Will Quantum cryptography become mainstream?

Siemens SIS has teamed up with the Swiss company id Quantique to offer a key exchange protected by quantum cryptography over dark fiber. (See id Quantique and Siemens collaborate to commercialize Quantum Key Distribution in the Netherlands)

Quantum cryptography has the intrinsic property of being robust against eavesdropping. According to Heisenberg, observing an electron changes its spin: the observation disturbs the state that carries the key bit. This makes (in theory) unnoticed interception impossible, and thus the exchange extremely secure.
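To make the mechanism behind this claim concrete, here is an added simulation of the BB84 key exchange (example code written for this page, not the post's own code nor id Quantique's product). An intercept-resend eavesdropper who measures each photon in a randomly chosen basis disturbs about half of them, which pushes the error rate on the sifted key to roughly 25%; the two parties notice this by comparing a sample of their key. The 11% abort threshold is an assumed, commonly cited value.

```python
import random

# Simplified BB84 simulation. Bases: 0 = rectilinear (+), 1 = diagonal (x).
# Measuring a qubit in the wrong basis yields a uniformly random bit and leaves
# the qubit in that basis: this is the "observation disturbs the state" effect.

def measure(bit, prep_basis, meas_basis, rng):
    """Outcome of measuring a qubit prepared as `bit` in `prep_basis`."""
    if prep_basis == meas_basis:
        return bit            # same basis: the encoded bit is read back exactly
    return rng.randrange(2)   # wrong basis: outcome is random, state is disturbed

def bb84(n, eavesdrop, seed=1):
    """Run a BB84 exchange over n photons; return (sifted key length, error rate)."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.randrange(2) for _ in range(n)]
    bob_bases = [rng.randrange(2) for _ in range(n)]
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            # Intercept-resend eavesdropper: measures in a random basis and re-sends
            # the photon prepared in that basis. Half the time the basis is wrong,
            # so the re-sent photon no longer carries Alice's state.
            e_basis = rng.randrange(2)
            bit = measure(bit, a_basis, e_basis, rng)
            a_basis = e_basis
        bob_bits.append(measure(bit, a_basis, b_basis, rng))
    # Sifting: keep only positions where Alice and Bob happened to use the same basis.
    sifted = [(a, b) for a, b, ab, bb in zip(alice_bits, bob_bits, alice_bases, bob_bases)
              if ab == bb]
    errors = sum(1 for a, b in sifted if a != b)
    return len(sifted), (errors / len(sifted) if sifted else 0.0)

def eavesdropper_detected(error_rate, threshold=0.11):
    """Abort (discard the key) when the quantum bit error rate exceeds the threshold.
    The 11% value is an assumed, commonly cited BB84 threshold."""
    return error_rate > threshold

if __name__ == "__main__":
    for eve in (False, True):
        n, qber = bb84(20000, eve)
        print(f"eavesdropper={eve}: sifted={n} QBER={qber:.3f} "
              f"detected={eavesdropper_detected(qber)}")
```

Without an eavesdropper the sifted key has no errors; with one, the error rate sits near 25%, far above the threshold, so the key is discarded before any secret is leaked.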

It is one of the first large-scale commercial initiatives. The offer is currently limited to the Netherlands and costs about $80,000 for a pair of boxes. Thus, it is not yet there to protect your personal mail.

But the future is drawing nearer.

Rovi

Macrovision changed its name. It is now Rovi. But the commercial offer did not change. Historically, Macrovision started with an analog copy protection scheme. The objective was to prevent duplication of tapes or DVDs by analog recorders. Since then, they have added many other systems.

See Rovi

Seven good security questions

We just received the Autumn issue of 2600 The Hacker Quarterly. I love this magazine for two reasons. Some of the articles are good. But more importantly, this magazine gives a vision of the mindset of hackers, or at least I should say the Hackers. By Hackers with a capital H, I mean the guys who want to use the gimmick in a way different from the one intended by the designers. Sometimes, you also discover security vulnerabilities that seem so obvious that you would not dare to test them (see the short paper Free DirecTV by outlawyr).

Sometimes, you also find papers written by authors without warname pseudonyms, who dare to give their email address. These papers have another tone (the type of tone you would find in the French MISC magazine).

In this issue, John Bayne presented a comparison between SSL and DNSSEC. Or at least, he compared only the management of certificates. The interesting part was not so much the result of the match (SSL won!) but the set of criteria he used. He asked interesting questions that could be used to evaluate any IT security system.

  • 1- How is trust implemented?
  • 2- How strong are the algorithms that are in use?
  • 3- Does the technology provide true end-to-end security?
  • 4- How clear is the warning that the technology presents to the users?
  • 5- How easy is it to implement a centralized policy for the technology?
  • 6- How widespread is the technology?
  • 7- How broadly will the technology protect you?

Gold farming

Tuesday, October 6, 2009

Gold farming is one of the worst plagues of online games. It is the generic name for techniques used to generate real money from services or from the sale of virtual goods in metaverses and online games such as World of Warcraft (WoW).

An example of such services is eastern players who foster another player’s character in order to increase its experience. This allows the character to grow even when its actual “owner” is not connected.

For most online games, the rules of conduct ban these practices. Nevertheless, a very active ecosystem has grown around these games.

Why is gold farming forbidden? There are several reasons:

  • Some people worry that it could be used for money laundering.
  • Some countries are nervous about the growing weight of an unregulated virtual currency that would compete with real currency. This is the case, for instance, in China.
  • It is unfair to players and is considered a form of cheating. If you can purchase a valuable artifact for real money, you distort the game.
  • It consumes many resources. As an illustration, in June EVE Online cut off the 2% of accounts that were participating in gold farming. This resulted in a 30% drop in server resource usage, because the automated tools behind those accounts were no longer active.

Gold farming has a strong impact on the future of an online game. Too much gold farming may increase the feeling that the game is no longer fair (thus making it less attractive) and may clog the servers (thus reducing the quality of the user experience). This may drastically reduce the profitability of the game. Thus, game providers will fight it by all means.

Unfortunately, there is a lot of money at stake, so gold farmers will be creative in order to “survive”. Money is a strong incentive for piracy. Furthermore, I’m not sure that it is illegal (except as a violation of the rules of conduct).

VC2 and AMEX

The Visual Cryptogram 2 (VC2) was created by VISA in 2005 to protect against online fraud. The VC2 code is the three-digit number printed on the back of your credit card. The rationale of VC2 is that to access this code, you need to have the card in sight. I always thought that the rationale for printing it on the back was to avoid camera capture used together with card skimmers (see for instance http://www.darknet.o … ut-atm-hacking-tips/).

It seems I was wrong, or at least that AMEX does not fear this type of skimmer. AMEX also uses a visual cryptogram. But AMEX’s VC is four digits long and printed on the front of the credit card. I do not understand the rationale for using a different scheme (different size, different location). In fact, I learned it the hard way. When using my AMEX online for the first time, I used the three digits on the back of the card. There was one! And of course, it did not work.

Does somebody have a clue?

Ustream sued by boxing star

The live streaming site Ustream has been sued by Black Ring Inc, the company owned by boxer Roy Jones Jr. Black Ring claims that Ustream allowed about 2,377 people to view a boxing event free of charge. The event was available live as a pay-per-view event. Furthermore, Black Ring complains that Ustream did not cooperate in collecting information about the claimed infringement.

According to TechCrunch, Ustream believes that it makes the right effort to comply with copyright rules.

Detecting, in real time, the live rebroadcast of live events is tough work. To be efficient, it requires several elements:

  • 1- A way to monitor most of the live streaming sites and also P2P streaming torrents
  • 2- A way to detect the infringing content
  • 3- A way to send a take-down notice to the site in real time
  • 4- A procedure at the streaming site to quickly check the legitimacy of the take-down notice
  • 5- Taking down the stream

Element 2 is a tough issue. Watermarking may be a solution if the watermark is unique to the event. But you cannot expect to run the detector on every currently streaming event; you have to make a first selection.

Element 4 is also tough. As an operator, you would rather be sure not to take down legitimate streams.

But the worst is this: what prevents the pirate from starting a new stream once the first one has been taken down, and notifying the viewers of the new “coordinates”? For instance, Indian pirates play that cat-and-mouse game during broadcasts of cricket games. The pirates have several set-top boxes ready. They use a first one to rebroadcast illegally. Once the broadcaster has identified the box (by displaying the ID of every box on screen and blacklisting the infringing one), the pirates switch to a new set-top box. It is a nice business.

Thus, stopping the rebroadcast of live events in real time may be a tough challenge.

Amazon apologizes

In July, Amazon erased some copies of Orwell’s books for copyright reasons. Immediately afterwards, the CEO apologized. Going one step further in its mea culpa, Amazon is offering to download a new version of the erased books (this time with proper copyright) or a $30 refund. The people who had their book erased received the following mail:

“As you were one of the customers impacted by the removal of ‘Nineteen Eighty Four’ from your Kindle device in July of this year, we would like to offer you the option to have us re-deliver this book to your Kindle along with any annotations you made,” read an e-mail letter to affected Kindle users late last week. “You will not be charged for the book. If you do not wish to have us re-deliver the book to your Kindle, you can instead choose to receive an Amazon.com electronic gift certificate or check for $30.”

Two people are already suing Amazon over this deletion. They claim that they will not drop the case.

Amazon has just done the right, smart thing. Nevertheless, I have no doubt that this event will often illustrate the grievances of DRM opponents.