Piracy is the Future of Television

This is the provocative title of a study conducted by Abigail De Kosnik from the Convergence Culture Consortium. The author compares the advantages for consumers of the legal offers and of the pirate “offer”.

The conclusion is that the pirate offer is more attractive than the legal ones, and not only because it is free. For instance, the legal offer is split among many sites. No single merchant offers the “complete” catalog of video content, whereas sites such as The Pirate Bay do. Pirate content has no limitations (i.e. no DRM) and uses codecs that are universally supported. This is not the case for legal offers. And the list is long:

Single search
Simple indexing
Uniform software and UI
File portability
Freedom from Preempting in the US
Commercial-free

The conclusions are that legal services should borrow some good ideas from the pirate offer, such as standardizing the way to access or search content, going immediately to a global audience, offering a premium service for personal archives, eliminating the TV set, and charging according to usage volume.

Of course, the study is biased. It clearly forgets that the pirate offer does not have to comply with copyright law or commercial agreements, and does not have to fund the creation of content. It does not take economics into account. Nevertheless, some recommendations are interesting (though not necessarily easy to deploy).

Security Newsletter #17 is out

It is available here.
In this issue, you will find an interview with Ari TAKANEN. He is the CTO of Codenomicon, a company specialized in fuzzing-based testing. A good insight into fuzzing.

This issue is more network oriented, with the analysis of some XSS vulnerabilities, a new method of TCP connection that brings its own vulnerabilities and, of course, Hole196, the latest weakness in WPA2.

I hope you’ll enjoy it and don’t hesitate to comment.

Les nouveaux pirates de l’entreprise

Bertrand Monnet and Philippe Véry published a book entitled “Les nouveaux pirates de l’entreprise: Mafias et terrorisme“, i.e. “The new pirates of the enterprise: Mafia and terrorism”.

They clearly highlight the new risks that a company may face from organized crime and terrorist organizations. Organized crime is like an enterprise: it seeks to maximize its revenue. The difference is that it does not care about regulation or ethics. Thus, it competes with legitimate business (parasitism, extortion, counterfeiting, direct investment…). Terrorist organizations look for means to finance their activities. The enterprise and its employees are attractive targets. Many conclusions are similar to those of the RAND report “Film Piracy, Organized Crime and Terrorism”.

The bibliography is frustrating because it is not very precise. Of course, in this field, there is not much public data available.

The authors’ conclusion is that everybody in the enterprise should be concerned by these risks. In my opinion, the most important recommendation is that the Chief Security Officer (CSO) should be both security aware and BUSINESS aware. To cope with this type of risk, many decisions may have deep business implications.

As you may have guessed, the book is in French. For French readers, a point of vocabulary 🙂
I discovered that for years I had been confusing “sécurité” and “sûreté”. “Sûreté” applies to protection against malicious actions. Was I the only one making this mistake?

ACM DRM 2010

Thursday, October 28, 2010

The 9th ACM Workshop on Digital Rights Management was held in Chicago on October 4, 2010. The workshop was sponsored by Microsoft and Technicolor.

Here are short highlights of my preferred papers:

  • The privacy of tracing traitors, Moni Naor. He mainly presented issues about privacy in the case of statistical analysis of large databases. He presented his recent work (2008) on how to sanitize such databases while maintaining differential privacy. The idea is to publish a synthetic database that gives the same answers as the real one, but without the actual data. This is extremely computationally expensive.

    The link with traitor tracing was tenuous. The conclusion was that traitor tracing is possible if and only if sanitizing is hard. The unsurprising conclusion is that traitor tracing and privacy are contradictory.

  • A General Model for Hiding Control Flow, Jan Cappaert (UKL). This presentation was about software tamper resistance, more specifically obfuscation. The idea is to enhance control flow graph flattening with relative values rather than local values, plus the use of hashes. They propose a switch function as a template.
    Worth reading. It was most probably one of the best papers of this workshop (at least in my opinion).
  • Is the Internet a Foe or a Friend to Theatrical Releases and the Motion Picture Industry?, Warren Lieberfarb. He presented the history of video distribution, highlighting that each threat ended up as an opportunity. Then he pleaded for a standard endorsed by all studios that would encompass a tiny removable storage medium (NAND flash based) and a robust DRM with forensic capabilities. In other words, vertical interoperability.
    The audience was captivated. Warren is a pioneer of video and knows the history of video distribution perfectly, having been one of its early actors. I am sure that many people in the audience discovered several interesting stories.
  • An Interoperable Usage Management Framework, Pramod Jamkhedkar. A framework that attempts to unify the different RELs (rights expression languages) independently of the execution platform. It should unify both declarative RELs and logic-based RELs. The approach is object oriented and focuses on the REL and not on enforcement.
    Highly theoretical work.
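To make the flattening idea from the Cappaert talk concrete, here is an added illustration of my own (not code from the paper, and not its exact construction): a small function, then the same logic rewritten as one dispatcher loop over basic blocks. Each block returns a relative offset to the next block instead of an absolute block number, and the dispatcher selects blocks by a hash of the current state rather than by the raw state value. The hash function and the base state are my assumptions.

```python
import hashlib

def checksum_plain(data: bytes) -> int:
    """Reference version: a toy 16-bit checksum with a data-dependent branch."""
    acc = 0
    for b in data:
        if b & 1:
            acc = (acc + b * 3) & 0xFFFF
        else:
            acc = (acc ^ (b << 4)) & 0xFFFF
    return acc

def _key(state: int) -> int:
    """Dispatcher key: a hash of the state, so the values the dispatcher compares
    against are not the plain state numbers (assumed construction, not the paper's)."""
    return int.from_bytes(hashlib.sha256(state.to_bytes(4, "little")).digest()[:4], "little")

# Basic blocks of the flattened function. Each block updates the shared
# environment and returns a RELATIVE offset to the next block; the absolute
# state numbers never appear inside the blocks, so shifting the base state
# (or interleaving blocks of another function) leaves the blocks unchanged.
def _blk_init(env):            # state base+0
    env["i"], env["acc"] = 0, 0
    return +1                  # -> header

def _blk_header(env):          # state base+1
    if env["i"] >= len(env["data"]):
        return +4              # -> exit (base+5)
    env["b"] = env["data"][env["i"]]
    return +1                  # -> branch

def _blk_branch(env):          # state base+2
    return +1 if env["b"] & 1 else +2   # -> odd (base+3) or even (base+4)

def _blk_odd(env):             # state base+3
    env["acc"] = (env["acc"] + env["b"] * 3) & 0xFFFF
    env["i"] += 1
    return -2                  # back to header

def _blk_even(env):            # state base+4
    env["acc"] = (env["acc"] ^ (env["b"] << 4)) & 0xFFFF
    env["i"] += 1
    return -3                  # back to header

BLOCKS = [_blk_init, _blk_header, _blk_branch, _blk_odd, _blk_even]

def checksum_flat(data: bytes, base: int = 0x2A9F) -> int:
    """Flattened version: one loop, one dispatcher, blocks chosen by hashed state."""
    dispatch = {_key(base + i): blk for i, blk in enumerate(BLOCKS)}
    exit_state = base + len(BLOCKS)
    env = {"data": data}
    state = base
    while state != exit_state:
        state += dispatch[_key(state)](env)
    return env["acc"]

if __name__ == "__main__":
    sample = b"hello, world"
    print(checksum_plain(sample), checksum_flat(sample), checksum_flat(sample, base=7))
```

The point of the relative offsets is visible in the last call: the same block bodies run unchanged under a different base, so the original control flow graph cannot be read back from constants in the blocks alone.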

I presented a paper, co-authored with ROBERT Arnaud (Disney), about an Interoperable Digital Rights Locker.

The full program is available here.

The risk of geo-tagging

Once more, a new technology introduces threats to privacy. FRIEDLAND Gerald and SOMMER Robin, in their paper “Cybercasing the Joint: On the Privacy Implications of Geo-Tagging”, clearly highlight the new risks.

Many high-end phones, such as the iPhone, come with GPS. Undoubtedly, GPS is a great feature. Once you have used it, you cannot live without it anymore. Nevertheless, the combination of GPS and camera is a problem. Currently, all such devices embed a geo-tag, i.e. the precise location, in the metadata (EXIF) of pictures shot by the camera. And many such pictures end up on Flickr, Facebook and Craigslist. This metadata can easily be extracted with standard tools.

In other words, if you publish on the Internet a picture of your house taken with your iPhone, it will be extremely easy for anybody to locate you, for instance using Google Street View. The paper presents a very illustrative example.

Of course, you can disable geo-tagging, or strip the metadata before publishing. But (1) you must be aware of the threat, and then (2) find out how to disable it. The solution should be for manufacturers to make this feature opt-in, i.e. disabled by default. Very unlikely, because manufacturers ship devices with new features ready to work.
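To show how little effort the extraction takes, and what stripping the tag amounts to, here is an added example of my own (not code from the Friedland and Sommer paper). It builds a minimal JPEG whose APP1 segment carries an EXIF GPS IFD (a constructed fixture, not a real photo), reads the latitude and longitude back the way any EXIF tool does, and produces a copy with the Exif segment removed. The coordinates used are arbitrary sample values.

```python
import struct

EXIF_MAGIC = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825          # IFD0 entry pointing at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004

def _dms_rationals(value: float) -> bytes:
    """Degrees/minutes/seconds as three little-endian RATIONALs (num, den pairs)."""
    x = abs(value)
    d = int(x)
    m = int((x - d) * 60)
    s = round(((x - d) * 60 - m) * 60 * 1000)
    return struct.pack("<6I", d, 1, m, 1, s, 1000)

def build_geotagged_jpeg(lat: float, lon: float) -> bytes:
    """Constructed fixture: a minimal JPEG whose APP1 segment carries an EXIF GPS IFD.
    The 'image' is a placeholder SOS segment, not a real picture."""
    lat_ref = b"N\x00" if lat >= 0 else b"S\x00"
    lon_ref = b"E\x00" if lon >= 0 else b"W\x00"
    # TIFF header (little-endian, IFD0 at offset 8); IFD0 = 1 entry -> GPS IFD at 26
    tiff = b"II" + struct.pack("<HI", 42, 8)
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", TAG_GPS_IFD, 4, 1, 26) + struct.pack("<I", 0)
    # GPS IFD (offset 26): 4 entries; the RATIONAL arrays live at offsets 80 and 104
    gps = struct.pack("<H", 4)
    gps += struct.pack("<HHI", GPS_LAT_REF, 2, 2) + lat_ref.ljust(4, b"\x00")   # ASCII, inline
    gps += struct.pack("<HHII", GPS_LAT, 5, 3, 80)                              # 3 RATIONALs
    gps += struct.pack("<HHI", GPS_LON_REF, 2, 2) + lon_ref.ljust(4, b"\x00")
    gps += struct.pack("<HHII", GPS_LON, 5, 3, 104)
    gps += struct.pack("<I", 0)
    tiff += gps + _dms_rationals(lat) + _dms_rationals(lon)
    app1 = EXIF_MAGIC + tiff
    return (b"\xff\xd8"                                                  # SOI
            + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1      # APP1/Exif
            + b"\xff\xda\x00\x02" + b"\x00\x11\x22"                      # placeholder SOS + scan
            + b"\xff\xd9")                                               # EOI

def _segments(jpeg: bytes):
    """Yield (marker, start, end) for each marker segment after SOI, stopping at
    SOS; the remaining entropy-coded data is yielded last with marker None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length
        if marker == 0xDA:
            break
    yield None, pos, len(jpeg)

def _ifd_entries(tiff: bytes, bo: str, offset: int):
    """Yield (tag, type, count, raw 4-byte value field) for one IFD."""
    n = struct.unpack(bo + "H", tiff[offset:offset + 2])[0]
    for i in range(n):
        e = tiff[offset + 2 + 12 * i: offset + 14 + 12 * i]
        tag, typ, count = struct.unpack(bo + "HHI", e[:8])
        yield tag, typ, count, e[8:12]

def extract_gps(jpeg: bytes):
    """Return (lat, lon) in decimal degrees from the EXIF GPS IFD, or None."""
    for marker, start, end in _segments(jpeg):
        if marker != 0xE1 or jpeg[start + 4:start + 10] != EXIF_MAGIC:
            continue
        tiff = jpeg[start + 10:end]
        bo = "<" if tiff[:2] == b"II" else ">"
        magic, ifd0 = struct.unpack(bo + "HI", tiff[2:8])
        if magic != 42:
            continue
        gps_off = next((struct.unpack(bo + "I", raw)[0]
                        for tag, _, _, raw in _ifd_entries(tiff, bo, ifd0)
                        if tag == TAG_GPS_IFD), None)
        if gps_off is None:
            return None
        fields = {}
        for tag, typ, count, raw in _ifd_entries(tiff, bo, gps_off):
            if tag in (GPS_LAT_REF, GPS_LON_REF):
                fields[tag] = raw[:1].decode("ascii")
            elif tag in (GPS_LAT, GPS_LON) and typ == 5 and count == 3:
                off = struct.unpack(bo + "I", raw)[0]
                r = struct.unpack(bo + "6I", tiff[off:off + 24])
                d, m, s = r[0] / r[1], r[2] / r[3], r[4] / r[5]
                fields[tag] = d + m / 60 + s / 3600
        if GPS_LAT in fields and GPS_LON in fields:
            lat = -fields[GPS_LAT] if fields.get(GPS_LAT_REF) == "S" else fields[GPS_LAT]
            lon = -fields[GPS_LON] if fields.get(GPS_LON_REF) == "W" else fields[GPS_LON]
            return lat, lon
    return None

def strip_exif(jpeg: bytes) -> bytes:
    """Copy of the JPEG without its APP1/Exif segment(s); the image data is untouched."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in _segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_MAGIC:
            continue
        out += jpeg[start:end]
    return bytes(out)
```

Note that stripping removes the whole Exif block, including harmless tags such as the camera model; that is the usual trade-off, and it is simpler and safer than editing the GPS IFD in place.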

If you have a mobile phone with GPS, think about it. Personally, I know what I would do.

But(t) Authentication

No, I’m not turning my blog into a porn site. I am just referring to a recent paper by FERRO M., PIOGGIA G., TOGNETTI A., CARBONARO N., and DE ROSSI D. These extremely serious Italian researchers have published “A Sensing Seat for Human Authentication“.

We know many biometric authentication methods using voice, fingerprint, palm, or iris. We have had recognition through the way you walk, or the way you type. This one is recognition through the way you sit.

The seat is equipped with a set of strain sensors. These sensors have piezoresistive properties whose readings can be turned into a digital fingerprint of the seated person. The paper describes the system and explains the measuring methods. They tested their system on 20 people over a period of 20 days in a truck simulator. The True Acceptance Rate is about 90-95%. The False Acceptance Rate was about 5%.

The researchers acknowledge that there are many parameters in the real world that may impact these rates, such as movements, vibrations and changes in the human profile. A wallet in the pocket may derail the system. Too many hamburgers over a long period most probably also 😉

The target is the automotive industry. They plan to couple it with face and voice recognition.

Thanks to BC for the pointer.

Where Do Security Policies Come From?

In a paper presented at the 6th Symposium on Usable Privacy and Security (SOUPS 2010), FLORENCIO Dinei and HERLEY Cormac, Microsoft Research, examined the password policies of 75 Internet sites. The types of websites ranged from very popular sites/services such as Facebook or PayPal to more confidential ones such as governmental agencies.

They evaluated the strength of the enforced policy with the formula N·log2(C), where N is the minimum length of the password and C is the cardinality of the allowed character set, i.e. the number of bits of the password space. Obviously, this formula is not a perfect evaluation of the constraints because it does not take into account constraints such as the mandatory use of digits or special characters. Nevertheless, the result is simple (and perhaps not too surprising):

The size of the site, the number of user accounts, the value of the resources protected, and the frequency of non-strength related attacks all correlate very poorly with the strength required by the site.

In other words, the sites with the most constraining policies are not necessarily the sites most at risk. For instance, Gmail or PayPal do not have strong constraints. Most often, the sites with the most constraining policies have no incentive to attract numerous visits, or have a captive “audience”. The constraints were driven more by the need to attract visitors than by security itself.
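An added illustration of the N·log2(C) metric and of the caveat above (my own code, not from the paper): the naive score beside an exact count of the password space once mandatory character classes are enforced, computed by inclusion-exclusion over the required classes that are absent. The class sizes are an assumption for the 95 printable ASCII characters of a US keyboard; the policies compared are hypothetical.

```python
from itertools import combinations
from math import log2

# Assumed character classes: the 95 printable ASCII characters of a US keyboard.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

def naive_bits(min_len: int, charset_size: int) -> float:
    """The paper's strength proxy: N * log2(C)."""
    return min_len * log2(charset_size)

def policy_space(min_len: int, classes: dict, required: set) -> int:
    """Exact number of strings of length min_len over the union of the classes
    that contain at least one character of every required class.
    Inclusion-exclusion: subtract strings missing one required class, add back
    those missing two, and so on."""
    total = sum(classes.values())
    req = sorted(required)
    count = 0
    for k in range(len(req) + 1):
        for absent in combinations(req, k):
            alphabet = total - sum(classes[c] for c in absent)
            count += (-1) ** k * alphabet ** min_len
    return count

def effective_bits(min_len: int, classes: dict, required: set) -> float:
    """log2 of the real password space once mandatory classes are accounted for."""
    return log2(policy_space(min_len, classes, required))

def score(min_len: int, classes: dict, required: set) -> dict:
    """Both scores for one policy, rounded for display."""
    return {
        "naive_bits": round(naive_bits(min_len, sum(classes.values())), 2),
        "effective_bits": round(effective_bits(min_len, classes, required), 2),
    }

if __name__ == "__main__":
    # Hypothetical policies: 8 characters with all four classes mandatory,
    # versus 12 characters with no composition rule at all.
    print("8 chars, 4 classes:", score(8, CLASSES, set(CLASSES)))
    print("12 chars, lowercase only:", score(12, {"lower": 26}, set()))
```

Two things come out of the numbers: the composition rules cost about one bit compared with the naive N·log2(C) score (they forbid the strings that lack a class), and a longer password with no rule at all beats the shorter four-class one, which is worth keeping in mind when a policy is justified by “strength”.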

It is the usual trade-off between security and usability. Facebook, which is paid by advertising, needs frequent visitors. A too complex password policy may put off many users and thus make the site less attractive.

The authors argue that there is most probably no need for a strong password policy, because the strategies used to defeat online brute-force attacks (such as lockout or throttling) should be a sufficient deterrent. They cite Twitter, which recently banned the 370 most common passwords. According to them, strong passwords are most probably only useful in case of access to the hashed password file. (Remember rainbow tables.)

Their view on the trade-off between usability and security is interesting.

When the voices that advocate for usability are absent or weak, security measures become needlessly restrictive.

I’ll let you savor this statement. Any reactions?

The paper is available here.