Abstract: A maintenance system includes an image forming apparatus that performs image formation by a setting depending on the replacement part using a replaceably configured replacement part and a portable terminal that performs near field communication with the portable terminal. The portable terminal includes an image reading part that reads part information of the replacement part from a printed part affixed to the replacement part and a near filed communication part that transmits the part information read by the image reading part via the near filed communication. The image forming apparatus includes a non-contact IC tag in which the part information is written based on power generated from the near filed communication and an reflection processing part that reads the part information from the IC tag at the time of power on and reflects the part information in the setting.

Abstract: Secure electronic access may be provided by receiving at least one electronic certificate from an electronic device seeking to access a secure resource at a device under protection including at least one security processor, the at least one certificate providing device information related to the security of the electronic device, and comparing with at least one autonomous processor of an autonomous system the device information to the security requirement information. The at least one autonomous processor may instruct the at least one security processor to provide the secure resource to the device when the device information meets the security requirement information. The device under protection may provide the secure resource to the electronic device in response to the instruction.

Abstract: A method for verifying the integrity of platform software of an electronic device is provided, the method comprising accessing a module of said platform software, obtaining a signature (S), obtaining a verification key (VK), said verification key (VK) corresponding to a signing key (SK), verifying if said signature (S) was derived by signing said platform software module with said signing key (SK), by using said verification key (VK), and establishing a positive verification of said platform software module if said verification is successful. The invention also provides a method for providing a platform software module to perform the aforementioned method, and a device on which the aforementioned method can be performed.

Abstract: A first device may receive a request from a second device. The request may include a device identifier associated with the second device. The request may be transmitted by the second device to obtain a signature, based on which to access a third device. The first device may determine that the device identifier is associated with a secure authentication service. The first device may generate a signature based on determining that the device identifier is associated with the secure authentication service. The first device may provide the signature to the third device. The signature may permit the third device to selectively permit or deny access by the second device based on a result of authenticating the signature. Access may be permitted when the third device successfully authenticates the signature, and access may be denied when the third device fails to authenticate the signature.

Abstract: A method for authorizing an electronic device to perform an action includes detecting interaction data from an interaction between a hardware sensor and an identity-augmented tangible object; wherein data of the first set of interaction data is intrinsically dependent on physical characteristics of the identity-augmented tangible device; computing parametric descriptors from the interaction data; transmitting the parametric descriptors and supplementary data to a remote database system; generating, on the remote database system, identity data from a comparison of parametric descriptors with a known set of parametric descriptors; and authorizing, in response to both of the identity data and the supplementary data, the electronic device to perform a first action.

Abstract: A computer extracts traffic data from one or more traffic servers and stores the traffic data in a database. The computer also extracts and stores customer wait time, resource management, and point of sale (POS) data from one or more retail store servers in the database, and each of the retail store servers can correspond to a retail store. Extract and store subroutines may be executed in parallel using multithreading. Upon achieving synchronization of the parallel subroutines, the computer transforms the traffic, customer wait time, resource management, and POS data from the database by determining one or more metrics for each of the retail stores. Next, the computer loads the one or more determined metrics into the database. Finally, the computer aggregates the one or more determined metrics on at least one of a district level, region level, area level, and nation level to determine one or more aggregated metrics.

Abstract: Conventional wireless interface (WiFi) controllers cannot resolve authentication for trusted client devices without calculation from a host processor. Leaving the host processor on or awaking it from a sleep state each time a non-authenticated trusted client device attempts to connect wastes power. A hostless authenticated wake service allows a host controller to enter a sleep state while the WiFi controller responds to multicast domain name service-service discovery (mDNS-SD) queries from trusted client devices. Once a client device is authenticated, the WiFi controller may respond to a trusted client request to awake the host processor for further command processing and service provision. Not only does this approach reduce power consumption by allowing the host processor to remain in the sleep state, it allows trusted client devices to discover its presence while ensuring security.

Abstract: A system includes one or more processors to receive a registration request, the registration request comprising a representation of a username and a password, verify the username and the password and transmit a one-time-use password, receive the one-time-use password and first device identifier information from a mobile computing device, receive an access request from the mobile computing device comprising the representation of the username and the password, second device identifier information, and application key information, verify the username, the password, the second device identifier information, and the application key information, and transmit a token to the mobile computing device, and receive a resource request from the mobile computing device comprising the token and third device identifier information.

Abstract: The invention relates to a method for signing a message (m), implemented by processing means of a user device of a member (Mi) belonging to a group of members (G), said user device having a secret signature key (ski), said method including a step of generating (E301) a group signature (?) for the message (m), enabling said member (Mi) to prove his membership in the group (G), and a step of generating (E302) a pseudonym (nymij) identifying the member (Mi) within a domain (Dj) of a service provider (SPj), said domain including a set of terminals in communication with a server of said service provider, said signature (?) being designed such that said member (Mi) can prove, by signing the message (m), his knowledge of said secret signature key without disclosing it, said group signature (?) being designed such that the membership of the member (Mi) in the group is verifiable independently from the pseudonym (nymij), said pseudonym and said signature being a function of a portion (xi) of said secret signature k

Abstract: The invention relates to a method of signature with pseudonym ? of a message m by a user device storing a secret signature key sk dependent at least on a first part of key f, on a second part of key x and on a third part of key A equal to (g1hf)1/(x+y) and comprising the following steps: —generation of a pseudonym nym equal to hf dpkx, with dpk a public domain parameter, —determination of random numbers a, r_a, r_f, r_x, r_b, r_d, —calculation of signature coefficients R1 equal to hr_Jdpkr_x, R2 equal to nymr_ah?r_ddpk?r_b, R3 equal to Zr_x Va?r_x?r_f?r_b W?r_a, with Z, V and W respectively equal to e(A, g2), e(h, g2) and e(h,w), —obtaining of a first signature parameter T equal to Aha, —calculation of a second signature parameter c by applying a cryptographic hash function H, to the public domain parameter dpk, to the pseudonym nym, to the first signature parameter T, to the signature coefficients R1, R2, R3 and to the message m, —calculation of signature parameters s_f, s_x, s_a, s_b, s_d, respectively equa

Abstract: A method of authenticating the legitimacy of a request for a resource from a resource provider by a user, including providing an authentication process in which a resource provider message is received and de-assembled, the integrity of the user request message is confirmed, a result indicator as to the legitimacy of the resource provider message is created by performing two or more authenticity checks, and an authentication result is sent.

Abstract: An electronic document signature system preserves the security of an electronic document while tracking a signature process corresponding to the electronic document. In particular, using a client application on a client device, an originating user can protect an electronic document and send the protected electronic document to a tracking server. The tracking server receives only a protected document such that the security the electronic document is preserved. Using a client applications on client devices, one or more participating users can subsequently receive the protected document from the tracking server, access the contents of the electronic document, and sign the electronic document. The tracking server can record events that occur with respect to the protected document to create an event log.

Abstract: Systems and methods provide for optimizing transactions on digital documents between remote client devices. A digital document having one or more electronically annotatable objects resides on a host client device. A request is received to enable the digital document for cross-device transactions. Based on the request, a piece of metadata associated with the digital document is sent to a remote server device configured to host, among other things, the metadata associated with the digital document residing on the host client device. The metadata includes information about the digital document, some corresponding to electronically annotatable objects provided therein. A remote client device accessing the remote server device can view, among other things, the metadata associated with the digital document residing on the host client device. The remote client device obtains, in accordance with the metadata, one or more electronic annotations for transmission to the remote server device.

Abstract: A device receives instructions to record particular content and repeatedly play the recorded particular content. The device records the particular content based on the instructions, and repeatedly plays the recorded particular content based on the instructions. The device performs fraud checks based on the instructions, and determines whether the instructions are fraudulent based on the fraud checks. The device selectively provides, based on whether the instructions are fraudulent, viewership information for the particular content to a ratings device associated with a ratings entity. The viewership information for the particular content is provided to the ratings device when the instructions are not fraudulent, and is discarded when the instructions are fraudulent.

Abstract: A system of delivering data content with hardware assisted provenance proof in named data networking (NDN). The system comprises a data content server with a trusted security zone enabled that is configured to receive the first request message from the first client, and transmit the desired data content based on the name comprised in the first request message and a determination that the first client is trusted and that the routing path from the first client to the data content server is trusted. The system further comprises a signature server with a trusted security zone enabled that is configured to receive the first request message from the first client, generate a digital signature based on the desired data content, and transmit the corresponding digital signature based on a determination that the first client is trusted and that the routing path from the first client to the signature server is trusted.

Abstract: Disclosed are methods and systems for generating digital memorabilia including: providing a digital memorabilia signor with a digital photograph, a digital sports jersey, or a combination thereof; receiving at least one of an electronic signature or an electronic written message from the digital memorabilia signor to be embedded in the digital photograph, the digital sports jersey, or the combination thereof; embedding the at least one of an electronic signature or an electronic written message from the digital memorabilia signor into the digital photograph, the digital sports jersey, or a combination thereof to form the generated digital memorabilia; sending the generated digital memorabilia including the electronic signature and the electronic written message to a verification service to verify authenticity of the electronic signature and electronic written message in the generated digital memorabilia; and delivering the generated memorabilia to a digital receiver.

Abstract: Among other things, this document describes a computer-implemented security method such as for authenticated selection of security countermeasures and for reliable identification of computing devices. The method can include receiving, by a computing system, a request from a computing device for an electronic resource. The computing system can identify a security token received from the device that made the request. Based on the security token, particular security countermeasures can be selected that are to be applied to the electronic resource to be served in response to the request. The countermeasures can be operable to interfere with an ability of malware to interact with the served electronic resource when the served electronic resource is on the computing device. Portions of the electronic resource that are to be executed on the computing device can be re-coded using the selected particular security countermeasures.

Abstract: Digital content, such as video, audio, multimedia, and similar files may be associated with metadata that is in some manner descriptive of the content by means of a unique identifier generated based on the content or a portion of the content. The two may be packaged in a wrapper. If the content is separated from the metadata, such as by circulation in a non-compliant environment, the content may be recognized by a regeneration of the identifier. Based upon the re-created identifier, the metadata may be re-associated with the content. Other scenarios may include generation of compilations for files that are not included in a wrapper with content and metadata, content that becomes dissociated with metadata by transcoding, and so forth.

Abstract: A system and method of performing date shifting with randomized intervals for the de-identification of a dataset from a source database containing information identifiable to individuals is provided. The de-identified dataset is retrieved comprising a plurality of entries or records containing personal identifying information. Date quasi-identifiers in the dataset for the entries can be identified within the data set which may be used potentially identifiable for a patient. Date events are consolidated in the date quasi-identifiers and connected dates in the dataset. The date events are moved relative to an anchor date in a longitudinal sequence of the date events. De-identification of the entries in the dataset including the date quasi-identifiers is performed to meet a risk metric defining risk of re-identified patients associated with the records.

Abstract: Disclosed in one example is a method of authenticating with multiple social network services. The method may include storing first authentication information associated with a user for a first social networking service using at least one computer processor, receiving second authentication information associated with the user for a second social networking service from a social networking application, and sending to the social networking application the first authentication information. The first authentication information may enable the social networking application to utilize a protected application programming interface call for the first social networking service and the second authentication information may enable the social networking application to utilize a protected application programming interface call for the second social networking service.

Abstract: Generally discussed herein are systems, apparatuses, and methods for data storage. In one or more embodiments, a method can include parsing a file of a first node connected to a network into payloads of a plurality of Internet Protocol (IP) packets, adding a specified number of random IP headers from a list of IP headers to each of the IP packets, and communicating the IP packets including the IP headers to a second node on the network as determined by a first IP header of a respective IP packet so as to store the packet on the network buffer of the second node.

Abstract: An apparatus for validating entitlement capabilities, and determining, based on the entitlement capabilities, whether an account request associated with the entitlement capabilities qualifies for Straight Through Processing is provided. The apparatus may include a receiver. The receiver may receive entitlement authorization for a signatory and a client request to open an account. The apparatus may also include memory configured to: store, in a centralized repository, entitlement capabilities for the authorized signatory. The centralized repository may provide access to one or more signature documents associated with the authorized signatory. The centralized repository may link the signatory to one or more signature documents associated with the signatory's authorization. The apparatus may also include a display configured to display a hierarchal map of the one or more authorized signatories.

Abstract: A computer encrypts only a restricted tag element from among a plurality of content elements to be electronically published as a message for access by a plurality of users, wherein decryption of the encrypted restricted tag element is limited to a selection of at least one user from among the plurality of users. The computer outputs the plurality of content elements for electronic publication through an interface accessible to the plurality of users, wherein the plurality of users are enabled to access the plurality of content elements of the message published through the interface, wherein only the selection of at least one user is enabled to decrypt the encrypted restricted tag element in the plurality of content elements to access the underlying restricted tag element within the message published through the interface.

Abstract: An information administration system configured of: a component information management apparatus (4) including a component information storing unit (41) storing component information after sectionalizing the component information into public information and non-public information, and also sectionalizing the non-public information into information for designing and information for manufacturing, and an encryption processing unit (42) encrypting the non-public information; a designing information management apparatus (2) including a first component information receiving unit (24) receiving the component information, a first decryption unit (25) decrypting non-public component information for designing, and a designing information storing unit (22) storing designing information that is designed by adding the received component information thereto; and a manufacturing apparatus (3) including a second decryption unit (33) decrypting the received non-public component information for manufacturing, and a drive cont

Abstract: A system configured to compute match potential between first data and second data is provided. The system includes data storage storing the first data and the second data, and at least one processor coupled to the data storage. The at least one processor is configured to identify a first sequence of fingerprints characterizing a first plurality of sections of the first data, the first sequence being ordered according to an order of the first plurality of sections within the first data; identify a second sequence of fingerprints comprising fingerprints that match fingerprints within the first sequence, the second sequence of fingerprints characterizing a second plurality of sections of the second data, the second sequence being ordered according to an order of the second plurality of sections within the second data; quantify a similarity between the first sequence and the second sequence; and adjust the match potential based on the similarity.

Abstract: An electronic device configured for encoding a watermarked signal is described. The electronic device includes modeler circuitry. The modeler circuitry determines parameters based on a first signal and a first-pass coded signal. The electronic device also includes coder circuitry coupled to the modeler circuitry. The coder circuitry performs a first-pass coding on a second signal to obtain the first-pass coded signal and performs a second-pass coding based on the parameters to obtain a watermarked signal.

Abstract: Embodiments of the present invention provide an approach to repair vulnerabilities (e.g., security vulnerabilities) in images (e.g., application images) in a networked computing environment (e.g., a cloud computing environment). Specifically, an image is checked for vulnerabilities using a database of known images and/or vulnerabilities. If a vulnerability is found, a flexible/elastic firewall is established around the image so as to isolate the vulnerability. Once the firewall has been put in place, the vulnerability can be repaired by a variety of means such as upgrading the image, quarantining the image, discarding the image, and/or generating a new image. Once the image has been repaired, the firewall can be removed.

Abstract: Systems and methods for validating and applying modifications to a policy control function (PCF) of a station. The methods include generating a PCF package including a modification to a PCF, and determining whether the PCF package is to be transmitted to the station by a first or second entity. The methods further include when the PCF package is to be transmitted by the first entity, including a first signature of the first entity in a deliverer field of the PCF package, and when the PCF package is to be transmitted by the second entity, including the first signature in an owner field and a second signature of the second entity in the deliverer field. The methods further include receiving the PCF package from the first or second entity, determining whether the PCF package is valid, and applying the modification to the PCF when it is determined the PCF package is valid.

Abstract: A method, system, and apparatus are provided for controlling encrypted data stored on a remote device. In particular, a remote device includes a storage controller device that can receive a “secure hide” command from an administrator device via a cloud server. If the storage controller device determines the “secure hide” command is validly signed, then the storage controller device executes the secure command by erasing the end user's public decryption key from the storage controller device. At that point, end user access to the encrypted data on the remote device is highly improbable.

Abstract: Checking the layout integrity includes the steps of receiving inputs defining a plurality of devices for a layout, generating a signature for each device in the layout, when created, from one or more parameters of the device, storing the generated signatures with the layout, receiving the stored layout and signatures, regenerating each signature for each device in the stored layout, and comparing each regenerated signature with the corresponding stored signature.

Abstract: An information management system provides a data deduplication system that uses a primary table, a deduplication chunk table, and a chunk integrity table to ensure that a referenced deduplicated data block is only verified once during the data verification of a backup or other replication operation. The data deduplication system may reduce the computational and storage overhead associated with traditional data verification processes. The primary table, the deduplication chunk table, and the chunk integrity table, all of which are stored in a deduplication database, can also ensure synchronization between the deduplication database and secondary storage devices.

Abstract: The disclosure relates to processing content with watermarks to generate watermarked versions. In some aspects, each version may be different. Groups of fragments may be combined to generate a unique stream by pulling fragments from two or more of the groups of fragments. Further, fragmenting may be performed before watermarking, and fragments may be pulled and watermarked upon request.

Abstract: A system and method can support across-domain messaging in a transactional middleware machine environment. A gateway server in a transaction domain operates to provide a notification of an update in one or more services to one or more gateway servers in one or more remote transaction domains. Furthermore, the gateway server can receive an inquiry for said one or more services from a remote transaction domain, and send a response to a gateway server in the remote transaction domain, wherein the response contains information that allows a client in said remote transaction domain to invoke said one or more services.

Abstract: Computer systems and applications are provided for encrypting data that preserves the ability to process the encrypted data. The method includes receiving data in unencrypted form. The method further includes encrypting the data in accordance with an encryption dictionary generated by arranging the plurality of plaintext symbols in lexicographical order; defining a first subset comprising a first plurality of the lexicographically arranged symbols; defining a second subset comprising a second plurality of the lexicographically arranged symbols; defining a first set with a first plurality of unique random tokens within a first token space for use with the first plurality of symbols; and defining a second set with a second plurality of unique random tokens within a second token space for use with the second plurality of symbols such that the second plurality of unique random tokens is non-linear with respect to the first plurality of unique random tokens.

Abstract: A system and method of detecting and limiting unsolicited data uploads. Downloaded content such as web pages and emails are scanned for web forms and/or links. A watermark is added where appropriate and the modified downloaded content is forwarded to the person who requested the content. A check is made to determine whether information received from a user includes appropriate watermarks. If so, the watermark is removed and the information is forwarded to its destination.

Abstract: Data storage operation commands are digitally signed to enhance data security in a distributed system. A data storage client and a compute-enabled data storage device may share access to a cryptographic key. The data storage client uses the cryptographic key to digitally sign commands transmitted to the data storage device, which can use its copy to verify a digital signature of a command before fulfilling the command. The storage device can also determine whether to perform a transformation, such that requests authenticated to a first identity might receive cleartext while a request authenticated to a second identity might receive ciphertext. The compute-enabled storage device can also receive unauthenticated calls and attempt to retrieve the appropriate key from a key management service or other such source.

Abstract: Logic on a first remote device receives a first transaction number and personal data transmitted from a second remote device. The first transaction number was received from a distributed public database in response to a transmission, from the second remote device, of a signed hash value and a first public key associated with a first private key on the second remote device. The signed hash value was created by signing a hash value with the first private key and the hash value was generated by hashing the personal data with a hashing algorithm on the second remote device. The logic uses the first transaction number to retrieve the signed hash value and the first public key from the distributed public database. The logic hashes the personal data using the hashing algorithm to create a generated hash value and verifies the signed hash value against the generated hash value.

Abstract: The present disclosures relates generally to digital watermarking and data hiding.

Abstract: Approaches to managing a composite, non-volatile data storage device are described. In one embodiment, a method for managing a composite storage device made up of fast non-volatile storage, such as a solid state device, and slower non-volatile storage, such as a traditional magnetic hard drive, can include maintaining a first data structure, which stores instances of recent access to each unit in a set of units in the fast non-volatile storage device, such as the SSD device and also maintaining a second data structure that indicates whether or not units in the slower storage device, such as the HDD, have been accessed at least a predetermined number of times. In one embodiment, the second data structure can be a queue of Bloom filters.

Abstract: A method and device for selectively securing records in a Near Field Communication Data Exchange Format (NDEF) message in a Near Field Communication (NFC) device are provided. The method includes generating a record by setting a first field to ‘0’ and setting a second field to a predefined value, wherein the record indicates a beginning of at least one record to be secured in the NDEF message; and placing the record in the NDEF message, wherein, at least one record preceding the record is unsecured and at least one record following the record is secured.

Abstract: Example methods, apparatus, systems and articles of manufacture to implement down-mixing compensation for audio watermarking are disclosed. Example watermark embedding methods disclosed herein include determining a first attenuation factor associated with a first audio channel of a multi-channel audio signal based on first down-mixed audio samples obtained from down-mixing the first audio channel and a second audio channel of the multi-channel audio signal, determining a second attenuation factor associated with a third audio channel of the multi-channel audio signal based on second down-mixed audio samples obtained from down-mixing the second audio channel and the third audio channel of the multi-channel audio signal, selecting one of the first attenuation factor or the second attenuation factor to be a third attenuation factor associated with the second audio channel of the multi-channel audio signal, and embedding a watermark in the second audio channel based on the third attenuation factor.

Abstract: A method for managing virtual machine policy compliance. The method for restoring compliance of a virtual machine found to be non-compliant to a compliance rule may comprise detecting non-compliance of a virtual machine using a compliance agent, detaching the virtual machine from a network, creating a copy of a compliance repository volume, mounting the newly requested disk resource having stored the copy of the compliance repository volume, applying a remediation action to the virtual machine, and triggering by the compliance agent a compliance scan for ensuring that the virtual machine complies to the compliance rule.

Abstract: This specification describes technologies relating to applying electronic signatures to content items. In general, one aspect of the subject matter described in this specification can be embodied in methods that include receiving a content item and receiving a request to electronically sign the content item by a user by associating the content item with a credential associated with the user, the request comprising data identifying the credential from among a set of credentials that are associated with the user. The method may further include generating a package comprising the content item and data for the identified credential.

Abstract: Methods, systems, and computer programs for user experiencing monitoring for application remoting. One of the methods includes receiving a request to provide an application to a remote client. The application is executed to generate one or more application windows. A watermark window that includes a watermark is generated. Display data for the application is, generated, including the watermark window and the one or more application windows. The display data for the application is provided to the remote client for presentation on the remote client. Data identifying an operation to be performed by the application is obtained. The watermark is updated to encode information identifying the operation and information identifying an initialization of the operation by the application. Data identifying a completion of the operation is received by the application. The watermark is updated to encode information identifying the completion of the operation.

Abstract: A pool of public keys, having a pool size, is received from a first device. The pool size reflects a target number of keys to be included in the pool. One of the received public keys included in the pool of keys is designated as a reserve key. A public key is selected from the pool of received public keys for use in conjunction with encrypting a communication to the first device. The selecting includes preferentially selecting a public key that is not designated as a reserve key, if at least one such key is present in the pool in addition to the reserve key. The size of the pool can be dynamically adjusted.

Abstract: Program code is modified to execute correctly only when code and data memory accesses/fetches are synchronised, i.e. data and code accesses/fetches are routed to identical physical addresses in computer memory. This indirectly defeats the MMU attack, in which code and data memory accesses/fetches to the same logical address are routed to different physical addresses. The program code is modified such that one or more sections of the code (“repair targets”) are deliberately broken so that the program code will not execute correctly, the repair targets being replaced at run time with correct code before the repair targets are executed.

Abstract: An information element, uniquely related to a media fingerprint that is uniquely derived from a media content portion during play out thereof, is provided to a first web page. The first web page stores the information element with an associated first information set, which relates to one or more media fingerprints. One or more second web pages store at least a second information set, which relates to one or more media fingerprints. The first and at least second web pages are accessed and crawled in relation to the first and the at least second information sets. One or more information elements, which are common to the first and the at least second information sets, are indexed. The first web page and the at least one of the second web pages are related based on the indexed common information elements.

Abstract: Systems and methods for multi-hop service discovery within a mobile device cluster are disclosed. A seeker station may be seeking or may have found a desired service available from a provider station. The seeker station may receive the service announcement from the provider station, and become a proxy station, expanding the service area of the provider station. The proxy station may selectively transmit services and advertisements for services on behalf of the provider station based on restrictions placed on selection as a proxy station. Restrictions or conditions may be placed on the proxy station limiting the number of stations that may become proxy stations, limiting traffic within the cluster. Some restrictions may require a proxy station to be a member of the cluster or a member of a group within the cluster.

Abstract: A method comprises signing boot code with a public/private cryptographic key pair, and writing to storage the boot code, the public cryptographic key, and the signed boot code.

Abstract: Image recognition and augmented reality experiences utilize auxiliary data extracted from an image or video, or image fingerprints, or a combination of both. One claim recites a method comprising: receiving a plurality of imagery frames captured by a device sensor; identifying a plurality of key points in each of the plurality of imagery frames; resolving image pose by utilizing relative relationships of the key points between different frames of the plurality of frames; modifying imagery of at least one of the plurality of frames based on resolved image pose; and deriving a fingerprint from modified imagery. Of course other claims and combinations are provided as well.