A Milestone in AI: a computer won against a Go champion

I usually only blog about security or Sci-Fi. Nevertheless, I will blog about an entirely unrelated topic as I believe we have reached an important milestone. Artificial Intelligence (AI) is around for many decades with various successes. For several years, AI, through machine learning, has made tremendous progress with some deployed fascinating products or services. For instance, Google Photo has leap-frogged the exploitation of databases of images. It can automatically detect pictures featuring the same person over decades! Some friends told me that it even differentiated natural twins.

Nevertheless, I always believed that go game was out of the reach of AI. Go is a multi-millennial ancient game with extremely simple rules (indeed, only three rules). It is played on a go ban of 19 x 19 positions. Each player adds a stone (white or black) to create the largest territory. The game is extremely complex not only because of the number of possible combinations (it is said to be greater than the number of atoms in the universe) but also by the infinite possible strategies. It exceeds by several amplitudes the complexity of chess. A great game!!!

On January 27, 2016, Google made my belief wrong. For the first time, their software, AlphaGo, won five games to zero against a professional go player. AlphaGo was first trained with 30 million moves. Then, it has been self-reinforced by playing against itself thousands of times. The result is a software at the level of a professional go player. Evidently, AI passed a milestone.

Machine learning will smoothly invade security practices. Training software through logs to detect incidents will be a good starting point.

DMCA triennial exemptions

Every three years, the Librarian of the Congress revisits the exemptions to the Digital Millennium Copyright Act (DMCA). These exemptions list the cases when circumventing technological measures that protect copyright works is not illegal. On October 28, 2015, the Librarian has issued the new list valid for three years. The new exemptions (compared to six years ago) are:

  • The jailbreaking of cellphones to be used on other carrier networks has been extended to tablets, wearable devices, and connected TVs.
  • Jailbreaking portable devices to execute lawfully acquired software
  • Owners can circumvent diagnosis and repair software for cars and farm equipment
  • For research purpose on consumer devices, medical devices, and cars
  • For sourcing ink for 3D printers from alternative suppliers

The previous exemptions are still valid.

Some notes on the Content Protection Summit 2015

These motes are personal and reflect the key points that raised my interest. They do not report the already known issues, already approved best practices and security guidelines.

The  conference was held on 7th December at Los Angeles. The audience was rather large for such event (more than 120 attendees) with representatives of content owners, service and technology providers and a few distributors. CPS is becoming the annual event in content protection. The event was as interesting as last year.

A special focus has been placed on cyber security rather than purely content protection.

Welcome remarks (ROSE M.)

The end of EU safe harbor is an issue.

CDSA: A focus on the right things at the right time (by ATKINSON R.)

A set of work streams for 2016 with nothing innovative. Some focus on training and education. A second focus on opportunity versus piracy.

IP security the creative perspective (by McNELIS B.)

An attack against YouTube that does not have in place a strong enough position against piracy. Google does not play the game despite it could (for instance, there is no porn on YouTube, proving the efficiency of curation). The difference between Apple and Google is the intent.

Creators do usually not want to bother about content protection. They want to communicate directly with consumers. The moderator explained that indie filmmakers are far more concerned as piracy may be more impacting their revenue stream. The middle class of creators is disappearing.

The BMG / Cox communication legal decision is a good promising sign.

Breakthrough in watermark (by OAKES G.)

NNSS (Nihil Nove Sub Sole, i.e., nothing new under the sun)

The move to digital pre-release screeners: DVD R.I.P. (panel with ANDERSON A., TANG E., PRIMACHENKO D.)

Pros:

  • Nobody any more uses exclusively DVD at home, they use additional media. The user experience of DVD is bad (dixit Fox).
  • E-screener is more eco-friendly than DVD distribution.
  • Less liability due to no need to dispose of the physical support.
  • Higher quality is possible.
  • According to Fox, on-line screeners are intrinsically more secure than DVD screeners.

Cons:

  • The challenge is the multiplicity of platforms to serve. Anthony pleads for 2FA.
  • Some guild members want to build a library.
  • Connectivity is still an issue for many members.

Suspicious behavior monitoring is a key security feature.

The global state of information security (by FRANK W.)

Feedback on the PcW annual survey of 40 questions.

  • Former employees are still the most cited sources. Third party related risk is rising.
  • Theft of employee and customer records raised this year.
  • 26% of increase of security budget over 2014.
  • ISO27001 is the most used framework. 94% of companies use a security framework.
  • Top Cyber threats: vulnerabilities, social engineering and zero-day vulnerabilities.
  • Data traversal becomes a visible issue with leaks via Dropbox, Google Drive…)

Would you rather be red and blue, or black and blue (by SLOSS J.)

A highlight on high-profile attacks. A plea for having an in-house red team (attack team)

He advocates the stance of assuming that you’re already penetrated. This requires:

  • War game exercises
  • Central security monitoring
  • Live site penetration test (not really new)

Secrets to build an incident response team (panel with RICKELTYON C., CATHCART H., SLOSS J.)

An Incident Response Team is now mandatory together with real-time continuous monitoring.

Personalize the risk by making personal what the consequences of a breach would be.

Hiring experts for a red team or IRT is tough.

Vulnerability scanning penetration testing (panel with EVERTS A., JOHNSON C., MEACHAM D., MONTECILLO M.)

NNSS.

Best practice for sending and receiving content (by MORAN T.)

Taxonomy

  • Consumer grade cloud services: Dropbox, etc
  • Production. Media deal, signiant, mediafly, etc
    • Usually isolated system within a company
    • Owned by production rather than IT
  • Enterprise: Aspera
    • Owned by IT

Cooperation between IT and production staff is key.

Don’t tolerate shadow IT. Manage it

Monitor the progress of Network Function Virtual (NFV)and Software Defined Network (SDN) as they may be the next paradigms

Production in the cloud (panel with BUSSINGER B., DIEHL E., O’CONNOR M., PARKER C.)

CDSA reported about this panel at http://www.cdsaonline.org/latest-news/cps-panel-treat-production-in-the-cloud-carefully-cdsa/

Production security compliance (panel with CANNING J., CHANDRA A., PEARSON J., ZEZZA L.)

It is all about education. The most challenging targets are the creatives

New Regency tried on a production of a TV show to provide all creatives with the computer, tablet, and phone. They also allocated a full-time IT guy.

Attackers are smart

In 2010, Steven MURDOCH, Ross ANDERSON, and their team disclosed a weakness in the EMV protocol. Most Credit / Debit card equipped with a chip use the EMV (Europay, MasterCard, Visa) protocol. The vulnerability enabled to bypass the authentication phase for a given category of transactions. The card does not condition transaction authorization on successful cardholder verification. At the time of disclosure, Ross’s team created a Proof Of Concept using an FPGA. The device was bulky. Thus, some people minored the criticality.

The team of David NACCACHE recently published an interesting paper disclosing an exemplary work on a real attack exploiting this vulnerability: “when organized crime applies academic results.” The team performed a non-destructive forensic analysis of forged smart cards that exploited this weakness. The attacker combined in a plastic smart card the chip of a stolen EMV card (in green on the picture) and an other smart card chip FUN. The FUN chip acted like a man in the middle attack. It intercepted the communication between the Point of Sales (PoS) and the actual EMV chip. The FUN chip filtered out the VerifyPIN commands. The EMV card did not verify the PIN and thus was not blocked in case of the presentation of wrong PINs. On the other side, the FUN chip acknowledged the PIN for the PoS which continues the fraudulent transaction.

Meanwhile, the PoS have been updated to prevent this attack.

This paper is an excellent example of forensics analysis as well as responsible disclosure. The paper was published after the problem was solved in the field. It discloses an example of a new potential class of attacks: Chip in The Middle.

Law 1: Attackers will always find their way. Moreover, they even read academic publications and use them.

Cloud Security: a Metaphor

Last year, at the annual SMPTE Technical Conference, I presented a paper “Is the Future of Content Protection Cloud(y)?”  I explained that the trust model of public cloud was theoretically inherently weaker than the trust model of private cloud or private data center.  The audience argued that at the opposite, the security of public cloud may be better than the security of most private implementations.  As usual in security, the answer is never Manichean.

Metaphors are often good tools to introduce complex concepts.  Analogy with the real world helps to build proper mental models.  The pizza as a service metaphor that explains the IaaS, PaaS and SaaS is a good example.  In preparation of the panel on cloud security at the next Content Protection Summit, I was looking for a metaphor to illustrate the difference between the two trust models.  I may have found one.

On one side, when using a private cloud (or a private data center), we can likened the trust model to your residential house.  You control whom you invite into your home and what your guests are allowed to do.   You are the only person (with your family) to have the keys.  Furthermore, you may have planted a high hedge to enforce some privacy so that your neighbors cannot easily eavesdrop.

CloudMetaphor1

On the other side, the trust model of the public cloud is like a hotel.  You book a room at the hotel.  The concierge decides who enters the hotel and what the hosts are allowed to do.  The concierge provides you with the key to your room.  Nevertheless, the concierge has a passkey (or can generate a duplicate of this key).  You have to trust the concierge as you have to trust your cloud provider.

CloudMetaphor4

The metaphor of the hotel can be extended to different aspects of security.  You are responsible for the access to your room.  If you do not lock the room, a thief may enter easily regardless of the vigilance of the hotel staff.  Similarly, if your cloud application is not secured, hackers will penetrate irrespective of the security of your cloud provider.  The hotel may provide a vault in your room.  Nevertheless, the hotel manager has access to its key.  Once more, you will have to trust the concierge.  The same situation occurs when your cloud provider manages the encryption keys of your data at rest.  The hotel is a good illustration of the risks associated to multi-tenancy.  If you forget valuable assets in your room when leaving the hotel, the next visitor of the room may get them.  Similarly, if you do not clean the RAM and the temporary files before leaving your cloud applications, the next user of the server may retrieve them.  This is not just a theoretical attack.  Multi-tenancy may enable it.  Clean your space behind you, the cloud provider will not do it on your behalf.  The person in the room next to your room may eavesdrop your conversation.  You do not control who is in the contiguous rooms.  Similarly, in the public cloud, if another user is co-located on the same server than your application, this service may extract information from your space.  Several attacks based on side channels have been demonstrated recently on co-located server.  They enabled the exfiltration or detection of sensitive data such as secret keys.  Adjacent hotel rooms have sometimes connecting doors.  They are locked.  Nevertheless, they are potential weaknesses.  A good thief may intrude your room without passing through the common corridor.  Similarly, an hypervisor may have some weaknesses or even trapdoors.  The detection of colocation is a hot topic that interests the academic community (and of course, the hacking community).  My blog will follow carefully these new attacks.

Back to the question whether the public cloud is more secure than the private cloud, the previous metaphor helps to answer.  Let us look more carefully at the house of the first figure.   Let us imagine that the house is as the following illustration.

CloudMetaphor2

The windows are wide open.  The door is not shut.  Furthermore, the door has cracks and a weak lock.  Evidently, the owner does not care about security.  Yes, in that case, the owner’s assets would be more secure in the room of a hotel than in his house.  If your security team cannot secure properly your private cloud (lack of money, lack of time, or lack of expertise), then you would be better on a public cloud.

If the house is like the one of the next image, then it is another story.

CloudMetaphor3

The windows have armored grids to protect their access.  The steal door is reinforced.  The lock requires a strong password and is protected against physical attacks.  Cameras monitor the access to the house.  The owner of this house cares about security.  In that case, the owner’s assets would be less secure in the room of a hotel than in his house.  If your security team is well trained and has sufficient resources (time, fund), then you may be better in your private cloud.

Now, if you are rich enough to afford to book an entire floor of the hotel for your usage, and put some access control to filter who can enter this level, then you mitigate the risks inherent to multi-tenancy as you will have no neighbors.  Similarly, if you take the option to have the servers of the public cloud uniquely dedicated to your own applications, then you are in a similar situation.

This house versus hotel metaphor is an interesting metaphor to introduce the trust model of private cloud versus the trust model of public cloud.  I believe that it may be a good educational tool.  Can we extend it even more?  Your opinion is welcome.

A cautionary note is mandatory: a metaphor has always limitation and should never be pushed too far.

 

The illustrations are from my son Chadi.

Alea Jacta Est (2)

Four years ago, I sent the manuscript of my first book to Springer.   This weekend, it was the turn of my second book: “Ten laws of security.”    It covers the ten laws.  Now, Springer will start the copy editing and once approved by me, it will go to print.  I hope that it should be available for the first semester 2016.

I will keep you informed of the progress.