1
The Sony CD DRM Debacle
A case study of digital rights management
2
Overview:
DRM Goals
XCP
MediaMax
Defeating
Software Engineering Code of Ethics and the principles that were broken
Lawsuit
3
Goals of DRM
The primary goals of a DRM system are to protect and enable the business models of the record label and the DRM vendor.
Lessons from the Sony CD DRM Episode (pg 2)
4
Record Label Goals
Overall purpose is to increase profit.
  Increase sales
    Limit disc-to-disc copying
    Limit local copying
  Get software onto users' computers
  Sell advertising
  Gather and sell information about users
Lessons from the Sony CD DRM Episode (pg 2, 3)
5
DRM Vendor Goals
Maximize price for DRM software by creating value for the record label
Survive
  Smaller companies need to take more risk
Maximize installed base
  Need to get major recording labels on board
  Become THE DRM used, beat out other vendors
Lessons from the Sony CD DRM Episode (pg 3)
6
CD DRM Systems
Must play on ordinary CD players
Limited readability by computers
Must prevent copying on computer without permission
DRM's software must give access to music
DRM software must be installed somehow
  Autorun on Windows computers
  Must be intentionally run by user on Mac
DRM software must recognize the DRM discs
Lessons from the Sony CD DRM Episode (pg 4)
7
XCP
Relies on the autorun feature of Windows
  Commands in autorun.inf on CD executed
  Autorun commonly used to display splash screens and initiate installation of programs
  MacOS does not use autorun; user must manually run installer
XCP protected discs contain two sessions
  Music session
  DRM content session
Lessons from the Sony CD DRM Episode (pg 5)
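The slide says the commands in autorun.inf are executed on insertion. The following script is an added example, not part of the slides or of the Halderman/Felten paper: it parses an autorun.inf and lists what Windows AutoRun would launch (the open, shellexecute and shell verb entries of the [autorun] section), so a disc can be triaged on a machine with AutoRun disabled before it is inserted anywhere else. The function name Get-AutorunCommands and the sample autorun.inf are constructed for illustration.

```powershell
# Added example (not from the slides): list the commands an autorun.inf would
# cause AutoRun to execute. Only the [autorun] section is honoured by Windows;
# 'open' and 'shellexecute' run on insertion, 'shell' selects the default verb
# and 'shell\<verb>\command' defines verbs shown in the drive's context menu.
function Get-AutorunCommands {
    param(
        [Parameter(Mandatory)] [string[]] $Lines   # autorun.inf contents, one line per element
    )
    $section = ''
    $found = @()
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }       # blank line or comment
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1].ToLower(); continue }
        if ($section -ne 'autorun') { continue }                      # ignore other sections
        $parts = $line -split '=', 2
        if ($parts.Count -ne 2) { continue }
        $key   = $parts[0].Trim().ToLower()
        $value = $parts[1].Trim()
        switch -Regex ($key) {
            '^open$'               { $found += [pscustomobject]@{ Key = $key; Command = $value; Effect = 'run on insertion' } }
            '^shellexecute$'       { $found += [pscustomobject]@{ Key = $key; Command = $value; Effect = 'ShellExecute on insertion' } }
            '^shell\\.+\\command$' { $found += [pscustomobject]@{ Key = $key; Command = $value; Effect = 'context-menu verb' } }
            '^shell$'              { $found += [pscustomobject]@{ Key = $key; Command = $value; Effect = 'default verb on double-click' } }
        }
    }
    return $found
}

# Constructed sample resembling a disc that launches an installer on insertion.
$sample = @'
[autorun]
open=Contents\Launch.exe /autorun
icon=Contents\Disc.ico
shell\play\command=Contents\Player.exe %1
shell=play
'@ -split "`r?`n"

Get-AutorunCommands -Lines $sample | Format-Table -AutoSize

# For a real disc, from a machine where AutoRun is already disabled:
# Get-AutorunCommands -Lines (Get-Content 'D:\autorun.inf')
```

The sample reports two entries that matter for triage: the 'open' line, which is what runs the moment the disc is inserted on a host with AutoRun enabled, and the 'play' verb, which runs only when a user chooses it. Paths are relative to the disc root, so the referenced executables can be copied off and examined without ever letting AutoRun run them.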
8
Two Session Disc
http://www.fadden.com/cdrpics/data-surface-3.jpg
9
XCP (continued)
Unprotected time between disc insertion and protection software installed
User required to agree to End User License Agreement (EULA)
Software is then installed
CD can now be played
If user declines, CD immediately ejected
Lessons from the Sony CD DRM Episode (pg 6,7)
10
XCP (continued)
Temporary protection auto-loaded on CD insertion – not installed
Uses blacklist of applications known for burning/ripping
Loads window displaying any blacklisted applications running
Will not continue until blacklisted apps are closed
Lessons from the Sony CD DRM Episode (pg 7)
11
XCP (continued)
Lessons from the Sony CD DRM Episode (pg 6)
12
MediaMax
Also uses autorun
Also utilizes multi-session discs
Temporary protection more invasive
  Immediately installs protection software
  Temporarily activates protection software
  This happens even if EULA is declined
Lessons from the Sony CD DRM Episode (pg 5,7)
13
Defeating the Copy Protection
Mark the data session (with a marker)
Hold shift key while inserting
Disable auto-run
Use alternative operating system
  Linux
  Mac
Lessons from the Sony CD DRM Episode (pg 5)
14
Marking the CD
http://www.fadden.com/cdrpics/data-surface-3.jpg
15
Hold down shift key while inserting disk
16
Disabling Auto-Run
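Disabling AutoRun is the mitigation this slide names. The script below is an added example, not from the slides: it sets the NoDriveTypeAutoRun policy value, whose bit mask selects the drive types AutoRun is suppressed for (0x20 is CD-ROM alone; 0xFF covers every drive type), and then reads it back. The helper names Disable-AutoRun and Test-AutoRunDisabled are constructed for this example; the registry path and value name are the documented Windows policy location.

```powershell
# Added example (not from the slides): disable AutoRun for all drive types by
# policy and verify the setting. Writes HKLM, so run in an elevated session.
# NoDriveTypeAutoRun is a bit mask of drive types; 0xFF suppresses AutoRun on
# every type, including CD-ROM (0x20) and removable drives (0x04).
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$valueName = 'NoDriveTypeAutoRun'
$allDrives = 0xFF

function Disable-AutoRun {
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    # -Force overwrites a weaker existing mask (for example 0x91, the old default)
    New-ItemProperty -Path $policyKey -Name $valueName -PropertyType DWord -Value $allDrives -Force | Out-Null
}

function Test-AutoRunDisabled {
    # True only when the value exists and every drive-type bit is set.
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return (($item.$valueName -band $allDrives) -eq $allDrives)
}

Disable-AutoRun
if (Test-AutoRunDisabled) {
    Write-Output 'AutoRun disabled for all drive types (log off and on for Explorer to pick it up).'
} else {
    Write-Output 'AutoRun policy not applied; check that this session is elevated.'
}
```

The same value under HKCU applies to one user only; the HKLM policy used here wins for every user on the machine, which is what you want when the threat is a disc inserted by whoever happens to be logged on.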
17
Alternative Operating Systems
Apple image from: http://en.wikipedia.org/wiki/Image:Apple-logo.png
Tux image from: http://www.sjbaker.org/tux/Penguin.png
18
XCP Rootkit
XCP detected as rootkit
Hidden from detection
  Files
  Network access
  Processes
  Registry keys
Potentially allows root access to system
Lessons from the Sony CD DRM Episode (pg 18,19)
19
XCP Detection as Rootkit
http://www.f-secure.com/weblog/archives/updated_xcp.gif
20
XCP Vulnerabilities
Installed and ran invisibly
Undetectable by even virus software
Hides itself and its processes
  Hides anything starting with $sys$
  Any malicious code can be hidden by $sys$
Exploited by at least two malicious programs
Also allows random crashing of system via updated system files
Lessons from the Sony CD DRM Episode (pg 19)
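The cloaking described here is what makes the $sys$ prefix dangerous: anything carrying it disappears from the file, registry and process views that tools rely on. The script below is an added example, not from the slides, that looks for names carrying that prefix. The practitioner's caveat is built into it: on a host where the cloaking driver is loaded, the very API calls it makes are the ones being filtered, so it reports nothing; it is meant to be run against the suspect volume mounted from a clean boot environment (pass that volume's drive letter as -Root) or on the live system after the driver has been stopped. The function name Find-PrefixedNames is constructed for this example.

```powershell
# Added example (not from the slides): find file system entries, service
# registrations and processes whose names start with the cloaking prefix.
# Caveat: with the cloaking driver loaded these views are filtered and the
# scan finds nothing; run it from a clean boot or after the driver is removed.
function Find-PrefixedNames {
    param(
        [string] $Root   = 'C:\',     # volume to scan; use the offline volume's letter from a clean boot
        [string] $Prefix = '$sys$'    # prefix the slide describes
    )
    $cmp = [System.StringComparison]::OrdinalIgnoreCase

    # File system: -Force includes hidden/system entries, -LiteralPath keeps '$' literal.
    $fileHits = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name.StartsWith($Prefix, $cmp) } |
        ForEach-Object { [pscustomobject]@{ Kind = 'File'; Name = $_.FullName } }

    # Service/driver registrations (meaningful on the live system only).
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $svcHits = @()
    if (Test-Path $svcKey) {
        $svcHits = Get-ChildItem -Path $svcKey -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName.StartsWith($Prefix, $cmp) } |
            ForEach-Object { [pscustomobject]@{ Kind = 'Service'; Name = $_.PSChildName } }
    }

    # Running processes (live system only).
    $procHits = Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.ProcessName.StartsWith($Prefix, $cmp) } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Process'; Name = $_.ProcessName } }

    return @($fileHits) + @($svcHits) + @($procHits)
}

$hits = @(Find-PrefixedNames -Root 'C:\')
if ($hits.Count -eq 0) {
    Write-Output 'No $sys$-prefixed names visible (remember: a loaded cloak hides them from this scan).'
} else {
    $hits | Format-Table -AutoSize
}
```

An empty result on a live host is therefore not evidence of a clean system; a cross-view comparison (raw disk or hive parsing against the API view) or an offline scan is what actually exposes this class of cloaking, which is why the slide's "undetectable by even virus software" held for as long as scanners trusted the operating system's own answers.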
21
MediaMax Vulnerabilities
Automatically installs on CD insertion
Permissions set so any user can modify
Allows malicious code to easily be installed
Next time MediaMax protected CD inserted, malicious code executed
Lessons from the Sony CD DRM Episode (pg 17,19)
22
Vulnerabilities (continued)
Requires Power User privileges to run
Allows attacker's code to have complete control
Aggressively updates installed code with each protected CD
The patch meant to rectify the attack itself initiated the attack code
Lessons from the Sony CD DRM Episode (pg 17,19)
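The weakness on these two MediaMax slides is a general one: code that later runs with elevated privilege sits in a directory that ordinary users may modify. The script below is an added example, not from the slides, that audits an install directory for exactly that condition by walking its ACLs and reporting Allow rules that grant write-type rights to broad identities. The function name Find-WeakWriteAcl and the install path are constructed placeholders; the identity names are the English well-known accounts and would need adjusting on localized systems.

```powershell
# Added example (not from the slides): report ACL entries under an install
# directory that let ordinary users modify its contents. Such entries are the
# precondition for the MediaMax attack described above: plant code, wait for
# the next privileged run.
$broadIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
# Any of these rights lets a user change what runs; Write and Modify are
# composites that already include WriteData/AppendData.
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::Delete

function Find-WeakWriteAcl {
    param([Parameter(Mandatory)] [string] $Path)
    $findings = @()
    $targets = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($entry in $targets) {
        $acl = Get-Acl -LiteralPath $entry.FullName -ErrorAction SilentlyContinue
        if ($null -eq $acl) { continue }
        foreach ($rule in $acl.Access) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if ($broadIdentities -notcontains $rule.IdentityReference.Value) { continue }
            if (($rule.FileSystemRights -band $writeRights) -eq 0) { continue }
            $findings += [pscustomobject]@{
                Path      = $entry.FullName
                Identity  = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited   # inherited entries point at a parent-directory fix
            }
        }
    }
    return $findings
}

# Placeholder path; replace with the directory of the program under review.
$installDir = 'C:\Program Files\ExampleVendor\ExampleProduct'
$weak = @(Find-WeakWriteAcl -Path $installDir)
if ($weak.Count -eq 0) {
    Write-Output "No broad write access found under $installDir"
} else {
    $weak | Format-Table -AutoSize
}
```

A finding with Inherited set to True usually means the install directory was created under a parent that is itself loosely permissioned, so the fix belongs at the parent rather than on each file; a non-inherited finding means the installer set the weak rule deliberately, which is the MediaMax case.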
23
Spyware-like Activities
Report user activities to label/vendor
  Vendors said it did not; in fact it does
Retrieve images or ads to display from web
Log user's info
  IP address
  Date and time
  Identity of album
Lessons from the Sony CD DRM Episode (pg 14)
24
Software Engineering Code of Ethics (ACM/IEEE-CS Joint – shortened version)
Software engineers shall commit themselves to making the analysis, specification, design, development, testing and maintenance of software a beneficial and respected profession. In accordance with their commitment to the health, safety and welfare of the public, software engineers shall adhere to the following Eight Principles:
Info from: http://www.acm.org/serving/se/code.htm
25
Software Engineering Code of Ethics (continued)
1. PUBLIC - Software engineers shall act consistently with the public interest.
2. CLIENT AND EMPLOYER - Software engineers shall act in a manner that is in the best interests of their client and employer and consistent with the public interest.
3. PRODUCT - Software engineers shall ensure that their products and related modifications meet the highest professional standards possible.
4. JUDGMENT - Software engineers shall maintain integrity and independence in their professional judgment.
Info from: http://www.acm.org/serving/se/code.htm
26
Software Engineering Code of Ethics (continued)
5. MANAGEMENT - Software engineering managers and leaders shall subscribe to and promote an ethical approach to the management of software development and maintenance.
6. PROFESSION - Software engineers shall advance the integrity and reputation of the profession consistent with the public interest.
7. COLLEAGUES - Software engineers shall be fair to and supportive of their colleagues.
8. SELF - Software engineers shall participate in lifelong learning regarding the practice of their profession and shall promote an ethical approach to the practice of the profession.
Info from: http://www.acm.org/serving/se/code.htm
27
Ethical Issues
Install without user permission
Users left vulnerable to malware
After uninstall, user still vulnerable
Spyware tactics used
Prevents fair use
Damages the reputation of software manufacturers
Sony refused to deny wrong-doing
28
Class Action against Sony
Requests from Electronic Frontier Foundation (EFF)
  Stop production of CDs with bad DRM
  Get people non-DRM'd versions of music
  Do this quickly
  Get people free music or money in case of XCP
  Ensure independent security testing pre-launch of any new DRM
  Agree to quick response by Sony BMG to future security flaws of DRM
http://www.eff.org/IP/DRM/Sony-BMG/settlement_faq.php
29
Settlement
Sony agreed to EFF's requests
Never admitted to wrongdoing
No reparations for crashed systems
At present no criminal cases
Sony still left open to future lawsuits, but EFF's case over
http://www.eff.org/IP/DRM/Sony-BMG/settlement_faq.php
30
Sources:
1. http://www.acm.org/serving/se/code.htm
2. J. Alex Halderman and Edward W. Felten, "Lessons from the Sony CD DRM Episode", Center for Information Technology Policy, Department of Computer Science, Princeton University, Extended Version, February 14, 2006
3. http://www.eff.org/IP/DRM/Sony-BMG/mediamaxfaq.php
4. http://www.eff.org/IP/DRM/Sony-BMG/
5. http://www.f-secure.com/weblog/archives/updated_xcp.gif
6. http://www.sjbaker.org/tux/Penguin.png
7. http://en.wikipedia.org/wiki/Image:Apple-logo.png
8. http://www.fadden.com/cdrpics/data-surface-3.jpg