Copy prevention, detection and DRM
DRM: management of whose digital rights?
Copy detection and tracking
Steganography, steganalysis and the canary trap
Surveillance of network copyright infringement
Copy prevention technologies: fundamental problems, early methods, license servers, DVDs and DeCSS, the Sony rootkit
Trusted Computing and the Trusted Platform Module, and criticisms
An easily overcome DRM nuisance
DRM and Windows Vista: broken by design?
DRM: management of whose digital rights? The 4th amendment to the US constitution and Article 8 of the European Convention on Human Rights provide a general right to privacy of communication, as interpreted by the highest relevant courts. The principle of state interception of communications in respect of the most serious offences is generally recognised. But where private surveillance is carried out in respect of minor offences and small-scale copyright infringement, the use of court orders to obtain from ISPs the personal data behind an Internet address is controversial.
Copy detection and tracking Detecting unauthorised commercial copying is often more practical than preventing it. An example is the use of digital photography on websites. A photographic image library which sells photographs for publication could crawl websites within a particular industry and automatically compare the image files it downloads against its own catalogue. Someone who takes and uses an unauthorised copy will often have edited the image, e.g. cropping it, changing the colour balance, or slightly over- or under-exposing it. Even deliberately changing a single pixel to a slightly different shade produces a different file checksum, so an automated system which relies on checksums or cryptographic hashes of whole files will report no match. Matching therefore has to be done on features of the picture content (a "perceptual" hash) rather than on the bytes of the file.
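As an added illustration (this code is not part of the original slides), the following Python contrasts a whole-file SHA-256 with a simple perceptual "difference hash": the image is shrunk to a 9x8 thumbnail and each bit records whether a pixel is darker than its right-hand neighbour. The image is a constructed 16x16 greyscale gradient with a bright rectangle, standing in for a library photograph; the threshold of 10 differing bits is an assumed tuning value, not one from the page.

```python
import hashlib

def make_sample_image(width=16, height=16):
    """Constructed greyscale image: a gradient with a brighter rectangle in it."""
    img = []
    for y in range(height):
        row = []
        for x in range(width):
            v = (x * 12 + y * 4) % 256
            if 4 <= x < 10 and 3 <= y < 8:
                v = min(255, v + 90)
            row.append(v)
        img.append(row)
    return img

def file_hash(img):
    """Whole-file check: SHA-256 over the raw pixel bytes. Any edit at all breaks it."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()

def shrink(img, w=9, h=8):
    """Area-average downscale to w x h: each output pixel is the mean of a block."""
    H, W = len(img), len(img[0])
    out = []
    for j in range(h):
        y0 = j * H // h
        y1 = max((j + 1) * H // h, y0 + 1)
        row = []
        for i in range(w):
            x0 = i * W // w
            x1 = max((i + 1) * W // w, x0 + 1)
            block = [img[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out

def dhash(img):
    """Difference hash: 64 bits, bit = 1 where a thumbnail pixel is darker than its right neighbour."""
    bits = 0
    for row in shrink(img, 9, 8):
        for i in range(8):
            bits = (bits << 1) | (1 if row[i] < row[i + 1] else 0)
    return bits

def hamming(a, b):
    return bin(a ^ b).count("1")

# Three kinds of edit an infringer might make, plus one (mirroring) that this hash does not survive.
def tweak_one_pixel(img):
    out = [row[:] for row in img]
    out[0][0] = (out[0][0] + 1) % 256
    return out

def brighten(img, delta=20):
    return [[min(255, v + delta) for v in row] for row in img]

def crop(img, left=1, top=1):
    return [row[left:] for row in img[top:]]

def mirror(img):
    return [row[::-1] for row in img]

def compare(original, candidate, threshold=10):
    """threshold is an assumed tuning value: how many differing bits still count as 'same picture'."""
    distance = hamming(dhash(original), dhash(candidate))
    return {
        "sha256_match": file_hash(original) == file_hash(candidate),
        "dhash_distance": distance,
        "phash_match": distance <= threshold,
    }

if __name__ == "__main__":
    orig = make_sample_image()
    for name, edited in [("one pixel", tweak_one_pixel(orig)), ("brightened", brighten(orig)),
                         ("cropped", crop(orig)), ("mirrored", mirror(orig))]:
        print(name, compare(orig, edited))
```

The one-pixel and brightness edits defeat the file hash but leave the difference hash untouched; the mirrored copy shows the limit of the technique, since a flipped image inverts most of the comparisons and would need a second hash of the mirrored original to catch.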
Hidden Errors 1 Those who publish content which others may legally reproduce at a cost will often want to be able to prove when their copyright has been misused. Such copyrights include: a particular photograph, e.g. of a public building, but not the right to photograph the same scene again; a compilation of logarithms in a table, but not the properties of numbers and mathematics which allow the same table to be recomputed; the typesetting of a new edition when reprinting an old book whose text is out of copyright, but not the original text.
Hidden Errors 2 Hidden errors can be deliberately introduced into such material, e.g. changing the last digit by one in a single logarithm in a book of logarithms. Someone who computes all the values themselves is unlikely to make the same error by accident. For someone to find where such an error was placed, they would have to recompute the entire table of logarithms themselves, which would lose the cost saving of copying a compilation made by another publisher. A thesaurus can be used to substitute a few words in a reprint of an old text with synonyms, and these changes allow an exact text copy to be detected. The weakness is that someone who uses OCR to scan the old and new versions and then runs a file comparison program such as diff will be able to find the changes.
Steganography 1 Steganography means hiding the existence of a secret message. This and related techniques, e.g. digital watermarking, offer more sophisticated solutions to the copy detection requirement. An ancient example is that of Histiaeus, who shaved the head of his most trusted slave and tattooed a hidden message on his scalp to instigate a revolt against Darius I of Persia around 500 BC. The message became hidden when the hair regrew and was revealed when the head was shaved again.
Steganography 2 Invisible ink dries invisibly on a letter carrying another, innocuous message, until revealed by chemical treatment or ultraviolet light etc. During WWII messages photographed down to microdots were placed under a postage stamp or on a full stop in the covertext letter. The least significant bit of one colour value in every Nth pixel of a cover photo can be used to carry one bit of a message that is hard to detect. The embedded bits are made to look random by XORing the message with a one-time pad, with the value of N and the pad known to both sender and recipient; without the pad, the structure of the plaintext (e.g. the always-zero top bit of ASCII characters) shows through in the bit plane.
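The embedding just described, written out as an added Python example (not code from the original slides). The cover image is constructed (a gradient with seeded noise in the blue channel so that its least-significant-bit plane looks like a photograph's), the message and stride N are made up, and the pad comes from the operating system's CSPRNG. The last function is a crude steganalysis check of the kind the following slides discuss: it measures how often every 8th embedded bit is zero, which betrays unmasked ASCII text but not a pad-masked message.

```python
import random
import secrets

MESSAGE = b"Meet at the old mill at dawn. Bring the second ledger. -- H."  # constructed sample

def make_cover(width=64, height=32, seed=0):
    """Constructed cover: RGB tuples; blue channel is seeded noise so its LSBs are ~half ones."""
    noise = random.Random(seed)
    return [[((x * 4) % 256, (y * 8) % 256, noise.randrange(256)) for x in range(width)]
            for y in range(height)]

def to_bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def from_bits(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))

def embed(cover, message, pad, stride, channel=2):
    """Hide (message XOR pad) in the LSB of one channel of every stride-th pixel, row-major."""
    if len(pad) < len(message):
        raise ValueError("one-time pad must be at least as long as the message")
    masked = bytes(m ^ p for m, p in zip(message, pad))
    bits = to_bits(masked)
    flat = [px for row in cover for px in row]
    if (len(bits) - 1) * stride >= len(flat):
        raise ValueError("message does not fit in cover at this stride")
    for k, bit in enumerate(bits):
        px = list(flat[k * stride])
        px[channel] = (px[channel] & ~1) | bit
        flat[k * stride] = tuple(px)
    width = len(cover[0])
    return [flat[i:i + width] for i in range(0, len(flat), width)]

def lsb_plane(image, stride, nbits, channel=2):
    """Read the LSBs of the channel at every stride-th pixel: what an analyst (or recipient) sees."""
    flat = [px for row in image for px in row]
    return [flat[k * stride][channel] & 1 for k in range(nbits)]

def extract(stego, pad, stride, nbytes, channel=2):
    masked = from_bits(lsb_plane(stego, stride, nbytes * 8, channel))
    return bytes(m ^ p for m, p in zip(masked, pad))

def top_bit_zero_fraction(bits):
    """Fraction of every-8th bits that are 0. ASCII text gives exactly 1.0; noise or a
    pad-masked message gives about 0.5. A one-line stand-in for real statistical steganalysis."""
    tops = bits[0::8]
    return sum(1 for b in tops if b == 0) / len(tops)

def demo(stride=3):
    cover = make_cover()
    pad = secrets.token_bytes(len(MESSAGE))
    stego = embed(cover, MESSAGE, pad, stride)
    naive = embed(cover, MESSAGE, bytes(len(MESSAGE)), stride)  # all-zero pad: no masking
    n = len(MESSAGE) * 8
    return {
        "recovered": extract(stego, pad, stride, len(MESSAGE)),
        "cover_top_zero": top_bit_zero_fraction(lsb_plane(cover, stride, n)),
        "naive_top_zero": top_bit_zero_fraction(lsb_plane(naive, stride, n)),
        "otp_top_zero": top_bit_zero_fraction(lsb_plane(stego, stride, n)),
    }

if __name__ == "__main__":
    print(demo())
```

The pad-masked embedding is indistinguishable from the cover's own noise by this test, while the unmasked one is caught immediately; the pad must be as long as the message and never reused, otherwise it is a stream cipher with a repeated key rather than a one-time pad.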
Steganalysis 1 This means detecting stegotext messages. It is likely to involve automated and statistical means, e.g. comparing noise and edge statistics in suspected covertext files (photographs, MP3 recordings) against collections of similar files, e.g. ones taken with the same make and model of digital camera, or produced using the same MP3 encoder program.
Steganalysis 2 This is likely to be expensive because the stegotext is probably encrypted, the steganalyst probably won't know what to look for, and the number of possible places to hide the information and methods of hiding it is large. It seems unlikely to be cost effective unless there are very good reasons to believe that a small collection of data contains one or more stegotexts of enough significance to justify the cost.
The Canary Trap This involves creating and distributing a number of slightly different versions of an information package in order to identify the party responsible for an unauthorised disclosure of it. The variations sent to each recipient are recorded before distribution. This approach might be used to identify the government minister or official responsible for leaking a discussion document to the press. Where relatively few copies of software are distributed, only to identifiable customers, the same technique allows unauthorised copies to be traced to a specific customer. A leaker who knows the trap exists may paraphrase or delete some of the varied passages, so several independent variations are needed to survive partial editing.
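The thesaurus-substitution trap from the Hidden Errors slides and the canary trap above share one mechanism: a ledger of which wording went to whom, and a matcher that reads the wording back out of a leaked copy. The Python below is an added example (not from the original slides) with a constructed "discussion document", made-up recipient names and invented wording slots; the two-match minimum for an identification is an assumed policy value.

```python
import random

# Constructed sample document and the interchangeable wordings ("slots") inside it.
MASTER_TEXT = ("The committee will consider the proposal next week. "
               "Members should treat this document as confidential until then.")

# (phrase as it appears in the master, options for it; option 0 is the master's own wording)
SLOTS = [
    ("consider", ["consider", "examine", "review"]),
    ("next week", ["next week", "in the coming week"]),
    ("treat", ["treat", "regard"]),
    ("until then", ["until then", "until that time", "in the meantime"]),
]

def assign_variants(recipients, slots, rng=None):
    """Give each recipient a distinct tuple of wording choices; the ledger stays with the sender.
    A CSPRNG is used unless a seeded random.Random is supplied (for reproducible tests)."""
    rng = rng or random.SystemRandom()
    capacity = 1
    for _, options in slots:
        capacity *= len(options)
    if len(recipients) > capacity:
        raise ValueError("more recipients than distinct variants")
    ledger, used = {}, set()
    for name in recipients:
        while True:
            choice = tuple(rng.randrange(len(options)) for _, options in slots)
            if choice not in used:
                used.add(choice)
                ledger[name] = choice
                break
    return ledger

def render(master, slots, choice):
    """Produce one recipient's copy by applying that recipient's wording choices."""
    text = master
    for (phrase, options), idx in zip(slots, choice):
        text = text.replace(phrase, options[idx], 1)
    return text

def fingerprint(text, slots):
    """Read back which wording each slot carries; None where it was removed or paraphrased."""
    result = []
    for _, options in slots:
        hits = [i for i, opt in enumerate(options) if opt in text]
        result.append(hits[0] if len(hits) == 1 else None)
    return tuple(result)

def identify(leaked_text, ledger, slots, min_matches=2):
    """Name the recipient whose recorded choices best match the leaked copy, or None if the
    evidence is too thin or two recipients tie. Unreadable slots simply do not count."""
    fp = fingerprint(leaked_text, slots)
    scores = {name: sum(1 for a, b in zip(fp, choice) if a is not None and a == b)
              for name, choice in ledger.items()}
    best = max(scores.values(), default=0)
    winners = [n for n, s in scores.items() if s == best]
    if best < min_matches or len(winners) != 1:
        return None
    return winners[0]

if __name__ == "__main__":
    ledger = assign_variants(["minister", "permanent_secretary", "press_officer"], SLOTS)
    leaked = render(MASTER_TEXT, SLOTS, ledger["press_officer"])
    print(identify(leaked, ledger, SLOTS))                              # press_officer
    print(identify(leaked.replace("review", "weigh"), ledger, SLOTS))   # still identified
```

Keep the unmodified master out of circulation: it matches whichever recipient happens to share most of the default wordings. The same matcher works for the OCR-and-diff attack on a reprinted text, except that there the attacker is the one running it, which is why the slides treat hidden errors as detection rather than prevention.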
A practical canary trap application This involves managing subscriptions to multiple email lists so as to enforce one's own data protection rights. The person setting the trap creates a new email address each time an address has to be given out, recording the party it was provided to, e.g. as a commented entry in the /etc/aliases file. Then if that address gets into the hands of spammers, the address itself identifies the party which disclosed it without authorisation. Messages from a mismanaged list can be cut off by simply ceasing to accept mail sent to the relevant alias.
Surveillance of Internet copyright infringement Detecting when people copy files on the Internet in breach of copyright is an activity carried out by various organisations, e.g. FAST and the RIAA, acting on behalf of rights holders. Copyright infringement for personal use is currently (2009) a civil wrong rather than a criminal offence, so you can't go to jail for it, but you can be sued; and the standard of proof required in a civil case is lower than that needed in a criminal case. BitTorrent trackers disclose the Internet protocol (IP) address of the participants in a torrent, and an ISP can be ordered by a court to disclose the street address and account holder name for a particular connection.
Anonymous filesharing approaches The popular BitTorrent protocol for sharing files is an entirely peer-to-peer (P2P) network for content distribution. However, to obtain a file being distributed, a user needs to find a tracker, typically through a centralised search engine. Efforts to prevent use of this network for infringing purposes are now (Mar 2009) concentrating on the trackers, with a prosecution of the operators of The Pirate Bay under way. Other approaches involve distributed hash tables (DHTs), which move the search function into the P2P service itself, and onion routing with multiple layers of encryption so that no single node knows both who is asking and what for. These are being researched by developers of the Gnutella, Tor, Freenet and other P2P networks.
Copy prevention: the problem 1 Computers are designed to copy data. Register memory, which can be processed directly, is a few bytes at the top of a pyramid. Lower layers in the pyramid progressively provide greater volume, lower cost per byte and slower access: level 1 and 2 CPU caches, RAM, solid state disk, hard disk and archival media (magnetic and optical). To be processed and saved, all data has to be copied up and down this pyramid.
Copy prevention: the problem 2 Computer networks are also designed to copy data. Here the data is packaged into standard protocol packets with standard headers attached, to be copied from one location to another. The consumer electronics industry serves its customers by producing products which copy data from one form or place to another, e.g. photographs from a camera sensor to memory, sound from a CD to a speaker, or files between two mobile phones. The "analogue hole" (re-recording the output that a human must eventually be able to see or hear) also can't easily be closed.
Copy prevention: the problem 3 The media content industry sells books, magazines, packaged software, TV programmes, music recordings, movies etc. This industry has a commercial interest in preventing infringement, and is reluctant to distribute its products except to computers, operating systems and application programs designed to make copying of its content difficult. But this conflicts with the nature of how computers, networks and consumer electronic devices work, so the techniques designed to prevent copying tend to be overcome.
Early copy-prevention schemes 1 There has been an arms race between the copy prevention engineers on one side and, on the other, software users interested either in making illegal copies or in avoiding nuisance measures. For example, users exercising their legitimate right to take backup copies of software in case the master copy fails, when the software company might no longer exist. In some cases a software user processing personal data which falls under the Data Protection Act has a legal obligation to maintain secure access to the data concerned, which a copy-protected master they cannot back up puts at risk.
Early copy-prevention schemes 2 For each new copy prevention scheme, skilled users will attempt to defeat it. Approaches have included asking users questions which can be answered only from the manual assumed to accompany every legitimate copy. This meant that for a user with a legitimate copy it was more convenient to use a cracked copy, distributed illegally, with the nuisance prompts removed. Other approaches have involved installing non-standard software drivers to read information from CDs and floppy disks written in non-standard formats, making it difficult for users with legitimate copies to take backups.
License Servers Some software is designed to call its supplier and register a serial number. Alternatively, software might be required to register with a local license server which attempts to prevent more than the licensed number of copies being used simultaneously. Vendors of this category of software tend to provide a telephone fallback for those using products behind restrictive firewalls or on non-networked computers. Anyone who has supported software in this category will know that a proportion of the support effort has to go into maintaining the license server and the credentials needed to operate the software, and will regard this approach as an expensive nuisance at best and a denial of service at worst.
Hardware Dongles A dongle is a hardware device that attaches to a computer to authenticate a piece of software. The hardware device is more difficult to copy than the software. The downsides are that the dongle adds cost and can easily be lost, borrowed or mislaid, and that it does not protect the vendor against cracked versions of the software with the authentication check removed (often called warez). What it does ensure is that those unwilling to run warez or to use illegally reverse-engineered dongles pay to use the product, so this approach suits relatively high-value proprietary software.
DVDs and DeCSS DVDs were protected by a weak proprietary scrambling system (CSS) which was broken by Jon Lech Johansen and collaborators. This resulted in the widespread distribution of unscrambling software known as DeCSS. The simplicity of DeCSS removed the barrier to multi-region DVD players. Jon had purchased DVDs while in the USA which were unplayable in Norway because of region coding. Jon's defence was that he broke no law in Norway; he was prosecuted there and acquitted. CSS had not prevented commercial-scale infringement but had regionalised the DVD market at the cost of travellers having to buy DVDs multiple times.
The Sony rootkit 1 The Extended Copy Protection (XCP) software, developed by the UK firm then known as First 4 Internet, was present on a number of Sony audio CDs. In Oct 2005 the security researcher Mark Russinovich published a description of this program as functionally equivalent to a rootkit, in the sense that it installed itself on a computer without effective authorisation, hid its own files and processes, and compromised security. Based on research into DNS requests made by this software, which also infringed privacy by reporting usage over the Internet, Dan Kaminsky estimated that 568,000 networks had one or more PCs infected by this rootkit.
The Sony rootkit 2 There was some criticism of anti-virus vendors at the time for failing, for some time after the nature of this trojan was published, to include signatures for it and disinfection routines in their products. The Wikipedia article on this (Mar 2009) alleges that Sony violated the copyrights of components licensed under the GNU General Public License which were used in the rootkit software. The article also mentions other legal investigations and actions concerning the allegedly unauthorised software modification carried out by this program.
Trusted Computing and the Trusted Platform Module The concept of trusted computing, as specified by the Trusted Computing Group (TCG), requires a hardware chip on the system motherboard known as a Trusted Platform Module (TPM). The TPM does not itself decide what may run: it records ("measures") a cryptographic hash of each component in the boot chain into its Platform Configuration Registers (PCRs), and can seal secrets to those values or attest them to a remote party. Refusing to run components that lack a valid signature ("verified" or "secure" boot) is a separate enforcement step performed by the firmware and operating system; the two are usually combined, which is where the "only signed code runs" model of the following slides comes from.
TPM measured boot sequence
1. An immutable piece of firmware (the core root of trust for measurement) hashes the BIOS/UEFI firmware and extends the hash into a PCR before running it.
2. The firmware hashes the bootloader and extends the result before handing over to it.
3. The bootloader measures the OS kernel, initrd and configuration files it loads, then runs the kernel.
4. The kernel measures the drivers it loads and, where secure boot is enabled, verifies their signatures.
5. Higher layers can continue to measure applications and components as they are loaded.
Each extend is PCR = H(old PCR || new hash), so a final PCR value can only be reproduced by booting exactly the same components in the same order. Secrets such as a disk encryption key are sealed to expected PCR values and the TPM releases them only if the live values match.
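The measure-and-extend chain above and the sealing step it enables, as an added Python example (not code from the original slides). The TPM is emulated in software: `measured_boot` replays the chain, `seal`/`unseal` stand in for the TPM's sealed storage, and the storage root key is a constructed constant that a real TPM would never release; the component blobs and names are made up.

```python
import hashlib
import hmac

# Constructed boot chain: (stage name, the bytes that stage consists of).
BOOT_CHAIN = [
    ("firmware", b"constructed BIOS image v1"),
    ("bootloader", b"constructed bootloader 2.02"),
    ("kernel", b"constructed kernel 2.6.28"),
    ("initrd", b"constructed initial ramdisk"),
]

# Assumption for the emulation: a storage root key held inside the TPM and never exported.
SRK = b"constructed storage root key, never leaves the chip"

def measure(blob):
    return hashlib.sha256(blob).digest()

def extend(pcr, measurement):
    """PCR extend: PCR_new = H(PCR_old || measurement). A PCR cannot be written directly,
    so a given value can only be reached by replaying the same measurements in the same order."""
    return hashlib.sha256(pcr + measurement).digest()

def measured_boot(chain):
    """Each stage measures the next before handing over. Nothing is blocked: the result is a
    record of what booted, which secure boot (a separate mechanism) may or may not enforce."""
    pcr = bytes(32)  # PCRs are zero after reset
    log = []
    for name, blob in chain:
        m = measure(blob)
        pcr = extend(pcr, m)
        log.append((name, m.hex()))
    return pcr, log

def _keystream(pcr, n):
    return hashlib.shake_256(SRK + pcr).digest(n)

def seal(secret, expected_pcr):
    """Bind a secret to a PCR value. The blob is useless without the SRK inside the TPM,
    and the TPM will only apply the SRK if the live PCR equals the one sealed against."""
    ct = bytes(s ^ k for s, k in zip(secret, _keystream(expected_pcr, len(secret))))
    tag = hmac.new(SRK, expected_pcr + ct, hashlib.sha256).digest()
    return {"pcr": expected_pcr, "ct": ct, "tag": tag}

def unseal(blob, live_pcr):
    """Release the secret only if the platform booted into the expected state."""
    if not hmac.compare_digest(blob["pcr"], live_pcr):
        return None
    expected_tag = hmac.new(SRK, blob["pcr"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, blob["tag"]):
        return None
    return bytes(c ^ k for c, k in zip(blob["ct"], _keystream(live_pcr, len(blob["ct"]))))

def tampered_chain():
    """Same chain with a modified kernel, as a rootkit or a user's own rebuild would produce."""
    return [(n, b"constructed kernel 2.6.28 with a patched syscall table" if n == "kernel" else b)
            for n, b in BOOT_CHAIN]

if __name__ == "__main__":
    good_pcr, log = measured_boot(BOOT_CHAIN)
    blob = seal(b"constructed disk encryption key", good_pcr)
    print("clean boot unseals:", unseal(blob, good_pcr))
    print("tampered boot unseals:", unseal(blob, measured_boot(tampered_chain())[0]))
    print("reordered boot unseals:", unseal(blob, measured_boot(BOOT_CHAIN[::-1])[0]))
```

Two consequences fall out of the construction: a legitimate update to any stage also changes the PCR and needs the secret re-sealed (or the policy updated), and the whole chain is only as good as the first measurer, which is why the core root of trust must be immutable.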
What happens when a trusted-computing network goes wrong? Those who create a "walled garden" from a network of such computers need to be able to regain control if a master software signing key is leaked. The following can be deduced. Old software legitimately signed with the compromised key is more likely to be whitelisted than revoked, because revoking it would annoy users as well as developers. Whitelisting also limits what the compromised key is good for: only clients which stay off the vendor network and keep older firmware can still use it. The network operator restricts access, allowing older client firmware versions to connect only to upgrade. The new key signs the whitelist, and old software is allowed to run if it is on that list.
Trusted computing example: the Xbox The signed-code enforcement in this games console (a vendor-specific secure boot design rather than a TCG TPM as such) enables Microsoft to control which software can be sold for the hardware: only programs signed with Microsoft's keys will run. Modified consoles which defeat this check are prevented from accessing the Xbox Live gaming network. Older console firmware versions can be freed using a signed game containing a known exploitable buffer overrun; the exploit runs unsigned code from inside a legitimately signed program, which is the generic weakness of any "only signed code runs" design.
A criticism of trusted computing Richard Stallman and others have been critical of the trusted computing concept. He argues that when the end user has no access to the keys which control the software allowed to run on his or her computer, the word "trust" has nothing to do with whether the user can trust the system, but with whether the party controlling the system through those keys trusts the user. Stallman therefore argues that in this situation "trusted computing" should be renamed "treacherous computing", because the computer is acting not in the interests of its user but in those of the organisation holding the keys which determine what the system can be used for.
GPLv3: a counterattack? Version 3 of the GNU General Public License (section 6) requires that when GPLv3 software is shipped inside a consumer "User Product", the distributor must also supply the "Installation Information" (signing keys or their equivalent) needed to install and run modified versions on that device. This targets "tivoisation", where the source is available but the device refuses to run a modified build, and sits alongside the existing freedoms to obtain the source code, study it and redistribute it, including in modified form. A TPM that merely measures does not conflict with this; a device that only boots vendor-signed code does. So GPLv3 software cannot be shipped on such a locked-down device without either infringing the licence or giving end users the keys (or some other way to install modified software).
DRM: Digital Rights or Restrictions Management This term applies to a variety of techniques, e.g. those used in iTunes and the BBC iPlayer software, which restrict what users can do with content played through these technologies. For some purposes this is a genuine constraint and for others it becomes a minor nuisance. The next slide shows how a DRM nuisance for users of Adobe's Acrobat PDF viewer does not affect the free software Evince PDF viewer: the restriction is a flag in the file which a viewer may or may not choose to honour.
Password protected PDF? Source: http://www.9-11commission.gov/report/911Report.pdf
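What such a "protected" PDF actually contains, as an added Python example (not code from the original slides, and making no claim about the flags in the file linked above). The PDF fragment is constructed: an owner password has been set, the user password is empty, and the permission word /P allows printing but denies copying and modifying. The bit positions follow Table 22 of the PDF specification; the dummy /O, /U and /ID hex strings are placeholders of the right length.

```python
import re

# Constructed PDF fragment: only the objects that matter for "protection" are present.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"5 0 obj\n<< /Filter /Standard /V 2 /R 3 /Length 128 /P -3900\n"
    b"   /O <" + b"11" * 32 + b">\n   /U <" + b"22" * 32 + b"> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Encrypt 5 0 R /ID [<" + b"33" * 16 + b"> <" + b"33" * 16 + b">] >>\n"
    b"%%EOF\n"
)

# /P bit positions, 1-based as the PDF specification numbers them (revision 3 and later).
PERMISSION_BITS = {
    "print": 3,
    "modify": 4,
    "copy": 5,
    "annotate": 6,
    "fill_forms": 9,
    "extract_accessibility": 10,
    "assemble": 11,
    "print_high_quality": 12,
}

def find_encrypt_dict(pdf):
    """Follow /Encrypt N G R in the trailer to the body of object N G. None if unencrypted."""
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", pdf)
    if not ref:
        return None
    num, gen = ref.group(1), ref.group(2)
    obj = re.search(rb"(?s)(?<!\d)" + num + rb"\s+" + gen + rb"\s+obj\s*<<(.*?)>>\s*endobj", pdf)
    return obj.group(1) if obj else None

def parse_permissions(encrypt_dict):
    """/P is a signed 32-bit integer; work on its unsigned form and test each documented bit."""
    p = int(re.search(rb"/P\s+(-?\d+)", encrypt_dict).group(1)) & 0xFFFFFFFF
    return {name: bool(p & (1 << (bit - 1))) for name, bit in PERMISSION_BITS.items()}

def describe(pdf):
    d = find_encrypt_dict(pdf)
    if d is None:
        return {"encrypted": False}
    filt = re.search(rb"/Filter\s*/(\w+)", d)
    rev = re.search(rb"/R\s+(\d+)", d)
    return {
        "encrypted": True,
        "filter": filt.group(1).decode() if filt else None,
        "revision": int(rev.group(1)) if rev else None,
        "permissions": parse_permissions(d),
    }

if __name__ == "__main__":
    print(describe(SAMPLE_PDF))
```

With the standard security handler and an empty user password, every reader derives the decryption key from the dictionary alone, so the document is fully readable by anyone; /P is advice to the viewer, not a cryptographic restriction, which is exactly why one viewer can refuse to copy text while another copies it freely.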
DRM and Vista More advanced forms of DRM are included within Windows Vista and Windows 7. Content designated "premium" or "commercial", e.g. a very high resolution movie, carries flags which require its data to be encrypted as it crosses the system bus and travels to display and output devices. Separate keys are used for software drivers, hardware devices and content files, so that any one of them can be revoked. This design creates additional expense for hardware manufacturers. On the next slide is a diagram taken from a Microsoft white paper describing parts of the video premium content protection mechanism within Vista; the paper itself describes the view diagrammed as simplified.
Further Reading on TC and DRM
Sony PlayStation Network outage (2011): http://en.wikipedia.org/wiki/Talk:PlayStation_Network_outage (starting point to a number of other more useful articles)
The HTML (old) version of these notes contains clickable links to a selection of articles including:
An assessment of DRM costs concerning use of the Microsoft Vista platform to view DRM protected content
Ross Anderson's FAQ on Trusted Computing
The Trusted Computing Group
Microsoft white paper describing the Vista DRM design
"Don't press the shiny red button!": issues to do with hardware key revocation