Is French HADOPI law dead? (9)

Despite the negative ruling of the French Constitutional Council, the French government has decided to launch the HADOPI. Thus, this authority may use the first two levels of the graduated response:

  • sending e-mails to suspected infringers
  • sending a registered cease-and-desist letter in the event of a second offence.

Of course, HADOPI will not be able to escalate to the last level: banning the user from the Internet. For this last level, there were essentially two options (if the same repressive strategy is kept):

  • Ask a judge to pronounce the Internet ban. This route would have cost more time and money.
  • Define another penalty

The government has chosen this second strategy. It will propose new penalties for infringers. I am not sure that it solves the second issue raised by the French Constitutional Council, i.e., that HADOPI has to prove guilt.

Until the penalties are defined (and approved by the Chambers), the French graduated response may not frighten many P2P sharers.

Thus, the story continues…

Is French HADOPI law dead? (8)

Last month, the French Chambers approved the law “Internet et Création”. This law creates HADOPI, the administrative authority in charge of the French graduated response.

About 60 deputies referred the law to the French Constitutional Council. Was the law constitutional? The Council provided the answer today.

In short, articles 5 and 11 are unconstitutional, for two main reasons:

  • The French Declaration of the Rights of Man guarantees the citizen's right to free speech. The Council considers that today the Internet is one of the essential means of exercising free speech. Only a judge, not an administrative authority, can restrict this right.
  • The French Constitution requires the presumption of innocence, which means that guilt has to be proven. The law inverted this principle: the Internet user had to prove his or her innocence. This is unconstitutional.

In view of these two points, the French Constitutional Council ruled that articles 5 and 11 were unconstitutional.

Thus, the story continues…

Ten laws of security

You may know that my team has defined ten laws of security. They are an extremely useful tool, and we use them daily as heuristics. Of course, we are not the only ones to have such rules. Thus, I decided to start collecting sets of ten security rules.

Here is my first set.

1. Technology is not a panacea
2. If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore.
3. If a bad guy can alter the operating system on your computer, it’s not your computer anymore.
4. If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.
5. If you allow a bad guy to upload programs to your web site, it’s not your website anymore.
6. Weak passwords trump strong security
7. A machine is only as secure as the administrator is trustworthy
8. Encrypted data is only as secure as the decryption key
9. An out-of-date virus scanner is only marginally better than no virus scanner at all
10. Absolute anonymity is not practical in real life or on the web.

I found them in a tutorial about ethical hacking. In fact, it seems that they come from Microsoft. Thus, if somebody can provide me with a pointer to the original source, I would be glad.

These rules clearly have a computer and IT scope. They are interesting, and some of them have similarities with ours. Their law 1 looks like our law 10 (Security is not a product but a process). Law 6 is a case of our law 7 (Security is not stronger than its weakest link). Law 7 is an example of our law 6 (You are the weakest link). Law 8 is an illustration of Kerckhoffs’ law.

Laws 2 to 5 are true. They nicely describe the extreme context assumed in software protection. Unfortunately, it is too often the reality, and this is why software protection is difficult. Laws 3 and 4 describe the basic environment of any DRM system: the potential bad guy owns and controls the host (in fact, it is his machine).

If you know other sets of ten security rules, please forward them to me to complete my collection.

New successful media = new threats

Web 2.0 is extremely active. New usages and new tools appear very quickly, and some of them are extremely successful. One of the most successful at the moment is Twitter. If you do not have both a Facebook/MySpace account and a Twitter account, you’re a dinosaur. (This is my case.)

Thus, Web 2.0 is evolving extremely fast. The only thing that evolves faster is the cracking community. The more successful the new service, the more attractive a target it is for crackers.

There are already some worms dedicated to Twitter. The latest one (30 May) is the “best video” from http://juste.ru. The Twitter user who clicks on the link inside the message is taken to this site, which then infects the host computer and steals Facebook and Twitter credentials. With these credentials, it sends the spam message to your friends, who trust you. It is spreading fast. Here are Twitter’s recommendations:

No matter how good that “best video” looks, don’t go to any juste.ru domains. We’re aware of the situation and are working on it.

Update: We do not believe that anyone’s personal information was compromised as a result of this outbreak; suspended accounts should be cleaned and restored soon.

Once more, the same old tricks based on social engineering. A site is not harmless just because the link to it comes from Twitter. People should stop clicking on links without knowing what is behind them (just as they should not open files they do not know).

New media simply open new highways for attacks, and crackers immediately use these nice unprotected avenues.

SF: L’agent des ombres

I started this saga by Michel Robert. It is awfully disappointing. The hero is a superhero with superpowers, extremely powerful, in the middle of a battle between the forces of Light, the forces of Darkness and the forces of Chaos. No major flaw. I hate this type of hero. They are not interesting.

As a superhero working for Chaos, I prefer Elric of Melniboné the Necromancer. Funnily, the hero has a dagger with a special power that he does not control. This looks far too much like Stormbringer, Elric’s evil magic sword.

My advice: don’t start this saga. Rather, read (or re-read) Moorcock’s Elric saga.

The saga is only available in French.

Sims 3 leaked out
The long-awaited Sims 3 was expected to be officially launched worldwide on 2nd June. Electronic Arts, following the outcry against the DRM in Spore, decided to stick with its usual disc activation without online authentication.

It seems that this gesture of goodwill was not sufficient. The game is already available on P2P networks; it leaked at the beginning of this week. The version seems to work (at least judging by the comments) and comes with the crack. Three versions seem to be available. The 5.6 GB ISO file already has more than 3,000 seeders. No doubt it will be a success in the download top ten.

After the leak of “Wolverine”, it is EA’s turn. Unfortunately, this is a final version. Will that impact sales? Aficionados have certainly been waiting for this game for a very long time, and it became even worse when EA announced a multi-month delay. For sure, the eagerness to get hold of the game as soon as possible will push people to download it. How many of them will come back to the official version once it is available?

The game industry has the same issue as the movie industry with leaks before release. Finding efficient solutions is probably more difficult for games. Release-date enforcement and traitor tracing should be interesting topics to investigate.

Let’s wait for the 2nd July to see the impact. By the way, the downloaders’ comments on the game itself are extremely positive.

Duplicating remotely physical keys

We all protect our houses with keys and locks. We are most probably all aware that locks will not resist an expert locksmith using lock picking or lock bumping. Last year, three US students demonstrated that we should perhaps also fear our neighbors.

They demonstrated that with some simple signal processing tools, it is easy to extract from a digital picture all the information needed to reproduce a key. The steps are rather simple:

  • Take one picture
  • Using reference points (from the given type of key), compensate for distortion through a homography
  • Normalize the picture to a reference size
  • Measure the pits and valleys
  • Reproduce the key

They experimented with normal digital cameras and cell phones. The most impressive setup used a 5000 mm focal length to capture pictures from up to 100 feet away. And it worked!

A fun paper that once more demonstrates that the frontiers of security are always being pushed back.