Author Archives: wunderbarb

Happy new year 2009

Posted on by
Reply

I wish to all my readers a prosperous and interesting year 2009. I will not take the risk to make some forecasts. Nevertheless, I will share some thoughts with you.

Will 2009 bring new initiatives in content protection? How will evolve music? Totally DRM free at the end of the year? As long as we will not see new business models appear there will be a problem.

The battle will continue between User Generated Content sites (YouTube, WAT, DailyMotion, Tudou, …) and content owners. Everybody has the feeling that the solution is to share the advertising revenues. But who has an idea on how to make a positive business with UGC? Are we sure that advertising revenues will be sufficient? And the fight with be on the ratio between UGC and content owners. Meanwhile, UGC sites will need to filter out copyrighted contents.

It will be interesting to see at which speed some candidates for the succession of SHA will be dismissed.

And you, what do you foresee?

Music industry strikes for revenue

Posted on by
Reply

In these last days, there were two main events in the field of copyright for music industry. First, Warner Music requires YouTube to remove all the music clips that “belong” to Warner music. It corresponds to the artists currently under contracts with Warner, but also songs whose rights belong to Warner although the artist is under contract with another company. Warner Music and YouTube negotiated for a long time. They were not able to converge on a repartition of advertising revenues. Warner Music estimates that the proposed value is ridiculous. This is a blow to the promises of free music through ad revenue sharing. What will be the next move? Another studio that sues YouTube? Another UGC site in target such as DailyMotion? Or an agreement between YouTube on a big music studio?

Second, MySpace has removed all the playlists of its members. RIAA is already suing the PlayList Project (see RIAA attacks project PlayList) Facing legal actions, MySpace stepped back. They removed the PlayList widget without prior notice to their users. FaceBook resists and refuses to remove PlayList. The battle continues.

2009 will be an interesting year. Will it be the year where UGC and studios will find some commercial agreements?

US passport and RFID

Posted on by
Reply

Once more, the use of RFID with ID cards raises many concerns. This time it is for the new US passport cards. These cards are only valid for sea and land travel. It seems that the design was only driven by cost consideration. There are two main characteristics

  • It uses off the shelf standard EPC chips (i.e., low cost tags as used for inventory tracking)
  •   The reading distance is 50 meters!

Being a standard EPC, the card just delivers a unique ID. This unique ID can be eavesdropped and reprogrammed in a blank EPC. Of course, the security relies on the guard who should check that the corresponding record points to the right owner. But we all know that vigilance decreases with time.
The long range of reading is an obvious privacy issue. With such a distance, it is easy to trace somebody. The solution proposed by the Administration is a privacy sleeve! This would never work with me. I would sooner or later forget it or loose it.
But the nicest is the “Kill” command. For privacy issue, EPC have a kill command that mutes definitively the chip. EPC are used for inventory tracking. Once the item sold, it must be possible to desactivate the chip. This command is legitimate for its initial use but not for this one. In a March post, I described a Denial Of Service attack to pass a border. With this type of card, it is extremely easy to mount it.
As usually, Administration downgrades the risks. According to them, the risks are improbable! When security design is driven by money, the result is often a catastrophe.

US passport and RFID

Posted on by
Reply

Once more, the use of RFID with ID cards raises many concerns. This time it is for the new US passport cards. These cards are only valid for sea and land travel. It seems that the design was only driven by cost consideration. There are two main characteristics
– It uses off the shelf standard EPC chips (i.e., low cost tags as used for inventory tracking)
– The reading distance is 50 meters!
Being a standard EPC, the card just delivers a unique ID. This unique ID can be eavesdropped and reprogrammed in a blank EPC. Of course, the security relies on the guard who should check that the corresponding record points to the right owner. But we all know that vigilance decreases with time.
The long range of reading is an obvious privacy issue. With such a distance, it is easy to trace somebody. The solution proposed by the Administration is a privacy sleeve! This would never work with me. I would sooner or later forget it or loose it.
But the nicest is the “Kill” command. For privacy issue, EPC have a kill command that mutes definitively the chip. EPC are used for inventory tracking. Once the item sold, it must be possible to desactivate the chip. This command is legitimate for its initial use but not for this one. In a March post, I described a Denial Of Service attack to pass a border. With this type of card, it is extremely easy to mount it.
As usually, Administration downgrades the risks. According to them, the risks are improbable! When security design is driven by money, the result is often a catastrophe.

Digital Future Symposium (DFS)

Posted on by
Reply

This event organized by the Center for Content Protection was hold with Asia TV at Singapore. Thus, the audience was rather large (140 people) and encompassed broadcasters, producers, and press.
The best presentations were:

  • Brad HUNT (former CTO of MPAA, and now consultant at Digital Media Directions) presented his four major trends in content protection
    • Use of fingerprinting to monetize content
    • Digital copy and managed copy for optical media
    • Domain based DRM
    • DECE with some emphasis on Marlin
  • Fabrice Moscheni (Fastcom) presented an impressive demonstration of DVB-CPCM. The demonstration raised a lot of interest.
  • Yangbin Wang (Vobile) explained how Vobile protected Olympic Games for CCTV

Conax, BayTSP, Verimatrix, Microsoft and Viaccess presented their products. Intertrust made a dull presentation of Marlin. I made two presentations:

  • A global approach of security explaining that using only fingerprint or watermark is insufficient, at least for tightly controlled distribution. The distinction between tightly controlled distribution and loosely controlled distribution was appreciated.
  • An introduction to DVB-CPCM before Fastcom’s demonstration.

Two main messages were conveyed during this symposium. Content Identification Techniques may allow monetization of content. Domain is the next paradigm in DRM.

Is Adobe 9 weaker than Adobe 8?

Posted on by
Reply

Once more Elcomsoft is making the buzz (see post where they claimed to have broken WPA2). Their new target is Adobe 9.

Adobe 9 uses AES-256 to protect pdf files. Unfortunately, calculating SHA256 is faster using Graphical Processor Units (GPU) than calculating MD5 as in previous versions of Adobe. Thus, ElcomSoft claims that is less secure because they can brute force 8 characters passwords with Adobe 9 at the same speed than 6 characters with previous versions of Adobe.

The answer from Adobe is clear and technical (see Security matters: Acrobat 9 and passwords encryption). With the new version, they have allowed passphrases of up to 127 characters!

My comments are:

  • Was is it useful to used AES256? Is it not simply a stupid commercial argument? To use the full benefit of AES256, the passwords should exceed 37 characters (I used 127 bits per character to calculate it). It represents passphrase as long as “Law #1: Attackers will always find th”. Who will
    1. dial such long passphrase?
    2. remember it? especially if not used daily.
  • Would it not be also better for Adobe to come with a more human understandable answer?
  • Once more, Elcomsoft is twisting the information. The only thing they are really demonstrating is that they are able to crack a 8 character password. Wow! :Sad:  But, they succeed to create the buzz in a field that most people do not understand. They are good at that.
  • Password sucks if there is no limitations in the number of trials.

C&ESAR 2008

Posted on by
Reply

I was present only at the last day of this conference. It recently changed its name from former “Journées du CELAR”. It remains mostly a French conference. What did I prefer in this day:

  • A very good introduction to contactless cards (smart card and RFID tags) with a nice list of threats and some countermeasures. The presentation was not highly technical but nevertheless complete. In the future of countermeasures, I loved the idea to embed micro batteries for having some margins for security measures. This will help in solving atomicity problems (a nightmare when designing a secure implementation of communication protocols).
  • LANET (University of Limoges) presented a detailed attack on JavaCard bypassing the sandboxing to dump instructions. Nice work, although not applicable to modern cards
  • DCSSI presented their preferred solution for electronic vote. The speaker clearly stated that he would rather not use electronic vote because it will never be 100% secure. Political pressures require such solutions.

I always thought that security people would be paranoid. It seems I am wrong. As usual in conferences, people use their laptops even to do sometimes mail. I was surprised of the number of people who do not use a confidentiality filter. My direct neighbors were from DGA (Direction Générale de l’Armement). They openly shoulder surfed the mails of person before them. He was not from the DGA. Companies should be default equip the computers from their travelers with such filters. I must confess that THOMSON does not. You have to ask for one.