Wednesday, 2 November 2005
J. Alex Halderman has an interesting post today on Ed Felten’s blog about some new music CD DRM (digital rights management) that actually makes your computer less secure. In essence, when the CD is inserted it installs software on your computer which replaces the music with static when someone attempts to ‘rip’ the CD. But it hides the existence of that software, even from the administrator. Even worse, the hiding is not limited to the DRM’s own files: it conceals any file whose name starts with a particular prefix, whoever created it. So it creates a hole that viruses and other nasty things can hide in.
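To make the mechanism concrete, here is an added illustration (not code from the original post, nor from Sony or First4Internet) of how a prefix-based cloak works and why it is a general hiding place rather than a protection for one vendor’s files. The cloak is simulated as a filter over a directory listing; the prefix string and the file names are placeholders constructed for the example, not taken from the page. The second function shows the standard counter-measure, a cross-view comparison: list the same directory through two paths, one the cloak intercepts and one it does not, and anything that appears only in the unfiltered view has been hidden.

```python
"""Simulation of a prefix-based file cloak and cross-view detection.

Added example; nothing here touches a real filesystem or driver.
"""

# ASSUMPTION: placeholder prefix. The post only says files starting with
# "a particular set of symbols" are hidden; the real string is not on the page.
CLOAK_PREFIX = "$hidden$"

# Constructed sample listing (no real files). The DRM's own component and an
# unrelated piece of malware both use the prefix, so both will be cloaked.
RAW_LISTING = [
    "notepad.exe",
    "$hidden$drm_filter.sys",   # the DRM's own hidden component
    "$hidden$keylogger.dll",    # unrelated malware borrowing the cloak
    "report.doc",
]


def cloaked_view(entries, prefix=CLOAK_PREFIX):
    """What a user or administrator tool sees once the cloak filters the
    enumeration: every name starting with the prefix is dropped, no matter
    who created the file. This is the hole the post describes."""
    return [name for name in entries if not name.startswith(prefix)]


def cross_view_diff(high_level, low_level):
    """Cross-view detection: compare a listing obtained through the hooked,
    high-level path against one obtained through a lower-level path the hook
    does not cover. Names present only in the low-level view are hidden."""
    return sorted(set(low_level) - set(high_level))


def cloak_abuse_candidates(hidden_names, vendor_files):
    """Hidden entries that are not part of the vendor's own declared file set
    are candidates for third-party abuse of the cloak."""
    return [name for name in hidden_names if name not in vendor_files]


if __name__ == "__main__":
    visible = cloaked_view(RAW_LISTING)
    hidden = cross_view_diff(visible, RAW_LISTING)
    print("visible to admin tools:", visible)
    print("revealed by cross-view:", hidden)
    print("not the vendor's own:  ",
          cloak_abuse_candidates(hidden, {"$hidden$drm_filter.sys"}))
```

The point the simulation makes is the one in the paragraph above: the cloak keys only on the name prefix, so it cannot distinguish the vendor’s files from anyone else’s, and the only way to see what it hides is to enumerate by a path it does not intercept.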
There are plenty of provisions in Australian criminal law that ban unauthorised access to or modification of data on a computer, particularly where the person doing the modification is reckless as to whether the modification will impair the ‘reliability, security or operation’ of data on the computer. However, all those offences have a requirement that the modification be unauthorised. This DRM installs itself when you put a copy-protected CD in your computer. If there is something in the fine print which says that the computer user gives permission for copy protection software to be installed on their computer, is that ‘authorisation’?
Update: Bleeding Edge has more commentary on this issue. If you’re technically minded, go to the original discussion here.
Update 3 November: CNet has a fairly detailed story, that suggests, among other things, that:
1. The risk to the computer is largely theoretical, and
2. The technology used by the company involved has moved on (ie, this technology was only used on some CDs).
But see Ed Felten’s response here, rebutting some claims in the story.
Obviously, I’m not expert enough to know who is right on the technology here. But I think the legal issues raised in the comments both on this blog, and on Weatherall’s Law are real: just how detailed – and prominent – must ‘authorisation’ in a EULA be, in order to allow a company to install hidden software on your computer, particularly software that might in some circumstances make the computer less secure? If the software did lead to some security breach, could Sony (or First4Internet, developers of the technology) be liable?
Ed Felten has some commentary on the EULA itself, for those interested in following this up.
And here’s another thought. The current LACA inquiry is all about what protection TPMs (technological protection measures, in the copyright sense) should get. All these legal questions raise the opposite question – what protection should we get from TPMs? This issue is explored in Kerr et al.’s paper on TPMs, which I recommend.
Update 4 November: via Copyfight – the debate is still going over at Felten’s blog.
5 Responses to “Evil and nasty DRM that makes your computer less secure (updated 3 and 4 November)”
November 2nd, 2005 at 8:32 am
But is it enough authorisation? Is EULA agreement absolute in law, or is it reasonable to say: “I checked the fine print quickly and saw that there is copy-protection, but didn’t think it would be any different to other CDs with DRM. Now I have unwanted software creating a security problem for my system.” ?
I guess it depends on how the fine print is worded. I expect it would say that software will be installed, but not describe much about the workings that caused the concern in the article.
November 3rd, 2005 at 7:50 am
[…] 2 November 2005 Evil and nasty DRM that makes your computer less secure (updated 3 November) […]
November 3rd, 2005 at 2:22 pm
On the authorisation issue, but from a slightly different perspective, Australian readers in particular might want to check out the Spyware Bill 2005 [Senator Brian Greig (Australian Democrats, Western Australia)] for analogies. This is directed against so-called spyware and adware tracking the behaviour and identifying information of unknowing computer users & tries to codify consent and authorisation requirements in that context. But I think you could drive a truck through some of its definitions & approaches. It is of course also unlikely to actually see the light of day (in terms of becoming legislation).
November 12th, 2005 at 1:35 pm
[…] I see that matters have developed quickly in the Sony DRM story that I blogged about earlier. We’ve had a lawsuit filed, viruses developed that take advantage of the Sony rootkit system, instructions proliferating on how to remove the RootKit, and some warnings from US Government officials directed at Sony and others who do this kind of thing. Moreinfo, plus links, plus some thoughts on the legal issues, over the fold. […]