INA versus YouTube

A French court ordered YouTube to pay INA 150,000€ because YouTube had not put in place any filtering system that would deter the posting of INA copyrighted content. INA is the French National Institute of Audiovisual. Its mission is to archive all broadcast content from French TV and radio stations.

Interestingly, INA hopes that YouTube will install an efficient fingerprint system to detect INA’s content. INA has developed its own fingerprinting technology: Signature. YouTube uses its own fingerprint technology: ContentID.

Thanks to OC for the pointer.

Google acquired Widevine

Last Friday, Google acquired Widevine for an undisclosed sum. Widevine is one of the many DRM technology vendors. Widevine was the first company to coin the concept of the Virtual Smart Card, which was in fact just software relying on tamper resistance.

Clearly, Google is moving toward delivering copyrighted content. Several security-related clues point that way:

  • Google announced an initiative for faster action on copyright infringement on YouTube.
  • Yesterday, Google relaxed the 15-minute limit on clips uploaded to YouTube. This limit was meant to satisfy content owners: it was expected that having to upload a movie in slices would be a deterrent. Google announced that their proprietary fingerprinting tool, Content ID, was getting better and better, so they were confident of spotting illegal content at upload time.
  • Widevine provides Google with a DRM technology, approved by the studios, for the delivery of movies. Furthermore, Widevine is one of the DRM technologies approved by UltraViolet (aka DECE). The other approved DRMs are Adobe Flash Access, Marlin, Microsoft PlayReady, and OMA.
    It was wiser to purchase an approved technology rather than build their own, because it already had the studios’ blessing.

All these hints show that Google is trying to be nice to content owners. The next NetFlix?

Google looks for a better balance with copyright

Yesterday, Google announced an initiative: “Making Copyright Work Better Online”. Google announced that in the coming months:

  • They expect to reduce the average response time to legitimate takedown notices to less than 24 hours.
  • In order to balance the two sides of the equation, Google will enhance the “counter notice” procedure that allows users to contest a takedown notice. Google gives no details on the planned enhancements. The “counter notice” procedure of the DMCA safe harbor is rather complex.
  • The autocomplete feature should ban any suggestion that would favor piracy. Try the following experiment: type HARR in the Google search bar. The 8th suggestion I got was “Harry Potter 6 streaming”. Of course, it pointed to MegaUpload. That should not happen anymore.
  • Copyright violators will be banned from AdSense.

It will be interesting to monitor this initiative in the coming months.

Windows Phone 7 jailbroken

On November 25, Rafael Rivera, Chris Walsh and Long Zheng published an application, ChevronWP7, that unlocked Windows Phone 7. The objective was to be able to install homebrew applications on this platform. The news spread around the world very quickly.

Today, they removed ChevronWP7 from distribution. According to their blog,

Earlier today, we were contacted by Brandon Watson, Director of Developer Experience for Windows Phone 7, to discuss the ChevronWP7 unlocking tool.

Through this discussion, we established a mutual understanding of our intent to enable homebrew opportunities and to open the Windows Phone 7 platform for broader access to developers and users.

To pursue these goals with Microsoft’s support, Brandon Watson has agreed to engage in further discussions with us about officially facilitating homebrew development on WP7. To fast-track discussions, we are discontinuing the unlocking tool effective immediately.

It is the second time that Microsoft has been hit shortly after launching a product: at the beginning of the month it was the Kinect, now WP7. Microsoft’s reaction is interesting. They opened a discussion before threatening with the DMCA (I am not sure that this type of unlocking would fall under the recently granted jailbreaking exception. Any lawyer willing to give an opinion?)

One more exploit on the already long list of unlocked devices! We have a tough job!

Security Newsletter #17 is out

It is available here.
In this issue, you will find an interview with Ari Takanen. He is the CTO of Codenomicon, a company specialized in fuzzing-based testing. A good insight into fuzzing.

This issue is more network oriented, with the analysis of some XSS vulnerabilities, a new TCP connection method that brings its own vulnerabilities, and of course Hole196, the latest weakness in WPA2.

I hope you’ll enjoy it and don’t hesitate to comment.

Open API to Kinect

It did not take long for the hacking/hobbyist community to reverse engineer the interface to Microsoft’s Kinect. The Kinect is the new Xbox gizmo that uses the body as an input device.

Adafruit, a US company, offered a $3,000 bounty to the first developer who would provide a library to connect to the Kinect. Hector Martin is the winner. His library gives access to the RGB data from the camera together with the depth map.

The first person who reported being able to connect to the Kinect was alexP from NUI. Nevertheless, he did not publish his drivers. He works with the open source group Natural User Interface (NUI). On the contrary, Hector Martin published his as open source under the name LibFreenect. Meanwhile, Theo Watson has adapted this library to work on Mac OS X.

The initial reaction of Microsoft to Adafruit’s challenge was to threaten legal action in case of hacking.

With Kinect, Microsoft built in numerous hardware and software safeguards designed to reduce the chances of product tampering. Microsoft will continue to make advances in these types of safeguards and work closely with law enforcement and product safety groups to keep Kinect tamper-resistant.

Microsoft has softened its position. It does not claim that this library is a hack (which, stricto sensu, may be true).

Kinect for Xbox 360 has not been hacked–in any way–as the software and hardware that are part of Kinect for Xbox 360 have not been modified. What has happened is someone has created drivers that allow other devices to interface with the Kinect for Xbox 360. The creation of these drivers, and the use of Kinect for Xbox 360 with other devices, is unsupported. We strongly encourage customers to use Kinect for Xbox 360 with their Xbox 360 to get the best experience possible.

The position of Microsoft is very smart. In no way does this library harm Microsoft’s business. Soon, hobbyists will use the Kinect and most probably create applications that extend far beyond gaming. They may even come up with some ideas that Microsoft’s engineers will be able to exploit. This may even be good advertisement for the Kinect.

It is reminiscent of the use of Sony’s PS3 in fields unrelated to games. See Security Newsletter #9.

Another winner is Adafruit: for $5,000, they made headlines worldwide, and in the role of the good guys! That is cheap. :)

Les nouveaux pirates de l’entreprise

Bertrand Monnet and Philippe Véry published a book entitled “Les nouveaux pirates de l’entreprise: Mafias et terrorisme”, i.e. “The new pirates of the enterprise: Mafias and terrorism”.

They clearly highlight the new risks that a company may face from organized crime and terrorist organizations. Organized crime is like an enterprise: it seeks to maximize its revenue. The difference is that it does not care about regulation or ethics. Thus, it competes with legitimate business (parasitism, extortion, counterfeiting, direct investment…). Terrorist organizations look for means to finance their activities; the enterprise and its employees are attractive targets. Many conclusions are similar to those of the RAND report “Film Piracy, Organized Crime, and Terrorism”.

The bibliography is frustrating because it is not very precise. Of course, in this field, not much public data is available.

The authors’ conclusion is that everybody in the enterprise should be concerned about these risks. In my opinion, the most important recommendation is that the Chief Security Officer (CSO) should be both security aware and BUSINESS aware. To cope with this type of risk, many decisions may have deep business implications.

As you may have guessed, the book is in French. For French readers, a point of vocabulary 🙂
I discovered that for years I had been confusing sécurité and sûreté. Sûreté applies to protection against malicious actions. Was I the only one making this mistake?