Authorization Patents (Class 726/21)
  • Patent number: 8601603
    Abstract: Architecture for secure transmission of data from a sender to a receiver can include multiple network server nodes and a processor that contains computer instructions stored therein for causing the processor to accomplish the methods for secure transmission. The methods can include the initial step of generating a nonce at a server node. A copy of the nonce can be securely transmitted to the intended recipient of the information. The nonce can then be encrypted at the server node using an encryption means that is remotely located from the server node. The actual information is then transmitted from the sender to the server node. The server node decrypts the nonce at the server node using the encryption means, and encodes the information using the decrypted nonce, which is then deleted. The receiver then accesses the server node and decodes the information using its last remaining copy of the nonce.
    Type: Grant
    Filed: December 1, 2010
    Date of Patent: December 3, 2013
    Assignee: The United States of America, as Represented by the Secretary of the Navy
    Inventor: Gregory K. Fleizach
  • Patent number: 8601538
    Abstract: An automated test to tell computers and humans apart is disclosed, comprising displaying on a computer screen an animation comprising a foreground and a background, one of the foreground comprising a plurality of typographical characters and the other comprising partial obstruction of the typographical characters, and wherein the animation comprises relative motion between the background and foreground. The automated test may comprise displaying on a computer screen an image, and requiring the user to perform an operation on the image to resolve an encoded solution. The test may also comprise displaying on a computer screen a video clip, and requiring a user to provide an input corresponding to subject matter presented in the video clip.
    Type: Grant
    Filed: August 22, 2006
    Date of Patent: December 3, 2013
    Assignee: Fuji Xerox Co., Ltd.
    Inventors: Pernilla Qvarfordt, Eleanor G. Rieffel, David M. Hilbert
  • Patent number: 8601535
    Abstract: An authorization engine is provided in a remote device for mobile authorization using policy based access control. To ensure that remote devices can enforce consistent authorization policies even when the devices are not connected to the server, the remote device downloads the relevant authorization policies when the business objects are downloaded and enforces the policies when operations are invoked. The memory footprint of downloadable authorization policies is reduced to fit onto a resource-constrained remote device. A policy evaluation engine interprets and enforces the downloaded policies on the remote device using only the limited computational resources of the remote device.
    Type: Grant
    Filed: July 26, 2010
    Date of Patent: December 3, 2013
    Assignee: International Business Machines Corporation
    Inventors: SweeFen Goh, Richard T. Goodwin
  • Patent number: 8601572
    Abstract: In one aspect, the present disclosure provides for the accessing and playing of media files having differing associated rights such as non-DRM media files, purchased and downloaded media files, subscription download files such as tethered downloads, and subscription streamed DRM files. In one embodiment, the present disclosure provides a method and user interface for sharing a media collection among computing devices in communication via a network. In one embodiment, the disclosed method allows access and playback, from each computing device on a network, of all media files in a media collection, regardless of their associated rights.
    Type: Grant
    Filed: December 21, 2005
    Date of Patent: December 3, 2013
    Assignee: Yahoo! Inc.
    Inventors: Ryan Eric King, David E. Brown, Robert Porter, Adam Korman, Manish Upendran, Kathleen Wilson
  • Patent number: 8601280
    Abstract: An application executing apparatus includes a connecting unit configured to receive connection of an external storage medium that stores therein an application and first medium identification information unique to the external storage medium. A storage unit stores therein permission information associated with the application and the first medium identification information. The permission information indicates whether execution of the corresponding application is to be permitted. A determining unit determines whether to execute the application stored on the external storage medium based on the first medium identification information and the application stored on the external storage medium and the permission information stored in the storage unit. An application activating unit activates the application when the determining unit determines to execute the application.
    Type: Grant
    Filed: February 1, 2007
    Date of Patent: December 3, 2013
    Assignee: Ricoh Company, Ltd.
    Inventor: Toru Harada
  • Publication number: 20130318599
    Abstract: Access to virtual machine inputs and outputs is controlled. Controlling access to virtual machine inputs and outputs may comprise locking inputs and outputs of a virtual machine from within the virtual machine, other than a predefined limited access input; detecting a request to unlock the inputs and outputs of the virtual machine; determining if a requester is authorized to unlock the inputs and outputs of the virtual machine; and unlocking, temporarily, the inputs and outputs of the virtual machine if the requester is authorized. The predefined limited access input is configured to receive an input device with a private secret for unlocking the inputs and outputs of the virtual machine. The inputs and outputs are unlocked when an input device having a shared password is attached.
    Type: Application
    Filed: May 25, 2012
    Publication date: November 28, 2013
    Applicant: CA, INC.
    Inventors: Itzhak FADIDA, Nir BARAK, Alex KORTHNY, Guy BALZAM
  • Patent number: 8595826
    Abstract: A portable electronic device includes a storage unit in which information indicating correct process contents is stored. A reception unit of the portable electronic device receives a command for requesting a process from an external device, and the portable electronic device determines whether or not process contents to be executed according to the received command are matched with process contents stored in the storage unit. When it is determined that process contents according to the received command are matched with process contents stored in the storage unit, the portable electronic device executes a process according to the command received by the reception unit.
    Type: Grant
    Filed: December 11, 2008
    Date of Patent: November 26, 2013
    Assignee: Kabushiki Kaisha Toshiba
    Inventor: Satoshi Sekiya
  • Patent number: 8595797
    Abstract: A method of enforcing web security, by: (a) receiving an incoming request; (b) applying a plurality of XML customized schemas to the incoming request, and thereby: (c) simultaneously validating the incoming request and determining whether the incoming request is authorized; and then, (d) (i) processing the incoming request if the incoming request is both valid and authorized, (ii) sending the incoming request to an authenticator if the incoming request is valid but not authorized, or (iii) ceasing operation on the incoming request if the incoming request is not valid.
    Type: Grant
    Filed: March 28, 2011
    Date of Patent: November 26, 2013
    Inventor: Lars Reinertsen
  • Patent number: 8595827
    Abstract: A safety controller for controlling an automated installation has a control unit to which a plurality of control input signals are supplied from the sensors of the installation. The control unit produces a plurality of control output signals on the basis of the control input signals in accordance with a user program running in said control unit in an automatic mode. The plurality of control output signals actuate the actuators. The safety controller also has a diagnosis evaluation unit that ascertains which one of a plurality of operating states is present at a defined instant of time and produces an operating state signal which represents the ascertained operating state. A diagnosis selection unit generates a diagnosis report as a function of the operating state signal and as a function of a user access authorization signal and/or a special operating mode signal.
    Type: Grant
    Filed: May 25, 2011
    Date of Patent: November 26, 2013
    Assignee: Pilz GmbH & Co. KG
    Inventors: Martin Zondler, Helmut Ehrhart, Stefan Woehrle
  • Patent number: 8595847
    Abstract: Systems and methods to control web scraping through a plurality of web servers using real time access statistics are described.
    Type: Grant
    Filed: May 16, 2008
    Date of Patent: November 26, 2013
    Assignee: Yellowpages.com LLC
    Inventors: Damon Layton Petta, Bradley Keith Mohs
  • Patent number: 8595825
    Abstract: An image processing apparatus capable of reducing the number of processing flows and also reducing the time and effort required by a user in searching for a desired processing flow. The image processing apparatus includes an authentication unit adapted to execute user authentication, and an execution unit adapted to execute processing on image data with a plurality of processes as a sequential processing flow while cooperating a plurality of different functions with one another. Setting data personalized for a user authenticated by the authentication unit is obtained, and the plurality of processes is registered as a sequential processing flow. The processing flow is executed with a part of the processing flow replaced by processing personalized for the user set in the setting data, upon executing the registered processing flow.
    Type: Grant
    Filed: February 9, 2012
    Date of Patent: November 26, 2013
    Assignee: Canon Kabushiki Kaisha
    Inventor: Takayuki Homma
  • Patent number: 8595794
    Abstract: Auditing a communication is disclosed. Credentials are received from a client. It is determined whether the client is authorized to communicate with a remote resource. If it is determined that the communication with the remote resource is allowed, a communication is forwarded from the local resource to the remote resource.
    Type: Grant
    Filed: April 13, 2007
    Date of Patent: November 26, 2013
    Assignee: Xceedium, Inc.
    Inventor: David Van
  • Patent number: 8590017
    Abstract: Embodiments of the invention relate to partial authentication to access incremental information. An aspect of the invention concerns a method of authorizing access to information that comprises providing an initial segment of a password wherein the password includes password segments each associated with an incremental portion of the information. In response to the initial password segment satisfying an expected value, the method may authorize access to the information portion associated with the initial password segment. The method may authorize access to other information portions associated with subsequent segments of the password in response to the subsequent password segments satisfying respectively expected values.
    Type: Grant
    Filed: February 28, 2011
    Date of Patent: November 19, 2013
    Assignee: International Business Machines Corporation
    Inventors: Hernan Badenes, Mateo Nicolas Bengualid, Julian Ariel Cerruti, Hongxia Jin, Jeffrey Scott Pierce
  • Patent number: 8590018
    Abstract: An operating system of an information handling system (IHS) initializes a security tool to provide security management during user-to-user transactions. The security tool may determine the user's type and invokes a user personal profile and application profile information that pertains to the transaction. The security tool may use the user personal profile and application profile information during user authentications. The security tool determines an initial authentication level and may modify that authentication level during user-to-user transaction operations. The security tool may perform substantially continuous user authentication during transaction operations by employing learned behavior, historical knowledge, and other information that the security tool maintains in a security information store.
    Type: Grant
    Filed: September 8, 2011
    Date of Patent: November 19, 2013
    Assignee: International Business Machines Corporation
    Inventors: Manivannan Thavasi, Thembani Togwe
  • Patent number: 8590029
    Abstract: A mechanism is provided for managing access authorization to forums open to anonymous users within an organization. A token distributor application provides a unique token to each member of a community or organization. The application is trusted by all members to not store an association between the authenticated user and the token when a token is assigned. The only control exerted by the token distributor is to block users who have already obtained a token from receiving another token. The communication tool or collaboration space may accept creation of a new anonymous identity, such as a nickname, to any individual supplying a token assigned by the token distributor application. An administrator may ban users by token. A banned user cannot access the communication tool or collaboration space using a nickname associated with a banned token.
    Type: Grant
    Filed: January 5, 2009
    Date of Patent: November 19, 2013
    Assignee: International Business Machines Corporation
    Inventor: Marcello Vitaletti
  • Patent number: 8590003
    Abstract: Controlling resource access by entities hosted by an execution extension environment via entity identifiers associated with the resources or with the execution extension environment. Policy sets define the access to the resources. Each policy set includes a principal identifier for execution extension environment, a resource identifier for one of the resources, and access rights. The principal identifier or the resource identifier includes one of the entity identifiers. Access requests from entities are evaluated by comparing the entity identifiers to the policy sets. In some embodiments, the policy sets implement access control for web browsers hosting executable code that attempts to access resources on a computing device.
    Type: Grant
    Filed: June 15, 2009
    Date of Patent: November 19, 2013
    Assignee: Microsoft Corporation
    Inventors: Sapna Mahendra Bafna, John David Bruner, Xin Liu, Taqi Jaffri
  • Patent number: 8584229
    Abstract: A data processing system features a hardware trusted platform module (TPM), and a virtual TPM (vTPM) manager. When executed, the vTPM manager detects a first request from a service virtual machine (VM) in the processing system, the first request to involve access to the hardware TPM (hTPM). In response, the vTPM manager automatically determines whether the first request should be allowed, based on filter rules identifying allowed or disallowed operations for the hTPM. The vTPM manager may also detect a second request to involve access to a software TPM (sTPM) in the processing system. In response, the vTPM manager may automatically determine whether the second request should be allowed, based on a second filter list identifying allowed or disallowed operations for the sTPM. Other embodiments are described and claimed.
    Type: Grant
    Filed: December 21, 2007
    Date of Patent: November 12, 2013
    Assignee: Intel Corporation
    Inventors: Tasneem Brutch, Alok Kumar, Murari Kumar, Kalpana M. Roge, Vincent R. Scarlata, Ned M. Smith, Faraz A. Siddiqi, Willard M. Wiseman
  • Patent number: 8584231
    Abstract: Embodiments of the present invention relate to a service opening method and system, and a service opening server. The method includes: receiving a service request from a third-party application, where the service request carries type and parameter information of the requested service; querying, according to the type information of the service, a service directory to obtain an access address and authentication type information of the requested service; when it is determined that the invoking of the service needs an authorization of an end user, obtaining an authorization notification message of the end user according to the type information of the service and the parameter information of the service; and forwarding the service request to a capability server, and forwarding, to the third-party application, a service response message returned by the capability server. The control of the end user on the authorized service is ensured to the greatest extent.
    Type: Grant
    Filed: September 17, 2012
    Date of Patent: November 12, 2013
    Assignee: Huawei Technologies Co., Ltd.
    Inventor: Xianjun Zou
  • Patent number: 8583935
    Abstract: Multiple levels of wireless network resource granting. A user who has an authorized key, e.g., an encryption key or a key indicating that they have paid for service, gets a first, better level of access to the network resources. One without the key is granted lesser access, e.g., less total bandwidth, less bandwidth speed, no access to files or the like.
    Type: Grant
    Filed: January 23, 2013
    Date of Patent: November 12, 2013
    Assignee: Lone Star WiFi LLC
    Inventor: Scott C. Harris
  • Patent number: 8583794
    Abstract: The storage unit stores therein authentication IDs that are used for authentication of users and address information in association with one another. The authentication processing unit receives from a PC an authentication message that includes an authentication ID and is used for the authentication of the user of a communication terminal, and performs authentication on the user based on the received authentication message. The SIP address acquiring unit acquires from the storage unit address information that corresponds to the authentication ID included in the authentication message when the user is authenticated. The SIP address registering unit sends the SIP location server a registration request for registering the acquired address information as the address information of the user of the IP telephone terminal associated with the PC that transmits the authentication message.
    Type: Grant
    Filed: September 2, 2008
    Date of Patent: November 12, 2013
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Yoshimichi Tanizawa, Naoki Esaka, Tsutomu Shibata
  • Patent number: 8583924
    Abstract: A computing device to enable a feature thereof according to a current location and a control method thereof, the computing device including: a location unit to determine the current location of the computing device; and a licensing unit to determine whether the current location corresponds to a predetermined authorized location, and to enable the feature if the current location corresponds to the authorized location. Accordingly, a permission to use a software feature or a hardware feature of the computing device can be controlled according to the current location of the computing device.
    Type: Grant
    Filed: June 29, 2010
    Date of Patent: November 12, 2013
    Assignee: Hand Held Products, Inc.
    Inventors: Aldo Caballero, Dan Yeakley
  • Patent number: 8584257
    Abstract: A method of providing access to downloadable protected video content includes providing parental controls. The parental controls include a parental control password. Purchase controls are also provided and include a purchase control password. The purchase control password is different from the parental control password. Further, protected video content is downloaded and stored to a memory within a set top box when both the parental controls and the purchase controls are satisfied. A number of attempts to correctly input the parental control password or the purchase control password are monitored. When the number of attempts for either password exceeds a predetermined threshold, a user is prevented from further attempts to input the respective password. Moreover, the attempt to download protected video content is canceled, and further downloads of protected video content are prevented for a predetermined time period.
    Type: Grant
    Filed: August 10, 2004
    Date of Patent: November 12, 2013
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Philip Ted Kortum, Marc Andrew Sullivan, James L. Cansler, Jr., Alyssa Lenorah Noll Williams
  • Patent number: 8584230
    Abstract: In an example implementation, a bifurcated security scheme has a first level that does not allow usage of negations and a second level that does permit usage of negations. In another example implementation, an authorization query table maps respective resource-specific operations to respective associated authorization queries. In yet another example implementation, authorization queries are permitted to have negations, but individual assertions are not.
    Type: Grant
    Filed: September 27, 2011
    Date of Patent: November 12, 2013
    Assignee: Microsoft Corporation
    Inventors: Blair B. Dillaway, Moritz Y. Becker, Andrew D. Gordon, Cedric Fournet
  • Patent number: 8578478
    Abstract: A cluster of computer system nodes share direct read/write access to storage devices via a storage area network using a cluster filesystem. At least one trusted metadata server assigns a mandatory access control label as an extended attribute of each filesystem object regardless of whether required by a client node accessing the filesystem object. The mandatory access control label indicates the sensitivity and integrity of the filesystem object and is used by the trusted metadata server(s) to control access to the filesystem object by all client nodes.
    Type: Grant
    Filed: April 3, 2012
    Date of Patent: November 5, 2013
    Assignee: Silicon Graphics International Corp.
    Inventor: Kenneth S. Beck
  • Patent number: 8578477
    Abstract: The integrity of a computer may be checked by issuing a command to read data from a hardware component of the computer and retrieving the data from a data transfer buffer. The command may be sent to a secure driver that places the central processing unit (CPU) of the computer in system management mode to trigger execution of a system management interrupt (SMI) handler. The SMI handler may read the data from the hardware component, encrypt the data, and place the encrypted data in the data transfer buffer. A system integrity check application program may read the encrypted data to determine presence of malicious code based on the data. For example, the application program may infer presence of malicious code when the encrypted data does not conform to a particular encryption algorithm or when the data does not appear in the data transfer buffer.
    Type: Grant
    Filed: March 28, 2007
    Date of Patent: November 5, 2013
    Assignee: Trend Micro Incorporated
    Inventors: Yichin Lin, Peng-Yuan Yueh, Yu-Heng Liu
  • Patent number: 8576053
    Abstract: Near field communication (NFC) device including a processor and a front end unit (FEU) to communicate with an external reader/writer device. The FEU stores, by first memory, a first number of sets of application parameters, each set including first and second identifiers. The processor stores, by second memory, the application and a second number of the sets. The FEU receives a communication request from the external device, including a certain first identifier. The FEU checks, when the request is received, whether the certain first identifier is stored in the first memory. If yes, a response is sent to the external device, including a respective second identifier, which is in the same set of parameters as the certain first identifier. The FEU sends, each time a request is received, a response to the processor. The processor controls which sets of parameters are stored in the first memory based on the response.
    Type: Grant
    Filed: September 22, 2011
    Date of Patent: November 5, 2013
    Assignee: Sony Corporation
    Inventors: Meik Buscemi, Stephen Tiedemann, Frank Dawidowsky, Klaus Röhrle, Dietmar Schill
  • Patent number: 8578463
    Abstract: A system and method for allowing for distributed interaction in a computing scenario is presented. The system is powered by SandTable software. First and second items are respectively displayed on interactive screens of first and second surface computers. A first token is configured to be placed on the interactive screen of one of the computers, and that computer reads its credentials. The SandTable software determines a first access level of the first token based on the credentials of the first token when it is placed on the surface computer. The first surface computer displays an image of an add item symbol when the first token is authenticated as a valid token. The SandTable software is configured to detect when the add item symbol is selected and to generate a menu of new items. SandTable creates a new item based on the new item selected from the menu.
    Type: Grant
    Filed: September 29, 2011
    Date of Patent: November 5, 2013
    Assignee: BAE Systems Information Solutions Inc.
    Inventor: Howard Kee
  • Patent number: 8578151
    Abstract: The present invention provides systems and methods for making efficient trust management decisions. A trust management engine is provided that processes requests for system resources, authorizations or certificates, and the identity of one or more root authorities that are ultimately responsible for granting or denying the requests. To determine whether a request should be granted, the trust management engine identifies a set of principals from whom authorization may flow, and interprets each of the certificates as a function of the state of one or more of the principals. The processing logic iteratively evaluates the functions represented by the certificates, updates the states of the principals, and repeats this process until a reliable determination can be made as to whether the request should be granted or denied.
    Type: Grant
    Filed: March 29, 2011
    Date of Patent: November 5, 2013
    Assignee: Intertrust Technologies Corporation
    Inventors: Stephen P. Weeks, Xavier Serret-Avila
  • Patent number: 8578152
    Abstract: An embodiment relates generally to receiving a plurality of security certificates for each user of a plurality of users and generating a random renewal period for a selected security certificate. The method also includes associating the random renewal period to the selected security certificate and providing the selected security certificate with the random renewal period to the respective user of the plurality of users.
    Type: Grant
    Filed: June 20, 2007
    Date of Patent: November 5, 2013
    Assignee: Red Hat, Inc.
    Inventor: Steven William Parkinson
  • Publication number: 20130291098
    Abstract: Trust is calculated between persons for purposes of a business transaction. A measure of relative trust is determined for a target user with respect to a source user based on common entities that are related to both the users, for example, common relations, common background, or common preferences. A measure of absolute trust is determined for the target user using factors including financial information, work history, and so on. The absolute trust for the target user is improved using trusts of other users connected to the target user. The absolute trust and relative trusts are combined to obtain an overall measure of trust for the target user. The measure of trust for the user may be used for a business transaction, for example, lead generation, angel investment, equity crowd funding, and sharing of a product or service with another person.
    Type: Application
    Filed: March 13, 2013
    Publication date: October 31, 2013
    Inventors: Seong Taek Chung, Michael Chun, SR.
  • Patent number: 8572727
    Abstract: Access-control and information-flow integrity policies are enforced in a computing system by detecting security-sensitive sinks in software code for an application running on the computing system and retrieving an access-control policy from a database accessible to the computing system. The access-control policy maps a set of access permissions within the computing system to each one of a plurality of principals. For each detected security-sensitive sink, all principals that influence that security-sensitive sink are detected and an overall access permission is assigned to each security-sensitive sink by taking the intersection of the access permission sets for all influencing principals of that security-sensitive sink. If this permission set is inadequate, an integrity violation is reported. In addition, permission labels are assigned to each value of variables used in the security-sensitive sinks. Each permission label is a set of permissions.
    Type: Grant
    Filed: November 23, 2009
    Date of Patent: October 29, 2013
    Assignee: International Business Machines Corporation
    Inventors: Paolina Centonze, Yinnon Avraham Haviv, Roee Hay, Marco Pistoia, Adi Sharabani, Omer Tripp
  • Patent number: 8572709
    Abstract: This disclosure describes a method of and system for provisioning of shared account credentials to provide authorized access to shared or delegated accounts. Preferably, an enterprise single sign-on (E-SSO) system is used to manage the shared account or control delegation of account access, and preferably the shared or delegated account credential is not exposed to the end user. The described technique enables temporary delegation of account privileges to a member of a shared role. Using the described approach, an information technology (IT) account may be shared so that a user who needs to perform a shared duty can do so in the context of a shared role and without having control over the account itself. The approach facilitates delegating the use of a single account to one of a member of the shared role.
    Type: Grant
    Filed: May 5, 2010
    Date of Patent: October 29, 2013
    Assignee: International Business Machines Corporation
    Inventors: Christopher John Hockings, Trevor Scott Norvill, Zoran Radenkovic
  • Patent number: 8572728
    Abstract: Example embodiments relate to initiation of storage device scans based on a record of existing scans of the storage device. In particular, example embodiments include a mechanism that maintains a record of existing scans of the storage device including an entry for each scan initiated by one of a plurality of scanning processes. In some embodiments, the record of existing scans may then be accessed in determining whether to initiate or permit initiation of a new scan.
    Type: Grant
    Filed: June 8, 2010
    Date of Patent: October 29, 2013
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Norman Brown
  • Patent number: 8572701
    Abstract: A first server device is configured to receive an authentication request from a second server device; add the authentication request to a queue associated with a user; and provide a representation of the queue to a mobile device of the user. The representation of the queue includes an entry for the authentication request. The first server device is further configured to receive, from the mobile device, authentication information, provided by the user, for the authentication request; determine that authentication, of the user, for the authentication request is successful based on the authentication information; generate an authentication response that indicates that the authentication, of the user, for the authentication request is successful; and transmit, by the first server device, the authentication response to the second server device.
    Type: Grant
    Filed: August 22, 2011
    Date of Patent: October 29, 2013
    Assignee: Verizon Patent and Licensing Inc.
    Inventor: George Steven Rathbun
  • Patent number: 8572695
    Abstract: A system and method for applying a pre-existing physical seal authorization to documents provides for authentication of electronic documents using physical seals and without interrupting the electronic workflow. The system of the present invention includes a seal capture device coupled to a computer, and the computer coupled by a network to a paper-like document server. The seal capture device detects depression of a seal thereon and outputs the image of the seal and other metadata to the computer. The computer stores the metadata in its local log using a logging module. The computer also adds the image of the seal and other metadata to the electronic document being displayed. Finally, the computer sends the metadata for storage in the global log of the paper-like document server, and the authorized document to the next step in the electronic workflow. The paper-like document server stores the metadata in other servers or entangles the global log with the logs of other servers for additional security.
    Type: Grant
    Filed: September 8, 2009
    Date of Patent: October 29, 2013
    Assignee: Ricoh Co., Ltd
    Inventors: Timothee Bailloeul, Kenneth F. Gudan, Xu Liu, Kurt W. Piersol, Michael J. Gormish, John W. Barrus, Edward L. Schwartz, Richard D. Kosoglow, Stephen R. Savitzky, Sergey Chemishkian
  • Patent number: 8566906
    Abstract: A policy data structure defines predetermined authorizations, each relating to authorization of at least one user to access at least one resource as well as to dynamic access requests. Each dynamic access request indicates a condition to be satisfied by a respective set of attributes associated with a user request to access a resource and for the request to be granted in absence of an authorization determinative of the request. If the structure does not define an authorization for a request to access a resource, it is determined whether the structure defines a dynamic access requirement determinative for the request, and if so, whether to grant the request in accordance with the respective set of attributes associated with the request. For at least one request, after determining whether to grant the request, a dynamic authorization relating to authorization to access the resource within the request is added to the structure.
    Type: Grant
    Filed: March 31, 2011
    Date of Patent: October 22, 2013
    Assignee: International Business Machines Corporation
    Inventors: Thomas R. Gross, Guenter Karjoth
  • Patent number: 8564797
    Abstract: A setting changing device includes a display controller, a receiver, and a changing section. The display controller displays a designation screen for at least one of a first designation that designates a first item and an initial value of the first item; a second designation that designates a second item that prohibits changing via the setting screen by a user; or a third designation that designates a third item that prohibits displaying on the setting screen for users. The changing section, on the basis of the at least one of the first designation, second designation and third designation, (a) changes respective settings of the target device drivers, or, (b) generates for each of changeable setting items of the target device drivers, setting data that is referenced by device drivers when the setting screen is displayed.
    Type: Grant
    Filed: May 20, 2010
    Date of Patent: October 22, 2013
    Assignee: Fuji Xerox Co., Ltd.
    Inventor: Koichi Naitoh
  • Patent number: 8566925
    Abstract: Systems and methods are disclosed for an appliance to authenticate access of a client to a protected directory on a server via a connection, such as a secure SSL connection, established by the appliance. A method comprises the steps of: receiving, by an appliance, a first request from a client on a first network to access a server on a second network, the appliance providing the client a virtual private network connection from the first network to the second network; determining, by the appliance, the first request comprises access to a protected directory of the server; associating, by the appliance, an authentication policy with the protected directory, the authentication policy specifying an action to authenticate the client's access to the protected directory; and transmitting, by the appliance in response to the authentication policy, a second request to the client for an authentication certificate. Corresponding systems are also disclosed.
    Type: Grant
    Filed: August 3, 2006
    Date of Patent: October 22, 2013
    Assignee: Citrix Systems, Inc.
    Inventors: Sivaprasad Udupa, Tushar Kanekar, Tejus Ag
  • Patent number: 8566926
    Abstract: An authorization system in a home wireless network comprises a communication interface and a processing system, wherein a wireless communication device associated with the home wireless network transfers a request to a visited wireless network for access to an internet. The communication interface is configured to receive an authorization request for the wireless communication device transmitted from the visited wireless network. The processing system is configured to select one of a visited internet connection and a home internet connection for the wireless communication device, wherein the visited internet connection links the wireless communication device to the internet without using the home wireless network and wherein the home internet connection links the wireless communication device to the internet through the home wireless network.
    Type: Grant
    Filed: March 18, 2010
    Date of Patent: October 22, 2013
    Assignee: Sprint Communications Company L.P.
    Inventors: George Jason Schnellbacher, Joao Carlos Osorio Gouvea Teixeira de Magalhaes, Joseph C. Shojayi
  • Patent number: 8566586
    Abstract: To control privileges and access to resources on a per-process basis, an administrator creates a rule that may be applied to modify a process's token. The rule includes an application-criterion set and changes to be made to the groups and/or privileges of a token. The rule is set as a policy within a group policy object (GPO), where a GPO is associated with one or more groups of computers. When a GPO containing a rule is applied to a computer, a driver installed on the computer accesses the rule(s) anytime a logged-on user executes a process. If the executed process satisfies the criterion set of a rule the changes contained within the rule are made to the process token, and the user has expanded and/or contracted access and/or privileges for only that process.
    Type: Grant
    Filed: August 10, 2011
    Date of Patent: October 22, 2013
    Assignee: BeyondTrust Corporation
    Inventor: Marco Peretti
  • Patent number: 8561173
    Abstract: An authentication processing apparatus, which includes: an authentication processing section that performs authentication using an authentication method selected from authentication methods provided; a storage section that stores authentication information indicating whether or not the authentication succeeds; a determination section that, when an operation on electronic information associated to one or more authentication methods is performed, determines whether the operation on the electronic information is permitted or not, on the basis of the one or more authentication methods associated to the electronic information and the stored authentication information; and an authentication request section that, when the determination section determines that the operation on the electronic information is not permitted, detects from among the one or more authentication methods associated to the electronic information an authentication method for which it is not indicated in the authentication information that an au
    Type: Grant
    Filed: March 26, 2008
    Date of Patent: October 15, 2013
    Assignee: Fuji Xerox Co., Ltd.
    Inventor: Ryotaro Hayashi
  • Patent number: 8561138
    Abstract: In some embodiments, the invention involves protecting a platform using locality-based data and, more specifically, to using the locality-based data to ensure that the platform has not been stolen or subject to unauthorized access. In some embodiments, a second level of security, such as a key fob, badge or other source device having an identifying RFID is used for added security. Other embodiments are described and claimed.
    Type: Grant
    Filed: December 31, 2008
    Date of Patent: October 15, 2013
    Assignee: Intel Corporation
    Inventors: Michael M. Rothman, Vincent Zimmer
  • Patent number: 8561201
    Abstract: An image reading apparatus, an image information verification apparatus, an image reading method, an image information verification method, and an image reading program are disclosed. The image reading apparatus includes an image acquisition unit for acquiring an image from an image reading unit for reading the image formed on a medium, a medium description receiving unit for receiving a medium description provided by a medium description acquisition unit for acquiring the medium description of the medium, a set generating unit for generating a set of information about the image and information about the medium description, and a set unique value acquisition unit for acquiring a set unique value about the set.
    Type: Grant
    Filed: August 9, 2007
    Date of Patent: October 15, 2013
    Assignee: Ricoh Company, Limited
    Inventor: Yoichi Kanai
  • Patent number: 8561174
    Abstract: Authorizing a user for accessing a system, data, or a physical location is accomplished by receiving an authorization code from the user and determining whether the received code matches a valid authorization code. To relieve the user from the need of memorizing complex authorization codes, the authorizing party presents hints to a valid authorization code. The hints are presented concurrently with the user's entering of the authorization code.
    Type: Grant
    Filed: June 16, 2008
    Date of Patent: October 15, 2013
    Inventor: Igor Fischer
  • Publication number: 20130269027
    Abstract: Techniques to explain authorization origins for protected objects in an object domain are disclosed. In one embodiment, for example, an apparatus may comprise a processor circuit, a request processor component operative on the processor circuit to receive and process a request for an authorization origin of a resource object, the authorization origin comprising an access control with a permission arranged to control access to the resource object based on an identity, and a resource origin component operative on the processor circuit to identify the authorization origin of the resource object from a set of interrelated resource objects and associated access controls, retrieve authorization origin information for the authorization origin, and present the authorization origin information in a user interface view. Other embodiments are described and claimed.
    Type: Application
    Filed: April 4, 2012
    Publication date: October 10, 2013
    Applicant: SAS INSTITUTE INC.
    Inventors: Brian Bowman, Elizabeth A. Lyne, Catherine Hitti, Jianping Yang, J. Forest Boozer
  • Patent number: 8555378
    Abstract: Systems and methods are included for accessing resource objects in a multi-threaded environment. A request is received from a requester to perform an operation with respect to a resource object, where the requested resource object has multiple associations with other objects. A determination as to whether an authorization cache entry corresponding to the requested resource object contains sufficient permission data for granting or denying the request for access to the requested resource object is made. A grant or deny of access to the requested resource object is returned when the authorization cache entry corresponding to the requested resource object contains sufficient permission data.
    Type: Grant
    Filed: August 10, 2009
    Date of Patent: October 8, 2013
    Assignee: SAS Institute Inc.
    Inventors: Brian Payton Bowman, John Forrest Boozer
  • Patent number: 8555044
    Abstract: A method to lock an electronic device comprising an operating system comprises placing the electronic device in a disable state in which the processor is blocked from accessing the operating system, receiving a first unlock password from a remote source during a power-up operation of the electronic device, and placing the electronic device in a temporary unlock state which allows the processor to boot the operating system for a predetermined period of time when the first unlock password matches a password stored in the electronic device. Other embodiments may be described.
    Type: Grant
    Filed: March 29, 2010
    Date of Patent: October 8, 2013
    Assignee: Intel Corporation
    Inventors: Gyan Prakash, Duncan Glendinning, Saurabh Dadu, Mojtaba Mojy Mirashrafi, Mousumi M. Hazra, Carol A. Bell
  • Patent number: 8555055
    Abstract: Role-based security architecture that facilitates delegated role assignments where role functionality is monotonically decreasing. In furtherance thereof decreasing monotonicity roles are arranged in a hierarchy. Moreover, delegated roles can be obtained by creating a derived role (from a parent role) and removing entries from the derived role to decrease the permissions for the derived role. Delegated role assignments are scoped (bounded), which automatically applies a given scope to the assignment created by the user receiving the delegation.
    Type: Grant
    Filed: June 2, 2009
    Date of Patent: October 8, 2013
    Assignee: Microsoft Corporation
    Inventors: Vladimir V. Grebenik, Pretish Abraham
  • Patent number: 8555047
    Abstract: A Wi-Fi router with an integrated configuration touch-screen, and method to use this integrated touch screen to provide enhanced security features. The Wi-Fi router, which has a wired or optical network interface, may be factory pre-configured with hard to anticipate passwords and encryption codes, thus making even its default Wi-Fi settings difficult to attack. Besides displaying interactive menus on the touch-screen, the router may also generate touch sensitive dynamic alphanumeric virtual keypads to enable administrators to interact with the device without the need of extra computers or software. Inexperienced administrators, secure in the knowledge that they may access and change even difficult to remember security settings at any time through the built-in touch-screen controller and simplified user interface, are encouraged to set up secure Wi-Fi systems. The device may optionally include security software that, upon touch of a button, can provide new randomized or otherwise obfuscated router settings.
    Type: Grant
    Filed: March 16, 2011
    Date of Patent: October 8, 2013
    Inventor: Rammohan Malasani
  • Publication number: 20130263255
    Abstract: Systems and methods enabling parallel processing of hash functions are provided. A data string including a plurality of pieces arranged in an order is hashed using a hash function to determine a plurality of authentication checkpoint hashes associated with the pieces. To authenticate the data string, the pieces are grouped into sets, and the authentication checkpoint hash associated with the piece following all other pieces of that set in the order is associated with that set. The system simultaneously performs a separate hash process on each set. That is, the system hashes the pieces of that set using the hash function to determine a result hash, and compares that result hash with the authentication checkpoint hash associated with that set. The initial input to the hash function for the hash process for each set includes one of the pieces and either a default seed or an authentication checkpoint hash.
    Type: Application
    Filed: March 27, 2012
    Publication date: October 3, 2013
    Applicant: IGT
    Inventor: Bryan D. Wolf