Abstract: A sampling device includes a priority assignment method that assigns higher priority to units with more remaining workload, a priority-aware scheduling method that enables units with higher priority to do the sampling and model update when a conflict happens, a modified priority-aware scheduling method that reduces scheduling overhead by re-assigning priority every several iterations, and another modified priority-aware scheduling method that explores different priority re-assignment frequencies and stores the sorted sequences in memory.

Abstract: Provided herein are compositions, devices, systems and methods for the generation and use of biomolecule-based information for storage. Additionally, devices described herein for de novo synthesis of nucleic acids encoding information related to the original source information may be rigid or flexible material. Further described herein are highly efficient methods for long term data storage with 100% accuracy in the retention of information. Also provided herein are methods and systems for efficient transfer of preselected polynucleotides from a storage structure for reading stored information.

Abstract: A technology related to a method and apparatus for providing a relation note using correlation is disclosed. The method for providing the relation note, which is performed by a relation note providing server interworking with a user terminal, comprises the steps of: receiving one or more generated notes from the user terminal; updating, according to a configurable reference, correlation between notes indicating a relation between the one or more notes; and providing the one or more notes to the user terminal on the basis of the correlation between the notes. Therefore, the method may provide a user interface which is intelligent and smart to enable a plurality of notes to be more effectively identified and managed on the basis of the correlation.

Abstract: This invention pertains to protecting communications between multiple sensors and emitters or securing data transmission between multiple computers or multiple vehicles. This invention provides a secure method for two or more parties to communicate privately, even when the processor has malicious malware or there is a backdoor in the main processor. In some embodiments, the energy received by the sensor is encrypted before it undergoes an analog to digital conversion. In some embodiments, the encryption occurs inside the sensor. In some embodiments, the encryption hardware is a part of the sensor and creates unpredictable energy changes that interact with the sensor. In some embodiments, there are less than 40 sensors in a communication system and in other embodiments there are more than 1 billion sensors. In some embodiments, the invention provides a method for the sensors of a network of self-driving cars to communicate securely.

Abstract: Out-of-bounds recovery circuits configured to detect an out-of-bounds violation in an electronic device, and cause the electronic device to transition to a predetermined safe state when an out-of-bounds violation is detected. The out-of-bounds recovery circuits include detection logic configured to detect that an out-of-bounds violation has occurred when a processing element of the electronic device has fetched an instruction from an unallowable memory address range for the current operating state of the electronic device; and transition logic configured to cause the electronic device to transition to a predetermined safe state when an out-of-bounds violation has been detected by the detection logic.

Abstract: Provided herein are compositions, devices, systems and methods for the generation and use of biomolecule-based information for storage. Additionally, devices described herein for de novo synthesis of nucleic acids encoding information related to the original source information may be rigid or flexible material. Further described herein are highly efficient methods for long term data storage with 100% accuracy in the retention of information. Also provided herein are methods and systems for efficient transfer of preselected polynucleotides from a storage structure for reading stored information.

Abstract: Systems and processes are described for establishing and using a secure channel. A shared secret may be used for authentication of session initiation messages as well as for generation of a private/public key pair for the session. A number of ways of agreeing on the shared secret are described and include pre-sharing the keys, reliance on a key management system, or via a token mechanism that uses a third entity such as a hub to manage authentication, for example. In some instances, the third party may also perform endpoint selection (e.g., load balancing) by providing a particular endpoint along with the token.

Abstract: A system, device, and method for creating widgets presentable in an image are disclosed. The widget creating system may include a system configuration file, one or more definition files, and a windows generator (WG). The WG may be configured to perform definition and run-time operations. The definition operation may include loading the system configuration file; loading first definition file(s) owned by a first user application and include at least one first-layer widget defined by a set of widget parameters, where each set may include contents corresponding to a second definition file of a second layer; and creating one or more first-layer widgets. The run-time operation may include loading one or more first-layer widget data parameter sets, where the contents corresponding to the second definition file are loaded and at least one second-layer widget is created during run time.

Abstract: Several embodiments of memory devices and systems with command and control access are described herein. In one embodiment, a memory device includes a controller having a processor and a memory component operably coupled to the processor. The controller is configured to receive at least one command and control (C2) packet from a remote computer associated with a device vendor. The C2 packet includes a request for the controller to perform a restricted command, and a vendor signature. The memory component stores instructions executable by the processor to determine if the vendor signature is valid and to direct the controller to perform the restricted command if the vendor signature is determined to be valid.

Abstract: Identifier dependent operation processing of packet based data communication is provided. A natural language processor component can parse an input audio signal to identify a request and a trigger keyword. A content selector component can select, based on the request or trigger keyword, a content item. A link generation component can determine whether the client computing device has an account or a record in a database associated with the service provider device. In the absence of the record or account, the link generation device generates and sends a virtual identifier to the service provider device with instructions to generate an account in the database using the virtual identifier. Once the account is created, the service provider device can communicate with the client computing device.

Abstract: One or more communication interfaces of a first application may be scanned. In response to the scanning, it may be determined that at least a first component of the first application is subject to public access from any application. One or more public access features associated with the first component may be removed, wherein the first component is no longer subject to public access from any application. A first module may be added to the first application to control access to data to or from the first component via one or more security rules.

Abstract: In one embodiment, a system comprises a processor to, in response to a determination that a write command is suspect, identify a logical address associated with the write command; and send a checkpoint command identifying the logical address to a storage device to preserve data stored in the storage device at a physical address associated with the logical address.

Abstract: A system configured to detect a threat activity on a network. The system including a digital device configured to detect a first order indicator of compromise on a network, detect a second order indicator of compromise on the network, generate a risk score based on correlating said first order indicator of compromise on the network with the second order indicator of compromise on said network, and generate at least one incident alert based on comparing the risk score to a threshold.

Abstract: Several embodiments of memory devices and systems with command and control access are described herein. In one embodiment, a memory device includes a controller having a processor and a memory component operably coupled to the processor. The controller is configured to receive at least one command and control (C2) packet from a remote computer associated with a device vendor. The C2 packet includes a request for the controller to perform a restricted command, and a vendor signature. The memory component stores instructions executable by the processor to determine if the vendor signature is valid and to direct the controller to perform the restricted command if the vendor signature is determined to be valid.

Abstract: The present invention provides methods and apparatuses that utilize a portable apparatus to securely operate a host electronic device. Typically, each portable apparatus includes a data storage unit which stores an operating system and other software. In one example, a portable apparatus can provide a virtual operating environment on top of a host's operating system for a host device. In another example, a portable apparatus containing its operating system can directly boot a host device with one or more hardware profiles. Furthermore, a device-dependent protection against software piracy, a user-dependent protection against sensitive data leaks, a controllable host operating environment to prevent unwanted information exposure, and a secure restoration procedure to prevent virus infection between the host device users may be incorporated. Moreover, a pre-defined information may also be utilized to authorize a connected-state guest operation environment in the host device.

Abstract: Several embodiments of memory devices and systems with command and control access are described herein. In one embodiment, a memory device includes a controller having a processor and a memory component operably coupled to the processor. The controller is configured to receive at least one command and control (C2) packet from a remote computer associated with a device vendor. The C2 packet includes a request for the controller to perform a restricted command, and a vendor signature. The memory component stores instructions executable by the processor to determine if the vendor signature is valid and to direct the controller to perform the restricted command if the vendor signature is determined to be valid.

Abstract: Methods, computing systems and computer program products implement embodiments of the present invention that include defining a first multiple of software container configurations and a second multiple of permission sets, and receiving, by a first computer, a request to perform a service operation on a second computer having multiple resources. Upon identifying one or more of the resources that are required for the service operation, a given software container configuration and a given permission set are selected based on the identified one or more resources, and the given software container configuration and the given permission set are conveyed to the second computer. Upon the second computer receiving the given software container configuration and the given permission set, a software container is generated. The software container is opened on the host computer prior to performing the service operation, and closed upon completing the service operation.

Abstract: A system for integrating modules of computer code may include a sandbox validator for receiving a first module and verifying that the first module complies with one or more sandbox constraints. A computing device may execute the first module within a runtime environment. A module integrator may operate within the runtime environment for receiving a request from the first module to access a service provided by a second module and only allowing the first module to access the service when the first module is authorized to access the service according to a service authorization table. The sandbox validator may ensure the first module correctly identifies itself when requesting a service provide by another module and that the first module includes runtime policing functions for non-deterministic operations. A service authorizer may generate an authorization policy for the first module, which is sent to the computing device along with the first module.

Abstract: Techniques for encryption key destruction for secure data erasure via an external interface or physical key removal are described. Electrical destruction of key material retained in a memory of a storage device renders the device securely erased, even when the device is otherwise inoperable. The memory (e.g. non-volatile, such as flash) stores key material for encrypting/decrypting storage data for the device. An eraser provides power and commands to the memory, even when all or any portion of the device is inoperable. The commands (e.g. erase or write) enable zeroizing or destroying the key material, rendering data encrypted with the destroyed key material inaccessible, and therefore securely erased. Alternatively, the memory is a removable component (e.g. an external security device or smartcard) coupled to the device during storage operation. Removing and physically destroying the memory renders the device securely erased. The device and/or the memory are sealed to enable tamper detection.

Abstract: A method and apparatus are proposed for cryptographic computations implemented in an electronic component. The method includes determining the cofactor of an elliptic curve E defined over a finite field Fq with q elements, the elliptic curve comprising a base point P having an order equal to n. The step of determining includes determining a value of floor((q+2ceil(b/2)+1+1)/n) when n>6?q, where the function ceil corresponds to the ceiling function, floor corresponds to the floor function, and b corresponds to the size q in number of bits of q.

Abstract: Techniques for encryption key destruction for secure data erasure via an external interface or physical key removal are described. Electrical destruction of key material retained in a memory of a storage device renders the device securely erased, even when the device is otherwise inoperable. The memory (e.g. non-volatile, such as flash) stores key material for encrypting/decrypting storage data for the device. An eraser provides power and commands to the memory, even when all or any portion of the device is inoperable. The commands (e.g. erase or write) enable zeroizing or destroying the key material, rendering data encrypted with the destroyed key material inaccessible, and therefore securely erased. Alternatively, the memory is a removable component (e.g. an external security device or smartcard) coupled to the device during storage operation. Removing and physically destroying the memory renders the device securely erased. The device and/or the memory are sealed to enable tamper detection.

Abstract: Described are a secure geo-location obscurity network and ingress nodes, transit nodes and egress nodes used in such a network. In particular, a novel device is provided and comprises: a node for a network, the node comprising: a private portion for allowing high bandwidth secure private traffic to be received and transmitted by the node on a private pathway through the node; and a public portion for allowing low bandwidth secure public traffic to be received and transmitted by the node on a plurality of public pathways through the node.

Abstract: A computer a network interface and a central processing unit. The network interface communicates with a network. The central processing unit (CPU) is operable to receive a networked file system access request packet and to identify a root directory based on the networked file system access request packet. The CPU then identifies a file directory based on the root directory and the networked file system access request packet. The CPU then identifies file object metadata based on the file directory and identifies a set of slice servers based on the file object metadata and the networked file system access request packet. The CPU then issues, via the network interface, a set of commands to a set of slice servers regarding the networked file system access request packet.

Abstract: Systems and methods for encrypting a plaintext logical data object for storage in a storage device operable with at least one storage protocol, creating, reading, writing, optimization and restoring thereof. Encrypting the plaintext logical data object comprises creating in the storage device an encrypted logical data object comprising a header and one or more allocated encrypted sections with predefined size; encrypting one or more sequentially obtained chunks of plaintext data corresponding to the plaintext logical data object thus giving rise to the encrypted data chunks; and sequentially accommodating the processed data chunks into said encrypted sections in accordance with an order said chunks received, wherein said encrypted sections serve as atomic elements of encryption/decryption operations during input/output transactions on the logical data object.

Abstract: A method is provided for electronically masking the geographic location of a client device in a communication network comprising the following steps: (a) mapping a communication from a first diverter node at a first location to a second diverter node at a second location, and (b) causing the communication to appear as originating from a client device at the second location when the communication is received by a destination device, wherein the second location is different from the first location. Also provided is a device that may be used to implement such a method.

Abstract: Systems and methods for encrypting a plaintext logical data object for storage in a storage device operable with at least one storage protocol, creating, reading, writing, optimization and restoring thereof. Encrypting the plaintext logical data object comprises creating in the storage device an encrypted logical data object comprising a header and one or more allocated encrypted sections with predefined size; encrypting one or more sequentially obtained chunks of plaintext data corresponding to the plaintext logical data object thus giving rise to the encrypted data chunks; and sequentially accommodating the processed data chunks into said encrypted sections in accordance with an order said chunks received, wherein said encrypted sections serve as atomic elements of encryption/decryption operations during input/output transactions on the logical data object.

Abstract: Systems and methods for encrypting a plaintext logical data object for storage in a storage device operable with at least one storage protocol, creating, reading, writing, optimization and restoring thereof. Encrypting the plaintext logical data object comprises creating in the storage device an encrypted logical data object comprising a header and one or more allocated encrypted sections with predefined size; encrypting one or more sequentially obtained chunks of plaintext data corresponding to the plaintext logical data object thus giving rise to the encrypted data chunks; and sequentially accommodating the processed data chunks into said encrypted sections in accordance with an order said chunks received, wherein said encrypted sections serve as atomic elements of encryption/decryption operations during input/output transactions on the logical data object.

Abstract: Embodiments of the present invention provide a method and apparatus, including a client and security token, for managing cryptographic objects, such as public key cryptography standard (PKCS)#11 objects, in a computer system. A storage table for the cryptographic objects is established including rows for the cryptographic objects and columns corresponding to available attributes capable of being associated with the cryptographic objects. Actual attributes of the cryptographic objects are stored in ones of the plurality of columns corresponding to respective ones of the available attributes. The storage table is extensible such that additional columns are added corresponding to new attributes capable of being associated with the cryptographic objects.

Abstract: Various embodiments are described herein for a mobile communication device that utilizes a smart battery. The mobile device includes a main processor for controlling the operation of the mobile communication device. The smart battery is coupled to the main processor and provides supply power. The smart battery includes a battery processor for controlling the operation of the smart battery and communicating with the main processor, and a battery module having one or more batteries for providing the supply power. A battery interface is provided for coupling between the main processor and the battery processor for providing communication therebetween. The battery interface comprises a data communication line and protection circuitry for protecting the main processor from electrostatic discharge. A communication protocol is also provided for communication between the main processor and the battery processor.

Abstract: The method comprises, in an electronic component, carrying out a cryptographic calculation that includes the step of obtaining points P on an elliptic curve following the equation Y2+a1XY+a3Y=X3+a2X2+a4+X+a6 (1) where a1, a2, a3, a4 et a6 are elements of a set A of elements; where A is a ring of modular integers Z/qZ where q is a positive integer resulting from a number I of different prime numbers strictly higher than 3, I being an integer higher than or equal to 2, where A is a finite body Fq with q the power of a prime integer; where X and Y are the coordinates of the points P and are elements of A. The method comprises determining a diameter (11), and obtaining the coordinates X and Y of a point P (13) by applying a function (12) to said parameter. The Euler function ? of A corresponds to the equation ?(A) mod 3=1.

Abstract: A system and method for implementing the Elliptic Curve scalar multiplication method in cryptography, where the Double Base Number System is expressed in decreasing order of exponents and further on using it to determine Elliptic curve scalar multiplication over a finite elliptic curve.

Abstract: The invention relates to a product protection system, whereby a product piece is provided with a product-specific identification sequence (K) which is converted into a coded check sequence (C), by means of an encoding method (F1) using a secret encoding sequence (B). A product control sequence is applied to or on the product piece which comprises the coded check sequence (C), or a sequence derived therefrom. In order to check the authenticity of the product piece, the product control sequence is recorded by a control requester and transmitted by internet to a product protection server structure. A decoded check sequence is derived therein from the product control sequence by means of a decoding method using a decoding sequence. The authenticity of the decoded check sequence, or a sequence derived therefrom is checked and the result of the authenticity check transmitted by internet to the control requester.

Abstract: A method and system for maintaining privacy for transactions performable by a user device having a security module with a privacy certification authority and a verifier are disclosed. The system includes an issuer providing an issuer public key; a user device having a security module for generating a first set of attestation-signature values; a privacy certification authority computer for providing an authority public key and issuing second attestation values; and a verification computer for checking the validity of the first set of attestation signature values with the issuer public key and the validity of a second set of attestation-signature values with the authority public key, the second set of attestation-signature values being derivable by the user device from the second attestation values, where it is verifiable that the two sets of attestation-signature values relate to the user device.

Abstract: A method and system for maintaining privacy for transactions performable by a user device having a security module with a privacy certification authority and a verifier are disclosed. The system includes an issuer providing an issuer public key; a user device having a security module for generating a first set of attestation-signature values; a privacy certification authority computer for providing an authority public key and issuing second attestation values; and a verification computer for checking the validity of the first set of attestation signature values with the issuer public key and the validity of a second set of attestation-signature values with the authority public key, the second set of attestation-signature values being derivable by the user device from the second attestation values, where it is verifiable that the two sets of attestation-signature values relate to the user device.

Abstract: A method is provided for processing a digital information set having a plurality of information bytes. The method comprises receiving the information set, determining a set of initialization parameters, initializing a set of state variables using the set of initialization parameters, and generating a plurality of cryptors, each cryptor being a virtual dynamic array containing a monoalphabetic cipher. The method further comprises modifying the state variables and one or more of the cryptors, setting the index value for each cryptor in the plurality of cryptors; and selecting an ordered cryptor subset to be applied to an information byte. The information byte is processed using the ordered cryptor subset to produce a processed information byte. If the information byte is a plaintext byte, the processed byte is an encrypted byte, and vice versa. The actions of modifying, setting, selecting, and processing are then repeated for each remaining information byte.

Abstract: A garage management and monitoring system defines and manages each operational event in a parking facility. Access events, management events, equipment operation events, equipment malfunction events, security events and defined anomaly events are labeled and parsed into a relational database, which is used for generating reports, creating logs, making management decisions, reconstructing accidents, and so on. The equipment includes a computer terminal, a reader, an identifying item or code capable of being read by the reader to control access to the facility, an IP camera, and a garage door or vehicle gate with safety sensors. Each defined event can be codified on the server and/or local controller to create an event library that is downloaded to the controller.

Abstract: A system includes at least one telecommunications terminal having data processing capabilities, the telecommunications terminal being susceptible of having installed thereon software applications, wherein each software application has associated therewith a respective indicator adapted to indicate a level of security of the software application, the level of security being susceptible of varying in time; a software agent executed by the at least one telecommunications terminal, the software agent being adapted to conditionally allow the installation of software applications on the telecommunications terminal based on the respective level of security; a server in communications relationship with the software agent, the server being adapted to dynamically calculate the level of security of the software applications, and to communicate to the software agent the calculated level of security of the software applications to be installed on the telecommunications terminal.

Abstract: A configurable logic component is shown with a signature generator, responsive to a commanded configuration information signal from a processor, for providing a signed commanded configuration information signal, and with a memory device, responsive to the signed commanded configuration information signal from the signature generator, for storing the signed commanded configuration information signal in the configurable logic component for use by the processor in checking a current configuration of the configurable logic component against a trusted signed configuration file to ensure the current configuration matches the commanded configuration and allowing use of the configurable logic component in case of a match.

Abstract: A method is provided of authenticating a digitally signed message. A chain of messages is generated. A Winternitz pair of keys is generated for each respective message. A sequence number is assigned to each of the messages. Each of the sequence numbers cooperatively identify an order of Winternitz verifiers assigned to each of the messages. A signature to a first message in the chain of messages is signed using a digital signature algorithm private key. Signatures to each of the following messages in the chain of messages are signed using both Winternitz private keys and digital signature algorithm private keys. The signed messages are broadcast from a sender to a receiver. The first signed broadcast message is authenticated at the receiver by verifying the digital signature algorithm signature. At least some of the following signed broadcast messages are authenticated at the receiver by verifying only the Winternitz signature.

Abstract: Systems and methods for correlating and distributing intrusion alert information among collaborating computer systems are provided. These systems and methods provide an alert correlator and an alert distributor that enable early signs of an attack to be detected and rapidly disseminated to collaborating systems. The alert correlator utilizes data structures to correlate alert detections and provide a mechanism through which threat information can be revealed to other collaborating systems. The alert distributor uses an efficient technique to group collaborating systems and then pass data between certain members of those groups according to a schedule. In this way data can be routinely distributed without generating excess traffic loads.

Abstract: The present invention is a device for and method of language processing that includes a communication database of communications, a transcription database of transcripts for the communication, an extractor for extracting a visual representation of each communication, a first displayer for displaying a visual representation of a communication and its transcription, a segmentor for segmenting a visual representation, a media player, a first editor for blanking portions of a transcription and adding text, a second editor for filling in blanks and adding text, a second displayer for displaying a transcription that were blanked along with the corresponding entries made by the second editor and adding textual information, and a third displayer for providing feedback.

Abstract: Systems and methods utilizing the network layer and/or application layer to provide security in distributed computing systems in order to thwart denial of service attacks. The systems and methods of the present invention utilize puzzles placed at the network layer level and/or application layer level to protect against denial of service attacks. Further, the systems and methods of the present invention advantageously provide a robust and flexible solution to support puzzle issuance at arbitrary points in the network, including end hosts, firewalls, and routers and thereby a defense against denial of service attacks.

Abstract: When a potential consumer finds a product catalog on the monitor of the consumer's PC showing digital images of products, the potential consumer orders a desired product from a vendor, at least after selecting a desired product from the digital image of the product catalog in a recognized condition by naked eye observation that the color of the digital image of a basic color reference involved in the product catalog is substantially identical to a color reference owned by the potential consumer.

Abstract: Various embodiments are described herein for a mobile communication device that authenticates a smart battery prior to use. The mobile device includes a main processor and a device memory. The device memory stores first and second portions of security information used for authentication. The smart battery includes a battery processor and a battery memory. The battery memory stores a third portion of security information used for authentication. The main processor sends an authentication request including the first portion of security information to the battery processor, and the battery processor generates a response based on the first and third portions of security information and sends the generated response to the main processor. The smart battery is authenticated if the generated response matches the second portion of security information.

Abstract: A power supply that can be authenticated is disclosed. An apparatus according to aspects of the present invention includes an external power supply of an electronic product that modulates an output of the power supply with information encoded to identify the power supply to the product.

Abstract: For achieving the protection of copyright, by suppressing illegal copy production thereof, in particular, when transmitting contents with using a wired or wireless LAN, as well as, for preventing the transmission of contents from deviating from a range of a personal use thereof, a contents transmitter apparatus and a contents receiver apparatus make an authentication, mutually, before transmitting contents therebetween.

Abstract: A method according to one embodiment includes defining a new encryption band with a length that is consistent with a redundant array of inexpensive disks (RAID) parity strip; freeing a working extent in a working stride on the RAID. In an iterative process until each stride in a source band is depleted of data: marking a source extent in a source stride from which to gather data to be re-encrypted; marking parity inconsistent in the working stride in the new encryption band; performing a second iterative process; and freeing the working extent. The second iterative process is performed until each extent in a source stride is depleted of data. Additional systems, methods and computer program products are also presented.

Abstract: A key terminal apparatus includes a crypto-processing LSI that performs predetermined crypto-processing. Unique information identifying the crypto-processing LSI is embedded in the crypto-processing LSI. A predetermined master key corresponding to a predetermined key is embedded in the crypto-processing LSI. The crypto-processing LSI (a) receives an encrypted manufacturer key from the manufacturer key storage unit, (b) decrypts the encrypted manufacturer key using the predetermined master key to generate a manufacturer key, (c) generates a unique manufacturer key identical to the predetermined unique manufacturer key, based on the unique information embedded in the crypto-processing LSI and the generated manufacturer key, and (d) decrypts the received encrypted device key using the generated identical unique manufacturer key to generate a predetermined device key.

Abstract: Method and apparatus are described wherein, in one example embodiment, there is provided one or more policy templates that may define a set of policy permissions or other attributes that may be desirable to specify in a policy. One or more policy templates may be specified in a user interface of a policy creation and maintenance program that may run oh the policy server and/or run on a workstation computer. Each policy template specified by a user may include permissions for how a user may access and use a document. The maintenance program may, in one embodiment, associate both templates to a policy used for a specific unit of digital content, or, for example, an electronic document. The permissions for the policy are determined by aggregating the permissions associated with each respective templates chosen by the user. According to another example embodiment, a user selects a policy template and defines one or more additional permissions to form an augmented policy.

Abstract: Provided are methods, apparatus and computer programs for tracking the origins of data and controlling transmission of the data. In one embodiment, transmission of sensitive data by script operations is limited, to prevent transmission to any network location other than to the source of that sensitive data, by a new function within a scripting engine of an HTTP client that is responsive to origin tags placed within the data. Origin tags that are associated with data inputs are propagated to any output data items, so that transmission of derived information can also be controlled.