Patents Examined by Matthew Heneghan
  • Patent number: 7475422
    Abstract: One embodiment provides a process which will limit multiple active sessions of the same e-mail account to be active in multiple computers. Moreover, this embodiment allows the user of the email system to query the active session on the network with the ability to disable the active session in order to have the ability to open a new session from the user's present location. The process is done by querying a session database to find the state of the e-mail account if the first login attempt fails because of another open session. These safeguards are introduced to prevent multiple login sessions to an Internet Browser based email service for given login credentials.
    Type: Grant
    Filed: February 15, 2008
    Date of Patent: January 6, 2009
    Assignee: International Business Machines Corporation
    Inventors: Damon R Bull, Mark Trbojevic, Venkataravikumar Dadi, Joerg Droste
  • Patent number: 7475240
    Abstract: In an authentication system, a first computer system provides a desired service and a second computer system provides a dialog-based interactive protocol service (e.g., an instant messaging service). Users of a second computer system can be authenticated by the first system using a mechanism separate from the dialog based interactive protocol system, so the users can then access the first system using the dialog based interactive protocol systems (even though the systems are not owned or necessarily trusted by the first system). The authentication system enables communication between the first and second computer systems by establishing the dialog session between the computer systems and transmitting to the second computer system a link to a site used to authenticate this computer system. The authentication system associates authentication information (e.g., a unique identifier and/or an authorization token, etc.
    Type: Grant
    Filed: November 6, 2002
    Date of Patent: January 6, 2009
    Assignee: Symantec Corporation
    Inventors: Milan Shah, Khaled W. Hassounah
  • Patent number: 7460668
    Abstract: A media player manages and controls rights to playback of media content by the media player, which stores, during a registration process in which the media player need not be connected to an external computing system, information used by the media player to control playback. A minimal amount of the media player's memory is used to store the information used to control playback.
    Type: Grant
    Filed: July 21, 2004
    Date of Patent: December 2, 2008
    Assignee: DivX, Inc.
    Inventor: Eric William Grab
  • Patent number: 7461254
    Abstract: The present invention provides a system and method for providing certified voice and/or multimedia mail messages in a broadband signed communication system which uses packetized digital information. Cryptography is used to authenticate a message that has been compiled from streaming voice or multimedia packets. A certificate of the originator's identity and electronic signature authenticates the message. A broadband communication system user may be provisioned for certified voice and/or multimedia mail by registering with a certified mail service provider and thereby receiving certification. The called system user's CPE electronically signs the bits in received communication packets and returns the message with an electronic signature of the called system user to the calling party, along with the system user's certificate obtained from the service provider/certifying authority during registration. The electronic signature is a cryptographic key of the called party.
    Type: Grant
    Filed: September 28, 2005
    Date of Patent: December 2, 2008
    Assignee: AT&T Corp.
    Inventor: Aviel D. Rubin
  • Patent number: 7451480
    Abstract: In a wireless network communication device, multiple items of network identification information, which are for identifying wireless network systems, are read out of a memory and displayed on a display unit. Network identification information of a wireless network system, which is capable of being constructed anew, is selected from the multiple items of network identification information displayed and a wireless network system corresponding to the network identification information selected is constructed.
    Type: Grant
    Filed: December 2, 2003
    Date of Patent: November 11, 2008
    Assignee: Canon Kabushiki Kaisha
    Inventor: Tetsuya Yamamoto
  • Patent number: 7444669
    Abstract: Systems and methods for providing network access, e.g. Internet access, are described. An architecture includes a host organization network through which network access is provided. The host organization network can be advantageously deployed in public areas such as airports and shopping malls. An authentication/negotiation component is provided for authenticating various users and negotiating for services with service providers on behalf of the system users. The authentication/negotiation component can include one or more specialized servers and a policy manager that contains policies that govern user access to the Internet. An authentication database is provided and authenticates various users of the system. An access module is provided through which individual client computing devices can access the Internet. In one embodiment, the access module comprises individual wireless access points that permit the client computing devices to wirelessly communicate data packets that are intended for the Internet.
    Type: Grant
    Filed: May 5, 2000
    Date of Patent: October 28, 2008
    Assignee: Microsoft Corporation
    Inventors: Paramvir Bahl, Srinivasan Venkatachary, Anand Balachandran
  • Patent number: 7444510
    Abstract: Systems and methods for providing network access, e.g. Internet access, are described. An architecture includes a host organization network through which network access is provided. The host organization network can be advantageously deployed in public areas such as airports and shopping malls. An authentication/negotiation component is provided for authenticating various users and negotiating for services with service providers on behalf of the system users. The authentication/negotiation component can include one or more specialized servers and a policy manager that contains policies that govern user access to the Internet. An authentication database is provided and authenticates various users of the system. An access module is provided through which individual client computing devices can access the Internet. In one embodiment, the access module comprises individual wireless access points that permit the client computing devices to wirelessly communicate data packets that are intended for the Internet.
    Type: Grant
    Filed: May 21, 2004
    Date of Patent: October 28, 2008
    Assignee: Microsoft Corporation
    Inventors: Srinivasan Venkatachary, Paramvir Bahl, Anand Balachandran
  • Patent number: 7441272
    Abstract: A technique for self-isolation of a network device that has been identified as potentially harmful. The network device may be isolated from the network except for an out-of-band communication channel that can be used for management purposes to restore or repair the device prior to the network connection being re-established.
    Type: Grant
    Filed: June 9, 2004
    Date of Patent: October 21, 2008
    Assignee: Intel Corporation
    Inventors: David M. Durham, Ravi Sahita, Priya Rajagopal, James Kardach, Scott Hahn, Raj Yavatkar
  • Patent number: 7437758
    Abstract: Propagation of viruses in a network having a plurality of hosts is restricted. Network activity of a first host of the plurality is monitored, and a first record established which is at least indicative of identities of hosts within the network contacted by a first host. Contact of the first host to other hosts within the network is limited over the course of a first time interval, so that during the first time interval the first host is unable to contact more than a predetermined number of hosts not in the first record. The method further includes an additional selection process for determining hosts of the plurality the first host is allowed to contact.
    Type: Grant
    Filed: October 31, 2003
    Date of Patent: October 14, 2008
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Matthew Murray Williamson, Andrew Patrick Norman, Jonathan Griffin
  • Patent number: 7428642
    Abstract: An apparatus, system, and method for avoiding unexpected exposure of important data in a storage system include a table that contains permission and conversion information regarding data transfer. When a storage system transfers a certain set of data from one logical device or volume to another area, e.g., a host, a tape storage or another logical device or volume inside or outside of the storage system, the storage system refers to the table to determine if transfer is permitted and whether conversion of the data is required before transfer. A storage controller converts the data if necessary, and transfers the data to the target destination if permitted. Keys are maintained within the storage system so that the management of securing data is centralized.
    Type: Grant
    Filed: October 15, 2004
    Date of Patent: September 23, 2008
    Assignee: Hitachi, Ltd.
    Inventor: Nobuyuki Osaki
  • Patent number: 7426273
    Abstract: An AV stream processing system includes an AV stream input unit which receives an AV stream having an AV content information field including first copy control information, and an AV content field including second copy control information, a determination unit which extracts the first and second copy control information from the received AV stream and determines whether the first copy control information has been modified, and an AV stream decryption unit which processes the received AV stream according to predetermined criteria, when the first copy control information has been modified.
    Type: Grant
    Filed: March 26, 2004
    Date of Patent: September 16, 2008
    Assignee: Samsung Electronics Co. Ltd.
    Inventors: Su-hyun Nam, Yun-sang Kim, Yang-lim Choi
  • Patent number: 7424612
    Abstract: In accordance with certain aspects, data is received from a calling program. Ciphertext that includes the data is generated, using a symmetric cipher, in a manner that allows only one or more target programs to be able to obtain the data from the ciphertext. In accordance with other aspects, a bit string is received from a calling program. An identifier of the calling program is checked to determine whether the calling program is allowed to access data encrypted in ciphertext of the bit string. The integrity of the data is also verified, and the data is decrypted using a symmetric key. The data is returned to the calling program only if the calling program is allowed to access the data and if the integrity of the data is successfully verified.
    Type: Grant
    Filed: November 8, 2006
    Date of Patent: September 9, 2008
    Assignee: Microsoft Corporation
    Inventors: Paul England, Marcus Peinado
  • Patent number: 7421588
    Abstract: An apparatus, method, and system to seal a data repository to a trusted computing platform is described. The data repository may be sealed by encrypting the data on the repository and sealing a cryptographic key to a specific set of platform resources. With the data repository sealed to the platform, the system boot sequence will fail if the system configuration is compromised, for example by insertion of “snoopware” or a modified BIOS. Additionally, if the computer containing the data repository is lost or stolen, the encrypted data remains secure even if the repository is attached to a system modified to bypass normal safeguards.
    Type: Grant
    Filed: December 30, 2003
    Date of Patent: September 2, 2008
    Assignee: Lenovo Pte Ltd
    Inventors: David Carroll Challener, Joseph Wayne Freeman, Steven Dale Goodman, Randall Scott Springfield
  • Patent number: 7415728
    Abstract: In order to provide an information security policy evaluation system in which information security policies can be efficiently and appropriately defined and operated in an organization, such as a corporation, treated threats operated on a second site are transmitted from a second information processing apparatus on the second site to a first information processing apparatus on a first site, threat information is transmitted from a third site collecting information on threats to the first information processing apparatus on the first site. The first information processing apparatus extracts treated threats which have been effective for threats having occurred actually, and untreated threats, out of the received treated threat and generates an evaluation report in which these are described. Moreover, a compensation amount of insurance against threats is changed based on the generated evaluation report.
    Type: Grant
    Filed: April 2, 2004
    Date of Patent: August 19, 2008
    Assignee: Hitachi, Ltd.
    Inventors: Masayuki Morohashi, Yasuhiko Nagai, Ritsuko Aiba
  • Patent number: 7409546
    Abstract: A cryptographically signed filesystem provides a central database resident on a server that contains database objects. The server creates startup software to be installed in a client system's read only memory. The startup software contains a hash value for a second stage loader. The server also creates software for a bootstrap loader object which typically contains the operating system for a client system and also the bootstrap loader's hash value and a digital signature that is unique to the server. A root filesystem object is also created containing operational code and data for the client system's functionality. A hash table file is stored in the bootstrap loader that contains the names of each file in the root filesystem along with their corresponding hash values. The startup software and objects created by the server are initially installed on a client device at the time of manufacture.
    Type: Grant
    Filed: July 2, 2002
    Date of Patent: August 5, 2008
    Assignee: TiVo Inc.
    Inventor: David C. Platt
  • Patent number: 7409063
    Abstract: A digital contents distribution system has a multi-layered structure including a server device (CS device) of one or a small number of managers which are each to be a manager main body, a plurality of server devices (DS devices) of middle managers, and client terminal devices (SC terminal devices) of a large number of users. Accesses from the respective users are processed in the server devices of respective ones of the middle managers. It is therefore possible to prevent an inconvenience in which the accesses from a large number of users concentrate on the CS device of the manager. As a result, it is possible to reduce the load imposed on the CS device, and to perform a smooth distribution service of digital contents.
    Type: Grant
    Filed: March 27, 2002
    Date of Patent: August 5, 2008
    Assignee: Sony Computer Entertainment Inc.
    Inventors: Muneki Shimada, Keiso Shimakawa, Toyoshi Okada, Minoru Hashimoto
  • Patent number: 7409713
    Abstract: A method of protecting application program software includes steps of (a) actuating a tracer function to copy 2_(1 to n) instructions from the API code; (b) storing and executing the instructions; and (c) returning to the next instruction (2_(1 to n)+1) of the API code, where 2_(1 to n) represents the number of instructions and n is the maximum number of instructions describing the API code.
    Type: Grant
    Filed: December 2, 2003
    Date of Patent: August 5, 2008
    Assignee: Xtreamlok Pty. Ltd
    Inventor: Jerome Witmann
  • Patent number: 7409722
    Abstract: A method and mechanism for enabling access to a protected register in a client. A system including multiple clients, such as components and devices, is coupled to a service processor which is configured to manage the system. Clients which are managed by the service processor include control and status registers which are protected from access by unauthorized entities. Access rights for particular registers may be restricted to only the service processor. Clients include a timer which the service processor periodically updates. In the event communication is lost between the service processor and a client, the timer is not updated. In response to detecting the timer was not updated, the client is configured to alter the access rights of the register in order to permit an alternate entity to access the protected register. The service processor may then utilize the alternate entity as a proxy in order to transfer the client state to another client and configure the affected client out of the system.
    Type: Grant
    Filed: May 1, 2003
    Date of Patent: August 5, 2008
    Assignee: Sun Microsystems, Inc.
    Inventor: Brian L. Smith
  • Patent number: 7406707
    Abstract: Systems and methods for providing network access, e.g. Internet access, are described. An architecture includes a host organization network through which network access is provided. The host organization network can be advantageously deployed in public areas such as airports and shopping malls. An authentication/negotiation component is provided for authenticating various users and negotiating for services with service providers on behalf of the system users. The authentication/negotiation component can include one or more specialized servers and a policy manager that contains policies that govern user access to the Internet. An authentication database is provided and authenticates various users of the system. An access module is provided through which individual client computing devices can access the Internet. In one embodiment, the access module comprises individual wireless access points that permit the client computing devices to wirelessly communicate data packets that are intended for the Internet.
    Type: Grant
    Filed: May 21, 2004
    Date of Patent: July 29, 2008
    Assignee: Microsoft Corporation
    Inventors: Srinivasan Venkatachary, Paramvir Bahl, Anand Balachandran
  • Patent number: 7401353
    Abstract: In a device having data communication capability, a security method dynamically detecting a control connection, which originates from the device, and detecting a negotiation of a related connection within the control connection. The negotiation comprises at least defining a port of the device for said related connection. The method further checks if relationship between said port of the device and the control connection fulfills predefined criteria, and conditionally blocks said related connection, if said port of the device does not fulfill said predefined criteria. The method can be used for suppressing a vulnerability related to applets.
    Type: Grant
    Filed: October 21, 2003
    Date of Patent: July 15, 2008
    Assignee: Stonesoft Corporation
    Inventor: Joona Airamo