Transcript Powerpoint format

Copy prevention, detection and DRM
DRM: management of whose digital rights ?
 Copy detection and tracking
 Steganography, steganalysis and the canary trap
 Surveillance of network copyright infringement
 Copy prevention technologies: fundamental
problems, early methods, license servers, DVDs and
De-CSS, Sony Rootkit.
 Trusted Platform Management and criticisms
 An easily overcome DRM nuisance
 DRM and Windows Vista - broken by design ?

DRM: management of whose digital rights ?
The 4th amendment to the US constitution and the 8th
article of the European Convention on Human Rights
provides for general rights to privacy of communication
as interpreted by the highest relevant courts.
The principle of state interception of communications in
respect of the most serious of offences is generally
recognised. But if private surveillance occurs in respect
of minor offences and small scale copyright
infringement, the use of court warrants to obtain
personal data relating to Internet addresses from ISPs is
controversial.
Copy detection and tracking
Detecting unauthorised commercial copying is often more
practical than preventing it. An example might be use of digital
photography on a website. A photographic image library which
sells photographs for publications might be able to scan
websites within a particular industry, and automatically compare
image files downloaded against their own files.
Someone taking and using an unauthorised copy might have
edited the image, e.g. cropping it or changing the colour
balance, or over or under exposing it slightly. Even deliberately
changing a single pixel to a slightly different shade on a digital
copy will result in a different file checksum, resulting in no
match being detected using an automated system which relies on
checksums or cryptographic hashes of whole files.
Hidden Errors 1
Those publishing content which can legally be reproduced by
others at a cost will often want to be able to prove when
their copyright was misused. Such copyrights include:
A particular photograph e.g. taken of a public building, but
not the ability to photograph the same scene again.
 A compilation of logarithms in a table, but not the properties
of numbers and maths which enable the same table to be
recomputed.
 When reprinting an old book for which the copyright in the
text has expired, the typesetting of a new edition is
copyrighted but the original text is not

Hidden Errors 2
Hidden errors can be deliberately introduced into such
material, e.g. changing the last digit by one in a single
logarithm in a book of logarithms. Someone who computes
all the values themselves can be assumed unlikely to make
this error by accident. For someone to find where such an
error was, they would have to recompute the entire table of
logarithms themselves, which would lose the cost saving of
copying a compilation made by another publisher.
A thesaurus can be used to substitute a few words in a reprint
of an old text with synonyms and these changes will enable
an exact text copy to be detected. Someone who uses OCR to
scan old and new versions and then uses a file comparison
program such as diff will be able to detect the changes.
Steganography 1
Steganography means hiding secret information.
This and related techniques, e.g. digital
watermarking, offer more sophisticated solutions to
the copy detection requirement.
An ancient example is that of Histiaeus, who
shaved the head of his most trusted slave and
tattooed the hidden message on his bald head to
instigate a revolt against Darius I of Persia around
500BC. The message became hidden when the hair
regrew and was revealed when the head was shaved
again.
Steganography 2
Invisible ink dries invisibly on a letter containing another
message, until revealed using chemical treatment or
ultraviolet light etc.
During WWII messages written using microscopy and
contained in microdots were placed under a postage stamp or
on a full stop in the covertext letter.
The least significant bit in one colour value in every N pixels
in a cover photo can be used to contain one bit of an
undetectable message. This is made to look random by using
a one time pad, with the value of N and the OTP known to
both message sender and recipient.
Steganalysis 1
This means detecting stegotext messages. This is
likely to involve automated and statistical means, e.g.
comparing edge effects in similar photographs or
music MP3 recordings in suspected covertext files
against collections of similar files, e.g. taken using the
same make and model of digital camera, or produced
using the same MP3 encoder program.
Steganalysis 2
This is likely to be expensive because:
the stegotext is likely to be encrypted,
 the steganalyst probably won't know what to look for
and
 the number of possible places to hide the information
and methods of hiding it are likely to be great.

This seems unlikely to be cost effective unless there are
very good reasons to believe that a small collection of
data is likely to contain one or more stegotexts of
enough significance to justify the cost.
The Canary Trap
This involves someone creating and distributing a number of
slightly different versions of an information package to
identify the party responsible for unauthorised disclosure of it.
The variations in the information package communicated to
specific recipients are recorded before distribution.
This approach might be used to identify the government
minister or official responsible for leaking a discussion
document to the press. In a situation where relatively few
copies of software are distributed only to identifiable
customers this would enable unauthorised copies to be tracked
to a specific customer.
A practical Canary trap application
This involves managing subscriptions to multiple email lists for
personal data protection requirements. The person setting this
trap creates a new email address each time an email address is
given, recording the party to whom it is provided e.g. by creating
a commented entry in the /etc/aliases file .
Then if this address gets into the hands of spammers this will
identify the party which illegally disclosed the address.
Messages from a mismanaged email list can be discontinued by
ending acceptance of messages sent to the relevant address.
Surveillance of Internet copyright
infringement
Detecting when people copy files on the Internet in breach of
copyright is an activity engaged in by various organisations
e.g. FAST, RIAA acting on behalf of rights holders. Copyright
infringement for personal use is currently a civil and not a
criminal offence. So you can't go to jail for it, but you can be
sued. Also the standard of proof required in a civil case is
lower than is needed in a criminal case.
Bittorrent trackers disclose the Internet protocol (IP) address of
the participants in a torrent and an ISP can be warranted to
disclose the street address and account holder name for a
particular connection.
Anonymous filesharing approaches
The popular Bittorrent protocol for sharing files is an entirely
peer to peer (P2P) network for content distribution. However,
to obtain a file being distributed, a user needs to find a tracker
through a centralised search engine function. Efforts to prevent
use of this network for infringing purposes are now (Mar
2009) concentrating on the trackers, with a prosecution of the
operators of Piratebay attempted.
Other approaches involving distributing hash tables for search
purposes within the P2P service and onion routing with
multiple cryptography layers. These are being researched by
developers of the Gnutella, Tor, Freenet and other P2P
networks.
Copy prevention: the problem 1
Computers are designed to copy data. Register memory
which can be processed directly is a few bytes at the top
of a pyramid. Lower layers in the pyramid progressively
provide greater volume, lower cost per byte and slower
access speeds:
Level 1 and 2 CPU caches, RAM, solid state disk, hard
disk and archival media (magnetic and optical).
To be processed and saved, all data has be be copied up
and down this pyramid.
Copy prevention: the problem 2
Computers networks are also designed to copy data.
Here the data is packaged into standard protocol packets
with standard headers attached to be copied from one
location to another.
The consumer electronics industry services its
customers by producing products which copy data from
one form or place to another. E.G. photographs from a
camera chip to memory, or sound information from a
CD to a speaker or between 2 mobile phones. The
"analogue hole" also can't easily be protected.
Copy prevention: the problem 3
The media content industry sells books, magazines,
packaged software, TV programs, music recordings and
movies etc. This industry has a commercial interest in
preventing infringement. This industry is reluctant to
distribute its products except for computers, operating
systems and application programs designed to make
copying of their content difficult.
But this conflicts with the nature of how computers,
networks and consumer electronic devices work. The
techniques which are designed to prevent copying tend
to be overcome.
Early copy-prevention schemes 1
There has been an arms race between the copy
prevention engineers on the one side, and software users
interested either in making illegal copies or in avoiding
nuisance measures on the other.
For example, users are exercising legitimate rights to
take backup copies of software in case the master copy
fails. The software company might no longer exist. In
some cases a software user making use of personal data
which comes under the Data Protection Act has a legal
obligation to maintain secure access to the data
concerned.
Early copy-prevention schemes 2
For each new copy prevention scheme, skilled users will attempt
to defeat it. Approaches have included asking users questions
which can be answered from the manual assumed to accompany
all legitimate copies. This meant that for a user with a legitimate
copy it was more convenient to use a cracked copy distributed
illegally with the nuisance prompts removed.
Other approaches have involved installing non-standard
software drivers to read information from CDs and floppy disks
formatted using non-standard formats, making it difficult for
users with legitimate copies to take backups.
License Servers
Some software is designed to call its supplier and register a
serial number. Alternatively software might be required to
register with a local license server which will attempt to prevent
more than the licensed number of copies being used
simultaneously. Vendors of this category of software will tend to
provide a telephone backup for those using products behind
restrictive firewalls or on non-networked computers.
Anyone who has supported software in this category is likely to
be aware that a proportion of the support effort has to go into
maintaining the license server and the credentials needed to
operate the software, and will consider this kind of approach an
expensive nuisance at best and a denial of service at worst.
Hardware Dongles
A dongle is a hardware device that attaches to a computer to
authenticate a piece of software. The hardware device will be
more difficult to copy than the software. The downside is that
the hardware dongle will add cost something and can easily
be lost or borrowed and mislaid. It doesn't protect the
software vendor against cracked versions of the software with
the authentication disabled (often called warez) .
This approach does ensure that those unwilling to run warez
or use illegally reverse engineered dongles pay to use the
product, so this approach is suited to relatively high-value
proprietary software products.
DVDs and DeCSS
DVDs were protected by a weak proprietary system which was
broken by Jon Johannsen. This resulted in the widespread
distribution of unscrambling software known as DeCSS. The
simplicity of DeCSS has removed the barrier preventing multiregion DVD players.
Jon had purchased DVDs while in the USA which were
unplayable in Norway due to region encoding. Jon's defence of
his actions was based on the view that he broke no law in
Norway. Jon was prosecuted for copyright violation but found
not guilty.
The CSS system had not prevented commercial-scale
infringement but had regionalised the DVD market at the cost
of travellers having to buy DVDs multiple times.
The Sony rootkit 1
The Extended Copy Protection (XCP) software was
developed by the UK firm then known as First 4 Internet
which was present on a number of audio CDs by Sony. In Oct
2005 a security researcher Mark Russinovich released a
description of this program as functionally equivalent to a
rootkit, in the sense that it installed on a computer without
effective authorisation and compromised security.
Based on research into DNS cache requests made by this
software, which infringed privacy by reporting usage over the
Internet, Dan Kaminsky estimate that 568,000 networks had
one or more PCs infected by this rootkit.
The Sony rootkit 2
There was some criticism of anti-virus vendors at the
time concerning their failure to include signatures of
this software and disinfection routines in their
products for some time after the nature of this trojan
was published.
The Wikipedia article on this (Mar 2009) alleges that
Sony violated copyrights on GNU Public Licensed
components of this rootkit software. This article
mentions other legal investigations and actions
concerning the allegedly unauthorised software
modification carried out by this program.
Trusted Platform Management
The concept of trusted computing involves a
computing environment in which all executable
components are cryptographically signed, checked and
authorised starting with the initial boot sequence.
For this to work according to the specifications of the
Trusted Computing Group this technical approach
requires a custom hardware chip known as a Trusted
Platform Module (TPM) to be included on the system
motherboard.
TPM protected boot sequence
1. Hardware TPM module confirms the BIOS checksum. If
hardware checksum checking module agrees with BIOS checksum
it runs the BIOS code.
2. The BIOS checksums the bootloader. If it agrees with
bootloader checksum the bootloader is run.
3. The bootloader confirms checksums on configuration files,
OS kernel and other files needed to complete boot sequence. If
these are accepted the OS kernel is loaded and run.
4. Once the filesystem is loaded all other signed drivers are
cryptographically checked.
5. The kernel checks cryptographic signatures on all other
programs and components.
6. The kernel checks signatures on all other applications which
are loaded and executed.
What happens when a TPM
network goes wrong ?
Those involved in creating a 'walled garden' using a network of TPM
computers need to be able to regain control if a master software
signing key is leaked. The following can be deduced:
Old software signed legitimately with the compromised key seems
more likely to be whitelisted than revoked, because revoking it
would annoy users as well as the developers. This also limits use of
the compromised key to clients which discontinue vendor network
participation and which retain older firmware.
The network operator restricts access to the network, limiting older
client firmware versions to upgrade only. The new key signs the
whitelist. Old software is allowed to run if whitelisted.
TPM example - the Xbox
The TPM functionality of this games console enables
Microsoft to control the software which can be sold
for use on this hardware. Only programs signed with
cryptographic keys used by Microsoft can be run.
Modified versions of this system which defeat the
TPM functionality are prevented from accessing the
Xbox Live gaming network.
Older console firmware versions can be freed using a
signed version of a game in which a known
exploitable buffer overrun can be exercised.
A criticism of TPM
Richard Stallman and others have been critical of the trusted
computing concept. He argues that when the end user does not
have access to the encryption keys used to control the software
allowed to run on his or her computer that the use of the word
"trust" has nothing to do with whether the user can trust the
system but whether the party controlling the system through
the encryption keys trusts the user of it.
Stallman argues that in this situation, "trusted computing"
should be renamed as "treacherous computing" because the
computer is not acting in the interests of its user but in the
interests of the organisation controlling the cryptographic keys
determining what the system can be used for.
GPLv3 - a TPM counterattack ?
Version 3 of the GNU Public License states that
software licensed under its terms must include the
cryptographic keys required to enable its users to
exercise rights as users of free software as defined by
the Free Software Foundation.
These rights include the ability to use and obtain source
code, to study the software, and to redistribute it
including in modified form. This prevents any GPLv3
software from being used on TPM platforms without
either an infringement of the copyright license or the
end users being provided with the keys.
DRM - Digital Rights or Restrictions
Management
This term applies to a variety of techniques e.g. as
applied in I-Tunes and the BBC I-player software to
restrict what users can do with content playable
through these technologies. For some purposes this can
be a genuine constraint and for others it becomes a
minor nuisance.
The next slide shows how a DRM nuisance for users of
Adobe's Acrobat PDF viewer does not affect the free
software Evince PDF viewer.
Password protected PDF ?
Source: http://www.9-11commission.gov/report/911Report.pdf
DRM and Vista
More advanced forms of DRM are included within Windows
Vista and Windows 7. This sets various flags within content
designated as "premium" or "commercial" e.g. a very high
resolution movie, which results in data being communicated
over the system bus and to display and output devices
encrypted. Separate keys are used in connection with software
drivers, hardware devices and content files. This design creates
additional expense for hardware manufacturers.
On the next slide is a diagram taken from a Microsoft White
Paper describing parts of the video premium content protection
mechanism within Vista. This paper describes the view
diagrammed as simplified.
DRM and Vista 2
Further Reading on TC and DRM
Sony Playstation 2011 network outage:
http://en.wikipedia.org/wiki/Talk:PlayStation_Network_outage
(starting point to a number of other more useful articles).

The HTML (old) version of these notes contain clickable links to a
selection of articles including:





An assessment of DRM costs concerning use of the Microsoft
Vista platform to view DRM protected content.
Ross Anderson has written a FAQ on Trusted Computing
The Trusted Computing Group
Microsoft white paper describing Vista DRM design
Don't press the shiny red button ! issues to do with hardware key
revocation.