Abstract: Disclosed are various examples for deploying applications on client devices through a management service. A client device can be enrolled with a management service. The management service can determine application settings that are associated with an application and generate an application profile for the application. The application profile can be used to deploy the application to client devices and provision the application with the appropriate application settings.

Abstract: A method for limiting execution of an encrypted computer program on a secure processor includes executing a first set of instructions encoding a test for determining whether a value of a register of the secure processor belongs to a set of valid register values encoded in the encrypted computer program. Execution of the first set of instructions causes the secure processor to read a first register value from the register of the secure processor, the register of the secure processor preventing repeated reads of a same value of the register, and determine whether the first register value belongs to the set of valid register values encoded in the encrypted computer program. Execution of further instructions of the encrypted computer program is prevented if the first register value does not belong to the set of valid register values encoded in the encrypted computer program.

Abstract: Described are methods, systems, and apparatus, including computer program products for de-duplicating access control lists (ACLs). A first ACL associated with a first computer file is received. A first checksum based at least in part on the first ACL is calculated. One or more directory entries based on the first checksum are retrieved from a de-duplication directory, wherein each directory entry of the one or more directory entries comprises a reference to an ACL and a name comprising the first checksum. A directory entry of the one or more directory entries is identified that references a second ACL that specifies the same permissions as the first ACL. A reference to the second ACL of the directory entry is added to the first computer file.

Abstract: Techniques for establishing entitlement to a computer program product are provided, and include providing a client identity in a registration process to produce an entitlement file, obtaining an encoded version of a computer program product, and transforming the computer program product into an installation product in a computer storage medium, wherein the installation product comprises the entitlement file to establish entitled use of the computer program product.

Abstract: To grant or deny access rights to a user attempting to access a protected system or secured electronic data, an access right evaluation process is carried out among all applicable policies including those embedded in the secured electronic data. In a preferred embodiment, the access right evaluation process is invoked only when a system being accessed is protected or a file being accessed is detected to be in a secured format. Further, the access right evaluation process is configured preferably to operate transparently to the user. The access right evaluation may be advantageously used in systems or applications in which devices, mediums or electronic data are secured and can be restrictively accessed by those who are authenticated and have proper access privilege.

Abstract: Methods, non-transitory computer readable media and application management apparatuses, and application management systems that secure one or more entitlement grants includes transmitting a registration license request encrypted with a first public key to a license server. The registration license request comprises a registration identifier and a second public key. A registration license response is received from the license server. The registration license response comprises one or more license entitlement grants, the second public key, and a first secure signature encrypted with a first private key. The one or more license entitlement grants are authenticated when the first decrypted secure signature matches the first check signature.

Abstract: Techniques for establishing entitlement to a computer program product are provided, and include providing a client identity in a registration process to produce an entitlement file, obtaining an encoded version of a computer program product, and transforming the computer program product into an installation product in a computer storage medium, wherein the installation product comprises the entitlement file to establish entitled use of the computer program product.

Abstract: System and methods for manipulating rights expressions for use in connection with a rights management system include one or more tokenized templates. Each tokenized template includes one or more rights expression language statements and one or more tokens associated with at least one of the rights expression language statements. Further, the tokens can be place holders for data items or rights expression elements. The system further includes a license template module that creates the tokenized templates, and a license instance creation module that replaces at least one of the tokens in one or more selected license templates with one or more of the data items or rights expression elements to generate a license instance. Additionally, the system includes a license instance analysis module having sub-modules for validating and interpreting license instances, and a data parsing module for extracting data from created license instances.

Abstract: A DRM technique involves packaging an advertisement using a data structure that encapsulates a number of advertising segments along with signed information, such as a table of hashes, associated with some of the advertising segments. In one scenario, the data structure and the signed information are separately protected using public key and/or digital signature cryptographic schemes. The advertisement is delivered to a user of a consumer electronic device (CED) separately from delivery of a digital license, which governs user consumption of the advertisement. The digital license includes keys used in connection with the cryptographic scheme, and references a condition to be satisfied with respect to consumption of the advertisement. As advertising segments are verified and consumed by the user/CED, information is recorded and used to determine whether the license condition was satisfied. Satisfaction of the license condition may result in access to program content or additional licenses.

Abstract: A method and system for verifying integrity of a software package in a mobile terminal is provided. The method includes receiving a catalog of available software packages from a distributor and displaying the catalog, if a desired software package to be installed is selected from the displayed catalog, acquiring a software package IDentifier (ID) corresponding to the selected software package from the catalog, transmitting the software package ID to the distributor to receive the selected software package corresponding to the software package ID and to transmit the software package ID to a verification authority, receiving, from the verification authority, integrity evidence information corresponding to the software package ID and verifying the integrity of the selected software package, and outputting a notification for notifying a user of a result of the verification and managing the selected software package according to a received user selection.

Abstract: Techniques enable creation of a preview license for digital content. In some instances, the preview license indicates that it allows a content-consuming device to consume less than all of the content. This preview license may create a list specifying multiple portions of the digital content that the content-consuming device may consume. These techniques may also present to a device user an offer to purchase rights to consume all of the digital content after consumption of the preview-licensed portion(s). In other instances, a content server may embed the preview license into a content package that contains the digital content, allowing the server to distribute the package to multiple devices. In still other instances, the preview license may be bound to a domain rather than to individual devices. This allows member devices to share the digital content and the preview license, such that each member device may enjoy the preview experience.

Abstract: An intelligent system and a method in a packet network to utilize the radio network resource and the core network resource in an optimized way so that more high priority, critical devices are granted access to the network while throttling the low priority, non-critical devices with the same given resource. The system collects all the necessary information from the signaling exchange between the radio access network and the core network and takes the device subscription characteristics and statically or dynamically defined throttling behavior rules into consideration to choose the optimal behavior to handle the requests from devices at any given time including deciding to reject the requests for certain types of devices under certain network conditions while granting the requests for other types of devices.

Abstract: Systems and methods to automatically activate distribution channels to be provided by potential business partners are disclosed. An example method to enable activation of a distribution channel provided by a client company for a host company disclosed herein comprises obtaining information concerning the client company, automatically triggering at least some of a plurality of host company departments to process the information to evaluate at least one of the client company or the distribution channel, and automatically processing machine readable evaluation indicators provided by the at least some of the plurality of host company departments and representative of respective evaluation decisions associated with the at least some of the plurality of host company departments to determine an overall evaluation result.

Abstract: Various computer-implemented systems and methods are provided here for purposes of intelligent predictive messaging. An exemplary system can be operated to obtain message context data associated with a messaging session, process the message context data to obtain suggested message content for the messaging session, and automatically populate a message field of a user device with at least some of the suggested message content. The system may proceed by sending a message from the user device, where the message includes content of the message field.

Abstract: Techniques are described for analyzing user-supplied information, including in at least some situations to predict future aspects of additional related information that will be supplied by users. The user-supplied information that is analyzed may, for example, include distributed group discussions that involve numerous users and occur via user comments made to one or more social networking sites and/or other computer-accessible sites. The analysis of user-supplied information may, for example, include determining particular topics that are of interest for a specified category during one or more periods of time, quantifying an amount of user interest in particular topics and the category during the period of time, predicting future amounts of user interest in the particular topics and the category during one or more future period of times, and taking one or more further actions based on the predicted information.

Abstract: There is provided an information processing device including a communication unit configured to receive editing information of content data, an accumulation unit configured to accumulate the editing information, and a control unit configured to control whether to return the editing information to an external device in accordance with a right to use content corresponding to a requestor's identification information included in request information for requesting the editing information, the request information being received from the external device via the communication unit.

Abstract: There is provided an information processing apparatus including a distribution information acquisition section which acquires distribution information indicating that content-related data is distributed from a first user to a second user through a social network to which the first user and the second user belong, and a route information generation section which generates route information based on the distribution information, the route information indicating a route through which the content-related data is distributed among users belonging to the social network.

Abstract: An information handling system includes a processor and a configuration detection and error handling module operable to read a first tag data file from a first storage volume, read a second tag data file from a second storage volume, and determine that the first storage volume and the second storage volume are configured as mirrored storage volumes based upon the first tag data file and the second tag data file.

Abstract: Segmentation messages indicative of locations of upcoming events, such as the start and end of programs and program portions, and/or rights related to the programs and program portions, are used by cable systems and the like to store programs and program portions for later retrieval and transmission to customers on request. Storage, retrieval and management of programming is thereby facilitated. Methods and systems are disclosed.

Abstract: A bit level file comparison system compares two file systems, each of which includes any number of individual files, to determine whether the file systems are identical at a bit level. A hashing function is applied to each file in the first file system to generate a hash value that is logically associated with the respective file in the first file system. The hashing function is applied to each file in the second file system to generate a hash value that is logically associated with the respective file in the second file system. The hash value associated with a file in the first file system is compared with the hash value associated with the corresponding file in the second file system to determine whether bit level differences between the respective file in the first file system and the second file system.

Abstract: Segmentation messages indicative of locations of upcoming events, such as the start and end of programs and program portions, and/or rights related to the programs and program portions, are used by cable systems and the like to store programs and program portions for later retrieval and transmission to customers on request. Storage, retrieval and management of programming is thereby facilitated. Methods and systems are disclosed.

Abstract: Data storage and access systems enable downloading and paying for data such as audio and video data, text, software, games and other types of data. A portable data carrier has an interface for sending and receiving data, data memory for storing received content data, and payment validation memory for providing payment validation data to an external device. The carrier may also store a record of access made to the stored content, and content use rules for controlling access to the stored content. Embodiments store further access control data and supplementary data such as hot links to web sites and/or advertising data. A complementary data access terminal, data supply computer system, and data access device are also described. The combination of payment data and stored content data and use rule data helps reduce the risk of unauthorized access to data such as compressed music and video data, especially over the Internet.

Abstract: An image processing apparatus includes a reception unit that receives a login request from a wireless terminal apparatus and an execution unit that executes different login processing according to whether the wireless terminal apparatus from which the login request was received has a display.

Abstract: An apparatus according to the present disclosure may comprise a secure zone configured to execute a task having a subtask. The task and subtask may have respective executable code and may be digitally signed by respective code providers. The secure zone may be further configured to apply respective sets of permissions while the respective executable code of the task and subtask are executed. The respective set of permissions for the task may be based on at least one of information associated with the signed task and information in a digital certificate of the respective code provider for the task. The respective set of permissions for the subtask may be based on at least one of information associated with the signed subtask and information in a digital certificate of the respective code provider for the subtask.

Abstract: At least one content publishing server having a memory storing a map data structure configured by a content author which defines relationships among plural resources and thereby define an informational item of higher granularity content. Each of the plural resources are associated with a first electronic file linked to said map data structure and configured to store information about the usage of the associated resource. Higher granularity content is associated with a second electronic file linked to said map data structure configured to store information about the usage of the higher granularity content. The server which delivers the informational item to a computer gathers feedback usage information reflecting how the higher granularity content and individual ones of the plural resources are used by users. The server updates the electronic files in accordance with the feedback usage information.

Abstract: In embodiments of the present invention improved capabilities are described for the steps of receiving an indication that a computer facility has access to a secure data store, causing a security parameter of a storage medium local to the computer facility to be assessed, determining if the security parameter is compliant with a security policy relating to computer access of the remote secure data store, and in response to an indication that the security parameter is non-compliant, cause the computer facility to implement an action to prevent further dissemination of information, to disable access to network communications, to implement an action to prevent further dissemination of information, and the like.

Abstract: Systems and methods for managing a system of heterogeneous workloads are provided. Work that enters the system is separated into a plurality of heterogeneous workloads. A plurality of high-level quality of service goals is gathered. At least one of the plurality of high-level quality of service goals corresponds to each of the plurality of heterogeneous workloads. A plurality of control functions are determined that are provided by virtualizations on one or more containers in which one or more of the plurality of heterogeneous workloads run. An expected utility of a plurality of settings of at least one of the plurality of control functions is determined in response to the plurality of high-level quality of service goals. At least one of the plurality of control functions is exercised in response to the expected utility to effect changes in the behavior of the system.

Abstract: A mobile application management through policy inclusion using centralized enforcement libraries is disclosed. The method includes storing independently developed mobile applications on at least one server. The method further includes storing independently developed policies associated with each of the independently developed mobile applications on the at least one server. The method further includes associating a policy of the stored independently developed policies with any of the mobile applications of the independently developed mobile applications. The method further includes providing the associated policy and mobile application to a mobile device where the enforcement libraries restrict the app as instructed by the policy.

Abstract: A DRM packager has a programmed processor for receipt of licensing information including a plurality of encryption keys for a corresponding plurality of DRM encryption algorithms and for receipt of content from a content provider. An encrypter encrypts the content under each of the plurality of DRM algorithms to produce multiple DRM selectively encrypted content, where the multiple DRM selectively encrypted content has segments of the specified content that are unencrypted, and selected segments of the content which are duplicated to produce one copy of the selected content for each of the DRM algorithms with each duplicate copy of the selected segments encrypted under a different one of the DRM algorithms, and where the unencrypted segments of content are assembled together with each of the DRM encrypted duplicate selected segments to produce a single unified content assembly that can be played on any of the player devices.

Abstract: A garbled circuit is generated for a client in a leakage-resilient manner with a reduced memory requirement. The garbled circuit is used for secure function evaluation between the client and a server. The garbled circuit is generated with a reduced storage requirement by obtaining a token from the server; querying the token gate-by-gate, wherein for each gate of the garbled circuit, the token generates new wire garblings and stores them with the client using a Stream Cipher and interacts with the leakage-protected area to generate a garbled table for the gate; and receiving the garbled circuit from the token. The token comprises a leakage-protected area. The Stream Cipher is leakage-resilient and can be a symmetric-key cryptographic primitive that has a secret key as an input and generates an unbounded stream of pseudorandom bits as an output. The number of evaluations of the Stream Cipher is kept to a substantial minimum.

Abstract: A system and method are disclosed for analyzing transfer of data over at least one network, including a device configured to select a subset of users from a user base of at least one network. The system can include a device configured to analyze data relating to potential unlicensed data transfer by the subset of users, and a device configured to generate an estimate of unlicensed data transfer by the user base based on the analysis of data of the subset of users.

Abstract: An example embodiment includes a distributed file management system. The distributed file management system includes a central storage device that is communicatively coupled to data repositories configured to store one or more files. The central storage device includes a processor and a tangible computer-readable storage medium. The tangible computer-readable storage medium is communicatively coupled to the processor and has computer-executable instructions stored thereon that are executable by the processor to perform operations. The operations include receiving file access requests from the data repositories. The operations also include transmitting location information of files requested in the file access requests. The location information includes internet protocol (IP) addresses of the data repositories on which the files are stored.

Abstract: The subject disclosure pertains to systems and methods that facilitate managing access control utilizing certificates. The systems and methods described herein are directed to mapping an access policy as expressed in an access control list to a set of certificates. The set of certificates can be used to grant access to resources in the manner described by the ACL. The certificates can be distributed to entities for use in obtaining access to resources. Entities can present certificates to resources as evidence of their right to access the resources. The access logic of the sequential ACL can be transformed or mapped to a set of order independent certificates. In particular, each entry, position of the entry in the list and any preceding entries can be analyzed. The analysis can be used to generate order independent certificates that provide access in accordance with the access policy communicated in the ACL.

Abstract: The effort of changing an application in conjunction with a change in process content or change in the type or specifications of a receiver can be reduced, and a cooperative process involving a plurality of receivers without going through an application can be achieved. An integrated device control service acquires output data, information related to the address of a first receiver and a first style sheet for the first receiver, and information related to the address of a second receiver and a second style sheet for the second receiver from an application and a style sheet database that stores a plurality of style sheets describing information conversion rules. In accordance with the success or failure of first conversion data distribution, the integrated device control service sends second conversion data, which is the output data converted according to the second style sheet, to the second receiver.

Abstract: A system may be configured to receive an upload, from a first user device, of a basis content item that includes first content; determine whether a first user of the first user device has a right to restrict a use of the first content in an in-use content item uploaded by a second user device when the in-use content includes the first content; in response to determining that the first user has the right, store the basis content in the system; in response to determining that the first user does not have the right, discard the basis content; receive an upload, from a second user device, of a first in-use content item; and determine whether the first in-use content item matches the basis content item.

Abstract: A classification method and system for possible content alteration of a media work may include criteria regarding content that is feasible for alteration. Such criteria may be maintained in records that are accessible to an interested party. Some embodiments may include a record of primary authorization rights applicable to a possible content alteration. A further embodiment feature may include a record of secondary authorization rights applicable to substitute altered content incorporated in a derivative version. Various exemplary identifier markup schemes indicative of a location or category of an alterable media content component may be implemented for audio, visual, and audio/video alterable content.

Abstract: A dialog system is accessed by a remote user and is typically configured to receive a natural language query from the user and return a natural language answer to the user. Dialog systems can be copied without authorization or can become an out-of-date version. A dialog system with a signature, referred to herein as a “signed” dialog system, can indicate the signature without affecting usage by users who are unaware that the dialog system contains the signature. The signed dialog system can respond to input such that only the designer of the dialog system knows the signature is embedded in the dialog system. The response is a way to check the source or other characteristics of the dialog system. A designer of signed dialog systems can prove whether an unauthorized copy of the signed dialog system is used by a third party by using publically-available user interfaces.

Abstract: A method, apparatus, and manufacture for content protection for HTML media elements is provided. A client media player is employed to determine whether media content is protected. The client media player includes an application, and further includes a media engine that is a distinct program from the application. Upon determining that the media content is protected, the application is employed to get a key and/or a license for the protected media content. The application is employed to instruct the media engine to play the media content. The key and/or the license is sent from the application to the media engine.

Abstract: Various hardware and software configurations are described herein which provide improved security and control over protected data. In some embodiments, a computer includes a main motherboard card coupled to all input/output devices connected to the computer, and a trusted operating system operates on the main motherboard which includes an access control module for controlling access to the protected data in accordance with rules. The trusted operating system stores the protected data in an unprotected form only on the memory devices on the main motherboard. The computer may also have a computer card coupled to the main motherboard via a PCI bus, on which is operating a guest operating system session for handling requests for data from software applications on the computer.

Abstract: Secure computation environments are protected from bogus or rogue load modules, executables and other data elements through use of digital signatures, seals and certificates issued by a verifying authority. A verifying authority—which may be a trusted independent third party—tests the load modules or other executables to verify that their corresponding specifications are accurate and complete, and then digitally signs the load module or other executable based on tamper resistance work factor classification. Secure computation environments with different tamper resistance work factors use different verification digital signature authentication techniques (e.g., different signature algorithms and/or signature verification keys)—allowing one tamper resistance work factor environment to protect itself against load modules from another, different tamper resistance work factor environment.

Abstract: A digital content protection apparatus and method for digital rights management (DRM) are provided in which a content file including a plurality of content parts is imported such that a header is included which stores location information required for decoding each of the content parts. Therefore, the number of content parts constituting the content file can be recognized, and a license that is required for the use of each of the content parts can be acquired by analyzing header information without necessitating the parsing of the transport packets of the content file. Accordingly, preparation time for using content can be reduced.

Abstract: A computer readable storage method and system allowing any artist to upload media, including images, video and music, to a server, have that media uploaded in a system of internet jukeboxes placed in establishments for instant playback of media by paying customers. The system of internet jukeboxes programmed to maintain an account for the artist allowing the artist to earn fees and royalties from playback of the media and to provide for automated payment of rent, and other fees due the establishment and the service provider.

Abstract: The various embodiments include methods, computers and communication systems for establishing a closed feedback loop across multiple heterogeneous networks within a telecommunications system, which may include measuring a first attribute of a communication in a first telecommunications domain and sending a first request message including information relating to the measured first attribute to a server. The server may receive the first request message, identify a second telecommunications domain involved in the communication based on information in the first request message, generate a second request message that includes information for adjusting a second attribute of the communication, and send the second request message to the second telecommunications domain. A computing device in the second telecommunications domain may receive the second request message and adjust the second attribute of the communication to alter the first attribute of the communication in the first telecommunications domain.

Abstract: Per process networking capability techniques are described. In one or more implementations, a determination is made as to whether access to a network capability is permitted for a process that is executed on the computing device based on a token that is associated with the process. The token has one or more security identifiers that reference one or more network capabilities described in a manifest. The access to the network capability is managed based on the determination.

Abstract: Systems, apparatus, methods and articles of manufacture provide for the distribution of a payout amount associated with a lottery ticket being conditioned or otherwise based on the payout amount. Some embodiments provide for determining a positive payout amount associated with a lottery ticket and determining at least one recipient and/or beneficiary of the positive payout amount based on (i) the positive payout amount and/or (ii) a recipient or beneficiary associated with the lottery ticket and/or the payout amount. In one embodiment, larger prizes (e.g., a jackpot prize, a prize greater than a predetermined threshold payout amount) are awarded to the player(s) of a virtual lottery ticket (e.g., shared by the players), and smaller prizes are distributed to a charitable organization (e.g., other than any of the players) selected by one or more players of the lottery ticket.

Abstract: An Enterprise Network includes a master data management (MDM) system that is linked to two or more data sources each of which include means for storing local management information. The MDM system builds a master management information database that is comprised of some or all of the management information stored by the data sources. The master database in the MDM includes master records each of which is comprised of one or more attributes. The MDM system is configured to only update particular master record attributes with selected management information received from a trusted data source.

Abstract: Systems and methods are disclosed for protecting a computer program from unauthorized analysis and modification. Obfuscation transformations can be applied to the computer program's local structure, control graph, and/or data structure to render the program more difficult to understand and/or modify. Tamper-resistance mechanisms can be incorporated into the computer program to detect attempts to tamper with the program's operation. Once an attempt to tamper with the computer program is detected, the computer program reports it to an external agent, ceases normal operation, and/or reverses any modifications made by the attempted tampering. The computer program can also be watermarked to facilitate identification of its owner. The obfuscation, tamper-resistance, and watermarking transformations can be applied to the computer program's source code, object code, or executable image.

Abstract: An Enterprise Network includes a master data management (MDM) system that is linked to two or more data sources each of which include means for storing local management information. The MDM system builds a master management information database that is comprised of some or all of the management information stored by the data sources. The master database in the MDM includes master records each of which is comprised of one or more attributes. The MDM system is configured to only update particular master record attributes with selected management information received from a trusted data source.

Abstract: A “Bring Your Own License” (BYOL) service can convert users' “off-the-shelf” (OTS) software licenses for use in public clouds according to rules provided by independent software vendors (ISVs). The BYOL service can offer additional license terms to the users during conversion of the OTS software license on behalf of the ISVs. The additional license terms can be an expansion of the use of the software, an expansion of the technical support offer by the new cloud license, and expansion of the duration of use.

Abstract: Cross-domain security for data vault is described. At least one database is accessible from a plurality of network domains, each network domain having a domain security level. The at least one database includes at least one partitioned data table that includes at least two partitions. Each partition has a security level. Each partition is configured to store data records. Access control security is operable to provide, to a selected network domain, access to a selected data record in the at least one database based on a domain security level of the selected network domain and a security level of a selected partition storing the selected data record.