[ISN] Have iPod, Will Secretly Bootleg

From: InfoSec News (isnat_private)
Date: Fri Mar 01 2002 - 02:28:06 PST

    Forwarded from: William Knowles <wkat_private>

    [Just as Furbys were banned from the NSA, and security managers are
    wondering how to treat palmtops from wandering off with a few MBs of
    sensitive data, now Apple iPods will be the next security threat to
    be writing policy on and banning from the office.  - WK]

    By Leander Kahney
    2:00 a.m. Feb. 28, 2002 PST

    When Apple introduced the iPod, the company was aware that people
    might use it to rip off music from the Net or friends' machines. Each
    new iPod, in fact, is emblazoned with a sticker that warns, "Don't
    Steal Music."

    But it is unlikely that Apple imagined people would walk into computer
    stores, plug their iPod into display computers and use it to copy
    software off the hard drives.

    This is exactly the scenario recently witnessed by Kevin Webb at a
    Dallas CompUSA store.

    Webb, a computer consultant from Dallas, was browsing his local
    CompUSA when he saw a young man walk toward him listening to an iPod.
    Webb recognized the iPod's distinctive ear buds.

    The teenager stopped at a nearby display Macintosh, pulled the iPod
    from his pocket and plugged it into the machine with a FireWire cable.
    Intrigued, Webb peeped over the kid's shoulder to see him copying
    Microsoft's new Office for OS X suite, which retails for $500.

    When the iPod is plugged into a Macintosh, its icon automatically pops
    up on the desktop. To copy software, all the kid had to do was drag
    and drop files onto the iPod's icon. Office for MacOS X is about 200
    MB; it copies to the iPod's hard drive in less than a minute.

    "Watching him, it dawned on me that this was something that was very
    easy to do," Webb said. "In the Mac world it's pretty easy to plug in
    and copy things. It's a lot easier than stealing the box."

    Webb watched the teenager copy a couple of other applications. He left
    the kid to find a CompUSA employee. "I went over and told a CompUSA
    guy, but he looked at me like I was clueless," Webb said.

    Unsure whether the kid was a thief or an out-of-uniform employee, Webb
    watched as he left the store. "I thought there's no point in getting
    any more involved in this imbroglio," Webb said. "Besides, this is
    Texas. You never know what he might have been carrying."

    CompUSA representatives didn't respond to requests for comment.
    Neither did Apple officials.

    The iPod is perfect for virtual shoplifting. It is designed as a
    digital music player, but its roomy 5-GB hard drive can be used as
    portable storage for all kinds of files, even the Macintosh operating
    system. In fact, it can operate as an external drive, booting up a
    machine and running applications.

    The iPod's FireWire interface -- one of its most important but
    undersold features -- allows huge files to be copied in seconds. The
    iPod doesn't even have to leave the user's pocket.

    And while the iPod has a built-in anti-piracy mechanism that prevents
    music files from being copied from one computer to another, it has no
    such protections for software.

    Ironically, Microsoft has pioneered an easy-to-use installation scheme
    on the Mac that makes its Mac software relatively easy to pilfer. The
    company is known for its sometimes heavy-handed, anti-piracy
    mechanisms in such products as Windows XP.

    When installing Office, users simply drag and drop the Office folder
    to their hard drive. Everything is included, including a self-repair
    mechanism that replaces critical files in the system folder.

    By contrast, a lot of software on the Windows platform relies on a
    bunch of system files that are only installed during an installation
    process. Simply copying an application from one machine to another
    will not work.

    Plus, getting a copy of the software application is only half the
    battle: most software won't work without a registration number. Usable
    serial numbers, however, are readily available on Usenet, IRC, Hotline
    and applications like Hacks and Cracks.

    "This is the first we have heard of this form of piracy," said Erik
    Ryan, a Microsoft product manager. "And while this is a possibility,
    people should be reminded that this is considered theft."

    While the iPod may be ideal for a software-stealing spree, there are a
    number of other devices on the market that could also be used by
    virtual shoplifters. As well as any external FireWire drive, there are
    now a number of tiny key-chain drives that plug into computers' USB
    ports, like M-Systems' DiskOnKey and Trek2000's ThumbDrive.

    Most key-chain drives work with both Macs and PCs. Some are available
    with up to one gigabyte of storage space. However, USB ports are a lot
    slower than FireWire, requiring the virtual shoplifter to hang around
    while the ill-gotten gains are transferring.

    CompUSA and other computer stores could take a few simple steps to
    prevent software from being copied, said Mac expert Dave Horrigan, who
    writes a syndicated Macintosh column.

    Any Mac can easily be configured to allow changes only by
    administrators, he said. Also, a system profile tool logs all
    peripheral equipment, but it must be running to log an iPod. For Macs
    running OS X, a locked dummy file in an application's package will
    protect the entire file from being copied without a password.

    But Horrigan didn't think the iPod presents a serious piracy threat to
    Microsoft, and doubted the company would take special measures to
    prevent in-store copying.

    "If Microsoft puts in protection it almost always screws up and causes
    problems for them or their legit users," he said.

    Dennis Lloyd, publisher of iPod fan site iPodlounge, also said this is
    the first time he'd heard of an iPod put to such use.

    "I can see how easy it would be to do," he said. "It's a shame someone
    has stooped this low to bring bad press to the insanely great iPod."

    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen. Alfred M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org

    ISN is currently hosted by Attrition.org