“Securing Digital Video” is now available!

Posted on July 9, 2012 by wunderbarb

My book, “Securing Digital Video: Techniques for DRM and Content Protection” is now available on sale. It can be found directly at Springer (about one week delay), from US amazon (2-4 weeks delay) and from French Amazon (available only in August).

This is the last step of a long process. I hope that the reader will enjoy it and that it will be useful to the community. More details on the book are available here.

I would be glad to hear your suggestions, appreciations (even negative ones), and answer any question. For that, use preferably the address book@eric-diehl.com. I will always answer.

HADOPI: a little insight view

Posted on July 4, 2012 by wunderbarb

In may 2011, French HADOPI mandated an expert, Dadid Znaty, to evaluate the robustness of the system that tracks infringers on P2P. The objectives were:

Analyze the method used to generate fingerprints
Analyze the method used to compare sample candidates with these fingerprints
Analyze the process that collects the IP addresses
Analyze the workflow

On January 16, 2012, Mr Znaty delivered his report. A version without the annexes was published on HADOPI site for public dissemination. The report concluded that the system was secure.

Conclusion : en l’état, le processus actuel autour du système TMG est FIABLE. Les documents constitués du procès verbal (saisine), et si nécessaire du fichier complet de l’oeuvre (stockée chez TMG) associé au segment de 16Ko constituent une preuve ROBUSTE.

Le mode opératoire utilisé permet donc l’identification sans équivoque d’une oeuvre et de l’adresse IP ayant mis à disposition cette oeuvre.

An approximate translation of this conclusion is

Conclusion: The current process of TMG’s system is RELIABLE. The documents, the minutes, and if necessary the complete opus (stored by TMG) associated to the 16K segment are a ROBUST proof.

The workflow allows unambiguous identification of a piece of content and the IP address that made it available.

Quickly, content owners complained that sensitive information may leak from this report. Therefore, it was interesting to have a look to this report.

The report is not anymore available on the HADOPI site. The links are present, but there is no actual download. Sniffing around, you may easily find copies of the original report (for instance here). Once we have it, what is leaking out?

Most probably for the experts, nothing really interesting. We learn a lot on the process of identification of the right owners of a content. This part is well described in the document. When we look on the technical side, no details. the expert was always answered that the technology providers will not give any details on the algorithms. Therefore, to validate the false positive rate, the expert checks if there is any content inside the reference database that share the same fingerprint. The answer is no (excepted for one case where they fed twice the same master :Pondering: ). Conclusion: no false positive! I let you make your own conclusion.

The annexes that may have some details were not published. I have not found a copy on the net. What bit of information could we grasp:

There are two technology providers for the fingerprint. They are “anonymized” in the document for confidentiality (sigh! ) We can guess that the audio fingerprint provider is not French as a quote of an answer was in English. This is not a surprise as to the best of my knowledge there is no French technology commercialy available.
They look for copyrighted content on P2P networks using keywords. Once a content is spotted, its fingerprint is extracted and compared to the master database. If the content fits, its hashcode is recorded (most probably the md5 code). Then, TMG can look for this md5 sample and record the IP address.
The content is recognized if there is a ordered sequence of fingerprints. The length of the sequence seems to depend of the type of content and the rights owner. For audio, 80% of the duration. For video, in the case of ALPA, 35 minutes…

In conclusion, no a great deal…

Securing Digital Video: one step more

Posted on May 22, 2012 by wunderbarb

I received yesterday the page proof edition of my book. I have to review it for the final modifications. Here is an example (first page of the introduction)

Once reviewed, we are set. Springer will then print it and it should be soon available. In other words, it should be out before August.

Secure Data Management 2012

Posted on May 10, 2012 by wunderbarb

The ninth workshop on secure data management (SDM’12) has extended its submission deadline to June 1, 2012.

The topics of interest are:

Secure Data Management
Database Security
Data Anonymization/Pseudonymization
Data Hiding
Metadata and Security
XML Security
Authorization and Access Control
Data Integrity
Privacy Preserving Data Mining
Statistical Database Security
Control of Data Disclosure
Private Information Retrieval
Secure Stream Processing
Secure Auditing
Data Retention
Search on Encrypted Data
Digital and Enterprise Rights Management
Multimedia Security and Privacy
Private Authentication
Identity Management
Privacy Enhancing Technologies
Security and Semantic Web
Security and Privacy in Ubiquitous Computing
Security and Privacy of Health Data
Web Service Security
Trust Management
Policy Management
Applied Cryptography

MegaUpload effect: is technology evil?

Posted on April 5, 2012 by wunderbarb

My editorial of the last security newsletter provoked many reactions. It could have been expected because I reported about MegaUpload’s shutdown. The typical reaction was the tricky question: how do you decide that a cyber locker is acting evil? Is the cyber locker operator liable for its users to store illegal contents? We’re back to the safe harbor issue.

who-owns-the-rain-a-discussion-on-accountability-of-whats-in-the-cloud posted on http://parasam.me/ blog nicely presents the problem. In a nutshell, why only megaUpload? Most of the other cyber lockers will probably host illegal content.

The issue of cyber lockers is similar with the situation of Peer To Peer. The technology is not to be blamed, it is its misuse that is to be blamed. How often did we see people automatically identifying P2P to piracy? And too often, even us, the specialists, oversimplify communication by identifying the technology with its use. P2P and cyber lockers are valuable technology and have many legitimate use. Therefore, we must be very careful about breaking the identification of cyber locker to piracy harbors.

Now why striking MegaUpload? Of course, there were non-infringing content stored on MegaUpload, as there may be illegal content stored on DropBox (choose any other name). I am sure that I will certainlyfind legitimate content on The Pirate Bay (both on there P2P service and their own cyber locker). When closing MegaUpload, most probably some people did loose legitimate content. Now, why would MegaUpload be evil and not DropBox? Most probably, the difference between bad/good comes from the actual behavior of the site owners. For instance, YouTube answers to cease and desist notice. According to the US justice, MegaUpload did not have such a clean behavior. An extract of the FBI announcement about MegaUpload.

The indictment states that the conspirators conducted their illegal operation using a business model expressly designed to promote uploading of the most popular copyrighted works for many millions of users to download. The indictment alleges that the site was structured to discourage the vast majority of its users from using Megaupload for long-term or personal storage by automatically deleting content that was not regularly downloaded. The conspirators further allegedly offered a rewards program that would provide users with financial incentives to upload popular content and drive web traffic to the site, often through user-generated websites known as linking sites. The conspirators allegedly paid users whom they specifically knew uploaded infringing content and publicized their links to users throughout the world.

The reward program was most probably a good indicator as well as a red rag under the nose of MPAA. The frontier is most probably in the applied business model. Does most of your money come from “legitimate” business? But even that is a difficult test. If your business model is purely based on advertisement revenue, then you should try to increase the traffic, thus the number of eye balls. Free copyright content is one of the categories that attracts visitors.

As for all ethical matters, it is not Manichean. And the grey scale is large.

What is your opinion?

Securing Digital Video: the text is final and frozen

Posted on April 4, 2012 by wunderbarb

About one year ago, I informed you that the final draft of my book was sent to Springer, my editor. Today, a new step: after several copy edit rounds, the text is final. We enter now the final stage: layout and printing. In other words, the book should be now soon available in the stores (before end of this quarter).

The book will have inserts entitled “Devil’s in the Details”. These short sections will deeply dive in some naughty details highlighting the difference between theoretical schemes and actual robust security. For instance, you will learn some details on the Black Sunday, or on how AACS was hacked.

I will keep you informed about the next steps.

Online video security 101

Posted on March 28, 2012 by wunderbarb

Brightcove proposes an interesting whitepaper describing the spectrum of solutions available to secure video. The section describing the security spectrum is a good high-level introduction to the existing problems. It tackles:

Unlimited access
Watermarking (both visible burn-in and invisible forensics watermark)
Geo-restriction; you limit the geographical zone where your content may be viewed. This is why non-US residents cannot access the free episodes on sites such as ABC
Domain restriction
IP restriction
RTMPE for protecting video during transfer
Protected page; the usual restriction by an access control to the web page
SWF restriction; this is a characteristics of Flash Access, Adobe’s DRM, where you can define the list of AIR players allowed to access a content
Anonymous DRM; using a dedicated mode of Flash Access
Advanced DRM; using more complex features of Flash Access
Secure HLS; the format defined by Apple to securely stream content to an iOS device.
User authentication

The beginning of the list is well done. They are generic enough to be able to extrapolate to other solutions than the ones proposed by Brightcove. The last ones (in italic in this post) are very specific either to a solution, or to the offer of Brightcove. They are mostly based on the use of Adobe Flash Access for non-Apple devices, and HLS for Apple devices.

The last section, Security across channels, is not focusing on security challenges in the different environments and may be confusing for the non-specialists.

The document is available here and requires registration.

The blog of content protection

A site managed by Eric Diehl

Category Archives: Technology