
27 May 2014

ITWeb Security Summit 2014

ITWeb Security Summit in 2009 was my first "industry" security conference, and after a long diet of academic security conferences, ITWeb was a huge let-down. There were some interesting talks - especially the keynotes - but a lot of the others were a big waste of time. So much so that I did not bother going again until last year - and even then, it was for half a day.

This year was slightly different - I was presenting in the afternoon, and so took the opportunity to also attend the keynotes in the morning and some of the other talks in my own track. The organisation was a bit sloppy: for a conference in its ninth year, starting late due to traffic is inexcusable - rather schedule a later start, given that traffic in Sandton at 8am is bad! Likewise, the opening remarks were a long ramble with no particular purpose - especially given that the conference was already behind schedule!

The first keynote, by Jacob Appelbaum, was definitely worth attending, covering a number of interesting topics related to surveillance. Much of it was a primer on NSA surveillance techniques, and especially on how these techniques are leveraged and integrated to provide a holistic end-to-end capability to intercept, inject and siphon data. His observations were scathing - not only of the US government but also of general attitudes - and he called the European/US/Canadian stance effectively "deep seated racism": that they see themselves as superior, and thus it is OK to be doing mass surveillance on other people. I particularly enjoyed his argument that it is not so much the NSA that is wrong, but the fact that this capability is provided for, and accepted. His view that even court-authorised targeted surveillance without informing the target should be outlawed is extreme - but was logically sound in the context provided. Sadly, he did not have much in the way of solutions - and his approach of effectively open source (not necessarily commercially free) software and hardware will take a long time to really mature to be usable by the masses.

Christopher Soghoian's keynote continued in a similar vein, focusing more on the almost willing corporate participation in the NSA programmes. Some of it, such as major service providers like Google and Yahoo not forcing SSL connections for email logins by default, inadvertently helped programmes like those run by the NSA. Although he did comment on the business models employed - effectively targeted advertising - I think part of the issue is that these services are free to the user, which could lead to undue expectations - after all, you do get what you paid for.

Unfortunately, I can't make day 2 - but at least the keynotes were well worth attending. The track I was on was OK overall, with a wide diversity in the level of content presented, and it was generally well attended.

17 November 2013

ZaCon 5

If ZACon 5 was a true representation of the security practitioners in South Africa, it would seem that there are next to no women - after all, only 1 lady in an audience of 100 plus gives a pretty skewed demographic. Perhaps this is a phenomenon more in the hacker community itself? Perhaps it is due to the fact that the event is on a Saturday? I have commented on the diversity of ZACon before, and in other respects the audience was far more diversified, be it race, organisations or age - so, it seems like gender is the final frontier :)

Organisationally, this was the best ZACon yet - better signage, better communication, up to date scheduling (even if it did run late, and the schedule did change a lot), AV and sound set-up etc. As Dominic commented, ZACon is growing up, and it seems to be on a sustainable footing - and this is a local security conference that deserves to continue. The content was also impressive, covering a variety of interests, although there was a strong "electronics" theme.

Dimitry started off proceedings on the use of Markov chains to create more efficient password attacks. In principle, it is a great idea, but his actual demonstration and training data did not make sense. Password complexity rules have almost ruled out the use of plain dictionary words as passwords, and thus the solution did not have the gravitas that it could have.
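To make the Markov-chain idea concrete, here is a small added example (my own illustration, not Dimitry's code or his training data): a character-level second-order Markov chain is trained on a constructed list of common passwords, and then used defensively to score how predictable a candidate password is, the same model a guesser would use to order its guesses, turned into a policy check. The training list, the chain order, the add-one smoothing, the boundary tokens and the 4.0 nats-per-character threshold are all assumptions chosen for the example.

```python
import math
from collections import defaultdict

# Constructed stand-in for a corpus of leaked/common passwords (not real breach data).
TRAINING_PASSWORDS = [
    "password", "password1", "letmein", "qwerty", "dragon", "monkey",
    "football", "iloveyou", "sunshine", "princess", "welcome", "shadow",
    "master",
]

START, END = "^", "$"          # boundary tokens, so that password length is modelled too
ORDER = 2                      # context length in characters (assumption for the example)
ALPHABET_SIZE = 95             # printable ASCII, used as the add-one smoothing denominator
NATS_PER_CHAR_THRESHOLD = 4.0  # policy cut-off; an assumption, tune against your own corpus


def train_markov(passwords, order=ORDER):
    """Count how often each character follows each `order`-length context."""
    counts = defaultdict(lambda: defaultdict(int))
    for pw in passwords:
        seq = START * order + pw + END
        for i in range(order, len(seq)):
            counts[seq[i - order:i]][seq[i]] += 1
    return counts


def log_probability(model, password, order=ORDER):
    """Log-probability of the whole password under the chain. Add-one smoothing
    gives unseen contexts/characters a small but non-zero probability."""
    seq = START * order + password + END
    total_lp = 0.0
    for i in range(order, len(seq)):
        row = model.get(seq[i - order:i], {})
        seen = sum(row.values())
        total_lp += math.log((row.get(seq[i], 0) + 1) / (seen + ALPHABET_SIZE))
    return total_lp


def surprise_per_char(model, password):
    """Average surprise in nats per emitted token (characters plus the END token).
    Lower means more predictable, i.e. reached earlier by a Markov-ordered guesser."""
    return -log_probability(model, password) / (len(password) + 1)


def is_predictable(model, password, threshold=NATS_PER_CHAR_THRESHOLD):
    """Policy check: flag passwords the chain finds too easy to generate."""
    return surprise_per_char(model, password) < threshold


MODEL = train_markov(TRAINING_PASSWORDS)

if __name__ == "__main__":
    for candidate in ("password", "passw0rd", "x7!Qp9#z"):
        print(f"{candidate:10s} {surprise_per_char(MODEL, candidate):.2f} nats/char "
              f"predictable={is_predictable(MODEL, candidate)}")
```

Note that "passw0rd" still scores as predictable: the substituted character only costs a couple of unseen transitions, which is exactly why the model is more effective than a plain dictionary once it is trained on data that resembles what people actually choose.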

Jason presented the most interesting talk, on Mains Signalling. Basically, Mains Signalling is the use of signalling on the electrical grid, allowing electrical systems to be controlled. The technology is old, undocumented, and very topical with regards to the move to Demand Side Management across the world. Through literally years of effort, and off-the-shelf components, Jason managed to decode some of the signal codes - including those of traffic lights, street lights and geysers. Given that there is absolutely no authentication or authorisation built into the system, anyone with the capability to send modulated signals on the electrical grid can cause havoc - and this is something that, to my knowledge, is not addressed as part of next generation grids. Yes, it is a far more local attack - but also far more economically damaging.

Jeremy ("Panda") presented an interesting investigation on the command and control servers for the Poison Ivy botnet (and two others). Through interception of communication, Nmap, and tracking IP addresses and domain registration records, he managed to identify a number of additional domains and command and control servers. And amazingly, many command and control servers are themselves vulnerable to many attacks, due to bad configuration and vulnerabilities within the Poison Ivy system. The approach will not work for all botnets, but this is certainly a good step forward in combating botnets.

Brazilian Marcos (studying at UJ) presented the most complex talk, on detecting obfuscated obfuscation routines. The use case is better detection of malware, but it could also be used to attack software that uses obfuscation as a protection mechanism. Detecting and reversing good obfuscation is difficult, and although the work is very much in its initial stages, it shows good promise.

Rhodes MSc student Adam talked about his research on active honeypots. Traditional security technologies, like firewalls and anti-virus systems have high cost in detection, but low cost in carrying out enforcement. Conversely, honeypots have low cost in detection, but high cost in actually carrying out meaningful actions. The presentation was therefore on building a converged system - low cost of detection, and low cost of enforcement. In some respects it is a better IPS - and the approach is interesting; though probably not completely scalable. 

Dave from MWR's UK office gave the scariest talk of the day - on how easy it is to hijack ad networks to infiltrate ad-supported apps on mobile devices, most notably on Androids and jailbroken iPhones. Ads are effectively a WebKit implementation within apps; but through bad design, vulnerable implementations, an intentional wish to hijack data, bad sandboxing, and ads inheriting the permissions of the underlying apps, ad networks are effectively able to pull various types of data, or take actions such as sending messages or making calls. This means that the attacker can effectively hijack legitimate ads for their own purposes (since ad network traffic is often unencrypted) or, in an easier (but potentially traceable) attack, launch an ad campaign that sets out to attack their targets. It was a truly fascinating insight into the problems with the current mobile advertising landscape and the lack of real incentives to address the problems.

Mark, also from MWR but the SA office, gave an insightful overview of Controller Area Networks (CAN), specifically in cars. While there was some exploration of possible vulnerabilities, it was more of a discussion on reverse engineering. There are interesting avenues to pursue - especially remotely, via avenues such as keyless entry or telemetry broadcasts for race cars.

In the past year, Robert started a conversation on building a data diode - a one-way transmitter of data. Considering the massive cost (some over hundreds of thousands of Rands) of commercial systems, Robert's solution, costing less than R5000, is therefore an amazing hack; and one that works as advertised.

The last talk was by Schalk, on designing a low-gain directional Wi-Fi antenna; but it was really mostly about 3D printing and House4Hack. The 3D printer itself has won awards, and this is a good showcase of entrepreneurship. It was a good follow-up to Roelof's (from Paterva) talk on the basic building blocks for building a successful business. It was a good way to close off a fascinating day.

27 October 2012

ZACON IV

The fourth iteration of the local hacker/security conference has grown even larger, and for a change it was not dominated by Sensepost talks (though this was not by design, just an effect of the landscape; MWR seems to have taken over somewhat). I missed the bulk of the first talk (as I had some things to do in the morning), and the rest of the programme was interesting. More details on the website.

As per previous conferences, ZACON was held once again at UJ's monstrous concrete jungle in Auckland Park. The lecture theatre was quite nice though, with impressive AV facilities. The demographic spread of ZACON is interesting; in terms of gender (the number of ladies in the room could be counted on one hand), age, race etc. There was a distinct lack of corporate guys; a pity in that the forum is great for knowledge sharing. I do know that there were students from UJ and UP, which does skew the demographics a bit.

I have only captured the talks I found interesting.

Glenn Wilkinson's talk mirrored a similar talk at RSA Europe, on exploiting WiFi AP search requests. The differentiator, however, was the ability to chain the systems together (instead of offline systems like the Pineapple). There are some interesting applications of the approach - both good and bad - and it was certainly an interesting discussion.

Simeon Miteff's talk on the security challenges of very high speed networks was quite interesting, especially as it has applicability beyond the research network into modern datacentres. I think the solution is really in segregation - not all connectivity is high speed, and it may be better to focus on the interconnects to slower networks and not on securing the high speed networks.

Ross Simpson's talk on hacking games focused a lot on memory hacks; but the discussion point was really client-side validation. Whenever the system does client-side validation, the values being validated are stored in client memory, and thus can potentially be bypassed. What was particularly interesting is that some very popular modern games (examples were shown on iOS) that use a client-server model can be exploited because they use client-side validation. It is true that iOS memory hacks for client-server applications would need jailbreaking, but there are some interesting attacks exploiting save files on the device that can work on non-jailbroken devices.
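As an added illustration of the client-side validation point (my own constructed example, not code from Ross Simpson's talk or from any of the games shown): a toy in-game shop where the client checks whether the player can afford an item. A server that trusts the client's report grants a purchase made from an edited balance, whereas a server that keeps the balance itself and re-checks every request rejects it, regardless of what the client claims. The shop, the prices, the player name and the balances are all assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed toy in-game shop; prices and balances are made up for the example.
PRICES = {"sword": 100, "potion": 20}


@dataclass
class ClientState:
    """State held in the game client's memory (or its save file)."""
    coins: int
    inventory: list = field(default_factory=list)


def client_purchase(state: ClientState, item: str):
    """Client-side validation: the client alone decides whether it can afford
    the item and then reports the outcome to the server."""
    if state.coins < PRICES[item]:
        return None                      # the client refuses the purchase
    state.coins -= PRICES[item]
    state.inventory.append(item)
    return {"item": item, "coins_after": state.coins}


class TrustingServer:
    """Accepts the client's report as truth; the client-side check is the only check."""
    def __init__(self):
        self.inventories = {}

    def register(self, player: str, coins: int):
        pass                             # keeps no balance of its own, so nothing to record

    def handle(self, player: str, report: dict) -> bool:
        self.inventories.setdefault(player, []).append(report["item"])
        return True


class AuthoritativeServer:
    """Keeps the balance server-side and re-validates every request against it."""
    def __init__(self):
        self.balances = {}
        self.inventories = {}

    def register(self, player: str, coins: int):
        self.balances[player] = coins

    def handle(self, player: str, request: dict) -> bool:
        price = PRICES.get(request["item"])
        balance = self.balances.get(player, 0)
        if price is None or balance < price:
            return False                 # rejected whatever the client claimed
        self.balances[player] = balance - price
        self.inventories.setdefault(player, []).append(request["item"])
        return True


def run_scenario(server, real_coins: int, client_coins: int, item: str) -> bool:
    """Model a player whose genuine balance is `real_coins` but whose client state
    holds `client_coins` (an edited balance, standing in for the memory or save-file
    tampering described in the talk). Returns whether the server granted the item."""
    server.register("alice", real_coins)
    report = client_purchase(ClientState(coins=client_coins), item)
    if report is None:
        return False
    return server.handle("alice", report)


if __name__ == "__main__":
    print("trusting server, edited client balance:", run_scenario(TrustingServer(), 50, 10**9, "sword"))
    print("authoritative server, edited client balance:", run_scenario(AuthoritativeServer(), 50, 10**9, "sword"))
    print("authoritative server, honest affordable purchase:", run_scenario(AuthoritativeServer(), 50, 50, "potion"))
```

The client-side check is still useful for responsiveness (the client can refuse immediately without a round trip), but it must be treated as a convenience, never as the control: anything the client can evaluate, the client's owner can change.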

Andrew MacPherson's talk on physical access control vulnerabilities was amazing. Starting with traditional locks and lockpicking, the really cool stuff was the demos on magstripes (with a good background on magstripes) and RFID tags. One of the most impressive talks, especially given the widespread use of magstripes and RFID tags - not only for access control but for all sorts of other uses.

Jacques Louw's talk on using software defined radios for attacks was a continuation of the radio theme. The bulk of the talk was rehashing theory from a long time ago, but the application to utility meters and GSM was very cool (and frightening, when considering the social impact for smart metering).

Schalk Heunis' talk was different, focusing on home alarm systems, and reverse engineering the system using an Arduino. While there is an attack perspective, there are also very cool implications for home automation. The House4Hack team have some interesting work in this regard.

11 October 2012

Hacking Virtual Worlds

Jason Hart gave a brilliant talk on different techniques to hack virtual worlds. His key message was that, as virtualisation has taken off, the CIA principles for security have been completely ignored, and many of the old vulnerabilities have not only resurfaced - they are even easier to exploit.

Not all of the talk was specifically focused on cloud. Using a Pineapple he showed how easy it is to intercept and decode passwords (even when they are encrypted). After that, accessing systems, virtual or not, is not a big issue.

But his attack techniques on virtualisation platforms were the most illuminating - from accessing VMware's vCenter by cracking the MD5 password hash, to exploiting the fact that robots.txt files aren't respected in public cloud services (and are thus susceptible to Google hacking).

It was not a failure of technology (although the Pineapple did exploit protocol weaknesses), but failure to follow basic principles.

Active Defense

Another buzzword at the conference is Active Defense. Introduced by Francis deSouza in his keynote on day 1, it is based on the idea that wars are not only won by defending, but also by attacking and eliminating threats. The concept is of course controversial, and the legal, technical and ethical challenges have been raised by a number of later speakers.

This morning, Josh Corman raised the idea of resurrecting Letters of Marque as a means of regulating active defense. I am not convinced that this approach will solve the legal and ethical challenges.

Letters of Marque were granted by European monarchs to sanction specific pirates and allow them to carry out their piracy (usually as long as it was not in their backyard). Effectively, they were state-sanctioned criminals; and the idea of enabling Letters of Marque for cyber attacks will open a Pandora's box.

Josh Corman's HD Moore's Law

Since yesterday's keynote by Josh Corman, HD Moore's Law has become some sort of a mantra by the other speakers at the conference.

It's a brilliant argument: instead of focusing on compliance as a minimum baseline, the minimum baseline should be, can you get compromised by the default/basic settings of Metasploit? Metasploit is easy to use and widely available, which makes it an easily exploited attack vector. It also aligns with the US RSA Conference talk on metrics, which commented that the basic metric of security is "hackability", or how easy it is to hack you.

10 October 2012

Live RAT Dissection

The presentation yesterday by Uri Fleyder (RSA) and Uri Rivner (BioCatch) on the use of remote administration tools, coupled with "man in the browser" attacks, is probably the most alarming threat exploitation I have seen recently.

The attack first exploits browser vulnerabilities through drive-by downloads to infect the target machine. I suppose a drive-by download is not even necessary - other vectors could also be exploited. Once the target machine is infected, the attacker can make use of a remote administration tool (RAT) to carry out an attack using the target machine. Through the use of a "man in the browser" attack, the attacker intercepts browser activities, such as banking (or e-commerce or any other activity), and thus can not only capture data in real time but can also take control of the browser and show false messages (such as longer login times, false redirections etc).

The beauty of this attack is that it is carried out entirely from the target user's machine, and tokens are also compromised in this attack (through the use of redirections). And there are very few countermeasures ...

09 October 2012

RSA Conference Europe: Day 1 Keynotes

There was an overall theme to the first three keynotes - a need to change the security models from (perimeter) defense based to "intelligence based" model. Art Coviello (Chairman, RSA) introduced the theme, with a focus on changing security to be more agile, contextual, risk based and the need to share and analyse information on scale.

Tom Heiser (President, RSA) followed, expanding the themes, with an insightful comment on the Moore's law equivalence in security: the cost of attacks has reduced while the complexity of attacks has increased. Both speakers were hugely critical of compliance-based regulatory regimes, which are sometimes contradictory and often provide a false sense of security.

Francis deSouza (Symantec) followed the theme with a focus on the need to be more "militaristic" in IT security. His argument was that you can't win a battle on purely defense, and security strategies and solutions need to consider the whole campaign and not just point vectors. In this regard, defense mechanisms also need to be "great" and not just good to be effective.

Adrienne Hall (Microsoft GM for Trustworthy Computing) focused mainly on cloud adoption, though she was a bit out of sync with the earlier theme. Hugh Thompson was also out of sync, but did raise a different perspective - security solutions currently are "one size fits all", and are not tailored to individuals, so they are either too complex or too simple, and both are basically ineffective. To create a security profile that is really personalised will be difficult, but would be a very interesting approach to becoming more secure.

03 March 2012

RSA Conference Day 4

I was surprised at the number of people who stayed for the last day, and even more surprised at the high quality of the talks. In the feedback form, I rated every session today highly.

The first two talks I attended revolved around hacking and application vulnerabilities. While I do not work much in the application space, most security attacks are based on application vulnerabilities, and thus highly relevant.

The first speaker, Jeremiah Grossman highlighted a particular issue with security spending in enterprises - the spending does not match the established estates or problem areas. I agree with his assessment and arguments, that it does not make sense to spend on firewalls or anti-virus when most attacks are due to bad coding practices.

The second talk, by Dave Aitel, argued that current arguments (both for and against) on cyberwarfare are misplaced: that it is not only about technology and tools, but about movements like Wikileaks and Anonymous; that the danger of cyberwarfare from non-nation states is driven by profit; and that the danger of cyberwarfare is not that the Internet or power will be shut down (since that would then stop the war also) but rather an impact on logistical and economic infrastructure. And most importantly, Stuxnet was more than just a worm against nuclear infrastructure; it was proof that any industrial infrastructure could be targeted and shut down. It was the most rational discussion on cyberwarfare I have attended at the conference.

The last "talk" was more managerial in nature, looking at the priorities of CISOs; I liked the practical nature of the discussion and the acknowledgement that, despite all the issues, only a few can really be addressed at a time due to resource limitations.

Hugh Thompson hosted a more informal discussion on the psychology of decision making; it was entertaining, it was interesting, but not very practical I suppose. Tony Blair gave the final keynote to close the conference; I thought it was too much of a political speech and not really relevant. It was very entertaining though.

The RSA Conference is the biggest information security conference in the world; and was definitely a great learning experience and I would be keen to come back next year.

02 March 2012

RSA Conference Day 3

Today was probably the most informative day at the conference for me, with a number of great sessions and speakers. The highlights undoubtedly were the talks by Mikko Hypponen and Sal Khan.

One of the "gurus" of security, Mikko Hypponen (chief researcher at F-Secure), gave a brilliant presentation on terrorism and IT - on the technology platforms used by terror groups to communicate and spread propaganda; on their encryption and steganography techniques; and also on where their IT systems are concentrated. Although he focused on Al Qaeda, this was a sample of what is available and used by other groups, including white supremacists etc. While there has been no "real" cyberterrorist activity (e.g. attacks on mass infrastructure, instead of defacement), there is proof that there are people who actually have the technical means.

That said, I think the hype on cyberterrorism is overblown. As is the case for cyberwarfare, although there are certainly nations that have already built up capabilities in this regard. But some of the proposed remediations are not only technically difficult (if not impossible) but have far more reach than is necessary.

Salman Khan, the founder of the Khan Academy gave an inspirational talk on possibly the future of education. It is the only talk I have attended at the conference to have received a standing ovation, and deservedly so - it was inspirational, it was funny and it was technical. The intention is that it is eventually available in multiple languages and I think it could really revolutionize education everywhere. Yes, bandwidth and infrastructure are issues, especially with video but this is not insurmountable.

01 March 2012

RSA Conference Day 2

Most of the sessions I attended yesterday were about identity, especially the fragmented nature of identity on the web. There was an interesting legal discussion on the legal issues of using a federated identity model, such as who gets the liability if things go wrong (e.g. incorrect authentication). I have also been interested in security metrics for a while, so the panel discussion gave some food for thought, though it only scratched the surface.

Of the keynotes, David Brooks' talk on how social development affects decision making was informative, funny and interesting. He made some comments on trust that I want to blog about later, once I get my thoughts in order, and perhaps read a bit more of Bruce Schneier's new book.

The conference has an interesting concept of "Dinner for 6", where strangers can get together for conversation and a meal. We became a party of 8 (I think we were tables of 4&4), and the table consisted of a wide variety of people - a startup CEO with a background of starting and advising numerous (successful) startups, a reformed black hat hacker, a manager of a dev team from a leading security company, an analyst from the DoD, two IT directors from separate non-profit organisations and a manager from a state-based angel funder. It was a great mix of people, and some engaging conversation.

29 February 2012

RSA Conference 2012 - Day 1

The general theme of the conference seems to be "big data", though the definition of big data seems to vary. Some are referring to the general explosion in data, either due to increased production or due to retention practices; some are referring to the explosion in sensor data and the implications for processing; while Bruce Schneier in his talk was referring to Amazon, Google, Apple and others, who are collecting a lot of data, especially personal data, where the data owner is giving up a lot of control.

As is the case with first days, the majority of the day was keynotes from notable luminaries, of which I enjoyed the Cryptographers' Panel (comprising Diffie, Rivest and Shamir, amongst others) the most.

In the evening, I attended Symantec's "small and exclusive" party, which was neither small nor exclusive, with a line that stretched a block. Nothing special to be honest ...

11 October 2010

ZaCon 2

Last year, a bunch of security techies (mostly from Sensepost, it seems) banded together to form a technical security group, called ZaCon. In seemingly no time, they had organised a conference/get-together - which I could not attend due to work commitments. ZaCon 2 was the newer, bigger conference event. It is not really a novel concept in many respects - a bunch of people get together (on the weekend, of course), organise a venue and discuss their common interest for a day - and all for next to no cost (the organisers funded some of the equipment hire; the rest was either sponsored or non-existent). It is the purest form of participation really - being there because it interests you.

As with all conferences, there was a mixture of the superbly interesting to the boring - but that is to be expected. With a strong technical focus, many of the talks focused on IT vulnerabilities - how they can be exploited and/or mitigated - from Google Apps to Java JAR files.

There were a number of highlights. On the attack front, Ivan Burke's talk on the use of Google Apps to create features similar to botnets (though, as he willingly admitted, he was not a good speaker) was a great example of how cloud computing facilities not only create security challenges with regard to confidentiality of data (stored in the cloud) but also create a platform for future security exploits. Jurgens van der Merwe's talk later about the use of Selenium expanded further on the potential for attacking web-based systems. In fact, a potential that wasn't explored in great detail - the combination of Selenium and cloud-based services such as Amazon EC2 and Google Apps - could create a significant assault on data confidentiality, through exploiting gaps in web-based services. Also on the attack front, Daniel Cuthbert's talk on banking website security was a sobering reminder of vulnerabilities that are created by sheer incompetence as opposed to oversight.

Ross Simpson's talk on the use of jailbroken iPhones as a means to infiltrate wireless networks did not really explore major new ground - but was a very practical walk through on the power of smartphones and a new attack vector. Like the attack vector of cell phone cameras where normal cameras are not allowed; this is yet another attack vector that is easy to deploy and hard to mitigate against.

Ollie Whitehouse discussed the forming of UnCon 10 years ago (a security community in the UK, and seemingly the idea that gave rise to ZaCon) via Skype - and was impressive not only in the content of the talk (I think there are a lot of things that ZaCon can "copy") but also in the fact that the technology worked. Using two different computers (one to control the screen and the other to conduct the Skype call), each with its own 3G connectivity, definitely helped in this regard.

The last talk, Barry Irwin's analysis on the propagation of Conficker was quite interesting - especially the patterns on the network traffic correlated to the spread of the virus. The fact that Conficker has gone quiet is itself a worry - and the correlation of Conficker to other viruses; including Stuxnet, could be interesting research.

Overall, it was a great event - and a great learning environment. I do think, however, that there is a need to reduce the number of speakers and instead open up the floor for a lot more debate and discussion. Congratulations to the organisers for a great event!

29 July 2010

Conundrums caused by etiquette

Last night was the "social" event of RSA TechFest, at the headquarters of RSA. There was a tour of the RSA facilities, and I was on the last tour. The impact of that was that we were effectively the last people to arrive for dinner - by which time there was 1 plate and 1 set of cutlery for about 25 people. This led to a social conundrum - taking the plate would be rude to everyone else, while not taking the plate would mean that everyone looked stupid, staring at the food and the last plate. Ultimately, everyone decided to look stupid - and wait while new dishes and cutlery were cleaned and delivered; but it's one of those awkward social situations which are just very funny (at least to those who are there).

13 May 2010

Counting Crows, Police Escorts and a lot of expensive storage

I was in Boston for EMC World, a very big vendor conference. EMC is largely known for its storage solutions, but there are a number of other products and services, notably VMware and RSA. My engagement with EMC has largely been around RSA, so it was a good opportunity to learn about the other products and services offered by EMC. The big disappointment in my view was the under-representation of RSA and VMware, with a lot more focus on storage and software products.

It is quite interesting to attend an event of this size. The Counting Crows were the entertainment for the first night, but they were really disappointing. They had no interest in their engagement with the crowd - understandable given that they had already been paid, and thus had no real stake in the performance. Another day, the shuttle bus from the hotel was given a police escort, easing the way through traffic. Being a Boston-based company, EMC obviously has some clout in the city.

It was certainly a good experience, and the side discussions and networking certainly helped!

28 September 2009

Virtual Goods 2009

This was my 3rd Virtual Goods Workshop, and my first as program chair. Without blowing my own horn too much, I think that although the number of papers in the workshop was not as high as I would have liked it to be, the quality of the papers was amazing.

The highlight for me was the keynote talk by Bill Rosenblatt, on the past, present and future of DRM. As is well accepted among many in the DRM research community, the biggest fundamental problem with DRM was not necessarily the technology, but the economics and the marketing that went into it. More and more, DRM is being proposed as a means to enforce privacy legislation - one of the original use cases of DRM, that was overlooked in favour of pushing for a very small control set of copyright regulation enforcement. Bill Rosenblatt has been in the field of DRM for a long time, and the presentation was insightful on the many aspects that led to the current outlook on DRM.

Another interesting talk was Mario Kubek and Jürgen Nützel's paper on "Novel Interactive Music Search Techniques", which takes a number of different search techniques, including text analysis, melody analysis, frequency analysis and much more, to derive the various genres that correspond to a musical item; and also looks for similarities between musical pieces using sources such as Google and Wikipedia. It is certainly an interesting way of powering future media exploration.

Next year's Virtual Goods Workshop will take place in Namur, Belgium.

28 May 2009

ITWeb Security Summit

I have been to many conferences, but this is the first time I have been to an industry-only focused conference. Apart from the product placements, the key difference between academic and industry conferences is in the level of detail and the practical application of the knowledge. In academic conferences, there is real in-depth knowledge and discussion, while most presentations at industry conferences seem to be at the glossy level - and stop just as things are getting really interesting. Conversely, the practicality of the issues dealt with at this conference was much more tangible than at academic conferences.

There were some great talks in the past three days - Phil Zimmermann's keynote on VoIP security, Tyler Moore's talk on the economics of security, Francisco Artes' talk on the security of MMO games and a really interesting talk by "The Grugq" on why there are criminal hackers.

What was ultimately annoying, was the short time spans of some of the really interesting technical talks (20 minutes) - hardly much time to discuss complex topics such as internet telescopes, privacy from data correlation across multiple online sources or even seemingly simpler topics such as security of IPv6.

I was also involved in a "pubcast" (which has yet to be released) - seemingly out of the blue. And I won a bottle of French Champagne at a product launch - although lost out on the Russian vodka, personalised golf clubs, the portable hard-drives, blackberries and numerous other lucky draws from vendors.

18 October 2008

Virtual Goods 2008

Or to give its full name, "6th International Workshop for Technical, Economic and Legal Aspects of Business Models for Virtual Goods incorporating the 4th International ODRL Workshop", held in Poznan, Poland. This workshop has had some interesting history; I thoroughly enjoyed it last year, and it brings together a number of different aspects of computer science. As we become more digital, the concept of a virtual good becomes more tangible; and some of the ideas explored in the conference are more realistic than ever!

There were a few really interesting talks and presentations. The host university demonstrated a virtual museum system, which had a wonderful way to interact with 3D virtual objects in a very low-tech solution; and a presentation by the general chair on why the "free" economic theory ultimately will not work was very interesting.

With authors from 6 continents (no one from South America, but a presenter from Tahiti!), there was a small but very diverse group of papers and people. This was a very good workshop, and I hope I can continue to be involved.

25 July 2008

One more paper

A couple of months ago, I submitted a paper to the ACM DRM workshop on the work I did while I was doing my internship at Fraunhofer. And it got accepted ... quite nice actually as it was a very complex paper on privacy and DRM. Also, my first paper that does not feature Andrew (my PhD supervisor) as an author.

Very impressed with myself :)

02 December 2007

Reflections on AXMEDIS 2007

AXMEDIS is a huge EU-funded project, officially called Automated Production of Cross Media Content for Multi-Channel Distribution. This is the third conference hosted by the project, which brings together various efforts from the project itself and papers in the related fields.

To be honest, the conference was not very exciting ... many of the papers that I attended did not really promote anything new, and some were rehashes of existing work. That said, I must admit that I did learn a lot about the MPEG-21 standard, and I am even more convinced that it is an almost useless piece of standardisation.

That said, there was one very interesting presentation, which made it all worthwhile. Richard Owens, a director from WIPO, gave a long presentation on copyright and the challenges of enforcing copyright. It was one of the most comprehensive talks I have ever been to, and he highlighted a number of interesting points, including:

  • Technology should be taken as given. Copyright law needs to be applied to technology and not the other way round.
  • Automatic filtering technology (based on watermarking and fingerprinting) has to be accepted as part of the deal, and groups like the EFF are coming round to accepting this position.
  • Standards could have too many patents and themselves become technological barriers.
  • Access to educational material in developing countries could become a copyright exception.

He also participated in a panel on rights expression languages (where I was also a panelist). The panel however was not that exciting to be honest, although my view that there is a strong need for core formal models for REL was accepted :)