Recently in DRM Category


July 18, 2009

As you may have heard, Amazon recently decided that they shouldn't have sold electronic copies of two George Orwell novels and deleted them from people's Kindles (found via TGDaily):
In George Orwell's "1984," government censors erase all traces of news articles embarrassing to Big Brother by sending them down an incineration chute called the "memory hole." On Friday, it was "1984" and another Orwell book, "Animal Farm," that were dropped down the memory hole - by

In a move that angered customers and generated waves of online pique, Amazon remotely deleted some digital editions of the books from the Kindle devices of readers who had bought them.

An Amazon spokesman, Drew Herdener, said in an e-mail message that the books were added to the Kindle store by a company that did not have rights to them, using a self-service function. "When we were notified of this by the rights holder, we removed the illegal copies from our systems and from customers' devices, and refunded customers," he said.

Amazon effectively acknowledged that the deletions were a bad idea. "We are changing our systems so that in the future we will not remove books from customers' devices in these circumstances," Mr. Herdener said.

Customers seem pretty surprised that Amazon has this capability, and I admit that I'm a little surprised that they have it as a built-in feature, but a Kindle isn't like a PC, or even an iPhone: it's basically a device that Amazon controls that you just happen to have in your hands. Here's how software updates from Amazon happen:

All Kindles are designed to automatically check for and download updates when one is available. If an update is available, your Kindle will download and install the update the next time the wireless connection is activated and Kindle goes into sleep mode.

During the update, you'll see screens that show the update progress. The update should take less than 10 minutes and is complete when Kindle displays the Home screen. Do not power off or reset your Kindle until the update is complete.

So, even if the current software load doesn't include remote control features, tomorrow's load could, and you don't really have the option of refusing the update.

Of course, this is just a generalization of what digital rights management software has always done: outsourced control of some of the functions of your computer to whoever (allegedly) has copyright over the contents you're displaying. With a typical DRM scheme this just extends to stopping you from making copies, maybe exporting to untrusted devices, etc., but you still generally have control of your own computer, and the terms don't suddenly change in unexpected ways after you've bought the thing. In principle, of course, Microsoft or Apple or whatever could force new updates on you, but in practice they always seem to ask you whether you want to install an update. But in the case of a Kindle, Amazon controls it more or less completely. As you've just seen, we don't have any real idea of what Amazon can do at the moment and as I said they can change the terms at any time.

Addendum: This is twice in a week that Amazon has had to walk back some customer-unfriendly move (the first was cracks in the case due to Amazon's protective cover, where Amazon was initially going to charge $200 to fix the screen). The general pattern from Amazon, and from companies in general (think Apple's $200 price cut on the first generation iPhone), seems to be that the vendor starts by ignoring fairly obvious customer dissatisfaction and then has to fold due to bad PR. Any readers have a sense of the cost/benefit analysis here? Do companies consciously decide to blow the customers off and figure they'll just weather the bad press, or is it one of those things where they just have lousy customer service policies and it doesn't get escalated to a high enough level until after the PR situation has gotten pretty bad?


June 26, 2009

Panasonic is improving their cameras to prevent you from installing third-party battery packs:
Panasonic Digital Cameras now include a technology that can identify a genuine Panasonic battery. For the protection of our customers Panasonic developed this technology after it was discovered that some aftermarket 3rd party batteries do not meet the rigid safety standards Panasonic uses.

Some of these aftermarket batteries are not equipped with internal protective devices to guard against overcharging, internal heating and short circuit. If these aftermarket battery packs were used, it could lead to an accident causing damage to your camera or personal injury.

Panasonic's Digital Camera firmware has been updated on this website to detect these aftermarket 3rd party batteries so such serious safety issues can be avoided.

Protecting the customer is basically the standard rationale that manufacturers use for this kind of lock-in technology. However, one can't help noticing that the third party batteries are dramatically cheaper than the Panasonic standard batteries, so I think you could be forgiven for thinking that they might have a bit of another interest here. [See Rescorla, Savage, Shacham and Spies from the CRYPTO 2008 Rump Session for another example of this.] And of course, if you want whatever bug fixes, improvements, etc. Panasonic added to the new firmware, you have to take the DRM as well.

A few questions seem worth asking:

  • Does Panasonic consider any third party batteries safe or can you only use Panasonic brand?
  • Does Panasonic give you some mechanism for overriding the firmware and using a "dangerous" battery if you want to?

If the answer to these questions is "yes", then this looks like a genuine case of consumer protection. Otherwise, you should at least suspect monopoly maintenance.

UPDATE: Fixed citation. I had the wrong rump session talk.


March 7, 2009

I understand that in-theater videotaping of movies is a major source of piracy, but it's hard to understand the threat model under which this is a useful technique:
In recent years, the problem of camcorder piracy in theaters has become more serious due to technical advances in camcorders. In this paper, as a new deterrent to camcorder piracy, we propose a system for estimating the recording position from which a camcorder recording is made. The system is based on spread-spectrum audio watermarking for the multichannel movie soundtrack. It utilizes a stochastic model of the detection strength, which is calculated in the watermark detection process. Our experimental results show that the system estimates recording positions in an actual theater with a mean estimation error of 0.44 m. The results of our MUSHRA subjective listening tests show the method does not significantly spoil the subjective acoustic quality of the soundtrack. These results indicate that the proposed system is applicable for practical uses.

OK, so let's say that this works as advertised: why does it help? The full article is behind a paywall, but I'm assuming the way this is supposed to work is that you wait for a pirated movie to show up on the file sharing network, and then what? Let's assume that each print is separately marked, so you can tell what theater it was taken in and what position the camera was in. I still see several problems.

First, you need to figure out which showing the video was taken at. The easiest way to do this is probably to inject a signal into either the audio or video. As I understand the situation, modern projection equipment generally uses digital audio, so I suppose it's possible that you can reprogram the projection system to add a time signal to the audio track somehow; if you're using digital projection you could probably add it to the video as well. Even so, it seems to me that this technique requires new equipment or at least new software on every theater. That's a pretty significant investment.

Second, you need to be able to go from the position of the camera in the theater to the person doing the taping. Even if we assume that the camera position and the perpetrator's position are the same, people typically sit within a half meter or so of each other, so in a packed theater, there are probably about 4-8 people who potentially did the taping. Or, rather, you now know what seat they were sitting in. But theaters don't typically know where people are sitting, so now we need some way to keep records of where people are sitting, which either means IDing customers and having assigned seating, photographic records of where people are sitting, or both. That's a major change in the way theaters do business.

Of course, even if the theaters (or rather the movie distributors or MPAA) did all this stuff, if they actually started going after pirates this way, it should be pretty easy to circumvent. The low tech countermeasure is just to put the microphone somewhere else in the theater. The high tech countermeasure is to use signal processing techniques to tamper with the time signal, remove the theater-specific watermarks, or just fuzz things enough to remove the information used for positioning. For that matter, when you go into the theater to pirate the film you could presumably—and this is pretty advanced stuff—wear some sort of disguise.

UPDATE: I should probably mention that there's a /. thread on this, which is where I originally saw it. The remote mike idea was suggested there, but it's pretty immediately obvious as soon as you hear about this technique.


February 2, 2009

From the NYT article on Obama's e-mail:
After all, Gov. Sarah Palin of Alaska found her e-mail account broken into and her messages posted online last year when she was running for vice president. Imagine a president's e-mail put on display for the whole world to see -- or perhaps just for the head of a hostile foreign intelligence service.

To minimize the risk, the government technology gurus have made it impossible to forward e-mail messages from the president or to send him attachments, people informed about the precautions say. His address is likely to be changed regularly as well. And the president's friends and staff members are being lectured about security.

So, it's trivial to stop people from sending him attachments. Your average email filtering system can do this no problem. Lecturing people about security is easy too (though probably futile). However, as far as anyone in the public computer security field knows, stopping me from forwarding e-mail that was sent to me is basically impossible. Once the email is available on a computer you control, you can do pretty much anything you want with it, including forward it. The only real exception to this is if the computer isn't really under your control, but is running software controlled by the government, which isn't really scalable. Even that's not enough: the government would need to replace your hardware with something that they control because otherwise you can modify the software to allow forwarding. That isn't to say one couldn't label mail with some "no forwarding" tag, it's just that your mail client wouldn't be required to obey it. Indeed, as far as I know there's no widely accepted tag like this, even for advisory purposes.

Even if it were possible to prevent you from forwarding emails from the president, it's not clear how this would prevent the threat described in the first paragraph. OK, so you can't forward the message, but nothing stops you from just whipping out your camera and taking a picture of the screen and sending that to the New York Times, foreign intelligence service, etc. Remember that that's just digital information too, so it's pretty much equally easy to forward. Even if we imagine that a digital photo is problematic for some reason [technical note: sometimes people propose schemes designed to make it difficult to photograph or videotape movies, etc. Generally the idea is to exploit some misfeature of the recording sensor, that isn't an issue in ordinary recording scenarios.] there's nothing stopping you from having a second computer which you use to—and this might be too sophisticated for some attackers—retype the entire message and send it to someone else.

Neither you nor I is ever likely to receive an email from the president, so this isn't a very cosmic issue. However, a very similar delusion, namely that you can stop people from making copies of the music and videos you sell them, has been the cause of a very large amount of inconvenience for users, so it's not trivial to get this right either. I suspect that pretty much any computer security person (Alex Halderman, call your office) the reporters had talked to would have dumped cold water on this claim, but I also suspect that they didn't even know enough about computers or think about the threat model enough to be suspicious; they just wrote it down. I wonder what would have happened if someone had told these reporters that in the future Air Force One would be powered by perpetual motion machines?


January 31, 2009

A while back I wrote about Blizzard's suit against MDY, which produces a WoW bot called Glider. Blizzard sued MDY and the judge in the case just ruled that MDY violated the DMCA. (Ars Technica article here; ruling here, link thanks to Joseph Calandrino). I'm not a lawyer but as far as I can tell from reading the ruling, the reasoning is that the visual and audio elements that emerge from the act of playing WoW constitute a copyrighted work, the warden (WoW's anti-bot measure) controls access to that copyrighted work, and Glider allows you to circumvent that access control, hence it violates the DMCA anti-circumvention provisions.

It's interesting to ask how far you could extend this reasoning. Consider this alternate design for a WoW bot: you run WoW in a VM and then have your bot interact with the VM to scrape the screen, simulate key and mouse presses, etc. [This was originally suggested to me by Terence Spies.] The warden can't detect your bot because it's shielded by the VM (it might detect the VM, but there are legitimate reasons to run WoW in a VM). The VM itself isn't a DMCA violation because it has significant legitimate uses. The bot doesn't have to specifically have any anticircumvention measures to avoid the warden; it just processes the video output and simulates user input. Would the same reasoning still apply in this case?


January 26, 2009

Rep. Peter King (R-NY) has introduced the Camera Phone Predator Act that would require camera phones to emit an audible indication whenever a picture is taken:
Congress finds that children and adolescents have been exploited by photographs taken in dressing rooms and public places with the use of a camera phone.

(a) Requirement- Beginning 1 year after the date of enactment of this Act, any mobile phone containing a digital camera that is manufactured for sale in the United States shall sound a tone or other sound audible within a reasonable radius of the phone whenever a photograph is taken with the camera in such phone. A mobile phone manufactured after such date shall not be equipped with a means of disabling or silencing such tone or sound.
(b) Enforcement by Consumer Product Safety Commission- The requirement in subsection (a) shall be treated as a consumer product safety standard promulgated by the Consumer Product Safety Commission under section 7 of the Consumer Product Safety Act (15 U.S.C. 2056). A violation of subsection (a) shall be enforced by the Commission under section 19 of such Act (15 U.S.C. 2068).

OK, so the value proposition for this is something like "protects children (think of the children!) from surreptitious photography". Except that it doesn't, because the bill doesn't apply to cameras that aren't phones, which can be made just as small as camera phones, so if you're willing to plonk down $150 or so for a compact camera, you can evade this restriction and get much higher quality pictures. So, we need to sharpen the value proposition somewhat, to something like "protects children from surreptitious photography by people without digital cameras."

And of course, despite the "no disabling" provision, it's not like the tone is an essential function of the camera like the sound of a physical shutter release, it's just a speaker. So, unless you're going to totally redesign the phone, the miscreants can just open the phone, disable the speaker, and go to town. It's true this does render your phone useless as a phone, but seeing as used Motorola Razrs (remember, you don't need to connect it to the network) go for $30 or so on eBay, this isn't much of a problem. We need to revise the value proposition yet again to something like "protects children from surreptitious photography by people without digital cameras or who don't have $30 and a screwdriver."

Actually, it's even worse than that. Since newer camera phones will do video recording, it's going to be pretty unacceptable to have the phone making an annoying noise the whole time it's being used. So, now we've got something like "protects children from surreptitious photography by people without digital cameras or who don't have $30 and a screwdriver, and whose camera phones don't take video." And let's not even talk about people who are willing to replace the software on their phones.

Other than that, this seems like a great idea.

Acknowledgement: I borrowed this argument technique from Allan Schiffman.


August 21, 2008

Hovav Shacham, Stefan Savage, Terence Spies and I have been working on some exciting, exciting technology in the field of paper cryptography and we were pleased to present it at the CRYPTO Rump Session. Slides here.

December 7, 2007

You know, I never thought that I would need to worry about hard drive neutrality. When I first heard about this I just sort of assumed it would be something vaguely sensible that people were overreacting to, but no, when you go to the site it sure seems to be true.
Due to unverifiable media license authentication, the following file types cannot be shared by different users using WD Anywhere Access.

If these file types are on a share on the WD My Book World Edition system and another user accesses the share, these files will not be displayed for sharing. Any other file types can be shared using WD Anywhere Access.

The list includes: MP3, AVI, WMA, AAC, etc. Outstanding!


October 30, 2007

Terence Spies pointed me to this item from the AACS licensing association:
AACS LA announces that it has started periodic "proactive renewals", which, primarily for software player applications, provide for periodic renewal and refreshing of AACS encryption keys by licensed manufacturers and eventual expiration of old keys by AACS LA. This helps maintain the AACS technology as a vital means of distributing valuable high definition content to consumers. Consumers should expect that updates/patches will be periodically offered by their software manufacturer in order to ensure that the players continue to function as intended. The upgrading of software is a common practice in the software industry. Pursuant to the AACS technology licenses, manufacturers of software players are required to perform such updates in a consumer-friendly fashion.
In other words, if you don't update, you won't be able to play new disks. That's not exactly a customer-friendly value proposition.

As I said earlier, this seems like an arms race that's going to be pretty hard for the manufacturers to win. It's really inconvenient for the customers to have to upgrade their players, and it's not like each new release is a simple matter of changing the key and respinning the distribution. If you want to stop the crackers from immediately extracting the key, you need to re-obfuscate the binaries so that they have to attack the binary again. The combination is not cheap for the manufacturers.

In other news, Antigua-based Slysoft claims to have cracked Blu-Ray's BD+ copy protection.


September 23, 2007

Apparently the iPod SHA-1 thingamajig has been reverse engineered. As I said earlier, I'm not convinced that this actually was intended to lock down the iPod. However, it's interesting to ask how one would actually do that in a way that was harder to reverse engineer.

Two goals were ascribed to the alleged SHA-1 in the database:

  • Stop any programs other than iTunes from managing the iPod.
  • Lock the iPod to a specific instance of iTunes.

If all you have is a hammer, everything looks like a nail, and if you're a COMSEC guy, problems like this bring crypto to mind. At a high level, there are two cryptographic strategies for this kind of job: encrypt the database which is then decrypted by the iPod/iTunes or apply an integrity check which is checked by the iPod/iTunes. Each of these have advantages in some contexts, but we can treat them mostly the same for the purposes of our discussion, so without loss of generality, let's talk about an integrity check.

The difficulty, as with most cryptographic contexts, is key management. We want to make sure that only legitimate copies of iTunes can produce databases that the iPod can verify, which means that iTunes has to contain a key that isn't known to third party developers. There are two options here: all copies of iTunes have the same key—this is basically the same as a fixed, secret, integrity check function or one over unknown data, i.e., the situation we have now. Any system of this type is very vulnerable to key extraction via reverse engineering. Once you have the key (or the function) you can write your own program.

The other approach is to use a separate key for each copy of iTunes. When a new iPod is attached to iTunes, it gets a copy of the key (imprinted). The most attractive mechanism here is probably to use public key cryptography and put the public key on the iPod. The key can even be signed by Apple to avoid false imprinting. Then all database updates are signed and the iPod verifies them. Of course, you can still mount a reverse engineering attack and extract the key from a single copy of iTunes, but then we're in an arms race where Apple can program new iPods to ignore that key, thus forcing the third-party software authors to constantly change keys.1

Another strategy for the attacker is not to extract a single key but rather to have the third-party software extract keys from a valid copy of iTunes, though this is obviously a bit inconvenient if you don't want to be involved with Apple's software at all.

If this sounds like the kind of issues you have with DRM, it is. And like DRM, the attacker has an enormous advantage as long as your system is software only and he's prepared to reverse engineer it. The situation changes a lot if you are willing to have trusted hardware (in this case on the host computer) but that would be a big change for Apple.

1. If Apple is willing to force people to register online, you can make detection and revocation of extracted keys much more efficient.
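To make the per-copy key design concrete, here is a small model of it in Go, added here as an illustration; it is not Apple's protocol and not code from the post. The vendor holds a root key and certifies each installed copy's public key; the device (the iPod) imprints on the first certified key it sees, verifies every later database update against that key alone, and rejects any key on a revocation list baked into its firmware, which is the arms race from the text and footnote 1. Every type and function name (Vendor, Player, Device, Imprint, AcceptDatabase) is hypothetical, and the database bytes are a constructed sample.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Hypothetical model of the imprinting design sketched in the post; not Apple's real iPod/iTunes protocol.

var (
	ErrBadCert      = errors.New("player key not certified by vendor")
	ErrRevoked      = errors.New("player key revoked by vendor")
	ErrNotImprinted = errors.New("device has not been imprinted")
	ErrBadSig       = errors.New("database signature invalid")
)

func genKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no entropy; nothing sensible to do in a demo
	}
	return pub, priv
}

// Vendor plays Apple's role: a root key that certifies each player's key.
type Vendor struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewVendor() *Vendor {
	pub, priv := genKey()
	return &Vendor{Pub: pub, priv: priv}
}

// Player is one installed copy of the desktop software (iTunes in the post).
// Each copy has its own key pair plus the vendor's signature over its public key.
type Player struct {
	Pub  ed25519.PublicKey
	Cert []byte // vendor signature over Pub; nil for software the vendor never certified
	priv ed25519.PrivateKey
}

func (v *Vendor) IssuePlayer() *Player {
	pub, priv := genKey()
	return &Player{Pub: pub, Cert: ed25519.Sign(v.priv, pub), priv: priv}
}

// RoguePlayer is a third-party tool that generated its own key and so has no certificate.
func RoguePlayer() *Player {
	pub, priv := genKey()
	return &Player{Pub: pub, Cert: nil, priv: priv}
}

// SignDatabase signs the hash of a database update.
func (p *Player) SignDatabase(db []byte) []byte {
	h := sha256.Sum256(db)
	return ed25519.Sign(p.priv, h[:])
}

// Device is the iPod: it ships with the vendor root key and a revocation list
// in its firmware, and remembers the one key it was imprinted with.
type Device struct {
	vendorPub ed25519.PublicKey
	revoked   map[string]bool
	imprinted ed25519.PublicKey
}

func NewDevice(vendorPub ed25519.PublicKey, revoked []ed25519.PublicKey) *Device {
	d := &Device{vendorPub: vendorPub, revoked: map[string]bool{}}
	for _, k := range revoked {
		d.revoked[string(k)] = true
	}
	return d
}

// Imprint runs on first attach: accept the player's key only if the vendor
// certified it and this firmware has not revoked it.
func (d *Device) Imprint(p *Player) error {
	if !ed25519.Verify(d.vendorPub, p.Pub, p.Cert) {
		return ErrBadCert
	}
	if d.revoked[string(p.Pub)] {
		return ErrRevoked
	}
	d.imprinted = p.Pub
	return nil
}

// AcceptDatabase checks a database update against the imprinted key only.
func (d *Device) AcceptDatabase(db, sig []byte) error {
	if d.imprinted == nil {
		return ErrNotImprinted
	}
	h := sha256.Sum256(db)
	if !ed25519.Verify(d.imprinted, h[:], sig) {
		return ErrBadSig
	}
	return nil
}

func main() {
	vendor := NewVendor()
	itunes := vendor.IssuePlayer()
	ipod := NewDevice(vendor.Pub, nil)
	db := []byte("constructed sample database: track list v1")
	fmt.Println("imprint certified copy:", ipod.Imprint(itunes))
	fmt.Println("accept signed update:", ipod.AcceptDatabase(db, itunes.SignDatabase(db)))
	fmt.Println("accept tampered update:", ipod.AcceptDatabase([]byte("tampered"), itunes.SignDatabase(db)))
	fmt.Println("imprint uncertified tool:", NewDevice(vendor.Pub, nil).Imprint(RoguePlayer()))
	// A key extracted from one copy keeps working until newer firmware revokes it.
	extracted := &Player{Pub: itunes.Pub, Cert: itunes.Cert, priv: itunes.priv}
	fmt.Println("old firmware, extracted key:", NewDevice(vendor.Pub, nil).Imprint(extracted))
	fmt.Println("new firmware, extracted key:", NewDevice(vendor.Pub, []ed25519.PublicKey{itunes.Pub}).Imprint(extracted))
}
```

The model shows why the design only moves the problem: a second certified copy of the software cannot update a device imprinted on the first, and an uncertified tool cannot imprint at all, but anyone who extracts one copy's private key and certificate is indistinguishable from that copy until the vendor ships firmware that lists the key as revoked. The revocation list here is static per firmware image; the online registration the footnote mentions would let the vendor distribute it faster.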