Our Proposals to Stop Digital Rights Management Preventing Penetration Testing
Following on from our article on how Digital Rights Management (DRM) is hampering pen testing, we’ve been asked what we think could help the situation.
It’s very easy to assume that we’re all doomed with DRM, but there are some positive things that can be done to change things. The first thing on the list is to SUPPORT THE ELECTRONIC FRONTIER FOUNDATION!!! They are fighting a crucial battle. And there are plenty of other resources we can draw upon to help us fight for our ownership.
There’s sadly no perfect answer to any of this, but here’s what We Fight Fraud proposes:
- Recognise that there is indeed a problem. DRM abuses have gotten a lot better than they were, but it’s still not changing as quickly as it could be. Companies need to understand that rights restrictions do exactly that: restrict. Being able to prove the monetary worth attached to the security research and development community is hard, but if we can show companies the benefits of a strong development community, I believe we can make a strong argument against the indefinite leasing model currently provided.
- Reduce the size of the target. Essentially the argument here is that the more you try to double down on ineffective legal blockades, the more you’re telling people that what you’re protecting is worth breaking into. It’s in a similar vein to the Streisand effect; as soon as you tell a security professional not to do something, they’re going to REALLY want to do it, and they’ll find any way to make it possible.
- Don’t underestimate people’s tendency to want to break things and make things. Security professionals are especially curious, and most of them learned their craft by finding everything they possibly could to take apart and re-build into something else. Instead of vilifying that process, demonstrate a willingness to accept and develop it. You’ll end up in a lot of people’s good books that way.
- Consider open-source. The open-source world is bountiful and plentiful. Consider opening up your code for the curiously minded. There are many, many success stories in open-source, and not many failures. Sure, it may lead to some people using your code for the wrong reasons, but that’s far outweighed by the good of constant security checking, quick fixes, and loyal consumers/developers.
Solomon Gilbert is We Fight Fraud’s Head of Cyber. He is in charge of penetration testing, which is an integral part of WFF’s Holistic Threat Assessment.