Is French HADOPI law dead (13)?

Posted on by
Reply

We know now for sure that HADOPI will be dead in 2022. On 27 April 2016, The French National Assembly approved an amendment that decrees that the HADOPI will expire on 4th February 2022.

ARTICLE 43 BIS

Compléter cet article par l’alinéa suivant :

« II. – La même soussection est abrogée à compter du 4 février 2022. Par dérogation à l’article L. 33116 du même code, la durée du mandat des membres nommés après la publication de la présente loi expire le 4 février 2022. »

EXPOSÉ SOMMAIRE

Comme le proposait le rapporteur en commission, cet amendement inscrit dans la loi la fin de vie de la Haute Autorité pour la diffusion des œuvres et la protection des droits sur internet (HADOPI) à compter de l’expiration du mandat en cours du dernier de ses membres nommés, soit le 4 février 2022.

It is a far milestone. Nevertheless, since a few months, HADOPI is in turmoil. In October 2015, the French Senate issued a report about the creation and management of the independent administrative authorities. The HADOPI is such authority. At page 70 of the report, the commissioner proposed to suppress the HADOPI as it has not proven its efficiency as the policeman of the Internet and that the graduated response is not operative to fight piracy.

Votre rapporteur propose ainsi la suppression de la Haute autorité pour la diffusion des œuvres et la protection des droits sur internet (HADOPI), considérant que cette autorité n’a pas apporté la preuve de son efficacité en tant que gendarme de l’internet et que les moyens de lutte contre le piratage à travers le mécanisme de la réponse graduée sont inopérants. En cas de réorientation de cet organisme, pour en faire un outil parmi d’autres de la lutte contre la contrefaçon culturelle et de la protection du droit des auteurs sur internet, il pourrait subsister sous forme de commission spécialisée voire d’établissement public.*

When will its actual death be?

 

* Therefore
your rapporteur proposes the deletion of the high authority for the dissemination of works and protection of rights on the internet (HADOPI), considering that this authority provided no proof of its efficiency as a Constable of the internet and the means of fighting piracy through graduated response mechanism are inoperative. If reorientation of this organization, to make one tool among others cultural counterfeiting and protection of the right of the authors on the internet, it could subsist in the form of commission or public institution. (draft translation from French to English)

Shared Responsibilities on the Cloud

Posted on by
Reply

Microsoft recently published a paper titled “Shared Responsibilities For Cloud Computing.” The aim is to explain that when migrating to the cloud not everything relies on the lapses of the cloud provider to reach a secure deployment. This reality is too often forgotten by cloud customers. Too often, when assessing the security of systems, I hear the statement, but cloud provider X is Y-compliant. Unfortunately, even if this declaration is true, it is only valid for the parts that the cloud provider believes are under its responsibility.

The golden nugget of this document is this figure. It graphically highlights the distribution of responsibilities. Unfortunately, I think there is a missing row: Security of the Application executing in the cloud. If the application is poorly written and riddled with vulnerabilities, then game over. In the case, of SaaS, this security is the responsibility of the SaaS provider. For the other cases, it is the responsibility of the entity who designed the service/application.

The explanations in the core of the document are not extremely useful as many elements are advertising for Microsoft Azure (it is fair as it is a Microsoft document).

The document can be used to increase the awareness of the mandatory distribution and sharing of responsibilities.

Hacking reCAPTCHA (2)

Posted on by
Reply

In 2012, the hacking team DefCon 949 disclosed their method to break Google’s reCaptcha. They used weaknesses in the version dedicated to visually impaired persons. End of 2014, Google replaced its letter-warping version with a user-friendlier version. It is based on the recognition of a set of images illustrating an object within a set of nine images.

At Black Hat Asia 2016, S. Sivakorn, J. Polakis and A. Keromytis from Columbia disclosed a method to break this visual captcha. They used many tools, but the core of the attack is the use of image annotation services, such as Google Reverse Image Search (GRIS) or Clarifai. These tools return a best guess description of the image, i.e., a list of potential tags. For instance, for the picture of a go-ban illustrating the blog post about AlphaGo, Clarifai returns chess, desktop, strategy, wood, balance, no person, table, and game, whereas GRIS returns go game. They use many tricks to increase the efficiency. My preferred one is to use GRIS to locate a high-resolution instance of each proposed challenge. They discovered that the accuracy of these annotation services decreased with the resolution of the submitted image.

They obtained a 70% accuracy for Google reCaptcha and 83.5% for Facebook’s version.

Sivakorn, Suphannee, Jason Polakis, and Angelos D. Keromytis, “I’m Not a Human: Breaking the Google reCaptcha” presented at Black Hat Asia, Singapore, 2016.

 

Easier fingerprint spoofing

Posted on by
Reply

In September 2013, the German Computer Chaos Club (CCC) demonstrated the first hack of Apple’s TouchID. Since then, they repeatedly defeated every new version both from Apple and Samsung. Their solution implies to create a dummy finger. This creation is a complex, lengthy process. It uses a typical photographic process with the copy of the actual fingerprint acting as the negative image. Thus, the master fingerprint is printed onto a transparent sheet at 1,200 dpi. This printed mask is exposed on the photosensitive PCB material. The PCB material is developed, etched and cleaned to create a mold. A thin coat of graphite spray is applied to improve the capacitive response. Finally, a thin film of white wood glue is smeared into the mold to make it opaque and create the fake finger.

Two researchers (K. CAO and A. JAIN) at the Michigan State University disclosed a new method to simplify the creation of the fake finger. They use conductive ink from AgIC. AgIC sells ink cartridges for Brother printers. Rather than making a rubber finger, they print a conductive 2D image of the fingerprint. And, they claim it works. Surprisingly, they scan the user’s fingerprint at 300 dpi whereas the CCC used 2,400 dpi to defeat the latest sensors.

As fingerprint on mobile devices will be used for more than simple authentication but also payment, it will be paramount to come with a new generation of biometrics sensors that also detect the liveliness of the scanned subject.

Alea Jacta Est (3): Ten Laws of Security

Posted on by
Reply

Once more, the die has been cast. Yesterday, I sent the final version of the manuscript of my second book to Springer.

The title is Ten Laws of Security. For 15 years, together with my previous security team, I have defined and refined a set of ten laws for security. These laws are simple but powerful. Over the years, when meeting other security experts, solution providers, potential customers, and students, I discovered that these laws were an excellent communication tool. These rules allowed benchmarking quickly whether both parties shared the same vision for security. Many meetings successfully started by me introducing these laws, which helped build reciprocal respect and trust between teams. Over time, I found that these laws were also an excellent educational tool. Each law can introduce different technologies and principles of security. They constitute an entertaining way to present security to new students or to introduce security to non-experts. Furthermore, these laws are mandatory heuristics that should drive any design of secure systems. There is no valid, rational reason for a system to violate one of these rules. The laws can be used as a checklist for a first-level sanity check.

Each chapter of this book addresses one law. The first part of the chapter always starts with examples. These anecdotes either illustrate an advantageous application of the law or outline the consequences of not complying with it. The second part of the chapter explores different security principles addressed by the law. Each chapter introduces, at least, one security technology or methodology that illustrates the law, or that is paramount to the law. From each law, the last section deduces some associated rules that are useful when designing or assessing a security system. As in my previous book, inserts, entitled “The Devil is in the details,” illustrate the gap between theory and real-world security.

The book should be available this summer.

Sound-Proof: an interesting authentication method

Posted on by
Reply

Four researchers of ETH Zurich (KARAPANOS N., MARFORIO C., SORIENTE C., and CAPKUN S.) have disclosed at last Usenix conference an innovative two-factor authentication method which is extremely user-friendly. As many current 2FA, it employs the user’s cell phone. However, the interaction with the phone is transparent to the user.

The user initiates the login with the typical login/password process on her or his device. Then, both this device and the user’s cell phone record the ambient sound. The two captured tracks are compared to verify whether they match. If they match, the authentication succeeds. The user’s cell phone captures the sound without the user having to interact with it. The phone may even be in the user’s pocket or shirt.

Obviously, this authentication does not prevent co-localized attacks, i.e., the attacker has the victim’s credentials and is near his victim. As the victim is not aware of the audio capture, the attack would succeed. Nevertheless, many scenarios are not vulnerable to co-localized attacks.

In the proof of concept, the cell phone performs the verification and returns the result to the login server. I do not find a reason this check could not be varied out by the server rather than by the phone. This modification would eliminate one security assumption of the trust model: the integrity of the software executing on the phone. The comparison would be more secure on the server.

A very interesting concept.

Karapanos, Nikolaos, Claudio Marforio, Claudio Soriente, and Srdjan Capkun. “Sound-Proof: Usable Two-Factor Authentication Based on Ambient Sound.” In 24th USENIX Security Symposium (USENIX Security 15), 483–98. Washington, D.C.: USENIX Association, 2015. https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/karapanos.

Diffie and Hellman received the ACM Turing Award

Posted on by
Reply

Yesterday, the Association for Computing Machinery (ACM) granted their most prestigious award the Turing award to Whitfield DIFFIE and Martin HELLMAN. If you read regularly this blog, you know probably them. In their seminal 1976 paper, they launched the foundations of asymmetric cryptography. Previously, only symmetric cryptography was known. Two years later, Rivest, Shamir and Adleman published the RSA algorithm based on these principles. Without public key cryptography, modern security would not be possible. We still use the DH protocol.

A well-deserved prize.

  • Diffie, W., and M. Hellman. “New Directions in Cryptography.” IEEE Transactions on Information Theory 22, no. 6 (1976): 644–54.
  • Rivest, R. L., A. Shamir, and L. Adleman. “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems.” Communications of the ACM 21, no. 2 (1978): 120–26.