A cloud over ownership

Posted on by
Reply

This is the title of an excellent article of Simson Garfinkel in Technology Review.  He explores the consequences of the switch from physical cultural goods to digital cultural goods stored in the cloud.  It is nothing really new but it has the advantage to be clearly stated.

The first point is about privacy.  When you purchased a physical book or a CD, the merchant has no way to profile you.  Of course, if you purchase it on  a digital store such as Amazon, the merchant will be able to profile some of your preferences.  but with a digital good stored in the cloud, the merchant will be able also to analyze how you consume this digital good.  And this is even more interesting.  he will know what is you prefered book among the ones you purchased.  For the same result with a physical book, you need to look for the more worned book in my library.

The second point is really about persistence.  When I purchase a book, it is mine until I destroy it, or give it away.  With a e-book in the cloud, it is mine as long as the cloud operator accepts (or survives).  This si a massive difference.  I am not sure that the legislation has taken into account this shift.   I do not even tackle the issue of DRM that may shape the ways I can consume the digital good.

Thus, the notion of ownership of a digital cultural good is changing.  As the good itself, the ownership seems to become more ethereal.  Is it good or bad?  I don’t know.  It is most probably useless to look for the answer, I’m afraid it is an unavoidable shift.  We will have to adapt for the best and the worst.

 

 

Lessons from RSA hack

Posted on by
1

It is now six months since RSA suffered from the hack that compromised secureID.  RSA had a positive attitude regarding the hack by providing some details and good visibility.  Thus, we can learn many things about it.

We know now how RSA was penetrated.  It was through a targeted email using an excel file.  The excel file had an embedded flash object inside.   The object, using a zero-day vulnerability, installed Poison Ivy Backdoor.  For more details see F-secure’s analysis.  The attacker used the backdoor to get access to the sensitive data to break SecureID.  The mail was addressed to four members of RSA, thus a targeted attack.  Once SecureID compromised, the attackers could access Lockeed Martin.

This is the first publicly known instance of Advanced Persistent Threat (APT).   This corresponds to extremely targeted attack that works stealthily, slowly in order not to be detected, and performed by extremely skilled attackers.  It was currently reserved to warfare.   As the final target was Loockhed Martin, we may believe that it as a high-profile attack.  They used a zero-day exploit which passed under the radar of any anti-virus scanner.

RSA and Kapersky Labs presented an interesting analysis of the attack.

What can we conclude:

  • The perimetric defense is not anymore sufficient, at least in a professional environment.  Skilled hackers will try to attack from inside.  We need new tools to detect suspect behaviour within the enterprise network.  For instance, an alert should be triggered when a device communicates with “exotic” IP addresses.  Unfortunately, they will be more complex to administrate and probably need more manual monitoring. :Weary:
  • Targeted attacks will be more and more used against industrial targets.  Security awareness will become key.  People must also be aware of business intelligence.  It is a reality that is too often downplayed by people.
  • I will rant against all these software that are used for other purposes than the initial ones.  How often did I see Excel used for other things than calculating!  For instance, to display tables of text.   As a result, software editors add new features.  Why should we have to add flash object in calculus?  In security, KISS (Keep It Simple & Stupid) is a golden rule.  The more features, the more potential  vulnerabilities.

 

 

 

 

SF: Unseen Academicals

Posted on by
Reply

You may know my “addiction” to Pratchett’s disc world.  Thus, you may be not be surprised by this post.

Unseen academicals is the latest opus (June 2010).  Once more, it is a great book.  As usually, we find the usual members of Ankh Morpok.  In this book, the focus is on the UU (Unseen University).  You will discover that Ponder Gibbons is taking an increasing position within the University.

Terry Pratchett adds new interesting characters (and even a species that was missing (or lost)).  I am sure that we will see them again in next books.

You know my passion for  Lord Vetinari.  In this book, you will discover that he may even sometimes have some human feelings :Wink:

Read it!!  If don’t think that the book is available in French.

To pay, show me your credit card

Posted on by
Reply

The company Jumio proposes a new system to pay on line: netSwipe.   It uses the usual credit card for payment.  Rather than entering your credit card number, your name, and the expiration date, the netSwipe applet asks to present your credit card to the webcam.  The system is supposed to extract the data by visually scanning the image.  The process is remotely done.  The applet should securely stream the output of the webcam to the remote server.

You still have to dial in the CV2, i.e. the 3 digits at the back of the card, or the 4 digits in the case of AMEX).

Impact for the merchant:

  • The fee is 2.75% of the transaction.
  • The usual PCI-DSS security requirements

Note: Security Requirements

Using Netswipe Scanning or Netswipe Recycle Swipe to capture credit card data means that you will be capturing, transmitting and possibly storing card data. The Card Schemes, Visa and MasterCard, have never permitted the storage of sensitive data (track data and/or CVV2) post-authorization, and it is prohibited under ‘Requirement 3′ of the Payment Card Industry Data Security Standard (PCI DSS). Merchants who store Sensitive Authentication Data (SAD) are being fined by the Card Schemes.

Consequently, if you use Netswipe Scanning or Netswipe Recycle Swipe you will need to demonstrate that your system can handle this data securely and that you are taking full responsibility for your PCI DSS compliance. One part of this is the need for us to see a clean Vulnerability scan being made on your systems.

There are two interesting questions:

  1. Is it more user-friendly than the current method?  If the recognition is accurate, probably yes.
  2. Is it more secure than the current method?  Depending on what the scanning method actually detects, it may increase the security.  Imagine that the system does not only extract the three semantic data but would also validate the hologram, and  check whether the graphical layout of the credit card is the one expected for this customer (and that it is also a plastic card).   Then, the system would near an approximation of proving the presence of the actual card.   I was not able to find the corresponding patent.
    Nevertheless, at the end the “ultimate” defense is the CV2.
    As a conclusion, provided that the streaming is secure, which may be tested, then it is probably not less secure than usual manual acquisition.

YouTube and US music publishers reach an agreement

Posted on by
Reply

In 2007, the US music publishers, together with other content owners, launched a class action against YouTube.  At the same period, Viacom launched its suit against Google.  The two cases were concurrently treated with obviously some interferences.  The case with Viacom is not yet settled, although the last round benefited to YouTube.  In August 2011, YouTube and the US music publishers (at least the ones affiliated to the National Music Publishers Association (NMPA)) reached an agreement.

Some details on the settlement are available on YouTube’s blog: “Creating new opportunities for publishers and songwriters“.  YouTube will share some part of the advertising revenues when the content uses one of the registered songs.  YouTube’s content identification technology (ContentID) should detect any occurrence of a song.  No financial details are publicly available.

This is another step of Google, YouTube’s parent company, towards the normalization of its relationship with content owners.  YouTube may become one major legal distribution platform in the future…  Will the free model win?  Or will we see a YouTube++ with paid content?  Your guess?

 

 

Android Movie Rental and rooted devices

Posted on by
Reply

In May 2011, Google launched its new service of Video rental market for Android phones.  Soon, people discovered that the service was not available for rooted devicesRooting an Android device means giving yourself root permissions on the device.  In other words having FULL control of your phone.  This is not often the case with phones provided by operators.  Rooting is  equivalent to jailbreaking a device.  As Android is an open source system, very attractive to homebrew lovers, it is often the first thing they do to be able to create new apps.

The video app checks if the device is rooted and then refuses to play the content.  Why does Google do such a limitation?   The Video Rental Market uses a DRM to enforce the rental conditions.  One of the strong assumptions of software based DRM is that it runs in a rather trusted environment.  It is obvious that a rooted device does not fit with the definition of a trusted environment.  For instance, the app has no way to be sure that its system calls are not hijacked, or even if the system calls will act as expected.  Thus, it was obvious that Google had to take this measure.

Nevertheless, this limitation does upset the users who believe that open source means full control of their device.  Unfortunately, Open source and DRM are antagonist concepts.

As we could expect, the cat and mouse race has started.  It seems that a patched version of the app is available.  This version may not check the rooted device and accept to play the movie.  The movie is still protected by the DRM and you need a proper license to access your rented movie.

 

 

An iPhone that may refuse to record illegal content?

Posted on by
Reply

Apple filed in 2009 an interesting patent called “Systems and methods for receiving infrared data with a camera designed to detect images based on visible light.”  In a nutshell, the camera captures a picture or a video, attempts to detect the presence of an infrared signal.  If present the camera decodes the payloads and acts correspondingly.  This is what claim 1 protects.

Claim 1. A method for using a camera, comprising: using the camera to detect an image based on at least visible light; determining whether the image includes an infrared signal with encoded data; in response to determining that the image includes an infrared signal with encoded data, routing at least a portion of the image to circuitry operative to decode the encoded data in the infrared signal; and in response to determining that the image does not include an infrared signal with encoded data, routing the image to a display operative to display the image.

The obvious application is to block the capture, or decrease the quality, in presence of such signal.  For instance, a movie theater (or a classified facility) could beam such infra-red signal.  The compliant camera/phone would then block the capture.    The claims 4-7 clearly highlight this feature.

4. The method of claim 1, further comprising: decoding the encoded data in the infrared signal; and modifying a device operation based at least on the decoded data.

5. The method of claim 4, wherein modifying a device operation comprises applying a watermark to a detected image.

6. The method of claim 4, wherein modifying a device operation comprises disabling a device function.

7. The method of claim 6, wherein the device function is a record function.

 

Another usage, which is not related to content protection, is that the payload is analysed by an application that may display specific information on the screen.  The typical example would be a museum which would provide an application.  Each room or specific item would beam a code, the application would use this code to ask a server contextual information to display.  Obviously, if you would combine captured video + contextual display, you have an augmented reality device :Happy:

8. The method of claim 1, further comprising: decoding the encoded data in the infrared signal; displaying information on the display based at least on the decoded data.

Potential applications are numerous as described in subsequent claims.

Is this the solution against camcorders in theaters?  I don’t think so.  According to me, there are at least two issues:

  • It requires the camera to be equipped with the system.  Unless all manufacturers of cameras would adopt it, which is highly unlikely, there will be models without this system.  Pirates will use these ones.
  • Infra-red can be filtered by correctly tuned IR filters.  Soon the pirates would find the frequency of IR, and use the corresponding filter.  This is why IR jamming in theater did not work.  Some companies tried to blast IR beams towards the audience to blind cameras.  It was not a success.

The patent is available at http://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PG01&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.html&r=1&f=G&l=50&s1=”20110128384″.PGNR.&OS=DN/20110128384&RS=DN/20110128384