Abstract: System and method for creation and use of an agreement object having content packages and a transportable agreement, including both the content of the agreement and data used to validate the signatories and an audit trail for the agreement.

Abstract: Multiple peer domain name system (DNS) servers are included in a multi-master DNS environment. One of the multiple peer DNS servers is a key master peer DNS server that generates one or more keys for a DNS zone serviced by the multiple peer DNS servers. The key master peer DNS server can also generate a signing key descriptor that identifies the set of one or more keys for the DNS zone, and communicate the signing key descriptor to the other ones of the multiple peer DNS servers.

Abstract: Various embodiments enable detection of third party content sources that may pose a privacy risk to a user. In at least some embodiments, webpages navigated to via a browser can be processed to identify third party content sources that provide content for the webpages. Data may be stored to relate the third party content sources to webpages in which the third party content is encountered. The data may then be analyzed to determine when a particular third party is in a position to observe browsing habits of a user. Responsive to determining a privacy risk, notification may be output in a variety of ways to inform a user of potentially risky content. In at least some other embodiments, notification can be made by way of a user interface instrumentality that is automatically presented to a user to inform the user of a potentially risky third party content source.

Abstract: A network based installation management system that dynamically manages secure software installation on a client. The server is configured to determine the software required and prepare an appropriated response containing the list of software and an information file containing the respective attributes of the list of software. The server encoded this response and the encoded response is transmitted to the client. The client on receiving the response is configured to authenticate the response and install the encoded response after authentication. Highly accurate and reliable software installation using the network based installation management system may be achieved using a respective hardware element on the client and the server, which is configured to encode and decode a request and/or response suitably thereby providing a high level of security and trust in an un-trusted network environment.

Abstract: A method for authenticating the identity of a client device that is attempting to establish a communications link with a remotely located system server over a network. The method involves initially generating a unique registration ID code by inputting information pertaining to hardware characteristics of the client device itself, and a network address of the client device, into a cryptographic hash function. The hash function generates the unique registration ID hash code and presents it to the system server. The system server uses this registration ID hash code to authenticate the identity of the client device making the call. The system server then generates a pseudo random number (PRN), and transmits it to the client device. The PRN is used the next time the client device makes a call to the system server to generate a unique, client-side hash code, which is used by the system server to authenticate the identity of the client device.

Abstract: Method, device, and computer program product are provided for differentiated treatment of incoming and outgoing emails based on a network server. A server receives a query from a gateway, and the query includes information about an email received by the gateway. The server obtains rules for processing the email of the query. The server determines an identity for the email based on the rules for processing the email. The server transmits the identity to the gateway to cause the gateway to send the email having the identity to a post office server. The email having the identity is configured to cause the post office server to process the email based on the identity.

Abstract: Community based defense, in which multiple security devices operate as a part of a single community in providing security defense i.e. avoiding redundant security checks and enables efficient deployment and utilization of resources. The devices in a community communicate with each other to determine their roles and the security policies to enforce, based on the specific role they have undertaken. Thus primary player may operate with a larger set of security policies. However, the secondary players (operating on smaller policy sets) may periodically check the operational status of the primary player and assumes the role of primary, if needed. Later, it may gracefully relinquish the temporary role back to former primary, once the primary is up and operational.

Abstract: The invention relates to a method of allowing access to an authorized domain (100), the authorized domain (100) being managed by a domain manager (210), comprising a step in which a user authentication device (220), which user authentication device is linked to a foreign device (201), asserts to the domain manager that a local link (205) between the user authentication device and the foreign device is limited in distance, and a step in which the domain manager allows the foreign device to operate as a member of the authorized domain if the assertion is accepted as accurate.

Abstract: A method of authenticating a client to two or more servers coupled together via a communications network, wherein the client and a first server possess a shared secret. The method comprises authenticating the client to a first server using said shared secret, signalling associated with this authentication process being sent between the client and said first server via a second server, generating a session key at the client and at the first server, and providing the session key to said second server, and using the session key to authenticate the client to the second server.

Abstract: The present invention provides systems and methods for adding voice annotations to CCTV video to aid in incident reporting and investigation. Reviewers and investigators are provided with the ability to record their impressions of an incident by encoding overlapped audio tracks on to a video clip. These overlapped tracks could be multiple in number, enabled or disabled by the listener or subsequent reviewer, without tampering with the content of the originally recorded video or audio. Each audio track represents a voice annotation, and may be assigned to a hierarchical level. The reviewer is provided with the ability to review the video clip along with existing voice annotations while recording the new voice annotation. The resultant overlapped clip file could be made proprietary or stored using a common-codec (like MPEG, MJPEG, AVI, etc) and may be stored on a computer-readable medium.

Abstract: A data encryption device is connected between an HDD and an HDD controller that controls the HDD. The data encryption device encrypts data that is stored from the HDD controller to the HDD, and decrypts data that is read from the HDD. A CPU of the data encryption device receives a command issued from the HDD controller to the HDD, and determines whether the command is executable at the HDD. When it is determined that the command is executable, the command is issued to the HDD. On the other hand, when it is determined that the command is unexecutable, the CPU prohibits issuance of the command to the HDD. Furthermore, when a command issued to the HDD is a specific command, the CPU bypasses data transferred between the HDD controller and the HDD without encryption or decryption.

Abstract: Methods and apparatus, including computer program products, implementing and using techniques for protecting data residing in a repository of an electronic product code information service against undesired data disclosure. One or more disclosure policies are defined for an item tagged with an electronic product code. The item has associated data stored in the repository. The disclosure policies describe one or more of: who is permitted to query the repository for information, what type of information is permitted to be obtained from the repository in response to a query, and under what condition the repository can be queried. The disclosure policies are enforced in response to a received query from a party by only disclosing a subset of the data from the repository, the subset being determined in accordance with the defined one or more disclosure policies. A web-based tool for defining disclosure policies is also described.

Abstract: An apparatus and method for preventing virus code execution through buffer overflow management are provided. When buffer overflow occurs during execution of a kernel module or application program, the apparatus and method may perform virus inspection on a program execution region moved by the buffer overflow.

Abstract: A program verification mechanism includes an external call reference verification mechanism that verifies external call references in a computer program. The external call reference verification mechanism checks the computer program after the computer program has been loaded by a loader/linker. The loader/linker stores a list of trusted entry points that specifies a trusted entry point for each external call reference, along with a list of allowable caller code for each trusted entry point. The external call reference verification mechanism determines the entry point for each instruction that is an external call reference, determines whether the entry point is listed as the trusted entry point for the external call reference, and whether the external call reference instruction is in the list of allowable caller code for the trusted entry point. If so, the computer program is verified. If not, verification of the computer program fails.

Abstract: A method and computer program product for detecting a policy conflict in a managed system includes examining a plurality of policy rules for overlapping policy targets, in response to finding no overlapping policy targets, reporting that the policy rules do not conflict, and in response to finding overlapping policy targets, examining the plurality of policy rules for at least two rules having a same condition and a same event, and, in response to not finding at least two rules having a same condition and a same event, reporting that the policy rules do not conflict.

Abstract: An image processing device includes: a reading unit to read information stored in a detachable storage medium; a transmission unit to transmit image data outwardly; a determination unit to determine, in a case where the transmission unit transmits the image data, whether or not the information stored in the detachable storage medium is necessary; and a control unit to execute, in a case where the determination unit determines that the information stored in the detachable storage medium is necessary, control to maintain a state capable of reading the information stored in the detachable storage medium until the reading unit reads from the detachable storage medium the information necessary to transmit the image data.

Abstract: A system (and a method) evaluates raw data from an application prior to modification of the raw data. The system inserts injection code into an application. The injection code is configured to hook an application. The application is configured to allow modification of the raw data. Modification includes encryption and/or compression. The system analyzes the raw data in a context of a predefined policy in response to the executing application reaching the injected code during execution. The system instructs the application to cease operating on the raw data in response to the predefined policy prohibiting further processing of the raw data or instructs the application to bypass the injection code in response to the predefined policy no prohibiting processing of the raw data.

Abstract: A method of embedding information in a computer program code, including a plurality of program statements. The method comprises: inserting a conditional program statement in the computer program code, the conditional program statement including a condition and a plurality of alternative program statements, the conditional program statement being adapted to cause a data processing system to evaluate said condition and, responsive to a result of said evaluating step, to selectively execute one of said plurality of alternative program statements; wherein said condition is indicative of at least a part of said information; and wherein the plurality of alternative program statements are adapted to cause the computer program code to produce the same program output irrespective of which of said alternative program statements is executed.

Abstract: An embodiment of the present invention provides a method that minimizes the number of entries required in a garbled circuit associated with secure function evaluation of a given circuit. Exclusive OR (XOR) gates are evaluated in accordance with an embodiment of the present invention without the need of associated entries in the garbled table to yield minimal computational and communication effort. This improves the performance of SFE evaluation. Another embodiment of the present invention provides a method that replaces regular gates with more efficient constructions containing XOR gates in an implementation of a Universal Circuit, and circuits for integer addition and multiplication, thereby maximizing the performance improvement provided by the above.

Abstract: Techniques are provided for securing instant communications, such as text, audio, and video. A tunnel management module is included in an instant communication suite that comprises one or more instant communication applications. Any communication between a user of the instant communicate suite and a contact passes through the tunnel management module, which may use TLS (or IPSec) technologies to ensure security of the instant communications. Each contact of a user may be associated with a different set of security mappings, which may be specified by the user. A tunnel configuration file is generated from a security mapping and is used to create a tunnel through which secure instant communications may pass.