The Sony CD DRM Debacle
A case study of digital rights management

Overview:
• DRM Goals
• XCP
• MediaMax
• Defeating
• Software Engineering Code of Ethics and the principles that were broken
• Lawsuit
Goals of DRM
The primary goals of a DRM system are to protect and enable the business models of the record label and the DRM vendor.
Lessons from the Sony CD DRM Episode (pg 2)

Record Label Goals
• Overall purpose is to increase profit.
• Increase sales
• Limit disc-to-disc copying
• Limit local copying
• Get software onto users' computers
• Sell advertising
• Gather and sell information about users
Lessons from the Sony CD DRM Episode (pg 2, 3)
DRM Vendor Goals
• Maximize price for DRM software by creating value for the record label
• Survive
  • Smaller companies need to take more risk
• Maximize installed base
  • Need to get major recording labels on board
• Become THE DRM used, beat out other vendors
Lessons from the Sony CD DRM Episode (pg 3)

CD DRM Systems
• Must play on ordinary CD players
• Limited readability by computers
• Must prevent copying on a computer without permission
• DRM software must give access to the music
• DRM software must be installed somehow
  • Autorun on Windows computers
  • Must be intentionally run by the user on a Mac
• DRM software must recognize the DRM discs
Lessons from the Sony CD DRM Episode (pg 4)
XCP
• Relies on the autorun feature of Windows
  • Commands in autorun.inf on the CD are executed
  • Autorun is commonly used to display splash screens and initiate installation of programs
• MacOS does not use autorun; the user must manually run the installer
• XCP-protected discs contain two sessions
  • Music session
  • DRM content session
Lessons from the Sony CD DRM Episode (pg 5)
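The autorun.inf mechanism the slide describes, as an added example that is not part of these slides or the Halderman/Felten paper: a small parser that reports which [autorun] entries would launch a program on disc insertion, the check a defender runs before trusting removable media. The sample file and the EXEC_KEYS list are constructed here for illustration.

```python
import configparser
from typing import List, Tuple

# Keys in the [autorun] section that make Windows launch something on insertion
# (assumption for this example: "open" and "shellexecute" are the ones audited).
EXEC_KEYS = ("open", "shellexecute")

# Constructed sample autorun.inf (not copied from any real disc).
SAMPLE_AUTORUN_INF = """[autorun]
open=setup.exe /autorun
icon=disc.ico
label=Example Album
shellexecute=launcher\\start.html
"""


def autorun_commands(text: str) -> List[Tuple[str, str]]:
    """Return the (key, value) pairs in [autorun] that would execute code.

    Section and key names are matched case-insensitively; a file with no
    usable [autorun] section yields an empty list.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return []  # malformed file: treated here as carrying no commands
    for section in cp.sections():
        if section.lower() == "autorun":
            # configparser lowercases option names, so lowercase keys match "Open=" too
            return [(key, cp[section][key]) for key in EXEC_KEYS if key in cp[section]]
    return []


def launches_code(text: str) -> bool:
    """True when inserting a disc carrying this autorun.inf would run a program."""
    return bool(autorun_commands(text))


if __name__ == "__main__":
    for key, value in autorun_commands(SAMPLE_AUTORUN_INF):
        print(f"{key} -> {value}")
```

Holding the shift key or disabling autorun, as the later slide notes, is what stops these entries from being acted on.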
Two Session Disc http://www.fadden.com/cdrpics/data-surface-3.jpg
XCP (continued)
• Unprotected window between disc insertion and installation of the protection software
• User is required to agree to an End User License Agreement (EULA)
• Software is then installed
• CD can now be played
• If the user declines, the CD is immediately ejected
Lessons from the Sony CD DRM Episode (pg 6, 7)

XCP (continued)
• Temporary protection is auto-loaded on CD insertion, not installed
• Uses a blacklist of applications known for burning/ripping
• Shows a window listing any blacklisted applications that are running
• Will not continue until the blacklisted apps are closed
Lessons from the Sony CD DRM Episode (pg 7)
XCP (continued) Lessons from the Sony CD DRM Episode (pg 6)
MediaMax
• Also uses autorun
• Also uses multi-session discs
• Temporary protection is more invasive
  • Immediately installs the protection software
  • Temporarily activates the protection software
  • This happens even if the EULA is declined
Lessons from the Sony CD DRM Episode (pg 5, 7)

Defeating the Copy Protection
• Mark the data session on the disc
• Hold the shift key while inserting
• Disable autorun
• Use an alternative operating system
  • Linux
  • Mac
Lessons from the Sony CD DRM Episode (pg 5)
Marking the CD http://www.fadden.com/cdrpics/data-surface-3.jpg
Alternative Operating Systems
Tux image from: http://www.sjbaker.org/tux/Penguin.png
Apple image from: http://en.wikipedia.org/wiki/Image:Apple-logo.png

XCP Rootkit
• XCP detected as a rootkit
• Hidden from detection:
  • Files
  • Network access
  • Processes
  • Registry keys
• Potentially allows root access to the system
Lessons from the Sony CD DRM Episode (pg 18, 19)
XCP Detection as rootkit http://www.f-secure.com/weblog/archives/updated_xcp.gif
XCP Vulnerabilities
• Installed and ran invisibly
• Undetectable even by antivirus software
• Hides itself and its processes
• Hides anything starting with $sys$
• Any malicious code can be hidden by using the $sys$ prefix
• Exploited by at least two malicious programs
• Its updated system files can also crash the system at random
Lessons from the Sony CD DRM Episode (pg 19)
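Cross-view difference checking, the technique rootkit detectors used to expose the $sys$ cloaking described in the two slides above, as an added Python example (not code from these slides or the cited paper): a listing taken through the normal system API is compared with one taken by reading the volume directly, and anything present only in the raw view is reported. The listings and file names are constructed, and cross_view_diff, is_xcp_style_name and audit are names chosen here.

```python
from typing import Dict, Iterable, List

# Name prefix that XCP's cloaking driver filtered out of system listings.
HIDDEN_PREFIX = "$sys$"


def cross_view_diff(api_view: Iterable[str], raw_view: Iterable[str]) -> List[str]:
    """Entries present in the raw (unhooked) view but missing from the API view.

    Works for any namespace a rootkit can filter: files, processes, registry
    keys. A non-empty result means something is being cloaked.
    """
    reported = set(api_view)
    return sorted(name for name in raw_view if name not in reported)


def is_xcp_style_name(name: str) -> bool:
    """True when any path component starts with the $sys$ cloaking prefix."""
    parts = name.replace("\\", "/").split("/")
    return any(part.lower().startswith(HIDDEN_PREFIX) for part in parts)


def audit(api_view: Iterable[str], raw_view: Iterable[str]) -> Dict[str, List[str]]:
    """Classify cloaked entries: $sys$-prefixed (XCP-style) versus everything else."""
    result: Dict[str, List[str]] = {"xcp_prefix": [], "other_hidden": []}
    for name in cross_view_diff(api_view, raw_view):
        bucket = "xcp_prefix" if is_xcp_style_name(name) else "other_hidden"
        result[bucket].append(name)
    return result


# Constructed listings of one directory (not real data): what the file API
# reports versus what a raw read of the volume reports.
API_VIEW = [
    r"C:\Windows\System32\drivers\ntfs.sys",
    r"C:\Windows\System32\notepad.exe",
]
RAW_VIEW = API_VIEW + [
    r"C:\Windows\System32\$sys$example.sys",  # XCP-style cloaked driver
    r"C:\Windows\System32\$sys$drop.exe",     # any file gains cloaking by prefix
    r"C:\Windows\System32\other_hidden.dll",  # cloaked by something else
]

if __name__ == "__main__":
    for bucket, names in audit(API_VIEW, RAW_VIEW).items():
        print(bucket, names)
```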
MediaMax Vulnerabilities
• Automatically installs on CD insertion
• Permissions set so that any user can modify it
• Allows malicious code to be installed easily
• The next time a MediaMax-protected CD is inserted, the malicious code is executed
Lessons from the Sony CD DRM Episode (pg 17, 19)

Vulnerabilities (continued)
• Requires Power User privileges to run
• Allows the attacker's code to have complete control
• Aggressively updates the installed code with each protected CD
• The patch released to fix the flaw itself triggered any attack code already in place
Lessons from the Sony CD DRM Episode (pg 17, 19)

Spyware-like Activities
• Reports user activities to the label/vendor
  • Vendors said it did not; it in fact does
• Retrieves images or ads to display from the web
• Logs the user's info:
  • IP address
  • Date and time
  • Identity of the album
Lessons from the Sony CD DRM Episode (pg 14)
Software Engineering Code of Ethics (ACM/IEEE-CS Joint – shortened version)
Software engineers shall commit themselves to making the analysis, specification, design, development, testing and maintenance of software a beneficial and respected profession. In accordance with their commitment to the health, safety and welfare of the public, software engineers shall adhere to the following Eight Principles:
Info from: http://www.acm.org/serving/se/code.htm

Software Engineering Code of Ethics (continued)
• 1. PUBLIC - Software engineers shall act consistently with the public interest.
• 2. CLIENT AND EMPLOYER - Software engineers shall act in a manner that is in the best interests of their client and employer and consistent with the public interest.
• 3. PRODUCT - Software engineers shall ensure that their products and related modifications meet the highest professional standards possible.
• 4. JUDGMENT - Software engineers shall maintain integrity and independence in their professional judgment.
Info from: http://www.acm.org/serving/se/code.htm

Software Engineering Code of Ethics (continued)
• 5. MANAGEMENT - Software engineering managers and leaders shall subscribe to and promote an ethical approach to the management of software development and maintenance.
• 6. PROFESSION - Software engineers shall advance the integrity and reputation of the profession consistent with the public interest.
• 7. COLLEAGUES - Software engineers shall be fair to and supportive of their colleagues.
• 8. SELF - Software engineers shall participate in lifelong learning regarding the practice of their profession and shall promote an ethical approach to the practice of the profession.
Info from: http://www.acm.org/serving/se/code.htm
Ethical Issues
• Installed without user permission
• Users left vulnerable to malware
• After uninstall, the user is still vulnerable
• Spyware tactics used
• Prevents fair use
• Damages the reputation of software manufacturers
• Sony refused to admit wrongdoing

Class Action against Sony
• Requests from the Electronic Frontier Foundation (EFF):
  • Stop production of CDs with bad DRM
  • Get people non-DRM'd versions of the music
  • Do this quickly
  • Get people free music or money in the case of XCP
  • Ensure independent security testing before launch of any new DRM
  • Agree to a quick response by Sony BMG to future security flaws in its DRM
http://www.eff.org/IP/DRM/Sony-BMG/settlement_faq.php

Settlement
• Sony agreed to the EFF's requests
• Never admitted wrongdoing
• No reparations for crashed systems
• At present no criminal cases
• Sony is still open to future lawsuits, but the EFF's case is over
http://www.eff.org/IP/DRM/Sony-BMG/settlement_faq.php

Sources:
1. http://www.acm.org/serving/se/code.htm
2. Lessons from the Sony CD DRM Episode. J. Alex Halderman and Edward W. Felten, Center for Information Technology Policy, Department of Computer Science, Princeton University. Extended Version, February 14, 2006.
3. http://www.eff.org/IP/DRM/Sony-BMG/mediamaxfaq.php
4. http://www.eff.org/IP/DRM/Sony-BMG/
5. http://www.f-secure.com/weblog/archives/updated_xcp.gif
6. http://www.sjbaker.org/tux/Penguin.png
7. http://en.wikipedia.org/wiki/Image:Apple-logo.png
8. http://www.fadden.com/cdrpics/data-surface-3.jpg