
The Sony CD DRM Debacle


nimrod


Presentation Transcript


  1. The Sony CD DRM Debacle A case study of digital rights management

  2. Overview: • DRM Goals • XCP • MediaMax • Defeating • Software Engineering Code of Ethics and the principles that were broken • Lawsuit

  3. Goals of DRM The primary goal of a CD DRM system is to protect and enable the business models of the record label and the DRM vendor. Lessons from the Sony CD DRM Episode (pg 2)

  4. Record Label Goals • Overall purpose is to increase profit • Increase sales • Limit disc-to-disc copying • Limit local copying • Get software onto users' computers • Sell advertising • Gather and sell information about users Lessons from the Sony CD DRM Episode (pg 2, 3)

  5. DRM Vendor Goals • Maximize price for DRM software by creating value for the record label • Survive • Smaller companies need to take more risk • Maximize installed base • Need to get major recording labels on board • Become THE DRM used, beat out other vendors Lessons from the Sony CD DRM Episode (pg 3)

  6. CD DRM Systems • Must play on ordinary CD players • Limit readability by computers • Must prevent copying on a computer without permission • DRM software must give access to the music • DRM software must be installed somehow • Autorun on Windows computers • Must be intentionally run by the user on a Mac • DRM software must recognize the DRM discs Lessons from the Sony CD DRM Episode (pg 4)

  7. XCP • Relies on the autorun feature of Windows • Commands in autorun.inf on the CD are executed • Autorun is commonly used to display splash screens and initiate installation of programs • Mac OS does not use autorun; the user must manually run the installer • XCP-protected discs contain two sessions • Music session • DRM content session Lessons from the Sony CD DRM Episode (pg 5)

  8. Two Session Disc http://www.fadden.com/cdrpics/data-surface-3.jpg

  9. XCP (continued) • Unprotected window between disc insertion and installation of the protection software • User is required to agree to an End User License Agreement (EULA) • Software is then installed • CD can now be played • If the user declines, the CD is immediately ejected Lessons from the Sony CD DRM Episode (pg 6,7)

  10. XCP (continued) • Temporary protection is auto-loaded on CD insertion, not installed • Uses a blacklist of applications known for burning/ripping • Displays a window listing any blacklisted applications that are running • Will not continue until the blacklisted apps are closed Lessons from the Sony CD DRM Episode (pg 7)

  11. XCP (continued) Lessons from the Sony CD DRM Episode (pg 6)

  12. MediaMax • Also uses autorun • Also uses multi-session discs • Temporary protection is more invasive • Immediately installs the protection software • Temporarily activates the protection software • This happens even if the EULA is declined Lessons from the Sony CD DRM Episode (pg 5,7)

  13. Defeating the Copy Protection • Mark the data session with a marker so the computer cannot read it • Hold the shift key while inserting the disc • Disable autorun • Use an alternative operating system • Linux • Mac Lessons from the Sony CD DRM Episode (pg 5)

  14. Marking the CD http://www.fadden.com/cdrpics/data-surface-3.jpg

  15. Hold down the shift key while inserting the disc

  16. Disabling Auto-Run

  17. Alternative Operating Systems Tux image from: http://www.sjbaker.org/tux/Penguin.png Apple image from: http://en.wikipedia.org/wiki/Image:Apple-logo.png
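The shift-key and disable-autorun items above work for the same reason: both XCP and MediaMax only get onto the machine because Windows executes the commands in autorun.inf when the disc is inserted. The following is an added example, not part of the original slides or of the Halderman/Felten paper, showing how to turn AutoRun off persistently for every drive type through Microsoft's documented NoDriveTypeAutoRun policy value (0xFF disables it for all drive types) and then read the value back. It assumes an elevated PowerShell prompt on Windows.

```powershell
# Added example (not from the original slides): disable AutoRun for all drive types.
# NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is suppressed;
# 0xFF covers every type, including CD/DVD drives that carry autorun.inf.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Create the policy key if this machine has never had Explorer policies set.
if (-not (Test-Path -LiteralPath $key)) {
    New-Item -Path $key -Force | Out-Null
}

# -Force overwrites an existing value (the Windows XP default was 0x95, which
# still allowed AutoRun on CD-ROM drives).
New-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -PropertyType DWord -Value 0xFF -Force | Out-Null

# Read it back and show it in hex so the bitmask is easy to compare against docs.
$value = (Get-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun').NoDriveTypeAutoRun
'NoDriveTypeAutoRun = 0x{0:X2}' -f $value
```

Holding Shift only suppresses AutoRun for that single insertion, and only if the key is held the whole time the disc is being recognised; the policy value is what actually closes the door. The policy takes effect for newly started Explorer sessions, so log off or restart after setting it.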

  18. XCP Rootkit • XCP detected as a rootkit • Hidden from detection • Files • Network access • Processes • Registry keys • The same cloaking can hide other software, including malware, from the system Lessons from the Sony CD DRM Episode (pg 18,19)

  19. XCP Detection as rootkit http://www.f-secure.com/weblog/archives/updated_xcp.gif

  20. XCP Vulnerabilities • Installed and ran invisibly • Undetected even by antivirus software • Hides itself and its processes • Hides anything whose name starts with $sys$ • Any malicious code can be hidden by giving it a $sys$ name • Exploited by at least two malicious programs • Can also cause random system crashes through the system files it modifies Lessons from the Sony CD DRM Episode (pg 19)
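The $sys$ cloaking described above is detectable with a very simple probe, because a cloaking hook filters directory enumeration but cannot refuse to open a file whose exact path is already known. The following is an added example, not from the slides or the paper, that creates a file whose name starts with $sys$ in a temporary directory, then checks whether it shows up in a listing and whether it can be reached by direct path. On a clean system both checks agree; a file that can be opened but does not appear in the listing is the signature of an XCP-style cloak. The directory and file names are made up for the example.

```powershell
# Added example (not from the original slides): probe for $sys$-style name cloaking.
# Single quotes are essential: in double quotes PowerShell would expand $sys and $probe
# as variables and the file would not get the $sys$ prefix at all.
$dir   = Join-Path $env:TEMP 'cloakprobe'          # scratch directory, assumed writable
$name  = '$sys$probe.txt'                           # prefix the XCP rootkit cloaked
$probe = Join-Path $dir $name

New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -LiteralPath $probe -Value 'cloak test'

# Check 1: does directory enumeration return the file? -Force includes hidden and
# system files, so a missing entry is not explained by ordinary file attributes.
$listed = (Get-ChildItem -LiteralPath $dir -Force).Name -contains $name

# Check 2: can the file be reached directly by its full path?
$direct = Test-Path -LiteralPath $probe

if ($direct -and -not $listed) {
    'WARNING: {0} exists but is missing from the directory listing (possible $sys$ cloaking)' -f $probe
} elseif ($direct -and $listed) {
    'No cloaking detected: probe file visible both ways'
} else {
    'Probe file could not be created; check permissions on {0}' -f $dir
}

# Clean up. -LiteralPath again, so the $ characters are not interpreted.
Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
```

The same idea extends to the other objects the slide lists: start a harmless process whose image name begins with $sys$ and see whether Get-Process reports it, or create a registry key with that prefix and see whether Get-ChildItem on its parent returns it. A clean result from this probe says nothing about cloaks that key on a different prefix, so it is a check for this particular rootkit family, not a general anti-rootkit scan.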

  21. MediaMax Vulnerabilities • Automatically installed on CD insertion • Permissions set so that any user can modify its files • Allows malicious code to be installed easily • The next time a MediaMax-protected CD is inserted, the malicious code is executed Lessons from the Sony CD DRM Episode (pg 17,19)

  22. Vulnerabilities (continued) • Requires Power User privileges to run • Gives the attacker's code complete control • Aggressively updates the installed code with each protected CD • Sony's patch meant to fix this flaw ran the (possibly attacker-modified) code, triggering the very attack it was meant to prevent Lessons from the Sony CD DRM Episode (pg 17,19)
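The MediaMax flaw on the two slides above is a general class of bug: a program directory that any user can write to, combined with a privileged process that later executes whatever it finds there. The following is an added example, not from the slides or the paper, that walks the Program Files tree and reports directories whose ACL grants write rights to broad groups. It assumes English names for the built-in groups (they are localised on non-English Windows) and that the account running it can read the ACLs; directories it cannot read are skipped silently.

```powershell
# Added example (not from the original slides): find program directories writable by
# broad groups. Program Files is read-only for standard users by default, so any hit
# here is a candidate for the MediaMax-style "replace the code, wait for a privileged
# user to run it" attack.
$broadGroups = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users'
)

# FileSystemRights.Write is the composite of WriteData, AppendData,
# WriteExtendedAttributes and WriteAttributes (0x116). Modify and FullControl
# both include these bits, so a bitwise test catches them as well.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write

Get-ChildItem -Path $env:ProgramFiles -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $path = $_.FullName
        $acl  = Get-Acl -LiteralPath $path -ErrorAction SilentlyContinue
        foreach ($ace in $acl.Access) {
            $isAllow  = $ace.AccessControlType -eq 'Allow'
            $isBroad  = $broadGroups -contains $ace.IdentityReference.Value
            $canWrite = ([int]$ace.FileSystemRights -band $writeMask) -ne 0
            if ($isAllow -and $isBroad -and $canWrite) {
                [pscustomobject]@{
                    Path      = $path
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
```

Pipe the output to Format-Table or Export-Csv for review. Deny entries are ignored on purpose; a Deny ACE can cancel an Allow for the same identity, so treat each hit as something to confirm with icacls rather than as a proven hole. The Inherited column matters for triage: an explicit Allow on a single product directory is far more likely to be a vendor installer mistake than an inherited one.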

  23. Spyware-like Activities • Reports user activities to the label/vendor • Vendors said it did not; in fact it does • Retrieves images or ads to display from the web • Logs user information • IP address • Date and time • Identity of the album Lessons from the Sony CD DRM Episode (pg 14)

  24. Software Engineering Code of Ethics(ACM/IEEE-CS Joint – shortened version) Software engineers shall commit themselves to making the analysis, specification, design, development, testing and maintenance of software a beneficial and respected profession. In accordance with their commitment to the health, safety and welfare of the public, software engineers shall adhere to the following Eight Principles: Info from: http://www.acm.org/serving/se/code.htm

  25. Software Engineering Code of Ethics(continued) • 1. PUBLIC - Software engineers shall act consistently with the public interest. • 2. CLIENT AND EMPLOYER - Software engineers shall act in a manner that is in the best interests of their client and employer and consistent with the public interest. • 3. PRODUCT - Software engineers shall ensure that their products and related modifications meet the highest professional standards possible. • 4. JUDGMENT - Software engineers shall maintain integrity and independence in their professional judgment. Info from: http://www.acm.org/serving/se/code.htm

  26. Software Engineering Code of Ethics(Continued) • 5. MANAGEMENT - Software engineering managers and leaders shall subscribe to and promote an ethical approach to the management of software development and maintenance. • 6. PROFESSION - Software engineers shall advance the integrity and reputation of the profession consistent with the public interest. • 7. COLLEAGUES - Software engineers shall be fair to and supportive of their colleagues. • 8. SELF - Software engineers shall participate in lifelong learning regarding the practice of their profession and shall promote an ethical approach to the practice of the profession. Info from: http://www.acm.org/serving/se/code.htm

  27. Ethical Issues • Installed without user permission • Users left vulnerable to malware • After uninstall, users still vulnerable • Spyware tactics used • Prevents fair use • Damages the reputation of software manufacturers • Sony refused to admit wrongdoing

  28. Class Action against Sony • Requests from the Electronic Frontier Foundation (EFF) • Stop production of CDs with the flawed DRM • Get people non-DRM'd versions of their music • Do this quickly • Give people free music or money in the case of XCP • Ensure independent security testing before launch of any new DRM • Agree to a quick response by Sony BMG to future security flaws in its DRM http://www.eff.org/IP/DRM/Sony-BMG/settlement_faq.php

  29. Settlement • Sony agreed to the EFF's requests • Never admitted wrongdoing • No reparations for crashed systems • At present no criminal cases • Sony still open to future lawsuits, but the EFF's case is over http://www.eff.org/IP/DRM/Sony-BMG/settlement_faq.php

  30. Sources: • 1. http://www.acm.org/serving/se/code.htm • 2. J. Alex Halderman and Edward W. Felten, "Lessons from the Sony CD DRM Episode", Center for Information Technology Policy, Department of Computer Science, Princeton University, Extended Version, February 14, 2006 • 3. http://www.eff.org/IP/DRM/Sony-BMG/mediamaxfaq.php • 4. http://www.eff.org/IP/DRM/Sony-BMG/ • 5. http://www.f-secure.com/weblog/archives/updated_xcp.gif • 6. http://www.sjbaker.org/tux/Penguin.png • 7. http://en.wikipedia.org/wiki/Image:Apple-logo.png • 8. http://www.fadden.com/cdrpics/data-surface-3.jpg
