Information Security News mailing list archives

Counterfeit Software, Digital Rights Management, and Security


From: InfoSec News <isn () c4i org>
Date: Wed, 5 Nov 2003 03:15:44 -0600 (CST)

Windevnet Security
http://www.windevnet.com
November 4, 2003

Counterfeit Software, Digital Rights Management, and Security
by Jason Coombs

Copy protection always fails for one simple technical reason: Anything
that exists can be copied. Even if it only exists in the memories of
its original creators or past users, if it was created once it can be
created again. Anything that can be engineered can be reverse
engineered -- even if reverse engineering safeguards are built into
the design, such as parts that self-destruct when exposed to light or
air in order to prevent disassembly in the field. Software that
self-destructs, self-deactivates, self-uninstalls, or calls home over
the Internet to complain of a possible license violation is a recurring
theme in the battle to control unauthorized use or copying of
commercial software products. Security schemes for digital media, such
as DVD encryption, have similar themes.

Copying protected intellectual property is considered illegal pirating
when it is not allowed as "fair use" (e.g., under copyright law), a
statutory infringement of another's rights when unauthorized
benefits are derived from the copying (e.g., under trademark law), or
counterfeiting when the quality and packaging of the copy are
convincing enough to be publicly marketable as authentic. With so many
misuses of intellectual property able to stem from the simple act of
copying, digital expressions of such property are perceived as
security "problems" for many companies that depend on copy controls
and license restrictions for profits. Digital Rights Management (DRM)
is supposed to solve these security problems, rein in widespread
piracy and counterfeiting, and give artists and other creative
geniuses whom society should reward generously with privileged,
wealthy lifestyles the opportunity to hold out their hands expecting
payment each time somebody views, hears, or uses one of their
protected creations. While it has always appeared socially absurd for
concentrations of wealth and power to occur around certain icons,
we've recently entered an era where many people expect technology to
help concentrate such wealth and power rather than destabilize and
decentralize it, and this expectation is a new technical absurdity.
Technical capabilities that have always existed, such as the ability
to rip, mix, burn, and share copies of entertainment media for
entertainment purposes or counterfeiting, are now capabilities of the
prevailing marketplace.

Anyone who sets out to engineer any sort of digital copy protection is
attempting the impossible because to succeed, they must devise a
method and apparatus that is able to prevent even a single copy from
being made. As soon as one copy finds its way outside the confines of
the copy protection system, infinite identical copies become possible.
Additionally, a single near-perfect copy is often good enough, since
infinite identical copies can then be made of it, and this poses an
intractable problem for the recording and motion picture industries
whose digital products must exit any copy protection device in analog
form, as light and sound waves, in order to be enjoyed by paying
consumers. If eyeballs or eardrums can intercept the analog media,
then so can recording devices. Importantly, if people created the
original work, and those people are allowed to live, then there is a
real possibility that they will subsequently violate the terms of
agreements not to recreate or copy the work or claim residual rights
to the work as individuals.

The motion picture industry is having serious problems with pirates
using concealed video cameras to capture the analog output of movie
showings in order to distribute digital copies that are good enough to
entertain and can be shared at very low cost on the Internet. Many
companies approach this subject from a damage control and containment
viewpoint. For example, Microsoft uses a web crawler known as the
Internet Scanning Tool that trolls web sites or auction postings
looking for commercial offers of Microsoft software. Microsoft then
finances the purchase of a sample of these products for theft
detection and authenticity verification purposes. Other
countermeasures are being used at the point of unauthorized copying,
such as night vision goggles that help spot video cameras in use by
members of a movie audience, a practice that raises real privacy
concerns and compels us to question, or at least acknowledge, the
inherently invasive character of commerce. While it may be reasonable
for the motion picture industry to monitor the behavior of a movie
audience when the audience travels to a semipublic venue to view a
movie, it will never be reasonable, nor will it be technically
possible, to monitor everyone, everywhere, at all times. We should not
want this, but we've been so busy lately making commerce more
automatic that we've been discounting (or ignoring) its potential
risk.

There is some reason to be concerned that initiatives such as Radio
Frequency ID (RFID) tags for inventory control automation, Microsoft's
Palladium (now known as Next Generation Secure Computing Base),
Intel's processor ID feature, and every DRM solution that is ever
devised may take us closer to a future in which it will seem
reasonable to us that automated monitoring of every consumer should
occur and is a reasonable, unobtrusive thing. As a society we've
already decided that bits have value, are property, represent evidence
of criminal behavior, bind us to each other under contract, and in
many other ways shape or impact our lives. That bits can be copied
endlessly at near-zero cost or effort, forged anonymously with
perfection, intercepted with ease by unauthorized parties, and data
warehoused and data mined in perpetuity, for some reason doesn't cause
us to question the wisdom of attributing to these bits the qualities
of wealth, power, property, and market value.

The security benefits of attaching RFID tags to all items of luggage
checked by authorized airline passengers may outweigh the risk, or the
cost, of leaving residual radio frequency trails of our subsequent
travels. A court order authorizing the use of a tracking device on a
suspect's luggage may not be required if law enforcement officers
don't have to do anything special to arrange for installation of the
tracking device. The suspect's luggage simply goes in with all ports
closed, unable to respond even to a ping request, and comes out with
the equivalent of an open port with a microchip designed to receive
and respond to incoming requests. If we capture radio signals and
radiate responses without our knowledge or consent, it is difficult to
imagine anyone arguing that we have not been compromised materially.
Assurances that nothing bad will ever happen to us as a result of
having RFID tags attached to our belongings and our persons sound
hollow and are not very reassuring. Yet, the potential benefits for
counterfeit prevention, DRM, and streamlined security (think automated
employee identification at facility perimeters, or digital signature
verification of every item in a crate full of software received by a
retailer) may be substantial and compelling.

Microsoft has a team of attorneys who assist in criminal prosecutions
of counterfeiting or product theft cases and who manage nationwide civil
litigation against people who have been found to pass counterfeit
merchandise. Microsoft is presently winning hundreds of thousands of
dollars per violator in statutory infringement penalties against
companies and individuals found to have passed counterfeit product by
mistake. The key to winning these civil and criminal cases is showing
that the software is in fact counterfeit. For this, Microsoft has a
special business unit called the Product Identification Group. Compact
Discs are manufactured with International Federation of the
Phonographic Industry (IFPI) numbers that allow software vendors to
determine whether or not the CD-ROM is counterfeit. If not
counterfeit, the IFPI number indicates the point of manufacture and
the intended distribution channel so that vendors can identify friends
who are conspiring with foes to steal finished product or counterfeit.
A counterfeiter who can fool Microsoft's Product Identification Group
into accepting the product as authentic may be able to avoid detection
and prosecution. Anyone who deals with Microsoft software product is
obligated to educate themselves about the steps to identify
counterfeit software. Click the "How to Tell" link at
http://www.microsoft.com/piracy/.

Product activation steps like Microsoft Product Activation (MPA) now
provide a valuable anticounterfeiting feedback channel that, when
combined with law enforcement or civil court action, enables Microsoft
to identify compromised distribution channels. Over time, Microsoft is
thus able to identify people who are untrustworthy by keeping track of
data collected through the courts, cross-referencing and comparing
this data to product activation, IFPI lists, and the identities of
authorized resellers, distributors, manufacturing partners, and
software duplication houses. Recently there has been a flurry of
anticounterfeiting activity in the software industry, and some large
arrests have been made by law enforcement involving millions of
dollars' worth of counterfeit and stolen software products. Some of these
cases are beginning to end up in my lap, as the defendants prepare for
trial or try to understand how prosecutors came up with million dollar
price tags for copies of obsolete or nonfunctioning product discs. I
have learned while working on these cases that secrets are being kept
that allow counterfeit detection even when IFPI numbers and other
known anticounterfeiting measures are fooled. I have also learned that
vendors are keeping lists of known bad people, and they use these
lists to help decide whom to sue or file criminal complaints against.

Anticounterfeiting and DRM can be complementary solutions to the
"problems" of copying. Where DRM attempts to control the use of bits
in a device, anticounterfeiting measures ensure that customers who pay
to install bits into a device are paying for authentic merchandise
and, thus, transmitting wealth signals back to the producer through an
authorized distribution channel. Software vendors, in particular,
could benefit from this blending of technologies. Will future versions
of Windows (e.g., Longhorn) incorporate runtime anti-counterfeiting
measures that help to prevent the installation of any software or data
that doesn't bear some form of electronic authenticity mark? It's not
hard to imagine that Longhorn may not be made available in an
"upgrade" edition, being restricted instead to installation only on a
Next Generation Secure Computing Base-compatible box. Perhaps PCs will
begin to ship with the ability to blast RFID signals out at the
physical media on which software and data are stored, listening for
the required RFID response. Such "security" countermeasures may help
to keep honest people honest, in a commercial sense, but they will
never stop piracy. We should all be aware that these countermeasures
may in fact stop counterfeiting. This is likely to be the political
and legal leverage used to justify widespread adoption of the enabling
DRM technology. Piracy may hurt businesses due to lost sales
opportunities, but counterfeiting results in actual sales that enrich
a criminal rather than a company. Recapturing that missed and diverted
sales revenue is a high priority because the money from diverted sales
can be proved in court and possibly reclaimed.

People who advocate the widespread deployment of DRM technology and
government support of it through law enforcement and civil court
procedures make us feel like we only exist to be consumers and as such
are subordinate to producers simply because we are below them in the
economic food chain. Though this is arguably true, or at least we
allow it to be true much of the time, when we're told the truth about
how certain companies view us, we stop doing business with them and
they disappear into bankruptcy with surprising speed. The company that
succeeds in convincing us that the right of a producer to innovate and
make profit through the ownership of intellectual property together
take priority over certain human rights belonging to consumers will
become a powerful and wealthy company indeed. When a company begins to
abuse its power and economic status to the detriment of society, abuse
legal procedures, exploit technical ignorance of elected officials,
judges, and juries, and attempt to desensitize us to harmful things in
order to advance business tactics, we should all begin to ask
ourselves one thing: What can I do to stop this company, today?

---------------------------------------------------------------------
Jason Coombs works as a forensic analyst and expert witness in court cases
involving digital evidence. Information security and network programming
are his areas of special expertise. He can be reached at jasonc () science org.

Read previous newsletters online at http://www.windevnet.com/newsletters/.
---------------------------------------------------------------------


