Amazon’s PayPhrase

In November 2009, Amazon launched a new payment method called PayPhrase. The idea is simple: you associate with your profile a passphrase, i.e. a sentence of at least two words (more than four characters), and a 4-digit PIN. The PayPhrase is linked to a shipping address and a payment method. If you want another shipping address, you use a second PayPhrase.

Amazon offers this service to other sites. Those sites validate the information through Amazon but never get access to your personal data or to your credit card data. The basic assumption is that you trust Amazon to do a clean job of securing your personal data (which seems a reasonable assumption).

Of course, Amazon expects to become a competitor to established payment methods such as PayPal.

Is it serious? Well, I have spotted one funny issue. How do I define a PayPhrase?

Create an original PayPhrase yourself, or choose one of our suggestions. Once you have claimed a particular PayPhrase, it can’t be claimed by anyone else.

The uniqueness of the PayPhrase shows that the idea is to replace your identity with the PayPhrase (it is the identifier) and to authenticate with the PIN (it is the only secret). This means two things:

  • Latecomers may have trouble setting up an easy-to-remember PayPhrase, because the most trivial ones will already be taken.
  • People will use the most trivial ones.

And this last one is the fun part of the game. Since a PayPhrase must be unique, the claim process tells you whether a phrase is already taken: it is an existence oracle. Try a trivial PayPhrase and check whether it is active. Then you may mount a DoS against that person by submitting many wrong PINs until the PayPhrase is blacklisted. A 4-digit PIN only has 10,000 values, so every wrong guess you are allowed before the lockout is also a small chance of getting in.
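A toy model of the two-step attack sketched above, written for this page (it is not Amazon's code and does not describe Amazon's real lockout policy). A `PayPhraseService` keys its lockout on the public, unique identifier, so anyone who learns that a phrase exists can blacklist it; a `ThrottledService` keys throttling on the guessing source instead and gives the same answer for "unknown phrase" and "wrong PIN", so the owner is never punished for someone else's guesses. The lockout threshold of five wrong PINs, the list of common phrases, the victim account and its PIN are assumptions constructed for the example.

```python
"""Toy model of the PayPhrase design: unique phrase = identifier, 4-digit PIN = secret.

Constructed example, not Amazon's code. Threshold, phrases and accounts are assumptions.
"""
import hashlib
import hmac

PIN_SPACE = 10_000          # a 4-digit PIN has exactly 10^4 values
LOCKOUT_THRESHOLD = 5       # assumption: blacklisted after 5 wrong PINs
COMMON_PHRASES = ["trust no one", "open sesame", "show me the money"]  # constructed


def _hash_pin(phrase: str, pin: str) -> bytes:
    # Salted with the phrase so two users with the same PIN do not share a hash.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), phrase.encode(), 10_000)


class PayPhraseService:
    """Naive design: the lockout counter is keyed on the public identifier."""

    def __init__(self, threshold: int = LOCKOUT_THRESHOLD):
        self.threshold = threshold
        self._accounts = {}  # normalised phrase -> {pin_hash, fails, locked}

    def claim(self, phrase: str, pin: str) -> bool:
        """Register a phrase; refused if somebody already owns it (uniqueness)."""
        key = phrase.strip().lower()
        if key in self._accounts:
            return False
        self._accounts[key] = {"pin_hash": _hash_pin(key, pin), "fails": 0, "locked": False}
        return True

    def is_claimed(self, phrase: str) -> bool:
        """The existence oracle: the claim flow answers this for any caller."""
        return phrase.strip().lower() in self._accounts

    def authenticate(self, phrase: str, pin: str) -> str:
        key = phrase.strip().lower()
        acct = self._accounts.get(key)
        if acct is None:
            return "unknown"
        if acct["locked"]:
            return "locked"
        if hmac.compare_digest(acct["pin_hash"], _hash_pin(key, pin)):
            acct["fails"] = 0
            return "ok"
        acct["fails"] += 1
        if acct["fails"] >= self.threshold:
            acct["locked"] = True        # the victim is now denied service
            return "locked"
        return "bad_pin"


class ThrottledService(PayPhraseService):
    """Hardened variant: throttle the guessing *source*, never the victim's account.

    claim() is still an oracle (uniqueness is a product requirement), but an
    attacker can no longer turn that knowledge into a lockout of the owner.
    """

    def __init__(self, threshold: int = LOCKOUT_THRESHOLD):
        super().__init__(threshold)
        self._source_fails = {}  # source (e.g. client IP) -> wrong guesses

    def authenticate_from(self, source: str, phrase: str, pin: str) -> str:
        if self._source_fails.get(source, 0) >= self.threshold:
            return "throttled"
        key = phrase.strip().lower()
        acct = self._accounts.get(key)
        # One answer for "no such phrase" and "wrong PIN": no oracle on this path.
        if acct is None or not hmac.compare_digest(acct["pin_hash"], _hash_pin(key, pin)):
            self._source_fails[source] = self._source_fails.get(source, 0) + 1
            return "denied"
        return "ok"


def find_active(service: PayPhraseService, candidates) -> list:
    """Attack step 1: use the claim check to learn which trivial phrases exist."""
    return [p for p in candidates if service.is_claimed(p)]


def lock_out(service: PayPhraseService, phrase: str) -> int:
    """Attack step 2: submit wrong PINs until the phrase is blacklisted.
    Returns the number of attempts needed (a guess may also succeed by luck)."""
    attempts = 0
    for pin in range(PIN_SPACE):
        attempts += 1
        if service.authenticate(phrase, f"{pin:04d}") in ("locked", "ok"):
            return attempts
    return attempts


def guess_probability(threshold: int) -> float:
    """Chance that the guesses allowed before lockout hit a uniformly chosen PIN."""
    return threshold / PIN_SPACE


def demo():
    naive = PayPhraseService()
    naive.claim("Trust no one", "7310")                  # constructed victim
    active = find_active(naive, COMMON_PHRASES)          # ['trust no one']
    attempts = lock_out(naive, active[0])                # 5
    victim_naive = naive.authenticate("Trust no one", "7310")   # 'locked'

    hard = ThrottledService()
    hard.claim("Trust no one", "7310")
    for pin in range(LOCKOUT_THRESHOLD + 1):             # attacker exhausts its budget
        hard.authenticate_from("attacker-ip", "Trust no one", f"{pin:04d}")
    victim_hard = hard.authenticate_from("victim-ip", "Trust no one", "7310")  # 'ok'
    return active, attempts, victim_naive, victim_hard


if __name__ == "__main__":
    print(demo(), guess_probability(LOCKOUT_THRESHOLD))
```

Running `demo()` shows the asymmetry: against the naive service the attacker needs exactly `LOCKOUT_THRESHOLD` requests to deny the owner service, while against the throttled service the same requests only exhaust the attacker's own budget. The per-source budget is a simplification (a real deployment would also apply back-off and a CAPTCHA, and a distributed attacker has many sources); the point it illustrates is that a lockout keyed on a guessable public identifier hands the attacker a denial-of-service button.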

I tried my favorite trivial passphrase “Trust no one”. Guess what? It belongs to somebody in Portland paying with Visa! I did not try the PIN.

Lesson: Some design decisions may have “funny” side effects.

Ten ways hackers breach security

I have decided to launch a new category: “the ten …”. In this category, I will put the classifications and lists about security that one finds around the net, such as the top 10 vulnerabilities in software.

Of course, the first one of the category is the Technicolor Ten Security Laws of my team.

I found this “Ten ways hackers breach security” as a white paper from Global Knowledge. The paper is clearly not revolutionary. Nevertheless, it is another list of ten…

Here are the ten ways:

  • 1- Stealing passwords
  • 2- Trojan horses
  • 3- Exploiting defaults (a cruel one but awfully true: how many people change the default admin password of their gateway?)
  • 4- Man-in-the-middle attacks (more sophisticated, but at the heart of some recent wireless attacks)
  • 5- Wireless attacks
  • 6- Doing their homework, i.e. collecting information about the target. This is of course one of the first stages of social engineering.
  • 7- Monitoring vulnerability research (!!!)
  • 8- Being patient and persistent
  • 9- Confidence games; this is where they present social engineering
  • 10- Already being on the inside; the usual insider threat

A nice introductory paper, but not interesting if you are already security aware.

Free: The future of a radical price

Monday, January 18, 2010

This book seems to have been one of the best sellers of 2009. Chris Anderson is known for many reasons: he is editor of Wired, but also the person who launched the famous concept of “the long tail”. Today, I am not sure that the long tail made anybody rich. Some recent studies from Harvard seem to contradict this theory.

Nevertheless, reading this new book was mandatory for me. One popular belief is that the Internet is free. It is often claimed that DRM is useless because Free is the future of media (or at least that media will be supported by some other means).

The book clearly shows that there is no free lunch, and it describes the economic mechanisms behind “Free”. Anderson provides an interesting taxonomy of the different forms of cross-subsidy, and then illustrates them.

For instance, why is it interesting for Google to promote the free use of online services for almost everything? Because it allows Google to profile users better and to place advertisements better.

Every click in Google Maps is more information about consumer behaviour, and every mail in Gmail is a clue to our human network of connections, all of which Google can use to help invent new products or just sell ads better

The explanation of the attraction of free through human factors is great. According to him, people are wired to understand scarcity better than abundance. Because we are afraid of loss, free is attractive: we take no perceptible risk.

He also explains why the Internet will be free:

TV is a scarcity business (there are only so many channels), but the Web is not. You can’t change scarcity prices in an abundant market, nor do you need to, since the costs are lower too.

Now, does he present solutions? The examples from audio seem promising. Nevertheless, I have many doubts about whether this carries over to the video market. Would ads be able to support a movie such as “Avatar”, whose cost exceeded $300M?

Nevertheless, this book is mandatory reading if you want to better understand some of the big waves in the Internet and entertainment worlds. It may help you build your own opinion.

Do you believe that the Future is Free?

Reference: Anderson C., Free: The Future of a Radical Price, Hyperion, 2009

Oh, by the way, you can download the book for free and legally!

SF: L’accroissement mathématique du plaisir

Unfortunately for English readers, this book is only available in French. The author, Catherine Dufour, is a promising young French writer.
It has been a long time since I was so delightfully surprised by a French SF author. This book is a collection of twenty short stories. She is brilliant, provocative and politically incorrect. She reminds me of Philip K. Dick, with a little of Pierre Pelot (a French writer of the 80s) and Edgar Allan Poe.

In “L’accroissement mathématique du plaisir” (The Mathematical Growth of Pleasure), my preferred short stories are “Je ne suis pas une légende” (I Am Not a Legend), which is obviously a tribute to Matheson, “L’Immaculée Conception” (The Immaculate Conception), “Confession d’un mort” (Confession of a Dead Man) and the hilarious “Une Troll d’histoire”, another tribute, this time to a series of French comics.

Thus, if you ever find her books in a library, run and read them.

Are watermarked screeners too expensive?

Screeners are copies of a movie that are sent to reviewers or to members of an award jury. The favored format is DVD. Unfortunately, DVDs are not protected against piracy. Thus, the typical procedure is to watermark each screener with an individual invisible mark, so that if there is ever a leak, it should be possible to trace it back to the originator.

According to /Film, Sony Pictures considered this operation too expensive and thus decided not to support its movie “Moon” for the Oscars. Funnily, the movie is already available on DVD and Blu-ray.

Is the story finished?

Thanks to Olivier for the pointer.

Rights Locker

The CES period is always an interesting time because many initiatives are disclosed or present their progress. In the field of DRM, there are two interesting pieces of news:

Disney has started to unveil more about its KeyChest technology. CNBC presented the following spot.

At the same time, DECE issued a press release presenting its latest milestones. In a nutshell, DECE has:

  • defined a common file format (according to the FAQ, it seems to be compliant with Microsoft’s PIFF),
  • selected a company that will host the rights locker,
  • and announced that five DRMs will support it (Adobe, Marlin, Microsoft PlayReady, OMA and Widevine).

Both KeyChest and DECE use the new concept of a rights locker. In very simple terms, a rights locker is a database that stores the usage rights a customer has purchased. This database is meant to be shared by content distributors. The promise is that if you purchase a piece of content, it can be played back (if you paid for that) on any of your devices (or at least on the devices compliant with this rights locker), independently of the DRM used by the device. In other words, usage rights are linked to a customer rather than to his or her devices.

This is great progress in electronic content distribution. One of the strongest complaints of customers is the lack of interoperability between DRMs. This is an answer.

Without doubt, this blog will come back to the topic of rights lockers in the future.