Windevnet Security
http://www.windevnet.com
November 4, 2003

Counterfeit Software, Digital Rights Management, and Security
by Jason Coombs

Copy protection always fails for one simple technical reason: Anything that exists can be copied. Even if it only exists in the memories of its original creators or past users, if it was created once it can be created again. Anything that can be engineered can be reverse engineered -- even if reverse engineering safeguards are built into the design, such as parts that self-destruct when exposed to light or air in order to prevent disassembly in the field.

Software that self-destructs, self-deactivates, self-uninstalls, or calls home over the Internet to complain of a possible license violation is a recurring theme in the battle to control unauthorized use or copying of commercial software products. Security schemes for digital media, such as DVD encryption, have similar themes.

Copying protected intellectual property is considered illegal pirating when it is not allowed as "fair use" (e.g., under copyright law); it is a statutory infringement of another's rights when unauthorized benefits are derived from the copying (e.g., under trademark law), or counterfeiting when the quality and packaging of the copy are convincing enough to be publicly marketable as authentic. With so many misuses of intellectual property able to stem from the simple act of copying, digital expressions of such property are perceived as security "problems" for many companies that depend on copy controls and license restrictions for profits.

Digital Rights Management (DRM) is supposed to solve these security problems, rein in widespread piracy and counterfeiting, and give artists and other creative geniuses whom society should reward generously with privileged, wealthy lifestyles the opportunity to hold out their hands expecting payment each time somebody views, hears, or uses one of their protected creations.
While it has always appeared socially absurd for concentrations of wealth and power to occur around certain icons, we've recently entered an era where many people expect technology to help concentrate such wealth and power rather than destabilize and decentralize it, and this expectation is a new technical absurdity. Technical capabilities that have always existed, such as the ability to rip, mix, burn, and share copies of entertainment media for entertainment purposes or counterfeiting, are now capabilities of the prevailing marketplace.

Anyone who sets out to engineer any sort of digital copy protection is attempting the impossible because to succeed, they must devise a method and apparatus that is able to prevent even a single copy from being made. As soon as one copy finds its way outside the confines of the copy protection system, infinite identical copies become possible. Additionally, a single near-perfect copy is often good enough, since infinite identical copies can then be made of it, and this poses an intractable problem for the recording and motion picture industries whose digital products must exit any copy protection device in analog form, as light and sound waves, in order to be enjoyed by paying consumers. If eyeballs or eardrums can intercept the analog media, then so can recording devices.

Importantly, if people created the original work, and those people are allowed to live, then there is a real possibility that they will subsequently violate the terms of agreements not to recreate or copy the work or claim residual rights to the work as individuals. The motion picture industry is having serious problems with pirates using concealed video cameras to capture the analog output of movie showings in order to distribute digital copies that are good enough to entertain and can be shared at very low cost on the Internet.

Many companies approach this subject from a damage control and containment viewpoint.
For example, Microsoft uses a web crawler known as the Internet Scanning Tool that trolls web sites or auction postings looking for commercial offers of Microsoft software. Microsoft then finances the purchase of a sample of these products for theft detection and authenticity verification purposes. Other countermeasures are being used at the point of unauthorized copying, such as night vision goggles that help spot video cameras in use by members of a movie audience, a practice that raises real privacy concerns and compels us to question, or at least acknowledge, the inherently invasive character of commerce.

While it may be reasonable for the motion picture industry to monitor the behavior of a movie audience when the audience travels to a semipublic venue to view a movie, it will never be reasonable, nor will it be technically possible, to monitor everyone, everywhere, at all times. We should not want this, but we've been so busy lately making commerce more automatic that we've been discounting (or ignoring) its potential risk.

There is some reason to be concerned that initiatives such as Radio Frequency ID (RFID) tags for inventory control automation, Microsoft's Palladium (now known as Next Generation Secure Computing Base), Intel's processor ID feature, and every DRM solution that is ever devised may take us closer to a future in which it will seem reasonable to us that automated monitoring of every consumer should occur and is a reasonable, unobtrusive thing.

As a society we've already decided that bits have value, are property, represent evidence of criminal behavior, bind us to each other under contract, and in many other ways shape or impact our lives.
That bits can be copied endlessly at near-zero cost or effort, forged anonymously with perfection, intercepted with ease by unauthorized parties, and data warehoused and data mined in perpetuity for some reason doesn't cause us to question the wisdom of attributing to these bits the qualities of wealth, power, property, and market value.

The security benefits of attaching RFID tags to all items of luggage checked by authorized airline passengers may outweigh the risk, or the cost, of leaving residual radio frequency trails of our subsequent travels. A court order authorizing the use of a tracking device on a suspect's luggage may not be required if law enforcement officers don't have to do anything special to arrange for installation of the tracking device. The suspect's luggage simply goes in with all ports closed, unable to respond even to a ping request, and comes out with the equivalent of an open port with a microchip designed to receive and respond to incoming requests. If we capture radio signals and radiate responses without our knowledge or consent, it is difficult to imagine anyone arguing that we have not been compromised materially.

Assurances that nothing bad will ever happen to us as a result of having RFID tags attached to our belongings and our persons sound hollow and are not very reassuring. Yet, the potential benefits for counterfeit prevention, DRM, and streamlined security (think automated employee identification at facility perimeters, or digital signature verification of every item in a crate full of software received by a retailer) may be substantial and compelling.

Microsoft has a team of attorneys who assist in criminal prosecutions of counterfeiting or product theft cases and who manage nationwide civil litigation against people who have been found to pass counterfeit merchandise.
Microsoft is presently winning hundreds of thousands of dollars per violator in statutory infringement penalties against companies and individuals found to have passed counterfeit product by mistake. The key to winning these civil and criminal cases is showing that the software is in fact counterfeit. For this, Microsoft has a special business unit called the Product Identification Group.

Compact Discs are manufactured with International Federation of the Phonographic Industry (IFPI) numbers that allow software vendors to determine whether or not the CD-ROM is counterfeit. If not counterfeit, the IFPI number indicates the point of manufacture and the intended distribution channel so that vendors can identify friends who are conspiring with foes to steal finished product or counterfeit. A counterfeiter who can fool Microsoft's Product Identification Group into accepting the product as authentic may be able to avoid detection and prosecution. Anyone who deals with Microsoft software product is obligated to educate themselves about the steps to identify counterfeit software. Click the "How to Tell" link at http://www.microsoft.com/piracy/.

Product activation steps like Microsoft Product Activation (MPA) now provide a valuable anticounterfeiting feedback channel that, when combined with law enforcement or civil court action, enables Microsoft to identify compromised distribution channels. Over time, Microsoft is thus able to identify people who are untrustworthy by keeping track of data collected through the courts, cross-referencing and comparing this data to product activation, IFPI lists, and the identities of authorized resellers, distributors, manufacturing partners, and software duplication houses.

Recently there has been a flurry of anticounterfeiting activity in the software industry, and some large arrests have been made by law enforcement involving millions of dollars' worth of counterfeit and stolen software products.
Some of these cases are beginning to end up in my lap, as the defendants prepare for trial or try to understand how prosecutors came up with million dollar price tags for copies of obsolete or nonfunctioning product discs. I have learned while working on these cases that secrets are being kept that allow counterfeit detection even when IFPI numbers and other known anticounterfeiting measures are fooled. I have also learned that vendors are keeping lists of known bad people, and they use these lists to help decide whom to sue or file criminal complaints against.

Anticounterfeiting and DRM can be complementary solutions to the "problems" of copying. Where DRM attempts to control the use of bits in a device, anticounterfeiting measures ensure that customers who pay to install bits into a device are paying for authentic merchandise and, thus, transmitting wealth signals back to the producer through an authorized distribution channel. Software vendors, in particular, could benefit from this blending of technologies.

Will future versions of Windows (e.g., Longhorn) incorporate runtime anti-counterfeiting measures that help to prevent the installation of any software or data that doesn't bear some form of electronic authenticity mark? It's not hard to imagine that Longhorn may not be made available in an "upgrade" edition, being restricted instead to installation only on a Next Generation Secure Computing Base-compatible box. Perhaps PCs will begin to ship with the ability to blast RFID signals out at the physical media on which software and data are stored, listening for the required RFID response.

Such "security" countermeasures may help to keep honest people honest, in a commercial sense, but they will never stop piracy. We should all be aware that these countermeasures may in fact stop counterfeiting. This is likely to be the political and legal leverage used to justify widespread adoption of the enabling DRM technology.
Piracy may hurt businesses due to lost sales opportunities, but counterfeiting results in actual sales that enrich a criminal rather than a company. Recapturing that missed and diverted sales revenue is a high priority because the money from diverted sales can be proved in court and possibly reclaimed.

People who advocate the widespread deployment of DRM technology and government support of it through law enforcement and civil court procedures make us feel like we only exist to be consumers and as such are subordinate to producers simply because we are below them in the economic food chain. Though this is arguably true, or at least we allow it to be true much of the time, when we're told the truth about how certain companies view us, we stop doing business with them and they disappear into bankruptcy with surprising speed. The company that succeeds in convincing us that the right of a producer to innovate and make profit through the ownership of intellectual property together take priority over certain human rights belonging to consumers will become a powerful and wealthy company indeed.

When a company begins to abuse its power and economic status to the detriment of society, abuse legal procedures, exploit technical ignorance of elected officials, judges, and juries, and attempt to desensitize us to harmful things in order to advance business tactics, we should all begin to ask ourselves one thing: What can I do to stop this company, today?

---------------------------------------------------------------------

Jason Coombs works as a forensic analyst and expert witness in court cases involving digital evidence. Information security and network programming are his areas of special expertise. He can be reached at jasonc@private.

Read previous newsletters online at http://www.windevnet.com/newsletters/.