[ISN] Microsoft sues over source code theft

From: InfoSec News (alerts@private)
Date: Tue Sep 26 2006 - 23:15:39 PDT


http://news.com.com/Microsoft+sues+over+source+code+theft/2100-1025_3-6119892.html

By John Borland
Special to CNET News.com
September 26, 2006

Microsoft has filed a federal lawsuit against an alleged hacker who 
broke through its copy protection technology, charging that the mystery 
developer somehow gained access to its copyrighted source code.

For more than a month, the Redmond, Wash., company has been combating a 
program released online called FairUse4WM, which successfully stripped 
anticopying guards from songs downloaded through subscription media 
services such as Napster or Yahoo Music.

Microsoft has released two successive patches aimed at disabling the 
tool. The first worked--but the hacker, known only by the pseudonym 
"Viodentia," quickly found a way around the update, the company alleges. 
Now the company says this was because the hacker had apparently gained 
access to copyrighted source code unavailable to previous generations of 
would-be crackers.

"Our own intellectual property was stolen from us and used to create 
this tool," said Bonnie MacNaughton, a senior attorney in Microsoft's 
legal and corporate affairs division. "They obviously had a leg up on 
any of the other hackers that might be creating circumvention tools from 
scratch."

This latest round of copy-protection headaches comes at a delicate time 
for Microsoft. In a few months, the company plans to launch its own 
digital music subscription service, called "Zune," paired with an iPod 
device rival of the same name. The package will compete with services 
from Microsoft's traditional partners, such as Napster and Yahoo.

The Zune service and device will use their own flavor of digital rights 
management, and this will not be directly compatible with Microsoft's 
partners' products, despite being based on the same Windows Media 
technology. The company is taking great pains to assure its partners 
that their PlaysForSure-branded products are still state of the art.


Two-pronged approach

At the moment, Microsoft is taking a two-pronged technical and legal 
approach to FairUse4WM that goes beyond the scope of its earlier DRM 
battles.

On the technical side, it is pursuing much the same strategy as in the 
past: studying the hacker's tool and trying to update its Windows Media 
technology to block it.

Indeed, the company's Windows Media copy protection technology was 
designed from the start to support swift updates that would address 
inevitable cracks. That has long been part of the technology's draw for 
record labels and movie studios, which are fearful that content 
protection flaws will lead to films and music being swapped freely 
online.

Microsoft's copy protection has been cracked before and then quickly 
fixed. Company representatives said that the FairUse4WM tool, despite 
its developer's success in breaking through the company's first patch, 
is simply triggering the same kind of security review that has happened 
in the past.

"This particular circumvention doesn't change that reality at all, or 
affect the underpinnings of the system," said Marcus Matthias, a senior 
product manager at Microsoft. "This is not quite as 'cat and mouse' as 
some people might have you believe."

The crack's unusual longevity has caused ripples of worry inside the 
digital media community, however. One service provider, the British 
network BSkyB, even temporarily canceled movie downloads.

Representatives from other services say Microsoft's previous 
rights-management security updates have been successful and expect this 
effort ultimately to be no different.

"One of the great features of the Windows Media DRM is its 
renewability," said Bill Pence, chief technical officer at Napster.  
"When the DRM system is compromised, we can incorporate updates with 
minimal impact on users, and we expect to do the same with the current 
patch."


Using courts to track a cracker

However, the federal "John Doe" lawsuit, along with "dozens" of legal 
letters sent to Internet sites that are hosting the allegedly 
copyright-infringing tool, is a decidedly different tack for Microsoft.

The copyright lawsuit was filed in Seattle federal court last Friday, 
without a name attached. Just as in the recording industry's many 
lawsuits against accused file swappers, it targets an unknown individual 
or individuals, whose true identity will be sought in the course of the 
case.

For now, that means going to the Internet service providers for Web 
sites where the original FairUse4WM tool was released, in hopes of 
tracking down an IP address or other digital traces that might lead to 
the developer, MacNaughton said.

Microsoft is also contacting other Web sites that have posted the 
FairUse4WM tool, asking them to remove the software, on the grounds that 
it contains copyrighted company code.

Company representatives declined to speculate on exactly how "Viodentia" 
gained access to copyrighted source code. The code in question is part 
of a Windows Media software development kit, but is not easily 
accessible to anyone with a copy of that toolkit, Microsoft said.

So far, little is known about the developer, who has used the pseudonym 
"Viodentia" in several online postings at a site called Doom9.org. 
"Viodentia" could not immediately be reached for comment.

After spending an unaccustomed month of grappling with the problem, 
Microsoft representatives stopped short of promising their latest 
Windows Media update will be impregnable--although certainly, the hope 
is that a third patch won't be needed.

"Any time we put out an update, it is our hope that it will be as 
efficacious as possible," Matthias said. "It is our hope that the 
technical mitigations that we've put in place will do something to 
impede this circumvention."

Analysts say that "Viodentia" hasn't proved that Microsoft's DRM tools 
are fundamentally flawed, but has shown that the business of keeping it, 
or any rights management system, secure is increasingly becoming a 
full-time job.

"Any DRM out there is going to be cracked," GartnerG2 analyst Michael 
McGuire said. "More important is how the technology service reacts.  
Someone has to be keeping an eye online all the time now, looking for 
the next time."


_________________________________
Visit the InfoSec News store!
http://www.shopinfosecnews.org 



This archive was generated by hypermail 2.1.3 : Tue Sep 26 2006 - 23:25:34 PDT