Analytics
1/12/2007
05:00 AM
50%
50%

Hurray for Hollywood!?

Why only total control will satisfy content providers (and Microsoft and Apple)

One day soon you will be able to watch Blue-Ray and HD-DVD movies on your Wintel PC (well, as soon as the audio-video device manufacturers line up and play by the Draconian rules being imposed by Microsoft if they want to support Vista), but this capability comes at a serious price.

When Microsoft bows to the will of Hollywood in the name of "premium content protection," design decisions in Vista get hairy, and the Vista user experience gets crippled as an unintended side effect. Maybe Microsoft is going too far to implement hard core data security. But why would they do that? Three letters: DRM.

Felten Forecasts the Future
Princeton Professor Ed Felten is a sane voice in the often arcane world that has grown up at the intersection of public policy and technology. Made famous by his early work in Java security (which we collaborated on) and his work with the Department of Justice in the Microsoft antitrust trial, Professor Felten took a sabbatical at Stanford Law School some years ago with Larry Lessig and came out a technological freedom fighter of the first order.

His well-read, excellent Freedom to Tinker blog explains complex technology policy issues in clear and certain terms.

Felten has an interesting view of the brave new world we may be creating for ourselves if we continue to traipse happily along the current DRM path. He paints a picture of a future in which interoperability is hampered in the name of content protection -- where Pilot pens only work on Pilot paper, where Schick razors only work with Schick razor cartridges, where Garanimals shirts only stay tucked into Garanimals pants, where HP print cartridges only work in HP printers (hey wait...), and where Hollywood HD content only runs on Microsoft Vista computers. All of this gets enforced by secret cryptographic handshakes between things.

His argument is subtle and rests on the idea that DRM is less about protecting content (something that copyright law is supposed to do) and more about price discrimination and product lock-in. You can already see evidence of this today. Millions of iPod users are blithely unaware that they could store their music collections as mobile and "free" MP3 files instead of as Apple's crippled ACC files (which you can't even share easily with your spouse). Those of us in the know may use MP3, but we are a distinct minority.

Felten coined the term Property Rights Management as a way to co-opt the momentum behind the more standard DRM term and to properly invoke the ominous nature of the trend.

Goodbye Cruel Vista?
Right. Surely computer manufacturers would never follow some insidious Hollywood lead as a reaction to possible piracy of their valuable content, would they? According to my kiwi friend Peter Gutmann, the answer is yes.

Peter recently posted a technical working paper that raged into the mainstream in a fit of YouTube-like viral emailing. The "Executive Executive Summary" of his paper states, "The Vista Content Protection specification could very well constitute the longest suicide note in history," an allusion to '80s British politics. All humor aside, Peter paints a technically deep and profoundly disturbing picture of the ways in which Microsoft has adjusted Vista (even Vista's requirements) in order to support Hollywood's demand for "premium content protection."

He argues that protection of the HD content comes at a price payable in terms of system performance, stability, and cost. He further states that the design decisions that Microsoft has made ripple far beyond Vista to deeply impact "all hardware and software that will ever come into contact with Vista." Gutmann's document is really about collateral damage from radical DRM technology.

One example plucked from the many in Peter's paper describes how Vista is set up to covertly degrade HD signal "if premium content is present." The idea is to downgrade the signal using a "constrictor" so that the process directly impacts audio and video quality. (I assume that Peter means unlicensed HD content... not licensed content, but the constrictor seems to have been applied to his argument and I can't tell.)

The spec even calls for "slightly fuzzy" pictures and sound that are "fuzzy with less detail." The purpose may be to prevent the utterly simple ripping of perfectly pirated copies of copyrighted Disney content (and an opening run in the Chinese black market that nets $30,000 for a million copies).

But think about the implications for medical imaging. I sincerely hope that next time I have an MRI that they aren't playing some pirated "premium content" Tim McGraw CD to drown out the whirring of the spiraling emitter. (I wouldn't put it past the gum chewing, paid-by-the-hour technician though.)

This one example only begins to scratch the surface of Peter's paper which is well worth a read. He also describes (among other topics):

  • An interface for disabling premium hardware that does not support the crypto pipe
  • A system for overtly disabling some PC functionality dynamically
  • A plan to eliminate open source hardware support
  • The re-Balkanization of hardware drivers
  • A remote driver revocation capability (this one should be fun)
  • Serious economic impact in terms of hardware cost, CPU, and reliability

    If Peter were some raving lunatic, I would not point you to his stuff. Instead, Peter is the lionized creator of one of the world's best free crypto libraries. Plus he is an objective independent thinker who has proven over and over to be worth listening to. His perspective is worth considering.

    No matter whether Peter is right or wrong, it is worth gaining some understanding of the kinds of technical constraints we may be signing up for when we subscribe to iTunes or run Vista. The future of PRM is upon us, and it is quickly gaining ground inside the very computers we think of as our own. Time to invoke the brain...

    Gary McGraw is CTO of Cigital Inc. Special to Dark Reading

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Current Issue
    Security Operations and IT Operations: Finding the Path to Collaboration
    A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
    Flash Poll
    New Best Practices for Secure App Development
    New Best Practices for Secure App Development
    The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
    Slideshows
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2017-0290
    Published: 2017-05-09
    NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

    CVE-2016-10369
    Published: 2017-05-08
    unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

    CVE-2016-8202
    Published: 2017-05-08
    A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

    CVE-2016-8209
    Published: 2017-05-08
    Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

    CVE-2017-0890
    Published: 2017-05-08
    Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

    Dark Reading Radio
    Archived Dark Reading Radio
    In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.