Patents by Inventor Gianpaolo Fasoli

Gianpaolo Fasoli has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10002236
    Abstract: User accounts can be linked together to form a group of linked user accounts that can access content items assigned to the other user accounts in the group. A user can download content items assigned to their user account, as well as shared content items assigned to one of the other user accounts in the group of linked user accounts. Use of shared content items can be restricted to client devices running specified versions of an operating system. The key ID tagged to a shared content item can be altered such that the key ID no longer correctly identifies the corresponding DRM key that enables use of the shared content item. Client devices authorized to use shared content items can be configured to recognize that a content item is a shared content item and generate the original key ID from the altered key ID.
    Type: Grant
    Filed: February 27, 2015
    Date of Patent: June 19, 2018
    Assignee: Apple Inc.
    Inventors: Gianpaolo Fasoli, Apoorva Govind, Augustin J. Farrugia, Raffi T. Khatchadourian
  • Publication number: 20180089465
    Abstract: Systems and methods are described for rate-limiting a message-sending client interacting with a message service based on dynamically calculated risk assessments of the probability that the client is, or is not, a sender of spam messages. The message service sends a proof of work problem to a sending client device with a difficulty level that is related to a risk assessment that the client is a sender of spam messages. The message system limits the rate at which a known or suspected spammer can send messages by giving the known or suspected spammer client harder proof of work problems to solve, while minimizing the burden on normal users of the message system by giving them easier proof of work problems to solve that can typically be solved by the client within the time that it takes to type a message.
    Type: Application
    Filed: September 18, 2017
    Publication date: March 29, 2018
    Inventors: Lucas O. Winstrom, Eric D. Friedman, Ritwik K. Kumar, Jeremy M. Stober, Amol V. Pattekar, Benoit Chevallier-Mames, Julien Lerouge, Gianpaolo Fasoli, Augustin J. Farrugia, Mathieu Ciet
  • Publication number: 20180069871
    Abstract: A content request communication, e.g., generated using a first processor of a device, can be transmitted to a web server. A response communication including content identifying a first value can be received from the web server. The first processor can facilitate presentation of the content on a first display of the device. A communication can be received at a second processor of the device from a remote server. The communication can include data representing a second value and can be generated at the remote server using information received from the web server. Further, the second processor can produce a secure verification output that can be presented on a separate, second display, representing at least the second value. The presentation on the first display can at least partially overlap in time with the presentation on the second display.
    Type: Application
    Filed: September 6, 2016
    Publication date: March 8, 2018
    Applicant: Apple Inc.
    Inventors: Gianpaolo Fasoli, Matthew C. Byington, Christopher Sharp, Anton K. Diederich, Nicholas J. Shearer, Roberto G. Yepez, Petr Kostka, Gianluca Barbieri, Abhinav Gupta
  • Publication number: 20170221055
    Abstract: Systems, methods, and computer-readable media for validating online access to secure device functionality are provided that may use shared secrets between different subsystems and limited use validation data.
    Type: Application
    Filed: September 23, 2016
    Publication date: August 3, 2017
    Inventors: Karl Anders Carlsson, Anton K. Diederich, Christopher Sharp, Gianpaolo Fasoli, Maciej Stachowiak, Matthew C. Byington, Nicholas J. Shearer, Samuel M. Weinig
  • Patent number: 9594605
    Abstract: A software version control system manages versioned applications in a client-server computing system environment. This is a management system for computer application (software) distribution where a number of client devices coupled to a server may be executing different versions of a particular computing application. The system manages updates to the applications and enforces rules or policies to use the most recent version whenever possible.
    Type: Grant
    Filed: November 15, 2011
    Date of Patent: March 14, 2017
    Assignee: Apple Inc.
    Inventors: Augustin J. Farrugia, Gelareh Taban, Amine El Kamel, Gianpaolo Fasoli, Srinivas Vedula
  • Publication number: 20160357951
    Abstract: The embodiments set forth systems and techniques to activate and provide other device services for user devices. An activation manager is configured to activate a user device by receiving an activation request for the device, accepting previously stored and encrypted trusted data for the device, getting current data for the device, determining whether the current data compares with the trusted data, and sending an authorization to activate the device when the current data compares favorably with the trusted data. Data can include a seed component divided into seed segments that are each combined with a unique device identifier using varying cryptographic primitives. Each encrypted seed segment and unique device identifier combination can be dedicated to a different device use or service, and can be used separately for device identification for that use or service.
    Type: Application
    Filed: September 30, 2015
    Publication date: December 8, 2016
    Inventors: Gianpaolo Fasoli, Augustin J. Farrugia, Mathieu Ciet, Jean-Francois Riendeau
  • Publication number: 20160359816
    Abstract: This application relates to embodiments for providing a content stream to a device from a content server based on a protocol that is established between the device and an account server. The account server can initiate a session with the device and provide the device with a list of channels available for a user account associated with the device. When a channel is selected at the device, conditional access information can be provided from the account server to the device, which can thereafter relay the conditional access information to the content server. The content server can use the conditional access information to verify that the device has the appropriate permission to receive streaming content. In this way, because the conditional access information originates at the account server, permission to access streaming content can be managed by correspondence between the account server and the device, rather than the content server.
    Type: Application
    Filed: September 30, 2015
    Publication date: December 8, 2016
    Inventors: Srinivas Vedula, Daniel P. Carter, Gianpaolo Fasoli, Augustin J. Farrugia, Eugene Jivotovski
  • Patent number: 9424049
    Abstract: Methods, media and systems that use an encoded opaque pointer in an API between a client process and a library process. An encoded opaque pointer, in one embodiment, can be received by the library process from the client process, and the library process can decode the opaque pointer to obtain an address in memory containing a data structure pointed to by the opaque pointer. The library process can operate on the data structure to create a revised or processed data structure, stored in the same or different address in heap memory or stack memory, and the library process can encode and return a new opaque pointer, for the processed data structure, to the client process.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: August 23, 2016
    Assignee: Apple Inc.
    Inventors: Augustin J. Farrugia, Daniel F. Reynaud, Gianpaolo Fasoli, Jonathan Gregory McLachlan, Julien Lerouge
  • Publication number: 20160204939
    Abstract: Some embodiments of the invention provide a content-distribution system for distributing content under a variety of different bases. For instance, in some embodiments, the content-distribution system distributes device-restricted content and device-unrestricted content. Device-restricted content is content that can only be played on devices that the system associates with the particular user. Device-unrestricted content is content that can be played on any device without any restrictions. However, for at least one operation or service other than playback, device-unrestricted content has to be authenticated before this operation or service can be performed on the content. In some embodiments, the system facilitates this authentication by specifying a verification parameter for a piece of device-unrestricted content.
    Type: Application
    Filed: March 18, 2016
    Publication date: July 14, 2016
    Inventors: Augustin J. Farrugia, Gianpaolo Fasoli, Bertrand Mollinier Toublet, Mathieu Ciet
  • Patent number: 9311492
    Abstract: Some embodiments of the invention provide a content-distribution system. In some embodiments, the content-distribution system distributes device-restricted content and device-unrestricted content. Device-restricted content is content that can only be played on devices that the system associates with the particular user. Device-unrestricted content is content that can be played on any device without any restrictions. However, for at least one operation or service other than playback, device-unrestricted content has to be authenticated before this operation or service can be performed on the content. In some embodiments, the system facilitates this authentication by specifying a verification parameter for a piece of device-unrestricted content.
    Type: Grant
    Filed: September 13, 2012
    Date of Patent: April 12, 2016
    Assignee: Apple Inc.
    Inventors: Augustin J. Farrugia, Gianpaolo Fasoli, Bertrand Mollinier Toublet, Mathieu Ciet
  • Publication number: 20160019375
    Abstract: User accounts can be linked together to form a group of linked user accounts that can access content items assigned to the other user accounts in the group. A user can download content items assigned to their user account, as well as shared content items assigned to one of the other user accounts in the group of linked user accounts. Use of shared content items can be restricted to client devices running specified versions of an operating system. The key ID tagged to a shared content item can be altered such that the key ID no longer correctly identifies the corresponding DRM key that enables use of the shared content item. Client devices authorized to use shared content items can be configured to recognize that a content item is a shared content item and generate the original key ID from the altered key ID.
    Type: Application
    Filed: February 27, 2015
    Publication date: January 21, 2016
    Inventors: Gianpaolo Fasoli, Apoorva Govind, Augustin J. Farrugia, Raffi T. Khatchadourian
  • Publication number: 20150347996
    Abstract: One or more user accounts can be linked together to form a group of linked user accounts to access content items assigned to the other user accounts in the group of linked user accounts. Prior to completing a purchase for a content item, a requesting user can be alerted that a member of the group of linked user accounts has access to the content item. Content items assigned to a member of a group of linked user accounts can be downloaded by one or more other members of the group of linked user accounts along with a Digital Rights Management (DRM) key that enables use of the content item. The DRM key can represent the group relationship between the downloading user account and the content owner's user account to which the content item is assigned.
    Type: Application
    Filed: May 26, 2015
    Publication date: December 3, 2015
    Inventors: Thomas Alsina, Augustin J. Farrugia, Edward T. Schmidt, Gianpaolo Fasoli, Sean B. Kelly
  • Patent number: 9172683
    Abstract: In a Digital Rights Management (DRM) system, cryptographic keys for decrypting distributed assets (such as audio or video media) are distributed using an offline (e.g., non-Internet) method for distribution of the key generation process, with an implicit authorization to use the distributed key generation process. This is used to update an asset key for use by a client such as a media player when a key formula for generating the key for decrypting an asset has been compromised, such as by hackers.
    Type: Grant
    Filed: June 29, 2011
    Date of Patent: October 27, 2015
    Assignee: Apple Inc.
    Inventors: Augustin J. Farrugia, Gianpaolo Fasoli, Nicholas Sullivan
  • Patent number: 8949935
    Abstract: In one embodiment, a non-transitory computer-readable medium stores instructions for establishing a trusted two-way communications session for account creation for an online store, which include instructions for causing a processor to perform operations comprising retrieving and verifying a signed configuration file from a server, requesting a communication session using the configuration file, receiving a payload of account creation forms from a network client, signing the payload according to the server configuration file, and sending the signed payload containing account creation information to the server. In one embodiment, a computer-implemented method comprises analyzing timestamps for requests for data forms for supplying account creation information for evidence of automated account creation activity and rejecting the request for the locator of the second account creation form if evidence of automated account creation activity is detected.
    Type: Grant
    Filed: December 31, 2012
    Date of Patent: February 3, 2015
    Assignee: Apple Inc.
    Inventors: Thomas Alsina, Michael K. Chu, Augustin J. Farrugia, Gianpaolo Fasoli, Sean B. Kelly, Delfin Jorge Rojas, Nicholas T. Sullivan, Zhiyuan Zhao
  • Patent number: 8850206
    Abstract: In the context of a computer client-server architecture, typically used in the Internet for communicating between a server and applications running on user computers (clients), a method is provided for enhancing security in the context of digital rights management (DRM) where the server is an untrusted server that may not be secure, but the client is secure. This method operates to authenticate the server to the client and vice versa to defeat hacking attacks intended to obtain confidential information. Values passed between the server and the client include encrypted random numbers, authentication values and other verification data generated using cryptographic techniques including double encryption.
    Type: Grant
    Filed: November 15, 2011
    Date of Patent: September 30, 2014
    Assignee: Apple Inc.
    Inventors: Augustin J. Farrugia, Gelareh Taban, Amine El Kamel, Gianpaolo Fasoli, Srinivas Vedula
  • Patent number: 8719947
    Abstract: Method and apparatus to prevent hacking of encrypted audio or video content during playback. Hackers, using a debugging attachment or other tools, can illicitly access encrypted data in memory in a playback device when the data is decrypted during playback and momentarily stored in digital form. This hacking is defeated here by methodically “poisoning” the encrypted data so that it is no longer playable by a standard decoder. The poisoning involves deliberate alteration of certain bit values. On playback, the player invokes a special secure routine that provides correction of the poisoned bit values, for successful playback.
    Type: Grant
    Filed: July 20, 2012
    Date of Patent: May 6, 2014
    Assignee: Apple Inc.
    Inventors: Julien Lerouge, Gianpaolo Fasoli, Augustin J. Farrugia
  • Patent number: 8699703
    Abstract: Disclosed herein are systems, methods, and non-transitory computer-readable storage media for obfuscating data via a pseudo-random polymorphic tree. A server, using a seed value shared with a client device, generates a tag stream according to a byte-string algorithm. The server passes the tag stream and the data to be transmitted to the client device through a pseudo-random polymorphic tree serializer to generate a pseudo-random polymorphic tree, which the server transmits to the client device. The client device, using the same seed and byte-string algorithm, generates the same tag stream as on the server. The client passes that tag stream and the received pseudo-random polymorphic tree through a pseudo-random polymorphic tree parser to extract the data. Data to be transmitted from the server to the client device is hidden in a block of seemingly random data, which changes for different seed values. This approach obfuscates data and has low processing overhead.
    Type: Grant
    Filed: October 19, 2011
    Date of Patent: April 15, 2014
    Assignee: Apple Inc.
    Inventors: Nicholas T. Sullivan, Bertrand Mollinier Toublet, Gianpaolo Fasoli, Jon McLachlan
  • Patent number: 8681975
    Abstract: A method and associated apparatus for use in a data distribution process to allow an untrusted intermediary to re-encrypt data for transmission from an originator to a message receiver without revealing the data (message) or the cipher to the intermediary. This method uses a composition of two ciphers for re-encrypting the message at the intermediary, without revealing the plain text message or either cipher to the intermediary.
    Type: Grant
    Filed: August 31, 2009
    Date of Patent: March 25, 2014
    Assignee: Apple Inc.
    Inventors: Augustin J. Farrugia, Nicholas Sullivan, Gianpaolo Fasoli, Mathieu Ciet
  • Publication number: 20140082695
    Abstract: In one embodiment, a non-transitory computer-readable medium stores instructions for establishing a trusted two-way communications session for account creation for an online store, which include instructions for causing a processor to perform operations comprising retrieving and verifying a signed configuration file from a server, requesting a communication session using the configuration file, receiving a payload of account creation forms from a network client, signing the payload according to the server configuration file, and sending the signed payload containing account creation information to the server. In one embodiment, a computer-implemented method comprises analyzing timestamps for requests for data forms for supplying account creation information for evidence of automated account creation activity and rejecting the request for the locator of the second account creation form if evidence of automated account creation activity is detected.
    Type: Application
    Filed: December 31, 2012
    Publication date: March 20, 2014
    Applicant: Apple Inc.
    Inventors: Thomas Alsina, Michael K. Chu, Augustin J. Farrugia, Gianpaolo Fasoli, Sean B. Kelly, Delfin Jorge Rojas, Nicholas T. Sullivan, Zhiyuan Zhao
  • Publication number: 20140075180
    Abstract: Some embodiments of the invention provide a content-distribution system. In some embodiments, the content-distribution system distributes device-restricted content and device-unrestricted content. Device-restricted content is content that can only be played on devices that the system associates with the particular user. Device-unrestricted content is content that can be played on any device without any restrictions. However, for at least one operation or service other than playback, device-unrestricted content has to be authenticated before this operation or service can be performed on the content. In some embodiments, the system facilitates this authentication by specifying a verification parameter for a piece of device-unrestricted content.
    Type: Application
    Filed: September 13, 2012
    Publication date: March 13, 2014
    Inventors: Augustin J. Farrugia, Gianpaolo Fasoli, Bertrand Mollinier Toublet, Mathieu Ciet