Having Separate Add-on Board Patents (Class 713/192)
  • Patent number: 8261091
    Abstract: An architecture is presented that facilitates secure token generation and transmission capabilities in a mobile device. The system comprises at least one software application that includes a secure token assigned to a specific user and a memory module that communicates with an external processor. A security processor, non-volatile memory component and volatile memory component are integrated to form the memory module that communicates with the external processor. The memory module creates a secure execution environment for the execution of application agents associated with the software application and the secure token. The security processor of the system communicates with the software application and external processor to manage generation, authentication, confidentiality, and transmission of the secure token. And, the non-volatile memory allows the introduction of new tokens and the removal of old tokens.
    Type: Grant
    Filed: December 21, 2006
    Date of Patent: September 4, 2012
    Assignee: Spansion LLC
    Inventors: Russell Barck, Jeremy Werner
  • Patent number: 8255996
    Abstract: A network switch automatically detects undesired network traffic and mirrors the undesired traffic to a security management device. The security management device determines the source of the undesired traffic and redirects traffic from the source to itself. The security management device also automatically sends a policy to a switch to block traffic from the source.
    Type: Grant
    Filed: December 30, 2005
    Date of Patent: August 28, 2012
    Assignee: Extreme Networks, Inc.
    Inventors: Craig T. Elrod, Prakash Kashyap
  • Patent number: 8250648
    Abstract: A security system for a computer operating system comprising a processor (37) that is independent of the host CPU (13) for controlling access between the host CPU (13) and a security partition formed in the storage device (21) for storing the operating system. A program memory (41) that is independent of the computer memory and the storage device (21) unalterably stores and provides computer programs for operating the processor (37) in a manner so as to control access to the security partition in the storage device (21). All data access by the host CPU (13) to the data storage device (21) is blocked before initialization of the security system and is intercepted immediately after the initialization under the control of the processor (37). The processor (37) effects independent control of the host CPU (13) and configuration of the computer (11) to prevent unauthorised access to the security partition on the storage device (21) during the interception phase.
    Type: Grant
    Filed: March 29, 2004
    Date of Patent: August 21, 2012
    Assignee: Secure Systems Limited
    Inventors: Richard Kabzinski, Michael Alfred Hearn, Russell E. Powers
  • Publication number: 20120210122
    Abstract: A method and system for securing a handheld computing device is described. A personal encryption device may be physically connected to a handheld computing device. Responsive to the connection, a main screen user interface may be displayed on a display of the handheld computing device. The main screen user interface may include at least one cryptography option for a user of the handheld computing device. A user-defined input representative of selection of a first cryptography option of the at least one cryptography option may be received, and at least one cryptography process associated with the selected first cryptography option may be implemented by the handheld computing device and personal encryption device. The cryptography options may include encryption, decryption, digital signatures, and digital signature verification.
    Type: Application
    Filed: February 11, 2011
    Publication date: August 16, 2012
    Applicant: BANK OF AMERICA LEGAL DEPARTMENT
    Inventors: Richard John Woodward, Amanda Jane Adams
  • Patent number: 8245053
    Abstract: Methods and systems for binding a removable trusted platform module (TPM) subsystem module to an information handling system to provide a core root of trust for the information handling system without requiring soldering down or other hard and permanent (non-removable) attachment of a TPM device to the information handling system planar (e.g., motherboard). The removable TPM subsystem module may be a plug-in module that may be removed from the information handling system planar (e.g., motherboard), while at the same time maintaining the transitive chain of trust, and being capable of remotely attesting its trusted state. An information handling system platform may be provided that has the capability and flexibility of supporting multiple TPMs on the same system planar.
    Type: Grant
    Filed: March 10, 2009
    Date of Patent: August 14, 2012
    Assignee: Dell Products, Inc.
    Inventors: Quy Hoang, Mukund P. Khatri, Pankaj Bishnoi
  • Patent number: 8238557
    Abstract: An encoder according to the present invention embodiments employs a key expansion module to expand an encryption key by using logic and available clock cycles of an encryption process or loop. The key expansion module generates control signals to enable key expansion data to be injected at appropriate times into the encryption loop (e.g., during available clock cycles of the encryption loop) to perform the key expansion, thereby utilizing the resources of the encryption loop for key expansion. The key expansion module dynamically accounts for varying key lengths, and enables the encryption loop to combine the data being encrypted with proper portions of the expanded key. The use of encryption logic and available clock cycles of the encryption loop for the key expansion reduces the area needed by the encoder on a chip and enhances encoder throughput.
    Type: Grant
    Filed: December 16, 2008
    Date of Patent: August 7, 2012
    Assignee: Exelis Inc.
    Inventor: Bruce Edward Reidenbach
  • Patent number: 8239945
    Abstract: An intrusion detection system (IDS) comprises a network processor (NP) coupled to a memory unit for storing programs and data. The NP is also coupled to one or more parallel pattern detection engines (PPDE) which provide high speed parallel detection of patterns in an input data stream. Each PPDE comprises many processing units (PUs) each designed to store intrusion signatures as a sequence of data with selected operation codes. The PUs have configuration registers for selecting modes of pattern recognition. Each PU compares a byte at each clock cycle. If a sequence of bytes from the input pattern matches a stored pattern, the identification of the PU detecting the pattern is outputted with any applicable comparison data. By storing intrusion signatures in many parallel PUs, the IDS can process network data at the NP processing speed. PUs may be cascaded to increase intrusion coverage or to detect long intrusion signatures.
    Type: Grant
    Filed: December 14, 2008
    Date of Patent: August 7, 2012
    Assignee: International Business Machines Corporation
    Inventors: Marc A. Boulanger, Clark D. Jeffries, C. Marcel Kinard, Kerry A. Kravec, Ravinder K. Sabhikhi, Ali G. Saidi, Jan M. Slyfield, Pascal R. Tannhof
  • Patent number: 8219830
    Abstract: A method for accessing data in a data storage system is presented. The method includes supplying a host computer that is in communication with the data storage system, where the data storage system includes a data storage medium and a holographic data storage medium. A first request is generated to access a directory encoded in the data storage medium and includes a first encryption key. The requested directory recites a listing of data files encoded in the holographic storage medium. If the first encryption key decrypts the directory, the directory is read and a data file encoded in the holographic data storage medium is identified. A second request is then generated to access the data file and includes a second encryption key. Finally, if the second encryption key decrypts the data file, then it is read.
    Type: Grant
    Filed: July 17, 2009
    Date of Patent: July 10, 2012
    Assignee: International Business Machines Corporation
    Inventors: Allen Keith Bates, Nils Haustein, Craig Anthony Klein, Daniel James Winarski
  • Patent number: 8214901
    Abstract: A method and apparatus are provided for combating malicious code. In one embodiment, a method for combating malicious code in a network includes implementing a resource-limiting technique to slow a propagation of the malicious code and implementing a leap-ahead technique in parallel with the resource-limiting technique to defend against the malicious code reaching a full saturation potential in the network.
    Type: Grant
    Filed: September 19, 2005
    Date of Patent: July 3, 2012
    Assignee: SRI International
    Inventors: Phillip Porras, Linda Briesemeister
  • Patent number: 8209764
    Abstract: Database management and security is implemented in a variety of embodiments. In one such embodiment, data sets containing sensitive data elements are analyzed using aliases representing sensitive data elements. In another embodiment, the sensitive data elements are stored in an encrypted form for use from a secure access, while the alias is available for standard access.
    Type: Grant
    Filed: December 27, 2010
    Date of Patent: June 26, 2012
    Assignee: Aspect Loss Prevention, LLC
    Inventors: David A. Duhaime, Brad J. Duhaime
  • Patent number: 8205260
    Abstract: Various embodiments of a system and method for providing protection against malicious software programs are disclosed. The system and method may be operable to detect that a first window of a legitimate software program has been replaced by a second window of a malicious software program, e.g., where the second window includes features to mimic the first window in an effort to fool the user into inputting sensitive information into the second window. The method may operate to alert the user when the window replacement is detected.
    Type: Grant
    Filed: December 19, 2007
    Date of Patent: June 19, 2012
    Assignee: Symantec Operating Corporation
    Inventors: Mark Eric Obrecht, Vijay Bharti, Barrett Baxter
  • Patent number: 8201252
    Abstract: The present invention provides systems and methods for providing distributed, adaptive IP filtering techniques used in detecting and blocking IP packets involved in DDOS attacks through the use of Bloom Filters and leaky-bucket concepts to identify “attack” flows. In an exemplary embodiment of the present invention, a device tracks certain criteria of all IP packets traveling from IP sources outside a security perimeter to network devices within the security perimeter. The present invention examines the criteria and places them in different classifications in a uniformly random manner, estimates the amount of criteria normally received and then determines when a group of stored classifications is too excessive to be considered normal for a given period of time. After the device determines the criteria that excessive IP packets have in common, the device then determines rules to identify the packets that meet such criteria and filters or blocks so identified packets.
    Type: Grant
    Filed: September 3, 2002
    Date of Patent: June 12, 2012
    Assignee: Alcatel Lucent
    Inventors: Mooi Choo Chuah, Wing Cheong Lau, On-Ching Yue
  • Patent number: 8195954
    Abstract: A memory controller for a smart card including a non-volatile memory can include an internal circuit that is configured to perform cryptographic key processing responsive to a first clock and a non-volatile memory interface circuit for transferring/receiving a signal to/from the internal circuit in synchronization with the first clock and transferring/receiving the signal to/from an external device in synchronization with a second clock that is asynchronous relative to the first clock.
    Type: Grant
    Filed: June 27, 2007
    Date of Patent: June 5, 2012
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Keon-Han Sohn
  • Patent number: 8195958
    Abstract: A telephone conversation between one or several first telecommunication terminals in a packet oriented data network and telecommunication terminals in an analog and/or digital network is encrypted by a module which enables the use of protocols from a LAN network to a TDM network to carry out end-to-end encryption.
    Type: Grant
    Filed: November 9, 2004
    Date of Patent: June 5, 2012
    Assignee: Siemens Aktiengesellschaft
    Inventor: Steffen Fries
  • Patent number: 8191158
    Abstract: The present invention provides systems and methods for secure transaction management and electronic rights protection. Electronic appliances such as computers equipped in accordance with the present invention help to ensure that information is accessed and used only in authorized ways, and maintain the integrity, availability, and/or confidentiality of the information. Such electronic appliances provide a distributed virtual distribution environment (VDE) that may enforce a secure chain of handling and control, for example, to control and/or meter or otherwise monitor use of electronically stored or disseminated information. Such a virtual distribution environment may be used to protect rights of various participants in electronic commerce and other electronic or electronic-facilitated transactions. Distributed and other operating systems, environments and architectures, such as, for example, those using tamper-resistant hardware-based processors, may establish security at each node.
    Type: Grant
    Filed: August 20, 2007
    Date of Patent: May 29, 2012
    Assignee: Intertrust Technologies Corporation
    Inventors: Karl L. Ginter, Victor H. Shear, Francis J. Spahn, David M. Van Wie
  • Patent number: 8189793
    Abstract: A key terminal apparatus includes a crypto-processing LSI that performs predetermined crypto-processing. Unique information identifying the crypto-processing LSI is embedded in the crypto-processing LSI. A predetermined master key corresponding to a predetermined key is embedded in the crypto-processing LSI. The crypto-processing LSI (a) receives an encrypted manufacturer key from the manufacturer key storage unit, (b) decrypts the encrypted manufacturer key using the predetermined master key to generate a manufacturer key, (c) generates a unique manufacturer key identical to the predetermined unique manufacturer key, based on the unique information embedded in the crypto-processing LSI and the generated manufacturer key, and (d) decrypts the received encrypted device key using the generated identical unique manufacturer key to generate a predetermined device key.
    Type: Grant
    Filed: August 7, 2008
    Date of Patent: May 29, 2012
    Assignee: Panasonic Corporation
    Inventors: Yoshikatsu Ito, Kouichi Kanemura
  • Patent number: 8191157
    Abstract: The present invention provides systems and methods for secure transaction management and electronic rights protection. Electronic appliances such as computers equipped in accordance with the present invention help to ensure that information is accessed and used only in authorized ways, and maintain the integrity, availability, and/or confidentiality of the information. Such electronic appliances provide a distributed virtual distribution environment (VDE) that may enforce a secure chain of handling and control, for example, to control and/or meter or otherwise monitor use of electronically stored or disseminated information. Such a virtual distribution environment may be used to protect rights of various participants in electronic commerce and other electronic or electronic-facilitated transactions. Distributed and other operating systems, environments and architectures, such as, for example, those using tamper-resistant hardware-based processors, may establish security at each node.
    Type: Grant
    Filed: June 25, 2007
    Date of Patent: May 29, 2012
    Assignee: Intertrust Technologies Corporation
    Inventors: Karl L. Ginter, Victor H. Shear, Francis J. Spahn, David M. Van Wie
  • Patent number: 8181038
    Abstract: Systems and methods for secure program execution are described. At least one embodiment includes a system for securely executing software comprising a host configured to accept a disc containing encrypted content to be accessed and store an encrypted program used to access the content on the disc. The system further comprises a secure coprocessor communicatively coupled to the host and configured to receive the encrypted program, decrypt and execute the encrypted program, and communicate an output generated by the program back to the host.
    Type: Grant
    Filed: April 11, 2007
    Date of Patent: May 15, 2012
    Assignee: Cyberlink Corp.
    Inventor: Chih-Chung Chang
  • Publication number: 20120117378
    Abstract: A Personal Computer Memory Card International Association (PCMCIA) card is disclosed. The PCMCIA card may include a cryptographic module, a communications interface, and a processor. The cryptographic module may perform Type 1 encryption of data received from a computer into which the card is inserted. The cryptographic module may support High Assurance Internet Protocol Encryption (HAIPE). The communications interface may provide connectivity to a network adapter. The communications interface may include a Universal Serial Bus (USB) interface. The processor may detect whether a network adapter is coupled to the communications interface, identify a device driver that corresponds to the network adapter, and employ the device driver to provide operative communication between the cryptographic module and the network adapter. The PCMCIA card may contain a datastore that maintains a plurality of device drivers. For example, the plurality of device drivers support any one of IEEE 802.x, Ethernet, V.
    Type: Application
    Filed: October 4, 2011
    Publication date: May 10, 2012
    Applicant: L3 COMMUNICATIONS CORPORATION
    Inventors: John A. Modica, Kenneth White
  • Patent number: 8176337
    Abstract: In the field of computer software, obfuscation techniques for enhancing software security are applied to compiled (object) software code. The obfuscation results here in different versions (instances) of the obfuscated code being provided to different installations (recipient computing devices). The complementary code execution uses a boot loader or boot installer-type program at each installation which contains the requisite logic. Typically, the obfuscation results in a different instance of the obfuscated code for each intended installation (recipient) but each instance being semantically equivalent to the others. This is accomplished in one version by generating a random value or other parameter during the obfuscation process, and using the value to select a particular version of the obfuscating process, and then communicating the value along with boot loader or installer program software.
    Type: Grant
    Filed: March 12, 2008
    Date of Patent: May 8, 2012
    Assignee: Apple Inc.
    Inventors: Mathieu Ciet, Julien Lerouge, Augustin J. Farrugia
  • Patent number: 8176249
    Abstract: Method for embedding a session secret, within an application instance, comprising the steps of generating an ephemeral session secret by a master application. Embedding, by master application, secret bytes, within application bytes of a slave application. Calculating said ephemeral session secret, by slave application, from said embedded secret bytes, when slave application is executed.
    Type: Grant
    Filed: April 28, 2007
    Date of Patent: May 8, 2012
    Inventor: Amiram Grynberg
  • Patent number: 8171309
    Abstract: Secure memory controlled access is described. In embodiment(s), memory stores encrypted data and the memory includes a secure memory partition to store cryptographically sensitive data utilized to control access to the encrypted data stored on the memory. Controller firmware can access the encrypted data stored on the memory, but is precluded from access to the secure memory partition and the cryptographically sensitive data. Secure firmware can access the cryptographically sensitive data stored on the secure memory partition to control access by the controller firmware to the encrypted data stored on the memory.
    Type: Grant
    Filed: November 14, 2008
    Date of Patent: May 1, 2012
    Assignee: Marvell International Ltd.
    Inventors: Tze Lei Poo, Gregory Burd
  • Patent number: 8171284
    Abstract: An encryption device, a decryption device, an encryption method, and a decryption method effectively perform encryption and decryption by using a packet type judgment result. An encryption/decryption device includes a packet reception unit that acquires a packet, a first encryption engine that is formed by hardware and encrypts or decrypts a packet, and a second encryption engine that encrypts or decrypts a packet by using software. The encryption/decryption device also includes a head data identification unit that judges the real time feature of the acquired packet according to the header information on the acquired packet, and an encryption/decryption process judgment unit that decides the acquired packet encryption destination or decryption destination in accordance with the real time feature from the first encryption engine and the second encryption engine.
    Type: Grant
    Filed: July 31, 2007
    Date of Patent: May 1, 2012
    Assignee: Panasonic Corporation
    Inventors: Satoshi Senga, Toshio Oka
  • Patent number: 8166561
    Abstract: A security device including a first external interface; a second external interface; and a security controller connected to said first external interface and said second external interface, said security controller being adapted to validate an access right based on a codeword received via said first interface to perform an encrypted memory access via said second external interface to an external memory coupleable to said second external interface, and to prevent that encrypted memory access via said first external interface or prevent any output of data via said first external interface depending on data received via said second external interface in case of a negative validation.
    Type: Grant
    Filed: February 13, 2008
    Date of Patent: April 24, 2012
    Assignee: Infineon Technologies AG
    Inventors: Peter Laackmann, Marcus Janke
  • Patent number: 8166566
    Abstract: A method and apparatus for enabling a licensed end user to record digital data as described is particularly useful to the music industry as it enables them to make audio data available over the internet but to retain control of the uses to which that audio data can be put. Thus, upon completing a financial transaction to pay for the required audio tracks, the end user is enabled to download and decrypt encrypted music tracks and to play them on the end user's personal computer. The end user can also be allowed to burn a CD including the downloaded music tracks. However, the end user is only enabled to decrypt and record the music tracks onto the CD if the music tracks are recorded together with copy protection.
    Type: Grant
    Filed: March 23, 2009
    Date of Patent: April 24, 2012
    Assignee: Rovi Solutions Corporations
    Inventor: Peter Alfred Newman
  • Patent number: 8166304
    Abstract: A method, computer program product, and data processing system are disclosed for ensuring that applications executed in the data processing system originate only from trusted sources. In a preferred embodiment, a secure operating kernel maintains a “key ring” containing keys corresponding to trusted software vendors. The secure kernel uses vendor keys to verify that a given application was signed by an approved vendor. To make it possible for independent developers to develop software for the herein-described platform, a “global key pair” is provided in which both the public and private keys of the pair are publicly known, so that anyone may sign an application with the global key. Such an application may be allowed to execute by including the global key pair's public key in the key ring as a “vendor key” or, conversely, it may be disallowed by excluding the global public key from the key ring.
    Type: Grant
    Filed: October 2, 2007
    Date of Patent: April 24, 2012
    Assignee: International Business Machines Corporation
    Inventors: Masana Murase, Wilfred E. Plouffe, Jr., Kanna Shimizu, Vladimir Zbarsky
  • Patent number: 8161295
    Abstract: Method for storing data in the memory (1.2) of an electronic device (1), wherein the data to be stored is encrypted with an encryption key (Ks). The electronic device (1) is provided with an identification card (2) equipped with a cryptographic algorithm and an individual identifier (ID). In the electronic device (1), at least one seed value (RAND1, RAND2, RAND3) is generated, and the at least one seed value is transmitted to the identification card (2). The cryptographic algorithm is performed on the identification card (2), with the seed value (RAND1, RAND2, RAND3) being used as the input, wherein at least one derived value (Kc1, Kc2, Kc3) is produced in the algorithm. The at least one derived value (Kc1, Kc2, Kc3) is transmitted to the electronic device (1), wherein the at least one derived value (Kc1, Kc2, Kc3) is used in the formation of the encryption key (Ks). The invention also relates to an electronic device (1), module, and computer software product.
    Type: Grant
    Filed: March 17, 2005
    Date of Patent: April 17, 2012
    Assignee: Nokia Corporation
    Inventors: Jukka-Pekka Honkanen, Jouni Mikkonen, Henry Haverinen
  • Patent number: 8161554
    Abstract: An intrusion detection system for a computer network includes a knowledge database that contains a baseline of normal host behavior, and a correlation engine that monitors network activity with reference to the knowledge database. The correlation engine accumulates information about anomalous events occurring on the network and then periodically correlates the anomalous events. The correlation engine generates a worm outbreak alarm when a certain number of hosts exhibit a role-reversal behavior. It is emphasized that this abstract is provided to comply with the rules requiring an abstract that will allow a searcher or other reader to quickly ascertain the subject matter of the technical disclosure. It is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims. 37 CFR 1.72(b).
    Type: Grant
    Filed: April 26, 2005
    Date of Patent: April 17, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Karthikeyan M. Sadhasivam, Shuguang Zhang, Ravi K. Varanasi
  • Patent number: 8155315
    Abstract: A data file reproduction system has a data file supplying apparatus that extracts video data and audio data from a received data file, compresses the extracted video and audio data and produces a compressed data file containing the compressed audio and video data together with meta data or navigation data determined from the received data file for enabling navigation of the original data file. The compressed data file is then copy-protected. Upon request, the copy-protected compressed data file is communicated to a reproduction apparatus.
    Type: Grant
    Filed: January 26, 2006
    Date of Patent: April 10, 2012
    Assignee: Rovi Solutions Corporation
    Inventor: Jonny Boyd Reckless
  • Patent number: 8156548
    Abstract: An identification system 1 used for authenticating a user at a user station 30 requesting access to secure information at a base station 20, wherein the system 1 includes one or more base stations 20, one or more user stations 30, and one or more identification devices 10 used for authenticating the user of the user station 30. The identification device 10 is coupled to a user station 30. The device 10 includes a plurality of device codes and identity data, to receive an identification request from the base station 20, generate an identification response including an identification code using the plurality of device codes and a plurality of algorithms, and, transfer the identification response back to the base station 20. The base station 20 authenticates the user's request for secure information by using the identification response.
    Type: Grant
    Filed: November 20, 2006
    Date of Patent: April 10, 2012
    Assignee: Future Internet Security IP Pty Ltd.
    Inventor: Nabil Magdi
  • Publication number: 20120079287
    Abstract: A method for authenticating and deciphering an encrypted program file for execution by a secure element includes receiving the program file and a digital certificate that is associated with the program file from an external device. The method stores the program file and the associated certificate in a secure random access memory disposed in the secure element and hashes the program file to obtain a hash. The method authenticates the program file by comparing the obtained hash with a checksum that is stored in the certificate. Additionally, the method writes runtime configuration information stored in the certificate to corresponding configuration registers disposed in the secure element. The method further generates an encryption key using a seed value stored in the certificate and a unique identifier disposed in the secure element and deciphers the program file using the generated encryption key.
    Type: Application
    Filed: March 25, 2011
    Publication date: March 29, 2012
    Applicant: MaxLinear, Inc.
    Inventor: Maxime Leclercq
  • Patent number: 8141165
    Abstract: The present invention provides systems and methods for secure transaction management and electronic rights protection. Electronic appliances such as computers equipped in accordance with the present invention help to ensure that information is accessed and used only in authorized ways, and maintain the integrity, availability, and/or confidentiality of the information. Such electronic appliances provide a distributed virtual distribution environment (VDE) that may enforce a secure chain of handling and control, for example, to control and/or meter or otherwise monitor use of electronically stored or disseminated information. Such a virtual distribution environment may be used to protect rights of various participants in electronic commerce and other electronic or electronic-facilitated transactions. Distributed and other operating systems, environments and architectures, such as, for example, those using tamper-resistant hardware-based processors, may establish security at each node.
    Type: Grant
    Filed: July 13, 2007
    Date of Patent: March 20, 2012
    Assignee: Intertrust Technologies Corporation
    Inventors: Karl L. Ginter, Victor H. Shear, Francis J. Spahn, David M. Van Wie
  • Patent number: 8135961
    Abstract: A method for interacting with a memory device is provided. In this method, a cryptographic communication application is registered to be associated with a protocol type in a web browser. A message encapsulated in the protocol type from the web browser is received and thereafter transmitted to the memory device. Here, the message is associated with a cryptographic operation.
    Type: Grant
    Filed: April 14, 2010
    Date of Patent: March 13, 2012
    Assignee: SanDisk Technologies Inc.
    Inventors: Susan Cannon, Kevin Lewis
  • Patent number: 8131988
    Abstract: An electronic device includes a power supply unit, a control unit, a first boot circuit, and a data encryption unit. The control unit outputs a boot signal for causing the power supply unit to start supplying power. The first boot circuit interconnects the power supply unit and the control unit for transmitting the boot signal. The data encryption unit is for interconnecting the power supply unit and the control unit so as to form a second boot circuit through which the boot signal is transmitted and for cutting off the first boot circuit.
    Type: Grant
    Filed: January 30, 2009
    Date of Patent: March 6, 2012
    Assignee: Wistron Corporation
    Inventors: Ren-Ting Hou, Chung-Li Lai
  • Patent number: 8127151
    Abstract: A system and method of recovering encoded information contained in a device by storing and retrieving at least part of the necessary decoding data by setting and measuring the physical characteristics of the device. Storage and recovery options include, but are not limited to, measurement of electronic or optical characteristics of electrically or optically conductive portions of the device using a range of measurement techniques that include, but are not limited to, time-domain reflectometry.
    Type: Grant
    Filed: October 13, 2009
    Date of Patent: February 28, 2012
    Assignee: Lockheed Martin Corporation
    Inventors: Patrick A. Nelson, Christian Adams
  • Publication number: 20120047374
    Abstract: Systems and apparatuses disclosed herein provide for a tamper resistant electronic device. The electronic device can include a circuit board, housing, a security shield, one or more pressure sensitive switches, and security electronics. The security shield can cover a first area of the circuit board and be configured to sense tampering. The security shield can also be integrated into the first part of the housing, wherein a second area of the circuit board is covered by the housing and is outside of the security shield, both the first area and the second area having electronics therein. The security electronics on the circuit board can be coupled to the security shield and the one or more pressure switches, and can be configured to zeroize data stored on the circuit board if the security shield senses tampering or if one or more of the one or more pressure sensitive switches is disengaged.
    Type: Application
    Filed: November 3, 2011
    Publication date: February 23, 2012
    Applicant: CRAM WORLDWIDE, LLC
    Inventors: R. Daren Klum, Matthew D. Fairchild, Daniel L. Hench, Keith A. Pagan, Robert Sean Hagen
  • Patent number: 8121286
    Abstract: A system and method for coding data to help resist differential attacks. Data in m columns may be initialized to an initialized value. One new column of data may be mixed with a new input word and input to an advanced mixer. The advanced mixer may include linear mixing having indexed bytes and performing of exclusive-OR operation and transposing. An output of the advanced mixer may be a new m column state. A value of m could be 0 through 30. The value of m may have a preferred range of 27 through 36. Systems to implement the foregoing method are also described.
    Type: Grant
    Filed: October 28, 2008
    Date of Patent: February 21, 2012
    Assignee: International Business Machines Corporation
    Inventors: Shai Halevi, William Eric Hall, Charanjit S. Jutla
  • Patent number: 8121285
    Abstract: A system and method for data processing for coding. The method may include providing a first plurality of bytes of data, non-linearly transforming the first plurality of bytes into a second plurality of bytes, multiplying each of the second plurality of bytes of data by a predetermined constant of a plurality of constants to generate a third plurality of bytes, and organizing in use the third plurality of bytes as a plurality of output bytes. Systems to practice the foregoing methods are also described.
    Type: Grant
    Filed: October 28, 2008
    Date of Patent: February 21, 2012
    Assignee: International Business Machines Corporation
    Inventor: Charanjit S. Jutla
  • Patent number: 8117462
    Abstract: Systems and methods consistent with the present invention encode a list so users of the list may make inquiries to the coded list without the entire content of the list being revealed to the users. Once each item in the list has been encoded by an encoder, a bit array with high and low values may be used to represent the items in the list. The bit array may be embodied in a validation system for allowing users to query the list to determine whether an inquiry item is on the list. The validation system determines which bits to check by executing the same coding process executed by the encoder. If all the bits are high, then the inquiry item is determined to be part of the list; if at least one of the bits is low, then the inquiry item is determined not to be part of the original list.
    Type: Grant
    Filed: September 22, 2005
    Date of Patent: February 14, 2012
    Assignee: United States Postal Service
    Inventors: Robert F. Snapp, James D. Wilson
  • Patent number: 8116452
    Abstract: To provide a content playback device capable of protecting content according to DRM, when decrypting encrypted content recorded on a recording medium and playing the decrypted content. If key generation information is “00”, a key control unit 104 concatenates a decrypted media key and content information in this order, and applies a one-way function to the concatenation result to generate a content key. If the key generation information is “10”, the key control unit 104 sets a rights key as the content key. If the key generation information is “01”, the key control unit 104 concatenates the decrypted media key and the rights key in this order, and applies a one-way function to the concatenation result to generate the content key.
    Type: Grant
    Filed: January 19, 2011
    Date of Patent: February 14, 2012
    Assignee: Panasonic Corporation
    Inventors: Masaya Yamamoto, Toshihisa Nakano, Motoji Ohmori, Masayuki Kozuka
  • Publication number: 20120036372
    Abstract: An integrated circuit (IC) includes a demodulator for receiving encrypted information data and a hardware unit that enables conditional access to the information data. The hardware unit includes a processing unit, a RAM, a ROM, multiple non-volatile registers, and an interface unit for transferring an attribute to the demodulator. The non-volatile registers may include an IC identification and an encryption key. In an embodiment, the ROM includes a boot code that causes the processing unit to fetch a code from an external memory and store the fetched code in the RAM. The fetched code may include a certificate that ensures the authenticity of the code. The fetched code may be encrypted and decrypted by the ROM using the IC identification and the encryption key. The demodulator includes a descrambler for decrypting the received information data using the attribute. The information data may include digital radio or television content.
    Type: Application
    Filed: February 4, 2011
    Publication date: February 9, 2012
    Applicant: MaxLinear, Inc.
    Inventor: Maxime Leclercq
  • Patent number: 8112634
    Abstract: Methods and devices for increasing or hardening the security of data stored in a storage device, such as a hard disk drive, are described. A storage device provides for increased or hardened security of data stored in hidden and non-hidden partitions of a storage medium in the device. An algorithm may be utilized for deriving a key that is used to encrypt or decrypt text before it is read from or written to the hard disk. The algorithm accepts as input a specific media location factor, such as an end address or start address of the block where the text is being read from or written to, and a secret key of the storage component. The output of the algorithm is a final key that may be used in the encryption and decryption process. Thus, in this manner, the final key is dependent on the location of the block where the data is being written or read, thereby making it more difficult to tamper with the data, which may be stored in a hidden or non-hidden partition of a hard disk.
    Type: Grant
    Filed: June 4, 2008
    Date of Patent: February 7, 2012
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Onur Aciicmez, Xinwen Zhang, Jean-Pierre Seifert
  • Publication number: 20120011351
    Abstract: An electronic circuit (200) includes one or more programmable control-plane engines (410, 460) operable to process packet header information and form at least one command, one or more programmable data-plane engines (310, 320, 370) selectively operable for at least one of a plurality of cryptographic processes selectable in response to the at least one command, and a programmable host processor (100) coupled to such a data-plane engine (310) and such a control-plane engine (410). Other processors, circuits, devices and systems and processes for their operation and manufacture are disclosed.
    Type: Application
    Filed: June 21, 2011
    Publication date: January 12, 2012
    Applicant: TEXAS INSTRUMENTS INCORPORATED
    Inventors: Amritpal Singh Mundra, Denis Roland Beaudoin
  • Patent number: 8095949
    Abstract: A viewer for displaying electronic books and having various features for restricting access to their content. A user may assign ratings to stored electronic books, or use standard ratings, and assign access levels to potential users. The ratings and access levels determine which electronic books, or portions of the electronic books, a particular user may access on the viewer.
    Type: Grant
    Filed: June 25, 1999
    Date of Patent: January 10, 2012
    Assignee: Adrea, LLC
    Inventors: John S. Hendricks, Michael L. Asmussen
  • Patent number: 8095990
    Abstract: A gaming machine comprises a gaming board and a mother board. The gaming board comprises a boot ROM and a card slot. The boot ROM stores therein an authentication program for authenticating a gaming program and a gaming system program stored in a memory card. The card slot receives the memory card therein. The mother board comprises a main CPU and a RAM. The main CPU reads the authentication program from the boot ROM and the gaming program and gaming system program from the memory card received in the card slot. The main CPU executes an authentication process for the read gaming program and gaming system program according to the read authentication program. The main CPU writes the authenticated gaming program and gaming system program to the RAM. The main CPU controls a game proceeding according to the written gaming program and gaming system program.
    Type: Grant
    Filed: April 19, 2006
    Date of Patent: January 10, 2012
    Assignee: Universal Entertainment Corporation
    Inventor: Tatsuhiko Tanimura
  • Patent number: 8091140
    Abstract: A system consisting of a memory storage unit in which the licensed audio files are stored. The function of this device is to recognize the requested data and thereby allow the audio file contents from the memory storage unit according to the instructions set to this device. It is an effective means for protecting the audio files in the device from duplication.
    Type: Grant
    Filed: April 12, 2006
    Date of Patent: January 3, 2012
    Assignee: Trinity Future-IN PVT. Ltd.
    Inventor: George John Thekkethil
  • Patent number: 8090956
    Abstract: To provide a program conversion device capable of executing a program that includes a secret operation using secret information without exposure of the secret information in a memory. In an execution program generation device, with respect to an original program that includes the secret operation, a combining function generation unit generates combining function processing for applying a bitwise self-dual function to an input value, a split secret information generation unit generates pieces of split secret information by performing an inverse operation of the self-dual function, a program conversion unit generates pieces of split secret operation processing each for performing the operation between each bit value of the operand information and a corresponding bit value of a different piece of the split secret information, and replaces the secret operation processing with the pieces of the split secret operation processing and the combining function processing.
    Type: Grant
    Filed: March 27, 2006
    Date of Patent: January 3, 2012
    Assignees: Panasonic Corporation, Nara Institute of Science and Technology
    Inventors: Rieko Asai, Taichi Sato, Tomoyuki Haga, Kenichi Matsumoto, Akito Monden, Masahide Nakamura
  • Patent number: 8090960
    Abstract: At a seller, an encryption device encrypts content data stored in a content server using an encryption key generated by an encryption key generation device, and records the encrypted content data and a communication program on a recording medium. A paper indicating an identification code unique to each recording medium is attached to the recording medium. A decryption key corresponding to the encryption key and the identification code are registered in a managing database. A user terminal sends the identification code to a decryption key managing server apparatus via Internet in accordance with the communication program, in a case where the user terminal is to copy or install or reproduce the content data stored on the recording medium. The decryption key managing server apparatus sends a decryption key corresponding to this identification code to the user terminal. The user terminal decrypts the content data using the decryption key sent thereto.
    Type: Grant
    Filed: July 27, 2006
    Date of Patent: January 3, 2012
    Assignee: Ricoh Company, Ltd.
    Inventor: Takeshi Okawa
  • Patent number: 8085245
    Abstract: A display device includes a processor, a memory, an interface and a keypad. The keypad, separably connected to the interface, includes a signal generator. When the display device is connected to a power source, the processor sends a first signal to the interface. The signal generator generates a second signal in response to the first signal. The processor determines whether the second signal is correct based on data stored in the memory. If yes, the display device may be activated. A method for activating the display device via the separable keypad comprises the steps of: connecting the display device to the power source; the display device sending the first signal to the interface; determining whether the second signal is correct; and if yes, activating the display device.
    Type: Grant
    Filed: January 3, 2006
    Date of Patent: December 27, 2011
    Assignee: Delta Electronics, Inc.
    Inventors: Mao-Shan Hsu, Yi-Hsiang Huans
  • Patent number: 8087065
    Abstract: A method is provided for implementing a mandatory access control model in operating systems which natively use a discretionary access control scheme. A method for implementing mandatory access control in a system comprising a plurality of computers, the system comprising a plurality of information assets, stored as files on the plurality of computers, and a network communicatively connecting the plurality of computers, wherein each of the plurality of computers includes an operating system that uses a discretionary access control policy, and wherein each of a subset of the plurality of computers includes a software agent component operable to perform the steps of intercepting a request for a file operation on a file from a user of one of the plurality of computers including the software agent, determining whether the file is protected, if the file is protected, altering ownership of the file from the user to another owner, and providing access to the file based on a mandatory access control policy.
    Type: Grant
    Filed: February 8, 2007
    Date of Patent: December 27, 2011
    Assignee: McAfee, Inc.
    Inventors: Oren Tirosh, Eran Werner