Abstract: The systems and methods herein provide for human- and machine-readable cryptographic keys from dice. In one embodiment, the system places a number of dice into an arrangement to fill a dice grid. The number of dice each contains a number of faces, and each of the faces of the dice includes an image. The system then captures, via a client device, an image of the arrangement. The system generates a cryptographic key from the captured image. This cryptographic key is a human-readable and machine-readable representation of the arrangement in a canonical sequence.

Abstract: The systems and methods herein provide for human- and machine-readable cryptographic keys from dice. In one embodiment, the system places a number of dice into an arrangement to fill a dice grid. The number of dice each contains a number of faces, and each of the faces of the dice includes an image. The system then captures, via a client device, an image of the arrangement. The system generates a cryptographic key from the captured image. This cryptographic key is a human-readable and machine-readable representation of the arrangement in a canonical sequence.

Abstract: Techniques which may allow multi-author document collaboration are described. A large number of users, for example, millions of people, may submit proposals for changes to a document. Users may be enabled to vote on one or more proposals, or to vote to keep the document as it is. An algorithm may provide an automatic method to merge two potentially conflicting proposals.

Abstract: Techniques for providing intuitive feedback to a user regarding which applications have access to a data stream captured by a privacy-sensitive device, such as a camera, a microphone, a location sensor, an accelerometer or the like. These techniques apprise the user of when an application is receiving potentially privacy-sensitive data and the identity of the application receiving the data. In some instances, this feedback comprises a graphical icon that visually represents the data stream being received and that dynamically alters with the received data stream. For instance, if an application receives a data stream from a camera of a computing device of the user, the described techniques may display an image of the video feed captured by the camera and being received by the application. This graphical icon intuitively alerts the user of the data stream that the application receives.

Abstract: A backup account recovery authentication of last resort using social authentication is described. The account holder requests trustees who have been previously identified to obtain an account recovery code. The account recovery system sends a communication to the trustee for information to verify the trustee as one of the previously identified trustees. The account recovery system then may transmit a link and code with instructions for the trustee to return the link. The account recovery system then transmits a situational query to the trustee to provide additional security. Finally, if all the communications have been completed for the required level of security, the account recovery code is transmitted to the trustee. The trustee sends the account recovery code to the account holder for access to an account.

Abstract: A Metadata server described herein is configured to generate a metadata table optimized for data durability and recovery. In generating the metadata table, the metadata server associates each possible combination of servers with one of the indices of the table, thereby ensuring that each server participates in recovery in the event of a server failure. In addition, the metadata server may also associate one or more additional servers with each index to provide added data durability. Upon generating the metadata table, the metadata server provides the metadata table to clients or servers. Alternatively, the metadata server may provide rules and parameters to clients to enable those clients to identify servers storing data items. The clients may use these parameters and an index as inputs to the rules to determine the identities of servers storing or designated to store data items corresponding to the index.

Abstract: Techniques to provide evidence-based dynamic scoring to limit guesses in knowledge based authentication are disclosed herein. In some aspects, an authenticator may receive an input from a user in response to a presentation of a personal question that enables user access to a restricted resource. The authenticator may determine that the input is not equivalent to a stored value, and thus is an incorrect input. The authenticator may then determine whether the input is similar to a previous input received from the user. A score may be assigned to the input. When the input is determined to be similar to the previous input, the score may be reduced. Another request for an input may be transmitted by the authenticator when a sum of the score and any previous scores of the session is less than a threshold.

Abstract: Techniques for providing intuitive feedback to a user regarding which applications have access to a data stream captured by a privacy-sensitive device, such as a camera, a microphone, a location sensor, an accelerometer or the like. These techniques apprise the user of when an application is receiving potentially privacy-sensitive data and the identity of the application receiving the data. In some instances, this feedback comprises a graphical icon that visually represents the data stream being received and that dynamically alters with the received data stream. For instance, if an application receives a data stream from a camera of a computing device of the user, the described techniques may display an image of the video feed captured by the camera and being received by the application. This graphical icon intuitively alerts the user of the data stream that the application receives.

Abstract: Systems and methods that regulate range of access to personal information of a mobile unit's owner. The access control component can designate granularity for access levels and/or a spectrum of access modes—(as opposed to a binary choice of full access or no access at all). Such access can be based on a spectrum and/or discrete trust relationship between the owner and user of the mobile unit. A profile definition component can exploit an owner's trust relationships to designate levels of security. The profile definition component can further define a profile based on a set of applications, such as entertainment mode, browser mode, and the like.

Abstract: Techniques for providing intuitive feedback to a user regarding which applications have access to a data stream captured by a privacy-sensitive device, such as a camera, a microphone, a location sensor, an accelerometer or the like. These techniques apprise the user of when an application is receiving potentially privacy-sensitive data and the identity of the application receiving the data. In some instances, this feedback comprises a graphical icon that visually represents the data stream being received and that dynamically alters with the received data stream. For instance, if an application receives a data stream from a camera of a computing device of the user, the described techniques may display an image of the video feed captured by the camera and being received by the application. This graphical icon intuitively alerts the user of the data stream that the application receives.

Abstract: A backup account recovery authentication of last resort using social authentication is described. The account holder requests trustees who have been previously identified to obtain an account recovery code. The account recovery system sends a communication to the trustee for information to verify the trustee as one of the previously identified trustees. The account recovery system then may transmit a link and code with instructions for the trustee to return the link. The account recovery system then transmits a situational query to the trustee to provide additional security. Finally, if all the communications have been completed for the required level of security, the account recovery code is transmitted to the trustee. The trustee sends the account recovery code to the account holder for access to an account.

Abstract: A backup account recovery authentication of last resort using social authentication is described. The account holder requests trustees who have been previously identified to obtain an account recovery code. The account recovery system sends a communication to the trustee for information to verify the trustee as one of the previously identified trustees. The account recovery system then may transmit a link and code with instructions for the trustee to return the link. The account recovery system then transmits a situational query to the trustee to provide additional security. Finally, if all the communications have been completed for the required level of security, the account recovery code is transmitted to the trustee. The trustee sends the account recovery code to the account holder for access to an account.

Abstract: Architecture that implements error correcting pointers (ECPs) with a memory row, which point to the address of failed memory cells, each of which is paired with a replacement cell to be substituted for the failed cell. If two error correcting pointers in the array point to the same cell, a precedence rule dictates the array entry with the higher index (the entry created later) takes precedence. To count the number of error correcting pointers in use, a null pointer address can be employed to indicate that a pointer is inactive, an activation bit can be added, and/or a counter, that represents the number of error correcting pointers that are active. Mechanisms are provided for wear-leveling within the error correction structure, or for pairing this scheme with single-error correcting bits for instances where transient failures may occur. The architecture also employs pointers to correct errors in volatile and non-volatile memories.

Abstract: Techniques are described for device locking with activity preservation at a specified level within a multi-level hierarchy of device states. Such locking enables a user to share a device with another user while specifying a particular level of access to the device, such as access to a particular class of applications, a specific application, or a specific task within an application. Determination of the authorized activity may be based on a currently active application, or on the particular user gesture. The level of functionality made available may be based on the number of times a user gesture is repeated. Gestures may include a selection of a hardware or software control on the device, issuance of a voice command, and the like.

Abstract: Described is a technology directed towards protecting against clickjacking attacks against interactive user interface elements in code that are described by the code author as sensitive to clickjacking attacks. Various defenses are described, including defenses to ensure target display integrity, pointer integrity, and temporal integrity. For example, a browser click on an element/web page may be determined to be invalid if target display integrity is compromised. Also described are defenses that act to increase the user's attention to what is actually being clicked, and defenses that disable or disallow functions and features used by attackers, such as when a sensitive element is being hovered over.

Abstract: Systems and methods that regulate range of access to personal information of a mobile unit's owner. The access control component can designate granularity for access levels and/or a spectrum of access modes—(as opposed to a binary choice of full access or no access at all). Such access can be based on a spectrum and/or discrete trust relationship between the owner and user of the mobile unit. A profile definition component can exploit an owner's trust relationships to designate levels of security. The profile definition component can further define a profile based on a set of applications, such as entertainment mode, browser mode, and the like.

Abstract: Techniques are described for device locking with activity preservation at a specified level within a multi-level hierarchy of device states. Such locking enables a user to share a device with another user while specifying a particular level of access to the device, such as access to a particular class of applications, a specific application, or a specific task within an application. Determination of the authorized activity may be based on a currently active application, or on the particular user gesture. The level of functionality made available may be based on the number of times a user gesture is repeated. Gestures may include a selection of a hardware or software control on the device, issuance of a voice command, and the like.

Abstract: Architecture that implements error correcting pointers (ECPs) with a memory row, which point to the address of failed memory cells, each of which is paired with a replacement cell to be substituted for the failed cell. If two error correcting pointers in the array point to the same cell, a precedence rule dictates the array entry with the higher index (the entry created later) takes precedence. To count the number of error correcting pointers in use, a null pointer address can be employed to indicate that a pointer is inactive, an activation bit can be added, and/or a counter, that represents the number of error correcting pointers that are active. Mechanisms are provided for wear-leveling within the error correction structure, or for pairing this scheme with single-error correcting bits for instances where transient failures may occur. The architecture also employs pointers to correct errors in volatile and non-volatile memories.

Abstract: A Metadata server described herein is configured to generate a metadata table optimized for data durability and recovery. In generating the metadata table, the metadata server associates each possible combination of servers with one of the indices of the table, thereby ensuring that each server participates in recovery in the event of a server failure. In addition, the metadata server may also associate one or more additional servers with each index to provide added data durability. Upon generating the metadata table, the metadata server provides the metadata table to clients or servers. Alternatively, the metadata server may provide rules and parameters to clients to enable those clients to identify servers storing data items. The clients may use these parameters and an index as inputs to the rules to determine the identities of servers storing or designated to store data items corresponding to the index.

Abstract: Techniques for providing intuitive feedback to a user regarding which applications have access to a data stream captured by a privacy-sensitive device, such as a camera, a microphone, a location sensor, an accelerometer or the like. These techniques apprise the user of when an application is receiving potentially privacy-sensitive data and the identity of the application receiving the data. In some instances, this feedback comprises a graphical icon that visually represents the data stream being received and that dynamically alters with the received data stream. For instance, if an application receives a data stream from a camera of a computing device of the user, the described techniques may display an image of the video feed captured by the camera and being received by the application. This graphical icon intuitively alerts the user of the data stream that the application receives.