Top threats for cloud computing

The Cloud Security Alliance released a document listing the nine top threats to cloud computing: “The Notorious Nine”.  The top nine threats are:

  1. Data breaches; an attacker may access your data.
  2. Data loss; the loss may result from an attack, a technical problem or a catastrophe.  The document wisely highlights the issue that encryption (used to protect against threat 1) raises for data loss.
  3. Account hijacking.
  4. Insecure APIs; this one is extremely important, especially for system designers.  It is not necessarily unique to the cloud, but it is clearly exacerbated by a cloud infrastructure.
  5. Denial of service.
  6. Malicious insiders.
  7. Abuse of cloud services; using the cloud for nefarious actions such as password cracking.  Well, every coin has two sides.
  8. Insufficient due diligence; jumping on the cloud bandwagon without enough preparation may be an issue.  This is not specific to the cloud; it is true for any new paradigm.  BYOD (Bring Your Own Device) is a perfect illustration of such a problem.
  9. Shared technology vulnerabilities; as you share components and pieces of software without necessarily enough isolation, a single vulnerability may impact many players.

Each threat is described and illustrated by a real-world example of an attack.  A risk matrix allows them to be compared.

This list was established by surveying industry experts.  Unfortunately, the document does not give details about the number of surveyed experts, their locations, or their qualifications.

A good document to read.

Is French HADOPI law dead?

Pierre Lescure, former CEO of French broadcaster Canal+, has delivered to the French minister of culture and communication his report “Contribution aux politiques culturelles à l’ère numérique” (i.e. contribution to cultural policies in the digital era).  Obviously, among the 88 recommendations, numerous proposals tackle copyright issues.  These recommendations made the headlines of the French press.


Pierre Lescure and his team have deeply analyzed the current French graduated response, its organization HADOPI, and its efficiency.  Let’s navigate the 700-page document and highlight some interesting points.

In section A-5: The release window

The report highlights that the audience wants pieces of content as early as possible.  Furthermore, VOD is drastically increasing.  Thus, they propose to reduce the current VOD release window by one month.  Interestingly, they would offer this earlier release only to “good citizen” operators.

More precisely, it is proposed to bring forward the video-on-demand window, possibly reserving this measure for the most virtuous services, i.e. those that agree to make proactive commitments in terms of financing creation and showcasing diversity.

Furthermore, they propose the concept of a premium weekend, when a piece of content would be available as VOD one or two weeks after theatrical release for 30€ (40$).


Section A-14 tackles the issue of DRM.  They propose to extend the scope of the DAVDSI law to games and public domain content.  They also recommend creating an open standard for DRM.

Personal note: the problem with an open standard is that it cannot enforce the compliance and robustness regime that is mandatory for any DRM to be effective.

They highlight that DRM and the French right to private copy do not coexist well.

Section B-7 tackles the issue of the private copy levy.

As cloud computing becomes more and more present, storage in the cloud will become prevalent.  Therefore, the current private copy levy will become useless.  Thus, the report suggests creating a levy for every connected device regardless of its internal storage capacity.

In section C-2: “Appraisal of the graduated response”.

The graduated response (articles L.331-24 et seq. of the CPI) is founded not on the act of counterfeiting itself, but on the breach of the Internet subscription holder’s duty to monitor his access point …
The notion of characterized negligence thus makes it possible, at the end of the graduated response procedure, to sanction the subscription holder without proof that he is the actual author of the counterfeiting offence, as long as he has not taken steps to secure his line.

They highlight that the cornerstone of the French graduated response is not the counterfeiting act but characterized negligence in securing one’s Internet access.  Being negligent in securing the network does not mean the owner of the network was the infringer.


As of February 2013, content owners had detected 35 million (for 4.7 million IP addresses).  1.6 million first warnings and 139,000 second warnings were issued, with 29 cases passed to the courts.  Only two cases were sentenced, with a 150€ fine.  In 2012, the direct cost of the graduated response was 6M$, with an additional bill of 2.5M€ from the three main ISPs.  This evaluation does not include the cost of TMG detecting the supposedly infringing IP addresses, which is borne by the content owners.

They conclude that the efficiency is mixed.  The use of P2P has visibly declined by 40% in three years.  Nevertheless, this may just mean that the traffic moved to direct download/streaming sites that HADOPI does not monitor.

In section C-3: “Lightening the graduated response”

The report acknowledges that suppressing the graduated response would have many advantages.  Nevertheless, the disadvantages are more important.  The report proposes to clarify the concept of “characterized negligence”: you would have to put something in place, but it would not have to be successful.  They also propose to focus on the counterfeiting rather than on the negligence.  The counterfeiting act should be proven and for monetary gain.

In the immediate term, prosecutors could be asked to bring counterfeiting proceedings only where there are serious and concordant indications tending to prove the existence of personal or collective enrichment, within the framework of a counterfeiting network.

The educational element of the graduated response should be enhanced.  Thus, the ultimate punishment, i.e. suppression of Internet access, should be replaced by throttling.  Furthermore, the fine should be reduced from 1,500€ to 60€.

The report proposes to close the HADOPI organization and hand its mission over to the Conseil Supérieur de l’Audiovisuel (High Council for Audiovisual).  We anticipated that in August 2012.

Section C-4: “the fight against online commercial piracy” is going in the right direction.  It clearly highlights that direct download, streaming and referral sites are making money through piracy, estimated at between 52 and 71M€ per year in France.  According to the report, these sites are the real money makers of digital piracy.  Although the laws exist, suing these site owners is difficult.  The State should be proactive in this fight.

Section C-5: “The responsibility of hosting sites”.  Currently, European and French laws imply that a hosting site cannot be held responsible:

  • if it was not aware that the content was infringing;
  • if it promptly took down the infringing content once notified.

The civil or criminal liability of hosting providers cannot be engaged “if they did not actually have knowledge” of the unlawful nature of the stored content or “if, from the moment they had such knowledge, they acted promptly to remove the data or make access to it impossible”.

The report does not recommend modifying this status.  Nevertheless, it recommends facilitating good practices such as using fingerprints to detect illegal content (the French INA signature is highlighted).  The report recommends that the French State support a common initiative to set up an organization that would create a database of reference fingerprints and send takedown notifications to sites.

In Section C-6, the report recommends that search engines present legal offers in a more prominent position than counterfeiting offers.  Currently, in Europe, search engines have only light responsibilities in this field.

Section C-7 highlights the role of payment organizations and advertising agencies.  They indirectly facilitate and benefit from digital piracy.  The report calls on these intermediaries to be good citizens.  Google has already proven that it may accept to play this game.

Section C-8 tackles the issue of blocking sites and domain names.  Although possible under French regulation, the report recommends using them only as a last resort.


Conclusion:

  • Is HADOPI dead?  It seems that this time it is a serious blow against it.  It is only a report, not a set of decisions.  We know the French minister of culture is not HADOPI-friendly.  Thus the likelihood of its near death is high.
  • Is the French graduated response dead?  It will continue, in its current form or in a new one, regardless of its future hosting organization.

French Graduated Response: some figures

As I am currently reading in detail the 478-page report “Culture-acte 2” by Pierre Lescure, I found an interesting pointer: the data published by HADOPI concerning its activity related to the graduated response, at http://www.hadopi.fr/actualites/reponse-graduee/chiffres-cles.

Following is the evolution of the number of first notifications.

[Chart: number of first notifications over time]

Since the beginning of 2013, activity has been stable at around 80,000 first notifications.  Since the beginning of the graduated response, HADOPI has sent more than 1,700,000 such notifications.

Following is the evolution of the number of second notifications.

[Chart: number of second notifications over time]

Since last summer, the trend seems to be a growing number of second notifications.

I will come back to this report in a future post.  The recommendations are interesting.  I need to read the detailed chapters before reporting on them.

Game hacks and malware

AVG’s Insight April issue focuses on game hacks.  AVG is a Czech antivirus and security solution provider.  Unsurprisingly, it claims that 90% of game hacks are infected with malware.

Unfortunately, this assertion is not backed up by factual data; at least, AVG did not publish any.

AVG’s researchers analyzed scores of such hacks and cracks found through metasearch services such as FilesTube and FileCrop, and discovered that more than 90% of them contained some form of malware or malicious code.

To illustrate the issue, the document describes a real example using Diablo III.  They downloaded a hack that generates items and gold.  AVG antivirus immediately spotted a virus: ILCrypt.

Why should hackers attack gamers?  In the paper, AVG focuses on threats related to gaming: theft of accounts, theft of virtual items and gold.  For more details about these threats, see Blizzard and the hackers or Gold farming.  But malware could also just try to take control of the gamer’s computer.  The threats are real.

What should we think about this publication?  In my opinion, it is merely a piece of advertisement for installing antivirus packages.  There is no real published data, and the publication lacks consistency and also knowledge of the gaming world.  For instance, AVG totally misses the world of mods.  Mods are part of many games today.  Some mods are fantastic add-ons to renowned games.  Nevertheless, AVG’s concerns are valid.

Let’s recall their valid suggestions:

  • Have the latest security products installed.
  • Do not download cracks, hacks, trainers or unofficial patches.
  • Download patches only from the official game provider’s website.
  • Vary your login details.  Use different usernames and passwords for every game account, even for game forums.

Hadopi, VLC and BluRay

Following the French HADOPI’s public consultation, the institution has given its analysis of VideoLAN’s request.  VideoLAN is the “publisher” of the open source player VLC.  Its advice is extremely interesting as it sheds some light on the French official vision of handling DRM secrets and open source.

Before jumping to the final conclusion, it is worthwhile to detail some articles.

27. En outre, cette exception porte exclusivement sur des logiciels. Elle ne saurait ainsi concerner les parties non-logicielles des mesures techniques de protection considérées. En particulier, les secrets, au nombre desquels figurent les clés de chiffrement, ne constituent pas par eux-mêmes des instructions de commandes informatiques et ne peuvent être considérés comme des éléments de logiciel.

27. Besides, this exception concerns exclusively software.  It would not concern the non-software elements of the technical protection measures (TPM).  In particular, the secrets, among which are the encryption keys, are not software instructions and thus are not part of the software.  (approximate personal translation)

As keys are extremely important for TPMs, this is an interesting conclusion.

33. It follows from the foregoing that the VideoLAN association can rely neither on the “reverse engineering” exception nor on the “decompilation” exception provided for in article L. 122-6-1 of the intellectual property code in order to make available to users software that circumvents, without the authorization of the rights holders concerned, all of the technical measures protecting “Blu-Ray” discs.

Here, HADOPI decides that reverse engineering and decompilation are not covered by the exception authorized by the law.

34. It follows from the investigation that the VideoLAN association has not undertaken to request, from the holders of rights over the “AACS” and “BD+” technical protection measures, the information essential to the interoperability of those measures.  If, however, such a request were refused, it would be entitled to refer the matter to the High Authority under the dispute settlement procedure based on article L. 331-32 of the intellectual property code.

Article 34 states that, following the enquiry, VideoLAN has not asked the owners of the TPMs AACS and BD+ for the information needed for interoperability.  Were it denied this information after such a request, VideoLAN could file a dispute settlement procedure with HADOPI.

35. …
Under the case law of the Conseil Constitutionnel, the communication of this information could only take place in exchange for the payment of an appropriate fee.

Here, HADOPI states that receiving this information from AACS and BD+ would require paying a proper fee.  So much for free open source.

38. Dans le cadre d’une procédure de règlement des différends, l’association VideoLAN ne pourrait être contrainte de renoncer à la publication de son code source que si les titulaires de droit sur les mesures techniques AACS et BD+ étaient en mesure de démontrer que cette publication porterait gravement atteinte à la sécurité et à l’efficacité de cette mesure.

38. As part of the dispute settlement procedure, the VideoLAN association could be forced to abandon publication of its source code only if the owners of AACS and BD+ could demonstrate that this publication would gravely undermine the security and the effectiveness of this TPM.  (approximate personal translation)

In conclusion, HADOPI considers that VideoLAN cannot request the secrets of AACS and BD+ under the exceptions for reverse engineering and decompilation.  Nevertheless, VideoLAN could ask HADOPI to examine the case if VideoLAN had requested information from AACS and BD+ and they had not answered favorably.

Will VideoLAN ask AACS and BD+ for the information?  Your guess?  To be followed.

Resale of digital songs: the new Eldorado?

At least, until last week.  Last week, a US court decided that the first sale doctrine was only valid for physical goods and not for digital goods.  It was bad news for ReDigi.  It may also be bad news for Apple and Amazon.  Both companies recently filed patents for a marketplace of used digital songs.  Interestingly, their respective approaches are different.

Amazon filed on May 5, 2009, a patent entitled “Secondary market for digital objects”.  Claim 1 is extremely broad.  It is mainly the idea that the digital object to be sold is stored in a first personalized data store and, once the transfer is requested, is transferred to the new owner’s personalized data store, the initial instance then being deleted from the first data store.

This is rather basic.  It describes a kind of direct transfer.  The patent becomes more interesting with claim 2 and the following ones.  The piece of content has a counter of authorized transfers.  Once the threshold is reached, the digital object can no longer be exchanged or sold.

2. The system of claim 1, wherein the one or more business rules comprise a move limit business rule, and wherein authorizing transfer of the used digital object further comprises: initializing an object move counter to count a number of moves of the used digital object between personalized data stores; setting an object move threshold, the object move threshold defining a number of times the used digital object can be moved; applying the move limit business rule stored in memory to determine whether to authorize or deny the request for transfer of the used digital object, application of the move limit business rule comprising: querying the object move counter to determine a number of times the used digital object has been moved; comparing the object move counter to the object move threshold; denying the request for transfer of the used digital object as impermissible when the object move counter of the used digital object exceeds the object move threshold; and authorizing the request for transfer of the used digital object to the second personalized data store when the object move counter of the used digital object is within the object move threshold.
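To make the mechanism of claims 1 and 2 concrete, here is an added illustration (my own code, not Amazon’s, and not taken from the patent) of a secondary market with personalized data stores and a move-limit business rule. The store and object classes, the threshold value and the copy-then-delete ordering are my assumptions; the claim’s “exceeds” versus “within” wording leaves the exact boundary to the implementer, so this version treats the threshold as the maximum number of completed moves.

```python
from dataclasses import dataclass, field
from typing import Dict, List


class TransferDenied(Exception):
    """Raised when a business rule refuses the transfer (claim 2: 'impermissible')."""


@dataclass
class DigitalObject:
    object_id: str
    move_counter: int = 0    # claim 2: counts moves between personalized data stores
    move_threshold: int = 2  # claim 2: number of times the object can be moved (assumed value)


@dataclass
class PersonalizedDataStore:
    owner: str
    objects: Dict[str, DigitalObject] = field(default_factory=dict)


def move_limit_rule(obj: DigitalObject) -> None:
    """Claim 2 rule: query the counter, compare with the threshold, deny or authorize.

    Boundary chosen here (assumption): a move is permitted while the number of
    completed moves is strictly below the threshold.
    """
    if obj.move_counter >= obj.move_threshold:
        raise TransferDenied(
            f"{obj.object_id}: {obj.move_counter} moves already, threshold {obj.move_threshold}"
        )


def transfer(object_id: str, src: PersonalizedDataStore, dst: PersonalizedDataStore) -> int:
    """Claim 1 transfer: copy into the buyer's store, then delete the seller's instance.

    Returns the updated move counter. The copy is placed in the destination before
    the source entry is removed, so a failure in between leaves a recoverable
    duplicate rather than a lost object; the rule is checked before anything moves.
    """
    obj = src.objects.get(object_id)
    if obj is None:
        raise KeyError(f"{object_id} is not in {src.owner}'s store")
    move_limit_rule(obj)
    dst.objects[object_id] = obj
    del src.objects[object_id]
    obj.move_counter += 1
    return obj.move_counter


def count_instances(stores: List[PersonalizedDataStore], object_id: str) -> int:
    """Invariant check: a used digital object must exist in exactly one store."""
    return sum(1 for s in stores if object_id in s.objects)


if __name__ == "__main__":
    # Constructed sample: one song, threshold of two resales.
    alice, bob, carol = (PersonalizedDataStore(n) for n in ("alice", "bob", "carol"))
    alice.objects["song-1"] = DigitalObject("song-1", move_threshold=2)
    print(transfer("song-1", alice, bob))    # 1
    print(transfer("song-1", bob, carol))    # 2
    try:
        transfer("song-1", carol, alice)
    except TransferDenied as e:
        print("denied:", e)
    print(count_instances([alice, bob, carol], "song-1"))  # 1
```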

On June 22, 2012, Apple filed a patent entitled “Managing access to digital content items”.  Its approach is different.  Apple handles ownership data (a license?) and transfers the ownership data between users.  Interestingly, Apple introduces the notion of track usage data that will determine the remuneration of the user.

1. A method comprising: storing, at a particular entity, first ownership data that authorizes a user to access a digital content item; storing, in association with the digital content item, track usage data that indicates how much the user used or could have used the digital content item; receiving, at the particular entity, from a device operated by the user, relinquish request data that indicates that the user wishes to relinquish authorized access to the digital content item; in response to receiving the relinquish request data, the particular entity identifying one or more conditions associated with the digital content item; based on the one or more conditions and the track usage data, determining whether to provide remuneration to the user; in response to determining to provide remuneration to the user, storing second ownership data that revokes authorization of the user to access the digital content item; and based on the second ownership data, the particular entity preventing the user from further accessing the digital content item; wherein the method is performed by one or more computing devices.

Interestingly, both approaches introduce a notion of obsolescence or loss of value to partly mimic physical objects.  It artificially attempts to limit one of the fears of content owners.  As a digital object copy remains pristine, it could be indefinitely resold without loss of “quality”, thus undermining the primary market (and thus losing money for content owners).  Physical objects degrade with time.  With these tricks, digital objects would also “degrade” with time.

Will these approaches be more acceptable to a judge?  Will Apple and Amazon open such a marketplace?

Court rules against ReDigi

The resale locker ReDigi has been convicted of copyright infringement by the US District Court of New York in its case with Capitol Records.  ReDigi offers users the ability to sell digital audio tracks they no longer want, as if they were reselling a CD.  In January 2012, Capitol Records filed a suit against ReDigi.

On 30 March 2013, District Judge Richard Sullivan granted Capitol’s motion and denied ReDigi’s.  His memorandum and order is extremely interesting as it sheds some light on the rationale behind his decision.  He summarizes the question: can a digital music file, lawfully made and purchased, be resold by its owner?  The Court determines that it cannot.

The first issue was whether ReDigi violates Capitol Records’ reproduction rights.  According to the Court, the transfer of a music file to a new hard drive is equivalent to a physical copy.

Because the reproduction right is necessarily implicated when a copyrighted work is embodied in a new material object, and because digital music files must be embodied in a new material object following their transfer over the Internet, the Court determines that the embodiment of a digital music file on a new hard disk is a reproduction within the meaning of the Copyright Act.

According to the judge, any transfer from one computer to another computer or server is a reproduction, regardless of whether the initial copy has been erased and no longer exists.

The second issue was the applicability of fair use.  As the operation is related to a sale, according to the judge, it falls outside the scope of fair use.  Furthermore, this sale may be detrimental to the primary market.

In sum, ReDigi facilitates and profits from the sale of copyrighted commercial recordings, transferred in their entirety, with a likely detrimental impact on the primary market for these goods. Accordingly, the Court concludes that the fair use defense does not permit  ReDigi’s users to upload and download files to and from the Cloud Locker incident to sale.

The third issue was the first sale doctrine.  In a nutshell, if you have purchased a physical item, you can resell it.  ReDigi argues that it is applying the first sale doctrine.  The judge believes that first sale only applies to physical goods.

… the first sale defense is limited to material items, like records, that the copyright owner put into the stream of commerce. Here, ReDigi is not distributing such material items; rather, it is distributing  reproductions  of the copyrighted code embedded in new material objects, namely, the ReDigi server in Arizona and its users’ hard drives.

ReDigi complained that the law did not take into account technological changes and had become ambiguous.  The judge estimates that it is still not ambiguous.  That technical changes may render a law unsatisfactory to consumers is not an argument.  Furthermore, changing it is a legislative prerogative.

The judge decided that ReDigi directly infringed Capitol’s distribution and reproduction rights.  The judge decided that ReDigi was not liable for its users’ direct infringements.

Thus, some interesting outcomes to keep in mind:

  • Transferring a digital file of a copyrighted piece of content is a reproduction, even if the source copy has been deleted.  This may be extremely controversial: for instance, when buffering a file during progressive download, are you making a reproduction?  Do you have the reproduction rights?  I am sure that we will have additional debates on this topic.
  • The first sale doctrine is only valid for physical goods.  Will the US Congress propose an evolution to cover digital goods?

This is a serious blow against ReDigi but also against a potential new market for used “digital” songs.  We will wait for its reaction.  In the next post, I will examine the ideas of two big players who wanted to enter this arena: Apple and Amazon.