Patents Examined by Jung W Kim
  • Patent number: 11503037
    Abstract: Techniques for managing access to content are provided that include receiving a first signal requesting an indication whether a user has an access privilege to access a resource associated with a first tenant of an access management service or perform an operation by a data processing system using the resource, determining that a first user account associated with the user does not have an access privilege to access the resource; performing a nested access privilege check to determine whether the user is associated with a second user account that has the access privilege to access the resource; and granting via the communication network access to the resource responsive to the nested access privilege check determining that the user is associated with the second user account and the second user account is associated with the access privilege to access the resource.
    Type: Grant
    Filed: November 4, 2019
    Date of Patent: November 15, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Ariel Gordon, Somak Bhattacharyya, Manish Shukla
  • Patent number: 11496453
    Abstract: Systems and methods to enable on-the-fly modification of running processes on a webserver more quickly and efficiently are discussed herein. A code vault is used to store binaries for use in production code running on a server, which are downloaded and implemented in the running process when authorized by developers. The process retrieves the binaries from the code vault to deploy the modifications to a specified audience without having to re-instantiate or run a parallel process with the new binaries. Binaries for different audiences or subsequent experiments may be downloaded onto the same machine, but remain isolated. Control of the deployments may require multi-factor or multi-user authentication and are logged for change control.
    Type: Grant
    Filed: February 1, 2019
    Date of Patent: November 8, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: David Scott Retterath, Zackaria Adel Ali, Arye Gittelman, Steven Li
  • Patent number: 11489845
    Abstract: Predictive rendering (also referred to herein as speculative rendering) is disclosed. The predictive rendering is performed by an endpoint browser in response to a user input made by a user. The predictive rendering is verified using a surrogate browser that is executed on a remote server. The verification can be performed asynchronously.
    Type: Grant
    Filed: September 24, 2020
    Date of Patent: November 1, 2022
    Assignee: Menlo Security, Inc.
    Inventors: Ji Feng, Gautam Altekar, Yang Yu
  • Patent number: 11487885
    Abstract: Methods, systems, and devices for enabling and validating data encryption are described. A data storage system (e.g., including a database and validation server) may receive an encryption request indicating a data object or data field. Prior to performing encryption, the validation server may perform one or more validations to determine whether the system supports encrypting the indicated data. The validation server may identify any formula fields that directly or indirectly (e.g., via other formula fields) reference the data object or field, and may determine whether each of these formula fields is encryption compatible. In some cases, the validation process may involve synchronously executing a first set of validators, marking the data as pending encryption, and asynchronously executing a second set of validators. Based on the results of the validation process, the system may or may not encrypt the indicated data, and may transmit an indication of the validation results.
    Type: Grant
    Filed: January 31, 2018
    Date of Patent: November 1, 2022
    Assignee: Salesforce, inc.
    Inventor: Alexandre Hersans
  • Patent number: 11483390
    Abstract: A client device includes an operating system that lacks an application native to the operating system for remotely effecting a complete data wipe of a storage device of the client device. The client device determines a status of the client device violates a compliance rule associated with operation of the client device. In response to determining that the client device violates the compliance rule, the client device sends the status to a server. The client device initiates execution of an operating system kernel call to remotely effect a complete data wipe of a storage device of the client device.
    Type: Grant
    Filed: May 14, 2019
    Date of Patent: October 25, 2022
    Assignee: AirWatch LLC
    Inventors: Chase Bradley, Kevin Jones
  • Patent number: 11477205
    Abstract: A method for automatically supplying a secure connection proxy with remote targets on the basis of privileged account data, includes a step of exploring, by a robot program, at least one domain for identifying the privileged accounts; a step of filtering the privileged accounts on the basis of criteria; steps of extracting characteristics from identified privileged accounts; and a step of supplying the proxy with the gathered data.
    Type: Grant
    Filed: July 20, 2017
    Date of Patent: October 18, 2022
    Assignee: WALLIX
    Inventors: Eric Pinson, Serge Adda
  • Patent number: 11475132
    Abstract: A method, computing device, and non-transitory machine-readable medium for detecting malware attacks and mitigating data loss. In various embodiments, an agent is implemented in the operating system of a storage node to provide protection at the bottommost level in a data write path. The agent intercepts write requests and observes file events over time to detect anomalous behavior. For example, the agent may monitor incoming write requests and, when an incoming write request is detected, determine whether the file is associated with a malware attack risk based on an analysis of an encryption state of data in the file. If the file is associated with a malware attack risk, an entry for the file is added to a file log. The agent may analyze the chi-square values for data written to the files, the file log, and the file format to determine whether a malware attack is underway.
    Type: Grant
    Filed: July 29, 2020
    Date of Patent: October 18, 2022
    Assignee: NETAPP, INC.
    Inventors: Jagadish Vasudeva, Prateeksha Varshney, Priya Sehgal, Mrinal K. Bhattacharjee, Amit Valjibhai Panara, Siddhartha Nandi
  • Patent number: 11463259
    Abstract: Disclosed is a system for managing trust. The system comprises at least one wearable device, at least one terminal device and a server arrangement. The server arrangement is configured to determine occurrence of a first type of event between a wearable device and another wearable device or a second type of event between the wearable device and a terminal device; receive a device ID and a class of each of the at least one wearable device and the at least one terminal device; receive a rating and process the rating to generate updated activity information for each of the wearable device, and the other wearable device or the terminal device; update a profile corresponding to each of the at least one wearable device or the at least one terminal device with the updated activity information and allocate an incentive for the profile based on the updated activity information.
    Type: Grant
    Filed: June 2, 2020
    Date of Patent: October 4, 2022
    Inventor: Harpreet Sachdeva
  • Patent number: 11451554
    Abstract: Methods, apparatuses, and systems are described for provisioning access rights in a computing system. A data structure may be created that corresponds to the access rights of a computing system. The data structure may be traversed to identify candidate bundles of access rights that correspond to patterns of access rights in the computing system. The candidate bundles of access rights may be evaluated to select one or more bundles to define as one or more roles in the computing system. The defined roles may then be provisioned to the users of the computing system as a replacement for the individual access rights. Various constraints may be applied to reduce the number of candidate bundles of access rights to evaluate.
    Type: Grant
    Filed: May 7, 2019
    Date of Patent: September 20, 2022
    Assignee: Bank of America Corporation
    Inventors: Rajesh Gopinathapai, Jennifer Lynn Greenwald, David Patrick Harte
  • Patent number: 11444980
    Abstract: The disclosed embodiments include a method performed by a wireless network to mitigate a security risk arising from an application-layer transaction and contextual scenario of a wireless device (WD). A security resource can be maintained inactive by default and configured for on-demand activation in response to a security risk associated with the WD. The method can include monitoring the WD for application-layer transactions and contextual scenarios, and detecting a security risk relative to a particular type of an application-layer transaction and a contextual scenario of the WD. In response to detecting the security risk, the security resource is activated to support the application-layer transaction while safeguarding the entire wireless network. In response to detecting a change to the application-layer transaction or the particular contextual scenario, the security resource for the WD can be deactivated.
    Type: Grant
    Filed: April 15, 2020
    Date of Patent: September 13, 2022
    Assignee: T-Mobile USA, Inc.
    Inventors: Venson Shaw, Sunil Lingayat, Gaviphat Lekutai
  • Patent number: 11443046
    Abstract: A computer-based method of analyzing a business-critical application computer system includes extracting a plurality of software objects from the business-critical application computer system, storing the extracted software objects in a computer-based search platform, finding relationships between the extracted software objects that are stored in the computer-based search platform, and creating a database that represents the extracted software objects and the relationships between the extracted software objects. Each software object (a unique piece of code, a file, a data string, or other aspect of the business-critical application computer system) may represent an element of the business-critical application computer system whose graphical representation as a node connected to another node based on relationships, functional or otherwise, between the corresponding elements is desirable in view of a particular goal of the analysis.
    Type: Grant
    Filed: August 14, 2017
    Date of Patent: September 13, 2022
    Assignee: Onapsis, Inc.
    Inventors: Sergio Javier Abraham, Pablo Agustin Artuso, Alejandro Gabriel Burzyn
  • Patent number: 11436346
    Abstract: A method and device for protecting encrypted data are disclosed. In an embodiment an integrated circuit includes a secure module including a first register containing a first mask and a second register containing masked data, the first mask and the masked data forming a secret key and a processor configured to generate a second mask and mask the secret key with the second mask when the secret key is not used for an encryption operation and during reception of a validation signal, wherein the first and second registers are disposed in the secure module so that the outputs of the registers are not simultaneously optically viewable.
    Type: Grant
    Filed: May 4, 2020
    Date of Patent: September 6, 2022
    Assignees: STMICROELECTRONICS (GRENOBLE 2) SAS, STMICROELECTRONICS (ROUSSET) SAS
    Inventors: Fabien Journet, Yanis Linge
  • Patent number: 11436305
    Abstract: In one embodiment, a computer-implemented method of a data processing (DP) accelerator obtaining a watermark of an artificial intelligence (AI) model includes receiving, from a host device, the AI model to execute on the DP accelerator, and receiving input data that triggers output from the AI model on the DP accelerator. The DP accelerator calculates AI model output in response to the received input and provides the output to the host device. The output can be a watermark extracted from the AI model. The DP accelerator can call a security unit of the DP accelerator to digitally sign the output. In an embodiment, the security unit digitally signs the output from the AI model using a key that is retrieved from, or is derived from, a key stored in a secure storage on the security unit.
    Type: Grant
    Filed: October 10, 2019
    Date of Patent: September 6, 2022
    Assignees: BAIDU USA LLC, KUNLUNXIN TECHNOLOGY (BEIJING) COMPANY LIMITED
    Inventors: Yong Liu, Yueqiang Cheng
  • Patent number: 11429722
    Abstract: An example system with a pre-OS (Operating System) environment, the pre-OS environment includes a private memory that is isolated from a processor of the system. The pre-OS environment also includes an embedded controller (EC) coupled to the private memory, where the EC includes an embedded key. The EC is to execute instructions to generate an encryption key based on the embedded key; generate a signature key; obtain data; produce an integrity-verification tag based on a hash of the obtained data, where the hash employs the signature key; encrypt the obtained data based on the encryption key; store the encrypted data in the private memory; and store the integrity-verification tag in the private memory in association with the stored encrypted data.
    Type: Grant
    Filed: January 29, 2018
    Date of Patent: August 30, 2022
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Jeffrey Kevin Jeansonne, Rosilet Retnamoni Braduke, Joshua Serratelli Schiffman, David Plaquin
  • Patent number: 11423187
    Abstract: A security device to support secure communication via a field bus, has a connecting apparatus for the direct coupling of the security device to a network interface of a field bus subscriber, which is formed for connecting to a field bus and which is not formed for secure communication via the field bus. In the coupled state, there is a link between the security device and the field bus subscriber such that, if the link is disconnected or damaged, proper operation of the security device is reversibly or irreversibly blocked. Further, a transmitting and receiving apparatus is provided which is formed to securely transfer data coming from a directly coupled field bus participant, which is not formed for secure communication, via the field bus according to a predetermined security protocol, and which is further formed to receive data transferred via the field bus and intended for the field bus participant according to the predetermined security protocol and to deliver them to the field bus participant.
    Type: Grant
    Filed: December 21, 2017
    Date of Patent: August 23, 2022
    Assignees: Phoenix Contact GmbH & Co. KG, ABB SCHWEIZ AG
    Inventors: Guido Venema, Patrick Lessing, Michael Hotz, Stefan Bollmeyer, Ragnar Schierholz, Bernd Wansner, Marten Hinrichs
  • Patent number: 11416418
    Abstract: Disclosed herein are methods, systems, and apparatus, including computer programs encoded on computer storage media, for managing user authorizations for blockchain-based services. One of the methods includes: at a service platform, receiving, from a computing device associated with a user, an encryption key and data for storage on a blockchain, wherein the data includes public data and private data, and the encryption key encrypts the private data; storing the encryption key and an identifier (ID) of the data in a cache storage dedicated to storing smart contract data for executing a smart contract; and invoking an application programming interface (API) to enable a blockchain node to initiate a consensus algorithm to record the data and the ID of the data on a blockchain.
    Type: Grant
    Filed: March 31, 2021
    Date of Patent: August 16, 2022
    Assignee: ALIPAY LABS (SINGAPORE) PTE. Ltd.
    Inventors: Qian Sun, Hui Fang, Wenbin Zhang, Danqing Hu, Shengjiao Cao, Ke Liu, Yuan Yuan, Weitao Yang
  • Patent number: 11418340
    Abstract: A method comprises: receiving, at a first device, a request to decrypt data encrypted with a symmetric key, the encrypted data stored on a memory device; retrieving shards of the symmetric key, the shards encrypted with public keys from a plurality of devices, wherein decryption of the data requires reconstituting the symmetric key from a threshold number of the shards; determining a priority to request decryption of the shards with private keys from the plurality of devices; requesting decryption by the plurality of devices of the shards in the determined priority until the threshold number of shards is reached; reconstituting the symmetric key from the decrypted shards; and decrypting the encrypted data with the symmetric key.
    Type: Grant
    Filed: October 1, 2020
    Date of Patent: August 16, 2022
    Assignee: Atakama LLC
    Inventors: Christopher Higley, Alexander Pinkerton, Daniel Gallancy
  • Patent number: 11392898
    Abstract: Systems and methods for secure collaboration of intellectual property are provided. By way of introductory example, a cloud environment may store a session descriptor indicative of an executable, an input parameter for the executable, and a target recipient. The cloud environment may receive a first and second authorization of the session descriptor from the respective proprietors of the input parameter and the executable. The cloud environment may verify, based on the first authorization and the second authorization, the session descriptor is authorized. The cloud environment may generate, in response to the session descriptor being authorized, a collaboration result based on the executable and the input parameter. The cloud environment may control access to the collaboration result based on the target recipient.
    Type: Grant
    Filed: February 6, 2019
    Date of Patent: July 19, 2022
    Assignee: ROLLS-ROYCE CORPORATION
    Inventors: Michael Glavicic, Maxwell Layman, John Frederick Matlik, Todd Wetherbee
  • Patent number: 11379566
    Abstract: A source device being associated with an account uses playback of a media content item to cause a target device to become associated with the account. The target device enters an association mode and records a portion of the playing content. The target device provides the recording to a server that identifies the song (e.g., using a music fingerprint service) and uses the identification of the song to find the account that caused playback of the identified song. With the account identified, the server provides credentials of the account to the target system. The target device accesses content or services using the account. As confirmation of receiving the credentials, the server causes playback of the content to transition from the source device to the target device.
    Type: Grant
    Filed: April 16, 2019
    Date of Patent: July 5, 2022
    Assignee: Spotify AB
    Inventors: Richard Mitic, Göran Edling
  • Patent number: 11368319
    Abstract: The present disclosure relates to an integrated circuit and a method of using the integrated circuit used to perform authentication using a challenge-response method. The challenge-response method includes an internal challenge generator, a physically unclonable function (PUF) block, and a response generator. The internal challenge generator is configured to receive a challenge, generate a plurality of internal challenges corresponding to the challenge, and generate at least one valid internal challenge among the plurality of internal challenges using screen information. The physically unclonable function (PUF) block is configured to generate a plurality of valid internal responses respectively changing according to the plurality of valid internal challenges. The response generator is configured to output a response generated using the plurality of valid internal responses.
    Type: Grant
    Filed: September 9, 2020
    Date of Patent: June 21, 2022
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Yongsoo Kim, Juyeon Lee, Mijung Noh, Yongki Lee, Yunhyeok Choi