MSN music will not deliver new licenses

In November 2006, MSN Music closed its service. The service was not successful at competing with Apple’s iTunes. Recently, Rob Bennett of Microsoft announced that they will not deliver any more keys after 31 August 2008.
Why would you need new keys although MSN Music no longer sells new songs? MSN Music sold songs to be consumed on a given computer. Thus, the license containing the decryption key is linked to the targeted computer. The linking uses unique characteristics of the computer, such as its configuration or hard disk identifier. Using these characteristics is sometimes called computer fingerprinting. Therefore, there are two legitimate reasons to ask for a new key (or, more precisely, a new license) for an already purchased song:

  • The configuration of the computer evolved, for instance through the addition of a new piece of hardware or through maintenance.
  • The consumer replaces the old computer and transfers her songs to a new one.

In other words, after August 2008, consumers will no longer be able to listen to their legally purchased songs if they change computers. Rob Bennett announced that Microsoft did not succeed in negotiating DRM-free songs with the studios. It is surprising: the merchant of the songs is Microsoft, the supplier of the DRM technology is Microsoft, and Microsoft did not find a solution? Perhaps it is a strategy of Microsoft to get DRM-free content. An interesting question: is MSN Music liable? Is a class action by fooled consumers possible?

Unfortunately, this story gives strong new arguments to the DRM opponents. The problem is not so much the DRM itself. The problem is that the song is linked to a computer rather than to a “larger” entity. Were the song linked to the customer rather than to her computer, this problem would be solved. Were Microsoft's DRM interoperable with another DRM, this problem would be solved.

One example of a solution is the domain. A domain is the set of devices belonging to a person or a family. Were the song attached to a domain, it would not be managed by a merchant. Currently, two systems support domain-based DRM: DVB-CPCM and Coral. Unfortunately, they are not yet implemented in consumer devices. This story may be a booster for these solutions.
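The difference between a license bound to a computer fingerprint and a license bound to a domain can be shown in a few lines. This is an added illustration, not the MSN Music, DVB-CPCM or Coral scheme: the key-wrapping construction (HMAC-SHA256 used as keystream and as integrity tag), the hardware attributes and the domain key are all assumptions made for the example.

```python
import hashlib, hmac, os

def kdf(secret: bytes, label: bytes) -> bytes:
    # Derive a 32-byte sub-key from a binding secret (toy construction).
    return hmac.new(secret, label, hashlib.sha256).digest()

def fingerprint(machine: dict) -> bytes:
    # Hash the machine's characteristics in a canonical order.
    canon = "|".join(f"{k}={machine[k]}" for k in sorted(machine))
    return hashlib.sha256(canon.encode()).digest()

def issue_license(binding: bytes, content_key: bytes) -> bytes:
    # License = nonce || encrypted content key || integrity tag.
    nonce = os.urandom(16)
    stream = kdf(binding, b"enc" + nonce)[:len(content_key)]
    ct = bytes(a ^ b for a, b in zip(content_key, stream))
    return nonce + ct + kdf(binding, b"mac" + nonce + ct)

def open_license(binding: bytes, blob: bytes):
    # Returns the content key, or None if the binding secret does not match.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, kdf(binding, b"mac" + nonce + ct)):
        return None
    stream = kdf(binding, b"enc" + nonce)[:len(ct)]
    return bytes(a ^ b for a, b in zip(ct, stream))

# Constructed sample data: one PC before and after a disk replacement.
OLD_PC = {"disk_serial": "CONSTRUCTED-0001", "mac": "00:11:22:33:44:55", "cpu": "cpu-A"}
UPGRADED_PC = dict(OLD_PC, disk_serial="CONSTRUCTED-0002")
# Assumed domain secret, provisioned once to every device of the household.
DOMAIN_KEY = hashlib.sha256(b"constructed household domain secret").digest()

def demo() -> dict:
    content_key = bytes(range(16))  # constructed 128-bit song key
    machine_license = issue_license(fingerprint(OLD_PC), content_key)
    domain_license = issue_license(DOMAIN_KEY, content_key)
    return {
        # Original machine: the fingerprint matches, the song plays.
        "same_pc": open_license(fingerprint(OLD_PC), machine_license) == content_key,
        # After the disk swap the fingerprint changes; only the license
        # server could re-issue, which is what stops after the shutdown.
        "after_disk_swap": open_license(fingerprint(UPGRADED_PC), machine_license) is not None,
        # Domain-bound license: any device holding the domain key opens it.
        "domain_on_new_pc": open_license(DOMAIN_KEY, domain_license) == content_key,
    }

if __name__ == "__main__":
    print(demo())
```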

Wide distribution of fingerprints

In issue 92 of “Die Datenschleuder”, the official magazine of the Chaos Computer Club (CCC), you may find, on a plastic foil, the fingerprint of the German interior minister Wolfgang Schäuble. According to CCC, applying the foil to the biometric reader to be used for the German passport may impersonate the minister. CCC could not test it. Nevertheless, the hackers claim that they experimented with them.

One of the challenges of biometrics is to verify that the measured biometrics come from a living principal. For instance, the new generation of fingerprint readers measures the temperature of the finger, blood pressure, or the resistivity of the skin. This may make it possible to detect fake fingers. Of course, another potential weakness is impersonation after the physical capture. In this case, all the additional measurements are useless.

This story, regardless of its potential veracity, highlights the inherent limitations of biometrics. It is possible to revoke a compromised key. It is impossible to revoke a compromised biometric identity. If your fingerprint is available for a given technology, there is no way to stop it.

If this risk of capturing biometrics is real, then biometrics should be used only as part of two-factor authentication. In this configuration, the compromise of a biometric identity can be partly compensated by the second factor. In fact, in this case, the authentication is reduced (for the compromised identities) to one-factor authentication. This is better than nothing. An upgrade of the biometric method that copes with the attacks would restore the value of the biometrics.

In any case, the generalization of biometrics will open a new black market: forged biometric identities.

PS: “Die Datenschleuder” could be translated as “the data sling”.

The crusade: DRM sucks

There is a terrible crusade against DRM. Many bloggers try to illustrate that “DRM sucks”. As for all crusades, arguments are sometimes true, and sometimes wrong.

A famous blogger claimed that he had a perfect example of why DRM sucks. Following the death of HD DVD, it seems that the newest version of Cyberlink’s PowerDVD, one of the most used software DVD players, no longer supports HD DVD. That was fast. According to the blogger, that was the fault of DRM.

Unfortunately, this is the worst example. HD DVD and Blu-ray share the same basic DRM: AACS. Of course, Blu-ray has BD+ in addition. Nevertheless, the basic DRM is identical. The lack of interoperability is due to intrinsically different formats at every level (physical, organization, coding) except for DRM.

I suggest a better historical example of sucking DRM: VHS and Betamax ;-)

P2P: is giving access illegal?

Two US judges gave different answers to the question: “Is putting copyrighted content in a folder accessible to P2P sharing illegal?” According to Judge Kenneth Karas of New York, it is illegal, whereas for Judge Nancy Gertner of Boston it is not an infringement until the content has been downloaded by someone. Nevertheless, both judges agree that downloading copyrighted content is an infringement. The judgments are not final.

Should Judge Nancy Gertner confirm her decision, it would open new perspectives in future trials.

  • Content owners would not have to prove the exposure of copyrighted content, but would have to prove the actual download of the exposed content by someone else.
  • Content owners would probably also have to prove that the exposure was deliberate. Known examples have illustrated that people may inadvertently expose data to peer-to-peer networks. See “Confidential data and P2P”.

An interesting issue to be followed.

RFID to stop theft

SimplyRFID provides a system, NOX, to detect theft that is not simple at all. It is the combination of three techniques:

  • RFID tags are glued on the items to be protected. The RFID tag provides the identity of the item and, through readers, its location.
  • Optically charged dust is spread in restricted areas, for instance in secure vaults.
  • Video surveillance has two roles. First, it monitors the people. Second, it detects the presence of dust that is illuminated by a laser. The dust glows. It is thus possible to detect intrusion into sensitive areas. Automatic software may detect the glowing dust and trigger an alarm.

The interesting part is that the RFID readers are hidden from the users. They are not aware of their existence. This is perhaps the “smarter” part of the concept.

How does it work? When an RFID tag passes near a hidden detector, the detector is triggered. It is then easy to discover the potential thief using the video surveillance. Of course, if the thief is aware of the location (or even of the presence) of hidden RFID tags, then he will be more cautious. The system targets insiders. Thus, the thief has time. He will first shield the tag. Then, he will pass through the detectors without triggering them. We assume that he hides the stolen device from the spying cameras. It is even better if there are several days between the shielding and the actual theft. It will require many hours to visually monitor the video tapes, and if several people handled the item in the meantime, it is even better.

Interestingly, these hidden readers are violating privacy because employees are not informed of their presence.

KeeLoq hacked

KeeLoq is an RFID system that protects many anti-theft cards and garage openers. Some published cryptanalysis had already highlighted the weaknesses of the cipher, but the attacks were not practical. A group of six German and Iranian researchers designed a set of very practical attacks.

Using Differential Power Analysis (DPA), they were able to extract the device key. What is impressive is that they carried out the attack without knowledge of the chip. They were working with a black box. For instance, they had to guess when the encryption process occurred. They extracted the device key in less than one hour. Of course, DPA requires physical access to the emitting device. They performed a similar attack to extract the manufacturer key from the receiver. It took less than one day.

With this information, by eavesdropping on a receiver, it is possible to impersonate it. They extract the seed, the secret and the current counter value. The counter value has to be “loosely” synchronized with that of the receiver. Of course, by impersonating the emitter, it is easy to desynchronize the receiver from the genuine emitter. The owner of the genuine emitter will have to push his key 2^15 times to open his door. Nice denial of service.

This is the second hack of RFID security in a month. Recently it was NXP Mifare that was hacked. Once more, the security of an RFID system was too weak. It has at least two types of known flaws:

  • A weak LFSR-based cipher.
  • No protection against side-channel attacks.

The secure processor industry has been aware of these types of weaknesses for about one decade and fights them. It is time that the RFID industry also adapts to them. Is it compatible with the price constraints?

A paper at Eurocrypt08 will present this attack. The details of the attacks are available on the Ruhr University site.

TorrentSpy: one round for studios

On Friday 28th March, TorrentSpy, one of the main torrent tracker sites, closed definitively. According to the site, the legal burden was becoming too heavy. Having the feeling that they could not preserve the interests of their users, they closed their site. Since 2006, the MPAA had been suing TorrentSpy for facilitating piracy.

Will it change something? Probably not much. Many tracker sites are available. TorrentSpy will disappear from toolbars and from filters of tools such as BitChe.

A theoretically interesting question: does the closing of a major site help or reduce piracy? On the one hand, a wealth of torrent trackers has vanished. On the other hand, more people will connect to the currently available torrents, thus making them more efficient in terms of sharing.