Wednesday, April 6, 2011

Over The Top Media Distribution

A few weeks ago I gave a presentation at OTTCon (the Over The Top Conference) in San Jose, California. What is "over the top"? The purest definition is multi-media (HD video, "television", and other media) delivered to your home through the internet. Over the top refers to working "around" the traditional "television" delivery channels to your home (broadband cable, airwave broadcast, and satellite).

The conference was over-subscribed and indicative of the tremendous ferment in this technology, product and service area. As with any market with such dynamics and growth, the business opportunities are tremendous.

This market has large, well established vendors operating "walled garden" solutions with strong interest in expanding out from their now traditional music or DVD quality video distribution to high definition content. There are a large number of smaller niche players, and new entrants of varying types almost every day. Of course all the major consumer electronic brands and consumer media sales brands are jockeying for position as well.

The cable companies are highly involved, particularly as they strive for a larger business role than just as a bandwidth provider for "the last mile", which in turn has raised and will continue to raise net neutrality issues.

There is tremendous product crossover, with gaming boxes serving as internet connected media access devices, smart phones and tablets operating as media access devices, set-top box functionality being integrated into traditional TVs and monitors, not to mention the evolving role of the traditional PC as a multi-media hub.

There are platform wars erupting. The most interesting is Google's promotion of Android and Chrome as ubiquitous platforms to be used by all media oriented product vendors...which just happen to very easily integrate with Google's services and advertising.

Standardization is a major market force. Ultraviolet is an open standard in development with huge industry participation working to define and create a uniform and compatible system for purchasing, renting, accessing and viewing high definition video content on all owned Ultraviolet compatible devices.

Behind all of this are the studios, with their content and in particular with their high definition content, which they are being extremely careful with relative to distribution and monetization.

Overall, this is an incredibly complicated business and technology ecosystem, with participation by telcos, cable companies, satellite companies, consumer electronics companies, cell phone companies, microprocessor companies, computer companies, bricks and mortar and web only consumer sales companies, studios, and security companies. The corporate membership list of Ultraviolet, for example, is stunning in its breadth.

Michael Porter of the Stanford Business School is famous for (among other things) his promotion of a "force analysis" of industries. A comprehensive force analysis of the "over the top" market would be fascinating, revealing and extremely complex and rich.

I can't use the term "force" without bringing to mind the meme introduced into our social consciousness by George Lucas, "the Force". As we all know the Force has a light side and a dark side, and in this market area, the dark side centers around (no surprise!) digital media piracy.

Digital media piracy requires a legal basis for defining digital media as proprietary assets. This basis was all but non-existent only a few short years ago, as our large body of property law was primarily concerned with the physical plane. The Digital Millennium Copyright Act (DMCA) is now the foundation on which digital media as proprietary property rests.

Intellectually, most of us understand and agree that media in digitized form is still property. However, sadly, our moral structure and cultural attitudes have not kept pace with the advancement of technology. There are huge numbers of people who would not steal a pack of gum from a store who can and do routinely access pirated digital content.

Why is that? I believe there are two fundamental reasons. The first is the lack of perception of "theft", because there is no overt loss of goods to the owner when the piracy occurs. The second is what I call "second order access": if it's available for free or low cost download, then "I am not stealing it". This is analogous to buying the fancy new watch from the back trunk of someone's car; we know they stole it, yet we are tempted to make the purchase of the stolen goods.

Morality in a society is nurtured and supported by simple acts of peer pressure, and I urge readers to engage in this relative to digital piracy: do not allow this to occur in your home, refuse to support it by saying "no" to offers to enjoy "free" movies by friends and neighbors, and in general stand up at the critical times for the property rights of those who labored to create the content that has been stolen. All the technology in the world will not make us a moral society and protect our interests from ourselves. Only we as a society can do that, and it truly starts with each of us taking simple daily stands on the issue.

There is an incredible essay written in the early 1990s by John Barlow (who later became a co-founder of the Electronic Frontier Foundation) called "Selling Wine Without Bottles: The Economy of Mind on the Global Net". In this essay Barlow poses the following riddle: "if our property can be infinitely reproduced and instantaneously distributed all over the planet without cost, without our knowledge, without its even leaving our possession, how can we protect it?", which in turn leads to a fascinating observation: "A lot of protection technologies will develop rapidly in the obsessive competition which has always existed between lock makers and lock breakers."

Here at Arxan Technologies, we are deeply involved in this "obsessive competition" in the arena of proprietary digital content lock making and breaking. Consistent with the vastness of the ecosystem involved in "over the top" media distribution is an alarmingly complex delivery value chain for the actual content. This in turn presents a vast "attack surface" for those who wish to steal the digital assets in motion. And the problem doesn't stop with merely the protection of the digital content: other elements of the environment are subject to tampering to effect different forms of piracy. For example, tampering with a retail node to enable "purchases" without any actual financial transaction, or tampering with policy code to disable the time period restrictions on content.

We at Arxan are members of the Ultraviolet organization and are deeply involved in protecting digital assets in both Ultraviolet and many other "over the top" media distribution channels through Digital Rights Management software protections, key hiding technologies and node locking technologies.

Thursday, March 3, 2011

Android Marketplace Apps Removed by Google

For quite some time now I and others have been speaking out regarding the risks of the Android application marketplace, as an un-vetted "wild west" for software.

The essence of the problem is simple: anyone can post software there, without any review of actual content and behavior. The overarching security model is that applications on installation must request and the user must approve certain capabilities (for example the right to access address book information, or to send text messages), and this then gives the user security control. The problem with this model is that broad capability requirements are very common on legitimate applications, and users come to assume that the capabilities requested are both needed and will be used "appropriately" by the application. Neither is necessarily true, particularly with applications that are intentionally malignant.
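The install-time capability model described above can be checked mechanically before an app ever reaches a user. The following is an added example, not code from Google or Arxan: it parses the `uses-permission` entries of a decoded `AndroidManifest.xml` and compares them with what the app's stated category plausibly needs. The `BASELINE` policy, the category names and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Hypothetical reviewer policy: permissions each app category plausibly needs.
BASELINE = {
    "wallpaper": {P + "INTERNET", P + "SET_WALLPAPER"},
    "messaging": {P + "INTERNET", P + "READ_CONTACTS",
                  P + "SEND_SMS", P + "RECEIVE_SMS"},
}

# Capabilities that expose personal data or can cost the owner money.
SENSITIVE = {P + "READ_CONTACTS", P + "SEND_SMS", P + "RECEIVE_SMS",
             P + "READ_PHONE_STATE", P + "CALL_PHONE"}

# Constructed sample: a "wallpaper" app asking for far more than it needs.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}


def review(manifest_xml, category):
    """Compare requested permissions with the category baseline."""
    requested = requested_permissions(manifest_xml)
    if category not in BASELINE:
        # No policy for this category: a person has to look at it.
        return {"verdict": "manual-review", "unexpected": sorted(requested),
                "sensitive_unexpected": sorted(requested & SENSITIVE)}
    unexpected = requested - BASELINE[category]
    risky = unexpected & SENSITIVE
    verdict = "reject" if risky else "manual-review" if unexpected else "accept"
    return {"verdict": verdict, "unexpected": sorted(unexpected),
            "sensitive_unexpected": sorted(risky)}


if __name__ == "__main__":
    print(review(SAMPLE_MANIFEST, "wallpaper"))
```

A check like this only covers what an app asks for, not what it does with the access once granted, so it narrows the review queue rather than replacing behavioral review.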

Today we have the news of a significant number of applications with large numbers of downloads being, in fact, malware attempting to get device access at the root level, and stealing confidential information off the phone.

http://www.cnn.com/2011/TECH/mobile/03/02/google.malware.andriod/index.html?hpt=T2

It's important to keep in mind that there are three types of parties involved in Android security issues. The first is of course the consumer and individual business user, and their concern is the ability to utilize applications that provide incremental value without concerns about malware. The second is businesses themselves, who must field these devices with their staff for productivity reasons, and have to balance the need to enable them with productivity applications against the need to ensure device security. This is particularly needful given the business data likely to reside on the device. Lastly, there are the application developers (sometimes these same businesses fielding such devices), who have to be concerned about the risk of their software being compromised with malware, and potentially their brand compromised as a result of re-distribution with malware injected into their application.

The heart of the problem leading to this action by Google is, first, the lack of any review practices for the Android marketplace. Some are suggesting a "vetted" Android marketplace as a solution; meanwhile, some larger enterprises are constructing their own "vetted and approved" download areas for Android applications for employee business devices. It's not hard, given this recent action, to see why such a methodology is needed for large corporate deployments of Android devices into the work force.

The second problem is the lack of any software protections in the application software itself. We at Arxan have been ringing this bell for some time, and while those with obvious code security concerns do take active steps to secure their application code with intrinsic security (media players, payment system software, banking software, etc.), others do not. This enables exactly the above situation to occur: hackers can casually lift an application, reuse/modify the binary level code, and republish. The result: rapid and effective malware distribution to a huge base of Android device users.

The solution isn't overly difficult: protect your applications from reverse engineering and tampering! Arxan and others provide powerful technologies to accomplish this. While this won't secure the Android marketplace itself, it will help to assure that YOUR software isn't cloned and published under a similar function or brand name with malware inserted.

Thursday, January 6, 2011

A New Decade of Computing!

2010 is over, and a new decade is beginning to unfold. We have a tidal wave of computing change occurring; indeed, it is really just getting started.

"Smart phones", which I prefer to think of as hand held computers with cellular I/O support, are by far the fastest growing class of computer systems today. I've suggested it before and I'll suggest it again: what we are witnessing is the rise of a "fourth wave" of computing. The first wave was the mainframe, the second was the minicomputer, the third wave was the PC. Interestingly, the "personal" computer was personal only in the sense that you, as an individual, had your own. The rise of the truly "handheld" computing device, which also adds cell phone I/O (for both data and voice transmission, thus making them "smart phones"), is more accurately a "personal" computer, in that the computer generally stays in contact with your body. However, since "personal computer" isn't available as a moniker, I've suggested "intimate computer" as a more accurate and expansive name for this new computing class.

What can we learn from history, from the forces we see at work, from our own logical assessment, and even perhaps from our intuition, about how this new intimate computing wave will unfold?

First, as to form factor: I do not think we are anywhere near "done" with evolution of form factor in these new intimate computing devices. Just as the desk-side/desk-top PC fairly quickly evolved into a wildly popular "laptop" form, I predict that the current form factor of a rectangular hand held "bar" will evolve into yet more intimate forms. Generally I'd call this "wearable computers" and all that that implies. The specific forms that will be successful are hard to predict, but it's sure to be a fascinating arena with multiple audio and visual possibilities!

The challenge of new form factors will of course be I/O between us and the computer. While voice is an obvious possibility for input, voice strikes me as being problematic for the innumerable times you want to "use the computer" but speaking extensively is inappropriate or just not comfortable. Audio output is easily dealt with via the current forms of ear based speakers, but perhaps during the decade we will see something more subtle, a la bone induction or some other means of bypassing the need for external speaker based output.

Visual output requirements would seem to take us back to some kind of "hand held screen" form factor, but I think this leads to a very likely "wearable" form factor that can address multiple needs in an integrated manner. Glasses. Yes, glasses, where visual output is projected onto the inside of the glass and is seen as an "overlay" on the outside visible world, similar to heads up displays in aircraft. Such a form factor can easily include audio output via integrated ear buds. Voice input is obvious but as I said, not ideal, and the human input side is probably the area I am least able to see what innovations might develop. Sensors on finger tips that allow some kind of finger movement based textual input? Perhaps we'll get to internet access and general computing paradigms where textual input is generally obsolete! Or perhaps some kind of "sub-vocal" input means will be created, allowing "voicing" that is performed silently relative to the outside world!

If you think that I am alone or far-fetched in my thinking, then perhaps you were not at the Open Mobile Summit late last year in San Francisco. I heard a few companies talking about these trends and sharing thoughts on concept products that might one day appear. One company showed a "mirror mirror on the wall who is the fairest of them all" concept where, as you brush your teeth in the morning, you engage in I/O activities from getting the weather, news and sports to sending them on to friends. Another company decried the current "heads down" paradigm of smart phone usage, promising to lift up the heads of people everywhere with use of their future products. I don't believe my ruminations are entirely speculative!

Of course where innovation goes, crime is sure to follow. It's an immutable law of nature. What might be the evolution of "computer viruses", and more generally, the entire arena of "cybercrime"? As noted in prior blogs, this area isn't just kid stuff or even just "malicious people" stuff anymore. This is hard core major organized crime stuff! Billions of dollars are being stolen, every year, both in outright cash and in more subtle economic forms (intellectual property in particular).

Even today, we already have examples of viruses infecting intimate computing devices. We have an example of malware hiding under a veneer of a legitimate application (watching a new movie trailer) directly monetizing its infection by making toll calls charged to the service plan of the owner of the smart phone. It's a safe bet that ALL the forms of viruses, malware, bots and botnets, and the like will move through the intimate computing landscape.

Do the specifics of intimate computers enable new and different forms of malware? Note: I'm not referring to the detailed level of "yes there will be differences because it's Linux or Symbian or XX underneath not Windows or OS/X". Are there new and unique attributes of intimate computers that will enable whole new classes of malware? If so, what are those unique attributes?

First, the "universal" connectivity of intimate computing devices to the cellular infrastructure is a unique attribute. Second, the popularity of mobile apps (downloaded to and run as independent programs) as the basis for functionality extension is rather unique. Yes, we all have loaded applications onto our PCs, but in general we are rather selective and judicious about that, loading those apps from large, well established and recognized legitimate vendors, and we generally load relatively few in number. The intimate computer world is shaping up very differently, where loading many tens and even hundreds of little apps from all kinds of no-name vendors is business as usual!

Do the apps represent a new means of malware infection? Well, to a large extent the same issue was present in PCs. However, what we have here is a huge difference in SCALE. BILLIONS of apps are being downloaded; Gartner is projecting approximately 30 BILLION app downloads into intimate computers by 2013. Is the opportunity for large scale infection substantially higher for these intimate computers? Clearly, it is.

What about the cellular I/O that is fundamental and pervasive on these devices? What can malware do with that? I truly don't know, but one thing I'm 100% certain of: there are some very smart minds out there, with advanced technology knowledge, getting paid by very evil minds with lots of money and no compunctions or morals, thinking about this as a tremendous (criminal) revenue generating opportunity. And that puts intellectual property at risk, not to mention business models and privacy.

So, how do we move forward in our mobile, connected, app-loaded world? With excitement and innovation, but also with consideration for the defenses required to safeguard assets in this brave new world (apologies to Aldous Huxley). If this stirs your thinking a little as we march into the madness of a new decade, I've accomplished my goal for today. Happy New Year, and here's to an exciting second decade of the millennium!