1 J. Alex Halderman
Legal Challenges in Security Research
J. Alex Halderman
Center for Information Technology Policy
Department of Computer Science
Princeton University
Part 1 — CD DRM
CD DRM
CD Players
Plays normally
Computers
Restricted use
e.g. Can’t copy disc
Can’t rip as MP3
Can’t use on iPod
Why Study CD DRM?
• Add to practical knowledge of DRM design
What works well in practice? What tends to break?
• Independently critique deployed systems
Strengths and weaknesses? Prospects for success?
• Assess dangers to users’ security and privacy
Phoning home? Vulnerability to attacks?
Who wants to know?
Record companies, musicians, investors, policy makers, music buyers, researchers
The DMCA
Prohibits:
• “circumvent[ing] a technological measure that effectively controls access to a work”
• distributing “any technology, product, service, device, component, or part thereof” primarily intended to circumvent an effective TPM
Extremely limited security testing and encryption research exemptions not applicable here.
— Digital Millennium Copyright Act [17 U.S.C. 1201]
EULAs
“You will not reverse engineer, decompile, disassemble or otherwise tamper with or modify the [copy protection software]”
“You will comply with and will not circumvent or attempt to circumvent the [copy protection] or any technology designed to enforce the [copy protection]”
— SonyBMG End User License Agreement
SunnComm MediaMax (2003)
“[An outside testing firm] determined that none of the ripper programs used in the testing process was able to produce a usable unauthorized copy of the protected CD yielding a verifiable and commendable level of security for the SunnComm product.”
— SunnComm Press Release
Security Analysis of MediaMax
First time a protected CD is inserted…
Autorun (normal Windows feature) installs a copy protection driver between CD drive and applications
When a user tries to rip or copy a disc…
Driver blocks access to audio
A major undisclosed design defect:
Users can disable AutoRun by holding the “shift” key
[Diagram labels: CD Drive; Ripper/copier Application; OS; Protection driver]
“… Halderman and Princeton University have significantly damaged SunnComm’s reputation and caused the market value of SunnComm to drop by more than $10 million.”
“… Halderman has violated the Digital Millennium Copyright Act (DMCA) by disclosing unpublished MediaMax management files placed on a user's computer … SunnComm intends to refer this possible felony to authorities having jurisdiction over these matters…”
“SunnComm believes that the author’s report was ‘disseminated in a manner which facilitates infringement’ in violation of the DMCA or other applicable law.”
“The act of publishing instructions under the cloak of ‘academic research’ showing how to defeat MediaMax such as those instructions found in Halderman's report is, at best, duplicitous and, at worst, a felony.”
“SunnComm … intends to take legal action”
— SunnComm Press Release
The SonyBMG Episode (2005)
Mark Russinovich
October 31, 2005
Sony Rootkit Vulnerability
Privilege escalation attack
– Hidden objects not limited to copy protection software
– Malware unable to install its own rootkit can utilize Sony’s
– Use to hide from virus checkers, admin tools
Exploits found in wild
Backdoor.Ryknos.B
Trojan.Welomoch
I Felt the Chill
MediaMax Vulnerability
13+ MB installed before EULA screen
Access permissions set incorrectly
An unprivileged attacker can exploit this error to run with administrative access when a CD is inserted
CD DRM as Spyware
Sony’s CD DRM systems:
• “Phone home” about each title played despite privacy statement to the contrary
• Ship without a meaningful uninstaller
• Install without consent or exceed consent
Spyware is hard to define, but these meet most common definitions.
Sony CD DRM Uninstallers
“Oops! ... I did it again”
“Most people, I think, don't even know what a Rootkit is, so why should they care about it?”
— Thomas Hesse, President, Sony BMG Global Digital Business
“It’s very important to remember that it’s your intellectual property — it’s not your computer. And in the pursuit of protection of intellectual property, it’s important not to defeat or undermine the security measures that people need to adopt in these days.”
— Stewart Baker, Asst. U.S. Secretary of Homeland Security
Scientist / Attorney Ratio
Two Researchers
Eight Lawyers (actual lawyers not pictured)
Aftermath
Rootkit discs recalled
…but still in many stores and CD collections
Major class-action suits filed, settled
Customers can trade discs for cash, MP3 downloads, and non-DRM versions
Sony won’t use CD DRM, for now
Hope for Copyright Reform
H.R. 1201: Digital Media Consumers Rights Act (Rick Boucher, D-VA)
• Requires labeling for DRMed CDs
• Adds new DMCA exemptions:
– persons “acting solely in furtherance of scientific research into technological measures”
– circumventing TPMs “in order to obtain access to the work for purposes of making noninfringing use”
• Codifies the Sony “capable of substantial non-infringing uses” test for secondary liability
Part 2 — E-Voting
2000 Recount Debacle
Legislative response:
Help America Vote Act
Provided $3.9 billion to states to upgrade voting machines by November 2006
DREs to the Rescue?
Direct Recording Electronic – Store votes in internal memory
DREs are Computers
Bugs
Rootkits
Viruses
Attacks
The Diebold AccuVote-TS
Diebold’s History of Secrecy
• Uses NDAs to prevent states from allowing independent security audits
• Source code leaked in 2003, researchers at Johns Hopkins found major flaws
Diebold responded with vague legal threats, personal attacks
• Internal emails leaked in 2003 reveal poor security practices by developers
Diebold tried to suppress sites with DMCA letters
(Several sites successfully sue for misrepresentation of copyright)
We Get a Machine (2006)
Obtained legally from an anonymous private party
Software is 2002 version, but certified and used in actual elections
First complete, public, independent security audit of a DRE
Our Findings
• Malicious software running on the machine can steal votes undetectably, altering all backups and logs
• Anyone with physical access to the machine or memory card can install malicious code in as little as one minute
• Malicious code can spread automatically and silently from machine to machine in the form of a voting machine virus
Video Demonstration
Low-Tech vs. High-Tech
Paper Ballots
Low-cost cheating (ballot stuffing)
Small scale tampering (individual precincts)
Electronic Voting
High-cost cheating (viral attacks)
Large scale tampering (counties or states)
Leverage these complementary failure modes for greater security.
Paper to the Rescue
Voter-Verified Paper Audit Trails (VVPAT)
• DRE prints a paper ballot, voter verifies and places in a ballot box
• At a few random precincts, paper ballots counted to ensure machine totals are accurate
• If discrepancies found, paper ballots can be counted more widely
Proposed Legislation
H.R. 550: Voter Confidence and Increased Accessibility Act (Rush Holt, D-NJ)
• Amends HAVA to require VVPATs
– Paper ballots would be the official record
– Random manual recounts in 2% of precincts
• Opens voting software and source code to public inspection
• Additional $150 million for states
Final Thoughts
• Security research remains a risky business where chilling effects are widely felt
• Legal uncertainty adds cost and delay, harming users of insecure systems
• Legal changes (e.g. DMCA reform) would be a major boon
• Pro bono legal help makes research possible — Thank you!
Legal Challenges to Security Research
J. Alex Halderman
Center for Information Technology Policy
Department of Computer Science
Princeton University
http://itpolicy.princeton.edu
Research in the Blogosphere
Research Goals
• Conduct independent security audit
• Confirm findings of previous researchers
• Verify threats by implementing attack demos
Who wants to know? Voters, candidates, election officials, policy makers, researchers
Vulnerabilities
• Malicious software running on the machine can steal votes undetectably, altering all backups and logs
• Anyone with physical access to the machine or memory card can install malicious code in as little as one minute
• Malicious code can spread automatically and silently from machine to machine in the form of a voting machine virus
Correct result: George 5, Benedict 0
Voting Machine Virus
Viral Spread