

05:00 AM

Hurray for Hollywood!?

Why only total control will satisfy content providers (and Microsoft and Apple)

One day soon you will be able to watch Blu-ray and HD-DVD movies on your Wintel PC (well, as soon as the audio-video device manufacturers line up and play by the draconian rules Microsoft is imposing on anyone who wants to support Vista), but this capability comes at a serious price.

When Microsoft bows to the will of Hollywood in the name of "premium content protection," design decisions in Vista get hairy, and the Vista user experience gets crippled as an unintended side effect. Maybe Microsoft is going too far in its pursuit of hard-core data security. But why would it do that? Three letters: DRM.

Felten Forecasts the Future
Princeton Professor Ed Felten is a sane voice in the often arcane world that has grown up at the intersection of public policy and technology. Made famous by his early work in Java security (which we collaborated on) and his work with the Department of Justice in the Microsoft antitrust trial, Professor Felten took a sabbatical at Stanford Law School some years ago with Larry Lessig and came out a technological freedom fighter of the first order.

His well-read, excellent Freedom to Tinker blog explains complex technology policy issues in clear and certain terms.

Felten has an interesting view of the brave new world we may be creating for ourselves if we continue to traipse happily along the current DRM path. He paints a picture of a future in which interoperability is hampered in the name of content protection -- where Pilot pens only work on Pilot paper, where Schick razors only work with Schick razor cartridges, where Garanimals shirts only stay tucked into Garanimals pants, where HP print cartridges only work in HP printers (hey wait...), and where Hollywood HD content only runs on Microsoft Vista computers. All of this gets enforced by secret cryptographic handshakes between things.

His argument is subtle and rests on the idea that DRM is less about protecting content (something that copyright law is supposed to do) and more about price discrimination and product lock-in. You can already see evidence of this today. Millions of iPod users are blithely unaware that they could store their music collections as portable and "free" MP3 files instead of as Apple's DRM-wrapped AAC files (which you can't even share easily with your spouse). Those of us in the know may use MP3, but we are a distinct minority.

Felten coined the term Property Rights Management as a way to co-opt the momentum behind the more standard DRM term and to properly invoke the ominous nature of the trend.

Goodbye Cruel Vista?
Right. Surely computer manufacturers would never follow some insidious Hollywood lead in reaction to possible piracy of its valuable content, would they? According to my kiwi friend Peter Gutmann, the answer is yes.

Peter recently posted a technical working paper that raged into the mainstream in a fit of YouTube-like viral emailing. The "Executive Executive Summary" of his paper states, "The Vista Content Protection specification could very well constitute the longest suicide note in history," an allusion to '80s British politics. All humor aside, Peter paints a technically deep and profoundly disturbing picture of the ways in which Microsoft has adjusted Vista (even Vista's requirements) in order to support Hollywood's demand for "premium content protection."

He argues that protection of the HD content comes at a price payable in terms of system performance, stability, and cost. He further states that the design decisions that Microsoft has made ripple far beyond Vista to deeply impact "all hardware and software that will ever come into contact with Vista." Gutmann's document is really about collateral damage from radical DRM technology.

One example plucked from the many in Peter's paper describes how Vista is set up to covertly degrade an HD signal "if premium content is present." The idea is to downgrade the signal using a "constrictor," a process that directly impacts audio and video quality. (I assume Peter means unlicensed HD content rather than licensed content, but the way the constrictor figures in his argument leaves me unable to tell.)

The spec even calls for "slightly fuzzy" pictures and sound that is "fuzzy with less detail." The purpose may be to prevent the utterly simple ripping of perfect pirated copies of copyrighted Disney content (and an opening run in the Chinese black market that nets $30,000 for a million copies).
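To make the mechanism concrete, here is a small model (an added illustration, not code from Vista, from Microsoft, or from Gutmann's paper) of the two pieces described above: Felten's "secret cryptographic handshake between things," and a constrictor that degrades premium content when the handshake fails. The host authenticates the output device with an HMAC challenge-response over a fresh nonce; a device without the licensed key, or one that merely replays a response it captured earlier, fails the handshake and gets the fuzzy signal. The shared key, device names and the averaging constrictor are all assumptions for illustration.

```python
"""Toy 'protected output path': a host only sends premium content at full
quality to an output device that proves possession of a licensed key.
Constructed example, not Vista's actual content-protection code."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional

# Constructed secret standing in for a licensed-device key (assumption).
LICENSED_DEVICE_KEY = b"example-licensed-output-key"


@dataclass
class OutputDevice:
    name: str
    key: Optional[bytes]  # None models a device that never received a licence

    def respond(self, nonce: bytes) -> bytes:
        """Answer the host's challenge with HMAC-SHA256(key, nonce)."""
        if self.key is None:
            return b"\x00" * 32  # an unlicensed device cannot compute the MAC
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


class ReplayingDevice(OutputDevice):
    """Device that sniffed one valid response and replays it to every challenge."""

    def __init__(self, name: str, captured_response: bytes):
        super().__init__(name, None)
        self.captured_response = captured_response

    def respond(self, nonce: bytes) -> bytes:
        return self.captured_response


def authenticate(device: OutputDevice,
                 expected_key: bytes = LICENSED_DEVICE_KEY,
                 nonce: Optional[bytes] = None) -> bool:
    """Host side of the handshake: fresh nonce, constant-time comparison."""
    nonce = nonce if nonce is not None else os.urandom(16)
    expected = hmac.new(expected_key, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, device.respond(nonce))


def constrict(samples: List[int], factor: int = 4) -> List[int]:
    """The 'constrictor': average each run of `factor` samples, throwing
    away detail so the output is 'slightly fuzzy'."""
    out = []
    for i in range(0, len(samples), factor):
        chunk = samples[i:i + factor]
        out.append(sum(chunk) // len(chunk))
    return out


def render(samples: List[int], premium: bool, device: OutputDevice) -> List[int]:
    """Pass non-premium content through untouched; pass premium content at
    full quality only if the device passes the handshake."""
    if not premium or authenticate(device):
        return list(samples)
    return constrict(samples)


if __name__ == "__main__":
    signal = [10, 20, 30, 40, 50, 60, 70, 80]  # constructed 8-sample 'frame'
    licensed = OutputDevice("licensed-monitor", LICENSED_DEVICE_KEY)
    rogue = OutputDevice("unlicensed-capture-card", None)
    print(render(signal, premium=True, device=licensed))   # full quality
    print(render(signal, premium=True, device=rogue))      # constricted
    print(render(signal, premium=False, device=rogue))     # not premium: untouched
```

The point worth noticing is that the policy gate, not the cryptography, is what crosses over into "property rights management": the same handshake that keeps a pirate's capture card from getting a clean signal also keeps a perfectly legitimate but unlicensed device from ever working at full quality.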

But think about the implications for medical imaging. I sincerely hope that next time I have an MRI they aren't playing some pirated "premium content" Tim McGraw CD to drown out the whirring of the spiraling emitter. (I wouldn't put it past the gum-chewing, paid-by-the-hour technician, though.)

This one example only begins to scratch the surface of Peter's paper, which is well worth a read. He also describes (among other topics):

  • An interface for disabling premium hardware that does not support the crypto pipe
  • A system for overtly disabling some PC functionality dynamically
  • A plan to eliminate open source hardware support
  • The re-Balkanization of hardware drivers
  • A remote driver revocation capability (this one should be fun)
  • Serious economic impact in terms of hardware cost, CPU, and reliability

If Peter were some raving lunatic, I would not point you to his stuff. Instead, Peter is the lionized creator of one of the world's best free crypto libraries. Plus, he is an objective, independent thinker who has proven over and over to be worth listening to. His perspective is worth considering.

No matter whether Peter is right or wrong, it is worth gaining some understanding of the kinds of technical constraints we may be signing up for when we subscribe to iTunes or run Vista. The future of PRM is upon us, and it is quickly gaining ground inside the very computers we think of as our own. Time to invoke the brain...

Gary McGraw is CTO of Cigital Inc. Special to Dark Reading
