Security Newsletter #15 is available

The new issue of the Technicolor Security newsletter is available. It comes with a new skin that fits our new branding: Technicolor.

I am proud that our guest was Bruce SCHNEIER. I suppose that I do not need to introduce him. As usual, we sometimes invite people who do not totally share our view. Obviously, Bruce’s position on DRM is not aligned with mine. Nevertheless, exchanging points of view is how the world evolves.

The other topics are the TLS renegotiation vulnerability, a presentation on the free DNS topic, and the last part of the series on forensics.

I hope that you will enjoy reading it.

The next issue is due in June 2010.

Do people care about privacy? Blippy

Privacy is a hot topic. Many people fight to preserve our privacy. On the other side, many people build services that destroy this privacy. In my view, social networks are among the natural predators of privacy.

I came across a new site: Blippy. At first, I thought it was a joke. But no, it is real. And some serious reviewers (such as TechCrunch) appreciated it.

Blippy proposes to display every purchase you make with a given credit card. It provides the details of the transaction: when, where, how much, and what was purchased. The objective is for people to discuss your purchases with you, for instance asking for an evaluation or tips, or giving advice.

Where is the problem? Social engineering! Tell me what you buy, and I will have a far better knowledge of who you are and a rough estimate of your income… If you purchase travel tickets, I will know when you will not be at home… Are the people who subscribe to this site aware of this risk?

Of course, the site has a section about privacy. It is worth reading!

Would you enroll on such sites?

Privacy notices as “Nutrition” Label

Reading privacy notices on online sites is a difficult task. Currently, they are displayed as lengthy textual pages full of legal mumbo-jumbo. How many brave people try to complete this unpleasant reading? I suppose that, except for privacy lawyers, almost nobody does.

As a consequence, people give up their privacy and accept the privacy rules without knowing what they are.

Led by Lorrie Cranor, a team of researchers from Carnegie Mellon proposes, in a paper to be presented at CHI10, an interesting approach: let’s display the privacy policy in a way similar to nutrition labels.

We are now all familiar with nutrition labels that let you check carbs, proteins… (at least if you are concerned about your figure and/or health). They propose a table whose rows list the data that may be collected and whose columns list the potential uses. Each cell carries one of five color codes: will use, opt in, opt out, will likely not use, will not use.

They compared different forms of policy displays. Guess what? The standardized privacy label won.

This proposal is clearly progress. Now, a more worrying question: how many people would choose their social network depending on its privacy policy? How many people would refuse to join the latest hot, need-to-be-there social network because of privacy issues? I’m afraid not so many.

Nevertheless, people would have at least the possibility to choose. This would be better than the current situation.

Other country, other views

Last week, I reported that Nintendo succeeded in suing an Australian retailer of R4.

Unfortunately for Nintendo, it is not always as straightforward in other countries. Recently, Nintendo experienced a reversal in France. In 2009, Nintendo prosecuted six French retailers, among which Assentek. On 3rd December 2009, the Parisian Tribunal de Grande Instance (TGI) nonsuited Nintendo. This sets a legal precedent making the sale of linkers, such as R4, legal.

On 9th December, both Nintendo and the state prosecutor appealed against this decision. Thus, we will have to wait for the final decision.

Assentek provides an interesting press review.

It is always surprising that two countries do not perceive piracy in the same way. One of the difficulties is that there is no harmonization of copyright and trademark laws.

DPA contest V2

Since the seminal work of Paul KOCHER (founder of CRI), side channel attacks have challenged many cryptographers and implementers. In a nutshell, side channel attacks use side information to guess secret keys. A simplified explanation: imagine that your AES implementation takes longer to process a “1” bit of the secret key than a “0” bit; by measuring the processing time, you may guess the secret key (without any intrusion). This is called a timing attack. Other side channels are available, such as power consumption or electromagnetic emissions. Side channel attacks are devastating.

There is no standard way to compare the efficiency of different side channel attacks. Under the initiative of Telecom Paris Tech, the DPA contest aims to benchmark these attacks.

The second edition, DPA contest V2, allows different teams to compare their respective Differential Power Analysis (DPA) attacks against an unprotected AES implementation. Results will be presented at an upcoming crypto conference.
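To make concrete what the two paragraphs above describe, here is an added example (not from the DPA contest or from Telecom Paris Tech) of a Kocher-style difference-of-means DPA run against constructed power traces of an unprotected AES first round. The leakage model, the noise level and the key byte 0x2B are assumptions; the traces are generated inline so the example runs offline, and it shows why an implementation without masking or hiding countermeasures gives its key away from a few hundred traces.

```python
import random

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)   # reduce when bit 7 overflows
        b >>= 1
    return r

def build_sbox():
    """Derive the AES S-box: multiplicative inverse followed by the affine map."""
    sbox = []
    for x in range(256):
        inv = 1
        for _ in range(254):              # x^254 == x^-1 in GF(2^8); 0 stays 0
            inv = gf_mul(inv, x)
        s = inv
        for i in range(1, 5):             # affine transform: XOR of four rotations
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = build_sbox()

def simulate_traces(key_byte, n, sigma=1.0, seed=1):
    """Constructed traces (assumption): one sample per encryption, modelling the
    power drawn by the first-round S-box output as its Hamming weight plus noise."""
    rng = random.Random(seed)
    pts, samples = [], []
    for _ in range(n):
        p = rng.randrange(256)
        pts.append(p)
        samples.append(bin(SBOX[p ^ key_byte]).count("1") + rng.gauss(0, sigma))
    return pts, samples

def dpa_recover_key_byte(pts, samples, bit=0):
    """Difference-of-means DPA: for each key guess, split the traces on the predicted
    value of one S-box output bit; only the right guess yields a clear mean gap."""
    best_guess, best_gap = None, -1.0
    for guess in range(256):
        pred = [(SBOX[p ^ guess] >> bit) & 1 for p in pts]
        ones = [s for b, s in zip(pred, samples) if b]
        zeros = [s for b, s in zip(pred, samples) if not b]
        gap = abs(sum(ones) / len(ones) - sum(zeros) / len(zeros))
        if gap > best_gap:
            best_guess, best_gap = guess, gap
    return best_guess
```

With 1000 noisy traces the correct guess shows a mean gap close to 1 (the selected bit contributes one unit of Hamming weight) while every wrong guess stays near 0; the same code, run on the contest's real traces, is what each team's ranking would be measured against.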

Nintendo fights R4 piracy

There are many ways to fight piracy. There are technical means, where you try to design your system to be “unbreakable” or update it to render the current circumvention solutions ineffective. Or you may use legal means, where you sue the pirate.

In its fight against R4, Nintendo uses both methods. R4 cards (and R4i) are among the most popular cards for pirating the Nintendo DS (and Nintendo DSi). The card is inserted in the cartridge slot in place of the legitimate game. You download the games (so-called ROMs) from the Internet, store them on a standard flash memory card, and there you go. In other words, you can find on the Internet about all (if not all) of the published games and run them for free on your DS with the R4. The price of these cards being ridiculously low, you may guess their huge success. I must confess that, at least in France, R4 is rather successful.

Nintendo has attempted (and is currently attempting) several ways to thwart R4, unfortunately without great success.
But they are successful on the legal battlefield. In February, Nintendo got GadgetGear, an Australian company, to pay A$620,000 (about 414K€ or 567K$) in damages. Since 2008, Nintendo has pursued more than 800 actions against resellers. Fighting local resellers is a good strategy if it generates frightening examples. Given how easy it is to find local resellers on the Internet, it seems that Nintendo needs more successful trials to scare the resellers, who are still operating rather openly.

For more details, see the press release.

Game security is really a tough job.

UBISOFT re-torpedoed

The use of a new type of DRM for its new games “Silent Hunter 5” and “Assassin’s Creed II” raised a violent reaction against Ubisoft. The software was cracked in less than 24 hours.

But this time, the story did not stop there. Last week, Ubisoft was under a serious Denial of Service (DoS) attack. Thus, the legitimate gamers were not able to play! These games require an online connection not only for the initial authentication but also to save the game! It seems that this weekend a new salvo of DoS attacks was launched from Russia against Ubisoft’s servers. These DoS attacks make the hacked version more attractive (that’s the limit!).

Furthermore, some players confirmed on forums that the hacked game was complete (which initially Ubisoft denied).

Lesson: when designing a DRM, we should check what happens if some parts of the context or environment fail (such as the network connection). The impact should be minimal for the legitimate customer.