consulting question....
Ray Dillinger
bear at sonic.net
Tue May 26 16:37:49 EDT 2009
At a dinner party recently, I found myself discussing the difficulties
of DRM (and software that is intended to implement it) with a rather
intense and inquisitive woman who was very knowledgeable about what
such software is supposed to do, but simultaneously very innocent of
the broad experience of such things that security people have had.
She was eager to learn, and asked me to summarize what I said to her
in an email. So I did....
And it turns out that she is an executive in a small company which is
now considering the development of a DRM product. I just got email
from her boss (the CEO) offering to hire me, for a day or two
anyway, as a consultant. If I understand correctly, my job as
consultant will be to make a case to their board about what hurdles
of technology and credibility that small company will find in its
path if it pursues this course.
So now I need to go from "Dinner party conversation" mode to
"consultant" mode and that means I need to be able to cite specific
examples and if possible, research for the generalities I explained
over dinner. I'll be combing Schneier's blog and using Google to
fill in details of examples I've already cited to get ready for
this, but any help that folks could throw me to help illustrate
and demonstrate my points (the paragraphs below) will be much
appreciated.
I explained to her that the typical experience of "monitored" or
"protected" software (software modified for DRM enforcement) is that
some guy in a randomly selected nation far outside the jurisdiction
of your laws, using widely available tools like debuggers and hex
editors, makes a "cracked" copy and distributes it widely, and
that current efforts in the field seem more focused on legislation
and international prosecutions than on software technology. Software-
only solutions, aside from those involving a "Trusted Computing Module"
(which their proposed project does not - She seemed unaware of both
the Trusted Computing Platform and the controversy over it) are no
longer considered credible. I cited the example of DeCSS, whose
crack of players for DRM'd movies used techniques generally
applicable to any form of DRM'd software.
I explained that in the worst case, such software works by making
unacceptable compromises of security or autonomy on the machines where
it is installed, citing the infamous and widespread Sony Rootkit, (and
IMO also the TCM system, but I didn't go into that messa worms at
dinner) and that these compromises usually become public and do
serious damage to both the credibility of DRM systems generally and
the cash flow of the companies that perpetrate them (ISTR Sony wound
up losing something over 6 million in the US judgement alone on that
one, and spent considerably more than that on legal fees in the US
and several other nations).
Finally, I explained the "cheap" attacks available to a sysadmin who
does not want his DRM'd software reporting its usage statistics; for
example having a firewall that filters outgoing packets.
Does anyone feel that I have said anything untrue?
Can anyone point me at good information uses I can use to help prove
the case to a bunch of skeptics who are considering throwing away
their hard-earned money on a scheme that, in light of security
experience, seems foolish?
Ray Dillinger
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list