DVD Jon launches doubleTwist

Posted on March 20, 2008 by wunderbarb

Jon Lech JOHANSEN, together with Monique FARANTOS launched doubleTwist, a controversial software and service. Jon is better known as DVD Jon. In 1999, he wrote DeCSS, the software decrypting protected DVDs. DeCSS spread over the Internet despite the efforts of studios to stop it. The source code was even available on printed T-shirts. In 2006, he authored software defeating Apple’s DRM FairPlay. DoubleTwist seems to be a sequel of this early hack.

DoubleTwist allows sharing your contents on all your devices and sharing your contents with your friends on social networks such as FaceBook. Currently, doubleTwist supports a limited number of devices through iTunes synchronization: Nokia phones, Sony Walkmans, Sony PSP and Windows Mobile 6.0 platforms. Nevertheless, traditional USB download is valid. DoubleTwist is only available for Windows. The Mac version is under way.

Does doubleTwist infringe copyright laws? According to Electronic Frontier Foundation (EFF), it does not. To by pass FairPlay, doubleTwist uses the analog hole, i.e. it records content while played by iTunes. Thus, EFF claims that it does not circumvent any protection scheme and thus falls out of the scope of DMCA. Will this argument hold in front of a court?

Nevertheless, doubleTwist limited the duration of the shared video to ten minutes and the duration of shared audio to twenty minutes per file. This policy reminds the limitations of User Generated Content sites.

The launch of doubleTwist on 18th February raised a flurry of news. The personality of DVD Jon is probably one explication of such media interest. Since then, no news. Surprisingly, there is no known public reaction of Apple. Would a negative reaction be coherent with Steve Jobs advocating DRM-free content?

Nagra reinforces its secure coding capacities

Posted on March 19, 2008 by wunderbarb

Kudelski group announced that it acquired EDSI. Kudelski is better known in the world of security as NAGRAVISION. Nagra is one of the main Conditional Access provider. EDSI is a small French company, based at CESSON SEVIGNE.

Since 1990, EDSI specialized in the development of software for smart card dedicated to Pay TV or banking applications. EDSI acquired a strong expertise in security for these smart cards. It has also a certification laboratory assessing the robustness of smart card implementations.

Through this acquisition, NAGRA provides a strong positive message of a capacity to fight piracy. Another potential message is that smart card based Conditional Access Systems are not dead. A current trend, coming with IP delivery, was to promote card less solutions (Verimatix, Widevine, …). None of these card less solution has not yet had a large scale deployment as card based Conditional Access had. Thus their actual robustness against piracy has not been assessed. I will come back to the card less topic in one of my future post.

The corresponding press release is available at http://www.nagra.com/pressreleases/view_release.php?id=583〈=e

NXP enhances the security of its chip

Posted on March 17, 2008 by wunderbarb

NXP, the RFID manufacturer, has announced the launching of new generation of mifare RFID chips: mifare plus. This new version has enhanced the security comared to previous mifare classic. For instance, it implements 128-bit AES, and more diversity for the identification. Mifare Plus seem to have an easy migration path from mifare clasic.

For memory, it was the NXP mifare classic that was recently hacked. This is a nice timely answer to this hack. How long will the new generation resist?

Babel tower

Posted on March 16, 2008 by wunderbarb

I am currently reading the last book of Olivier BOMSEL: “Gratuit, du déploiement de l’économie numérique”. This book is extremely interesting, as the previous essays of Olivier. Olivier BOMSEL is a French economist who focuses on the economy of the digital industry. His opinions are often provocative. I will probably come back to this book several times.

This book illustrates the network effect on digital economy. He presents an interesting biblical example: the tower of Babel. By introducing new languages, God broke the network effect that made the building of the tower possible.

This raised a question: Is Babel tower better for security or bad? The answer is difficult. There are arguments for both positions.

On one hand, the more a secure system is deployed, the more it may be studied by the community. Thus, we may expect to have a more secure system.
On the other hand, the more a secure system is deployed, the more it may be attacked. Furthermore, the attackers may have access to better documentation and have a deeper knowledge. Thus be more efficient
Another negative argument is that if there would one unique secure system, then a class attack would affect a complete ecosystem. This may be extremely dangerous.

Thus, once more, no Manichean answers.

By the way, according to Olivier BOMSEL’s book, the incident of the tower of Babel may be a good thing for humanity. It obliged mankind to spread all over the world. :Wink:

Switching to Web 2.0

Posted on March 15, 2008 by wunderbarb

I updated my blog with a new package that features a full package of blog tools. I step in the Web 2.0 world. In other words you will be able to post comments.

Do not hesitate.

Eric

RFID and weak security

Posted on March 14, 2008 by wunderbarb

NXP Mifare Classic RFID chips are widely used in transportation or access control in Europe. NOHL Karsten, a researcher, publishes a cryptanalysis of this chip (the paper). His analysis demonstrates that the design was extremely weak. The cipher uses a LSFR and a 48-bit key.

It is obvious that the design was weak. Nevertheless, the main design constraint was probably to have a small number of gates for the implementation to reduce the cost. The security assumed that this algorithm would stay secret, in other words violating the principle of Kerckoffs. Furthermore, using a 48 bit key was inadequate. Currently, it is recommended to have at least a 90 bit key. With 48 bit key, it is easy to have a brut force attack.

Is it a problem? It depends on the application using the chip and its security assumptions. If the hypothesis is that the chip is extremely secure, than the answer is that it is an error. If the goal is to protect low cost assets, then the answer is right solution. As always, security is not simple and Manichean.

Forecasts: RFID will spread. Due to this massive use, cost constraints will be such that we will anticipate that many RFID chip will implement weak algorithm but with low cost. I will surely report many such events.

Launching my blog

Posted on March 12, 2008 by wunderbarb

I make the move. I open my blog. You will find news, analysis on these news and thoughts about topics related to security.
To start, it will be Web 1.0. You will not be able to directly edit your comments. Nevertheless, do not hesitate to share them with me through mail. I will switch to Web 2.0 as soon as possible.
The blog will be both in English and French.
I hope you will enjoy it.