Author Archives: wunderbarb

LittleBlackBox project

Posted on by
Reply

The LittleBlackBox project does host 2,000 SSL public-private key pairs extracted from gateways, routers…
It seems that some manufacturers did use the same SSL key pair for all the instances of a given hardware and firmware. The project attempts to collect the largest collection of such keys together with the details of corresponding firmware and hardware. Once you know the used keys, it is possible to mount a man in the middle attack. This is clearly the aim of this project.

What is difficult to believe is that many devices share a single key pair. Good security practice requests to use a unique key pair per device. Why should a manufacturer use only one key pair? Most probably because it simplifies the manufacturing. Providing an individual key pair for each box is complex (especially in a “hostile” environment such as a factory). Nevertheless, it is an incredible wrong design decision not to do so. Furthermore, manufacturers can even not revoke the leaked keys because else they would also revoke genuine devices!

Good news for Technicolor’s customers, our devices do not have such flaw.

Lesson: There are some economic-driven decisions that should not be allowed to have secure solutions. Security has a price.

Thanks Patrice for the pointer

Piracy is the Future of Television

Posted on by
Reply

This is the provocative title of a study conducted by Abigail De Kosnik from the Convergence Culture Consortium. The author compares the advantages for the consumers between legal offers and the pirate “offer”.

The conclusion is that pirate offer is more attractive than the legal ones, and thus not only because it is free. For instance, the legal offer is divided up among many sites. No one merchant does offer the “complete” catalog of video content, whereas sites such as The Pirate Bay do. Pirate content has no limitation (i.e. DRM) and offer codecs that are universally supported. This is not the case for legal offers. And the list is long:

Single search
Simple indexing
Uniform software and UI
File portability
Freedom from Preempting in the US
Commercial-free

The conclusions are that legal services should take some good ideas from the pirate offer, such as standardize the way to get access to or tos earch content, go immediately to global audience, offer a premium service for personal archives, eliminate the TV set, and charge according to volume usage.

Of course, the study is biased. The study clearly forgets that the pirate offer does not have to comply with copyright laws, commercial agreements, and has not to fund creation of content. It does not take into account economics. Nevertheless, some recommendations are interesting (but not necessarily easy to deploy).

EU Conditional Access Convention to be extended?

Posted on by
Reply

In 2008, the European Union (EU) ratified the (Directive 98/84/ECC) that defines a legal protection for Electronic Pay-Services. The objective was to enable a consistent anti-piracy protection in the EU to allow Pay TV, electronic distribution, and VOD services.

The Council of Europe has proposed a new version so called Conditional Access Convention that should extend to all its members. The Council of Europe has 47 members covering the quasi-entire European continent, plus Russia and Turkey. The EU has proposed to all its members to sign it to bootstrap the ratification process.

Such a wide convention would be useful to fight content piracy, at least in Europe.

INA versus YouTube

Posted on by
Reply

A French court has condemned YouTube to pay INA 150,000€ to INA because YouTube did not put in place any filtering system that would deter posting INA copyrighted content. INA is the French National Institute of Audiovisual. Its mission is to archive all broadcast content from French TV and radio stations.

Interestingly, INA hopes that YouTube will install an efficient fingerprint system to detect INA’s content. INA has developed its own fingerprinting technology: Signature. YouTube uses its own fingerprint technology: ContentID.

Thanks OC for the pointer

Google acquired Widevine

Posted on by
1

Last Friday, Google acquired Widevine for an unknown sum . Widevine is one of the many DRM technology vendors. Widevine was the first company to coin the concept of Virtual Smart Card, which was just a tamper resistant based software.

Clearly, Google is moving in the direction to deliver copyrighted content. Several security-related clues show that:

  • Google announced an initiative for faster action on copyright infringement on YouTube.
  • Yesterday, Google has relaxed the limitations of 15mn for the clips uploaded on YouTube. This limitation was to satisfy the content owners. It was expected that having the movie in slices would be a deterrent. Google announced that their proprietary fingerprinting tool Content ID was becoming better and better. Thus, they were confident to spot illegal content on upload link.
  • Widevine provides Google with a DRM technology, approved by studios, for the delivery of movie. Furthermore, Widevine is one of the DRM technologies approved by UltraViolet (aka DECE). The other approved DRMs are Adobe Flash Access, Marlin, Microsoft PlayReady, and OMA.
    It was wiser to purchase an approved technology rather than build their own because it already got the studios’ blessing.

All these hints show that Google attempts to be nice to content owners. The next NetFlix?

Google looks for a better balance with copyright

Posted on by
Reply

Yesterday, Google announced an initiative: “Making Copyright Work Better Online”. Google announced that in the coming months:

  • They expect to reduce the average answer to legitimate takedown notices to less than 24 hours.
  • In order to balance the two sides of the equation, Google will enhance the “counter notice” procedure that allows users to contest a takedown notice. Google does not give any details on the foreseen enhancements. The “counter notice” procedure of DMCA safe harbor is rather complex.
  • The autocomplete feature should ban any suggestion that would favor piracy. Make the following experiment. Type in the Google research bar HARR. I got as 8th suggestion “Harry Potter 6 streaming”. Of course, it pointed to MegaUpload. That should not happen anymore.
  • Violators of copyright will be baned form AdSense.

It will be interesting to monitor this initiative in the coming months.

Windows Phone 7 jailbreaked

Posted on by
Reply

On November 25, Rafael Rivera, Chris Walsh, Long Zheng published an application, ChevronWP7, that unlocked Windows Phone 7. The objective was to be able to install homebrew applications on this platform. The news very quickly was all over the world.

Today, they have removed ChevronWP7 from the distribution. According to their blog,

Earlier today, we were contacted by Brandon Watson, Director of Developer Experience for Windows Phone 7, to discuss the ChevronWP7 unlocking tool.

Through this discussion, we established a mutual understanding of our intent to enable homebrew opportunities and to open the Windows Phone 7 platform for broader access to developers and users.

To pursue these goals with Microsoft’s support, Brandon Watson has agreed to engage in futher discussions with us about officially facilitating homebrew development on WP7. To fast-track discussions, we are discontinuing the unlocking tool effective immediately.

It is the second time that Microsoft is hit quickly after the launching of their products. Beginning of the month, it was for the Kinect, now for WP7. The reaction of Microsoft is interesting. They started discussion before threatening with DMCA (I am not sure that this type of unlocking would be a safe harbor for the recently granted jailbreaking exception. Any lawyer to give an opinion)

One more exploit on the already long list of unlocked devices! We have a tough job!