Microsoft's digital rights management (DRM) may have implications for security professionals.
By Scott Granneman Jun 04 2003 09:45AM PT
But the physical difficulty of meeting was enormous. It was like trying to make a move at chess when you were already mated. Whichever way you turned, the telescreen faced you. (George Orwell's 1984)
DRM: Digital Rights Management. Or, as some prefer to call it, Digital Restrictions Management. Basically, the idea is that the creators, and/or owners, of digital content - a song, a video, a document, even an email - should be able to dictate how that content is used and who can use it. It's an issue that security pros need to be intimately familiar with.
In February, Microsoft announced that it is getting into the DRM business. In typical Microsoft fashion, they'll cover everything. Your servers: Windows Rights Management Services (RMS). Your workstations: Windows Rights Management client. Your Web browser: Rights Management Add-On for Internet Explorer. Your CDs, movie files, and MP3s: Windows Media DRM. Your Office suite: IRM, or Information Rights Management, for Word, Excel, PowerPoint, and Outlook. It's all covered. Covered like a carpet bombing.
...the very media companies interested in using DRM are the same companies who seek to deny consumers fair use rights.
The telescreen received and transmitted simultaneously. ... There was of course no way of knowing whether you were being watched at any given moment. How often, or on what system, the Thought Police plugged in on any individual wire was guesswork. ... You had to live - did live, from habit that became instinct - in the assumption that every sound you made was overheard, and, except in darkness, every movement scrutinized.
So how does it work? Let's say you're using Word 2003, part of Office 2003 (you have to be using Office 2003, the newest release), to create a document called "Super Secret.doc". There's a new button labeled "Permissions". You click the button and indicate that you want Ben to be able to read "Super Secret.doc", but not print or copy it, and you want Denise to have the same permissions, except that she only has 48 hours to view the document before it self-destructs. Your boss, Jerry, can read, print, and copy "Super Secret.doc" all he wants.
Now your copy of Office 2003 connects to the RMS server. The RMS server issues a license certificate that details your specified permissions, attaches that information to the Word doc, and then encrypts it. At that point, you can also save your document not just in its native Word format, but also as a Web page that you can post on your company intranet as an HTML document that ends not with the typical ".htm" or ".html" extension, but with ".rmh" instead.
After setting up your document permissions, you decide to email it to Ben, Denise, and Jerry. You open Outlook 2003 and create an email. Using the new "Permissions" button, you specify that Ben can read the email, but cannot forward, print, or copy it. Denise gets the same treatment. Jerry, your boss, can once again do whatever he wants. You attach "Super Secret.doc" to your email, and also mention the new intranet page with the same information. You hit "Send" and off it goes.
Everything is copacetic for Ben. He has Office 2003 with IRM installed, and already has the Windows Rights Management client on his Windows XP PC. He clicks on the email to open it. Outlook 2003 checks over the Local Area Network with the RMS server to verify that Ben has the right to view the email, and to find out what rights he possesses vis-a-vis the email. He can now read the email, so he double-clicks the attachment to open it. Word 2003 checks over the LAN with the RMS server to verify that Ben has the right to view the document, and to find out what rights he possesses vis-a-vis the document. "Secret Stuff.doc" is now decrypted, so Ben can now read the document, but he can't print or copy it.
Things don't go quite as smoothly for Denise, who works at home. She's running Office XP, which doesn't work at this time with IRM. So she buys Office 2003. After installing it, she tries to open the email in Outlook. Unfortunately, she doesn't have Windows Rights Managment client installed. She finds it at microsoft.com, downloads, and installs it. Now Outlook knows what to do: connect over the Internet to the RMS server and verify her rights. However, she has trouble connecting to the corporate RMS server over the Internet. Something about a routing issue. Since Outlook (or Word) can't connect to the RMS server, she can't open the document. She calls you to complain. "Use the Web page I put up," you reply, "The one that ends in '.rmh'." Unfortunately, Denise likes Mozilla, and Mozilla doesn't have a Rights Management Add-On. She fires up Internet Explorer and tries to view the content. Nope. She doesn't have the Rights Managment Add-On installed. She goes to Microsoft's site, finds the Add-On, and installs it. Finally! She should be able to see that &[EMAIL PROTECTED] document! She connects to the Web page using IE with the Rights Management Add-On, it authenticates and verifies her, and ... oh, too bad! Her 48 hours are up! She no longer has any rights to view the document. Now that's security!
A couple more points about how Microsoft's DRM system works. If you're in a corporate environment and want to use and manage your own RMS server, you also need to use Microsoft's Active Directory, as it is the component that manages authentication. If you're a consumer or small business who doesn't need (or can't afford) RMS server, you can use a free service from Microsoft. Of course, Microsoft Passport is required, and we all know how safe that is. Finally, Microsoft's RMS server tracks how many times you've looked at every Word document - and every Excel spreadsheet, every email, and every ".rmh" Web page - and what you've done with it. The privacy implications are obvious.
And those are Microsoft's plans for DRM.
Big Brother is infallible and all-powerful. ... Nobody has ever seen Big Brother. He is a face on the hoardings, a voice on the telescreen.
There are problems with Microsoft's DRM scheme that should worry security professionals. First, the system will further lock in companies to Microsoft. It may be hard for companies to switch now from Microsoft Office, but they can. But once important data has been locked up in encyrpted files that require Microsoft servers to decrypt them, it will be virtually impossible for a company to leave Microsoft behind.
Of course, that is moot if Microsoft's brand of DRM doesn't work. Let's assume that the encryption is super strong. That still doesn't mean the system is going to work. As Professor Edward Felten points out, "unbreakable codes don't make unbreakable DRM". Why? It's simple: no DRM method can provide end-to-end protection. At the beginning, before the DRM is applied, the file can be copied, forwarded, or printed. At the end of the process, the file must be decrypted in order to use it. At the point at which someone views the file, it's open in some way. So take a screenshot. Or use VNC or PC Anywhere to take a screenshot from another machine. On top of that, surely Microsoft will provide an override; otherwise, what happens if the RMS server crashes and isn't backed up? Or someone forgets a password? Once that override is discovered and publicized, all bets are off.
But let's assume it works. A bigger question involves the real users of Microsoft's DRM. Is your typical consumer or small business going to need DRM? I would wager that they do not. But Microsoft claims that the use of its DRM by conpanies will actually benefit end users. On Microsoft's site, we are assured that "Digital distribution offers consumers a convenient way to access their favorite content at any time. Also, the DRM licensing scheme protects consumers from inadvertently pirating a file." Note how Microsoft is pitching its DRM: as a way for consumers to acquire media content. But the very media companies interested in using DRM are the same companies who seek to deny consumers fair use rights (the legal right to make a backup copy), first sale rights (the right to resell something you have purchased), and the public interest (if it inhibits corporate interests, too bad - it's gone). Who else is going to use DRM? Governments interested in hiding secrets, including, of course, the USA. Pharmeceutical companies interested in locking up their medicines under patents. And, of course, people and organizations with criminal or even terrorist intent.
Microsoft swears that it "has heard from customers that they need new ways to control how their digital information is used and distributed". To this I answer, rely on current laws and current managerial practices. If I steal your documents, you can prosecute me. If I work for your company and abuse your trust, you can demote me, fire me, or sue me. The imposition of additional technology in order to protect documents seems unnecessary and actually dangerous.
And that's the big problem I have with Microsoft's DRM: it has great potential for unintended consequences. It can become a tool for the bad guys while also stopping the good guys - like whistleblowers. Daniel Ellsberg photocopied the famous Pentagon Papers detailing the true extent of America's involvement in Vietnam and sent them to The New York Times, where they were published. Cynthia Cooper, Vice President of Internal Audit at WorldCom, didn't believe Arthur Andersen was performing its job in an ethical manner, so she and her team performed a secret re-audit. Time Magazine reports that "one of Cooper's employees bought a CD burner and started copying data, concerned that the information might be destroyed before they could finish". Thanks to Cooper and her team, the world found out about the WorldCom's illegalities.
Microsoft's DRM would have made those heroic actions impossible, and there are plenty of other examples. Is this the world that security professionals want to help usher in? One in which companies can further diminish the rights of consumers, in which governments and businesses can better hide their wrongs, in which your every action with a document or Web page is controlled and tracked, and in which Microsoft gains even more control over computer users? As for me, I know which side I'm on. How about you?
He thought of the telescreen with its never-sleeping ear. They could spy upon you night and day, but if you kept your head you could still outwit them. With all their cleverness they had never mastered the secret of finding out what another human being was thinking.
Related Readings http://www.securityfocus.com/columnists/165
