Penetration Testing mailing list archives

Re: [PEN-TEST] SealedMedia secured content?


From: Iván Arce <core.lists.pentest () CORE-SDI COM>
Date: Fri, 3 Nov 2000 20:43:46 -0300

Hello,
 We (CORE-SDI) have done security audits for this type of product.
 We have NOT done it for SealedMedia.
 We cannot disclose results as per NDA requirements.

 That being said, I'll comment a bit on the issue.

----- Original Message -----
From: "Crist Clark" <crist.clark () GLOBALSTAR COM>
Newsgroups: core.lists.pentest
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Friday, November 03, 2000 6:52 PM
Subject: Re: [PEN-TEST] SealedMedia secured content?


> Russ Spooner wrote:
>
> > I know I am probably stating the obvious and a bit OT, but almost all
> > DRM is flawed.
> >
> > No matter the encryption methodology an end user eventually puts
> > something to screen or soundcard, this is the vulnerability.

No, this is not a vulnerability, this is functionality; there is no point in
providing content 'securely' to the user if the security 'features' don't let
the user use that content.
So we get to the first dilemma: a vendor/developer of this sort of product
has to balance security and functionality.


> > I know for a fact that there are macros around that will exploit this
> > with "Secure" text formats like Microsoft Reader E-books, or PDF files.
> >
> > Basically the macro will take screen shots of each page once it is
> > viewed in the reader in a format suitable for most OCR packages. In a
> > couple of hours one can reconstruct the originally encrypted material
> > as an "in clear" form.

Well, yeah, you can't get around that; even if you disallow execution of
any other application on the client's side, the user could just take
pictures of the screen.


> > With "secure" music you can use dummy audio drivers that will just dump
> > the audio output stream to a file.

...or record directly from the speakers...


> > With jpegs and gifs, a good old fashioned screen capture will do the
> > trick.

> DRM? Which SecurityFocus mail list just got a lecture about tossing in
> obscure acronyms without definition? Was it this one? What is DRM?

Digital Rights Management.
It's a cool-trendy-buzzphrase, isn't it?
*cyber* is completely OUT these days...


> Anyway, it seems to me that it is even easier to circumvent the controls
> on the systems I have seen. The ones that promise to protect _any_ format
> rely on the recipient's software to actually handle the data. Why bother
> with replacing the audio drivers or do a screen capture? The data is
> being fed to some application UNDER THE CONTROL OF THE END USER in an
> unencrypted format. That's all you need to say. Game over, no? Why can't
> your MPEG or WAV player be a quick proggie that writes its input to a
> file?

So now it gets more interesting...

It is necessary to define protection from what sort of end user is being
provided. Is it protection from a hacker (I use the term hacker as in highly
skilled programmer) or a regular programmer or a non-techie end user?
Or from a malicious third party/eavesdropper?

In the last case, it is evident that content transport should be encrypted.
There, that one is over, as long as the malicious third party has no access
to the client box.

For the others it is just a matter of how many barriers you put in and
how complex you want them to be.
I believe that the acceptable point would be to force each end user
to actually break the protections him/herself and to require a certain
amount of reverse engineering/programming skills for that.
Obviously, this should be done in such a way that won't make it
trivial or reasonably easy for a skilled person to code a generic
program that disables the content protection features (aka skript)
and then post it for the use of joe user (aka skript kiddie).

Code obfuscation/watermarking/polymorphism are interesting areas
to explore for this. However, theoretically, this is all bound to failure, but
sometimes the real world does not conform to theory.
Anyway, in the end it all boils down to: if you have to invest more
resources to break the protections than to get the content
legitimately, you'll end up doing the latter.
So now you'll have to ask yourself: how much is the content worth?

-ivan

---

"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house,
 It's nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce


==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
email   : iarce () core-sdi com
http://www.core-sdi.com
Florida 141 2do cuerpo Piso 7
C1005AAG Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402
=====================================================================



--- For a personal reply use iarce () core-sdi com

