November 30, 2024

Posts Comments

HD-DVD Camp Disses Blu-Ray DRM

August 11, 2005 by

Proponents of HD-DVD, one of the two competing next-gen DVD standards, have harsh words for the newly announced DRM technologies adopted by the competing Blu-Ray standard, according to a Consumer Electronics Daily article quoted by an AVS Forum commenter.

[Fox engineering head Andy] Setos confirmed BD+ [one of the newly announced Blu-Ray technologies] was based on the Self-Protecting Digital Content (SPDC) encryption developed by San Francisco’s Cryptography Research. That system, which provides “renewable security” in the event AACS is hacked, was rejected for HD DVD over concerns about playability and reliability issues (CED Aug 2 p1). BDA [the Blu-Ray group] obviously had a different conclusion, Setos said.

[Hitachi advisor Mark] Knox also took a shot at the BD+ version of SPDC, calling its “Virtual Machine” concept “a goldmine for hackers.” He said the Virtual Machine “must have access to critical security info, so any malicious code designed to run on this VM would also have access. In the words of one of the more high-tech guys ‘This feeble attempt to shut the one door on hackers is going to open up a lot of windows instead.’”

There’s an interesting technical issue behind this. SPDC’s designers say that most DRM schemes are weak because a fixed DRM design is built in to player devices; and once that design is broken – as it inevitably will be – the players are forever vulnerable. Rather than using a fixed DRM design, SPDC builds into the player device a small operating system. (They call it a lightweight virtual machine, but if you look at what it does it’s clearly an operating system.) Every piece of content can come with a computer program, packaged right on the disc with the content, which the operating system loads and runs when the content is loaded. These programs can also store data and software permanently on the player. (SPDC specifications aren’t available, but they have a semi-technical white paper and a partial security analysis.)

The idea is that rather than baking a single DRM scheme into the player, you can ship out a new DRM scheme whenever you ship out a disc. Different content publishers can use different DRM schemes, by shipping different programs on their discs. So, the argument goes, the system is more “renewable”.

The drawback for content publishers is that adversaries can switch from attacking the DRM to attacking the operating system. If somebody finds a security bug in the operating system (and, let’s face it, OS security bugs aren’t exactly unprecedented), they can exploit it to undermine any and all DRM, or to publish discs that break users’ players, or to cause other types of harm.

There are also risks for users. The SPDC documents talk about the programs having access to permanent storage on the player, and connecting to the Internet. This means a disc could install software that watches how you use your player, and reports that information to somebody across the Net. Other undesirable behaviors are possible too. And there’s nothing much the user can do to prevent them – content publishers, in the name of security, will try to prevent reverse engineering of their programs or the spread of information about what they do – and even the player manufacturer won’t be able to promise users that programs running on the player will be well-behaved.

Even beyond this, you have all of the usual reliability problems that arise on operating systems that store data and run code on behalf of independent software vendors. Users generally cope with such problems by learning about how the OS works and tweaking its configuration; but this strategy won’t work too well if the workings of the OS are supposed to be secret.

The HD-DVD advocates are right that SPDC (aka BD+) opens a real can of worms. Unless the SPDC/BD+ specifications are released, I for one won’t trust that the system is secure and stable enough to make anybody happy.

Filed Under: Uncategorized Tagged With:

Blu-Ray Tries to Out-DRM HD-DVD

August 10, 2005 by

Blu-Ray, one of the two competing next-gen DVD standards, has decided to up the ante by adopting even more fruitless anti-copying mechanism than the rival HD-DVD system. Blu-Ray will join HD-DVD in using the AACS technology (with its competition-limiting digital imprimatur). Blu-Ray will add two more technologies, called ROM-Mark and BD+.

ROM-Mark claims to put a hidden mark on all licensed discs. The mark will be detected by Blu-Ray players, which will refuse to play discs that don’t have it. But, somehow, it is supposed to be impossible for unlicensed disc makers to put marks on their discs. It’s not at all clear how this is supposed to work, but systems of this sort have always failed in the past, because it has always proved possible to make an exact copy of a licensed disc (including the mark).

BD+ will apparently allow the central Blu-Ray entity to update the anti-copying software in Blu-Ray players. This kind of updatability will inevitably add to the cost, complexity, and fragility of Blu-Ray players. Trying to do this raises some nasty technical issues that may not be solvable. I would like to find out more about how they think they can make this happen, especially for (say) cheap, portable players. (This technology was reportedly Fox’s reason for joining the Blu-Ray camp.)

As always, content will be copied regardless of what they try to do, and the main effect of these technologies will be to make player devices more expensive and less reliable, and to limit entry to the market for the devices. My guess is that some movie studio people actually believe these technologies will stop copying; and some know the technology won’t stop copying but want the power to limit entry.

Both groups must be happy to see the Blu-Ray and HD-DVD camps competing to make the most extravagant copy-prevention promises. To law-abiding consumers, each step in this bidding war means more expensive, less capable technologies.

Filed Under: Uncategorized Tagged With:

Hollywood Controlling Parts of Windows Vista Design

August 9, 2005 by

A recent white paper (2MB Word file) from Microsoft details the planned “output content protection” in the upcoming Windows Vista (previously known as Longhorn) operating system product. It’s a remarkable document, illustrating the real costs of Hollywood’s quest to redesign the PC’s video hardware and software.

The document reveals that movie studios will have explicit veto power over what is included in some parts of Vista. For example, pages 22-24 describe the “High Bandwidth Cipher” which will be used to encrypt video data is it passes across the PC’s internal PCIe bus. Hollywood will allow the use of the AES cipher, but many PCs won’t be able to run AES fast enough, leading to stutter in the video. People are free to design their own ciphers, but they must go through an approval process before being included in Windows Vista. The second criterion for acceptance is this:

Content industry acceptance
The evidence must be presented to Hollywood and other content owners, and they must agree that it provides the required level of security. Written proof from at least three of the major Hollywood studios is required.

The document also describes how rational designs are made more expensive and complicated, or ruled out entirely, by the “robustness” rules Hollywood is demanding. Here’s an example, from page 27:

Given the data throughput possible with PCIe, there is a new class of discrete graphics cards that, to reduce costs, do not have much memory on the board. They use system memory accessed over the PCIe bus.

In the limit, this lack of local memory means that, for example, to decode, de-interlace, and render a frame of HD may require that an HD frame be sent backward and forward over the PCIe bus many times – it could be as many as 10 times.

The frames of premium content are required to be [encrypted] as they pass over the PCIe bus to system memory, and decrypted when they safely return to the graphics chip. It is the responsibility of the graphics chip to perform the encryption and decryption.

Depending on the hardware implementation, the on-chip cipher engine [which wouldn’t be necessary absent the “robustness” requirements] might, or might not, go fast enough to encrypt the 3 GByte/sec (in each direction) memory data bandwidth.

These are just a few examples from a document that describes one compromise after another, in which performance, cost, and flexibility are sacrificed in a futile effort to prevent video content from leaking to the darknet. And the cost is high. As just one example, nearly all of us will have to discard our PC’s monitors and buy new ones to take advantage of new features that Microsoft could provide – more easily and at lower cost – on our existing monitors, if Hollywood would only allow it.

There can be little doubt that Microsoft is doing this because Hollywood demands it; and there won’t be much doubt among independent security experts that none of these compromises will make a dent in the availability of infringing video online. Law-abiding people will be paying more for PCs, and doing less with them, because of the Hollywood-decreed micromanagement of graphics system design.

Filed Under: Uncategorized Tagged With:

DRM Textbooks Offered to Princeton Students

August 8, 2005 by

There’s a story going around the blogosphere that Princeton is experimenting with DRMed e-textbooks. Here’s an example:

Princeton University, intellectual home of Edward Felten and Alex Halderman, has evidently begun to experiment with DRM’d textbooks. According to this post, there are quite a few digital restrictions being managed:

  • Textbook is locked to the computer where you downloaded it from;
  • Copying and burning to CD is prohibited;
  • Printing is limited to small passages;
  • Unless otherwise stated, textbook activation expires after 5 months (*gasp*);
  • Activated textbooks are not returnable;
  • Buyback is not possible.

There an official press release from the publishers for download here.

Several people have written, asking for my opinion on this.

First, a correction. As far as I can tell, Princeton University has no part in this experiment. The Princeton University Store, a bookstore that is located on the edge of the campus but is not affiliated with the University, will be the entity offering DRMed textbooks. The DRM company’s press release tries to leave the impression that Princeton University itself is involved, but this appears to be incorrect.

In any case, I don’t see a reason to object to the U-Store offering these e-books, as long as students are informed about the DRM limitations and can still get the dead-tree version instead. It’s hard to see the value proposition for students in the DRMed version, unless the price is very low. It appears the price will be about two-thirds of the new-book price, which is obviously a bad deal. Our students are smart enough to know which version to buy – and the faculty will be happy to advise them if they’re not sure.

I don’t object to other people wasting their money developing products that consumers won’t want. People waste their money on foolish schemes every day. I wish for their sake that they would be smarter. But why should I object to this product or try to stop it? A product this weak will die on its own.

The problem with DRM is not that bad products can be offered, but that public policy sometimes protects bad products by thwarting the free market and the free flow of ideas. The market will kill DRM, if the market is allowed to operate.

UPDATE (August 12): The DRM vendor announced yesterday that usage restrictions will be eased somewhat. The expiration time has been extended to at least twelve months (longer for some publishers), and restrictions on printing have been loosened in some cases.

Filed Under: Uncategorized Tagged With: ,

Cisco Claims Its Product is a Trade Secret

August 4, 2005 by

I wrote Friday about the legal threats by Cisco and ISS against researcher Mike Lynn, relating to Lynn’s presentation at Black Hat about a Cisco security vulnerability. The complaint Cisco and ISS filed is now available online. Jennifer Granick, Lynn’s lawyer, has an interesting narrative of the case (part 1; part 2; part 3; part 4).

The complaint claims that Lynn wronged ISS, by giving a PowerPoint presentation that was copyrighted by ISS (because Lynn allegedly prepared it as a work for hire), and by violating the NDA he signed as a member of ISS’s board of directors. The complaint also claims that Lynn wronged Cisco by including snippets of its copyrighted software code in the presentation, and by presenting Cisco trade secrets that had been misappropriated.

The trade secret misappropriation claim is the most interesting one. Cisco’s argument goes as follows. The executable machine code that ships with Cisco routers is a trade secret of Cisco. Customers agree to a contract in which they promise not to disassemble the code. ISS agreed to that contract. Some unspecified person disassembled the code, in violation of the contract, to get information that was used in Lynn’s presentation. Lynn knew that the information was acquired by breach of contract and therefore was a misappropriated trade secret. Lynn disseminated the information anyway.

[Oddly, the complaint incorrectly refers to the executable machine code that ships on Cisco routers as Cisco’s “source code.” This false characterization looks deliberate – it is made repeatedly in the documents, and even occurs more than once in the two-page declaration signed by Cisco’s Vice President for Customer Support. Lawyers in a hurry might make this mistake in their papers, but it’s hard to come up with a charitable explanation for how this mischaracterization occurred twice in a very short statement under oath by the VP for Customer Support. Does he really not know the difference between machine code and source code? Does he not know which kind of code Cisco ships on its routers? Did he not recognize that the code in the presentation which he claims to have reviewed was not source code? Did he sign the declaration under oath without reading it carefully enough to catch such a simple error, which occurred twice in a document with less than one page of text? Or did he know about the error and sign anyway? He could easily have corrected the error himself by deleting or crossing out the word “source” before signing.]

Any discussion of this argument has to start with the obvious: Cisco is claiming that part of its product is a trade secret. The software is key to the product’s function, and Cisco sells the product to essentially anybody who wants it. It’s hard to think of any reasonable sense in which this can be called a secret. (I know that legal definitions of terms like “trade secret” aren’t always intuitive, but still, this seems a bit much.)

It’s also pretty clear that the alleged harm to Cisco from Lynn’s action was not the kind of harm that trade secret law was meant to prevent. There is no real argument that the brief snippets of code in Lynn’s presentation (2MB PDF) would help Cisco’s competitors improve their products. The reason Cisco wanted to prevent Lynn’s presentation is that it wanted to keep truthful information about flaws in its products out of the hands of the public. Why should information about product flaws be considered a trade secret?

As I argued on Friday, ISS is in a difficult position. The complaint alleges that ISS agreed not to disassemble Cisco’s code. It does not assert that Lynn himself had agreed not to disasssemble the code, and it does not accuse Lynn of directly misappropriating the secrets. It only says that Lynn knew that they had been misappropriated. The complaint essentially accuses ISS of misappropriating the trade secrets. Which is interesting, considering that ISS was one of the parties that filed the complaint.

Jennifer Granick, Lynn’s lawyer, also had her doubts about the trade secret claim. It would have been interesting to see the claim litigated. Instead, Lynn, on Granick’s advice, decided prudently to settle the case. It’s one thing to talk about cases like this in the abstract; it’s another thing entirely to be in the legal meat-grinder yourself.

The only good news here is that Cisco seems to be getting what it deserves after the legal strongarming of Mike Lynn. Cisco’s efforts have only notified more people that its product has a serious security flaw, and that Cisco is afraid to allow independent evaluation of its products’ security.

Filed Under: Uncategorized Tagged With: ,