The economics of information security

Ross ANDERSON and Tyler MOORE wrote an interesting state-of-the-art survey of the economics of information security. Why does economics matter? The obvious answer is that it is about money, and money is one major driving factor of the software industry. This paper highlights a more compelling argument: many security failures come from misaligned incentives rather than from bad design. For instance, I will suffer from the operating system’s inability to prevent a virus from crashing my computer, not the OS’s vendor (especially if it holds a dominant position). Another example: the vendor of a player that reads AACS-protected content does not bear the loss due to content piracy.

The survey explores many fields of information security and shows how economic analysis can help to understand failure or can strengthen security. For instance, to trigger a network effect, it may be economically wise to lower security (at least, security should not get in the way of potential customers) in order to become more attractive. Once the threshold is passed, strong security can be a good way to lock in the market (the second part of a good network effect). Another interesting topic is secure software development. It seems that one should have few but extremely security-competent developers and a lot of testers.

I am not fully aligned with the conclusions on DRM and Trusted Computing. But here one may object that we do not have the same incentives :Happy:.

Definitely a paper to read. Furthermore, taking economics into account in the design is probably a good thing. I will have to dive into game theory.

The paper is available here

Compliance rules?

HDCP strippers are devices that take an HDCP/HDMI signal as input and output a non-HDCP signal. Many such devices are available on the market. I just came across a product called HDfury. It looks like a dongle with an HDMI connector on one side and a VGA-like connector on the other. Gold-plated connectors for the quality!

What I found interesting was the section of the product description dedicated to HDCP compliance.

HDCP rules compliant: no end-user easy access to decrypted analog video.
Once screwed, this module becomes “a part of the display itself”.
The HDfury module is DIRECTLY screwed to the back of the RGB display (where SUB-D15 VGA port stand).

What about screwing it onto a video acquisition card? I am not sure that the lawyers who drafted the HDCP compliance and robustness rules anticipated this reading of their rules. The “no easy access to analog video” requirement was meant for internal video. If I remember the compliance rules correctly, any analog output should be both downscaled in resolution (not 1080p) and copy protected.

Nevertheless, they at least addressed the problem. To make consumers feel happy, or to calm lawyers? :Wink:

Michael Moore, rights and P2P

Michael Moore, the brilliant provocative essayist, wanted to offer his latest documentary “Slacker Uprising” for free. Thus, he offered it on the Net at http://www.slackeruprising.com/. Unfortunately, the download only works for US and Canadian citizens. Michael Moore only holds the rights for the US and Canada, not for the rest of the world.

Unsurprisingly, “Slacker Uprising” was soon available on P2P sites. Rumors claimed that the leak was perhaps not unintentional. In a recent interview for TorrentFreak, he seems to confirm the rumors. In any case, Michael Moore is happy with these torrents.

This is not a surprise. If your objective is to denounce a problem (as claimed by Michael Moore), then your goal is to reach the largest audience possible (and not to make the largest earnings possible). Then P2P is a distribution channel that you must not avoid. P2P offers both a large audience and a defense against censorship.

Would Emile Zola have made a video version of his famous “J’accuse” and distributed it over YouTube and BitTorrent?

VOD before DVD in Korea

Movie delivery is ruled by a strategy called “release windows”. It means that a movie is not available at the same time on all distribution channels. The traditional sequence is “Theater – Hospitality (airplanes, hotels, …) – DVD/rental – VOD – Premium channel – Pay TV – Free To Air.”

It is believed that one of the reasons for the slow take-off of VOD is the availability of illegal DVDs before VOD. People are willing to pay a few dollars (euros or whatever currency their country uses) to get earlier access, even an illegal one. In theory, offering VOD before DVD should thwart this type of behaviour.

Thus, Warner Bros announced the release of VOD before DVDs in Korea. If successful, this strategy may be generalized to China. Why Korea? Because Korea is probably the country with the best broadband network and the highest broadband penetration. Thus, download times should be negligible and the pool of potential customers larger. Will it work? I am not sure. In my opinion, two conditions have to be present simultaneously:
1- The VOD release occurs at the same time as the “release” of illegal DVDs. Currently, illegal DVDs pop up soon after (if not before) the first worldwide theatrical release.
2- The price of VOD has to be near the price of an illegal DVD.
Another solution could be that VOD offers attractive goodies not available on illegal DVDs (this is less obvious).

I find the strategy used in China more interesting. Warner and Paramount offer legitimate DVDs at a price near that of illegal DVDs. Customers may be ready to pay a little more to get a product of guaranteed quality.

For sure, the traditional release windows will drastically change in the coming years. We already see a severe shrinking of the duration of the different phases. The delay between theatrical release and legitimate DVD constantly erodes.

Financial crisis

This morning in my car I listened to Christian de Boissieu, a French economist. He explained that this crisis was different from previous ones because of a lack of trust. Trust? As in our favorite topic?

The current crisis is due to banking institutions that took too high risks. Nobody was seriously evaluating the acceptability of the risks, or worse, they did not care. In other words, the aversion to risk was extremely low. And of course, as we all know, the higher the risk, the higher the probability that the corresponding threat will materialize. Here we are.

De Boissieu highlighted that the world had already seen many severe crises. Just remember the deflating Internet bubble. Nevertheless, none of them shook the world so much. Massive attempts by central banks to inject money have had no serious impact. According to him, the banks no longer trust each other. This means that they no longer lend money to each other. This lack of trust is such that they do not even dare to borrow money from central banks. Their aversion to risk jumped from extremely low to extremely high. Thus, this lack of trust freezes money, and there is not enough available liquidity. Thus, companies have trouble repaying their debts. Vicious circle.

It is strange that institutions such as banks, which are among those that best master security through the notions of risk management and trust, fell into that deadly pitfall. Once it is behind us, security specialists should study this crisis to learn from its mistakes. They were all about risk management (the crux of security).

Cracked quantum cryptography?

Wednesday, October 8, 2008

Many media are currently reporting that a Norwegian student, Vadim Makarov, cracked quantum cryptography. According to them, he has broken the unbreakable cryptosystem.

Let’s investigate a little bit. The easiest way is to go to his personal site. There is a link to a poster session from the SECOQ conference. This poster session of course explains the hack. He found a weakness in the implementation of the photonic receiver. This allows him to set up a man-in-the-middle attack. He can then impersonate Alice.

Thus, it is a good piece of reverse engineering and hacking. It highlights that flaws often come from the implementation and that Law 1 is always true. Nevertheless, quantum cryptography is not yet broken. It would be equivalent to stating that AES is broken because AACS was broken :-(

Once more, the media are using appealing titles. Unfortunately, they are misleading. In some cases, the journalist does not understand what he is writing about. In other cases, it is simply to be more attractive.

Is French Hadopi law dead? (2)

On 24th September, by voting for amendment 138 proposed by Daniel Cohn-Bendit, the European Parliament dealt a strong blow to the French HADOPI initiative for flexible response (see Is French HADOPI Law dead?). In a letter (pdf), the French president, Nicolas Sarkozy, asked José Manuel Barroso (President of the European Commission) to drop this amendment.
It seems that yesterday José Manuel Barroso rejected the possibility for the Commission to reject it. It is not the role of the EC to censor a decision voted by 90% of the European deputies, unless democracy is at stake. It will be up to the European Council of Ministers to promulgate or drop amendment 138.

[Edit 13-oct]: Here is a link to the press release by the Commission.