Penetration Testing mailing list archives
Re: [PEN-TEST] SealedMedia secured content?
From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Fri, 3 Nov 2000 13:18:39 -0800
Russ Spooner wrote:
I know I am probably stating the obvious and a bit OT, but almost all DRM is flawed. No matter the encryption methodology an end user eventually puts something to screen or soundcard, this is the vulnerability. I know for a fact that there are macros around that will exploit this with "Secure" text formats like Microsoft Reader E-books, or PDF files. Basically the macro will take screen shots of each page once it is viewed in the reader in a format suitable for most OCR packages. In a couple of hours one can reconstruct the originally encrypted material as an "in clear" form. With "secure" music you can use dummy audio drivers that will just dump the audio output stream to a file. With jpegs and gifs, a good old-fashioned screen capture will do the trick.
DRM? Which SecurityFocus mail list just got a lecture about tossing in obscure acronyms without definition? Was it this one? What is DRM?

Anyway, it seems to me that it is even easier to circumvent the controls on the systems I have seen. The ones that promise to protect _any_ format rely on the recipient's software to actually handle the data. Why bother with replacing the audio drivers or doing a screen capture? The data is being fed to some application UNDER THE CONTROL OF THE END USER in an unencrypted format. That's all you need to say. Game over, no? Why can't your MPEG or WAV player be a quick proggie that writes its input to a file?

I must caveat this by saying I have only played with one vendor's product. The idea that you could protect files you give to someone else just seemed so strange to me that I had to check it out. Did not take me 15 minutes to get around their restrictions. It may just be I have a funky environment (but that is not a very good argument for the vendor) or this particular vendor does not have a great product, but I strongly believe it is a fundamental issue with the concept.

Systems that protect a specific type of data with an imbedded or "trusted" application to use data are another issue. That gets to the watermarks and all that good kind of great stuff.

--
Crist J. Clark
Network Security Engineer
crist.clark () globalstar com
Globalstar, L.P.
(408) 933-4387
FAX: (408) 933-4926