Copy This! Can 'Military' Technology Beat Digital Piracy?
3/13/2001; 11:05:44 AM
'A small Austin start-up run by intelligence community alums is parachuting into the burgeoning, post-Napster, copy-protection market with a remarkably thin, invisible software product that claims to offer nearly invincible armor for music, video, film and e-books alike....'
'The InTether system consists of a packager, used by the originator of a file, and a receiver, used by the recipient. The packager enables a publisher, record label, movie studio -- or, for that matter, a law firm, doctor's office, bank or anyone else who wants information security -- to impose a set of restrictions on almost any digital file. InTether, Friedman says, works equally well with, for instance, Word, Adobe Acrobat, Lotus or Excel documents, e-books, music, video or photographic files....'
'In response to a detailed e-mail describing how InTether works, encryption expert Bruce Schneier responded dismissively, predicting in a sentence that InTether would fail. Schneier, who is the chief technology officer for Counterpane Internet Security, which provides network security services for businesses, appended a short essay of his, entitled, ''The Futility of Digital Copy Prevention,'' which he apparently believes is sufficient to outline the inherent flaws of all digital-rights management technologies.'
The author of the article seems to think he was too flippant, but Bruce is right. Read the article first, then read the rest of this commentary:
How to Crack InTether
Create a virtual machine, a la VMWare or Plex86 (which is open source, which when working makes this even easier for Joe Hacker). (If you don't know what VMWare does, visit the site. It's an awesome product, and it does everything they say it does.) Install Windows 95 (or actually any functional Windows that InTether supports) in the virtual machine. Install InTether into that copy of Windows. Load up an InTethered file. Copy with impunity using the host operating system's copying abilities.
If it's audio, have the host OS record it. If it's a picture, have the host OS snap a screenshot. If it's a file, heck, pull it directly out of memory. InTether can't do a thing about it, because you can pause the virtual machine entirely, if necessary, and InTether will remain there, frozen in time, while you attack the security with impunity. For video, grab the frames one at a time if necessary, because again, you can pause the VM as needed.
For any difference between the virtual machine and the real thing that Infraworks claims they can detect and thus use to refuse to run, fix the virtual machine so the difference no longer exists (because, by definition, it's a bug in the VM and should be fixed). The difference no longer exists, and thus InTether cannot detect that it is being emulated. This attack cannot be prevented indefinately by InTether; at best, a cat and mouse game will be played with the VM programmer and InTether, which will result in A: The VM being immensely improved and B: InTether eventually running out of exploitable differences.
Esp. after Plex86 becomes really capable, this attack will render InTether useless for the purposes of truly high level security. There is no way InTether can possibly tell that it's being emulated, period, no matter what they may claim, if the emulation is good enough (and it can be made good enough). Bruce was right, he just didn't have the time to crack it on the spot for the reporter (no surprises there; we're all busy). And as we all know, once somebody, anybody, has cracked a file, it can be distributed to anybody.
As for the knowlege level this takes? A large number of OS people could pull this off with impunity, probably any computer science grad student could do it, and certainly any dedicated hacker with actual knowlege of computers (i.e., not script kiddies) could do it. We're not talking black art here; and once Plex86 takes off, we aren't even talking heavy wizardry. If I had the time, inclination, and desire to help fix up Plex86, I think I could do it, pretty much by myself. InTether alone just doesn't raise the bar high enough to protect things as well as they seem to be claiming.