Amazon Cloud Player and Cloud Drive

Is the launch of Amazon Cloud Player one of those events that will change the world? Yesterday, Amazon launched two new services: Amazon Cloud Drive and Amazon Cloud Player.

Amazon Cloud Drive is a service that offers 5GB of free storage. For that, you just need an Amazon account. It is always interesting to read the Terms of Use.

Amazon has put in some safeguards to prevent (or at least to give Amazon a way to stop) any attempt to use it as a “Direct Download Site”. Thus, in clause 1:

You agree not to use the Service in any other way, including to store, transfer or distribute files of or on behalf of third parties, for any form of file sharing, to operate your own file storage service or to resell any part of the Service.

In clause 5.1:

You must ensure that you have all the necessary rights in Your Files that permit you to use the Service without infringing the rights of any copyright owners, violating any applicable laws or violating the terms of any license or agreement to which you are bound. You must ensure that Your Files are free from any malware, viruses, Trojan horses, spyware, worms, or other malicious or harmful code.

Not bad, the liability for malware. Speaking of liability, what is Amazon’s own liability? All is said in clause 5.3.

5.3.Security. We do not guarantee that Your Files will not be subject to misappropriation, loss or damage and we will not be liable if they are. You’re responsible for maintaining appropriate security, protection and backup of Your Files.

And of course, if you believe in Amazon’s altruism, read clause 6.4:

6.4.Information Provided The Service and the Software may provide Amazon with information relating to your use and performance of the Service and the Software, as well as information regarding the devices on which you download and use the Software and the Service. For example, this information may include the device type, mobile network connectivity, location of the device, information about when the Software is launched, individual session lengths for use of the Service, or occurrences of technical errors. Any information we receive is subject to the Amazon.com privacy notice located at www.amazon.com/privacy.

Amazon Cloud Player is more interesting. When you buy a song on the Amazon store, you’ll be able to upload it to your Cloud Drive. Using the Amazon Cloud Player software, you may listen to your library from any device that supports Amazon Cloud Player (it seems that it is only available for Windows and Android). Amazon is the second largest seller of digital music, behind Apple. Of course, you may also upload songs not purchased at Amazon and still listen to them, as long as they are not DRM-protected.

Thus, Amazon Cloud Player combined with Amazon Cloud Drive is an instance of a Digital Locker for music. It is not a Digital Rights Locker (DRL, such as UltraViolet or KeyChest) because there is no notion of associated usage rights. Furthermore, there is no notion of content protection.

Will it change something? Most probably yes. Apple and Google will react, most probably with a similar offer. Will the content owners like it? I am not sure. It may depend on the conditions that were negotiated for selling songs. In any case, I am sure that we will see many ripples around this launch.

PS: Amazon Cloud Player is only available to US customers. Amazon Cloud Drive has no such limitation.

Serious Captcha!!!

The Croatian Ruder Boskovic Institute offers the services of a quantum random bit generator. We have often insisted on the importance of high-quality randomness in secure protocols.

But this institute has also found an extremely “funny” way to limit access to its service to a small set of knowledgeable people: its captcha. A captcha is a set of techniques that attempt to distinguish humans trying to sign in from automated machines. It usually asks people to type in a set of characters whose readability has been degraded. The Institute has succeeded in discriminating between different categories of humans: it requires solving mathematical problems (and not simple arithmetic :) ). Definitely not a place to sign in after an exhausting day.

Have a look at the registration page and reload it for several challenges. :)

ICE strange logic

One of the roles of the US Immigration and Customs Enforcement (ICE) is to seize Internet domains that violate the law. ICE recently made the headlines with a mistake: it seized 84,000 sites for child pornography, whereas these sites were in no way concerned with this awful topic. OK, this type of action is out of the scope of this blog.

Recently, I revisited a site called torrent-finder. Torrent-finder is a site that aggregates torrent searches across many torrent sites. When reaching torrent-finder.com, I got this screen.

OK. The law won. But funnily, guess what happens when visiting torrent-finder.info? This domain has not been seized, whereas it is the same tool. Sometimes the decisions are not logical.

Predictably Irrational

“Predictably Irrational” by Dan Ariely is not a book about security (nor Sci-Fi). So why do I report on it?

“Predictably Irrational” highlights that many of our reactions are not rational. Everybody knows that this is true in extreme conditions. Dan Ariely demonstrates that it is also true in our daily reactions. To prove it, he describes some of the many experiments that he ran.

Law 6, “You’re the weakest link”, reminds us that human behaviour is key to security. This book helps to better understand human behaviour. For instance, a full chapter is about honesty. Great to read. This book is a tool to better understand some of the tricks used by social engineers.

This is related to Bruce Schneier’s latest pet subject, societal security.

A book to read.

SF: Timeline

Timeline is a book by Michael Crichton. Michael Crichton is the author of the bestseller “Jurassic Park”. In Jurassic Park, time and science were already key elements of the novel. Scientists brought dinosaurs back from the past.

In “Timeline”, science and time are once more key elements. Scientists have found a way to travel to the past. Scholars are sent on a thrilling adventure in the French Middle Ages. The book gives a realistic vision of this period.

Like “Jurassic Park”, it is written like a movie, with the same kind of rhythm and cuts. A good book, which I read in one sitting.

I am not sure that there is an available French translation.

Stealing cars without difficulty

In the trend of always being more user-friendly, car manufacturers have introduced a new breed of keys: Passive Keyless Entry and Start (PKES) systems. The idea is that the car detects the right key and acts accordingly. For instance, if your key is within a range of 2 m, it will allow you to open the door with the handle; if you are inside the car, it will allow you to start the engine. And that, of course, with the key in your pocket: you don’t have to push any button. Awfully convenient.

Unfortunately, three researchers from ETH Zürich, Aurélien Francillon, Boris Danev and Srdjan Capkun, have demonstrated a simple attack: a classical relay attack. In PKES, the car initiates the challenge. They take a first antenna that captures the emission of the car (as the antenna of the key would do) and relay it to a second antenna close to the key (8-10 m). The second antenna acts as the car antenna would. And this is independent of any logical protocol. The two antennas are linked by a cable, or by RF transmission for longer range. Thus, if you know where the owner of the car is, and can come reasonably near this owner, you may capture the signal of the key, and thus your accomplice can steal the car. They successfully experimented on real cars.

The recommended countermeasure is to deactivate the key with a switch. This is the worst kind of countermeasure. You may be sure that people will forget to deactivate the key when leaving their car, or they will forget that they had deactivated the system and will struggle. In any case, adding a button would annihilate the perceived benefit of this system: being button-less. And here is the problem. Unlocking is done without any conscious action of the user.

They propose another countermeasure that is far more complex to implement because it requires accurately measuring the round-trip time in order to detect the presence of the relay. And we know how difficult that is (we struggled with it for local control of content in DVB-CPCM).
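As an added illustration, not code from the original post nor from the ETH Zürich researchers, here is a Python simulation of the round-trip-time countermeasure: the car times a challenge/response exchange and refuses to unlock when the distance implied by that time exceeds the 2 m range, so the delay a relay adds on the path is what gives it away. The key processing time, the timer tolerance, the cable velocity factor and the relay electronics latency are assumed values.

```python
# Constructed simulation of a car-side distance-bounding check for PKES.
# Assumed constants: key reply latency, timer tolerance, relay delays.
C_M_PER_NS = 0.299_792_458        # speed of light in free space, m/ns
KEY_PROCESSING_NS = 100.0         # assumed fixed reply latency of a genuine key
TIMER_TOLERANCE_NS = 2.0          # assumed measurement jitter of the car's timer
MAX_UNLOCK_RANGE_M = 2.0          # post: the door unlocks when the key is within 2 m


def round_trip_ns(distance_m: float, extra_delay_ns: float = 0.0) -> float:
    """Measured round-trip time: propagation out and back at light speed,
    the key's processing time, and any delay inserted on the path."""
    return 2.0 * distance_m / C_M_PER_NS + KEY_PROCESSING_NS + extra_delay_ns


def implied_distance_m(rtt_ns: float) -> float:
    """Upper bound on the key's distance. Processing time is subtracted
    because a genuine key cannot answer faster than its hardware allows."""
    return max(0.0, (rtt_ns - KEY_PROCESSING_NS) * C_M_PER_NS / 2.0)


def accept_unlock(rtt_ns: float) -> bool:
    """Car-side decision: unlock only if the key is provably within range."""
    slack_m = TIMER_TOLERANCE_NS * C_M_PER_NS / 2.0
    return implied_distance_m(rtt_ns) <= MAX_UNLOCK_RANGE_M + slack_m


def relay_extra_delay_ns(cable_m: float, electronics_ns: float) -> float:
    """Delay a relay adds beyond free-space propagation: the cable between
    the two antennas (assumed velocity factor 0.66) plus the amplifier and
    converter latency, each counted for both directions of the exchange."""
    cable_ns = 2.0 * cable_m / (0.66 * C_M_PER_NS)
    return cable_ns + 2.0 * electronics_ns


def simulate() -> dict:
    """Three constructed cases: key in the owner's pocket next to the car,
    key too far away, and the relay setup from the post (one antenna near
    the car, one a few metres from the key, a cable in between)."""
    honest = round_trip_ns(1.5)
    far = round_trip_ns(8.0)
    # Relay: 1 m car-to-antenna, 5 m antenna-to-key, 50 m cable, and an
    # assumed 300 ns of electronics latency per direction.
    relay = round_trip_ns(1.0 + 5.0, relay_extra_delay_ns(50.0, 300.0))
    return {
        "honest_unlocks": accept_unlock(honest),
        "far_unlocks": accept_unlock(far),
        "relayed_unlocks": accept_unlock(relay),
    }
```

Calling simulate() returns True only for the honest case; the relayed exchange implies a key well over a hundred metres away, even though both antennas are physically close to the car and the key.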

The problem is that the action is performed without the consent of the user, assuming that his presence means access is granted. But the car cannot be sure of the actual physical presence.

Ten ways the IT department enables cybercrime

This is the provocative title of the latest Kaspersky Lab white paper. This document lists some of the usual mistakes encountered in today’s protection. It mainly focuses on the adaptation made mandatory by mobile devices. The paper is not groundbreaking. Nevertheless, it makes some true statements, such as:

  • Enabler #1: Assuming the data is in the data center.
    Of course, today data is redundantly stored on laptops and even smartphones. They need protection.
  • Enabler #3: Treating laptops and mobile devices as company assets that are never used for personal use…
    Awfully true.
  • Enabler #5: Adoption of social media without protection.
    Social media and Web 2.0 are here to stay. Furthermore, they are becoming part of the business tools. They create a new kind of risk.
  • Enabler #10: Assuming everything is OK.
    Remember our Law 1: Attackers will always find their way.

As usual in this type of document, the first items are extremely relevant, whereas the last ones are less so. It is always difficult to end up with 10 valid items. Nevertheless, 10 is the golden number in communication.

As a good citizen, I put the link to Kaspersky Lab. You’ll need to register to download the white paper. Nevertheless, you may easily find PDF versions on the Net without having to register :)