Are watermarked screeners too expensive?

Screeners are copies of a movie that are sent to reviewers or to members of an award jury. The favored format is DVD. Unfortunately, DVDs offer no real protection against copying. The usual procedure is therefore to watermark each screener with an individual, invisible mark, so that if a copy ever leaks, it can be traced back to its recipient.

According to /Film, Sony Pictures considered this operation too expensive and thus decided not to support its movie "Moon" for the Oscars. Ironically, the movie is already available on DVD and Blu-ray.

Is the story finished?

Thanks to Olivier for the pointer.

Rights Locker

The CES period is always an interesting time because many initiatives are announced or present their progress. In the field of DRM, two interesting news items:

Disney starts to unveil more about its KeyChest technology. CNBC presented the following spot.

At the same time, DECE issued a press release presenting its latest milestones. In a nutshell, DECE has:

  • defined a common file format (according to the FAQ, it seems to be compliant with Microsoft's PIFF),
  • selected a company that will host the rights locker,
  • and announced that five DRMs will support it (Adobe, Marlin, Microsoft PlayReady, OMA and Widevine).

Both KeyChest and DECE rely on the new concept of a rights locker. In very simplistic terms, a rights locker is a database that stores the usage rights a customer has purchased. This database is meant to be shared by content distributors. The promise is that if you purchase one piece of content, it may be played back (if your purchase entitles you to it) on any of your devices (or at least on the devices compliant with this rights locker), independently of the DRM used by each device. In other words, the usage rights are bound to a customer rather than to his or her devices.

This is great progress in electronic content distribution. One of the strongest complaints of customers is the lack of interoperability between DRMs. This is an answer.

Without doubt, this blog will come back to the topic of rights lockers in the future.

An original way to mark text

Amazon has filed an interesting patent titled "System and method for marking content". The idea is rather simple: build a dictionary of synonyms, then, to uniquely mark a piece of textual content, replace a set of selected words with chosen synonyms. Of course, the patent explores all the alternatives, but in a nutshell this is the main idea.

For fun, here is the first claim:

1. A system, comprising: a processor; and a memory comprising program instructions, wherein the program instructions are executable by the processor to: receive a request for particular content; extract a copy of the requested particular content from a content collection, wherein the particular content includes textual data; substitute a synonym for each of one or more selected words in the textual data of the copy, wherein to substitute a synonym for each of one or more selected words, the program instructions are further executable by the processor to: access a synonym database comprising a plurality of key words, wherein each key word is associated with one or more synonyms in the synonym database; and select a particular synonym to substitute for a particular selected word in the textual data of the copy from one or more synonyms associated with a key word in the database that matches the particular selected word in the textual data of the copy; and return the copy with the substituted synonyms in response to the request.

Does it work? For a watermark, there are typically three parameters to examine:

  • Transparency: There are some issues. First of all, it probably is not applicable to literature: synonyms are rarely perfect, and authors may not accept modifications of their text. Nevertheless, for many texts, and for non-purist readers, it may be rather transparent, although I am not sure there would be no readable artifacts.
  • Robustness: It is obviously easy to detect some of the substitutions. If the content is not integrity-protected, it is rather easy to wash the mark or to forge a differently marked copy. If the purpose is to fight piracy (such as illegal redistribution), it will not work: the hacker will remove the integrity protection and substitute the words again.
  • Payload: This depends on the length of the text and on the variety of the vocabulary used.

It is an interesting approach, although not a robust one. In some specific contexts, it may be of interest.
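To make the three parameters concrete, here is an added example (my own code, not Amazon's implementation and not from the patent) of the scheme in its simplest form. The design is an assumption: a small synonym database maps a key word to an ordered list of alternatives, and the i-th markable word in reading order carries bit i of the payload by picking alternative[bit]. The dictionary, the sample sentence and the customer identifiers are all constructed for the example. The same `embed` function that marks a copy for customer 22 also lets an attacker re-mark it for customer 9 or wash it with random choices, which is the robustness problem discussed above.

```python
"""Synonym-substitution watermark: added example, not Amazon's code.

Assumed (hypothetical) design: a synonym database maps a key word to an
ordered list of alternatives; the i-th markable word in reading order
carries bit i of the payload by selecting alternative[bit]. Extraction
only needs the same database, which is also what makes washing and
forging easy for anyone who can edit the text."""
import random
import re

# Constructed synonym database (key word -> ordered alternatives).
# Alternative 0 encodes bit 0, alternative 1 encodes bit 1.
SYNONYMS = {
    "big": ["big", "large"],
    "quick": ["quick", "fast"],
    "begin": ["begin", "start"],
    "buy": ["buy", "purchase"],
    "show": ["show", "display"],
}
# Reverse index: alternative -> (key word, bit it encodes).
_REVERSE = {alt: (key, bit)
            for key, alts in SYNONYMS.items() for bit, alt in enumerate(alts)}
_WORD_RE = re.compile(r"[A-Za-z]+")

# Constructed sample text; it contains exactly five markable words.
SAMPLE_TEXT = ("Please begin the quick tour and buy the big bundle; "
               "we will show the results.")


def capacity(text):
    """Payload size in bits: one bit per word found in the database."""
    return sum(1 for m in _WORD_RE.finditer(text) if m.group(0).lower() in _REVERSE)


def _substitute(text, choose):
    """Rewrite every markable word with choose(key, original_word)."""
    def replace(m):
        word = m.group(0)
        entry = _REVERSE.get(word.lower())
        if entry is None:
            return word
        new = choose(entry[0], word)
        return new.capitalize() if word[0].isupper() else new
    return _WORD_RE.sub(replace, text)


def embed(text, bits):
    """Mark text with bits (one per markable word, in reading order)."""
    if len(bits) > capacity(text):
        raise ValueError(f"text carries {capacity(text)} bits, payload needs {len(bits)}")
    it = iter(bits)

    def choose(key, word):
        try:
            return SYNONYMS[key][next(it)]
        except StopIteration:
            return word  # payload exhausted: leave the rest untouched
    return _substitute(text, choose)


def extract(text, nbits):
    """Recover the first nbits payload bits from a (possibly edited) copy."""
    bits = []
    for m in _WORD_RE.finditer(text):
        entry = _REVERSE.get(m.group(0).lower())
        if entry is not None:
            bits.append(entry[1])
            if len(bits) == nbits:
                break
    return bits


def wash(text, seed):
    """Attacker's washing step: re-pick every markable word at random."""
    rng = random.Random(seed)
    return _substitute(text, lambda key, word: rng.choice(SYNONYMS[key]))


def id_to_bits(value, nbits):
    """Big-endian bit list of a customer identifier."""
    return [(value >> (nbits - 1 - i)) & 1 for i in range(nbits)]


def bits_to_id(bits):
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


if __name__ == "__main__":
    marked = embed(SAMPLE_TEXT, id_to_bits(22, 5))
    print(marked)                                 # customer 22's copy
    print(bits_to_id(extract(marked, 5)))         # 22
    forged = embed(marked, id_to_bits(9, 5))      # attacker frames customer 9
    print(bits_to_id(extract(forged, 5)))         # 9
    print(wash(marked, seed=1))                   # mark destroyed
```

The `capacity` check is the payload limitation: five markable words carry five bits, so a sentence this short cannot distinguish more than 32 recipients. Transparency is whatever the dictionary allows, and robustness is nil as soon as the attacker has a comparable dictionary and can edit the text.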

Thanks to JJQ for pointing me to this patent.

Bourse aux Technologies 2009

The IE club (a network of entrepreneurs), Seventure Partners (a VC firm) and Institut Telecom (a group of engineering schools) organize a technology fair each year. This year's theme was security.

I was invited to give the opening presentation of the panel. My presentation was "Sécurité et Success Stories : quelques leçons" ("Security and Success Stories: a few lessons"; sorry, it is in French).

Of course, the key event is the demonstration of a set of technologies. The goal is for entrepreneurs to find a technology they could promote or use in their products.

Many demonstrators were promising. My selection:

  • Analysis of software vulnerabilities; all the demonstrated technologies were limited to static analysis
  • Analysis of information flows in embedded devices
  • Secure storage of files using P2P, based on access control
  • Hardware-based true random number generator
  • Smart card emulation for the simulation of fault injection

The last two were extremely technical but probably have a very narrow market (secure IC manufacturers, who were not present).

Both the panel and the demonstrations showed that France is still one of the homes of serious security.

Articulating The Business Value Of Information

I read a recent report from Forrester Research: "Articulating The Business Value Of Information" by Khalid Kark.

According to this report, security adds value in five areas:

  • Reputation: Security protects your brand equity
  • Regulation: Security reduces the cost of meeting IT regulatory mandates
  • Revenue: Security protects existing revenue streams and helps generate new ones
  • Resilience: Security ensures your business functions even during adverse conditions
  • Recession: Security affects the top line and the bottom line of the business

Khalid proposes ten tricks to change security's image. The following are my favorites:

  • Redirect the conversation away from threats and toward risks
  • Make security processes transparent
  • Focus more on value articulation and less on return on investment (ROI)

The report contains nothing revolutionary. All of it is well known to practitioners, but it has the merit of listing and presenting the arguments in one place. Hopefully you will find a few more arguments there for the next time you have to negotiate a security-related budget.

H1N1 and social engineering

Spammers are becoming extremely good at social engineering. The latest one I received is very clever.

From: Centers for Disease Control and Prevention [674651373med@cdcdelivery.gov]
To: *Security Reporting
Subject: Create your personal Vaccination Profile

You have received this e-mail because of the launching of State Vaccination H1N1 Program.
You need to create your personal H1N1 (swine flu) Vaccination Profile on the cdc.gov website. The Vaccination is not obligatory, but every person that has reached the age of 18 has to have his personal Vaccination Profile on the cdc.gov site. This profile has to be created both for the vaccinated people and the not-vaccinated ones. This profile is used for the registering system of vaccinated and not-vaccinated people.
Create your Personal H1N1 Vaccination Profile using the link:

create personal profile

This mail is damned clever:

  • First of all, it uses a basic fear motivation, the swine flu, and the current news, vaccination.
  • Then a pinch of truth ("The Vaccination is not obligatory") followed by the trick ("every person that has reached the age of 18 has to have his personal Vaccination Profile on the cdc.gov site"). Whether you get vaccinated or not, you have to register!
  • Of course, the CDC exists, and so does the site cdc.gov. The address behind the link, of course, does not point to cdc.gov but to a .im domain. This TLD belongs to the Isle of Man, but any individual can register a name under it.
  • Grammar and spelling are OK (at least to me), which is often not the case.
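The third point is the one a mail filter or an analyst can check mechanically: does the link go where the mail says it goes, and does the sender's domain match the organization the mail names? The check below is an added example (my own code, not from the original post or from any vendor). The message is constructed from the mail quoted above; the sender address is the one shown in the quoted headers, while the link target is a placeholder host under the reserved `.example` TLD, not the .im domain the real campaign used. The heuristic derives the "claimed" domains from the visible text (here, cdc.gov) and flags the sender domain and every link that falls outside them, plus any anchor whose displayed domain differs from its href.

```python
"""Link/sender consistency check for a lure like the one above. Added
example, not code from the original post. SAMPLE_MAIL is constructed from
the quoted mail; the link target is a placeholder under the reserved
'.example' TLD (RFC 2606), not the domain the real campaign used."""
import email
import email.utils
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_MAIL = """\
From: Centers for Disease Control and Prevention <674651373med@cdcdelivery.gov>
To: security-reporting@example.org
Subject: Create your personal Vaccination Profile
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>You need to create your personal H1N1 (swine flu) Vaccination Profile on
the cdc.gov website.</p>
<p>Create your Personal H1N1 Vaccination Profile using the link:</p>
<p><a href="http://cdc-profile.example/h1n1/profile.php">create personal profile</a></p>
</body></html>
"""

# Something that looks like a host name inside free text, e.g. "cdc.gov".
_DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible anchor text) for every <a>, plus all visible text."""
    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a host. Adequate for .gov/.com/.im; wrong for
    multi-label suffixes such as .co.uk (use the public suffix list there)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse(raw_mail):
    """Return sender domain, domains the mail names, its links and findings."""
    msg = email.message_from_string(raw_mail)
    sender = email.utils.parseaddr(msg["From"])[1]
    sender_domain = registrable(sender.rsplit("@", 1)[-1])
    parser = _LinkCollector()
    parser.feed(msg.get_payload())
    # The domains the mail names in its visible text are what it claims to be.
    mentioned = {registrable(d) for d in _DOMAIN_RE.findall(" ".join(parser.text))}
    findings = []
    if sender_domain not in mentioned:
        findings.append(f"sender domain {sender_domain} is not one the mail names {sorted(mentioned)}")
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if registrable(host) not in mentioned:
            findings.append(f"link '{text}' goes to {host}, outside {sorted(mentioned)}")
        # Display/destination mismatch: anchor text shows one domain, href another.
        for shown in _DOMAIN_RE.findall(text):
            if registrable(shown) != registrable(host):
                findings.append(f"anchor text shows {shown} but href goes to {host}")
    return {"sender_domain": sender_domain, "mentioned": sorted(mentioned),
            "links": parser.links, "findings": findings}


if __name__ == "__main__":
    for finding in analyse(SAMPLE_MAIL)["findings"]:
        print("SUSPICIOUS:", finding)
```

On the sample this yields two findings: the sender domain cdcdelivery.gov is not cdc.gov, and the only link leaves cdc.gov entirely. Both are exactly the cues Joe Average's reptilian brain skips over. The `registrable` helper is deliberately crude; a production filter would use the public suffix list and would also resolve redirectors.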

When such a mail arrives in a non-personal mailbox, there is no doubt that it is malware. But will Joe Average detect it as such? Will he not follow the initial reactions of his reptilian brain (flu = fear, CDC = authority...)?

Social engineering is definitely a dangerous weapon.

[Update, 3 Dec: The news about this malware is everywhere on the blogosphere. Here are more technical details: http://blog.appriver … tribute-malware.html ]