Analytics
1/12/2007
05:00 AM
50%
50%

Hurray for Hollywood!?

Why only total control will satisfy content providers (and Microsoft and Apple)

One day soon you will be able to watch Blue-Ray and HD-DVD movies on your Wintel PC (well, as soon as the audio-video device manufacturers line up and play by the Draconian rules being imposed by Microsoft if they want to support Vista), but this capability comes at a serious price.

When Microsoft bows to the will of Hollywood in the name of "premium content protection," design decisions in Vista get hairy, and the Vista user experience gets crippled as an unintended side effect. Maybe Microsoft is going too far to implement hard core data security. But why would they do that? Three letters: DRM.

Felten Forecasts the Future
Princeton Professor Ed Felten is a sane voice in the often arcane world that has grown up at the intersection of public policy and technology. Made famous by his early work in Java security (which we collaborated on) and his work with the Department of Justice in the Microsoft antitrust trial, Professor Felten took a sabbatical at Stanford Law School some years ago with Larry Lessig and came out a technological freedom fighter of the first order.

His well-read, excellent Freedom to Tinker blog explains complex technology policy issues in clear and certain terms.

Felten has an interesting view of the brave new world we may be creating for ourselves if we continue to traipse happily along the current DRM path. He paints a picture of a future in which interoperability is hampered in the name of content protection -- where Pilot pens only work on Pilot paper, where Schick razors only work with Schick razor cartridges, where Garanimals shirts only stay tucked into Garanimals pants, where HP print cartridges only work in HP printers (hey wait...), and where Hollywood HD content only runs on Microsoft Vista computers. All of this gets enforced by secret cryptographic handshakes between things.

His argument is subtle and rests on the idea that DRM is less about protecting content (something that copyright law is supposed to do) and more about price discrimination and product lock-in. You can already see evidence of this today. Millions of iPod users are blithely unaware that they could store their music collections as mobile and "free" MP3 files instead of as Apple's crippled ACC files (which you can't even share easily with your spouse). Those of us in the know may use MP3, but we are a distinct minority.

Felten coined the term Property Rights Management as a way to co-opt the momentum behind the more standard DRM term and to properly invoke the ominous nature of the trend.

Goodbye Cruel Vista?
Right. Surely computer manufacturers would never follow some insidious Hollywood lead as a reaction to possible piracy of their valuable content, would they? According to my kiwi friend Peter Gutmann, the answer is yes.

Peter recently posted a technical working paper that raged into the mainstream in a fit of YouTube-like viral emailing. The "Executive Executive Summary" of his paper states, "The Vista Content Protection specification could very well constitute the longest suicide note in history," an allusion to '80s British politics. All humor aside, Peter paints a technically deep and profoundly disturbing picture of the ways in which Microsoft has adjusted Vista (even Vista's requirements) in order to support Hollywood's demand for "premium content protection."

He argues that protection of the HD content comes at a price payable in terms of system performance, stability, and cost. He further states that the design decisions that Microsoft has made ripple far beyond Vista to deeply impact "all hardware and software that will ever come into contact with Vista." Gutmann's document is really about collateral damage from radical DRM technology.

One example plucked from the many in Peter's paper describes how Vista is set up to covertly degrade HD signal "if premium content is present." The idea is to downgrade the signal using a "constrictor" so that the process directly impacts audio and video quality. (I assume that Peter means unlicensed HD content... not licensed content, but the constrictor seems to have been applied to his argument and I can't tell.)

The spec even calls for "slightly fuzzy" pictures and sound that are "fuzzy with less detail." The purpose may be to prevent the utterly simple ripping of perfectly pirated copies of copyrighted Disney content (and an opening run in the Chinese black market that nets $30,000 for a million copies).

But think about the implications for medical imaging. I sincerely hope that next time I have an MRI that they aren't playing some pirated "premium content" Tim McGraw CD to drown out the whirring of the spiraling emitter. (I wouldn't put it past the gum chewing, paid-by-the-hour technician though.)

This one example only begins to scratch the surface of Peter's paper which is well worth a read. He also describes (among other topics):

  • An interface for disabling premium hardware that does not support the crypto pipe
  • A system for overtly disabling some PC functionality dynamically
  • A plan to eliminate open source hardware support
  • The re-Balkanization of hardware drivers
  • A remote driver revocation capability (this one should be fun)
  • Serious economic impact in terms of hardware cost, CPU, and reliability

    If Peter were some raving lunatic, I would not point you to his stuff. Instead, Peter is the lionized creator of one of the world's best free crypto libraries. Plus he is an objective independent thinker who has proven over and over to be worth listening to. His perspective is worth considering.

    No matter whether Peter is right or wrong, it is worth gaining some understanding of the kinds of technical constraints we may be signing up for when we subscribe to iTunes or run Vista. The future of PRM is upon us, and it is quickly gaining ground inside the very computers we think of as our own. Time to invoke the brain...

    Gary McGraw is CTO of Cigital Inc. Special to Dark Reading

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon
    Current Issue
    5 Security Technologies to Watch in 2017
    Emerging tools and services promise to make a difference this year. Are they on your company's list?
    Flash Poll
    New Best Practices for Secure App Development
    New Best Practices for Secure App Development
    The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
    Slideshows
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2013-7445
    Published: 2015-10-15
    The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

    CVE-2015-4948
    Published: 2015-10-15
    netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

    CVE-2015-5660
    Published: 2015-10-15
    Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

    CVE-2015-6003
    Published: 2015-10-15
    Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

    CVE-2015-6333
    Published: 2015-10-15
    Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

    Dark Reading Radio
    Archived Dark Reading Radio
    In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.