Abstract: Systems and methods are provided for securely providing a media stream from a server device to a remote player via a communications network. A request for a connection is received from the remote player at the server device via the communications network. In response to the request for the connection, an authorization credential is requested from a central server via the communications network. Further, in response to the authorization credential received from the central server, the media stream between the server device and the remote player can be established over the communications network. At least a portion of the media stream may be encrypted based upon the authorization credential.

Abstract: Systems and methods are provided herein for automatically overriding an auto-skip command embedded in a media asset annotation when a user profile indicates a preference for content that is to be auto-skipped. To this end, a media guidance application may play back a media asset to a user, and detect therein a skip annotation that corresponds to a portion of the media asset that is to be played back. The media guidance application may, in response to detecting the skip annotation, access metadata indicating content of the portion, compare the metadata to entries of a profile of the user, and determine whether the user prefers the content based on the comparing. If the user prefers the content, the media guidance application may refrain from executing a skip command indicated by the skip annotation.

Abstract: Systems and methods for providing one or more secure services are disclosed. One method can comprise authenticating and/or authorizing a user device to receive a security token. A request for information can be processed using the security token to facilitate the secure provision of services to the user device.

Abstract: Methods, systems, and devices are disclosed for providing control of an unmanned aircraft (UA). A server may receive an indication from a UA that a transition from autonomous flight to pilot controlled flight is required while the UA is in autonomous flight. The server may select a pilot station for providing pilot controlled flight of the UA. Selecting a pilot station for providing pilot controlled flight of the UA may be based on a pilot criterion associated with the pilot station. A UA may detect a condition that requires a transition from autonomous flight to pilot controlled flight and establish a pilot criterion for pilot controlled flight based on the detected condition. The UA may send a request for a pilot that includes the pilot criterion and information about the condition.

Abstract: Approaches for operating a network personal video recorder operated by a content provider. The network personal video recorder may be located at a head-end of a digital content provider. A network personal video recorder receives, from a user, authentication credentials that provide the network personal video recorder access, via the Internet, to a storage medium belonging to or associated with the user. After the user instructs the network personal video recorder to record a video program, the network personal video recorder stores a copy of the video program on the user's storage medium using the user-provided authentication credentials. Thereafter, when the user wishes to view the video program, the user can instruct the network personal video recorder to read the copy of the video program from the storage medium and play the video program on a device of the user.

Abstract: Technologies to provide a secure data storage service in a cloud computing environment are generally disclosed. In some examples, a method comprises: partitioning a data resource into data particles, assigning logic groups to the data particles, assigning physical storage groups to the data particles, and/or storing each physical storage group at corresponding storage resource, receiving a request for the data resource, determining whether the request for the data resource is valid, and if the request is valid, transmitting the data particles of the data resource to the client. The method enables improved security for accessing data, and also improves the user experience in cloud computing environments.

Abstract: This disclosure relates generally to multi-factor authentication, and more particularly to method and system for multi-factor authentication. In one embodiment, the method includes receipt of an audio input at a device, and a plurality of authentication parameters from at least one of the device and a server communicably coupled to the device. The plurality of authentication parameters are encrypted to generate a plurality of encrypted authentication parameters. The plurality of encrypted authentication parameters are embedded as watermarks into the audio input to generate a watermarked audio signal. The watermarked audio signal are encrypted to generate an authentication audio signal. The authentication audio signal is transmitted to an authentication server over an audio communication channel to authenticate the access at the device.

Abstract: A system that incorporates the subject disclosure may perform, for example, receiving an over-the-air programming message that includes programming data for use by the mobile communication device, decrypting the over-the-air programming message utilizing a first keyset to generate a decrypted over-the-air programming message, determining a schedule for providing messages from a secure device processor to a secure element of the mobile communication device where the secure device processor is separate from the secure element and in communication with the secure element, and providing the decrypted over-the-air programming message to the secure element according to the schedule. Other embodiments are disclosed.

Abstract: Techniques for encrypting the data in the memory of a computing device are provided. An example method for protecting data in a memory according to the disclosure includes encrypting data associated with a store request using a memory encryption device of the processor to produce encrypted data. Encrypting the data includes: obtaining a challenge value, providing the challenge value to a physically unclonable function module to obtain a response value, and encrypting the data associated with the store request using the response value as an encryption key to generate the encrypted data. The method also includes storing the encrypted data and the challenge value associated with the encrypted data in the memory.

Abstract: Technologies for managing network privileges of members of graft-network include detecting a computing device in physical presence with a network infrastructure, determining whether the computing device is a member of the graft-network, and establishing initial network privileges for the computing device if the computing device is not a member, without direct programming of the member. The network privileges of members of the graft-network are updated over time as a function of the length of time for which the computing device is in physical presence of the network infrastructure. A computing device may be in physical presence of the network by physical contacting a communication bus of the network infrastructure or being within a limited communication range of the communication bus. New members to the graft-network may be quarantined to reduce risk to the network.

Abstract: Techniques are disclosed for secure playback of protected multimedia content on a game console using a secret-less application. An SSO model can be used for client authentication at a key server, which eliminates the need of storing or using any secret information in the client application. Further, an encrypted content key generated by a content packager using a public key can be deployed in the key URI of a playlist file, which is sent to the key server. The key server can be configured to decrypt the content key using a corresponding private key. Further, the content key and unencrypted samples are protected in the game console client application from debugging and replay attacks by using additional security checks at both the client and key server. By storing secret information remotely from the game console and using the SSO model, DRM policies can be enforced on an untrusted client application.

Abstract: An intermediary system reduces a delay associated with the compression and transmission of content resources to a user's device. For example, the intermediary system compresses a first content resource, generates a signature of the first content resource, stores the compressed first content resource and the generated signature, and transmits the compressed first content resource to the user's device. When the user's device or another user's device requests a second content resource at a later time, the intermediary system generates a signature of the second content resource and compares it with the signature of the first content resource. If the signatures match (meaning the first and second content resources are very likely identical), then the intermediary system merely transmits the compressed first content resource to the appropriate device instead of first compressing the second content resource and then transmitting the compressed second content resource to the appropriate device.

Abstract: Methods, systems, and apparatus, including computer program products, for assuring application performance by matching the supply of resources (e.g., application resources, VM resources, or physical resources) with the fluctuating demand placed on the application. For example, the systems and methods disclosed herein can be used to ensure that the application is allocated sufficient resources when it is initially deployed to handle anticipated demand; dynamically alter the resources allocated to the application during operation by matching the resource requirements to the actual measured application demand; and predict future resource requirements based on planning assumptions related to future application demand.

Abstract: Methods, systems, and apparatus, including computer program products, for regulating access of consumers (e.g., applications, containers, or VMs) to resources and services (e.g., storage). In one embodiment, this regulation occurs through the use of access or action permits, referred to as permits that the consumer acquires from an intermediate entity—an Action Manager (AM)—prior to accessing the resource or service. Regulating access includes, for example, controlling one or more of the number of concurrent accesses to a particular resource, the rate at which consumers access the resource, the total number of consumers in a group of consumers accessing the resource, and the total rate at which a group of consumers accesses a resource. According to various embodiments, similar regulation is applied to a group of resources (rather than a single resource).

Abstract: Secure content transfer systems and methods to operate the same are disclosed. An example system includes a content server to encrypt content according to an encryption key, and to transfer the encrypted content, the encryption key and a license to a client that supports a digital rights management technology. The example system further includes a broadcast system headend to determine the encryption key, wherein the broadcast system headend is physically separate from the content server, and a digital rights management license server to provide the license.

Abstract: Techniques are described for providing functionality to allow a viewer of a television show to watch a “previously on” segment of an episode of the television show and be able to watch the scenes from prior episodes referenced in the “previously on” segment.

Abstract: According to an embodiment, an image erasing apparatus includes an accessory information acquiring unit and an execution availability determining unit. The accessory information acquiring unit acquires accessory information related to security of the sheet based on attribute data of a sheet on which an erasable image is formed. The execution availability determining unit each determines execution availability of erase processing for the image on the sheet and execution availability of preservation processing for the image data generated by the readout unit, based on the accessory information.

Abstract: Services from domainless machines are made available in a security domain under a virtual name. Each machine is not joined to the domain but can reach a security domain controller. The controller controls at least one security domain using an authentication protocol, such as a modified Kerberos protocol. One obtains a set of security domain credentials, generates a cluster name secret, gives the cluster a virtual name, and authenticates the machines to the domain controller using these items. In some cases, authentication uses a ticket-based protocol which accepts the cluster name secret in place of a proof of valid security domain membership. In some, the domain controller uses a directory service which is compatible with an active directory service; the cluster virtual name is provisioned as an account in the directory service. The cluster virtual name may concurrently serve clients on different security domains of the directory service.

Abstract: To provide for security and robustness in distribution of high value video content such as UHD video, a white list is provided that does not grant default access to content like a revocation listing does, but rather forces a software update on potentially compromised devices to bring them back into copy protection compliance, eliminating, e.g., the use of certain outputs that have been compromised. Prior to outputting content, a source device determines whether the receiving device is on a white list, whether the output is still valid, whether the version number of the receiving device is still valid, and that the receiving device does not have insecure outputs on which it could re-output content.

Abstract: A network information system, and a method of operation thereof, includes: an extraction module for extracting a unique device identification for sending to an e-commerce server, wherein the unique device identification is extracted from a network-connected device with a software application installed and not activated on the network-connected device; a settlement process module, coupled to the extraction module, for generating a notification based on the unique device identification for sending to a license server; and a key generation module, coupled to the settlement process module, for generating a product key for the unique device identification based on the notification for activating the software application to run on a computing device.

Abstract: Systems and methods are disclosed for registering a host computing device at a server and registering a lock device at the server via an application running on a mobile computing device, each being provided host keys from the server that allow communication between the host computing device the lock device. Further, the lock device can only be registered with the server if a current registered device count is less than a maximum registered device threshold.

Abstract: A method begins by a dispersed storage (DS) processing module selecting storage pools within the DSN with available capacity for storing data of a storage group. The method continues by selecting one or more dispersed storage (DS) units within each of the selected storage pools based on a selection criteria and mapping the one or more DS units to the storage group. The method continues by receiving a write request to store a data object to the storage group and by storing the data object in at least one of the mapped one or more DS units. The method continues with the DS processing module issuing an indication unutilized storage space calculated on a proportionate basis based on storage utilized for the storage group as a percentage of total storage utilized and updating a write proportion value based on received storage utilization responses.

Abstract: According to an embodiment, an information processing device is connected to a management apparatus via a network. The device includes a receiver, an acquisition unit, an MKB processor, and an authentication unit. The receiver is configured to receive communication information. The acquisition unit is configured to acquire a media key block from the management apparatus, in response to receipt of the communication information from a first external device not belonging to a group previously classified on a management unit basis by the management apparatus, the first external device and the information processing device being enabled to derive a first group key based on the media key block. The MKB processor is configured to generate the group key from a device key of the information processing device and the media key block. The authentication unit is configured to perform encrypted communication with the external device based on an authentication method using the group key.

Abstract: Provided are techniques to enable, using broadcast encryption, a device to locate a service offered by a server with the knowledge that the service offered by the server is a trusted service. A signed enhanced Management Key Block (eMKB) includes a trusted service locator (TSL) that includes one or more records, or “trusted service data records” (TSDRs), each identifying a particular service and a corresponding location of the service is generated and transmitted over a network. Devices authorized to access a particular service parse the eMKB for the end point of the service, connect to the appropriate server and transmit a request.

Abstract: The present document relates to transcoding of metadata, and in particular to a method and system for transcoding metadata with reduced computational complexity. A transcoder configured to transcode an inbound bitstream comprising an inbound content frame and an associated inbound metadata frame into an outbound bitstream comprising an outbound content frame and an associated outbound metadata frame is described. The inbound content frame is indicative of a signal encoded according to a first codec system and the outbound content frame is indicative of the signal encoded according to a second codec system. The transcoder is configured to identify an inbound block of metadata from the inbound metadata frame, the inbound block of metadata associated with an inbound descriptor indicative of one or more properties of metadata comprised within the inbound block of metadata, and to generate the outbound metadata frame from the inbound metadata frame based on the inbound descriptor.

Abstract: A wireless station receives a message broadcast by a string broadcast station, which message includes a network information string. The wireless station generates an identifier comprising a tag component and a content component and sends the identifier and the network information string to a datastore. The identifier is stored in association with the network information string in the datastore.

Abstract: An information processing apparatus, which connects to at least one client apparatus via a first network and is connectable to an external apparatus via a second network, includes first and second receiving units, a specifying unit, first and second switching units, and a transmitting unit. The first receiving unit receives client information from the client apparatus via the first network. The specifying unit specifies a device connected to the first network and controllable by the client apparatus. The first switching unit switches connection from the first network to the second network. The second receiving unit receives, based on the client information and the specified device, a control program for controlling the device from the external apparatus via the second network. The second switching unit switches connection from the second network to the first network. The transmitting unit transmits the received control program to the client apparatus via the first network.

Abstract: A media sharing system identifies fingerprints that represent an uploaded video and generates a digest based on the fingerprints. The media sharing system searches for digests of previously processed videos whose digests match the digest of the uploaded video. A previously processed video whose digest matches the digest of the uploaded video is identified as a matching video. For each matching video, the media sharing system retrieves policy information that describes whether the video was found to violate one or more policies of the media sharing system. The media sharing system determines whether to halt processing of the uploaded video based on the retrieved policy information.

Abstract: An information processing apparatus includes: application execution means for executing an application program; metadata storage means for storing metadata corresponding to the application program; input means for receiving a message input by a user based on an operation of the user; selection means for selecting the metadata stored by the metadata storage means, in accordance with an operation of the user; transmission means for transmitting the message received by the input means and the metadata selected by the selection means to another information processing apparatus; reception means for receiving a message and metadata corresponding to an application program from said another information processing apparatus; and information output means for outputting the message and the metadata received by the reception means.

Abstract: A method for preventing photographic capture of a displayed image on an electronically controlled screen using a photographic capture device is provided. The method includes intercepting an image for display; generating a plurality of subset frames based on the intercepted image; dividing the intercepted image into a plurality of subsections; generating a pseudo random number on each of the subsections within the plurality of subsections using a pseudo random number generator; mapping, on each of the subset frames within the plurality of subset frames, a group of subsections within the plurality of subsections that share a common generated pseudo random number; determining a frame rate value for displaying the plurality of subset frames, which enables human visualization of the plurality of subset frames as a single perceived frame; and displaying each subset frame consecutively on the electronically controlled screen based on the determined frame rate.

Abstract: A physical, non-human readable representation of a digital key may be in a physical key article. The key article may enable a person to generate a signal representing the digital key from a user interface device in communication with a computer by physical manipulation of the key article. Access to digital content via the computer may be unlocked in response to receiving the signal. In addition, a key may be represented by a pattern of unreadable errors in a computer-readable medium.

Abstract: An HSM management hub coordinates the distribution and synchronization of cryptographic material across a fleet of connected hardware security modules (“HSMs”). Cryptographic material is exchanged between HSMs in the fleet in a cryptographically protected format. In some examples, the cryptographic material is encrypted using a common fleet key maintained by the HSMs in the fleet. In other examples, the cryptographic material is protected using asymmetric cryptographic keys that are associated with the members of the HSM fleet. The HSM management hub may be used to divide the HSM fleet into subdomains by providing domain keys to subsets of HSMs within the HSM fleet. Cryptographic information that is encrypted with particular domain keys can be distributed across the entire HSM fleet, and restricted to use by authorized HSMs that are in possession of the particular domain keys.

Abstract: The subject matter described herein includes methods, systems, and computer readable media for combating mobile device theft with user notarization. One method includes providing a supplicant video notarization system application executable on a supplicant device for initiating an interactive video call between a supplicant and a notary as a condition to the supplicant accessing a protected electronic resource. The method further includes providing a notary video notarization system application executable on a notary device through which the notary receives the interactive video call and interacts with the supplicant via the interactive video call to confirm the identity of the supplicant and that video of the supplicant provided in the call is live.

Abstract: In a method for controlling a device requiring user-related permissions via a mobile terminal using a local data connection between the mobile terminal and the device to be controlled, the control commands requiring user-related permissions for the device to be controlled are generated by means of an interaction between the mobile device and an authentication server and/or a device management server and are transferred to the device to be controlled from the authentication and/or device management server via the mobile terminal. The control commands requiring user-related permissions for the device to be controlled are received by the mobile terminal and are thereafter transferred to the device to be controlled for the purpose of controlling the same and are not stored in the mobile terminal. The control commands received by the device to be controlled are not verified as to the permission of the user to utilize these control commands.

Abstract: Techniques for compressing and decompressing license information for Digital Rights Management are described. A method implementation of a technique of creating for a plurality of client devices or client device groups compressed license information comprises the steps of creating a template and a table. The table comprises at least one first license part common to licenses for the plurality of client devices or client device groups and one or more placeholders for one or more second license parts specific for a dedicated client device or client device group. The table comprises, for each client device or client device group and for a given placeholder, replacement information specific for that client device or client device group. The method further comprises sending the template and table for delivery as compressed license information to the client devices or client device groups.

Abstract: Systems and methods may provide for receiving a first request from a remote device for access to content on a second remote device, and invoking a proxy server embedded in an HTML5-compliant browser on a local device. Additionally, the first remote device may be provided with access to the content on the second remote device via the proxy server. Moreover, input may be received from a user interface of the local device, wherein a second request may be transmitted to the first remote device for access to content on a third remote device. In one example, the first remote device is unauthorized with respect to the content on the second remote device, and the local device is unauthorized with respect to the content on the third remote device.

Abstract: The technology described in this document can be embodied in a computer implemented method that includes receiving, at a processing device, information about one or more assets associated with a network of devices. The method also includes generating, for at least one of the assets, a security token that is based at least on a portion of the received information about the corresponding asset. The security token can be configured to identify a home network defined for the asset, and to restrict access to the corresponding asset upon detecting an occurrence of an unauthorized activity involving the asset. The method further includes storing, in a storage device, information about the security token and information linking the security token to the corresponding asset, and initiating integration of the security token with the corresponding asset.

Abstract: Methods, devices, and computer program products facilitate the application of a content use policy based on watermarks that are embedded in a content. Watermark extraction and content screening operations, which can include the application of content usage enforcement actions, may be organized such that some or all of the operations can be conducted at different times by different devices. These operations can be conducted by one or more trusted devices that reside in a networked environment. The authenticity of various devices can be verified through the exchange of certificates that can further enable such devices to ascertain capabilities of one another. Based on the ascertained capabilities, an operational configuration for conducting watermark extraction and content screening can be determined.

Abstract: A method of providing encryption and decryption of plaintext strings in a program file, includes: at a device having one or more processors and memory: marking each of a plurality of plaintext strings in a source file with a respective marking macro (e.g., Decrypt); scanning (e.g., using a reflection tool) for the respective marking macros to identify the plurality of plaintext strings in the source code; generating a respective ciphertext string for each of the plurality plaintext strings that have been identified; and storing the plurality of plaintext strings in a dictionary file, where each plaintext string is indexed by a respective hash value computed from the plaintext string, and where the respective hash value for each of the plaintext strings is used to retrieve the respective ciphertext string of the plaintext string from the dictionary during program execution.

Abstract: The technology described in this document can be embodied in a computer implemented method that includes receiving, at a processing device, information about one or more assets associated with a network of devices. The method also includes generating, for at least one of the assets, a security token that is based at least on a portion of the received information about the corresponding asset. The security token can be configured to identify a home network defined for the asset, and to restrict access to the corresponding asset upon detecting an occurrence of an unauthorized activity involving the asset. The method further includes storing, in a storage device, information about the security token and information linking the security token to the corresponding asset, and initiating integration of the security token with the corresponding asset.

Abstract: A method, a system, and a non-transitory storage medium for storing user preferences pertaining to a data encryption service that provides on-demand encryption for data in-flight and at rest; receiving data from a user device; determining whether to invoke the data encryption service based on the data and the user preferences; generating a key to encrypt the data based on determining that the data encryption service is to be invoked; generating a first message that includes the data, the key, and data indicating where encrypted data is to be stored; establishing a secure connection with a device; and transmitting the first message to the device via the secure connection.

Abstract: The present disclosure is directed to application integrity protection via secure interaction and processing. For example, interaction with a user interface in a device may result in input information being generated. Following encryption, the input information may be conveyed to an application executing in a secure processing environment. The encrypted input information may be received, decrypted and processed by the application. An example application may include a secure controller component, a secure model component and a secure view component. The secure controller component may, for example, provide change instructions to the secure model component based on the decrypted input information. The secure model component may then, if necessary, provide a change notification to the secure view component based on the change instructions.

Abstract: Provided is a technology for improving the efficiency and the accuracy of data security. To this end, protection information provided to data is maintained correct even when it becomes necessary to change the necessity/non-necessity to protect the data depending on the content of a process performed on the data. More specifically, primitive data with protection attributes set thereon is read as the original data, and an operation is performed on the original data to generate derived data. Then, whether to make the derived data inherit the protection attributes of the original data is determined on the basis of a content of the operation performed on the original data.

Abstract: A network information system, and a method of operation thereof, includes: an extraction module for extracting a unique device identification for sending to an e-commerce server, wherein the unique device identification is extracted from a network-connected device with a software application installed and not activated on the network-connected device; a settlement process module, coupled to the extraction module, for generating a notification based on the unique device identification for sending to a license server; and a key generation module, coupled to the settlement process module, for generating a product key for the unique device identification based on the notification for activating the software application to run on a computing device.

Abstract: The disclosed computer-implemented method for securely accessing encrypted data stores may include (1) receiving, from a data storage service, a request to permit authenticated access to an encrypted data store administered by the data storage service, the request including a cryptographic element associated with the encrypted data store that has been encrypted using a public key associated with the authentication device, (2) decrypting the cryptographic element associated with the encrypted data store using a private key associated with the authentication device, (3) encrypting the cryptographic element associated with the encrypted data store using a public key associated with a cryptographic client, and (4) transmitting the encrypted cryptographic element to the cryptographic client to enable the cryptographic client to perform cryptographic operations on the encrypted data store. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Systems and methods are provided for securely providing a media stream from a server device to a remote player via a communications network. A request for a connection is received from the remote player at the server device via the communications network. In response to the request for the connection, an authorization credential is requested from a central server via the communications network. Further, in response to the authorization credential received from the central server, the media stream between the server device and the remote player can be established over the communications network. At least a portion of the media stream may be encrypted based upon the authorization credential.

Abstract: In one embodiment, a computer-implemented method includes, in response to an attempt by a user to perform a transaction using a computing device, accessing a communication device connected to the computing device. A presence of one or more nearby devices, with respect to the computing device, is detected through use of the communication device connected to the computing device. A mapping of nearby devices to trust levels may be applied to the one or more nearby devices. In the mapping, each group of one or more nearby devices maps to a trust level of two or more trust levels. An assigned trust level for the transaction is determined, by a computer processor, based on applying the mapping of nearby devices to trust levels. The mapping of nearby devices to trust levels is modified based on the one or more nearby devices detected. The modified mapping is used for future transactions.

Abstract: A method, system and computer program product for protecting access to a computer file are disclosed. In embodiments, the method comprises a user, employing a user computer, selecting a file, and creating a reference file to protect access to this selected file. When a requester uses a computer device to request access to the protected file, the reference file initiates a procedure to determine if the computing device is entitled to access the protected file by validating a series of computer components that uniquely identify the computing device. In embodiments, a set of specified computer configuration data is stored in a specified storage location; and the series of computer components that uniquely identify the computing device are validated by comparing this set of computer configuration data with the series of computer components that uniquely identify the computing device.

Abstract: A printing server includes a registration request reception unit, a registration unit which allocates connection information for connection with the transmission origin of the registration request and an electronic mail address for receiving a printing request to the transmission origin of the registration request, a registration information transmission unit which transmits the registration information which has been allocated, a connection unit which receives the connection information and starts connection, a printing data generation unit which generates printing data, a printing waiting information transmission unit which transmits printing waiting information to the transmission origin of the XMPP connection request using XMPP when the printing data is generated, and a printing data transmission unit which receives an acquisition request for the printing data and transmits the printing data to the transmission origin of the acquisition request for the printing data according to the acquisition request fo

Abstract: Data security jurisdiction zones are identified and data security policy data for the data security jurisdiction zones is obtained. The data security policy data for the data security jurisdiction zones is then automatically analyzed to determine allowed secrets data with respect to each of the identified data security jurisdiction zones. The allowed secrets data with respect to each of the data security jurisdiction zones is then automatically obtained and provided to resources in the respective data security jurisdiction zones, either from a central secrets data store or from an allowed secrets data store associated with each data security jurisdiction zone.