computers & security 25 (2006) 1 – 2
available at www.sciencedirect.com
journal homepage: www.elsevier.com/locate/cose
From the Editor-in-Chief
Dilemmas and boundaries of digital rights management
The issue of digital rights management (DRM) has once again flared up, this time in connection with Sony’s BMG Entertainment CDs with DRM measures designed to force Windows users to play tracks using only a particular version of Media Player. Playing these CDs results in installation of special code that restricts how many digital copies can be made, but this code also creates a clandestine directory structure with hidden files. Attempting to remove these files or to delete the directories has caused damage to systems and data stored within. Deleting files within these directories has in fact in some cases damaged systems to the point that they had to be rebuilt. “Luckier” users have escaped only with damage to their systems’ CD-ROMs. Mark Russinovich, a security researcher who runs the popular sysinternals.com site, labeled Sony’s code a “rootkit,” a term that normally refers to a malicious tool installed on compromised systems that masks the presence of intruders. A rootkit generally hides all files that the intruder has created, all processes that run on behalf of the intruder, and all audit log entries related to the intruder’s actions. Not to be outdone, soon afterwards Computer Associates labeled Sony’s code spyware, something that this company’s antispyware tool now looks for and attempts to delete. As if negative publicity were not enough, legal complications soon followed. Multiple class action lawsuits filed against Sony petition that Sony be ordered to cease manufacturing of such CDs and also that damages be awarded to those who purchased these CDs. The Association for Freedom in Electronic Interactive Communications-Electronic Frontiers Italy (ALCEI-EFI) has complained about Sony’s software to Italy’s computer crime investigation force. According to the ALCEI-EFI, Sony’s code breaks numerous Italian statutes in that it damages systems and acts maliciously in other ways.
Additionally, ALCEI-EFI has requested that the European Union look into this matter. Other legal actions against Sony have also been initiated; yet more will undoubtedly surface in the near future. Sony has not stood by idly. Initially this company created and distributed a patch that makes the previously hidden files visible. Problems with the patch, some of which could result in data loss, emerged shortly afterwards. Then perpetrators soon learned how to hide malicious code that they had installed on systems running Sony’s DRM code. The Breplibot Trojan program, for example, capitalizes on the feature in Sony’s code that hides any file name that begins with “$sys$.” Others have used features of this code to hide programs that cheat during online gambling. Sony soon agreed to cease installing this code on systems on which Sony entertainment CDs are played. Unfortunately for Sony, however, the negative repercussions from this company’s having introduced this code in the first place are not likely to cease any time soon. Sony has for all practical purposes admitted that it made a mistake, but where does that leave us? On one hand, we see an entertainment industry giant trying to do what it can to stop the constant stream of piracy. Piracy unjustly costs not only the entertainment industry, but also the software industry an untold amount of revenue lost every year. I, for one, cannot blame Sony or any other major piracy victim for initiating new measures designed to stop or at least considerably slow down the incessant problem of piracy. The choice of the measures used is, however, a critical consideration: the ends do not justify the means. Sony’s DRM code clearly crossed the line of reasonableness. This company was not the first vendor to implement an unpalatable anti-piracy protection measure, however. What caught the computing world’s attention this time was the fact that a vendor had introduced software with functions that from a user’s point of view represented a complete “zero sum” game with the vendor being the undisputed winner and the customer being the clear loser; this software, after all, could and did cause damage, some of it severe. Additionally, the inflammatory rhetoric that surfaced soon after Sony introduced this software fanned what could be described as a medium-sized flame into a conflagration. The entertainment and software industries will continue to devise solutions for the piracy problem.
Hopefully, the recent experience with Sony’s DRM software will result in “lessons learned” that will steer these solutions towards greater reasonableness. The user community as a whole should not, after all, be punished for the actions of relatively few unscrupulous individuals. At the same time, however, it is important to view the piracy problem from as broad a perspective as possible. Consider, for example, the role of law enforcement in the fight against piracy. Sufficient anti-piracy legislation is already in place in the European Union, Australia, the US, and other places. Enforcement of the provisions of this legislation is, however, an entirely different matter. It seems rather tragic to me that the entertainment and software industries have virtually been forced to attempt to enforce measures that appear to be well within the domain of law enforcement. Why is law enforcement not making a bigger impact in the war against piracy? If better law enforcement efforts were to occur, I suspect that the entertainment and software industries would be far less tempted to implement measures as drastic as Sony’s DRM code.
E. Eugene Schultz, Ph.D., CISSP, CISM
E-mail address: [email protected]
10 December 2005
0167-4048/$ – see front matter © 2005 Elsevier Ltd. All rights reserved.
doi:10.1016/j.cose.2005.12.002