1/12/2007 05:00 AM
Hurray for Hollywood!?

Why only total control will satisfy content providers (and Microsoft and Apple)

One day soon you will be able to watch Blu-ray and HD-DVD movies on your Wintel PC (well, as soon as the audio-video device manufacturers line up and play by the draconian rules being imposed by Microsoft if they want to support Vista), but this capability comes at a serious price.

When Microsoft bows to the will of Hollywood in the name of "premium content protection," design decisions in Vista get hairy, and the Vista user experience gets crippled as an unintended side effect. Maybe Microsoft is going too far to implement hard-core data security. But why would they do that? Three letters: DRM.

Felten Forecasts the Future
Princeton Professor Ed Felten is a sane voice in the often arcane world that has grown up at the intersection of public policy and technology. Made famous by his early work in Java security (which we collaborated on) and his work with the Department of Justice in the Microsoft antitrust trial, Professor Felten took a sabbatical at Stanford Law School some years ago with Larry Lessig and came out a technological freedom fighter of the first order.

His well-read, excellent Freedom to Tinker blog explains complex technology policy issues in clear and certain terms.

Felten has an interesting view of the brave new world we may be creating for ourselves if we continue to traipse happily along the current DRM path. He paints a picture of a future in which interoperability is hampered in the name of content protection -- where Pilot pens only work on Pilot paper, where Schick razors only work with Schick razor cartridges, where Garanimals shirts only stay tucked into Garanimals pants, where HP print cartridges only work in HP printers (hey wait...), and where Hollywood HD content only runs on Microsoft Vista computers. All of this gets enforced by secret cryptographic handshakes between things.

His argument is subtle and rests on the idea that DRM is less about protecting content (something that copyright law is supposed to do) and more about price discrimination and product lock-in. You can already see evidence of this today. Millions of iPod users are blithely unaware that they could store their music collections as mobile and "free" MP3 files instead of as Apple's crippled AAC files (which you can't even share easily with your spouse). Those of us in the know may use MP3, but we are a distinct minority.

Felten coined the term Property Rights Management as a way to co-opt the momentum behind the more standard DRM term and to properly invoke the ominous nature of the trend.

Goodbye Cruel Vista?
Right. Surely computer manufacturers would never follow some insidious Hollywood lead as a reaction to possible piracy of their valuable content, would they? According to my kiwi friend Peter Gutmann, the answer is yes.

Peter recently posted a technical working paper that raged into the mainstream in a fit of YouTube-like viral emailing. The "Executive Executive Summary" of his paper states, "The Vista Content Protection specification could very well constitute the longest suicide note in history," an allusion to '80s British politics. All humor aside, Peter paints a technically deep and profoundly disturbing picture of the ways in which Microsoft has adjusted Vista (even Vista's requirements) in order to support Hollywood's demand for "premium content protection."

He argues that protection of the HD content comes at a price payable in terms of system performance, stability, and cost. He further states that the design decisions that Microsoft has made ripple far beyond Vista to deeply impact "all hardware and software that will ever come into contact with Vista." Gutmann's document is really about collateral damage from radical DRM technology.

One example plucked from the many in Peter's paper describes how Vista is set up to covertly degrade HD signal "if premium content is present." The idea is to downgrade the signal using a "constrictor" so that the process directly impacts audio and video quality. (I assume that Peter means unlicensed HD content... not licensed content, but the constrictor seems to have been applied to his argument and I can't tell.)

The spec even calls for "slightly fuzzy" pictures and sound that are "fuzzy with less detail." The purpose may be to prevent the utterly simple ripping of perfectly pirated copies of copyrighted Disney content (and an opening run in the Chinese black market that nets $30,000 for a million copies).

But think about the implications for medical imaging. I sincerely hope that next time I have an MRI that they aren't playing some pirated "premium content" Tim McGraw CD to drown out the whirring of the spiraling emitter. (I wouldn't put it past the gum chewing, paid-by-the-hour technician though.)
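As an added illustration (not code from Peter's paper, from Microsoft's specification, or from this column), the following Python toy models the collateral-damage point made above: an output-wide constrictor policy that fuzzes everything on the display whenever any premium content is present, compared with a policy scoped to the protected path alone. The 2x2 box filter standing in for the constrictor, the per-surface "premium" flag, the policy names, and the checkerboard test pattern standing in for a medical image are all assumptions made here for the sake of the example.

```python
"""Toy model of a DRM "constrictor" and its collateral damage.

Added example, not Microsoft's or Peter Gutmann's code. The Vista spec is not
reproduced here: the constrictor is modelled as a 2x2 box-filter blur (assumption),
and "premium content" as a boolean flag on each display surface (assumption).
"""
from dataclasses import dataclass
from typing import Dict, List

Pixels = List[List[int]]  # grayscale rows, 0..255


@dataclass
class Surface:
    """One window on the display: a name, whether it carries premium content, and its pixels."""
    name: str
    premium: bool
    pixels: Pixels


def constrict(pixels: Pixels) -> Pixels:
    """Replace every 2x2 block by its mean: the 'slightly fuzzy' picture with 'less detail'."""
    h, w = len(pixels), len(pixels[0])
    out = [row[:] for row in pixels]
    for y in range(0, h - 1, 2):
        for x in range(0, w - 1, 2):
            block = [pixels[y][x], pixels[y][x + 1], pixels[y + 1][x], pixels[y + 1][x + 1]]
            mean = sum(block) // 4
            for dy in (0, 1):
                for dx in (0, 1):
                    out[y + dy][x + dx] = mean
    return out


def detail(pixels: Pixels) -> int:
    """Crude detail measure: total absolute difference between horizontal neighbours.
    Sharp edges (the kind a radiologist cares about) score high; a blurred image scores low."""
    return sum(abs(row[x] - row[x + 1]) for row in pixels for x in range(len(row) - 1))


def global_policy(surfaces: List[Surface]) -> Dict[str, Pixels]:
    """Output-wide policy (assumed): if ANY surface is premium, constrict EVERY surface."""
    any_premium = any(s.premium for s in surfaces)
    return {s.name: constrict(s.pixels) if any_premium else s.pixels for s in surfaces}


def scoped_policy(surfaces: List[Surface]) -> Dict[str, Pixels]:
    """Path-scoped policy (assumed): constrict only the surfaces that actually carry premium content."""
    return {s.name: constrict(s.pixels) if s.premium else s.pixels for s in surfaces}


def make_test_pattern(size: int = 4) -> Pixels:
    """Constructed high-contrast checkerboard standing in for an image whose edges matter."""
    return [[255 if (x + y) % 2 == 0 else 0 for x in range(size)] for y in range(size)]


def detail_loss(surfaces: List[Surface], policy) -> Dict[str, int]:
    """Detail lost per surface under the given policy (before minus after)."""
    after = policy(surfaces)
    return {s.name: detail(s.pixels) - detail(after[s.name]) for s in surfaces}


if __name__ == "__main__":
    # Constructed scenario: an unrelated scan on screen next to a premium movie window.
    screen = [
        Surface("scan", premium=False, pixels=make_test_pattern()),
        Surface("movie", premium=True, pixels=make_test_pattern()),
    ]
    print("output-wide policy, detail lost:", detail_loss(screen, global_policy))
    print("path-scoped policy, detail lost:", detail_loss(screen, scoped_policy))
```

Under the output-wide policy the non-premium scan loses as much detail as the movie; under the scoped policy it loses none. The difference between the two policies is entirely a design decision about where the constrictor is applied, which is the point of the collateral-damage argument.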

This one example only begins to scratch the surface of Peter's paper, which is well worth a read. He also describes (among other topics):

  • An interface for disabling premium hardware that does not support the crypto pipe
  • A system for overtly disabling some PC functionality dynamically
  • A plan to eliminate open source hardware support
  • The re-Balkanization of hardware drivers
  • A remote driver revocation capability (this one should be fun)
  • Serious economic impact in terms of hardware cost, CPU, and reliability

If Peter were some raving lunatic, I would not point you to his stuff. Instead, Peter is the lionized creator of one of the world's best free crypto libraries. Plus he is an objective independent thinker who has proven over and over to be worth listening to. His perspective is worth considering.

No matter whether Peter is right or wrong, it is worth gaining some understanding of the kinds of technical constraints we may be signing up for when we subscribe to iTunes or run Vista. The future of PRM is upon us, and it is quickly gaining ground inside the very computers we think of as our own. Time to invoke the brain...

Gary McGraw is CTO of Cigital Inc. Special to Dark Reading
