Abstract: Subscriber (user) data is encrypted and stored in a service provider cloud in a manner such that the service provider is unable to decrypt and, as a consequence, to view, access or copy the data. Only the user knows a user-specific secret (e.g., a password) that is the basis of the encryption. The techniques herein enable the user to share his or her data, privately or publicly, without exposing the user-specific secret with anyone or any entity (such as the service provider).

Abstract: An end-to-end secure cloud-hosted collaboration service is provided with a hybrid cloud/on-premise index and search capability. This approach includes on-premise indexing and search handling, while relying on the cloud for persistent storage and search of the index. The on-premise indexer receives a copy of an encrypted message from the cloud-hosted collaboration service. The encrypted message has been encrypted with a conversation key. The indexer receives the conversation key from an on-premise key management service, and decrypts the encrypted message with the conversation key. A set of tokens are extracted from the decrypted message, and subsequently encrypted with a secret key, different than the conversation key, to generate a first set of encrypted tokens. The first set of encrypted tokens is transmitted for storage in a search index on the cloud-hosted collaboration service.

Abstract: A mechanism is provided for generating a packet inspection policy for a policy enforcement point in a centralized management environment. Data of a network topology for the policy enforcement point corresponding to a network infrastructure is updated according to metadata of the policy enforcement point, the metadata including a capability of the policy enforcement point. The packet inspection policy for the policy enforcement point is generated according to the data of the network topology and the capability of the policy enforcement point. The packet inspection policy is then deployed to the policy enforcement point.

Abstract: Secret application and maintenance policy data is generated for different classes of data. The class of data to be protected is determined and the secret application and maintenance policy data for the determined class of the data to be protected is identified and obtained. Required secrets data representing one or more secrets to be applied to the data to be protected is obtained and then automatically scheduled for application to the data to be protected in accordance with the secret application and maintenance policy data for the determined class of the data to be protected. Maintenance of the one or more secrets is also automatically scheduled in accordance with the secret application and maintenance policy data for the determined class of the data to be protected.

Abstract: A power grid provides power to one or more modules of an integrated circuit device via a virtual power supply signal. A test module is configured to respond to assertion of a test signal so that, when the power grid is working properly and is not power gated, an output of the test module matches the virtual power supply. When the power grid is not working properly, the output of the test module is a fixed logic signal that does not vary based on the power gated state of the one or more modules.

Abstract: A control module arranged to manage a hosted communications platform, the hosted communications platform being located between a telecommunications network and a subscriber communications network, the subscriber communications network being associated with a subscriber to the hosted communications platform, the subscriber being associated with a plurality of users. The module comprises a first communications interface arranged to interface with the telecommunications network, and processing means arranged to configure the hosted communications platform for use with two or more subscribers, each subscriber comprising a respective subscriber communications network. The module further comprises a second communications interface arranged to interface with the hosted communications platform. For each subscriber, the processing means is arranged to form a partition on the hosted communications platform.

Abstract: A method for testing a new workflowed item associated with a workflow process in a content management system (CMS) is provided. The method may include adding a workflow stage to the workflow process in the content management system (CMS). The method may also include adding a test associated with the workflow stage. The method may further include determining if a criteria threshold is met based on the test associated with the workflow stage. Additionally, the method may include publishing the new workflowed item based on the criteria threshold being met.

Abstract: A method for testing a new workflowed item associated with a workflow process in a content management system (CMS) is provided. The method may include adding a workflow stage to the workflow process in the content management system (CMS). The method may also include adding a test associated with the workflow stage. The method may further include determining if a criteria threshold is met based on the test associated with the workflow stage. Additionally, the method may include publishing the new workflowed item based on the criteria threshold being met.

Abstract: Embodiments are directed towards decrypting encrypted content. A key for decrypting the encrypted content may be provided to a web application executing within a browser. The application may employ a generic cryptography application program interface (GCAPI) to perform actions on the key, including, storing the key, decrypting an encrypted key, generating another key, converting the key to a different encryption type, or the like. The GCAPI may or may not be enabled to explicitly share the key with the browser's media engine. In response to receiving encrypted content, the GCAPI may provide the key to the application, explicitly or inexplicitly to the browser's media engine, or the like. The key may be utilized by the application, the browser, the media element, browser's media engine, and/or the GCAPI to decrypt the encrypted content. The decrypted content may be displayed within the browser to a user of a client device.

Abstract: A system for controlling access to copyrighted data comprises, at least: a plurality of users having computers, each computer being assigned a unique identity and each computer being configured for communicating with external units via a core network; a core network operated by a telecommunications organization; an access handler configured to communicate with the computers via the core network and a communication interface configured for routing incoming data traffic to a first database; wherein the first database includes at least one table, in which table the unique identities of the computers are associated with access rights for each one of the unique identities, and the first database is configured to communicate with a second database and a third database/server; the second database includes copyrighted data material, and the second database is further configured to communicate via the core network with the computers for transferring requested copyrighted data material.

Abstract: Electronic publications are increasingly replacing physical media, where standards have evolved to mimic these physical media. Accordingly it is beneficial to provide electronic publication software systems and/or software applications to enable new paradigms that provide consumers, authors, publishers, retailers, and others with a method of navigating electronic content comprising the ability to generate a user interface that supports individual page turns as well as small, moderate and large adjustments of position within the electronic content, wherein the user interface supports these adjustments in a manner that is consistent.

Abstract: Programmatically reversing numerical line identity presented at a communications services gateway into named IP Telephony users with “prior association”, delivers dynamic “reverse address resolution” switching connections from ground to cloud, permitting any conventional telephone to dial and connect to any associated IP Telephony endpoint in the world, without changes to the conventional telephone. Reversing line identity into associated named users bridges both the addressability and economic divide between mass conventional “paying” (mobile and fixed) and “free”. IP Telephony networks.

Abstract: A method of encrypting information using a computational tag may include, by a mobile electronic device, detecting a computational tag within a near field communication range of the mobile electronic device, identifying a document to be encrypted by the mobile electronic device, transmitting the document to the computational tag by the mobile electronic device, receiving, from the computational tag, an encrypted document, wherein the encrypted document comprises an encrypted version of the document that was to be encrypted, and storing the encrypted document in a memory of the mobile electronic device.

Abstract: The present disclosure provides for methods and devices for enabling distribution of a first security application comprised in the first wireless device to the second wireless device. One method comprises the steps of receiving, in the first wireless device, using a short distance communication technology, a hardware identifier of the second wireless device, sending, from the first wireless device, the hardware identifier and information identifying the first security application to the network node, receiving, in the network node, from the first wireless device, the hardware identifier of the second wireless device and the information identifying the security application and authorizing, in the network node, the second wireless device to receive and/or activate a second security application associated with the first security application of the first wireless device.

Abstract: A resource domain controller in a data processing system stores information that is used to group various resources, such as bus masters and peripherals, into common domains. Each group can be referred to as a resource domain and can include one or more data processor and peripheral devices. The resource domain information is then used to determine whether a particular access request from a data processor is authorized to access its intended target, e.g., one of the peripheral devices, by determining whether the access request and the intended target each belong to a common resource domain. If so, the access request is allowed, otherwise the access request is prevented from being successfully completed.

Abstract: Technology is disclosed herein for licensing applications using a preferred authorization process dynamically identified based on conditions associated with an initiation of an application. Authorization is then attempted using the preferred authorization process. In some examples, the preferred authorization process is selected from at least a keyless authorization process and a key-based authorization process.

Abstract: In a method, system, and computer-readable medium having instructions for providing distributed customer support, a customer care provider for a first business entity receives a request for customer care and the request may be handled by the customer care provider with a remedy, transaction information involving any number of transactions from a repository is accessed using a customer care credential and the repository comprises transaction information for a second business entity, and a limitation on the customer care provider is determined for providing the remedy using the transaction information.

Abstract: One or more elements on a computing device can be selected and locked from use. For example, a first user (e.g., adult) of a computing device can allow a second user (e.g., child) to use the former's device; however, the first user might not want the second user to have access to all of the elements on the device, and so the first user can select which elements he/she wants to share with the second user and which elements he/she does not want to share. For example, the first user can select elements and choose to lock the selected elements, lock all other elements, lock the selected elements for a certain period of time, or lock the selected elements but allow for earned usage, etc. The lock can be removed in response to an unlock event, which can comprise a user-initiated unlock, a timed unlock, or a user-earned locked.

Abstract: A method for preserving data redundancy in a data deduplication system in a computing environment is provided. A selected data segment, to be written through the data deduplication system, is encrypted such that the selected data segment is not subject to a deduplication operation. The method determines and identifies copies of the data segment that are to be precluded from data deduplication. A unique encryption key is used to encrypt the selected data segment to be written through the data deduplication system such that the selected data segment is not subject to a deduplication operation. The data deduplication system is tricked to recognize the encrypted, selected data segment as new, undeduplicated data by the encrypting thereby skipping steps of the deduplication operation that includes fingerprint generation and matching. The encrypted, selected data segment is directly written to a new physical storage location.

Abstract: A method and system for authenticating a user device includes an identity provider reading service and an external service provider receiving a request to access content from a user device and communicating the request to access content from a service provider to the reading service. The request to access content includes cookie data. The external service requests an identity provider token from the cookie data from the reading service based on the request to access. The identity provider reading service communicates the identity provider token to the external service provider. An identity provider communicates with the service provider. The external service generates and communicates an authentication request to the identity provider having the identity provider token and a service provider identifier. The identity provider communicates an assertion signal to the service provider when the cookie data is resolved at the identity provider.

Abstract: One embodiment of the present invention sets forth a technique for identifying active streaming connections associated with a particular user account. Each active streaming connection transmits heartbeat packets periodically to a server that tracks the receipt of the heartbeat packets. If, for a particular streaming connection, the server stops receiving heartbeat packets, then the server is able to infer that the streaming connection has been terminated.

Abstract: A wireless location device comprises a BLUETOOTH beacon configured to emit wireless signals and an electromagnetic shielding cover. The BLUETOOTH beacon is positioned within the electromagnetic shielding cover. The electromagnetic shielding cover comprises an inner surface comprising a plurality of micro-structures, and an opening below the inner surface. The inner surface is configured to reflect towards the opening the wireless signals emitted by the BLUETOOTH beacon which are not directly emitted out of the opening.

Abstract: An execution of a data object is identified by a computing device. In response to identifying the execution of the data object, it is determined that the data object has requested a sensitive action of the computing device before interacting with a user of the computing device. In response to determining that the data object has requested the sensitive action, the data object is classified as a high-risk data object.

Abstract: Methods, devices, and systems are described for enrolling a user's bring-your-own-device for secure connection to a company's enterprise computer network. From her mobile device, user clicks on a uniform resource locator (URL) to connect with the login web page on the enterprise network. After authentication, checks are performed to verify that the user has authorization to enroll the type of electronic device, and the profile is installed on the device. A notification is sent to the device by a server on the enterprise network, and a secure workspace application is pushed to the device along with configuration data that automatically links the workspace with the parent device enrollment. Once the user launches the secure workspace application the workspace access configuration data and initializes enrollment with the enterprise network, resulting in a linking of the secure workspace application with its parent device enrollment.

Abstract: Methods and an apparatus are provided for securely authorizing access to remote resources. For example, a method is provided that includes receiving a request to determine whether a user device communicatively coupled to a resource server is authorized to access at least one resource hosted by the resource server and determining whether the user device communicatively coupled to the resource server is authorized to access the at least one resource hosted by the resource server based at least in part on whether the user device communicatively coupled to the resource server has been issued a management identifier. The method further includes providing a response indicating that the user device communicatively coupled to the resource server is authorized to access the at least one resource hosted by the resource server in response to a determination that the user device communicatively coupled to the resource server is authorized to access the at least one resource hosted by the resource server.

Abstract: An extensible mechanism for providing access control for logical objects in a network environment. A security broker is able to dynamically register one or more claims providers, each of which can assert one or more claims about logical objects. The claims providers may be purpose built or may be third party applications which expose data or business rules for use. Claims may be augmented by additional claims providers after the original claim is asserted. The applicability of claims may be scope limited either at the time the claims provider is registered or when the user requests that a security token be issued.

Abstract: A method implemented by a first client device, the method comprising receiving a media presentation description (MPD) for a media content from a streaming server, receiving a plurality of segments for the media content from one or more streaming servers, and packaging the MPD and at least part of the received segments such that the packaged segments are accessible by a second client device through the packaged MPD.

Abstract: Methods and systems for protecting a virtual machine network are disclosed. In an embodiment, a method involves storing an application whitelist including application-to-user associations in memory such that the application whitelist is immutable by a guest virtual machine, receiving a request to execute an application including an application identifier and a user identifier, comparing the application identifier and the user identifier of the request with the application whitelist, and generating an execution decision indicating whether the requested application can execute on the guest virtual machine.

Abstract: Embodiments of the disclosure provide application management capabilities to enterprises. A computing device of a user, associated with the enterprise, receives an enrollment token signed with a certificate. The enrollment token includes an enterprise identifier associated with the enterprise. The computing device receives a package containing one or more applications. The package also includes an enterprise identifier. Installation and execution of one or more applications from the received package is accepted or rejected based on a comparison of the enterprise identifier from the enrollment token with the enterprise identifier from the received package or application. A web service provides validation services by monitoring the installation and execution of applications on the computing devices associated with the enterprise.

Abstract: In one embodiment, a method includes receiving, from a client device of an author of a message, a request for a restricted ideogram to be inserted into a message; accessing social-networking information for the author; determining, based on the social-networking information for the author, whether the author is authorized to access the restricted ideogram; accessing social-networking information for a recipient user; determining, based on the social-networking information for the recipient user, whether the recipient user is authorized to access the restricted ideogram; and if the author and the recipient user are authorized to access the restricted ideogram, then sending, to the client device of the author, information to insert the restricted ideogram into the message.

Abstract: In at least some embodiments, a system comprises a processor and a direct memory access (DMA) subsystem coupled to the processor. The system further comprises a component coupled to the DMA subsystem via an interconnect employing security rules, wherein, if the component requests a DMA channel, the DMA subsystem restricts usage of the DMA channel based on the security rules.

Abstract: A method, in a network controller of a control plane in a software defined network (SDN) coupled to a network element (NE) of a data plane in the SDN, of resynchronizing forwarding table entries of the NE according to forwarding table entries of the network controller is disclosed. The method includes causing the NE to update a first subset of forwarding table entries from a set of one or more of forwarding table entries to include a post-synchronization indicator. The method continues with causing the NE to delete, following the update of the first subset of forwarding table entries, a second subset of zero or more forwarding table entries from the set of forwarding table entries, where each forwarding table entry from the second subset includes a pre-synchronization indicator.

Abstract: Location, time, and other contextual mobile application policies are disclosed. Access state information associated with a managed set of applications may be determined based at least in part on environmental context data associated with a mobile device and one or more contextual policies associated with the managed set of applications. The access state information may be provided to at least one application included in the managed set of applications, wherein at least one application in the managed set of applications is configured to use the access state information to regulate use of the application in a manner required by the one or more contextual policies.

Abstract: A method for automatic folder ownership assignment, including ascertaining which first folders, among a first multiplicity of folders, have at least one of modify and write permissions to non-IT administration entities, adding the first folders to a list of candidates for ownership assignment, defining a second multiplicity of folders which is a subset of the first multiplicity of folders and not including the first folders and descendents and ancestors thereof, ascertaining which second folders among the second multiplicity of folders, have permissions to non-IT administration entities, adding the second folders to the candidates, defining a third multiplicity of folders, which is a subset of the second multiplicity of folders and not including the second folders and descendents and ancestors thereof, ascertaining which third folders among the third multiplicity of folders are topmost folders, adding the third folders to the candidates, and recommending possible assignment of ownership of the candidates.

Abstract: A method for automatic folder ownership assignment, including ascertaining which first folders, among a first multiplicity of folders, have at least one of modify and write permissions to non-IT administration entities, adding the first folders to a list of candidates for ownership assignment, defining a second multiplicity of folders which is a subset of the first multiplicity of folders and not including the first folders and descendents and ancestors thereof, ascertaining which second folders among the second multiplicity of folders, have permissions to non-IT administration entities, adding the second folders to the candidates, defining a third multiplicity of folders, which is a subset of the second multiplicity of folders and not including the second folders and descendents and ancestors thereof, ascertaining which third folders among the third multiplicity of folders are topmost folders, adding the third folders to the candidates, and recommending possible assignment of ownership of the candidates.

Abstract: A computer network system for posting content at a web site includes computer servers configured to host a web site for a group of users, and a data storage configured to store an email address in association with a destination at the website. The computer servers can receive an electronic message at the email address by the computer servers from a user. A computer processor can automatically extract content from the electronic message. The computer servers can automatically post the content extracted from the electronic message at the destination at the website.

Abstract: A mobile terminal and controlling method thereof are disclosed, by which image data of a counterpart having triggered an event can be displayed. The present invention may include a display unit configured to display information, a wireless communication unit configured to communicate with an external server that stores first image data and to communicate with a counterpart terminal, a memory to store a second image data, and a controller, in response to an event triggered by the counterpart terminal, to extract an image data related to a counterpart from one of the first image data and the second image data, and the controller to output the extracted image data on a portion of the display unit to notify an occurrence of the event.

Abstract: A method includes creating an electronic record of an asset, and automatically associating a predefined data structure with an electronic record of the asset that controls organization and display of user provided metadata describing the asset. The method may also include receiving the metadata describing the asset from a remote computer, populating the predefined data structure with the metadata describing the asset, and generating a graphical user interface corresponding to the electronic record of the asset with active tabs that provide a visual representation of the predefined data structure associated to the electronic record of the asset. The active tabs are respectively associated with predefined displays including the data fields provided by the predefined data structure, enabling a user to navigate through different displays corresponding to the data fields provided in the predefined data structure associated with the asset to view the metadata describing the asset.

Abstract: The disclosed computer-implemented method for evaluating content provided to users via user interfaces may include (1) monitoring, as part of a security application via an accessibility application program interface provided by an operating system of a computing device, accessibility events that indicate state transitions in user interfaces of applications running on the computing device, (2) receiving, at the security application, an accessibility event that indicates that a user of the computing device is viewing a user interface of an application running on the computing device, (3) identifying, as part of the security application via the accessibility application program interface, content that the user is attempting to access via the application, (4) determining, as part of the security application, that the content is harmful, and (5) performing, as part of the security application, at least one security action in response to determining that the content is harmful.

Abstract: One exemplary embodiment involves receiving, at a computer device, packaged content, wherein the packaged content comprises a manifest and assets. The exemplary method further comprises presenting, via a processor of the computer device, the packaged content in a content consumption environment based at least in part upon the manifest, wherein the manifest identifies stacks, each stack comprising one or more of the assets that are logically related to one another, wherein navigation amongst and within the stacks is specified by the manifest.

Abstract: In an example, there is disclosed a computing apparatus, including a processor, including a trusted execution instruction set; a memory having an enclave portion, wherein the enclave is accessible only via the trusted execution instruction set; a swap file; and a memory management engine operable to: allocate a buffer within the enclave; receive a scope directive to indicate that the buffer is in scope; and protect the buffer from swapping to the swap file while the buffer is in scope. There is further disclosed an method of providing a memory management engine, and one or more computer-readable storage mediums having stored thereon executable instructions for providing the memory management engine.

Abstract: A method of renewing a plurality of digital certificates includes receiving, at a first time, a request from a user to renew a first digital certificate and determining an expiration date for the first digital certificate. The method also includes receiving, at a second time, a request from the user to renew a second digital certificate and determining an expiration date for the second digital certificate. The expiration date for the second certificate is later than the expiration date for the first certificate. The method further includes determining a new expiration date occurring after the first time and the second time and renewing the first digital certificate. An expiration date for the renewed first digital certificate is equal to the new expiration date. Moreover, the method includes renewing the second digital certificate. An expiration date for the renewed second digital certificate is equal to the new expiration date.

Abstract: A method is provided for operating a program code object in conjunction with an application context in an application server environment. The method includes identifying a program code object in the application server environment and identifying an application context enabling the provision of a service. The application context is not directly accessible by the program code object. An entry point of the program code object is identified and a tag identifier referencing the application context is associated with the entry point. When executing the program code object in the application server environment, the tag identifier is used to access the application context.

Abstract: A request is received from a security tool, the request relating to an event involving data records in a storage device. An application programming interface (API) is used to interface with secure storage functionality of the storage device, the secure storage functionality enabling a set of secure storage operations. A security operation is caused to be performed at the storage device involving the data records based at least in part on the request. In one aspect, the set of secure storage operations can include a direct read operation, a direct write operation, a copy-on-write operation, and a save-attempted-write operation.

Abstract: System and method for software activation and further tracking of its states on an end-user computing device (computer) was developed to provide software developers a flexible and secure tool for software distribution and gathering statistics of usage of software activation. The method consists of the following logical steps: (a) obtaining an acquisition confirmation; (b) requesting for a license; (c) issuing and delivering the license to End User; (d) verification of license on the User's computer; (e) storing the license on the User's computer; (f) periodic tracking of activation state, (g) another action with the User's license.

Abstract: A user interface display method implemented on a computer-controlled device to allow an operator to define a list of selected items among a plurality of items available for selection. The operator starts by selecting a pre-existing list containing a number of selected items. A modified list is generated which initially contains the same items as the pre-existing list. The device displays all of the items available for selection, as well as first and second indications associated with each item initially in the modified list. Then, in response to operator inputs to add items to (or remove items from) the modified list, second indications are displayed (or removed from display) in association with the items to be added (or removed), without changing the display of any of the first indications and any of the plurality of items. The modified list is saved without changing the pre-existing list.

Abstract: A distributed execution environment provides resources such as computing resources, hardware resources, and software resources. Resource action rules (“rules”) may be defined and associated with resources in the distributed execution environment. The rules may be evaluated based upon resource state data defining the state of one or more resources. The results of the evaluation of the rules may be utilized to take various actions. For example, the results of the evaluation of rules may be utilized to generate a user interface (UI) object for providing information regarding the evaluation of the rule, to initiate a workflow, and/or perform another type of action. The results might also be utilized to prohibit certain types of operations from being performed with regard to a resource. The results might be propagated to other resources. A UI might also be provided for use in defining the rules.

Abstract: An example method includes facilitating installation of a data collector on a media device; collecting, via the data collector, a media identifier indicative of media presented at the media device; encrypting a user identifier that identifies the user of the media device, the encrypting of the user identifier based on a first encryption key corresponding to a first database proprietor having first user information associated with the user identifier; encrypting a device identifier that identifies the media device, the encrypting of the device identifier based on a second encryption key corresponding to a second database proprietor having second user information associated with the device identifier; sending the media identifier to a data collection server; sending the encrypted user identifier to a second server associated with the first database proprietor; and sending the encrypted device identifier to a third server associated with the second database proprietor.

Abstract: Disclosed herein are techniques for use in fraud detection. In one embodiment, the techniques comprise a method. The method comprises receiving an encrypted current location associated with a user. The method also comprises obtaining an encrypted historical location associated with the user and an encrypted location sensitivity metric that relates to a distance within which locations are considered to be the same. The method further comprises performing an authentication operation based on the encrypted current location, the encrypted historical location and the encrypted location sensitivity metric.

Abstract: In a method (300) for applying differential policies on at least one digital document (120a-120n) having a plurality of atomic units (122a-122n) among a plurality of workflow participants (110a-110n), in which the atomic units are assigned with at least one of a plurality of the differential policies, the at least one digital document is tessellated (304) to identify the atomic units and the at least one of the differential policies assigned to the atomic units. In addition, the atomic units are aggregated (306) according to the at least one of the differential policies assigned to the atomic units and respective sets of keys are associated (308) to the aggregated atomic units, in which common sets of keys are associated with the aggregated atomic units assigned with the same policies.