Monday, August 20, 2007

Hacker Unlocks Microsoft's DRM Platform

Underlying the attack on Microsoft's Digital Rights Management (DRM) technology is the belief among members of the multimedia underground that they should have the ability to back up copyrighted media files that they have purchased in the event of a primary system malfunction. Microsoft, however, may see this as an open door to pirates and unlimited P2P sharing.

A member of the Doom9 Forum known only as "Divine Tao" claims to have defeated Microsoft's Digital Rights Management (DRM) platform for securing the distribution of digital media files over the Internet. According to other Forum members who have already downloaded it, the new utility program for PCs running Windows XP and Vista not only works wonderfully but can even run on Microsoft's Zune player.

Divine Tao's exploitation of a chink in Microsoft's armor merely represents the latest clash between the software giant and members of the multimedia underground who believe they have the right to store archival copies of the copyrighted multimedia files they purchase in the event that their hard disks ever crash.

However, the same technology can also be used to illegally copy and distribute copyrighted programs for free. That potential for piracy is of grave concern to multimedia content vendors who depend on Microsoft's DRM platform to ensure that only those who pay for the privilege can download the multimedia files they offer.

Undermining Confidence

Though it is always dismaying when an attack occurs, the cracking of Microsoft's DRM platform is hardly the end of the world, according to one long-time Microsoft observer.

"Security overall is an ongoing battle and no one can ever declare total victory or relax their vigilance," Yankee Group research fellow Laura DiDio explained. In terms of their numbers and the time they can devote, there are more hackers than a security team even as large as Microsoft's can deal with, she continued.

"It's just a fact of 21st century computer life, because nothing is hack-proof," said DiDio. "Microsoft just has to address the issue as fast as they can."

Growing Importance

"It's been a real cat and mouse game of late" between the hackers and Microsoft "and it's enough to give companies cause for pause," noted Jim Murphy, research director for content management at AMR Research.

"Enterprises are deciding right now which DRM approach they will take" for securing their documents and intellectual property, Murphy explained. But given that so many of them have already made an investment in Windows -- "and Office remains their lingua franca" -- coming to terms with Microsoft's DRM platform "is all but unavoidable in one way or another," Murphy said.

"There is no DRM system that is completely invulnerable to attack," Murphy added. "The question is: How will Microsoft stay on top of it and rectify the issues that come up?"

One possible solution suggested by Murphy would be to deal with DRM hacks in much the same ongoing way that antivirus software vendors now handle the onslaught of new viruses. This would involve "the ability to update the DRM platform on the fly by keeping a database of hacks and then patching as quickly as possible," Murphy explained.

Though it won't be easy to implement in comparison to how most antivirus offerings currently function, Murphy said he sees the need for DRM platforms that can not only update an enterprise's server software, but also protect sensitive enterprise documents after they have been disconnected from a company's IT network.

An Ongoing Battle

Divine Tao's new upload to the Doom9 Forum is actually an update to a utility first posted by Forum member 'Viodentia' way back in April of 2006, after which Microsoft was forced to release two patches as a quick fix. However, Viodentia quickly broke the software giant's fixes.

Microsoft subsequently went to court, but was later forced to drop its lawsuit given that the software giant had been unable to identify or locate the utility's author.

"Lacking the source code to the extant programs, I can only offer this output of my own efforts," wrote Divine Tao in the hacker's initial posting at the Doom9 Forum. This is an apparent reference to Microsoft's prior claims that the source code for its DRM platform had been illegally accessed by a company insider.