November 29, 2024

G-Men Called on W-Hats for WMVD

[Despite our recent focus on the SonyBMG CD flap, our mandate here at Freedom to Tinker covers infotech and policy generally. So I hope any Sonymaniacs in the audience will forgive me for posting about something else today. (If you need a Sony fix, Bruce Hayden can help.) Regularly scheduled Sony-related programming will resume next week.]

There’s a fascinating story going around about the intersection between virtual worlds and real-life law enforcement. (I have written twice before about this topic.) It started in a virtual world called Second Life, which has 70,000 or so members. There’s a group of in-world characters calling themselves the W-Hats. Stories in the Second Life Herald – a foulmouthed but apparently somewhat trusted virtual newspaper about Second Life – depict the W-Hats as a gang of racist thugs. (The rest of the story I tell here is based on the Herald’s reporting.)

One of the cool things about Second Life is that players can create new kinds of objects, by writing small programs in a special scripting language to describe how the objects should behave, and then launching objects into the world.

Things got really out of hand when the W-Hats created a doomsday device. It looked like a harmless little orb, but it was programmed to make copies of itself, repeatedly. The single object split into two. Then each of those split, and there were four. Then eight, and sixteen, and so on to infinity.

Okay, not exactly to infinity but to billions of copies (after thirty-some generations of splitting), at which point the servers running Second Life crashed, and the whole virtual world was knocked off-line. The W-Hats had created a Weapon of Mass Virtual Destruction (WMVD).

The WMVD was detonated more than once, and on at least one occasion Linden Lab, the company that runs Second Life, contained the damage by taking parts of the world offline as a kind of virtual firebreak.

Last week at an in-world holiday party, Philip Linden, the character played by Linden Lab CEO Philip Rosedale, mentioned that the company had called the FBI about the attacks and had turned over the names of some players. Others at the party reportedly praised the action. But was this justified? Should the FBI get involved in this mess?

It seems to me that they should. A WMVD of this sort is just a fancy denial of service attack, and a deliberate denial of service attack against a large network service looks to me like a crime. It’s possible that the first attack wasn’t meant to crash Second Life – though even if not deliberate it was certainly reckless – but subsequent attacks could only have been intended to cause a crash.

There is some indication that Linden Lab may have banned at least one player temporarily because of the attacks, but there is a limit to the effectiveness of in-world punishment. As James Grimmelmann has argued, the worst punishment available in-world is exile from the world – try to impose a stronger penalty on someone and he will simply exile himself by leaving the virtual world permanently. Real-world punishments can be worse than exile and so stronger deterrence is available in the real world. When stronger deterrence is needed, real-world punishment may be the only option.

Some have argued that players shouldn’t be punished for doing things that the world’s coding allows them to do. But that seems to me to be the wrong rule. For one thing, that’s not how things work in the real world, where you can commit all manner of crimes without violating the laws of physics. And it’s just wrong to think that the virtual world can be coded in a way that allows everything good but prevents everything bad. Any virtual world (if I may be forgiven for that phrase) that is complicated enough to be interesting will probably enable some undesired behavior.

It will sometimes be necessary, then, to appeal to real-world law enforcement to handle bad acts in virtual worlds. In general, there are lots of caveats here – for example, in some worlds, in-world fraud or murder is considered just part of the game; and world-builders shouldn’t run to the FBI over minor problems. But the particular case before us seems like an easy one: the FBI should investigate and, at the very least, use its power to intimidate the perpetrators into behaving better.

Make Your Own Copy-Protected CD with Passive Protection

Here’s a great gift idea just in time for the holidays: Make your friends and relatives their very own copy-protected CDs using the same industrial-grade passive protection technology built into XCP and Macrovision discs.

Passive protection exploits subtle differences between the way computers read CDs and the way ordinary CD players do. By changing the layout of data on the CD, it’s sometimes possible to confuse computers without affecting ordinary players — or so the theory goes. In practice, the distinction between computers and CD players is less precise. Older generations of CD copy protection, which relied entirely on passive protection, proved easy to copy in some computers and impossible to play on some CD players. For these reasons, copy protection vendors now use active protection — special software designed to block copying.

Discs with XCP or Macrovision protection employ active protection in conjunction with a milder form of passive protection. You can create your own CD with exactly the same passive protection by following a straightforward five-step procedure. I’ll describe the procedure here, and then explain why it works.

What you’ll need:

  • A computer running a recent version of Windows (instructions are Windows-specific; perhaps someone will write instructions for MacOS or Linux)
  • Nero, a popular CD burning application
  • CloneCD, an advanced disc duplication utility
  • Two blank recordable CDs

Step 1: Burn a regular audio CD

Start Nero Burning ROM and create a new Audio CD project. [View] Add the audio tracks that you want to include on your copy-protected disc. [View] When you’re ready to record, click the Burn button on the toolbar. In the Burn tab, make sure “Finalize disc” is unchecked. [View] Insert a blank CD and click Burn. Be careful not to infringe any copyrights! For loads of great music that you can copy legally, visit Creative Commons.

Step 2: Add a data session to the CD

Start another Nero compilation, this time selecting the “CD-ROM ISO” project type. In the Multisession tab, make sure “Start Multisession disc” is selected; and in the ISO tab, make sure Data Mode is set to “Mode 2 / XA”. [View] Add any files that you want to be accessible when the CD is used in a computer. You might include “bonus” content, such as album art and lyrics. [View] For a more professional effect, consider adding the installer for your favorite spyware application and creating an Autorun.inf file so it starts automatically. When you’re finished, click the Burn toolbar button. Insert the audio CD you created in Step 1, and click Burn. [View] Nero should warn you that the disc you’ve inserted is not empty; click Yes to add your data files as a second session. [View]

At this point, you’ve created a CD that contains both audio tracks and data files. The data files you put on the CD should be visible in Windows Explorer (in My Computer, right click the CD icon and click Open) and the audio tracks should be rippable with your favorite audio player. To add passive copy protection, you’ll need to modify the layout of the data on the disc so that the audio tracks are more difficult to access.

Step 3: Rip the CD as a CloneCD image file

Make sure the CD you just created is still in the drive and start CloneCD. Click the “Read to Image File” button. Select your drive and click Next. Choose “Multimedia Audio CD” and click Next. [View] Select an easy to find location for the image file and click OK to begin ripping.

Step 4: Modify the image file to add passive protection

The CloneCD image you created in step 3 actually consists of three files with names ending in .CCD, .IMG, and .SUB. The .CCD file describes the layout of the tracks and sessions on the CD. You’ll edit this file to add the passive protection.

Start Windows Notepad and open the .CCD file. Modifying the file by hand would be tedious, so I’ve created an online application to help. Copy the entire contents of the file to the clipboard and paste it into this form, then click Upload. Copy the output from the web page and paste it back into Notepad, replacing the original file contents. [View] Save the file and exit Notepad.

Step 5: Burn the modified image to create a copy-protected CD

Insert a blank CD and start CloneCD again. Click the “Write From Image File” button. Select the image file you modified in step 4 and click next. Select your CD recorder and click Next. Select “Multimedia Audio CD” and click OK to begin burning. [View]

That’s it! You’ve created your very own copy-protected CD.

Now it’s time to test your disc. If everything worked, the files from the data session will be visible from My Computer, but the audio tracks will not appear in Windows Media Player, iTunes, and most other mainstream music players. The CD should play correctly in standalone CD players.

How it works. To see how this form of passive protection works, you can examine the layout of the CD you created. Start Nero and select Disc Info from the Recorder menu. You should see something like this:

(The exact number of tracks you see will depend on how many songs you included.)

Notice that the tracks are grouped into two sessions — essentially two independent CDs burned onto the same disc. Unprotected CDs that combine audio and data files contain audio tracks in the first session and a single data track in the second. The only difference in the passive protected CD you just created is that the second session contains two tracks instead of one.

You added the extra track (shown in yellow) when you edited the disc image in step 4. This simple change makes the audio tracks invisible to most music player applications. It’s not clear why this works, but the most likely explanation is that the behavior is a quirk in the way the Windows CD audio driver handles discs with multiple sessions.

For an added layer of protection, the extraneous track you added to the disc is only 31 frames long. (A frame is 1/75 of a second.) The CD standard requires that tracks be at least 150 frames long. This non-compliant track length will cause errors if you attempt to duplicate the disc with many CD drives and copying applications.

Caveat emptor. Yes, your copy-protected CD is “industrial strength” — XCP and Macrovision employ exactly the same passive protection — but even the pros have their limitations. There are many well-known method for defeating this kind of passive protection, such as:

  • Enhanced software – Advanced CD ripping programs avoid the Windows CD audio driver altogether and communicate directly with the CD drive. Thus, programs such as EAC are able to rip the tracks without any difficulty. – Better CD copying applications, including Nero, support a recording mode called Disc-at-Once/96; this lets them create an exact duplicate of the protected disc even though the last track has an illegal length.
  • Other operating systems – The discs can be ripped with standard software on Macs and on Linux systems. These platforms don’t suffer from the limitation that causes ripping problems on Windows.
  • Magic markers – The famous magic marker trick involves carefully drawing around the outer edge of the CD. This blocks out the second session, allowing the disc to be ripped and copied just like an unprotected CD.

And of course, at any time Microsoft could fix the Windows quirk that is the basis for this technique, rendering it completely ineffective.

Despite these limitations, who wouldn’t enjoy finding a homemade copy-protected CD in their stocking? They’re a great way to spread holiday cheer while preventing anyone else from spreading it further.

Inside the MediaMax Prospectus

Bruce Hayden writes that MediaMax, the company associated with the CD-borne spyware product that Sony has not yet recalled, recently filed a prospectus with the SEC in connection with an upcoming stock offering. In the prospectus, the company is required to describe truthfully its business plans and associated risks. MediaMax’s prospectus is a window into the company’s business practices. It was filed on November 4, about a week before we first reported the security and privacy problems caused by MediaMax.

There’s more interesting material in the prospectus than I can cover here. Bruce Hayden describes some of it. You can read the whole prospectus yourself, but most of it is pretty dry. The most interesting parts are the discussion of business risks (note the conspicuous non-mention of security and privacy risks), and the description of the company’s products. The product description is all I’ll write about here.

Page 30 of the prospectus describes how the MediaMax CD copy protection product works. Remember, this is the company’s own description of its product. Here’s the core of the description:

When the disc is inserted, the auto launch feature will activate the MediaMax program on the second session. Depending on the DRM license implementation, this program is either activated directly or through another program. The program first determines if the LMT Software controls are installed on the computer. If not, or if the disc concerned contains a newer version, it will copy the controls from the disc concerned and will install same. The LMT Software controls consist of two dynamic link libraries. The controls are used by the MediaMax application.

Whenever the second session software is executed, the LMT Software controls will first determine if the content protection device driver is installed on the system. If not, it will extract it from the main LMT Software into a separate file and install it as a standard Windows device driver.

The driver first locates all CDROM devices installed on the computer. Then it polls each device to determine if a new disc has been inserted. If so, it reads various elements of the disc to determine if it is a MediaMax protected disc. It is important to note that the driver is completely idle (without any chance to affect the computer or CD/DVD drives), unless an actual MediaMax disc has been detected. Once detected, the driver will insert itself into the communication stream for that drive to prevent any non-authorized activities. While allowing the computer to access the second session and associated content without any limitations, the driver will interfere when applications try to access the first session only.

When the driver detects that the MediaMax disc is ejected, it will remove itself from the communication stream for that drive and switch back to the polling mode. Several enhancements have been implemented to make it very difficult to locate and/or remove the device drivers.

There are several things to note here. First, in describing the installation process, there is no mention of obtaining user consent, or of the possibility that the user might not consent, or of how the product would cope with a non-consent situation. The description is pretty straightforward: when the disc is inserted, they install the software. So the decision to install without consent seems deliberate.

Second, there is no mention of the phone-home feature, even though websites associated with the product talk about how the feature can be used to display third-party ads.

Third, they brag that “enhancements have been implemented to make it very difficult to locate and/or remove the device drivers.” So the decision to resist uninstallation seems deliberate.

Indeed, they make an even stronger statement elsewhere on page 30:

The software is designed to be completely invisible to users, programs and system components.

This is an exaggeration, but it shows that they do aspire to invisibility. Which is interesting because the only way to be “invisible to users, programs and system components” is to use rootkit methods. So it would appear that MediaMax at least planned to follow First4Internet’s lead in shipping a rootkit.

All of this just confirms what I wrote on Friday about how the technical problems with CD copy protection lead vendors to adopt spyware methods. MediaMax’s description of their own product describes software that installs without consent and resists detection and removal, along with an apparent plan to adopt rootkit methods. MediaMax set off down the road of CD copy protection, and they ended up with spyware.

CD Copy Protection: The Road to Spyware

Advocates of DRM (copy protection) have been keeping their heads down lately, while they try to figure out what went wrong in the SonyBMG DRM spyware fiasco. No doubt they’ll try to explain it away as an anomaly – just a little speed bump on the road to the effective, unobtrusive DRM future that they’re sure will be arriving any day now.

There are some problems with this story. For starters, we’re not talking about a single DRM system – we’re talking about two totally separate systems (XCP and MediaMax), developed by rival companies, both of which turned out to be spyware and to endanger users, in strikingly similar ways. Is this just a coincidence?

Of course it’s not. If we look carefully at CD copy protection as a technical problem, we’ll see why DRM designers are drawn to spyware tactics as their best hope of stopping copying. Let me explain why.

CDs store music files in Compact Disc Digital Audio (CDDA) format, which is easily readable by a wide range of devices. If the music is encrypted or stored in some other tricky format, ordinary audio CD players won’t be able to read it, and the disc will be useless to most customers. So backward compatibility requires that the music be stored in a format that is readable by computer software.

(Technical digression: There are actually small differences between how a computer reads a disc and how ordinary audio CD players read it. So-called passive protection technologies try to exploit these differences by putting things on the disc that try to confuse computers without affecting ordinary players. For our purposes, it will suffice to say that purely passive protection systems are not viable, because computers are not so easily confused. To my knowledge, purely passive CD DRM technologies aren’t being used any more, although some current vendors combine passive protection with active measures. For reasons too boring to go into here, passive protection doesn’t really affect my analysis; and so to streamline the discussion I’ll assume from here on that there is no passive protection.)

If the music is encoded on the disc in a format that any software program can read, the only way to stop programs from reading it is to install software on the user’s computer, and to have that software actively interfere with attempts to read the disc, for example by corrupting the data stream coming from the disc. We call this “active protection”.

For example, suppose the user wants to use iTunes to read the disc. But the DRM vendor wants to stop the user from doing this, because iTunes can be used to make copies of the disc. The active protection software will detect this and will interfere to ensure that iTunes gets a garbled copy of the music.

Here’s the key issue: Active protection only works if the DRM software is running on the user’s computer. But the user doesn’t want the software on his computer. The software provides no value to him at all. Its only effects are to stop him from doing things he wants to do (such as listening to the music with iTunes), and to expose him to possible security attacks if the software is buggy.

So if you’re designing a CD DRM system based on active protection, you face two main technical problems:

  1. You have to get your software installed, even though the user doesn’t want it.
  2. Once your software is installed, you have to keep it from being uninstalled, even though the user wants it gone.

These are the same two technical problems that spyware designers face.

People who face the same technical problems tends to find the same technical solutions. How do you get software installed against the user’s wishes? You mislead the user about what is being installed, or about the consequences of installation. Or you install without getting permission at all. How do you keep software from being uninstalled? You don’t provide an uninstaller. Or you provide an uninstaller that doesn’t really uninstall the whole program. Or you try to cloak the software so the user doesn’t even know it’s there.

Of course, you don’t have to resort to these tactics. But if you don’t, your software will have trouble getting onto users’ computers and staying there. If your whole business model depends on installing unwanted software and preventing its uninstallation, you’ll do what’s necessary to make that model work. You’ll resort to spyware tactics. (Or you’ll quit and go into another business.)

Having set off down the road of CD copy protection, the music industry shouldn’t be surprised to have arrived at spyware. Because that’s where the road leads.

Not Just Another Buggy Program

Was anybody surprised at Tuesday’s announcement that the MediaMax copy protection software on Sony CDs had a serious security flaw? I sure wasn’t. The folks at iSEC Partners were clever to find the flaw, and the details they uncovered were interesting, but it was pretty predictable that a problem like this would turn up.

Security is all about risk management. If you’re careful to avoid unnecessary risks, to manage the risks you must accept, and to have a recovery plan for when things go wrong, you can keep your security under control. If you plunge ahead, heedless of the risks, you’ll be sorry.

If you’re a parent, you’ll surely remember the time your kid left an overfull glass of juice on the corner of a table and, after the inevitable spill, said, “It was an accident. It’s not my fault.” And so the kid had to learn why we don’t set glasses at the very edges of tables, or balance paintbrushes on the top of the easel, or leave roller skates on the stairs. The accident won’t happen every time, or even most of the time, but it will happen eventually.

If you’re a software vendor, your software creates risks for its users, and you have a responsibility to your customers to help them manage those risks. You should help your customers make informed choices about when and how to use your software, and you should design your software to avoid exposing customers to unnecessary risks. Your customers expect this from you, and they’ll hesitate to buy your product if they think you’re leaving the cyberjuice on the corner of the table.

The design of the MediaMax/Sony software is a case study in risk creation. I wrote about these risks two weeks ago:

But even if all [the software’s spyware] problems are fixed, the MediaMax software will still erode security, for reasons stemming from the basic design of the software.

For example, MediaMax requires administrator privileges in order to listen to a CD. You read that right: if you want to listen to a MediaMax CD, you must be logged in with enough privileges to manipulate any part of the system. The best practice is to log in to an ordinary (non-administrator) account, except when you need to do system maintenance. But with MediaMax, you must log in to a privileged account or you can’t listen to your CD. This is unnecessary and dangerous.

Some of the security risk of MediaMax comes from the fact that users are locked into the MediaMax music player application. The player app evades the measures designed to block access to the music; and of course the app can’t play non-MediaMax discs, so the user will have to use multiple music players. Having this extra code on the system, and having to run it, increases security risk. (And don’t tell me that music players don’t have security bugs — we saw two serious security bugs in Sony music software last week.) Worse yet, if a security problem crops up in the MediaMax player app, the user can’t just switch to another player app. More code, plus less choice, equals more security risk.

Sure enough, these risks enable the new attack, which exploits the presence of extra code on the system, and the fact that that code runs with full Administrator privileges.

The biggest risk of all, though, is that the software can install itself without the knowledge or consent of the user. When you decide to install a program on your computer, you take a security risk. But you take that risk knowingly, because you have decided the benefit provided by that program outweighs the risk. If you change your mind about that tradeoff, you can always uninstall the program.

But if you decline the MediaMax licence agreement, and the software secretly installs itself anyway, you will face risks that you didn’t choose. You won’t even know that you’re at risk. All of this, simply because you tried to listen to a compact disc.

Experience teaches that where there is one bug, there are probably others. That’s doubly true where the basic design of the product is risky. I’d be surprised if there aren’t more security bugs lurking in MediaMax.

Sony is still shipping CDs containing this dangerous software.