Re: [PEN-TEST] SealedMedia secured content?

[Russ Spooner <labrat () INTERROREM COM>]

Sorry, as we were directed at the resource I believed we would be familiar
with the subject matter:

Digital Rights Management.

Something that has fascinated (in a morbid sense) for a while now....

You are absolutely right, of course, regarding the circumvention of some
more primitive containers, however the current trend seems to be more along
the lines of proprietary client software which is required to view as well
as decrypt the content.

This company seems to be doing exactly that.

It is because there are no applications directly under the control of the
user that more "clandestine" digital rights subversion is required.

This is very similar to what Magex (http://www.magex.com) and by reference,
Universal, are doing using Intertrust's Digital rights management
technology.

The content is encrypted and placed in a "container". The only way to view
the content is by using the "special viewer" that is supplied with the
"virtual wallet" software....

Digital Rights Management is seen as "necessary" by large corporations in
order to "legitimise" business on the Internet. I.e. so that supply (which
is actually infinite on the internet) can be artificially restricted thereby
increasing the value of the content...

It is a laudable theroretical goal, in terms of technical achievement,
nevertheless, as with so much in the field of security, it is currently
achieved with obfuscation and assumptions of a technically inept user
base.... Thus, easily broken.

The next generation of DRM will probably be included at an integral level
within the hardware platform, much in the same way as some hardware MP3
players already contain.

I believe Sony(?) have already prototyped a monitor with DRM.

At a hardware level (kind of like "bump in the wire") rights management is
much harder to subvert, primarily because there is the potential to have
lower level control over what the user can do.

Cough, Mod chips...

Sorry if this is boring, but I could go on all day...

Returning to Lurk mode....

Russ Spooner
Interrorem LTD


-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Crist Clark
Sent: 03 November 2000 21:19
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] SealedMedia secured content?


DRM? Which SecurityFocus mail list just got a lecture about tossing in
obscure acronyms without definition? Was it this one? What is DRM?

Anyway, it seems to me that it is even easier to circumvent the controls
on the systems I have seen. The ones that promise to protect _any_ format
rely on the recipient's software to actually handle the data. Why bother
with replacing the audio drivers or do a screen capture? The data is
being fed to some application UNDER THE CONTROL OF THE END USER in an
unecrypted format. That's all you need to say. Game over, no? Why can't
your MPEG or WAV player be a quick proggie that writes its input to a file?

I must caveat this by saying I have only played with one vendor's product.
The idea that you could protect files you give to someone else just seemed
so strange to me that I had to check it out. Did not take me 15 minutes to
get around their restrictions. It may just be I have a funky environment
(but
that is not a very good argument for the vendor) or this particular vendor
does not have a great product, but I strongly believe it is a fundamental
issue with the concept.

Systems that protect a specific type of data with an imbedded or "trusted"
application to use data are another issue. That gets to the watermarks
and all that good kind of great stuff.
--
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926