By Authorizing Client Patents (Class 726/29)
  • Publication number: 20150121553
    Abstract: Systems, methods, and techniques are disclosed for. An example method of providing code protection includes identifying a set of methods including one or more code portions to extract from an application. The method also includes extracting the one or more code portions from the set of methods. The one or more extracted code portions is executable on a computing device remote from a client. The method further includes inserting an interface into the application. The interface enables the client to remotely execute the one or more extracted code portions. The method also includes transmitting the application including the interface and without the one or more extracted code portions to the client.
    Type: Application
    Filed: October 25, 2013
    Publication date: April 30, 2015
    Applicant: Red Hat, Inc.
    Inventors: Filip Nguyen, Marek Baluch
  • Publication number: 20150121554
    Abstract: A system and method relate to a platform for distributing digital contents (digital content) to various client devices. A digital rights management platform allows a content provider to forward digital contents that is automatically ingested and processed in accordance with various requirements associated with providing the digital contents to the client devices. Information regarding the ingested digital contents may be provided to a coordinator device that uses this information to form a digital rights locker associated with the digital contents. A client device accesses the digital rights locker to obtain a rights token, or a proof of purchase, that is used to obtain rights data for accessing the digital contents.
    Type: Application
    Filed: October 30, 2013
    Publication date: April 30, 2015
    Applicant: VERIZON PATENT AND LICENSING INC.
    Inventors: John K. Trimper, Kiran K. Patel, Dheeraj Joshi, Christopher Carey
  • Publication number: 20150121073
    Abstract: A method of providing a receiver with a version of an initial item of software, the method comprising: for each of a plurality of sections of the initial item of software that together form the initial item of software, obtaining one or more respective versions of that section, wherein for at least one of the sections a respective plurality of different versions of that section are obtained; for each of the plurality of sections of the initial item of software, selecting a respective version of that section to be used by the receiver, said selecting being arranged so that the receiver is identifiable from the set of selected versions; and providing the receiver with a version of the initial item of software by providing the receiver with access to the selected versions of the sections of the initial item of software.
    Type: Application
    Filed: March 23, 2012
    Publication date: April 30, 2015
    Applicant: Irdeto B.V.
    Inventor: Andrew Augustine Wajs
  • Patent number: 9021608
    Abstract: The invention provides systems and methods for management of digital media objects, comprising first and second client digital data processors (e.g., personal (or private) computers, laptops, dedicated music devices, electronic book readers, and so forth) that are in communications coupling with one or more stores (e.g., dedicated disk drives, flash drives, cloud storage, etc.). At least one digital media object (DMO) or copy thereof is stored in one or more of those stores and is accessible by at least one of the first and second client digital data processors.
    Type: Grant
    Filed: February 27, 2012
    Date of Patent: April 28, 2015
    Assignee: ReDigi, Inc.
    Inventors: Lawrence S. Rogel, John M. Ossenmacher, Micha Moffie, Amihai Viks, Xiao Zou
  • Patent number: 9021607
    Abstract: A first user may provide protected content to a second user. The user accesses the rights required by the protected content and the rights held by the second user. If the rights of the second user are equal to or greater than those required by the protected content, the first user may then provide the protected content to the second user. Additionally, methods and systems for presenting information regarding multiple categories of content are provided. In addition, methods and systems that suggest activities by a user in relation to content and determined affinity for content in relation to user contacts are provided. A user interface application is provided that operates to display status and/or historical information regarding content, suggested activities, and suggested contacts. The user can interact with the interface to access detailed information and to act on suggestions.
    Type: Grant
    Filed: June 29, 2011
    Date of Patent: April 28, 2015
    Assignee: Avaya Inc.
    Inventor: David L. Chavez
  • Patent number: 9021559
    Abstract: A Multilevel Security (MLS) server provides MLS functionality to single-level applications running on a remote Multiple Independent Level Security (MILS) or MLS client device. More specifically, the MLS server provides a plurality of different security domains in which applications can execute. The client device executes a single-level application in a first security domain, the single-level application not natively capable of communicating with other domains. The single-level application in the first security domain sends a request to the MLS server. The MLS server receives the request, passing it to all applicable domains, including a second security domain, where it is duly executed. The MLS server then provides the results of the request execution—if any—back to an appropriate application on the client device.
    Type: Grant
    Filed: October 11, 2013
    Date of Patent: April 28, 2015
    Assignee: BlueSpace Software Corporation
    Inventors: Brian J. Vetter, Justin Philip Marston, David Sundstrom
  • Patent number: 9021605
    Abstract: To protect sensitive data in program code, a method includes providing a programming interface with a capability of allocating a protected region of memory which can only be accessed by authorized code. Sensitive data present in program code is stored in the protected region of memory. The method includes marking parts of code in a program as authorized or not authorized to access the sensitive data, and determining if that part of a program which is executing is authorized to access protected data by reference to the marking.
    Type: Grant
    Filed: January 2, 2008
    Date of Patent: April 28, 2015
    Assignee: International Business Machines Corporation
    Inventors: George Meldrum Blue, John James Ralph Scott, Jamie Peter Squibb, Philip Graham Willoughby
  • Patent number: 9021557
    Abstract: A system and method for realizing specific security features for a mobile device that may store sensitive and private data by providing secured communications to a paired remote device. In this respect, both the mobile device (which may be a mobile phone, for example) and the paired remote device (which may be a keychain, for example) include a SIM card that may have identification data stored therein. Once paired, the two devices may communicate encrypted security messages back and forth in order to implement various security measures to protect data and wireless communications. Such messages may be generated from initial information known only to each respective device such as a randomly generated offset number and a common time reference.
    Type: Grant
    Filed: October 27, 2011
    Date of Patent: April 28, 2015
    Assignee: STMicroelectronics Pte Ltd
    Inventor: Olivier Leneel
  • Patent number: 9015859
    Abstract: Technologies related to contextual use and expiration of digital content are generally described. In some examples, a receiving device may connect with a sponsoring device having the digital content. A relationship property defines a relationship context between the receiving device and the sponsoring device. The receiving device may receive the digital content from the sponsoring device and use the digital content so long as allowed, as determined with reference to the relationship property.
    Type: Grant
    Filed: March 30, 2012
    Date of Patent: April 21, 2015
    Assignee: Empire Technology Development LLC
    Inventors: Khurshidali Shaikh, Anoop Balakunthalam, Ravi Petlur, Shafeeq Ahmed, Gaurav Soni
  • Patent number: 9015818
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, enable software application transfer among connected computing devices. In one aspect, a method includes receiving a request, corresponding to an application running on a first computer, to operate the application on a second computer; initiating a communication session between the first computer and the second computer over a network; disabling the application on the first computer with respect to one or more operational parameters; and enabling the application on the second computer with respect to the one or more operational parameters. The one or more operational parameters can include a software licensing state of the application, current application data of the application running on the first computer, or both.
    Type: Grant
    Filed: July 31, 2009
    Date of Patent: April 21, 2015
    Assignee: Adobe Systems Incorporated
    Inventor: Rohit Paliwal
  • Patent number: 9015860
    Abstract: Disclosed herein are example embodiments for behavioral fingerprinting via derived personal relation. For certain example embodiments, at least one indication of personal relation for at least one authorized user may be derived via at least one user-device interaction, and the at least one indication of personal relation may be incorporated into at least one behavioral fingerprint that is associated with the at least one authorized user, the at least one behavioral fingerprint including one or more indicators of utilization of one or more user devices by the at least one authorized user.
    Type: Grant
    Filed: September 28, 2012
    Date of Patent: April 21, 2015
    Assignee: Elwha LLC
    Inventors: Marc E. Davis, Matthew G. Dyor, Daniel A. Gerrity, Xuedong Huang, Roderick A. Hyde, Royce A. Levien, Richard T. Lord, Robert W. Lord, Mark A. Malamud, Nathan P. Myhrvold, Clarence T. Tegreene
  • Patent number: 9015809
    Abstract: A first device establishes a connection with a second device and attempts access, via the connection to an enterprise server of an enterprise. The first device may have a number of security perimeters, ones of which are allowed to use various communications proxies provided by the second device. If the first device and the second device are associated with a same common enterprise, an enterprise perimeter of the first device may be enabled to access the enterprise using an enterprise proxy of the second device.
    Type: Grant
    Filed: July 31, 2012
    Date of Patent: April 21, 2015
    Assignee: BlackBerry Limited
    Inventors: Michael Stephen Brown, Herbert Anthony Little, Graham Russell, David Francis Tapuska
  • Patent number: 9015856
    Abstract: In one embodiment, receiving a notice from a first user associated with a first mobile device indicating that the first user wishes to share information of the first user with one or more second users respectively associated with one or more second mobile devices; accessing information known about one or more users and one or more mobile devices respectively associated with the one or more users; identifying at least one candidate for the first user based on the information known about the one or more users and the one or more mobile devices; and confirming one or more of the at least one candidate as the one or more second users.
    Type: Grant
    Filed: August 8, 2011
    Date of Patent: April 21, 2015
    Assignee: Facebook, Inc.
    Inventor: Jonathan Arie Matus
  • Publication number: 20150106957
    Abstract: A method substantially as shown and described in the detailed description and/or drawings and/or elsewhere herein. A device substantially as shown and described in the detailed description and/or drawings and/or elsewhere herein.
    Type: Application
    Filed: October 10, 2013
    Publication date: April 16, 2015
    Inventors: Pablos Holman, Roderick A. Hyde, Royce A. Levien, Richard T. Lord, Robert W. Lord, Mark A. Malamud
  • Patent number: 9009852
    Abstract: The present technology relates to a method for granting a user secure access to one or more resources accessed by a process. The process is defined in a Service-Oriented Architecture (SOA) registry and includes one or more process-steps, where each process-step accesses one or more resources stored in an SOA repository.
    Type: Grant
    Filed: July 21, 2009
    Date of Patent: April 14, 2015
    Assignee: Software AG
    Inventors: Heiko Weber, Juliane Harbarth, Andreas Fröhlich, Harald Schöning, Michael Gesmann
  • Patent number: 9009853
    Abstract: In an embodiment, communication is controlled between a service provider web application executed in a first web browser instance on a device platform of the device and a partner web application executed in a second web browser instance on the device platform. A signal is received, at a control module at the device, from the partner web application, the signal for initiating communication between the partner web application and the service provider web application. The control module, provided by the service provider and installed on the device, uses technology that is native to the device platform. The control module uses a list of partners approved by the service provider to determine whether the partner web application is approved for communication with the service provider web application. If the control module determines the partner web application is approved, the control module allows communication to proceed.
    Type: Grant
    Filed: March 7, 2012
    Date of Patent: April 14, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Jacek Korycki, Alok Khanna
  • Patent number: 9009854
    Abstract: Embodiments of an invention for platform-hardened digital rights management key provisioning are disclosed. In one embodiment, a processor includes an execution unit to execute one or more instructions to create a secure enclave in which to run an application to receive digital rights management information from a provisioning server in response to authentication of the application by a verification server.
    Type: Grant
    Filed: December 19, 2012
    Date of Patent: April 14, 2015
    Assignee: Intel Corporation
    Inventors: Siddhartha Chhabra, Reshma Lal
  • Patent number: 9009788
    Abstract: Described are computer-based methods and apparatuses, including computer program products, for voice over internet protocol (VoIP) phone authentication. In some examples, the method includes receiving an authentication request from a computing device; authenticating the computing device for access to a network based on the authentication request; determining if a VoIP endpoint device is associated with a network address associated with the authentication request; and authenticating the VoIP endpoint device if the VoIP endpoint device is associated with the network address.
    Type: Grant
    Filed: August 27, 2013
    Date of Patent: April 14, 2015
    Assignee: Google Inc.
    Inventors: Juan Vasquez, Saheylee Roy
  • Patent number: 9009842
    Abstract: In an embodiment of the invention, wherein users must be able to access a computer system to perform respective functions, initial data is acquired from data sources, some of the initial data pertaining to previously granted system access rights. The initial data is used to create a crowdsourcing task, which is executed to acquire crowdsourced data from SMEs in an SME population, wherein the crowdsourced data comprises additional data pertaining to previously granted system access. The crowdsourced data is used to create a set of role definitions, wherein the role definitions determine which of the users are assigned to be members of a particular role associated with the system, and further determine the access rights that are granted to each member of the particular role.
    Type: Grant
    Filed: January 28, 2013
    Date of Patent: April 14, 2015
    Assignee: International Business Machines Corporation
    Inventors: Christopher J. Giblin, Milton H. Hernandez, Sriram K. Rajagopal, Maja Vukovic
  • Patent number: 9003547
    Abstract: In an embodiment of the invention, wherein users must be able to access a computer system to perform respective functions, initial data is acquired from data sources, some of the initial data pertaining to previously granted system access rights. The initial data is used to create a crowdsourcing task, which is executed to acquire crowdsourced data from SMEs in an SME population, wherein the crowdsourced data comprises additional data pertaining to previously granted system access. The crowdsourced data is used to create a set of role definitions, wherein the role definitions determine which of the users are assigned to be members of a particular role associated with the system, and further determine the access rights that are granted to each member of the particular role.
    Type: Grant
    Filed: December 11, 2012
    Date of Patent: April 7, 2015
    Assignee: International Business Machines Corporation
    Inventors: Christopher J. Giblin, Milton H. Hernandez, Sriram K. Rajagopal, Maja Vukovic
  • Patent number: 9003556
    Abstract: Techniques for in-app user data authorization are described. An apparatus may comprise a processor circuit, a permissions component, and a token component. The permissions component may be operative on the processor circuit to receive a request from an application to perform a task on a device and to return a response to the request to the application based on active permissions for the application. The token component may be operative on the processor circuit to manage a token database and to determine the active permissions for the application based on the token database. Other embodiments are described and claimed.
    Type: Grant
    Filed: February 28, 2013
    Date of Patent: April 7, 2015
    Assignee: Facebook, Inc.
    Inventors: Edward Kenneth O'Neill, Vladamir Fedorov
  • Patent number: 9003490
    Abstract: A server receives a consumer request from a client to access a product repository that is coupled to the server. The consumer request comprises an entitlement certificate and a uniform resource locator (URL). The server identifies at least one extended attribute object identifier in the entitlement certificate to determine whether the client is authorized to access the product repository. The at least one extended attribute object identifier has a corresponding URL in the entitlement certificate that specifies a location of the product repository that the client is authorized to access. The server grants the client access to the product repository based on a determination that the URL in the consumer request matches a URL in the entitlement certificate.
    Type: Grant
    Filed: March 16, 2011
    Date of Patent: April 7, 2015
    Assignee: Red Hat, Inc.
    Inventors: Michael Orazi, Dennis George Gregorovic
  • Patent number: 9003495
    Abstract: To facilitate recording of data received from a non-trusted source entity, a trusted source entity, for example a user terminal or a user interface, sends to an operational center an authorization message authorizing the non-trusted source entity to send specific information messages. In response to the authorization message, the operational center creates an automatically verifiable authorization condition. When an information message arrives at the operational center, it checks whether the message fulfills the condition, and if yes, records the data.
    Type: Grant
    Filed: January 21, 2011
    Date of Patent: April 7, 2015
    Assignee: Cassidian Finland Oy
    Inventor: Vesa-Matti Jokinen
  • Publication number: 20150096057
    Abstract: Systems and methods for utilizing a robustness framework to restrict access to digital content distributed via a network in accordance with embodiments of the invention are disclosed. In one embodiment, restricting access to digital content includes loading device robustness information, where the device robustness information includes a device robustness level defined using a set of robustness rules, loading at least one digital rights management (DRM) certificate, where the at least one DRM certificate is utilized to authenticate the device to a DRM server, requesting playback of the content from a content store, where the content store is configured to store the content in at least one content distribution server, receiving the content from the at least one content distribution server upon a verification that the device robustness satisfies a threshold robustness by a computing system, and accessing the received content utilizing the at least one DRM certificate.
    Type: Application
    Filed: September 30, 2013
    Publication date: April 2, 2015
    Applicant: Sonic IP, Inc.
    Inventor: Michael G. Kiefer
  • Publication number: 20150096058
    Abstract: According to one embodiment, an information processing apparatus includes a nonvolatile semiconductor memory and a processor. The nonvolatile semiconductor memory stores identification information. The processor controls an application which executes authentication processing for authenticating validation of the identification information stored in the nonvolatile semiconductor memory. The processor executes the application to read the identification information from the nonvolatile semiconductor memory, and to execute the authentication processing for determining whether or not the identification information is authentic. When the identification information is authentic, the processor continues at least some processes of the application, and when the identification information is inauthentic, the processor ends at least some processes of the application.
    Type: Application
    Filed: February 25, 2014
    Publication date: April 2, 2015
    Applicant: Kabushiki Kaisha Toshiba
    Inventors: Shinichi Matsukawa, Yasufumi Tsumagari, Yuji Nagai
  • Publication number: 20150096056
    Abstract: A client receives sensitive data to be tokenized. The client queries a token table with a portion of the sensitive data to determine if the token table includes a token mapped to the value of the portion of the sensitive data. If the mapping table does not include a token mapped to the value of the portion of the sensitive data, a candidate token is generated. The client queries a central token management system to determine if the candidate token collides with a token generated by or stored at another client. In some embodiments, the candidate token includes a value from a unique set of values assigned by the central token management system to the client, guaranteeing that the candidate token does not cause a collision. The client then tokenizes the sensitive data with the candidate token and stores the candidate token in the token table.
    Type: Application
    Filed: September 30, 2013
    Publication date: April 2, 2015
    Applicant: Protegrity Corporation
    Inventors: Ulf Mattsson, Zvika Ferentz
  • Patent number: 8997242
    Abstract: Systems and techniques for managing software licensing are described. When a computing system service request is made, the request is intercepted and software information that may be more or less continuously updated in a managed computing environment is examined to determine the effect of the service request on software usage by the system. The software usage represented by the service request is evaluated based on licensing information to determine license usage by the system and changes in license usage based on the service request, and license usage information is determined based on the software usage and the licensing information. The license usage information may be used in connection with a system of rules to govern actions such as reporting licensing usage or allowing or preventing the use of software based on whether use of the software will violate licensing requirements.
    Type: Grant
    Filed: November 9, 2012
    Date of Patent: March 31, 2015
    Assignee: International Business Machines Corporation
    Inventors: Han Chen, Minkyong Kim, Hui Lei, Jonathan P. Munson, Suraj Subramanian
  • Patent number: 8997253
    Abstract: Disclosed is a method and system of preventing browser-based abuse. The method of preventing browser-based abuse may include determining whether an access based on a browser function extension module is a malicious access for acquiring data of an Internet browser, and blocking the access based on the browser function extension module when the access is determined to be a malicious access.
    Type: Grant
    Filed: November 3, 2009
    Date of Patent: March 31, 2015
    Assignee: NHN Business Platform Corporation
    Inventors: Oh-Hyun Kwon, Hyun-Jong Kim, Chang-Hwan Lee
  • Patent number: 8997254
    Abstract: Methods and systems to allow for the streaming of media from a file server to a client, where the streaming occurs concurrently with the execution of an information security protocol. The security protocol allows the client to securely receive one or more keys that allow the client to access the media. This permits a user to access the media sooner than would otherwise be possible, while allowing timely performance of security related processing.
    Type: Grant
    Filed: September 28, 2012
    Date of Patent: March 31, 2015
    Assignee: Sonic IP, Inc.
    Inventors: William Amidei, Jason Braness, Kourosh Soroushian, Eric Grab
  • Patent number: 8995661
    Abstract: A content encryption device generates encrypted content and an encrypted content copying device copies the encrypted content on an information storage medium. The storage medium is sold at a charge or distributed at no charge. A user gets the storage medium to connect or set it to or in a user terminal device, accesses to a user management device to receive permission by authentication information distributed together with the storage medium and presents a part or a whole of medium information to a content key distribution device. The distribution device makes a content key encryption device issue an encrypted content key on the basis of the presented information and distributes it to the terminal device.
    Type: Grant
    Filed: June 15, 2006
    Date of Patent: March 31, 2015
    Assignee: Kabushiki Kaisha Toshiba
    Inventor: Shinichi Kurihara
  • Patent number: 8996873
    Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session with. The server transmits the encrypted premaster secret to the different server for decryption along with other information necessary to compute a master secret. The different server decrypts the encrypted premaster secret, generates the master secret, and transmits the master secret to the server. The server receives the master secret and continues with the handshake procedure including generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.
    Type: Grant
    Filed: April 8, 2014
    Date of Patent: March 31, 2015
    Assignee: Cloudflare, Inc.
    Inventors: Sébastien Andreas Henry Pahl, Matthieu Philippe François Tourne, Piotr Sikora, Ray Raymond Bejjani, Dane Orion Knecht, Matthew Browning Prince, John Graham-Cumming, Lee Hahn Holloway, Nicholas Thomas Sullivan, Albertus Strasheim
  • Patent number: 8996880
    Abstract: An information handling system includes a memory and a detector circuit. The memory is configured to store a first electrocardiogram measurement. The detector circuit is configured to receive a second electrocardiogram measurement in response to a specific combination of keys of a keyboard being pressed for a specific period of time, wherein each key in the specific key combination includes an electrocardiogram sensor on a top surface of the key, to authorize a user and log the user onto the information handling system when the second electrocardiogram measurement matches the first electrocardiogram measurement, and otherwise: to deny access to the information handling system; to increase a counter; to determine whether the counter has exceeded a threshold; and to request that an input window is displayed when the counter has exceeded the threshold.
    Type: Grant
    Filed: May 16, 2013
    Date of Patent: March 31, 2015
    Assignee: Dell Products, LP
    Inventors: David Konetski, Frank H. Molsberry
  • Patent number: 8997252
    Abstract: A conditional access system (CAS) computer in a downloadable CAS receives a downloadable management certificate (DMC) and determines, using the DMC, security information including a DMC key size and an expiration time of a DMC subordinate certificate authority (sub-CA) certificate, for the client device. The CAS computer then determines whether the DMC is valid based on the expiration time of the DMC sub-CA certificate. If the DMC is determined to be valid, the CAS server sends a cryptographic identity for the client device and a CAS client to the client device protected using the DMC. At a later time, if the DMC key size is considered to be still sufficiently secure, the validity of the DMC is extended by issuing a new DMC sub-CA certificate with the same public key as the original DMC sub-CA certificate.
    Type: Grant
    Filed: June 4, 2010
    Date of Patent: March 31, 2015
    Assignee: Google Technology Holdings LLC
    Inventors: Alexander Medvinsky, Tat Keung Chan
  • Patent number: 8997190
    Abstract: To prevent gaming of a reputation system, a security token is generated for a security module using metadata about the client observed during the registration of the security module. The registration server selects metadata for use in generating the security token. The generated security token is provided to identify the client in later transactions. A security server may conduct a transaction with the client and observe metadata about the client during the transaction. The security server also extracts metadata from the security token. The security server correlates the observed metadata during the transaction with the extracted metadata from the security token. Based on the result of the correlation, a security policy is applied. As a result, the metadata in the security token enables stateless verification of the client.
    Type: Grant
    Filed: September 25, 2013
    Date of Patent: March 31, 2015
    Assignee: Symantec Corporation
    Inventors: Carey Nachenberg, Zulfikar Ramzan
  • Publication number: 20150089672
    Abstract: A computer apparatus and a control method for the ODD are disclosed. The control method includes: providing a user setting interface by the computer apparatus when the computer apparatus is in a user mode; receiving a user instruction through the user setting interface so as to start or close an ODD safety protection mode; and deciding whether or not a position state of a tray of the ODD can be changed according to that whether or not the ODD safety protection mode is started and whether or not the computer apparatus is in the user mode.
    Type: Application
    Filed: January 14, 2014
    Publication date: March 26, 2015
    Applicant: Wistron Corporation
    Inventors: Wei-Wei Liu, Qian Ma
  • Publication number: 20150089673
    Abstract: A managed container may have a managed cache storing content managed by or through an application gateway server computer. The managed container may receive a request for content from an application running in a secure shell provided by the managed container on a client device. The managed container may determine whether the client device is within a specified geographical location. If not, the managed container may deny or restrict the application access to the requested content. The access denial or restriction may continue until a connection is made to the application gateway server computer or until the client device has returned to within the specified geographical location. If the client device is within the specified geographical location, the managed container may provide or restore access to requested content. Embodiments of the managed container can therefore perform geofencing by disabling or limiting access to content based on predetermined secure/insecure designations.
    Type: Application
    Filed: September 19, 2014
    Publication date: March 26, 2015
    Inventors: Gregory Beckman, Robert Laird, Alain Gagne
  • Patent number: 8990950
    Abstract: Enabling discretionary data access control in a cloud computing environment can begin with the obtainment of a data request and response message by an access manager service. The response message can be generated by a data storage service in response to the data request. The access manager service can identify owner-specified access rules and/or access exceptions applicable to the data request. An access response can be determined using the applicable owner-specified access rules and/or access exceptions. Both the response message and the access response can indicate the allowance or denial of access to the requested data artifact. The access response can be compared to the response message. If the access response does not match the response message, the response message can be overridden to express the access response. If the access response matches the response message, the response message can be conveyed to the originating entity of the data request.
    Type: Grant
    Filed: December 27, 2010
    Date of Patent: March 24, 2015
    Assignee: International Business Machines Corporation
    Inventors: Stephen P. Kruger, Olgierd S. Pieczul
  • Patent number: 8990959
    Abstract: A manipulable human interactive proof (HIP) displays at most a portion of verification information. A user performs at least one manipulation on the HIP display to obtain full verification information.
    Type: Grant
    Filed: May 28, 2010
    Date of Patent: March 24, 2015
    Assignee: Microsoft Corporation
    Inventors: Bin Benjamin Zhu, Lin Xu
  • Patent number: 8984656
    Abstract: Database management and security is implemented in a variety of embodiments. In one such embodiment, data sets containing sensitive data elements are analyzed using aliases representing sensitive data elements. In another embodiment, the sensitive data elements are stored in an encrypted form for use from a secure access, while the alias is available for standard access.
    Type: Grant
    Filed: September 23, 2013
    Date of Patent: March 17, 2015
    Assignee: Verisk Crime Analytics, Inc.
    Inventors: David A. Duhaime, Brad J. Duhaime
  • Patent number: 8984646
    Abstract: A content reception equipment for accessing an in-home content transmission equipment from a remote place executes a first authentication process with the content transmission equipment in advance, executes the remote access information sharing process required for access from a remote place, and causes the information on the content reception equipment and the remote access information to be registered in an equipment information table of the content transmission equipment.
    Type: Grant
    Filed: February 16, 2009
    Date of Patent: March 17, 2015
    Assignee: Hitachi Maxell, Ltd.
    Inventors: Chiyo Ohno, Hiroo Okamoto
  • Patent number: 8984657
    Abstract: The present invention relates to a system and method for remote management of applications downloaded to a personal portable appliance. Applications comprising programs and data structures are updated to include a dummy application that can replace the ordinarily executable application and that manipulates the data structure when invoked, so as to limit it. The dummy application is subsequently reduced to have a limited amount of the original functionality and to prompt the user to delete it.
    Type: Grant
    Filed: December 21, 2010
    Date of Patent: March 17, 2015
    Assignee: Appcentral, Inc.
    Inventors: Paul Shelton Nerger, Aashin Nagpal, Holger Assenmacher
  • Publication number: 20150074828
    Abstract: To control privileges and access to resources on a per-process basis, an administrator creates a rule that may be applied to modify a token of a process. The rule may include an application-criterion set and changes to be made to the groups and/or privileges of the token. The rule may be set as a policy within a group policy object (GPO), where a GPO is associated with one or more groups of computers or users. When a GPO containing a rule is applied to a computer, a driver installed on the computer may access the rule(s) anytime a logged-on user executes a process. If the executed process satisfies the criterion set of a rule, the changes contained within the rule are made to the process token, and the user has expanded and/or contracted access and/or privileges for only that process.
    Type: Application
    Filed: September 30, 2014
    Publication date: March 12, 2015
    Applicant: BeyondTrust Software, Inc.
    Inventors: Peter David Beauregard, Andrey Kolishchak, Shannon E. Jennings, Robert F. Hogan
  • Patent number: 8977857
    Abstract: A client device has one or more processors and memory. An application running on the device obtains a client certificate from a system service running on the device. The certificate includes a public key for the device. The device is authenticated to a remote server using the certificate. The application receives encrypted application identification information and an encrypted access token from the server. The application is authenticated to the device by comparing the received application identification information with corresponding application identification information from the application. The application invokes the system service to unencrypt the access token using the private key corresponding to the public key. The application sends a request for protected information to the server. The request includes the unencrypted access token.
    Type: Grant
    Filed: February 8, 2013
    Date of Patent: March 10, 2015
    Assignee: Google Inc.
    Inventor: Oscar del Pozo Triscon
  • Patent number: 8978157
    Abstract: A technique involves receiving a request for certain data to be processed by a device and determining, based on an attribute of the device, whether to allow an operation to be performed on the data; after allowing the operation to be performed on the data: sending, to the device, a request for one or more characteristics of the device; in response to the request, receiving the one or more characteristics from the device; storing, based on the one or more characteristics, a second attribute that is associated with the device; after storing the second attribute: receiving a second request for second data to be processed by the device; determining, based on the second attribute of the device, whether to allow an operation to be performed on the second data; determining to not allow the second operation to be performed, wherein the device is capable of processing the second data.
    Type: Grant
    Filed: May 9, 2012
    Date of Patent: March 10, 2015
    Assignee: Ricoh Company, Ltd.
    Inventor: Kenji Niimura
  • Patent number: 8978104
    Abstract: Methods and systems are disclosed for providing indirect and temporary access to a company's IT infrastructure and business applications. The methods/systems involve establishing an access control center (ACC) to control the access that technical support personnel may have to the company's IT infrastructure and business applications. Thin client terminals with limited functionality may then be set up in the ACC for use by the technical support personnel. The thin client terminals connect the technical support personnel to workstations outside the ACC that operate as virtual desktops. The virtual desktops in turn connect the technical support personnel to the IT infrastructure and business applications. An ACC application may be used to control the connection between the thin client terminals and the virtual desktops and the virtual desktops and the IT infrastructure and business applications.
    Type: Grant
    Filed: July 23, 2008
    Date of Patent: March 10, 2015
    Assignee: United Services Automobile Association (USAA)
    Inventors: Christopher Thomas Wilkinson, Edward Allen Francovich
  • Patent number: 8977849
    Abstract: A computer-implemented method for creating a rights management system (RMS) with superior layers and subordinate layers is described. A separate trust network for one or more layers of the RMS is established. The trust network includes one or more computing nodes within the one or more layers. A data object is created on a computing node that is a member of the trust network in a superior layer. The data object is encrypted to a ciphertext data object. A publishing license is created for each of the one or more layers of the RMS. Access rights and attributes associated with the ciphertext data object are controlled within each layer based on the publishing license of each of the one or more layers of the RMS.
    Type: Grant
    Filed: September 2, 2009
    Date of Patent: March 10, 2015
    Assignee: Symantec Corporation
    Inventor: Thomas Clifford
  • Patent number: 8978159
    Abstract: Access control systems are provided that mediate access to derivatives of sensitive data. A method is provided for processing a data request from a client, the data request comprising a client identifier and an indication of the intended use of the data, by receiving the data request from the client; providing the client identifier and indicated use to an access manager, wherein the access manager assesses a risk of providing access to the data for the indicated use; if the access manager grants access for the indicated use, receiving one or more keys with corresponding computing restrictions from the access manager; computing a result; and providing the result to the client, wherein the provided result comprises the derivative of sensitive data. The access manager grants the access for the indicated use, for example, based on a risk score.
    Type: Grant
    Filed: December 31, 2012
    Date of Patent: March 10, 2015
    Assignee: EMC Corporation
    Inventors: Marten van Dijk, Samuel J. Curry, Robert D. Hopley, John G. Linn, Alina M. Oprea, Kenneth Ray
  • Patent number: 8978112
    Abstract: Systems and methods for controlling communication systems for the hearing impaired are disclosed. A portable communication device requests control over a plurality of communication devices. The portable communication device connects to and controls the plurality of communication devices. The portable communication device includes a user interface that enables a user to transfer a call from a first communication device to a second communication device.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: March 10, 2015
    Assignee: Sorenson Communications, Inc.
    Inventors: Scot L. Brooksby, Trevor Wagner, Tara Ault, Bradley Grimm, Jennifer Harris
  • Publication number: 20150067891
    Abstract: A method and system for Digital Right Management (DRM) enforcement on a client device is provided. The method includes: determining client requested digital content; retrieving DRM data associated with the requested digital content; bundling the associated DRM with the requested digital content; transmitting the bundled DRM and digital content to the client device; and enforcing the DRM on the client device. The system includes: a client device configured to issue a request for digital content; a content review module configured to retrieve DRM data associated with the requested digital content; a bundler module configured to bundle the associated DRM with the requested digital content; a connection module configured to transmit the bundled DRM and digital content to the client device; and an enforcement module configured to enforce the DRM on the client device.
    Type: Application
    Filed: September 4, 2013
    Publication date: March 5, 2015
    Applicant: DESIRE2LEARN INCORPORATED
    Inventor: Jeremy AUGER
  • Publication number: 20150067892
    Abstract: System for authorization and authentication comprises a server and at least one level of transit terminals. The server transmits digital content, server's identifier, and business pattern to the transit terminal. The transit terminal transmits to a lower level transit terminal the digital content, the server's identifier, the business pattern, and identifiers of respective transit terminals through which the digital content passes, and returns the above identifiers to the server. The server performs a match verification on the returned identifiers; if matched, the transit terminal is permitted to parse the business pattern and authorize a client to use the digital content based on privilege in the business pattern.
    Type: Application
    Filed: December 12, 2013
    Publication date: March 5, 2015
    Applicants: Founder APABI Technology Limited, Peking University Founder Group Co., Ltd.
    Inventors: Fengrui ZUO, Yingyu Liu, Jinbing Yan, Peng Li, Wei Wang