Microsoft grapples with mystery DRM cracker
27-09-2006
by Silicon.com

Microsoft has filed a federal lawsuit against an alleged hacker who broke through its copy protection technology, charging that the mystery developer somehow gained access to its copyrighted source code.

For more than a month, Redmond has been combating a program released online called FairUse4WM, which successfully stripped anti-copying guards from songs downloaded through subscription media services such as Napster or Yahoo Music.

Microsoft has released two successive patches aimed at disabling the tool. The first worked but the hacker, known only by the pseudonym "Viodentia", quickly found a way around the update, the company alleges. Now it says this was because the hacker had apparently gained access to copyrighted source code unavailable to previous generations of would-be crackers.

Bonnie MacNaughton, a senior attorney in Microsoft's legal and corporate affairs division, said: "Our own intellectual property was stolen from us and used to create this tool. They obviously had a leg up on any of the other hackers that might be creating circumvention tools from scratch."

This latest round of copy-protection headaches comes at a delicate time for Microsoft. In a few months, the company plans to launch its own digital music subscription service, called "Zune", paired with an iPod device rival of the same name. The package will compete with services from Microsoft's traditional partners, such as Napster and Yahoo.

The Zune service and device will use Microsoft's own flavour of digital rights management, and this will not be directly compatible with Microsoft's partners' products, despite being based on the same Windows Media technology. The company is taking great pains to assure its partners that their PlaysForSure-branded products are still state of the art.

At the moment, Microsoft is taking a two-pronged technical and legal approach to FairUse4WM that goes beyond the scope of its earlier DRM battles.

On the technical side, it is pursuing much the same strategy as in the past: studying the hacker's tool and trying to update its Windows Media technology to block it.

Indeed, the company's Windows Media copy protection technology was designed from the start to support swift updates that would address inevitable cracks. That has long been part of the technology's draw for record labels and movie studios, which are fearful that content protection flaws will lead to films and music being swapped freely online.

Microsoft's copy protection has been cracked before and then quickly fixed. Company representatives said the FairUse4WM tool, despite its developer's success in breaking through the company's first patch, is simply triggering the same kind of security review that has happened in the past.

Marcus Matthias, a senior product manager at Microsoft, said: "This particular circumvention doesn't change that reality at all, or affect the underpinnings of the system. This is not quite as 'cat and mouse' as some people might have you believe."

The crack's unusual longevity has caused ripples of worry inside the digital media community, however. One service provider, the British network BSkyB, even temporarily cancelled movie downloads.

Representatives from other services say Microsoft's previous rights-management security updates have been successful and expect this effort ultimately to be no different.

However, the federal "John Doe" lawsuit, along with "dozens" of legal letters sent to internet sites that are hosting the allegedly copyright-infringing tool, is a decidedly different tack for Microsoft.

The copyright lawsuit was filed in Seattle federal court last Friday, without a name attached. Just as in the recording industry's many lawsuits against accused file swappers, it targets an unknown individual or individuals, whose true identity will be sought in the course of the case.

For now, that means going to the internet service providers for websites where the original FairUse4WM tool was released, in hopes of tracking down an IP address or other digital traces that might lead to the developer, Microsoft's MacNaughton said.

Microsoft is also contacting other websites that have posted the FairUse4WM tool, asking them to remove the software, on the grounds it contains copyrighted company code.

Company representatives declined to speculate on exactly how "Viodentia" gained access to copyrighted source code. The code in question is part of a Windows Media software development kit but is not easily accessible to anyone with a copy of that toolkit, Microsoft said.

So far, little is known about the developer, who has used the pseudonym "Viodentia" in several online postings at a site called Doom9.org. "Viodentia" could not immediately be reached for comment.

After spending an unaccustomed month of grappling with the problem, Microsoft representatives stopped short of promising their latest Windows Media update will be impregnable -- although, certainly, the hope is that a third patch won't be needed.

Analysts say "Viodentia" hasn't proved Microsoft's DRM tools are fundamentally flawed but has shown that the business of keeping it, or any rights management system, secure is increasingly becoming a full-time job.

GartnerG2 analyst Michael McGuire said: "Any DRM out there is going to be cracked. More important is how the technology service reacts. Someone has to be keeping an eye online all the time now, looking for the next time."

John Borland writes for CNET News.com.

Reprinted with permission from Silicon.com