Schneier on Security
A blog covering security and security technology.
« Database Error Causes Unbalanced Budget |
| Friday Squid Blogging: Giant Squid Sex Life »
February 17, 2006
"Lessons from the Sony CD DRM Episode"
"Lessons from the Sony CD DRM Episode" is an interesting paper by J. Alex Halderman and Edward W. Felten.
Abstract: In the fall of 2005, problems discovered in two Sony-BMG compact disc copy protection systems, XCP and MediaMax, triggered a public uproar that ultimately led to class-action litigation and the recall of millions of discs. We present an in-depth analysis of these technologies, including their design, implementation, and deployment. The systems are surprisingly complex and suffer from a diverse array of flaws that weaken their content protection and expose users to serious security and privacy risks. Their complexity, and their failure, makes them an interesting case study of digital rights management that carries valuable lessons for content companies, DRM vendors, policymakers, end users, and the security community.
Posted on February 17, 2006 at 2:11 PM
• 20 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"... triggered a public uproar"
Really? I don't think the majority of the public really understands what a rootkit is. How can there even BE public uproar?
Public uproar would be nice, as market forces would solve problems such as this.
I guess I'll read the paper now.
Even my Mom knew about the Sony Rootkit and asked me about it... I think it is safe to say it is common knowledge.
“users don't know what a rootkit is, and therefore, don't care." - attributed to a Sony executive during an NPR interview.
@McGavin - I assume you're joking or haven't been following the story. Check out Groklaw, SysInternals, or freedom to tinker on this subject. If you prefer to hear from litigants, try the ACLU or the State of Texas.
Knowing about something is not the same as having being in an uproar. Neither is "being concerned" about something.
Is the average PC user more upset that the Sony DRM may cause them problems or that it was intrusive, "hacky", and potentially illegal?
I'm just commenting on the use of the phrase "public uproar." I'm not convinced that the public cares. I believe the Sony executive is right when he says that users don't know what a rootkit is and therefore don't care. Does that mean Sony has a valid excuse? Heck NO!
I've followed the story. I don't see public uproar. I would think that public uproar warrants more than an ACLU lawsuit.
I think the biggest lesson learned from this is that, without understanding the technical details, the public reacts to the language used to describe a situation.
For example, "rights management software" sounds good. But add "malware", "rootkit", and "infection" to the equation and suddenly it doesn't sound so good anymore.
The music industry has chosen the term "content protection" for a reason--because it sounds reasonable. Copyrighted materials should be protected, after all. And that's why copyright laws have existed for longer than Sony has existed--they are content protection.
Imagine if music players started warning that DRM'd music was "sabotaged" and may suddenly stop working under some circumstances. Instead of a little key icon for secure, it could show a little timebomb icon for risky. Suddenly people would be more interested in this whole DRM debate. As long as the industry chooses the terminology, they will win. Sony just lost control of the terminology for a few weeks. They'll have it back soon enough.
Fair enough; one could have various defintions of "public uproar".
I count 6 lawsuits, one of which is tenatively settled (New York, class action).
I won't buy another Sony disc ever.
Off Topic: I like the sudden switch to full content in the RSS feeds. That is very nice for two reasons - it lets me scan feeds without interruption, and the copies I retain are subject to full-text indexing with Windows Desktop Search.
And I always know that I can come to the site to see the spirited discussion in the comments.
Seems like all like to assume that everyone is like "you". Those who choose to come to this site knows what is "rootkit", "DRM" etc etc.
But anyone who only uses the computer and uses what comes with it (the common OS) and using it for mostly for all sorts of games, mp3 etc. etc. probably DO NOT know (or care) what a rootkit is.
Just look at the amount of virus that may be in their system, you think another rootkit will make a difference to them?
Just like the linux chap who think that the CLI is cool and everyone else on this planet thinks the same as him/her. This is a joke that we all must first recognise :-)
You seem to associate "majority" with "uproar". From my own experience, the majority of the public don't have to know about something for there to be an uproar. Based on what I read in the public press, there was enough noise about this incident to term it an "uproar".
It certainly caused Sony to change their tack. In fact now Homeland Security wants to outlaw rootkits. The ripples haven't died down yet.
"Their complexity, and their failure, makes them an interesting case study of digital rights management that carries valuable lessons for content companies, DRM vendors, policymakers, end users, and the security community."
No, the content companies and the DRM vendors won't learn anything from it. They just try it again in another way, until they are successfully sued. Even then others will come and think that your computer is their property when their software is running on it.
BTW: Now we have the Sony/BMG XCP, Mediamax, the Alpha-DVD on german versions of Mr&Mrs Smith, Starforce on more and more games... any of them deeply and partly invisibly installing into the system, trying to control the CD drives, without clean uninstall functions. Has anyone ever tried what happens to the Windows machine when some or even all of them are installed on it at the same time? Maybe in different install orders? I'm sure THIS would give even more valuable lessons.
I, too, think the public outcry counts as an "uproar."
Wait just a minute!...
"...in-depth analysis of these technologies, including their design, implementation, and deployment."
"..makes them an interesting case study..."
You mean that these guys actually *reversed engenieered* that contraption?!? Oh boy Oh boy!!! Look ma'! I'm waiting for the XCP guys rub DMCA in J. Alex Halderman and Edward W. Felten noses!!! And i'm not even seatting!!
I won't buy another Sony disc ever.
"Oh boy!!! Look ma'! I'm waiting for the XCP guys rub DMCA in"
If they have any sense they probably won't. A lot of DMCA stuff has not gone down the expected path. Some Judges have shown an uncommon amount of "common sense" and a lot of them clearly do not like DMCA.
So XCP goes to court what can go wrong for them, first off it puts a lot of their "secret" technology into the public domain (woops) and the case may well go against them, setting a president that effectivly closes them and others in their industry down.
An established company might well think twice when faced with those risks. If as the report indicates XCP is an imature "young guns" organisation then they might well find their nose gets put out of joint.
People are okay with "digital rights management" and "content protection."
But they're not okay with stuff messing with their computer, no matter what you call it. I think that's the big think RM folks (like the companies using StarForce) don't quite get. I buy a game or an album, it's only one thing among many that I use my computer for (and some of those things are way more important to me than a tiny slice of commoditized entertainment). Screwing up those other things is not okay. Doing it silently is actionable. if I was an AG, I would threaten criminal charges, and start planning my campaign for Governor...
One thing to use as a measure of how widely understood this issue was is the stock price of Sony. It is up around 40% since the news broke. In contrast, the delay reported for releasing PS3 has caused the stock to fall.
Another issue with ActiveX-based uninstallers is that they might not work when a PC does not have Internet access. A standalone uninstaller application, on the other hand, could be downloaded to removable media and then used on a non-networked PC.
On the packaging for a certain PC game, there was a note about the copy protection used by the game. It was mentioned that the copy protection might interfere with certain virtual drives, among other things. This note may or may not have been added as a result of the Sony CD DRM episode. Of course, the copy protection might have other issues that were not mentioned.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.