MPAA 1 – RealDVD 0

A judge has ordered RealNetworks to stop selling its new RealDVD software. Here is what is currently displayed when visiting the RealDVD site (image: realdvdinjunction.jpg).

RealDVD is $30 software that allows you to back up DVDs on your PC. You may state that DeCSS does the same for $0. The main difference is that the copy on the PC is itself copy protected. Furthermore, it is supposed to limit the copies to 4 registered computers (an additional $20 per computer). Thus, RealNetworks claims not to have broken CSS and not to infringe the DMCA. The studios do not share that opinion.

A rather similar case started four years ago with Kaleidescape. Kaleidescape produces a video server that stores content read from DVDs. The video server can then play back the movie without the presence of the original DVD. The DVD Copy Control Association claimed that it was a violation of its compliance rules. In 2007, a judge ruled in favor of Kaleidescape.

Thus, a new battle of the Titans has started. Any bets on the winner?

Is French HADOPI law dead?

One of the outcomes of the French law, so called HADOPI, was to allow a flexible response against P2P users. A body nominated by the government could decide to cut the Internet access of P2P recidivists for one month. Before this last strike, the recidivist would have received two notifications.

Unfortunately for HADOPI, on 24th September the European Parliament voted amendment 138. The vote was 574 deputies for and 73 against. Amendment 138 states that it is illegal to restrict the free speech and access to information of any citizen without a prior judicial decision. This is not the case with HADOPI.

The French government announced that it does not expect to drop the law and the flexible response. Nevertheless, European law supersedes national laws. Will there be some adjustment to HADOPI? Wait and see.

More information about fighting P2P piracy, HADOPI and the flexible response in the next security newsletter, due end of October.

The DRM game

Heileman G. and Jamkhedkar P. are regular contributors to the ACM DRM workshop. For many years, they have presented a paper at each workshop. And their papers are worthwhile.

Last year, they presented an interesting paper (http://portal.acm.org/citation.cfm?id=1314287). It analyzed the different possible strategies for Vendor and Consumer using game theory. The model was rather simplistic. Thus, there was no big surprise in the outcomes, especially when analyzing the baseline game (section 2). Were DRM unbreakable, the Vendor should always sell protected content. For the Vendor, it is important to decrease the utility of downloaded content versus sold content. Only common sense.

The paper becomes more interesting with section 3, when it analyzes the sub-games: what does the Consumer do with the content, and how does the Vendor react? One outcome is that the higher the penalty, the fewer Consumers the Vendor has to sue. The interesting part is the description of a distribution mechanism with a trust valuation that defines the cost of the content and the associated bonuses. This is a trend that was initiated many years ago by Philips labs, based on the use of forensic watermarks.

I have always had a problem with that philosophy because it relies on the rather strong assumption that the trust evaluation will work. I have many doubts about that, especially with B2C traitor tracing. Today, there are only a limited number of sources on P2P networks, and they do not collude. Let’s now suppose that Consumers understand that they may cheat if either they collude or they issue more instances of sources just to dilute the system… I do not even mention attacking the reputation system (look at electronic auctions).

Nevertheless, game theory seems an interesting tool to explore strategies. We may expect to see papers in the future with more complex models. I would like to see one that would differentiate authors from vendors/distributors, and vendors from authorities.

China wants source code (2)

The Yomiuri Shimbun reported additional information. Some products that will be subject to the approval:

  • OS of contactless cards such as FeliCa (Sony’s contactless smart card) and MULTOS
  • Digital photocopiers, OS of AV products, ATMs or Point Of Sale devices!
  • Routers (no surprise at all; it would have been the first category I would have requested)
  • Software for data backup

The list is rather interesting because most of them may have an impact on the overall security of the nation. An entity that had a backdoor in these devices would have access to interesting data. Let’s take a simple device like a digital photocopier. The OS may have access to the digitized image. It could store it in some hidden storage unit. The maintenance crew could retrieve the storage unit. Of course, storage capacity is limited. But now add OCR software and filtering software that spots a list of sensitive tag names. The spy software stores only the potentially interesting data. By the way, how can we be sure that it is not already the case? Photocopiers have some hidden features that are not often publicized. Try to copy a banknote with a high-res color XEROX. Surprise, surprise…

To the mere intent of economic intelligence, we could add to the list: detecting potential backdoors and spyware, or implementing such backdoors.

By the way, the new regulation is scheduled for May 2009!

Many thanks to Masaru-san.

China wants source code

According to the Yomiuri Shimbun, the Chinese government plans to request access to the source code of electronic equipment. The official rationale is to validate that the device will be immune to Internet viruses, in order to fight this malware. Without this approval, foreign companies would be banned from importing devices into China. The Japanese newspaper does not disclose what happens if the examiners find some weaknesses. Will they return the information to the manufacturer for it to cope with? Will they keep it secret?…

Of course, most people liken this process to economic intelligence. The Chinese government provides no guarantee that the source code would not leak. It is far easier than reverse engineering. It would also be an interesting method to find ways to crack installed devices. They would just not disclose the exploit (and it is smarter than asking for backdoors). This type of exploit could be used both on the domestic market (to spy on Chinese citizens) and in foreign countries (if the exploit is applicable to other releases). This would also ease the production of counterfeit critical devices (see the FBI warning against counterfeit CISCO routers).

The announced rationale makes no sense. Every security specialist knows that it is impossible to analyze a full source code to find all the security vulnerabilities. If we knew how to do it, we would have more secure products in the field. Hardening a small piece of software is already a complex task, let alone a complete application.

It is more likely that judging the Chinese government on mere intent is legitimate. I doubt that many companies would accept.

Securing Virtual Worlds

Dr Igor Muttik, McAfee Labs, edited a document entitled “Securing Virtual Worlds Against Real Attacks”. The document is interesting. It is very IT-security oriented, in that it works on the traditional problems related to IT in a client-server environment. The only specificity to Virtual Worlds is the fight against cheating applets. Thus, only good advice but nothing revolutionary. In other words, he did not explore the new threats specific to Virtual Worlds (and there are many).

Nevertheless, he gives interesting advice to potential researchers on in-game threats. They will need:

  • better than average knowledge of the environment
  • better access to the environment
  • clearance from the employer to run tests for malware in various gaming environments. This need for clearance applies to any researcher who handles malware.
  • enough demand from customers to justify research and development for such security solutions. For him, the customers are the gamers. This is a typical bias coming from an anti-virus company: the customer is the end user. I believe that the customers are the game editors. If their game is plagued by security flaws, making it not fun to play, then gamers will escape to another world.

Virtual worlds will be under fire from typical malware but also from new threats specific to them. Gamers will request that their favorite virtual world be safe (from the computing environment point of view, not from the game play point of view). There is a need to study these problems with a scope larger than traditional IT security.

Spore: a great game (even with DRM)

Last week, I presented the anti-DRM crusade against the new simulation game Spore. In any case, DRM did not stop me from purchasing it. My personal opinion is that it is a great game (at least as I like them ;-)). Hereafter are some of my first creatures.

The installation requires a connection to the Internet. Without initial registration on the server, the game will not start (this is frustrating when installing in a train 🙁). Once registered, there is no more need for the Internet, or for the genuine disk. Nevertheless, an online connection offers many goodies: the possibility to share creatures, biodiversity on the planet due to creatures from other players, the possibility to post videos of your creatures on YouTube, automatic patch installation.

An 86 MB patch is already available. In theory, it is possible to apply it manually without the official download manager. Nevertheless, I did not succeed. The patch did not find my official Spore version. When patching through the game, it was painless.

A naughty idea of mine: what about issuing an application with a severe known flaw? The patch release would need online registration. Furthermore, the patch would check that the copy protection elements have not been tampered with and are still in place. Of course, it may not please customers. Furthermore, it may not be legal.

A cracked version is already available. It seems to be a good success when looking at the number of seeds and leeches. It works. The crack does bypass the registration phase. Of course, it also provides a key generator. I did not test whether the patch works on it.

Conclusion: the online connection to the Spore server brings so many goodies that maybe Electronic Arts (EA) could have avoided the limitation to three computers. Online real-time checking of uniqueness by the server may have been sufficient. EA will issue another blockbuster next year: The Sims 3. Will EA use the same DRM policy for it?
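As an added example, not code from the original post and not how EA's or RealNetworks' servers actually work, the following Python model contrasts the two server-side policies discussed in this post and in the RealDVD post above: a fixed limit on registered machines (RealDVD's 4, Spore's 3) versus a real-time uniqueness check, where any number of machines may register but only one session per key may be live at a time, enforced with short renewable leases. The license key, machine ids and timestamps are constructed for the demonstration.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class MachineLimitPolicy:
    """Activation-count DRM: a key may be bound to at most max_machines machine ids."""
    max_machines: int
    bindings: dict = field(default_factory=dict)  # key -> set of machine ids

    def activate(self, key: str, machine_id: str) -> bool:
        machines = self.bindings.setdefault(key, set())
        if machine_id in machines:
            return True  # re-activating a known machine is always fine
        if len(machines) >= self.max_machines:
            return False  # a new machine is refused until someone deactivates
        machines.add(machine_id)
        return True

    def deactivate(self, key: str, machine_id: str) -> None:
        self.bindings.get(key, set()).discard(machine_id)


@dataclass
class UniquenessPolicy:
    """Real-time uniqueness: one live session per key, kept alive by heartbeats."""
    lease_seconds: float
    sessions: dict = field(default_factory=dict)  # key -> (machine_id, token, expires_at)

    def start_session(self, key: str, machine_id: str, now: float):
        current = self.sessions.get(key)
        if current is not None and current[2] > now and current[0] != machine_id:
            return None  # another machine is playing with this key right now
        token = secrets.token_hex(16)  # opaque session token; prevents guessing
        self.sessions[key] = (machine_id, token, now + self.lease_seconds)
        return token

    def heartbeat(self, key: str, token: str, now: float) -> bool:
        current = self.sessions.get(key)
        if current is None or current[1] != token or current[2] <= now:
            return False  # unknown, superseded, or expired session
        self.sessions[key] = (current[0], token, now + self.lease_seconds)
        return True


def demo() -> dict:
    """Run both policies over the same constructed scenario and return the outcomes."""
    key = "EXAMPLE-KEY-0001"  # placeholder, not a real license key
    machines = ["laptop", "desktop", "train-netbook", "friend-pc"]  # constructed ids

    # Policy 1: three registered machines, as with Spore's limit.
    limit = MachineLimitPolicy(max_machines=3)
    limit_results = [limit.activate(key, m) for m in machines]
    limit.deactivate(key, "laptop")
    after_deactivation = limit.activate(key, "friend-pc")

    # Policy 2: no machine limit, but only one live session per key.
    uniq = UniquenessPolicy(lease_seconds=60)
    t0 = 1000.0
    tok_laptop = uniq.start_session(key, "laptop", t0)
    blocked = uniq.start_session(key, "desktop", t0 + 10)       # laptop lease still alive
    kept_alive = uniq.heartbeat(key, tok_laptop, t0 + 30)       # renews lease to t0 + 90
    tok_desktop = uniq.start_session(key, "desktop", t0 + 91)   # laptop lease lapsed
    stale = uniq.heartbeat(key, tok_laptop, t0 + 92)            # laptop token superseded

    return {
        "limit_results": limit_results,            # [True, True, True, False]
        "after_deactivation": after_deactivation,  # True
        "blocked": blocked is None,                # True
        "kept_alive": kept_alive,                  # True
        "desktop_started": tok_desktop is not None,  # True
        "stale": stale,                            # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The difference in user experience is the point: under the machine limit the fourth machine is refused even when the other three are switched off, whereas under the uniqueness policy the only thing the server forbids is two machines playing at the same time, and a lapsed lease frees the key automatically. The lease length trades tolerance of short network drops against how quickly a key is released.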