Access Control Patents (Class 726/27)
  • Patent number: 9069952
    Abstract: An electronic device.
    Type: Grant
    Filed: May 20, 2013
    Date of Patent: June 30, 2015
    Assignee: Sprint Communications Company L.P.
    Inventors: Lyle W. Paczkowski, William M. Parsel, Carl J. Persson, Matthew C. Schlesener
  • Patent number: 9058399
    Abstract: A system and method for providing shortened network resource identifier service to computing devices uses a link translating technique to replace at least some of the links in network resources requested by the computing devices using shortened network resource identifiers so that network activities of the computing devices can be monitored or controlled.
    Type: Grant
    Filed: July 28, 2011
    Date of Patent: June 16, 2015
    Assignee: Unwired Planet, LLC
    Inventor: Philippe P. Piernot
  • Patent number: 9059855
    Abstract: An apparatus and method are described for implementing a trusted dynamic launch and trusted platform module (TPM) using a secure enclave. For example, a computer-implemented method according to one embodiment of the invention comprises: initializing a secure enclave in response to a first command, the secure enclave comprising a trusted software execution environment which prevents software executing outside the enclave from having access to software and data inside the enclave; and executing a trusted platform module (TPM) from within the secure enclave, the trusted platform module securely reading data from a set of platform control registers (PCR) in a processor or chipset component into a memory region allocated to the secure enclave.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: June 16, 2015
    Assignee: Intel Corporation
    Inventors: Simon P. Johnson, Vincent R. Scarlata, Willard M. Wiseman
  • Patent number: 9047448
    Abstract: A branch auditing system can be automatically injected into a computer program, in one embodiment, in response to a programming call provided in source code by a programmer who has selected a particular branch, in a set of possible branches, for auditing. The branch auditing system can record, in an obfuscated data structure, a path taken at the particular branch and the parameters associated with the branch and later an auditor can determine whether the path taken was valid, and if the path taken was invalid, operations can be performed to protect the program, system and/or user.
    Type: Grant
    Filed: January 14, 2013
    Date of Patent: June 2, 2015
    Assignee: Apple Inc.
    Inventors: Cedric Tessier, Daniel Reynaud, Jean-Baptiste Aviat, Jonathan Gregory McLachlan, Julien Lerouge, Pierre Betouin
  • Publication number: 20150150146
    Abstract: Systems and methods for providing content items to users. A computer system may provide to a first user an indication of a plurality of available content items. The computer system may receive from the first user an indication of a first content item selected from the plurality of content items. The computer system may determine whether a content provider service associated with the computer system is authorized to stream the first content item to the first user. When the content provider service is not authorized to stream the first content item to the first user, the computer system may identify an alternate source for the first content item. The computer system may initiate playback of the first content item to the first user from the alternate source.
    Type: Application
    Filed: February 3, 2015
    Publication date: May 28, 2015
    Inventors: Jeffrey Torgerson, Jon Maples, Garrett Kamps
  • Publication number: 20150150145
    Abstract: A method for accessing shared memory, the method includes loading a private context ID into a private context ID register, where the first private context ID enables a thread to access a private memory region only accessible by the thread. The method further includes receiving, from the thread, a first request to access a shared memory region, loading a shared context ID into a shared context register, permitting, by a memory management unit (MMU), the thread to access the shared memory region using the shared context ID, and receiving, from the thread, a second request to disable access to the shared memory region. The method further includes removing, in response to the second request, the shared context ID from the shared context ID register, where after removing the shared context ID from the shared context ID register the thread is no longer able to access the shared memory region.
    Type: Application
    Filed: November 22, 2013
    Publication date: May 28, 2015
    Applicant: ORACLE INTERNATIONAL CORPORATION
    Inventor: Blake Alan Jones
  • Patent number: 9041812
    Abstract: Real-time access by a requestor to surveillance video is conditionally pre-authorized dependent on the existence of at least one pre-specified automatically detectable condition, and recorded in a data processing system. A requestor subsequently requests real-time access to the surveillance video (e.g., as a result of an alarm), and if the pre-specified automatically detectable condition is met, access is automatically granted, i.e., without the need for manual intervention. An automatically detectable condition could, e.g., be an alarm condition detected by a sensor at the site of the video surveillance. Alternatively, it could be a locational proximity of the requestor to the site of the video surveillance. Alternatively, it could be a previously defined time interval.
    Type: Grant
    Filed: November 13, 2012
    Date of Patent: May 26, 2015
    Assignee: International Business Machines Corporation
    Inventors: Ronald L. Billau, Vincenzo V. Di Luoffo, Dan P. Dumarot, Matthew J. Paschal, Brandon W. Schulz, James E. Woodbury
  • Patent number: 9043931
    Abstract: A multi-layer USB drive for storing data in a memory has at least two printed circuit board assemblies, each one including a memory for storing data and a control microprocessor controlling the flow of data to and from the memory. The circuit board assemblies are operatively connected to one another in a serial manner for exchange of data between adjacent assemblies upon access by a user and wherein at least one of the control microprocessors is security enabled requiring a user defined security input for accessing the memory of the printed circuit board assembly of that security enabled control microprocessor. A USB connector is for connecting to a USB slot of a device and the USB connector is operatively connected to only one of the printed circuit board assemblies. A USB hub is provided on at least one of the assemblies for recognizing the circuit board assemblies of the USB drive.
    Type: Grant
    Filed: May 31, 2013
    Date of Patent: May 26, 2015
    Inventor: Sung Ub Moon
  • Patent number: 9043934
    Abstract: A system, method, and device includes a platform data storage that stores a wrap that secures an executable controller and executable sensors. The wrap is verified, optionally through a downloaded authentication driver. After verifying the wrap, the wrap is opened and a sister of the executable controller is installed into the platform memory to cooperate with the executable controller. Additionally or alternatively, the authentication driver may cooperate with the executable controller. The executable controller allows the platform processor to access data secured in a vault and/or verify the platform to create a connection to a connection server.
    Type: Grant
    Filed: September 22, 2014
    Date of Patent: May 26, 2015
    Inventors: Wayne Odom, Karolyn Gee
  • Patent number: 9043898
    Abstract: An access rights management system is presented in which a mobile device may be allowed to access corporately held data in a flexible manner but in which the security and integrity of the data is maintained. The mobile device is provided with a rights adjustment module which modifies the access rights for locally stored corporate data in dependence on the connectivity of the mobile device with a corporate server.
    Type: Grant
    Filed: April 18, 2011
    Date of Patent: May 26, 2015
    Assignee: LENOVO INNOVATIONS LIMITED (HONG KONG)
    Inventors: Frederic Fok Ah Chuen, Benoit Lecroart, Olivier Perron
  • Patent number: 9043928
    Abstract: Methods are provided for tracking data corresponding to a mobile device that accesses a web page. Once a mobile device is registered with a network, the mobile device is instructed to request permission before accessing a web page. An access request is received, and based on a user profile, the access request is approved such that the mobile device may access the web page. Access data that corresponds to the mobile device accessing the web page is collected so that it can be added to and stored in a database.
    Type: Grant
    Filed: February 24, 2010
    Date of Patent: May 26, 2015
    Assignee: Sprint Communications L.P.
    Inventors: Lyle W. Paczkowski, John E. Belser, Nicolas A. Nehme Antoun, Farni B. Weaver
  • Patent number: 9041943
    Abstract: An image processing system that executes plural functions with respect to image data, the image processing system including: a decision unit that decides whether or not a function among the plural functions is authorized to be executed with respect to the image data; and a notification unit that identifiably notifies an authorized function, which is authorized to be executed with respect to the image data, and an unauthorized function, which is not authorized to be executed with respect to the image data, decided by the decision unit.
    Type: Grant
    Filed: March 12, 2010
    Date of Patent: May 26, 2015
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Akihiro Yamada
  • Patent number: 9043930
    Abstract: Systems and methods for screening applicants are disclosed herein. A method of screening applicants is performed by a screening server. The server begins by receiving a selection of screening services and an applicant profile that identifies an applicant. The screening continues by generating screening results specified by the selection of screening services based on the applicant profile. A property manager is then notified that the screening results are available for the applicant based upon the applicant profile. The screening results are then provided to the property manager based upon the applicant profile. Based on these screening results, the screener or property manager can make a decision about the applicant and communicate a decision action to the applicant.
    Type: Grant
    Filed: April 5, 2013
    Date of Patent: May 26, 2015
    Assignee: TransUnion Rental Screening Solutions, Inc.
    Inventors: Michael A. Britti, Robert D. Thornley, Joel R. Springer, Michael J. Mauseth, Michael J. Collins
  • Patent number: 9043827
    Abstract: A method and system of providing conditional access to encrypted content includes receiving unsolicited multiply encrypted video content and first decryption data over a broadcast network. Partially decrypted video content is obtained by decrypting a first layer of encryption of the encrypted video content using the first decryption data. The partially decrypted video content is stored. A request for viewing the encrypted video content is transmitted and second decryption data is received. A second layer of encryption of the encrypted video content is decrypted using the second decryption data.
    Type: Grant
    Filed: December 16, 2009
    Date of Patent: May 26, 2015
    Assignee: PRIME RESEARCH ALLIANCE E, INC.
    Inventors: Maxim Rapoport, Charles A. Eldering
  • Patent number: 9043929
    Abstract: A document review and security technique is provided that presents a first portion of a document to a first reviewer, wherein the first portion includes less than the entire document, presents a second portion of the document to a second reviewer, wherein the second portion includes less than the entire document, wherein the second portion is at least partially different from the first portion, and wherein the first reviewer and the second reviewer are different reviewers, receives from the first reviewer a review action input associated with the first portion, receives from the second reviewer a review action input associated with the second portion, and determines a disposition of the document in accordance with the review action inputs.
    Type: Grant
    Filed: July 3, 2012
    Date of Patent: May 26, 2015
    Assignee: International Business Machines Corporation
    Inventors: Shlomit Avrahami, Joshua Fox, Yuri Kosharovsky, Michael Pelts, Vladislav P. Rybak, Ora Shapiro
  • Patent number: 9043932
    Abstract: A method uses a firmware interface setup program for a selected compute node (“node”) to cause a firmware interface to enable a trusted platform module (TPM) on the selected node to receive a physical presence (PP) signal. The selected node is selected from a plurality of nodes within a multi-node chassis, wherein each node includes a firmware interface and a TPM. A device within the multi-node chassis is manually actuated to transmit a PP signal to each of the plurality of nodes, such that each node receives the PP signal. The PP signal is asserted to the TPM of the selected node in response to both enabling the TPM of the selected node to be able to receive the PP signal and receiving the PP signal. Still further, the method allows modification of a security setting of the selected node in response to the TPM receiving the PP signal.
    Type: Grant
    Filed: September 3, 2013
    Date of Patent: May 26, 2015
    Assignee: International Business Machines Corporation
    Inventors: Shiva R. Dasari, Raghuswamyreddy Gundam, Karthik Kolavasi, Newton P. Liu, Douglas W. Oliver, Nicholas A. Ramirez, Mehul M. Shah, Wingcheung Tam
  • Patent number: 9043927
    Abstract: A method and an apparatus for authenticating location-based services without compromising location privacy, which comprises a comprehensive solution that preserves unconditional location privacy when authenticating either range queries using three authentication schemes for R-tree and grid-file index, together with two optimization techniques, or k-nearest neighbor queries using two authentication schemes for R-tree and Voronoi Diagram index.
    Type: Grant
    Filed: February 19, 2013
    Date of Patent: May 26, 2015
    Assignee: Neo Mechanic Limited
    Inventors: Haibo Hu, Jianliang Xu, Qian Chen
  • Patent number: 9043588
    Abstract: Various embodiments provide a method and apparatus of providing accelerated encrypted connections in a cloud network supporting transmission of data including per-user encrypted data. Transmission of encrypted data from an application server uses an encryption scheme that encrypts static data using a first encryption scheme that derives keys from the content itself and encrypts dynamic data, such as dynamic website content with personalized user data, using a second encryption scheme.
    Type: Grant
    Filed: May 8, 2012
    Date of Patent: May 26, 2015
    Assignee: Alcatel Lucent
    Inventors: Krishna P. Puttaswamy Naga, Katherine Guo
  • Patent number: 9043870
    Abstract: An automated system for signing up users invited to join a site based on their existing identity includes an invitation generator, an invite processor, a federated authentication module, a user information retrieval module, an account population and creation module, and a user interface module. The automated sign up module is responsive to an invite request. The automated sign up module sends an authorization request, receives the authorization response, verifies the response and retrieves user data. The automated sign up module uses the retrieved data to populate a sign up form and initialize an account. The automated sign up module sends new account information to a user for confirmation. Once confirmation has been received, the automated sign up module creates the new account and allows the user to access the system. The present disclosure includes a method for signing up users invited to join a site based on their existing identity.
    Type: Grant
    Filed: October 11, 2012
    Date of Patent: May 26, 2015
    Assignee: Google Inc.
    Inventors: Tzvi Itzhak Barenholz, Ilan Caron, Gregory Dardyk, Ari Leichtberg, Mor Miller, David Oren, Eric Sachs, Yaniv Shuba
  • Patent number: 9043863
    Abstract: A web browser that includes a network policy enforcement unit, a storage policy enforcement unit, and an ancillary policy enforcement unit is disclosed. The network policy enforcement unit controls communications between application logic of a web application and data communication APIs. The storage policy enforcement unit controls access between the web application logic and persistent storage APIs. The ancillary policy enforcement unit controls user authentication of the web application logic.
    Type: Grant
    Filed: January 21, 2012
    Date of Patent: May 26, 2015
    Assignee: Symantec Corporation
    Inventors: Thomas Jeffrey Enderwick, Christopher Edward Perret, Azim Ozakil, Stephen James Scalpone
  • Patent number: 9043933
    Abstract: A method is provided to process data so that the data can be externally stored with minimized risk of information leakage. A framework (virtual execution framework) based on virtual machines (VMs) is utilized as a substitute for a trusted institution. Encryption of consolidated data can reduce risk of information leakage and enhance security. Since the virtual execution framework can control connection and direction of communication, financial institutions are allowed to apply encryption to data on their own, which makes the data further appropriate for external storage. By allowing financial institutions to apply their own decryption, it is possible to prevent one of two financial institutions from retrieving externally stored data into the external execution framework without intervention of the other. Additionally, associated acting subjects can be provided with freedom depending on the degree of information leakage risk.
    Type: Grant
    Filed: November 19, 2013
    Date of Patent: May 26, 2015
    Assignee: International Business Machines Corporation
    Inventor: Yuji Watanabe
  • Publication number: 20150143535
    Abstract: A method and system to warn the user in the event of potential confidential document security violations. The method includes using a computer, electronically embedding a digital marker in an electronic document to create a marked document; storing the document on a non-removable non-transitory computer readable medium of the computer; upon a request for transmission of the marked document from the computer or for copying the marked document to a removable non-transitory computer readable medium, determining that the marked document contains the digital marker and displaying a warning on a display unit of the computer of the request based on the marked document containing the digital marker; and allowing the transmission or the copying only upon approval of release of the marked document by a human user of the computer.
    Type: Application
    Filed: November 15, 2013
    Publication date: May 21, 2015
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Felice Mansi, Michele Paradiso, Valerio Summo
  • Publication number: 20150143536
    Abstract: A system for document retrieval in a network environment is provided where documents are stored with corresponding privacy codes. A query server computer is in communication with the network and is programmed to generate a privacy index of all documents available on the network indexed by their corresponding privacy codes. The privacy codes define document access permissions that are securely associated with the documents and are assigned by document custodians. A search engine in communication with the network is configured to receive a query from a requester and generate a list of documents from the privacy index which match search parameters of the query and privacy codes of the requester.
    Type: Application
    Filed: November 19, 2014
    Publication date: May 21, 2015
    Inventor: Robert Shelton
  • Patent number: 9038173
    Abstract: A method includes receiving an indication of at least one detected security issue at a network device. The indication is received at a security manager processor from a security agent. The method includes selecting, via the security manager processor, at least one executable security object responsive to the indication. The security manager processor verifies compatibility between the at least one executable security object, the network device, and communication media. The method also includes sending the at least one executable security object to the network device via the security manager processor to provide a protective security measure to the network device against the at least one detected security issue upon execution of the at least one executable security object.
    Type: Grant
    Filed: September 6, 2012
    Date of Patent: May 19, 2015
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Zesen Chen, Yongdong Zhao, Peter Chou, Brian A. Gonsalves, Michael Taylor
  • Patent number: 9037847
    Abstract: A method for enforcing digital rights management (DRM) rules in a first device is disclosed. In the method the first device receives a message that includes a rights object (RO) having a digital signature, directly from a source device. The first device determines an identity of a signing entity from the message including the RO having the digital signature. The signing entity is an entity that digitally signed the RO. The first device processes the message including the RO having the digital signature using the identity of the signing entity and an information state to enforce DRM rules in the first device.
    Type: Grant
    Filed: October 6, 2009
    Date of Patent: May 19, 2015
    Assignee: Google Technology Holdings LLC
    Inventor: David W. Kravitz
  • Patent number: 9038193
    Abstract: Autonomous embedded data cognition enables data to perform real-time environmental configuration control, self-manage, perform analysis, determine its current situation, and evaluate behavior to respond accordingly. When created, security measures, and access controls are selected. Highly sensitive data can be extracted and substituted with creator label and/or functional representation. Data-to-data reasoning and analysis can be performed. The processing method comprises autonomous monitoring for a state change and analyzing the current user to determine if the instantiation should exist. If affirmed, the cognition engine automatically configures the computational environment in which it resides. If denied, environmental behavior is further analyzed for security problems or an erroneous situation. If detected, the creator is alerted and provided with incident information enabling remote creator control of the data. Cognitive data can decide to self-destruct mitigating risk of undesirable instantiations.
    Type: Grant
    Filed: June 30, 2008
    Date of Patent: May 19, 2015
    Assignee: Azos AI, LLC
    Inventors: Sheila Jean Burgess, George G. Burgess, IV
  • Patent number: 9038192
    Abstract: A cryptanalysis method comprising: (A) Performing a ciphertext-only direct cryptanalysis of A5/1 and (B) Using results of Step (A) to facilitate the decryption and/or encryption of further communications that are consistent with encryption using the session key and/or decryption using the session key, wherein the cryptanalysis considers part of the bits of the session key to have a known fixed value, and wherein the cryptanalysis finds the session key. An efficient known plaintext attack on A5/2 comprises trying all the possible values for R4, and for each such value solving the linearized system of equations that describe the output; The solution of the equations gives the internal state of R1, R2, and R3; Together with R4, this gives the full internal state which gives a suggestion for the key.
    Type: Grant
    Filed: September 20, 2012
    Date of Patent: May 19, 2015
    Inventors: Elad Barkan, Eli Biham
  • Patent number: 9038145
    Abstract: A user's set top box (STB), or other client, executes a shell and has an application program interface (API) by which certain features of the client can be controlled. The client is in communication with a walled garden proxy server (WGPS). The client sends a request to the WGPS to access a service provided by a site in the garden. The site sends the client a message containing code calling a function in the API. The WGPS traps the message from the site and looks up the site in a table to determine the access control list (ACL) for the site. The WGPS includes the ACL in the header of the hypertext transport protocol (HTTP) message to the client. The shell receives the message and extracts the ACL. If the code lacks permission, the shell stops execution.
    Type: Grant
    Filed: December 20, 2013
    Date of Patent: May 19, 2015
    Assignee: At Home BondHolders' Liquidating Trust
    Inventors: Ralph William Brown, Milo S. Medin, Robert Keller, David Temkin
  • Patent number: 9038140
    Abstract: Described herein is a technology for facilitating the integration of a collaboration environment. In some implementations, an activity associated with a business object is accessed via a work center. A request to post the activity is sent to a collaboration application. The collaboration application then returns an activity identifier, and the user is redirected to the activity identifier.
    Type: Grant
    Filed: November 15, 2012
    Date of Patent: May 19, 2015
    Assignee: SAP SE
    Inventors: Weicheng Mao, Ziqiang Huang, Hua Wang, Xueyong Gong, Michael Rey
  • Patent number: 9038191
    Abstract: Methods and apparatus are provided for providing a DRM service by a user terminal apparatus consuming DRM content in a service environment that provides the DRM content using a plurality of incompatible DRM systems. A license corresponding to the DRM content is acquired from a service providing apparatus that provides the DRM content. It is determined whether the license is a common license having a common DRM interface format. The common DRM interface format of the common license is converted to a format of a first DRM system installed in the user terminal apparatus, when the license is the common license. The license having the format of the first DRM system is applied in reproducing the DRM content. The common license is provided from the service providing apparatus to the user terminal apparatus through a common DRM interface when the service providing apparatus does not support the first DRM system.
    Type: Grant
    Filed: April 27, 2012
    Date of Patent: May 19, 2015
    Assignee: Samsung Electronics Co., Ltd
    Inventors: Sergey Nikolayevich Seleznev, Byung-Rae Lee, Bo-Gyeong Kang
  • Patent number: 9037656
    Abstract: A method and system for facilitating interaction between an electronic device and a plurality of content provider websites are disclosed. In one embodiment, the method includes receiving at a server a plurality of information portions provided from the websites, where each of the information portions is associated with a respective copy of information that is available at each of the websites. The method also includes aggregating at the server the information portions so that they are combined into an overall grouping, with the respective information portions being maintained respectively as distinct subportions within the grouping. Further, the method includes sending from the server a message for receipt by a part of the electronic device, the primary message including the grouping. The grouping is sent together with an additional copy of the information or with an indication of that information to which the overall grouping relates.
    Type: Grant
    Filed: December 20, 2010
    Date of Patent: May 19, 2015
    Assignee: Google Technology Holdings LLC
    Inventors: David Brenner, Roger Bye, Kevin Foy, Lucia Robles Noriega
  • Patent number: 9037864
    Abstract: A system and method for generating user authentication challenges based at least in part on an account owner's social network activity information. A login request including an account owner's correct username and password as well as additional login information is received from a user. The login attempt is detected as potentially fraudulent based on the additional login information from the user. The account owner's social network activity information is analyzed. An authentication challenge based at least in part on the account owner's social network activity information is generated and sent for display. The login request is allowed or denied based on the completion of the authentication challenge.
    Type: Grant
    Filed: September 21, 2011
    Date of Patent: May 19, 2015
    Assignee: Google Inc.
    Inventors: Jessica Staddon, Andrew M. Archer, Madhukar Narayan Thakur, Michael Christopher Hearn
  • Patent number: 9038194
    Abstract: Methods and systems for encrypting and decrypting data are described. In one embodiment, a client computing system sends to a server computing system over a network a first network request to perform multiple operations such as a lease operation and a fetch operation. In response, the server computing system performs the operations. Subsequently, the client computing system can send subsequent network requests to write re-encrypted data and to relinquish the lease. The subsequent network requests may also be single network requests that perform lease operations, as well as other operations, such as operations for block alignment purposes. The client computing system can send an actual end of file when relinquishing the lease so that the server computing system can handle a remainder of data that is used for subsequently decrypting the re-encrypted data.
    Type: Grant
    Filed: November 30, 2011
    Date of Patent: May 19, 2015
    Assignee: Red Hat, Inc.
    Inventor: Jeffrey J. Darcy
  • Patent number: 9037863
    Abstract: A terminal device recording content onto a recording medium device, a permission to record the content onto the recording medium device being granted by a server device, the terminal device comprising: a generation unit generating a value calculated so as to represent subject content for which permission to record is requested; an information transmission unit requesting the permission from the server device by transmitting information indicating the value generated by the generation unit to the server device; a signature reception unit receiving subject content signature data from the server device, the subject content signature data being transmitted by the server device upon granting the permission; and a recording unit recording the subject content onto the recording medium device as one of plain-text data and encrypted data, as well as the subject content signature data received by the signature reception unit.
    Type: Grant
    Filed: March 25, 2014
    Date of Patent: May 19, 2015
    Assignee: Panasonic Corporation
    Inventors: Takahiro Yamaguchi, Yuichi Futa
  • Patent number: 9038195
    Abstract: Arrangements described herein relate to accessing a cloud based service. Responsive to a user of a first communication device initiating access to the cloud based service via the first communication device, a prompt for a valid password to be entered to access the cloud based service can be received by the first communication device. Responsive to the valid password required to access the cloud based service not being stored on the first communication device, the first communication device can automatically retrieve the valid password from a second communication device via a peer-to-peer ad hoc communication link between the first communication device and the second communication device. The valid password can be automatically provided, by the first communication device, to a login service for the cloud based service to obtain access by the first communication device to the cloud based service.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: May 19, 2015
    Assignee: Google Technology Holdings LLC
    Inventors: Ansuman Satpathy, Haitang Wang
  • Publication number: 20150135331
    Abstract: An approach to multiprotocol ACL implementation with guaranteed protocol compliance is described. In one approach, a method of access rights validation for a multiprotocol supported file server is detailed. The method involves receiving a request to store a file with a security descriptor and storing the security descriptor in an extended attribute associated with the file. Subsequently, the security descriptor is expanded to extract a set of ACEs. Access to the file can then be validated against the ACEs expanded from the security descriptor according to the specifications of the protocol that created the security descriptor.
    Type: Application
    Filed: November 14, 2013
    Publication date: May 14, 2015
    Applicant: FUTUREWEI TECHNOLOGIES, INC.
    Inventor: Kalyan DAS
  • Publication number: 20150135300
    Abstract: In embodiments, the disclosure provides a method for managing content, including providing an electronic discovery facility of a secure data exchange environment, wherein at least one of a plurality of users of a first entity utilizes a network-based content storage service of a second entity to store content, and wherein the storage and access of the content with the network-based content storage service is tracked by the electronic discovery facility. The method includes receiving, at the electronic discovery facility, a discovery request, the discovery request comprising a request for a legal counsel of a third entity to access content stored on the network-based content storage service, the discovery request being, for example, in association with a litigation discovery action in relation to the first entity.
    Type: Application
    Filed: November 13, 2014
    Publication date: May 14, 2015
    Inventor: Christopher Todd Ford
  • Patent number: 9030993
    Abstract: In order that even a wireless terminal whose unique ID is not registered in the filter list can simply use the access point without a prior setting task by the user, a communication device includes access point means, filtering disabling means, unique ID registration means and filtering enabling means. The access point means connects a wireless terminal with at least one of a lower network and an upper network. The filtering disabling means disables a filtering which prevents connecting with an unregistered wireless terminal whose unique ID is not registered in a filter list. The unique ID registration means acquires the unique ID of the wireless terminal and registers the acquired unique ID in the filter list, in a state where the filtering is disabled, if a connection request is received from the wireless terminal. The filtering enabling means enables the filtering after the unique ID of the wireless terminal is registered in the filter list.
    Type: Grant
    Filed: April 21, 2010
    Date of Patent: May 12, 2015
    Assignee: Lenovo Innovations Limited (Hong Kong)
    Inventor: Naoki Mizoguchi
  • Patent number: 9032546
    Abstract: Techniques are described herein that are capable of enforcing conditions of use associated with disparate data sets. For example, content may be published. Conditions of use that are associated with the published content may be specified. The published content may include disparate data sets. Each data set may be associated with its own condition(s) of use. The condition(s) of use associated with each data set may be enforced.
    Type: Grant
    Filed: November 20, 2013
    Date of Patent: May 12, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Moe Khosravy, Roger Soulen Mall
  • Patent number: 9032486
    Abstract: A breathalyzer system for use with a computer consisting of a breathalyzer, computer software and hardware, an interface and method for delaying posts by persons who cannot prove sobriety upon initial posting. The breathalyzer registers the level of sobriety, and the result is sent through an interface to the software. If the alcohol level is below an acceptable threshold, unencumbered access to the social media is granted. If the alcohol level is above an acceptable threshold, access to websites, posting on social media websites, uploading videos, online gambling, or making large purchases is restricted.
    Type: Grant
    Filed: October 11, 2012
    Date of Patent: May 12, 2015
    Inventors: Michael Patrick Burke, Daniel Farkas
  • Patent number: 9032540
    Abstract: An access system including a storage medium and a host is disclosed. The storage medium includes an identification code. The host includes a processor, at least one connection port and an identification port. The processor executes a mass-production application program. The connection port is coupled to at least one electronic product. The identification port is coupled to the storage medium. When the mass-production application program is executed, the processor determines whether the identification code matches a key code. When the identification code matches the key code, the processor writes mass-production data to the electronic product.
    Type: Grant
    Filed: June 10, 2013
    Date of Patent: May 12, 2015
    Assignee: Silicon Motion, Inc.
    Inventor: Yu-Ping Chang
  • Patent number: 9032541
    Abstract: An information processing system includes an external system having an external server managing public information, and an internal system having an internal server managing secure information and a terminal outputting information. The external server sends an information generating module to the terminal at an acquisition request source, and the terminal executes the received information generating module, in order to generate information to be provided, using the public information acquired from the external server and the secure information acquired from the internal server.
    Type: Grant
    Filed: August 16, 2013
    Date of Patent: May 12, 2015
    Assignee: Ricoh Company, Ltd.
    Inventor: Kenji Kawasumi
  • Patent number: 9032544
    Abstract: A system and method for controlling access to private information over a network is provided including a privacy preference repository accessible by one or more subjects of the private information and by a private access bureau. The privacy preference repository stores privacy preferences configured by the subjects to indicate conditions for disclosure of said private information. A policy repository that stores legal criteria for accessing the private information is also accessible by the private access bureau. The private access bureau is configurable to receive requests from privacy-enabled systems for privacy directives that take into account the privacy preferences and legal criteria required to release particular documents on said privacy-enabled system in response to the privacy-enabled systems.
    Type: Grant
    Filed: December 22, 2011
    Date of Patent: May 12, 2015
    Assignee: Private Access, Inc.
    Inventor: Robert Shelton
  • Patent number: 9032501
    Abstract: Embodiments are directed towards communicating using a mobile device that performs actions including. A mobile device may be provisioned with an access point such that a provisioning key and a provisioning token for each of the provisioned access points may be stored on the mobile device. The mobile device may be determined to be in the presence of a provisioned access point based on the provisioning key and an advertising nonce. The advertising nonce may be encrypted with the provisioning key. A communication channel between the mobile device and the access point may be established based on a session nonce, the advertising nonce, and the provisioning key. A session key may be generated based in part on the advertising nonce and a message counter. And, encrypted message packets that include a message and a message authentication tag may be communicated to the access point.
    Type: Grant
    Filed: August 18, 2014
    Date of Patent: May 12, 2015
    Assignee: Bionym Inc.
    Inventors: Karl Martin, Evgene Vahlis
  • Patent number: 9032543
    Abstract: Methods and systems for providing access to content are disclosed. The method is performed at least in part at a client computer system having a processor and memory. The method includes executing a host application associated with a first party. In some implementations, the host application is a media player. The method further includes initiating a secure communication channel between the host application and a server associated with the first party. The method further includes executing a supplemental application associated with a second party. The method further includes accessing, with the supplemental application, content licensed to the first party, wherein the licensed content is accessible to the supplemental application via the secure communication channel subject to terms of a licensing agreement. In some implementations, the content is media content, such as music, movies, and the like.
    Type: Grant
    Filed: July 21, 2014
    Date of Patent: May 12, 2015
    Assignee: Spotify AB
    Inventors: Mattias Robert Arrelid, Mikael Gustav Olenfalk
  • Patent number: 9032542
    Abstract: A data storage system includes a storage device and a data handler that receives an object, creates metadata for the object that includes a key and an authorization, stores the object on the storage device, receives a request for the object, determines if the request includes the key, and, if the request has authorization information, permits access to the object. The data handler receives another request for the object, determines if the request includes the key, and, if the request does not have the authorization information, denies access to the object.
    Type: Grant
    Filed: February 28, 2014
    Date of Patent: May 12, 2015
    Assignee: Dell Products, LP
    Inventors: Farzad Khosrowpour, Marco A. Peereboom
  • Patent number: 9032534
    Abstract: A system administrator of a wireless LAN 100 manipulates a personal computer PC1 to change a WEP key. The personal computer PC1 authenticates a memory card MC as genuine under management of the system administrator. In the case of the authenticated memory card MC, changed setting information, as well as a previous WEP key before the change of the setting information, is written into the memory card MC. The system administrator then inserts this memory card MC into a memory card slot of a printer PRT1. The printer PRT1 authenticates the memory card MC as genuine under management of the system administrator. In the case of the authenticated memory card MC, the setting information is updated. This arrangement effectively relieves the user's workload in setting wireless communication devices, while ensuring sufficiently high security.
    Type: Grant
    Filed: December 21, 2004
    Date of Patent: May 12, 2015
    Assignee: Seiko Epson Corporation
    Inventor: Katsuyuki Koga
  • Publication number: 20150128287
    Abstract: Various systems, computer-readable media, and computer-implemented methods of providing improved data privacy, anonymity and security by enabling subjects to which data pertains to remain “dynamically anonymous,” i.e., anonymous for as long as is desired—and to the extent that is desired—are disclosed herein. Embodiments include systems that create, access, use, store and/or erase data with increased privacy, anonymity and security, thereby facilitating the availability of more qualified and accurate information. When data is authorized by subjects to be shared with third parties, embodiments may facilitate sharing information in a dynamically controlled manner that enables delivery of temporally-, geographically-, and/or purpose-limited information to the receiving party. In one example, anonymity measurement scores may be calculated for the shared data elements so that a level of consent/involvement required by the Data Subject before sharing the relevant data elements to third parties may be specified.
    Type: Application
    Filed: October 31, 2014
    Publication date: May 7, 2015
    Inventors: Malcolm Gary LaFever, Ted N. Myerson, Samantha L. Hampton, Howard Kaushansky, Steven Mason
  • Publication number: 20150128289
    Abstract: A technique for distributed management of attributes includes propagating attributes based upon attribute-granularity permissions. An example of a system according to the technique may include a server, coupled to a first client and a second client, that includes a module that receives attribute data from the first client; a permissions database where first permissions associated with the first client are set at the individual attribute level for the second client; an engine for updating the permissions database and for validating the first permissions for the second client; and an engine for distributing first client updates based on validated permissions to destinations associated with the one or more second destination stores.
    Type: Application
    Filed: January 15, 2015
    Publication date: May 7, 2015
    Applicant: YOUnite, Inc.
    Inventors: Mark FITZPATRICK, Anthony SIRESS
  • Publication number: 20150128286
    Abstract: Preventing changes to computing devices in a computing system servicing a critical job, including: identifying, by a job protection module, a critical job executing in the computing system; identifying, by the job protection module, one or more computing devices in the computing system utilized during execution of the critical job; and locking, by the job protection module, each of the one or more computing devices in the computing system utilized during execution of the critical job from undergoing a configuration change during execution of the critical job.
    Type: Application
    Filed: November 7, 2013
    Publication date: May 7, 2015
    Inventors: SHAREEF F. ALSHINNAWI, GARY D. CUDAK, EDWARD S. SUFFERN, J. MARK WEBER