The JailBreaking race

Two weeks ago, two vulnerabilities affecting iPads, iTouch devices, and iPhones were disclosed. In a nutshell:

  • A buffer overflow in FreeType allowed arbitrary code execution from specially crafted PDF files
  • An integer overflow in IOSurface allowed gaining system privileges

By combining both exploits, it is possible to take control of the devices. The site JailBreakMe.com used them to easily jailbreak iPhones and iPads. Jailbreaking allows the use of a network operator other than the one locked in by the manufacturer, in the case of Apple, AT&T. Interestingly, since the end of July, jailbreaking is legal in the US.

Apple has just issued new versions that correct these flaws: iOS 3.2.2 for iPads and iOS 4.0.2 for iPhones. This is a good thing, because these vulnerabilities could be used for more than jailbreaking (although Apple may not share the same view of jailbreaking).

UltraViolet

At the end of July, DECE made a new move: the creation of a trademark name that should identify the interoperable products defined by DECE. The trademark is UltraViolet.

For several years, a large consortium of companies known as DECE has been defining the specifications of an interoperable solution for content delivery based on the concept of a digital rights locker. With UltraViolet, DECE starts to educate consumers.

Is UltraViolet already in the shops? No. Will it be soon? I don’t know, but I will let you make your own guess with this quote from the official site about the roadmap.

Ambitious undertakings like UltraViolet take time to be fully deployed in the global market. Keep an eye out as key components are introduced on the “Road to UltraViolet”

The previous site http://www.decellc.com/ now points directly to the new address of UltraViolet.

If you want to learn more about digital rights lockers, meet me and Arnaud Robert (Disney) at the ACM DRM workshop, where we will present a paper describing the basics of rights lockers.

I publish, I think

Je publie, je réfléchis (I publish, I think) is the name of a French Internet site that aims to raise awareness (mainly among young audiences) of the risks of publishing things on the Net. It is designed by the CNIL (the French authority for IT and liberty).

It provides ten good recommendations before publishing, such as:

  • Ask yourself if you would do the same in “real” life
  • Read the terms and conditions of social web sites. This is probably the least realistic one. It is a tough job. Did you do it yourself when, for instance, joining LinkedIn? I confess that I did not.
  • Don’t publish content that may harm the reputation of somebody else
  • Use a pseudonym that you communicate only to your close friends…

Interestingly, the site is linked to a serious game that describes a realistic scenario and gives some hints to avoid the problems. If you have youngsters, send them to this site.

Unfortunately, the site is only in French. Does somebody know an equivalent site in English?

Thanks to OH for pointing me to the site.

Updated on 3 Dec 14: The site is no longer online.

Six new exemptions to DMCA

Wednesday, August 4, 2010

At the end of July, the US Copyright Office and the Librarian of Congress announced six new exemptions that authorize circumventing protection measures as defined by the Digital Millennium Copyright Act (DMCA).

  • It is possible to extract small video sequences from a DVD (protected by CSS) to create a new work, for criticism or educational purposes. In other words, a DVD is treated like a book. Fair use allows citing extracts of books.
  • Making mobile phone applications interoperable with other handsets. This was in theory already covered by fair use.
  • Jailbreaking phones so that they can be used on other carrier networks.
  • Circumventing the protection of video games for the purpose of good-faith testing for, investigating, or correcting security flaws or vulnerabilities; this is good news for security researchers.
  • Circumventing the protection of computer programs protected by dongles if the dongles are faulty or obsolete.
  • eBooks, if no edition allows access to the speak-aloud function or to display in special formats (in the clear, for impaired people)

I don’t know enough about the US regulatory system to assess whether it is equivalent to an evolution of the DMCA or just a recommendation. In any case, it is always the judge who has the final word. Is there any US lawyer who can answer this question?

BOSS

The GIPSA lab of INPG Grenoble is organizing the BOSS (Break Our Stegano System) challenge. Attackers will have access to a database of 1,000 pictures. Half of them carry a hidden payload embedded with a system called HUGO. The payload will be the same for every stego picture. Attackers have the source code of HUGO. The objective is to discriminate, through steganalysis, the stego pictures from the cover pictures.

The challenge is interesting. Newspapers regularly report stories of criminals using steganography to hide messages on the web. In these stories, the attackers (governmental agencies) do not have the advantage of knowing the algorithms used.

BOSS should remind you of BOWS2. The GIPSA lab organized the same type of challenge, but for watermarking.

Security Newsletter #16 is available

The summer edition of the Technicolor Security Newsletter is available.

Our guest is Chris Carey, the CTO of Paramount. He presents the new threats and types of piracy that studios are facing. Extremely interesting.

Stéphane Onno describes some vulnerabilities of deployed embedded devices. Patrice Auffret and Mohamed Karroumi shed some light on the latest attack on OpenSSL. Olivier Courtay and Antoine Monsifrot will introduce you to the basics of Trusted Platform.

I hope that you will enjoy reading it. Do not hesitate to provide feedback.

To subscribe, send a mail to security.newsletter@technicolor.com

From Pirate Bay to Flattr

Flattr is a new Swedish “social network”. The goal of Flattr is to remunerate the creators of content you like on the Net. How does it work?
You have to register and define a monthly sum that you will distribute. Once registered, you can add a flattr button on any of your content (blog, videos, pictures, songs…). When a flattr member likes your content, he pushes the corresponding button. Of course, you do the same. At the end of the month, your monthly sum will be equally shared between the contents you liked. The corresponding value will be credited on the account of each content owner you liked. Let’s suppose that your monthly sum is 2€. If you clicked on 10 buttons, each creator will receive 0.2€. If you clicked only once, the happy creator will be granted 2€. If you did not click, the 2€ will be given to a charity.

It is a nice business model. Flattr takes a fee of 10%. It uses a kind of micropayment.

Some potential issues:

  • It will only work if there is a network effect. For that, they need to have attractive content; in other words, they need to get the buy-in of creators
  • Attractive content? One of the potential issues is the ownership of a piece of content. How to prove ownership? How to prevent people from appropriating copyrighted content?

Why such a cryptic title? Does Sweden not give you a hint? One of the founders is Peter Sunde. Peter Sunde is also one of the founders of The Pirate Bay.

In any case, an interesting initiative to follow.