Ten security concerns on cloud

Posted on May 12, 2011 by wunderbarb

Cloud computing becomes the hot buzz topic. We will all migrate to cloud computing, sooner or later. Although it is extremely attractive from the financial point of view, it raises extremely serious concerns about security.

Global knowledge has issues a white paper that provides a kind of check list for selecting your provider, or to decide if it is wise to switch to the cloud.

Where’s the data?
Who has access?
What are your regulatory requirements?
Do you have the right to audit?
What type of training does the provider offer their employees?
What type of data classification system does the provider use?
What are the service level agreement (SLA) terms?
What is the long-term viability of the provider?
What happens if there is a security breach?
What is the disaster recovery/business continuity plan (DR/BCP)?

By the way, many of these questions are equally valid with an internal/outsourced IT traditional service. For instance, 1 or 2. have you asked yourself these questions for your current system. What is the answer for 5 in your company?

The document is here.

Glider versus WoW

Posted on April 21, 2011 by wunderbarb

Many years ago, company MDY issued the Glider Bot for World of Warcraft (WoW). The Glider Bot allowed to automatically do mandatory routine tasks in the (which are not thrilling but simulate “real” life). Using the bot allowed you to accelerate your progression by earning experience without in fact being in front of your screen. An alternative is gold farming, i.e., you pay somebody to take care of your character while you’re not playing, thus also gaining experience.

As you may guess, Blizzard, the editor of WoW, does not like the bots. It has even installed a tool, called warden, that attempts to detect such bots. Glider passes under the radar of the warden.

Thus, Blizzard sued MDY for copyright infringement because it violated the EULA (End user License Agreement). In February, the Ninth Court of appeals ruled that MDY did not infringe copyright (under some complex difference between covenant and condition, for more legal details see the blog “Lawyers in a Gamer’s World”).

But the court ruled that indeed MDY infringed DMCA’s circumvention of technical prevention measure (the other TPM) although it did not bypass it!

As usual, copyright and DMCA issues are awfully complex.

PS3 jailbroken v(3)

Posted on April 20, 2011 by wunderbarb

As I reported, the hacker George Hotz, aka GeoHot, was sued by Sony under DMCA for having leaked the private signing key of PS3.

Sony and GeoHot have settled down an agreement. Under this agreement, GeoHot will never again hack any Sony product. See the official press release by Sony.

Interestingly, during this fight in March, Sony succeeded to get a subpoena that allowed them to have access to every IP address that visited GeoHot’s blog since January 2009.

Anonymity Loves Company

Posted on April 13, 2011 by wunderbarb

It is the title of an interesting paper by Roger Dingledine and Nick Mathewson. They are members of the Free Haven project. This project studies topics such us onion routing (technology used by TOR), or Mixminion an anonymous email network.

The paper presents two challenges: usability and network effect.

Usability is a typical challenge of security solutions. The authors show that often privacy setting requires technological skills that are opposed to ease of use for everybody. The easy solution is often to delegate security decision to the user, who is not necessarily the best person to decide. This reminds me the security model of Android, where you have to decide (too) many parameters.
Network effect; efficient anonymity requires to have a lot of traffic to hide within. This rises the problem of bootstrapping. And here is a nice tradeoff. If your system is extremely secure, it will most probably be difficult to use, thus attract fewer people, thus reducing the strength of anonymity. On the other hand, if the system is easy to use, thus less secure, it may attract more users, thus strengthening anonymity.
For instance, in the design of Mixminion, they had to answer the following tradeoff:

Since fewer users mean less anonymity, we must
ask whether users would be better off in a larger network where their messages
are likelier to be distinguishable based on email client, or in a smaller network
where everyone’s email formats look the same.

The three described use cases, Mixminion, TOR, and JAP, are excellent illustrations of the issues. An excellent paper.

Citation: N. Mathewson and R. Dingledine, “Anonymity Loves Company: Usability and the Network Effect,” Proceedings of the Fifth Workshop on the Economics of Information Security WEIS 2006, pp. 547-559.

SF: Neuromancer

Posted on April 10, 2011 by wunderbarb

Back to the past, sometimes it is nice to read again “oldies but goldies”. I read back Gibson’s Neuromancer (En français, Neuromancien). This book is considered as the genesis of the cyberpunk culture. There are all the components cyber space, drugs, and hackers.
The book was written in 1984. When reading the book, you have to remember how the computer world was in 1984. At that time, I was toying with Sinclair’s ZX81 and HP100. Only two years later did I get my first Apple II. Microsoft had not yet generated Windows 3, the first PC was yet available… Gibson already puts in place all the components of the future cyberspace. At that time, Artificial Intelligence (AI) was a promising field.

I first read it around 1988 in French. I was not yet aware that I will later work in computer security. But I already loved the book. When I have read back the book, I discovered that Gibson called microsoft the electronics implants that contains information. Microsoft company was not yet here! Thus, this name was not a tribute to Gates. I don’t remember what is the French term. Can a French reader tell me the answer?

I think that Neuromancer, together with Stephenson’s Snow Crash, are the roots of the matrix trilogy and of our cyber culture.

A must read for all SF fans.

Alea Jacta Est

Posted on April 4, 2011 by wunderbarb

The die has been cast. I did not go across Rubicon. Nevertheless, this Sunday, I finalized one achievement: my first book. After more than two years of work, I have sent the final version of the manuscript to Springer.

The title is Securing Digital Video: Techniques for DRM and Content Protection. I give a detailed overview of the current landscape of content protection. If you’re interested to know how PlayReady, Fair Play, AACS, DTCP, or DVB-CPCM works, this book may be of interest. I consistently describe many systems. The book highlights the similarity of all these systems.

I will describe its content more in details later.

The book should be available this summer.

A Taxonomy of Social Networking Data

Posted on March 31, 2011 by wunderbarb

In July 2010’s issue of IEEE Security & Privacy, Bruce Schneier in a one-page paper presented his taxonomy. It is extremely interesting. My comments are in italics.

1. Service data is the data used to manage the service such as your name.
You have control on the creation, although you may be obliged to give sometimes real data.
2. Disclosed data is what you post on your own pages.
You normally have full control on it.
3. Entrusted data is what you post on other people’s pages.
You have control on the creation, but lose control on its life.
4. Incidental data is what other people post about you.
You do not have control on the creation, nor on its life. Of course, your entrusted data are incidental data for other people.
5. Behavioral data is data the site collects about your habits by recording what you do and who you do it with.
This is the “raison d’être” of many social networks. Never forget that there is no free lunch. Most of the business models are based on “selling/using” your profile. You have no control, excepted that you may try to control your behavior.
6. Derived data is data about you that is derived from all the other data.
This is where the social networks are polishing your profile and thus increasing its value. The more they know you, the more valuable ads/personalized services they will be able to offer. You have definitively no control.

Category 5 and 6 are the most interesting ones from the privacy point of view. How can you control what the social network provider will infer from your activity on the social network.

The reference of the paper is
B. Schneier, “A Taxonomy of Social Networking Data,” IEEE Security and Privacy, vol. 8, 2010, p. 88.

The blog of content protection

A site managed by Eric Diehl