Abstract: The present invention contemplates a variety of improved methods and systems for providing an experience platform, as well as sentio or experience codecs, and experience agents for supporting the experience platform. The experience platform may be provided by a service provider to enable an experience provider to compose and direct a participant experience. The service provider monetizes the experience by charging the experience provider and/or the participants for services. The participant experience can involve one or more experience participants. The experience provider can create an experience with a variety of dimensions and features. As will be appreciated, the following description provides one paradigm for understanding the multi-dimensional experience available to the participants. There are many suitable ways of describing, characterizing and implementing the experience platform contemplated herein.

Abstract: A system and process for identifying a client, comprising a client device having a video camera and a voice transmitting and receiving device capable of transmitting a client's image and voice via a communication carrier system and a communications network to a user terminal, whereby the user terminal permits an authentication of the client's image and voice in real time. Another aspect of the present invention includes a method of identifying a fraudster, comprising the steps of using a client device having a video camera and voice transmitting and receiving device to initiate an authentication of a client's identity, transmitting the fraudster's image and voice over a communication carrier system and a communications network to a user terminal, comparing the fraudster's image and voice to client data, and storing the fraudster data.

Abstract: This invention is a method and a system for accessing medical records of an injured party by an emergency responder through a secure website, utilizing a portable emergency access card provided with at least one item of information of the victim, while offering safeguards for the confidentiality of the victim's information and records.

Abstract: A communication system exchanges key generation parameters for secure communications. An internet service and communications device of a user are in communication with each other. The internet service includes an account authentication mechanism for a user and includes a database having stored cryptographic keys and key generation parameters. A device client operates on the communications device and initiates a request to the internet service that authenticates the user and establishes a secure communications channel between the internet service and communications device and determines key generation parameters based on an authenticated user identifier and transmits the key generation parameters for initiating key generation and securely establishing a cryptographic key between the internet service and communications device.

Abstract: In a multitenant service, security of the entire service is guaranteed by logically separating data for each tenant, and performing control to prevent access to data of another tenant. In an operation of the multitenant service, there are some special cases in which an access to data of another tenant becomes necessary. Further, processing executable across tenants needs to be subjected to restrictions on an executor of the processing and a processing target in addition to restrictions on a processing content. In data access control of the multitenant service, a control operation to determine whether processing is executable across tenants for each API and a control operation to determine whether processing is executable across tenants according to tenant categories of the executor and the processing target are performed.

Abstract: Cross-site request forgeries (“XSRF”) can be prevented using a client-side plugin on a client computer. The client computer accesses a content provided by a third party host via a network and generates a request to a web application as directed by the content. The client-side plugin determines whether the request is associated with suspicious activities based on the content, a source of the request and a list of approved hosts associated with the target host. In response to a determination that the request is associated with suspicious activities, the plugin removes authentication credentials from the request and sends the request to the web application.

Abstract: When objects are shared by one user with another user, objectionable content, if identified as such, can be blocked from being shared, while the remainder of the shared objects can be accessed by the other user. Functions that allow sharing of content are implemented so as prevent sharing of objectionable content with another user, while allowing other content to be shared. If a group of files or objects is shared, then the presence of objectionable content in one object in the group results in that objectionable content not being shared, but the remaining files or objects are still shared. A graphical user interface for accessing the storage system, whether by providers or recipients of shared content, can selectively render information about objects with objectionable content.

Abstract: A computer-implemented method is provided for controlling use of a file on a user device. The method includes transmitting authentication information to a system and downloading the file from the system over the network upon successful authentication by the system. The method also includes limiting access of the file to a client application of the user device and preventing altering of the file, printing of the file and opening of the file outside of the client application. Notes corresponding to the file can be stored in a local storage area.

Abstract: A method for controlling access to protected computer resources provided via an Internet Protocol network that includes registering identity data of a subscriber identity module associated with at least one client computer device; storing (i) identity data of at least one access server, (ii) the identity data of a subscriber identity module, and (iii) authorization data regarding the protect computer resources; receiving the identity data of a subscriber identity module, and a request for the protected computer resources; authenticating (i) the identity data of the at least one access server, and (ii) the identity data of a subscriber identity module; authorizing the at least one client computer device to receive at least a portion of the protected computer resources; and permitting access to the at least the portion of the protected computer resources (i) upon successfully authenticating the identity data of the at least one access server and the identity data of a subscriber identity module associated with

Abstract: The present invention relates to using digital certificates to allow network devices to authenticate themselves upon being accepted into and forming part of a communication network.

Abstract: An information processing system includes: a client executing acquisition and reproduction of contents; a management server providing the client with content selection information applied for acquisition of contents; and a content providing server receiving the content selection information from the client and providing the content selected in accordance with the content selection information, wherein the content selection information includes content identifiers as identifiers of encrypted contents respectively encrypted by different encryption keys and range information indicating data areas of range data which is configuration data of respective encrypted contents, and the content providing server provides the client with an encrypted content formed by combining range data as partial data of the encrypted contents specified by the content identifiers and the range information.

Abstract: Access to digital content may be controlled by determining a digital content specification and associated authenticated rights locker access request, sending the authenticated rights locker access request and the digital content specification, and receiving a new authenticated rights locker access request and a Web page with clickable links in response to the sending, where at least one of the clickable links is associated with an authenticated digital content request. When an indication of a user selection of one of the clickable links is received, an authenticated digital content request associated with the user-selected clickable link is sent to a digital content repository. The digital content is received in response to the sending of the authenticated digital content request.

Abstract: A registration flow to facilitate lending of digital content at an authorized location to an authenticated electronic device.

Abstract: A controller (900) for transferring media content rights between media devices comprising a memory (906), a user interface (910) and a transceiver (902). The memory (906) stores a list of media devices (914) capable of receiving the permissions associated with the media content from an originating device and an encryption key (920) that may be used to encrypt the permissions. The user interface (910) detects a user selection of a target device from the list of media devices (914). The transceiver (902) communicates an address (916) associated with the target device and the encryption key (920) to the originating device. Thus, the originating device is able to encrypt the permissions using the encryption key (920) and send the encrypted permissions to the address (916) associated with the target device.

Abstract: Embodiments are directed to allowing a user to store encrypted, third-party-accessible data in a data store and to providing third party data access to a user's encrypted data according to a predefined policy. A data storage system receives encrypted data from a user at a data storage system. The data is encrypted using the user's private key. The data storage system stores the received encrypted data according to a predefined policy. The encryption prevents the storage system from gaining access to the encrypted data, while the policy allows the encrypted data to be released upon receiving a threshold number of requests from verified third parties. The data storage system implements a verifiable secret sharing scheme to verify that the encrypted data can be reconstituted without the data storage system accessing the encrypted data. The data storage system synchronously acknowledges that the received encrypted data has been verified and successfully stored.

Abstract: A method is disclosed for quarantining digital content data for a service in a terminal device. In an embodiment, the method includes creating a digital content data item, e.g.

Abstract: A method for administering object-based multi-level security in a service oriented architecture includes: (a) defining a plurality of multi-level security attributes for each of selected respective life-cycle states of a plurality of life-cycle states of a service object; (b) receiving a request from a requestor for the service object; (c) determining permitted actions for the service object based upon at least one selected multi-level security attribute of the plurality of multi-level security attributes, and based upon at least one life-cycle state of the plurality of life-cycle states of the service object; and (d) generating a quality of service security contract based upon the determination of permitted actions.

Abstract: The invention is an apparatus that facilitates access to a data source to accept verification and authentication from an enabler using at least one token and at least one reference. The at least one reference could be a device serial number, a networking MAC address, or a membership ID reference from a web service. Access to the data source is also managed with a plurality of secondary enablers.

Abstract: A method and system for validating a form, that includes providing, to a client, the form comprising a primary token, receiving, in response to the client loading the page form, a request for a secondary token, providing the secondary token in response to receiving the request, and receiving the form comprising the primary token and a secondary token from a client. The method further includes validating the form, where validating the form includes obtaining a first primary token hash from the secondary token, applying a first hash function to the primary token to obtain a second primary token hash, and determining that the first primary token hash and the second primary token hash match. The method further includes accepting the form upon validating the form.

Abstract: The invention relates to a method and apparatus of processing at least one multimedia document, comprising the steps of determining at least one segment of the document, and assigning at least one type of permission to said at least one segment, wherein the type of permission assigned to a segment of the document is available for later use when processing the document.

Abstract: One or more techniques and/or systems are disclosed for mitigating machine solvable human interactive proofs (HIPs). A classifier is trained over a set of one or more training HIPs that have known characteristics for OCR solvability and HIP solving pattern from actual use. A HIP classification is determined for a HIP (such as from a HIP library used by a HIP generator) using the trained classifier. If the HIP is classified by the trained classifier as a merely human solvable classification, such that it may not be solved by a machine, the HIP can be identified for use in the HIP generation system. Otherwise, the HIP can be altered to (attempt to) be merely human solvable.

Abstract: A medical device customization system and method comprising medical device that receives signals from a biological probe having an operational parameter and that stores data based on the signals in a memory. The medical device receives a custom application and establishes a virtual machine to run the custom application.

Abstract: Secure functions may be accessed via an authentication process utilizing a password that may be generated within a chip integrated on a device. The password may be unique per chip location, per challenge and/or per chip. The location of the chip may be determined based on GPS information and securely stored and securely communicated to an external entity. Two or more of the chip location, a generated random number sample and a key from a table of keys may be passed to a hash function that may generate a password. An external entity attempting access may be challenged to respond with a password that matches the password generated by the hash function. The response may be compared with the password generated by the hash function and access to one or more secure functions may be granted based on the comparison.

Abstract: Methods for preventing the transmission of sensitive information to locations outside of a secure network by a person who has legitimate access to the sensitive information are described. In some embodiments, in order for an end user of a computing device to establish a secure connection with a secure network and access data stored on the secure network, a client application running on the computing device may be required by the secure network. The client application may monitor visual cues (e.g., facial expressions and gestures) associated with the end user, detect suspicious activity performed by the end user based on the visual cues, and in response to detecting suspicious activity may perform mitigating actions to prevent the transmission of sensitive information such as alerting human resources personnel or requiring authorization prior to sending information to locations outside of the secure network.

Abstract: A processing system includes a memory module that includes a register space for storing a plurality of register data in a plurality of registers and secure access data corresponding to the register space. A register arbitration module operates to receive a request to access one of the registers from a client module; retrieve secure access data corresponding to the client to determine if the client is trusted; and to grant the request to access the register if the client is trusted. If the client is not trusted, the register arbitration module retrieves secure access data to determine if the register is non-secured for the client. The register arbitration module grants the request to access the register when the register is non-secured for the client.

Abstract: An Extensible Markup Language (XML) document management method includes: receiving an XML document management operation request sent via an XCAP protocol, by an XML Document Management Server (XDMS); determining that the XML document management operation request is in an entrustment mode, and determining whether to perform an operation described in the XML document management operation request in accordance with access permission information corresponding to an XML document, by the XDMS.

Abstract: According to some embodiments, an electronic file security management platform may receive a request from a user to access a first electronic file associated with a first application, such as a word processing document. A security characteristic associated with the user may be determined, and an encrypted version of the first electronic file may be decrypted in accordance with the security characteristic. The electronic file security management platform may then arrange for the user to access the first electronic file via the first application such that: (i) a first portion of the first electronic file is available to the user based on a first security requirement associated with the first portion and the security characteristic, and (ii) a second portion of the first electronic file is not available to the user based on a second security requirement associated with the second portion and the security characteristic.

Abstract: An architecture and techniques to facilitate lending of digital content at an authorized location to an authenticated electronic device.

Abstract: Techniques for automatically performing one or more actions responsive to a successful login. In one embodiment, an action automatically performed responsive to the login uses content created prior to the login.

Abstract: An approach for authorizing access to computing resources (e.g., electronic files) based on calendar events (e.g., meetings of a user) in a networked computing environment (e.g., a cloud computing environment) is provided. A portion/segment (e.g., private cloud) of the networked computing environment may be designated for storing at least one electronic file to be shared (e.g., as stored in a computer storage device associated with the portion). The portion of the networked computing environment may then be associated (e.g., graphically) with an electronic calendar entry (e.g., a meeting having a set of attendees). Based on the calendar entry, a set of users (e.g., the meeting attendees) authorized to access the at least one electronic file may be determined based on the electronic calendar entry. Thereafter, access (e.g., a related permissions) to the at least one electronic file may be authorized for the set of users.

Abstract: In one illustrative example, a method in a mobile communication device operating in a wireless local area network (WLAN) involves performing, via a wireless AP of the WLAN, a first authentication procedure with an authentication server for obtaining a first session key and a key lifetime value associated with the first session key; establishing a first secure connection with the wireless AP based on the first session key; setting a timer with an initial value that is less than or equal to the key lifetime value, and running the timer; communicating in a media session over the first secure connection with the wireless AP; and in response to an expiration of the timer during the media session: performing, during the media session, a second authentication procedure with the authentication server for obtaining a second session key; and establishing, during the media session, a second secure connection with the wireless AP using the second session key; and communicating in the media session over the second secure

Abstract: A method of maintaining a version counter indicative of a version of memory content stored in a processing device. The method comprises selectively operating the device in a first or second mode. Access to the first mode is limited to authorized users and controlled separately from access to the second mode. In the first mode at least an initial integrity protection value is generated for cryptographically protecting an initial counter value of said version counter during operation of the processing device in the second mode; wherein the initial counter value is selected from a sequence of counter values, and the initial integrity protection value is stored as a current integrity protection value in a storage medium. In the second mode, a current counter value is incremented to a subsequent counter value; wherein incrementing includes removing the current integrity protection value from said storage medium.

Abstract: A method of controlled access to content, comprising joining an access sharing network, obtaining a content item from the access sharing network which requires access control data to enable playback, obtaining the access control data, determining from the access control data that a particular other device is authorized to play back the content item, and enabling playback of the content item in accordance with the access control data upon a positive determination that said other device is a member of said access sharing network. Preferably the access control data is used also during a predetermined period of time after making a determination that said other device has ceased to be a member of the access sharing network. Also a device (101) configured to carry out the method.

Abstract: In certain embodiments, an information obfuscation service may be incorporated directly into the main applications processor of a portable computing device such that the applications processor and its relevant storage peripherals may be securely shared via a virtualization firmware module, avoiding the use of specialized hardware or major modifications of the operating system. The virtualizing and obfuscating storage firmware module may enable a much higher level of assurance in information-at-rest protection while using only the memory protection and privilege mode facilities inherent in common portable device applications microprocessors. The virtualizing and obfuscating storage firmware may interpose storage accesses originating from the operating system. This interposition may be performed seamlessly, without explicit knowledge of the operating system.

Abstract: Techniques involving detection of misuse of digital licenses pertaining to application use. An identification of unsigned applications or other use-protected applications enabled for use at a user device is obtained. The identification of such applications is directed to a licensing authority to seek digital license renewal for using the applications. A renewed digital license is received if the provided identification of use-protected applications corresponds to what is authorized by the licensing authority for use at the user device. In other embodiments, verification information may be provided to protect the identification of unsigned applications from tampering, such as information indicative of whether the identification of unsigned applications originated at the user device in which the use-protected applications are used, and indicative of whether the identification of the unsigned applications is a copy of a previous identification of the unsigned applications.

Abstract: A client device (100) determines whether or not access is allowed, based on security levels that are set for an application program and data held in a server device (200), and performs authentication with the server device (200) based on a challenge code generated using packet data from the application program. The server device (200), when the challenge code is transmitted thereto, transmits a preset response code to the client device (100), and permits access by the client device (100) if the server device (200) receives a set response to the response code from the client device (100).

Abstract: Devices, systems, and methods of detecting user identity, differentiating between users of a computerized service, and detecting a possible attacker. The methods include monitoring of user-side input-unit interactions, in general and in response to an interference introduced to user-interface elements. The monitored interactions are used for detecting an attacker that utilizes a remote access channel; for detecting a malicious automatic script, as well as malicious code injection; to identify a particular hardware assembly; to perform user segmentation or user characterization; to enable a visual login process with implicit two-factor authentication; to enable stochastic cryptography; and to detect that multiple users are utilizing the same subscription account.

Abstract: An encryption key module in a content providing server receives a request to stream electronic media data to the user device. The encryption key module identifies a predefined shared secret key corresponding to a key in a subscriber identity module (SIM) in the user device. The predefined shared secret key is used for encryption of data. The encryption key module encrypts the requested electronic media data based on the shared secret key and provides the encrypted electronic media data to the user device over a wireless network.

Abstract: This disclosure relates to systems and methods for enabling the use of secret digital or electronic information without exposing the sensitive information to unsecured applications. In certain embodiments, the methods may include invoking, by a client application executing in an open processing domain, a secure abstraction layer configured to interface with secret data protected by a secure processing domain. Secure operations may be securely performed on the secret data by the secure abstraction layer in the secure processing domain based on an invocation from a client application running in the open processing domain.

Abstract: A method and system for instant personalization security are provided. The system includes a platform for a user to open applications and/or access web sites. When an application is integrated with the platform, the identification of the application can be combined with the ID of the user and encrypted into a hashed ID. The application does not have access to the user's fully identifying profile (e.g., UID or other public information). Instead, the application only has access to a pseudonymous profile (e.g., the hashed ID, first name, last initial, small profile pictures, and/or other non-fully identifying profile information) of the user. One or more options are then provided for the user to authorize or reject the application to access the user's fully identifying profile. Upon the user's authorization, an access token is provided to the application to access a subset of the user's fully identifying profile.

Abstract: A method of presenting content, in accordance with one embodiment of the present invention, includes receiving a request for an item of content and selectively verifying ownership of the requested content. If verification of ownership is not to be performed for the particular request, the item of content may be served. If ownership is substantiated for the particular request, the content may also be served. If ownership is not substantiated for the particular request, the content may be purged. Ownership verification may be by access to a physical copy of the content (e.g., DVD, CD or the like).

Abstract: Example embodiments provide a Shipment Preparation System (“SPS”), which facilitates the preparation of shipments, such as by producing shipping labels. In one embodiment, the SPS is configured to receive shipment preparation information from a bar code or other machine-readable data block in a packing list. The shipment preparation information identifies a uniform resource identifier (“URI”) that identifies a code module that is remote from the SPS. The shipment preparation information and/or the URI further includes an access token. The SPS then uses the URI to communicate with the code module in order to access shipment information (e.g., to read a read a shipping address, to store an indication that a shipment is ready for pick up). The code module restricts access to the shipment information based on the access token, such as by only allowing a limited number or duration of access via the token.

Abstract: Methods and apparatus for providing media content offered by media content subscription service to portable media player devices associated with subscribers of the service are described herein. In various embodiments, particular fulfillment module, request module and media player are provided to fulfillment server(s) of the subscription service, request client devices, and portable media player devices, respectively.

Abstract: A system for automatically updating personal consumer and business contact information is disclosed. A server located “in the cloud” automatically controls a database of contact data elements, some of which have preferred privacy protocol. These protocols may restrict some data elements from being shared unless a data-owner's explicit permission is obtained. When the server receives a request for such a restricted data element, the server issues an email or text message in order to obtain the necessary permissions. If permission is granted, the server then supplies the requested data.

Abstract: A computer-implemented method may include maintaining a set of password-protection policies configured to prevent unauthorized access to a mobile device at different physical locations. The computer-implemented method may also include identifying a current physical location of the mobile device and searching a database that stores the set of password-protection policies for a particular password-protection policy that corresponds to the current physical location of the mobile device. The computer-implemented method may further include identifying, based on the search of the database, the particular password-protection policy that corresponds to the current physical location of the mobile device and then implementing the particular password-protection policy on the mobile device in response to the identification of the particular password-protection policy. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A web services hub receives a request from a data source system, transforms the request, and transmits the transformed request to an external system. A secure service router is coupled to the web services hub. The secure service router authenticates the data source system and locates a transformation service to transform the request.

Abstract: A method may include storing user information associated with a first user, where the user information includes at least two of location information, presence information, address book information or calendar information. The method may also include storing access control information identifying criteria for allowing parties to access the user information and receiving, from a first party, a request for access to at least a first portion of the user information. The method may further include determining, based on the access control information, whether the first party is authorized to access the first portion of the user information and providing access to the first portion of the user information, when it is determined that the first party is authorized to access the first portion of the user information.

Abstract: Embodiments of the invention are directed to systems, methods and computer program products for using a device identification program. In some embodiments, a system is configured to: receive device identification information from a mobile device, search a database of records based on the identification information, and in response to determining a match between information associated with a record in the database and the identification information, enable first access to an application initiated on the mobile device.

Abstract: A broadband gateway, which enables communication with a plurality of devices, handles at least one physical layer connection to at least one corresponding network access service provider. Security boundaries such as conditional access (CA) and/or digital right management (DRM) boundaries associated with the broadband gateway are identified based on security profiles associated with the plurality of devices and/or a service from networks. The identified security boundaries are utilized to determine or negotiate CA information for content access for the service. The received content may be distributed according to the determined CA information and the security profiles of the corresponding devices. The broadband gateway may be automatically and dynamically configured based on the identified security boundaries to secure content distribution to the devices.

Abstract: A method for using time from a trusted host device is disclosed. In one embodiment, an application on a memory device receives a request to perform a time-based operation from an entity authenticated by the memory device, wherein the entity is running on a host device. The application selects time from the host device instead of time from a time module on the memory device to perform the time-based operation and uses the time from the host device to perform the time-based operation. Other embodiments are disclosed, and each of the embodiments can be used alone or together in combination.