
Legal Challenges in Security Research

J. Alex Halderman

Center for Information Technology Policy
Department of Computer Science
Princeton University


Part 1 — CD DRM


CD DRM

CD Players: Plays normally

Computers: Restricted use, e.g.
• Can’t copy disc
• Can’t rip as MP3
• Can’t use on iPod


Why Study CD DRM?

• Add to practical knowledge of DRM design
What works well in practice? What tends to break?

• Independently critique deployed systems
Strengths and weaknesses? Prospects for success?

• Assess dangers to users’ security and privacy
Phoning home? Vulnerability to attacks?

Who wants to know?
Record companies, musicians, investors, policy makers, music buyers, researchers


The DMCA

Prohibits:

• “circumvent[ing] a technological measure that effectively controls access to a work”

• distributing “any technology, product, service, device, component, or part thereof” primarily intended to circumvent an effective TPM

Extremely limited security testing and encryption research exemptions not applicable here.

— Digital Millennium Copyright Act [17 U.S.C. 1201]


EULAs

“You will not reverse engineer, decompile, disassemble or otherwise tamper with or modify the [copy protection software]”

“You will comply with and will not circumvent or attempt to circumvent the [copy protection] or any technology designed to enforce the [copy protection]”

— SonyBMG End User License Agreement


SunnComm MediaMax (2003)

“[An outside testing firm] determined that none of the ripper programs used in the testing process was able to produce a usable unauthorized copy of the protected CD yielding a verifiable and commendable level of security for the SunnComm product.”

— SunnComm Press Release


Security Analysis of MediaMax

First time a protected CD is inserted…
Autorun (normal Windows feature) installs a copy protection driver between CD drive and applications

When a user tries to rip or copy a disc…
Driver blocks access to audio

A major undisclosed design defect:
Users can disable AutoRun by holding the “shift” key

[Diagram labels: Ripper/copier application, OS, Protection driver, CD drive]


“… Halderman and Princeton University have significantly damaged SunnComm’s reputation and caused the market value of SunnComm to drop by more than $10 million.”

“… Halderman has violated the Digital Millennium Copyright Act (DMCA) by disclosing unpublished MediaMax management files placed on a user's computer … SunnComm intends to refer this possible felony to authorities having jurisdiction over these matters…”

“SunnComm believes that the author’s report was ‘disseminated in a manner which facilitates infringement’ in violation of the DMCA or other applicable law.”

“The act of publishing instructions under the cloak of ‘academic research’ showing how to defeat MediaMax such as those instructions found in Halderman's report is, at best, duplicitous and, at worst, a felony.”

“SunnComm … intends to take legal action”

— SunnComm Press Release


The SonyBMG Episode (2005)

Mark Russinovich
October 31, 2005


Sony Rootkit Vulnerability

Privilege escalation attack

– Hidden objects not limited to copy protection software

– Malware unable to install its own rootkit can utilize Sony’s

– Use to hide from virus checkers, admin tools

Exploits found in wild
Backdoor.Ryknos.B
Trojan.Welomoch


I Felt the Chill


MediaMax Vulnerability

13+ MB installed before EULA screen

Access permissions set incorrectly

An unprivileged attacker can exploit this error to run with administrative access when a CD is inserted


CD DRM as Spyware

Sony’s CD DRM systems:
• “Phone home” about each title played despite privacy statement to the contrary
• Ship without a meaningful uninstaller
• Install without consent or exceed consent

Spyware is hard to define, but these meet most common definitions.


Sony CD DRM Uninstallers

“Oops! ... I did it again”


“Most people, I think, don't even know what a Rootkit is, so why should they care about it?”

— Thomas Hesse, President, Sony BMG Global Digital Business

“It’s very important to remember that it’s your intellectual property — it’s not your computer. And in the pursuit of protection of intellectual property, it’s important not to defeat or undermine the security measures that people need to adopt in these days.”

— Stewart Baker, Asst. U.S. Secretary of Homeland Security


Scientist / Attorney Ratio

Two Researchers
Eight Lawyers (actual lawyers not pictured)


Aftermath

Rootkit discs recalled
…but still in many stores and CD collections

Major class-action suits filed, settled
Customers can trade discs for cash, MP3 downloads, and non-DRM versions

Sony won’t use CD DRM, for now


Hope for Copyright Reform

H.R. 1201: Digital Media Consumers Rights Act (Rick Boucher, D-VA)

• Requires labeling for DRMed CDs

• Adds new DMCA exemptions:

– persons “acting solely in furtherance of scientific research into technological measures”

– circumventing TPMs “in order to obtain access to the work for purposes of making noninfringing use”

• Codifies the Sony “capable of substantial non-infringing uses” test for secondary liability


Part 2 — E-Voting


2000 Recount Debacle

Legislative response:

Help America Vote Act

Provided $3.9 billion to states to upgrade voting machines by November 2006


DREs to the Rescue?

Direct Recording Electronic – Store votes in internal memory


DREs are Computers

Bugs

Rootkits

Viruses

Attacks


The Diebold AccuVote-TS


Diebold’s History of Secrecy

• Uses NDAs to prevent states from allowing independent security audits

• Source code leaked in 2003, researchers at Johns Hopkins found major flaws
Diebold responded with vague legal threats, personal attacks

• Internal emails leaked in 2003 reveal poor security practices by developers
Diebold tried to suppress sites with DMCA letters
(Several sites successfully sue for misrepresentation of copyright)


We Get a Machine (2006)

Obtained legally from an anonymous private party

Software is 2002 version, but certified and used in actual elections

First complete, public, independent security audit of a DRE


Our Findings

• Malicious software running on the machine can steal votes undetectably, altering all backups and logs

• Anyone with physical access to the machine or memory card can install malicious code in as little as one minute

• Malicious code can spread automatically and silently from machine to machine in the form of a voting machine virus


Video Demonstration


Low-Tech vs. High-Tech

Paper Ballots
Low-cost cheating (ballot stuffing)
Small scale tampering (individual precincts)

Electronic Voting
High-cost cheating (viral attacks)
Large scale tampering (counties or states)

Leverage these complementary failure modes for greater security.


Paper to the Rescue

Voter-Verified Paper Audit Trails (VVPAT)

• DRE prints a paper ballot, voter verifies and places in a ballot box

• At a few random precincts, paper ballots counted to ensure machine totals are accurate

• If discrepancies found, paper ballots can be counted more widely
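
The audit procedure on this slide, written out as an added example that is not part of the talk: precincts are drawn from a published seed, hand-counted paper is compared with machine totals, and any mismatch triggers the wider count. It goes one step beyond the slide by computing the chance that a random sample includes at least one altered precinct. All precinct numbers, vote counts, the seed and the function names are constructed for illustration.

```python
import random
from math import comb

def select_precincts(precinct_ids, fraction, seed):
    """Choose the precincts to hand-count from a publicly announced seed."""
    ids = sorted(precinct_ids)
    k = max(1, round(len(ids) * fraction))
    return sorted(random.Random(seed).sample(ids, k))

def audit(machine_totals, paper_counts, audited):
    """Compare machine totals with hand-counted paper in the audited precincts."""
    discrepancies = []
    for pid in audited:
        machine, paper = machine_totals[pid], paper_counts[pid]
        for candidate in sorted(set(machine) | set(paper)):
            m, p = machine.get(candidate, 0), paper.get(candidate, 0)
            if m != p:
                discrepancies.append((pid, candidate, m, p))
    # Any mismatch triggers the wider paper count described on the slide.
    return {"audited": list(audited), "discrepancies": discrepancies,
            "escalate": bool(discrepancies)}

def detection_probability(n_precincts, n_tampered, n_audited):
    """P(at least one tampered precinct is sampled), drawing without replacement."""
    if n_tampered == 0:
        return 0.0
    missed = comb(n_precincts - n_tampered, n_audited)
    return 1 - missed / comb(n_precincts, n_audited)

# Constructed sample data: 50 precincts, with the paper record as ground truth.
PAPER = {p: {"George": 60, "Benedict": 40} for p in range(1, 51)}
MACHINE = {p: dict(v) for p, v in PAPER.items()}
for p in (7, 19, 33, 41, 48):  # constructed tampering: 10 votes moved per precinct
    MACHINE[p] = {"George": 50, "Benedict": 50}

if __name__ == "__main__":
    chosen = select_precincts(PAPER, fraction=0.02, seed=20061107)
    result = audit(MACHINE, PAPER, chosen)
    print("audited:", chosen, "escalate:", result["escalate"])
    for k in (1, 5, 15):
        print(k, "precincts audited ->", round(detection_probability(50, 5, k), 3))
```

With only one of 50 precincts sampled, five altered precincts are caught 10% of the time, which is why the sample size and the escalation rule matter as much as the paper record itself.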


Proposed Legislation

H.R. 550: Voter Confidence and Increased Accessibility Act (Rush Holt, D-NJ)

• Amends HAVA to require VVPATs
– Paper ballots would be the official record
– Random manual recounts in 2% of precincts

• Opens voting software and source code to public inspection

• Additional $150 million for states


Final Thoughts

• Security research remains a risky business where chilling effects are widely felt

• Legal uncertainty adds cost and delay, harming users of insecure systems

• Legal changes (e.g. DMCA reform) would be a major boon

• Pro bono legal help makes research possible — Thank you!


Legal Challenges to Security Research

J. Alex Halderman

Center for Information Technology Policy
Department of Computer Science
Princeton University

http://itpolicy.princeton.edu


Research in the Blogosphere


Research Goals

• Conduct independent security audit

• Confirm findings of previous researchers

• Verify threats by implementing attack demos

Who wants to know? Voters, candidates, election officials, policy makers, researchers


Vulnerabilities

• Malicious software running on the machine can steal votes undetectably, altering all backups and logs

• Anyone with physical access to the machine or memory card can install malicious code in as little as one minute

• Malicious code can spread automatically and silently from machine to machine in the form of a voting machine virus


Correct result: George 5, Benedict 0


Voting Machine Virus


Viral Spread