Fighting Jessica

In Security Newsletter #5, Frédéric Lefebvre presented the research work of Jessica Fridrich. By analyzing the noise in pictures, she attempts to uniquely fingerprint a camera. Each CCD generates a unique noise template. Thus, it should be possible to detect whether pictures were taken by a given camera.

It seems that this work has been spotted by the community and has raised some fears. The site Instructables proposes a process for “anonymizing” pictures. Obviously, the author has no serious knowledge of signal processing theory. Some of the tricks are more than questionable. Nevertheless, he is serious: he did not forget the most obvious steps, 1 and 6. In step 1, he removes the metadata attached to a picture. (How many people ignore or forget that Microsoft documents embed identifying metadata?) In step 6, he suggests using Tor to anonymize the Internet postings.

The lesson is that the community follows the latest work of the academic world. Although its members do not necessarily understand the scientific details (and thus may misjudge the maturity), they clearly understand the potential consequences and outcomes.

An occasion to read the latest results from Jessica Fridrich? Thanks, Bertrand.

How honest people cheat

One of the mottoes of the Copy Protection Technical Working Group (CPTWG) has always been “Keep honest people honest.” But do honest people stay honest?

I have read an old issue of Harvard Business Review (February 2008). There is an interesting paper by Dan Ariely. Its title is “How honest people cheat.” With his team, he tested the capacity to cheat of thousands of “honest” people. They were paid for each simple mathematical problem they solved successfully. There were 20 problems. The average number of solved problems was 4. In a second experiment, people had to report the number of successful solutions themselves. There was no way to verify their claims (the paper with the answers had been shredded beforehand). The average number of correct answers jumped to 6! Compared to the potential maximum of 20, an increase of 2 is really not large.

Other experiments showed that the risk of being caught did not affect the level of dishonesty. A more interesting observation: people were more dishonest when the reward was not directly monetary.

The rough conclusions were that most people, when tempted, are ready to be a little bit dishonest, but will never become fully dishonest. In non-monetized cases, people are more ready to cheat because they can more easily “rationalize” or “justify” their cheating. This last finding can partly explain why people may be ready to download an album through P2P but would not be ready to steal it in a shop (even without risk). There is probably some similarity between demonetization and dematerialization.

Another conclusion: CPTWG was perhaps right when trying to “keep honest people honest.”

Veoh versus Universal Music Group

The beginning of 2009 saw an interesting litigation closed. Universal Music Group (UMG) was suing the video-sharing site Veoh for copyright infringement. But Veoh claimed to be protected by the DMCA safe harbor act. The safe harbor act protects service providers against the illegal actions of their users.

UMG claimed that the DMCA safe harbor act only protects storing bits, not manipulating them. Veoh transcodes the uploaded content into the exchange format. The court decided otherwise. The main argument was that users “signed” terms of contract before uploading content. The terms of contract specified that the user agreed not to upload copyrighted content.

This court decision sets an interesting legal precedent. Will it have any influence on the current battle Viacom versus YouTube?

Is MD5 certificate attack a lethal hit to SSL?

MD5 has been known to be a weak hashing algorithm for many years. Thus, it was fading from attention; the focus was more on attacking the SHA family. Nevertheless, researchers (Alex Sotirov, Marc Stevens, Jake Appelbaum, Arjen Lenstra, Benne de Weger, and David Molnar) have brilliantly combined three weaknesses: MD5 collisions, the fact that some Certification Authorities (CAs) still use MD5 to sign SSL certificates, and the fact that browsers poorly manage root certificates. They presented their attack at the Chaos Computer Club conference.

The researchers asked a legitimate CA to sign a legitimate SSL certificate with MD5. Then they forged a root key using the same signature. Bingo! They could now generate and sign “legitimate” SSL certificates.

Is it dangerous? Not really. First of all, the majority of CAs no longer use MD5. The attack does not work on certificates that were already issued. In other words, when receiving new certificates signed with MD5 (normally very few), be cautious with the issuing date. You can still trust SSL.
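The caution about newly issued MD5-signed certificates can be turned into a check. The following is an added example, not code from the original post or from the researchers: a minimal DER walker that reads a certificate's signature algorithm OID and notBefore date and flags MD5-signed certificates issued on or after a cutoff. The function names, the cutoff value and the skeletal sample certificate are assumptions constructed for illustration.

```python
from datetime import datetime
MD5_WITH_RSA = "1.2.840.113549.1.1.4"  # OID of md5WithRSAEncryption

def read_tlv(buf, pos):  # -> (tag, value, next_pos) for the DER element at pos
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = first & 0x7F
        first, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + first], pos + first

def children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(b):
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        v = (v << 7) | (byte & 0x7F)  # base-128 digits, high bit means "more follows"
        if not byte & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def md5_issue_check(der, cutoff):
    """Return (uses_md5, not_before, suspicious) for a DER X.509 certificate."""
    tbs, sig_alg, _sig = children(read_tlv(der, 0)[1])
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:  # skip the optional [0] version field
        fields = fields[1:]
    tag, raw = children(fields[3][1])[0]  # validity.notBefore
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime, else GeneralizedTime
    not_before = datetime.strptime(raw.decode("ascii"), fmt)
    uses_md5 = decode_oid(children(sig_alg[1])[0][1]) == MD5_WITH_RSA
    return uses_md5, not_before, uses_md5 and not_before >= cutoff

def tlv(tag, body=b""):  # short-form DER encoder, enough for the small sample below
    return bytes([tag, len(body)]) + body

def sample_cert(oid_tail, not_before):
    """Constructed skeleton (not a real certificate) with only the fields the check reads."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d0101") + oid_tail) + tlv(0x05))
    validity = tlv(0x30, tlv(0x17, not_before) + tlv(0x17, b"300101000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + tlv(0x30) + validity + tlv(0x30) + tlv(0x30))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + b"\xAA" * 8))
```

For a real PEM certificate, base64-decode the body to DER before passing it to `md5_issue_check`; the cutoff is whatever date the reviewer decides to treat as "new".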

The cure is extremely simple. No CA should use MD5 to sign certificates anymore. The CA that signed the certificate used for the demonstration announced that it will soon get rid of MD5.

Although not a lethal attack, the work of the researchers is an extremely nice and smart attack. The attack will be detailed in Security Newsletter #12.

DRM free music

The movement towards DRM free music continues. The biggest event is of course iTunes announcing that its complete catalog will be available as DRM free songs. iTunes also announced a new price list adding $0.69 songs (in addition to $0.99 and $1.29).

Warner France followed this movement. It announced that its two sites Fnac Music and Virgin Media will sell DRM free songs in 2009. Nevertheless, it is a trial and the final decision will be taken in 2010.

DRM free music is a trend that will not stop. Will it extend to other fields such as games or video? I am not sure. Of course, customers would like it. DRM free distribution with a session watermark to detect eventual illegal distribution is promoted, for instance, by the Digital Watermarking Alliance. Nevertheless, there are several differences with music. In my opinion, the biggest one is that the investments are far larger than in music. In the case of video, the release windows strategy and commercial agreements are also problems.

We will continue to monitor this trend in 2009.

MediaSentry loses RIAA contract

Monday 5 January 2009: RIAA’s spokesperson Jonathan LAMY has officially confirmed that RIAA no longer uses the services of MediaSentry. He stated that RIAA uses a Danish company, DtecNet.

Many reasons may have driven this decision. It seems that the way the supposedly infringing IP addresses were collected may not sustain the non-repudiation of illegal sharing. This is an extremely tough issue. How do you legally prove (in an efficient way) that the peer really shared illegal content? MediaSentry was also using spoiling techniques (for an overview, see “Fighting piracy” in Security Newsletter #11). These techniques are somewhat controversial. This summer, a leak of emails from MediaDefender, a competitor of MediaSentry, shed some light on the types of thwarting techniques. Furthermore, some mails described the results of competitive intelligence on MediaSentry. In other words, MediaDefender’s story gave the sector a very bad reputation. Is MediaSentry a collateral victim of MediaDefender’s leak?

The toolbox of DtecNet, at least as announced on their site, offers only non-controversial techniques: Cease and Desist Letter, Litigation Tools and Evidence, Prerelease Monitoring, and statistics. In other words, they do not announce any throttling or poisoning techniques, only monitoring tools. Far less controversial.

Does it mean a change in RIAA’s strategy? I doubt it. It is probably a good communication move. RIAA will continue to track illegal downloading, send Cease and Desist Letters, and sue infringers. RIAA will not sponsor any borderline activity (at least not openly).

DNS weakness starts to be cured

In Security Newsletter #11, Patrice AUFFRET recounted the latest attack on DNS by Dan KAMINSKY. Patrice’s conclusion was that the only cure was wide deployment of DNSSEC. DNSSEC is a secure version of DNS, the system that binds textual Internet addresses to actual numerical IP addresses. DNSSEC has existed for about 14 years but has not yet been seriously deployed.

The cure starts! The Public Interest Registry is deploying DNSSEC for all addresses it handles. The Public Interest Registry handles all the .org addresses. The US government, which handles .gov addresses, will also turn to DNSSEC.

With these two big domain spaces turning to DNSSEC, we may expect a snowball effect with more and more domains switching to DNSSEC. The Internet will become (a little bit) more secure. This is good news for this new year.