Category Archive: Products

May 01 2015

Smart Bottle

JW_Blue_Smart_Bottle_3Diageo and Thin Films have recently demonstrated a smart bottle.   The seal of the bottle contains a NFC tag.  This tag not only carries unique identity of the bottle, but it detects also whether the seal was opened or is still closed.  This smart tag allows interesting features:

  • As for traditional RFID tags, it enables the follow up of the bottle along the delivery chain.
  • As it uses NFC, the seal allows a mobile phone app to identify the bottle, and thus create a personalized experience (interesting features for privacy: it is possible to track who purchased the bottle (at the point of sale with the credit card) and see who actually drinks it (was it a gift?))
  • As it detects if the seal has been broken, it is a way to detect tampering of the bottle during the distribution chain.  This may thwart some forms of piracy and counterfeiting.
  • The tag is also a way to authenticate the origin of the product.  It may have interesting application for expensive rare bottles to verify counterfeiting.
  • It does not yet tell if you drank too much.  This will be the next application associated to the smart glass that will detect what you drink and how much 

See thinfilm brochure opensense

Jan 08 2015

Tribler: a (worrying) P2P client

triblerTribler is a new P2P client that made the headlines last month.   It was claimed to make bitTorrent  unstoppable and offer anonymity.   I had a look at it and played with.

This is an open source project from the University of Delft.  It has been partly funded by the Dutch Ministry of Economic Affairs.  The project started in January 2008.  Tribler is worrying to both content owners and users.

To content owners, Tribler is worrying with its features.

  •  Tribler is more convivial than other P2P clients.   It integrates in the client several functions.  First, it allows to search torrents from the client user interface within its currently connected clients.  In other words, it does not need a central tracker to keep the torrents pointers.   Thus, it is more robust and also easier to use than other clients.  If the expected content is popular, the likelihood to find it within the connected community is high.  Thus, it is unnecessary to leave the application to find torrents on trackers. Of course, it can import torrents from any external trackers such as mininova.  Thus, when content is not available in the community, the user may use traditional trackers.
    The second interesting feature is that it emulates video streaming using standard torrents.  In this mode, it buffers the video and starts to play it within the application after a few seconds.  From the user point of view, it is similar to streaming from a cyberlocker (with the difference that, once viewing completed, there is a full copy of the content on the user’s computer).
    These features are not new (emule allowed to search within it, Bittorrent Pro offers an HD player inside it…).  However,  Tribler nicely packages them.  The user experience is neat.
  • Tribler promises anonymity.  It uses a Tor-like onion structure to access the different peers.  Or at least, it should do in the future.  With the current version, it is clearly announced that it is still beta.   Furthermore, all the current peers were directly connected.  Only an experiemental torrent used the feature.  However, once validated and activated, it should become harder to trace back the seeders.

To users,Tribler is worrying for its security.  Tribler promises anonymity.  Unfortunately, this is not the case.  “Yawning angel” analyzed the project.  Although his analysis was not thorough, it highlighted several critical flaws in the used protocol.  As it is possible to define circuits of arbitrary length, it would be possible to create congestion and thus create a kind of DoS.  More worrying there are several severe cryptographic mistakes such as improper use of ECB mode, fixed IV in OFB…  His conclusion was:

For users, “don’t”. Cursory analysis found enough fundamental flaws, and secure protocol design/implementation errors that I would be reluctant to consider this secure, even if the known issues were fixed. It may be worth revisiting in several years when the designers obtain more experience, and a thorough third party audit of the improved code and design has been done.

Lessons:

  • P2P seems not yet dead.  Streaming emulation may change the balance with streaming cyber lockers.
  • Be very cautious about claimed anonymity.  Developing a robust Tor-like solution requires an enormous effort and deep knowledge of cryptography and secure protocols.  Tor is continuously under attack.
  • Universities may finance projects that will facilitate piracy.  “Openess of the Internet” to fight censorship does not mandate to watch content within the client.  The illustrating screenshot of Tribler on the Delft university page clearly shows some copyrighted movies offered to sharing.

Jul 24 2014

Unlocking the phone with a tap on your wrist

This is the new phone unlocking mode that vivalnk designed for Moto X phone.  The system is rather simple.   YScreen Shot 07-24-14 at 11.33 AM 001ou stick an NFC-based skin temporary tattoo on your wrist.   Once the tattoo is paired with your phone, to unlock the phone you just need to bring the phone in the range of the tattoo.  It is possible to unpair a tattoo if it was lost or stolen.

According to vivalnk, the tattoo’s adhesive lasts about five days, even under water.   It costs one dollar per tattoo.  Currently, it is only available for the Moto X.

This tattoo is a wearable authenticator.   I forecast that we will see this kind of authentication method using an NFC start to spread.   It may come in ewatches, rings, or key rings.  I believe that the ring would be a good device.  The mere fact to take your phone in your hand may unlock it.

Mar 20 2014

Target and FireEye

Beginning of December 2013, US retail Target suffered a huge leak of data: 40 million valid credit card information were sent to Russian servers. This leak will have serious financial impact for Target as there are already more than 90 lawsuits filed against Target.

Target is undergoing deep investigation to understand why this data breach occurred. Recently, an interesting fact popped up. On the 30th November, a sophisticated, commercial, anti-malware system FireEye detected the spreading of an unknown malware within Target’s IT system . It spotted the customized malware that was installing on the point of sales to collect the credit card number before sending them to three compromised Target servers. Target’s security experts based at Bangalore (India) reported it to the US Security Operation Center in Minneapolis. The alert level was the highest from FireEye. The center did not react to this notification. On 2nd December, a new notification was sent without generating any reaction.

The exfiltration of the stolen data started after the 2nd December. Thus, if the Security Operation Center would have reacted to this alert, although it may not have stopped the collection but at least it would have stopped the exfiltration to Russian servers.

As we do not have the details on the daily volume of alerts reported from Bangalore to the Security Operation Center, it is difficult to blame anybody. Nevertheless, this is a good lesson with the conclusions:

  • Law 10: Security is not a product but a process. You may have the best tools (and Fire Eye is an extremely sophisticated one. It mirrors the system and runs the input data within the mirror and analysis the reactions in order to detect malicious activities). If you do not manage the feedback and alerts of these tools, and take the proper decision, then these tools are useless. Unfortunately, the rate of false error is too high to let current tools take such decisions
  • Law 6: You are the weakest link; The Security Operation Center decided not to react. As FireEye was not yet fully deployed, we may suppose that the operators may not fully trust it. The human decision was wrong this time.

Mar 11 2014

The war between Digital Rights Locker starts

The Walt Disney Studios Announces Disney Movies AnywhereIn 2010, two initiatives around Digital Rights Locker (DRL) were bubbling.  On one hand, DECE was a large consortium of companies that created UltraViolet (UV).  On the other hand, Disney was designing its own solution KeyChest.

During these four last years, UV has started to have mild adoption and deployment.  The latest news is that UV is available in more European countries. For instance, in France, we start to see on TV advertisement the presence of the UV logo for new titles.  Nevertheless, UV did not make an awareness campaign (at least in France).  Most French customer have no clue of what UV is.

Meanwhile, Disney did not join UV, neither promote KeyChest.   Some people thought KeyChest to be dead.  Since February 2014, the situation has changed.   Disney launched a new service: Disney Movie Anywhere.  User can open a KeyChest account to access the DRL and also use her iTunes account (Remember that Disney and Apple have very close connection).  The service is currently only available in the US.  It is said that other content owners may join.

Of course, currently UV and KeyChest are not interoperable, meaning that users should have both a UV account and a KeyChest account to access a large catalog.  Is a new war of standard starting?   DIsney, with its interesting catalog (cartoons, movies, Marvel, Star Wars…) and Apple are serious opponents.

A little bit of auto-congratulation:my book describes in details both UV and KeyChest.   Not a bad decision.

Jan 14 2014

A graphical password solution: PixelPin

Graphical passwords are an alternative to usual textual passwords. They use an image as main support and image handling such as pointing position in the picture as entry mode. They can be convenient on tactile screens, more difficult for robots to mimic human behavior, and claimed to offer better memory resilience.

Since early 1990s, the literature has been rather extensive in the field. Technicolor published several papers in the field (search for Maetz and Eluard). But we rarely see a product that implements such a solution.

UK-based company, PixelPin offers such a solution. It is based on Bonder’s seminal patent (5559961). When registering, you select one image as a support and four points in the image in a given order. When answering the challenge, you have to select the four points in the initial order. To limit risks of shoulder surfing, the precision of positioning is rather fine (at least on a computer). After 5 attempts, the account is locked for 15 minutes. Reset sends a reset token via the email used to register.

To increase memory resilience, and to ease the positioning you should select a picture with clear identified salient points else you will be quickly locked out. Of course, using too obvious salient points reduces the space of “keys” to explore.

The main issue is the network effect needed for such solution. It will be efficient if the sites are common and often visited, else your memory will fade. Unfortunately, I did not find many sites using PixelPin. The startup was launched beginning last year.

Jul 24 2013

And if you would authenticate by touching your mobile device?

We are not yet there.   Nevertheless, Christian Holz and Patrick Baudisch, two German researchers seem to have made some progress towards this dream.  They designed a tabletop system with a touch screen that allows fingerprint detection.  

The magic comes from the screen material.  it uses a new fiber optical plate.  The plate is made of million highly reflective fibers.   Infra red lights is reflected back to the emitter.  When infra red lights exits the plate through skin, it reflects less light back.   Thus, an high resolution infra red camera can capture highly contrasted fingerprints.   This allows to authenticate the user who is using the touch screen.

image

Unfortunately, the current system requires a projector and a camera.  Thus, it is suitable for table top solution with enough room beneath the screen.   Not yet ready for small portable devices.

In any cases, it opens many interesting use cases.  They will present a paper at UIST’13.

Older posts «