How Tractors and DVDs are Preventing Penetration Tests
Have you ever bought an ebook for a kindle? Or purchased a device from Apple? Ever watched a DVD? Then you’ve participated in something called Digital Rights Management. Well, DRM has been plaguing the cyber security community since its inception.
Here we attempt to understand a little more of the history behind DRM, why it’s so controversial, and how it affects not just the penetration testers and cyber security researchers of the world, but how it affects you: the users, customers, and all-knowing consumers.
How it all started
DRM is a legal and technological tactic to prevent the copying, redistribution, and modification of proprietary intellectual property, in line with DMCA law. It usually involves some kind of encryption technique, along with legal agreements that prohibit certain actions being taken upon a product after sale. It was born out of companies trying to grapple with protection for their intellectual property in the early internet, and took its legal form from the Digital Millennium Copyright Act, or DMCA. You’ve probably seen the letters DMCA littered around the internet, usually in relation to videos being taken off of social media websites.
For example, when you purchase a DVD, you may be legally prohibited from copying its contents to another device, such as a memory stick. The DVD is also encrypted ~~very badly~~ flawlessly, making it ~~uselessly easy~~ impossible for someone to copy the contents of the DVD even if they wanted to. Thus both technological and legal solutions are in place to enforce DRM.
Companies will claim that DRM prevents viruses and copyright theft – piracy. The problem is, none of that is evidenced to be true. In reality, it stifles competition and prevents cyber security professionals from conducting research.
Early problems
Back in the early days of DRM, it was decided that companies should try to encrypt DVDs to ensure they couldn’t be decrypted and copied. Subsequently, DVD players and Windows had to come with the passwords to decrypt DVDs ~~inaccessibly~~ hard-coded into their technology. ‘But how does the DVD player/Windows know which password to use?’ I don’t hear you ask. Well (to simplify it a little) the DVD Copy Control Association boffins decided to encrypt them all with the same password (ish – see: DVD region codes).
This was ~~a huge, preventable mistake~~ all well and good, until those using open-source software realised they also enjoyed ~~watching The Matrix too many times~~ films. Open-source software is, well, open. Anybody can view and understand the code used to create the software, and communities of people build projects to incredible heights (see: Blender 3D animation feature films). Whether you like it or not, your world and the internet around it is almost entirely defined by open-source. The problem is, if you were to program the password to decrypt DVDs into the open-source code used to play them, you’d essentially be offering that password for all to see. The criminals would win and there wouldn’t be a film industry anymore.
Unfortunately, the DVD CCA (Copy Control Association) underestimated to what extent people in the open-source community really do ~~love The Matrix~~ want to support the film industry by buying DVDs. A group of people from that community came up with a program called DeCSS: a way to decrypt DVDs for open-source users. This free software was widely distributed so that many a Linux fan could watch their favourite franchise, which they had purchased on DVD, on their computer.
What the good chaps at DeCSS did was find out the password for DVDs and publish it. Not that hard right? Anyone could do it. Criminals and pirates could do it, fans of open-source could do it. Seems as though CSS (Content Scramble System) was totally useless. But it wasn’t rendered useless by the publishing of the keys. It was useless beforehand – DeCSS proved so.
Illegal numbers
This somewhat irked the Norwegian Government, along with the DVD CCA, and they eventually tried to prosecute a gentleman by the name of Jon Lech Johansen in criminal court for DMCA violation. The modern equivalent of DeCSS is libdvdcss, a library created as part of the VideoLAN project. The problem is that every time you use libdvdcss by watching a legally purchased DVD on Linux, you could be breaking the DMCA.
This whole debacle gave rise to the concept of ‘illegal numbers’. In 2007, a similar incident arose when websites began publishing the DVD decryption key (09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0) for AACS standard DVD encryption. This time, the big companies were on it. They began forcing the websites to take down the key, citing DMCA violation. This being the internet, however, ~~nerds~~ loveable rogues began pushing the boundaries of what could be considered a DMCA violation. Well, maybe the number was a violation, but how about a flag with colours that were represented by each hexadecimal value of the number (see featured image)? How about a t-shirt? How about a tattoo? The options were endless, and in taking a note out of Barbra Streisand’s playbook (see: Streisand effect), the more they pursued it, the more the password was spread.
From DVDs to tractors
Okay, so that’s all well and good; maybe watching DVDs in some cases in some countries is maybe possibly illegal, so what? Well, DRM continues to be a cash cow. In 2014, the enthusiastic lawyers at tractor manufacturer John Deere argued that a farmer couldn’t fix the tractor he bought with his own money, because the farmer didn’t own it. He had just paid a one-time lifetime rental fee for the use of the tractor, but because it contained John Deere’s proprietary software (which was sending terrain data back to JD to be packaged up and ~~sold to private companies~~ used for research), the tractor still belonged to John Deere. Here’s the full filing:
https://copyright.gov/1201/2015/comments-032715/class%2021/John_Deere_Class21_1201_2014.pdf
The problem for cybersecurity
DRM now is an even uglier monster than the ugly monster it was when it originated. And here’s where the cyber security professionals come in. The DMCA and DRM posit that we can’t take apart and understand proprietary technology without breaking contracts and laws, something that is essential for cyber security researchers to do their job. We need to be able to responsibly deconstruct the proprietary intellectual property of other companies without fear of retribution. We need to do this in order to understand how the technology works, find vulnerabilities in processes, and notify the companies to fix and prevent those vulnerabilities. We need to do this in order to keep others safe from cyber crime and malicious actors. While some companies are understanding of this, it is still a huge hurdle for us to overcome. The legal protections for DRM are utterly inadequate in punishing the legitimate criminals. When the DVD AACS password was released, there was no truly significant change in piracy activity. Criminals are not deterred by extremely easily circumventable copyright law. Nor are they deterred by bad cryptography. It is, in almost all cases, only those who operate with legitimate interest who are affected by this.
What next?
While most in the community believe in some kind of abolition and/or modification to DRM, there’s no perfect solution to the problem. I don’t wish to advocate any one particular solution, but rather hope that more people outside of the cyber security sector find themselves informed, and that a conversation can be more constructively had around the challenges of DRM. “Any old donkey can break down a barn, it takes a certain kind to build one.”
Solomon Gilbert is We Fight Fraud’s Head of Cyber. He is in charge of the penetration testing which is an integral part of WFF’s Holistic Threat Assessment.
Read more:
https://www.eff.org/issues/drm
https://www.eff.org/cases/sony-bmg-litigation-info
https://www.eff.org/wp/digital-books-and-your-rights