[00:00:00] You’re listening to the Cyber Security Inside. A podcast focused on getting you up to speed on issues in cyber security, with engaging experts and stimulating conversations. To learn more, visit us at intel.com/cyber security inside.
Montage: [00:00:19] What are the components within that supply chain? And can we verify that those are actually the right components. You can get the benefits of AI without having to [00:00:30] share too much of your own personal data? Holy cow, so many places this could go wrong now. Right. And how do I secure all of this?
Tom Garrison: [00:00:41] Hi, I’m Tom Garrison. Thanks for joining me today for Cyber Security Inside. As always I’m here with my co-host and colleague Camille Morhardt. Hi, Camille, how are you doing today?
Camille Morhardt: [00:00:52] Hi, Tom. I’m doing okay.
Tom Garrison: [00:00:54] You know, I have noticed as nothing to do with security by the way, but I’ve noticed that I I’ve hit the point in my life where as I’m watching television, the people that I’m watching television are for the first time I consider them young. Like I’m watching newscasters now and all of a sudden they look like kids. Have you noticed that?
Camille Morhardt: [00:01:15] Yeah. Well, I first noticed that with doctors. I was like, “why are all of the doctors so young? Why is everybody a child?” And then, you know, kind of hit me slowly.
Tom Garrison: [00:01:28] Case is a little scary, [00:01:30] even pro athletes. I always thought pro athletes looked older than me and now I look at them and they just kids there. It’s incredible. But anyway, I guess that’s just the nature of getting older. Um, and you’re obviously much younger than me, but, but still. People are getting much younger relative. So what, uh, let’s try to get this back on track to security. What, what kind of interesting topics do you want to talk about today?
Camille Morhardt: [00:01:55] Well, since you’re, since you brought up, uh, people on TV, I think we should run with that and talk a little bit about media. So the internet kind of changed everything when it came to peer to peer sharing, sharing of information, of course, and then maybe even file sharing. Definitely kind of ended up changing the music industry. Uh, and now we’re streaming movies. Uh, and we’re streaming them directly from the internet. So I’m actually interested in understanding how content producers or content distributors are protecting the content now that it’s coming directly into people’s homes or onto people’s mobile devices over the internet.
Tom Garrison: [00:02:38] Yeah, and, you know, think about it, just the economic sort of tectonic shifts that’s happened here because when you’re talking about movies, they go to great lengths to protect their content. And the whole distribution was set around that because they could tightly tightly control the content when they went to theaters. And then they open up their control just a little bit more, and then they could go to airlines or, or streaming services, or, you know, back in the day cable things like HBO.
But now you have setups where movies are going straight to streaming. So they really have a lot at stake in protecting their content from day one from pirates.
Camille Morhardt: [00:03:27] And it’s not, there’s kind of like an added nuance to it now, I think because I remember like over a decade ago, I bought a CD or DVD in the Zócalo in Mexico City to watch a movie and, you know, looking back, I’m sure that was a pirated movie. I didn’t realize that at the time. But the quality was horrible, but it was the recent movie. It was the new release, but it wasn’t the quality. But now that the quality is able to show up, you know, how do you deal with that?
Tom Garrison: [00:03:59] Yeah, setups where you have consumers that think they’re buying legitimate, you know, content and, and it actually turns out that no, that content was actually pirated in some way. Uh, so there’s, there’s a lot here. Uh, there’s a lot of trends. I think that, uh, make this a really interesting topic. So let’s, let’s go for this.
Camille Morhardt: Cool.
Tom Garrison: [00:04:24] Our guest today is Avi Wachtfogel. He is an Engineering Fellow and Senior Director of Security Strategy at Synamedia. His focus is on defining the foundation for its video security portfolio, working closely with its customers and ecosystem partners in collaboration with Synamedia’s executive leadership and product teams. So welcome to the show Avi.
Avi Wachtfogel: [00:04:46] Thank you, Tom. Good to be here.
Tom Garrison: [00:04:47] And so I thought it would be good. Maybe just to start a little bit with your background and what it is that you focus on at Synamedia.
Avi Wachtfogel: [00:04:54] I’ve been working at Synamedia for almost 30 years now. Our focus as a company is on the video technologies, primarily in the area of securing video for large service providers, broadcasters, customers like DirecTV in the U.S. or cable companies or Sky in the UK. We’ve been working on securing video for, like I said, about 30 years, all the way back, going back to the days of analog video through digital video and today in the world of IP, Over the Top streaming.
Tom Garrison: [00:05:29] Yeah. Well, I wonder, you know, I have some experience back in the day on, uh, some of the really early analog systems, but from a security standpoint, can you just describe how the types of threats have evolved from the early days to what we have today?
Avi Wachtfogel: [00:05:45] Sure. Generally speaking, we, we, the, we differentiated between, uh, content protection and service protection. So, you know, I always tell people, if you want to know what it was like in the eighties or nineties, you go back and you pick up an old, um, Popular Science magazine and go to the classifieds in the back and, and you’ll find there devices that allow you to copy the, uh, VHS videotapes. If you recall there was this system called Macrovision where if you tried to copy two tapes, the copy would come out all warped. And for a couple of bucks, you can buy a device from, you know, a mail order in the back of the Popular Science that would just cancel that out and allow you to make a copy.
So that’s, that’s sort of content protection, right? That’s taking a, an original and copying it. And obviously later you saw people selling ripped DVDs on street corners. That’s sort of the next level of, of content production. And eventually today, uh, you know, it’s, uh, it’ll be things like torrents and peer-to-peer sharing of downloadable copies of VOD content. So that’s that’s content protection.
And then it’s the service protection. That’s kind of, “how do I protect the overall service of a service provider?” So, uh, and again, you know, if you go back to those Popular Science magazines, you would see ways of building your own site, cable decoder box and using that cable decoder box. So even if you weren’t legally connected, but if you just took a cable, connected it to your home, you had the decoder box and that would allow you to watch cable.
And that also evolved–the service protection side also evolved later–with digital television. Obviously with satellite, it’s a much more difficult problem because satellite by its nature is a, is a broadcast medium and anybody can put up a satellite dish and pick up the signal. There isn’t even a cable that you can control and that.
And then service protection largely today in the 90s and 2000s is an issue that’s kind of been solved at that level with hardware and software technologies that protect the content.
Tom Garrison: [00:07:43] And so with the, uh, leading edge solutions today, where are the security concerns?
Avi Wachtfogel: [00:07:50] Yeah. I mean today with content being distributed over, over the top, it’s become a problem for providers because just like they can fairly easily start a Over the Top service, right. Because the technologies are out there that make it easy to start a service pirates can do the same. And it’s just a matter of, for them of having access to the content.
So if you have any device that outputs content, that can be a set-top box, that can be a PC and that content is being output, it can be captured whether through the HDMI port. Or using the screen grabbing software, or even, you know, an extreme case of just taking a camera and having it opposite the monitor. You can capture that content. And once you can capture that content, you can re-stream it.
And you know, we’ll see cases of pirates that have racks–they literally have a broadcast environment. They’ll have racks and racks of set-top boxes. And, uh, those set-top boxes will be connected to say to a satellite signal or to a over the top, uh, you know, IP signal and the outputs then just feed into encoders that are re-encoding, the content for redistribution. And then you, you end up with a sort of a pirate service where you can log in and you can watch hundreds of channels.
Camille Morhardt: [00:11:08] Could you actually just describe, you’ve mentioned Over the Top media a few times. Can you actually just describe what that is?
Avi Wachtfogel: [00:11:16] Yeah. So over the top media, generally speaking, it’s really television right over the open internet. So Over the Top refers over the top of open internet. So I have, uh, an internet connection, you know, that I got from my phone company or from my cable company or wherever, but Over the Top of that infrastructure, I’m signing up and consuming content. And that content could be from, you know, a provider like a Hulu or HBO Max or Netflix, or that content could be a YouTube or, or it can be pirated content.
Tom Garrison: [00:09:13] Yeah. So actually what’s your, the way I’m envisioning this is once you’ve cracked the content, then it’s up to you to decide, and you effectively become sort of the owner of the content. So you can start your own streaming service. You can charge subscriptions if you want, you can do whatever, whatever. The real key is, how do you get access to the content itself?
Avi Wachtfogel: [00:09:36] That’s right. I mean, in the past, uh, you know, that, that was pretty well secured, but today, uh, because they can set up their own streaming services, you know, there’s a big difference between the threat again, of, you know, somebody selling DVDs on the street corner and somebody being able to take that and just have access to the internet, upload it either to a server, then, then they re-stream it from the server or just uploading it for somebody else to download it as a Torrent. It’s just become that much easier for pirates to set up their own, their own services.
We’ll also see things like one pirate will take a stream, a live stream, say of a sports event, and then they will sell that on to other pirates. So you have a whole distribution chain and then those pirates will sell it on directly to consumers. And, uh, there’ll be resellers who are, you know, taking that content and selling it further and further along. You know, it’s, there’s a lot of confusion very often among customers actually, as to what they’re actually getting, whether it’s legal or not. A lot of these services, they call them IPTV services. We’ve seen in some countries, there will actually be a salesman going door to door. They’ll knock on the door and they’ll say, you know, “for $10 a month, would you like access to these 200 channels? And, you know, we’ll set it up for you.” They’ll come in, they’ll take a box of some sort and go plug it into your TV and they’ll set you up and set up the billing.
Some of these guys who got, you know, 24/7 support to pick up the phone and you, and you have support and they look really legitimate. And then very often the, the customers themselves can’t tell whether they’re signing up for legitimate service or not.
Camille Morhardt: [00:12:09] Avi, have you seen the recent movie Wonder Woman or WW 84?
Avi Wachtfogel: [00:12:16] No, I actually, I actually can’t legally watch that because I’m in Israel. And I know that it’s out on HBO Max, uh, in, in the States. I would like to watch it. And it stars Gal Gadot, who’s an Israeli. But, I’m here in Israel and I can’t legally watch it because of the way the licensing agreements work. Uh, there’s actually a very interesting question because what we’re finding is that very often these kinds of arrangements actually drive consumers to use pirate services because I probably could fairly easily find it if I was willing to look for it on, you know, pirate streaming sites like BitTorrent and places like that. And we’re actually seeing that kind of tendency. People are, are, are looking for content. There’s actually a rise in the, in the amount of content that’s being viewed over Torrents these days because of these kinds of limitations.
Another threat we’re seeing today is certainly the issue of credential fraud. As you know, there are billions of passwords that are leaked every year onto the internet. We’ve seen various breaches of, of the passwords of different companies. And it doesn’t make a difference if the password that’s been leaked–the credentials that have been leaked–are for your video provider. In many cases, those credentials people obviously reuse credentials. They reuse usernames. They reuse passwords. And there are repositories online with billions of combinations of username passwords. And, uh, what hackers will do is they’ll actually buy these so-called “repos,” these repositories of username, password combinations.
They’ll buy them on the dark web and then they have tools. They’re actually very advanced tools that take these and just try these combinations of username passwords across a lot of different websites, including websites of video providers. You can go on the dark web, you can buy a set of credentials for, you know, a variety of streaming services and, uh, pay a lot less for those than you would if you were subscribing, uh, illegally. And that’s an, also a major problem for the service providers today, there’s a lot of money that they’re losing to, to those kinds of attacks.
Tom Garrison: [00:14:31] Yeah, that’s really interesting. So Avi we’ve, we’ve talked now about the evolution of attacks and the either credential threats or, or the fact that pirates will stand up their own services. How is it that from a technology perspective, we can keep the content encrypted and, and so therefore make it much more difficult for the, the pirates to be able to take the content and, and, you know, stand up their services?
Avi Wachtfogel: [00:15:02] Yeah. Encryption of, of content is, uh, is a very difficult problem because, uh, as opposed to say, you know, your banking information, or, you know, other personal information that you may have on your device–which has information that you want to keep confidential, right? So you have a device and really what your only, only thing you are trying to do is prevent it from being accessed by an external attacker.
In the case of video, it’s a much more difficult problem because you’re trying to protect the content on the device from the person who’s holding the device, right? The pirate actually has a legitimate device with the content on it. And obviously you want a legitimate user to be able to view the content. There are different ways of capturing that content and then re-encoding. Today, just encrypting the content is really not enough.
You know, I mentioned earlier, the difference between content protection and service protection. Today, once the content is out there, the lines are kind of blurred between content protection and service protection. And then you really have to get into the later phases of what we call in the industry. We have Protect, which is the first phase. And you have to recognize that very often, you’re not going to be able to do that. And then you get into Detect. How do I find that content out on the internet, where it’s being distributed and determine who’s distributing it and how they’re distributing it and so on? That’s the sort of the Detect phase. And then the last phase is the Disrupt phase. And in the, the Disrupt phase, you know, I’m either going to disable the accounts that are being used for streaming or take legal action against the parties, the people who are doing the streaming. So it’s to Protect, Detect and Disrupt.
Camille Morhardt: [00:17:02] What about the, um, resolve part of that? So I’m just wondering if you think some of these business models are going to change? I I’ve got, you know, I started off with like one or two streaming services to watch video content at home. And now I’m up to like six or seven because something comes out and I want to see it. And then I can’t see it on the services that I already have. And, um, you were previously describing, I guess, black market business model where people are subscribing–maybe even unknowingly–to services that are curating all of these different portfolios and then your content, and then distributing them out to people in a single service.
So is that putting any pressure on the industry itself to change business models or evolve models?
Avi Wachtfogel: [00:17:52] Yeah. I, I mean, I personally, I definitely view that as, as the next big challenge for the industry, because right now, you know, the different, uh, services, whether it’s, you know, Disney+, HBO Max, Netflix. I mean, you know, these are, these new services are appearing, you know, every other day. And, you know, we all talk about the “streaming wars,” but at some point they’re going to have to recognize that they need to sort of get together and solve what is really going to be a piracy problem because people are going, you know, looking for the content. People aren’t going to sign up for ten different services. And if they don’t happen to be subscribed to the particular service where there’s content that they want, they’re going to go look for it on torrents. And so they’re going to have to find some way to, to, to work together after this fragmentation happens to sort of re-aggregate the content.
I mean, there are a lot of different players that could be doing that. It could be some of the classic, uh, you know, something as soon as example in the UK, uh, Sky Television, for example, you can watch your Amazon Prime content. You can watch Disney+ you can watch Netflix, you can watch them through your Sky service. So there’s kind of a re-aggregation that’s happening after, after all of this, uh, fragmentation.
Camille Morhardt: [00:19:11] This is a little bit maybe of a non-sequitur, but one of the other things that’s coming up a lot is this kind of new introduction of generative AI or the ability for machines to create content that appears to be original known as “deep fake.”
Um, and I’m just wondering, is that, is there a new added element that we’re incorporating into cyber security around actually verifying or testing that what you’re seeing is who you’re seeing and who you’re seeing it from? Is that something that’s needing to be incorporated now?
Avi Wachtfogel: [00:19:47] Sure. When we talk about the dangers of AI and in the future, but that’s really, I think a danger that’s already here. You know, it wasn’t video, but we’ve already seen, for example, last year there was a report in the Wall Street Journal of an attack using audio deep fake where an attacker called a company and was able to use a deep fake to impersonate the voice of the CEO of the company, uh, and asked the financial department to transfer a large sum of money, you know, close to a quarter of million dollars to a fictitious supplier. And they got away with it.
Uh, there was a case in, um, in Gabon, where the president hadn’t been seen for a very long time. And then this video came out of him speaking and, you know, is the president alive, not alive? In that case, it probably was not a deep fake, but just the very fact that people are aware that deep fakes are possible, created all this uncertainty about, “Is what I’m seeing real or not?” We’re working with, uh, players in the, in the news industry to find ways to ensure that the integrity of video content. And make sure that, uh, you know, there’s, they’re not being fooled by deep fakes.
Tom Garrison: [00:21:08] So Avi I wonder if, if we’ve got people listening to this podcast and you know, some of them are just interested in the nature of video and video security and then others actually have content that they’re probably worried about and saying, “well, how do I keep that IP safe?” Do you have words of advice to the audience about what can, and should they be doing with their video content?
Avi Wachtfogel: [00:21:34] Well, from a legal perspective, if you have video content and you’re worried about it being distributed, say on YouTube or Facebook and places like that. They’re very good about taking down content if the content owner approaches them because they’re actually required to under the DMCA, the Digital Millennium Copyright Act. They’re each required to have an agent who can, in the case of a copyright complaint will receive that copyright complaint and, uh, take down that content. Uh, in addition, that also applies to things like search engines. So if your content is being linked to, uh, illegally on Google and you can approach Google and ask them to take down that link, uh, under the DMCA and they’re required to take down that link.
here are there sites there where the content isn’t necessarily as well known, they’re having an action stuff. These pirate opportunity providers being taken down and identifying them as a whole. It’s a horrible, it’s a whole process, right? So sometimes studios will use, or service providers will use, watermarking. They’ll insert a watermarking identifier within the content so that they know who, you know, which account is being used to, uh, to steal the content.
And other times it’s things like, you know, human intelligence, what we call OSINT, you know, online research, uh, and, uh, investigation, gathering the data, building a case. We work very closely with law enforcement. We actually have agents in the field who go and they find these pirates and they learn about them and they actually, you know, will build a case for a studio, but it is a much more difficult process than it is for say a Facebook or YouTube where over there it’s, it’s, it’s fairly automated.
Camille Morhardt: [00:23:57] How do you think that, uh, security practices are going to evolve? And what does the industry need to do now to evolve with those specifically in the, uh, media content space?
Avi Wachtfogel: [00:24:13] The challenge today is really that, as we described, this is becoming easier and easier for pirates to pirate content. And the challenge will be for the industry then to counter that. I see several different things that the, that the industry needs to do. I mean, the first is technological means, right? So things like I was saying before, like watermarking and, you know, tracking of pirate services over the internet. Mapping out which servers are being used going after those servers, going after the people who are operating those servers. So that that’s the first sort of technological. Um, they’re also, you know, legal things that they can do, whether it’s a Take Down notices and so on and, and, you know, working with a lot of these sort of infrastructure providers. So they do it today with Google, but they should be doing it with CDNs and others.
Another is just really getting the industry together to find ways of making legal content more convenient for the users than illegal content. And I think the music industry eventually got there. Today, you know, if you sign up for Spotify or Apple Music or Amazon, you’re paying a one, one monthly fee, you’re not asking yourself, you don’t care what the label is behind the music. You’re just, you’ve got access to all the music you could want. And when the video industry reaches a point where they make it easier to access content legally than it is to access it illegally, they will have largely solved a lot of the problems that they’re seeing today.
Tom Garrison: [00:26:00] We do have a one segment that we like to do around an interesting fact that you’ve learned, or maybe something that you think our listeners would find very interesting. And so here’s your chance to enlighten our listeners with something that you find very interesting. So what do you have for us?
Avi Wachtfogel: [00:26:17] Something that I, that I saw recently, a if you’ve ever been to India, um, and you know, we have offices in India so I’ve been there quite often. And I think I remember the first time I landed at the airport in Bangalore and I stepped outside, the first thing that hit me was like the cacophony of horns honking of, you know, just the, the, it’s just the cultural thing. And when in India, when people are driving, they’re just constantly, constantly, uh, honking their horns.
And my son showed me a video the other day of, um, the police on YouTube and the police in Mumbai have actually set up decibel meters on some of the traffic lights. And what they do is if the, uh, the other, because the other thing you’ve, you may have noticed if you’ve been to India is a lot of the traffic lights have these sort of these countdown timers that show you when the light is going to turn green. So what they’ve done is they’ve connected these decibel meters. And if the sound of the honking cars is above 85 decibels in a particular direction, they’ll reset the countdown essentially punishing the drivers who are waiting to go through the light. Um, and it gives quite an incentive to the, to the drivers to stop honking and they’re apparently experimenting with this, uh, throughout Mumbai, to try to combat the sound pollution leg problems they have there from all the honking cars.
Tom Garrison: [00:27:38] (laughs) That is, yeah, for anybody who’s been to Mumbai or actually really any city, any major city in India that honking is incredible. And traffic just flows like water there. The lines on the road–if they even exist at all–are completely ignored. You know, completely ignored. But, uh, you know, that’s interesting, the idea of punishing drivers for honking. It’ll be interesting to see if that even works.
Avi Wachtfogel: Yeah.
Tom Garrison: So Camille.
Camille Morhardt: [00:28:16] I heard from somebody who works in Automated Driving that actually the, the way that humans navigate around intersections in places like major cities in India– ignoring the lines and the signals, and actually just kind of monitoring each other and making their way across the intersection, including humans, walking on foot bikes, mopeds motorcycles and cars and buses, and actually animals as well–is much more like how we will see the future of automated driving.
When everything’s automated, we won’t come to a site stop. Right? Our car will, um, you know, navigate off of surrounding cars and take into account humans and everything. We’ll just kind of slow down around. What’s likely to still remain are the major intersections for quite some time, until we can rebuild the entire infrastructure. Until then we have to use new technology on old infrastructure. So we’ll see the way of the future of driving will be like some of these major cities around the world that don’t use traffic lights, the same way that we do in the U.S.
Tom Garrison: [00:29:27] So what I’m hearing is when we all jump into our automated cars for the first few times, we’re just going to close our eyes when we come to intersections, because (laughs)
Camille Morhardt: [00:29:34] It might not be honking. You might not need earplugs, but your eyes. Yeah.
Tom Garrison: [00:29:39] So mine is, uh, I guess also in the theme of travel, although I was coming at it from a different perspective. So I’m starting to think, well, when I finally get the vaccine and when things start getting, it started open up, where do I want to go? And so I was doing a little bit of research and I came across this little fun fact that says, which country actually receives the most tourists of any country in the world. And so before I give you the answer, you guys have any guesses?
Camille Morhardt: Bhutan.
Tom Garrison: Where? I didn’t hear what you said.
Camille Morhardt: [00:30:14] (laughs) I guess that wasn’t what it was. I think Bhutan has done a fantastic job marketing itself.
Tom Garrison: [00:30:19] Yeah. It’s not Bhutan. Avi you have a guess?
Avi Wachtfogel: [00:30:20] Oh, I would guess either the United States or France.
Tom Garrison: [00:30:26] The correct answer is France. Well done! Yes. So France actually receives 80, or this was the data point was back in 2017, so who knows what it is today, but, um, yeah, they welcomed, uh, 87 million people. Spain, by the way, was number two. And the United States was number three it’s 77 million people.
So anyway, well, Avi, we’re going to draw this to a close here. Thank you so much for spending the time with us at the topic was fantastic and learning a little bit more about video security and, uh, and all the things we can do to keep ourselves safe. So thank you.
Avi Wachtfogel: [00:31:14] Thank you, Tom. Camille. It’s been a pleasure.
[00:31:26] Stay tuned for the next episode of Cyber Security Inside. Follow at @TomMGarrison and Camille @Morhardt on Twitter to continue the conversation.