You “just” have to download the illegal version of a song, which iTunes Match would then replace with a legal one.

Whatever the answer on the scanning frequency, it is an interesting answer to piracy. Furthermore, it is a marvelous way to lock in customers. Once you start to use such a convenient service, you cannot switch back to a less convenient one. In other words, you’re locked in (see Dan Ariely’s book “Predictably Irrational”).

If someone has the answer to my question, please tell me. It makes a serious difference in the cost analysis for customers.

SF: After the Downfall

“After the Downfall” is a book by Harry Turtledove. In a nutshell, during the last days of WWII, in Berlin, a German non-commissioned officer is magically transferred to a feudal-magical world. There he saves a goddess and joins a war between a supposedly superior blond nation and a supposedly inferior dark, small slave nation. Of course, he starts the war on the side of the Aryan-like nation. But things are not as simple as they look.

The book is a pretext for a lesson about tolerance: that we too often judge people by their appearance, and that our opinion is biased by our environment. Of course, the conclusion goes in the right direction.

Nevertheless, the story is simple and you will quickly guess the optimistic ending. The most interesting part of the book is the evolving point of view of a German soldier who starts to look back on the Russian campaign with a more open mind. The book is an advocacy against racism. But there are far better SF books on this topic with a better story, for instance Ursula Le Guin’s “The Dispossessed”.

I do not recommend this book 🙁 . Turtledove seems to be a very prolific author. He won a Hugo award. If one of my readers has read a Turtledove book that he/she appreciated, please recommend it to me ❓ . Thanks.

Blippy is changing

Last year, I spotted a site, Blippy, that frightened me (Blippy: Do people care about privacy?). Its purpose was to help you share with others what you purchased with your credit cards. I could not believe that such a site existed. What is even worse is that some people used it! They announced 100K subscribers, with 30% sharing their purchases. They raised up to 13 million.

Recently, Techcrunch announced that Blippy changed its product offer. Blippy no longer reports your purchases but lets you post recommendations. That is far safer from the privacy point of view, but is it special?

I was hoping that this change was because people were concerned about privacy. It seems rather that Blippy did not attract enough activity. Perhaps because people were not ready to share this type of information?

PS: In April 2010, Blippy leaked out some credit card numbers of subscribers.