Wednesday, April 6, 2011

Over The Top Media Distribution

A few weeks ago I gave a presentation at OTTCon (the Over The Top Conference) in San Jose, California. What is "over the top"? The purest definition is multi-media (HD video, "television", and other media) delivered to your home through the internet. Over the top refers to working "around" the traditional "television" delivery channels to your home (broadband cable, airwave broadcast, and satellite).

The conference was over-subscribed and indicative of the tremendous foment in this technology, product and service area. As with any market with such dynamics and growth, the business opportunities are tremendous.

This market has large, well established vendors operating "walled garden" solutions with strong interest in expanding out from their now traditional music or DVD quality video distribution to high definition content. There are a large number of smaller niche players, and new entrants of varying types almost every day. Of course all the major consumer electronic brands and consumer media sales brands are jockeying for position as well.

The cable companies are highly involved, particularly as they strive for a larger business role than just as a bandwidth provider for "the last mile", which in turn has been and will continue to raise net neutrality issues.

There is tremendous product crossover, with gaming boxes serving as internet connected media access devices, smart phones and tablets operating as media access devices, set-top box functionality being integrated into traditional TV's and monitors, not to the mention the evolving role of the traditional PC as a multi-media hub.

There are platform wars erupting. The most interesting is Google's promotion of Android and Chrome as ubiquitous platforms to be used by all media oriented product vendors...which just happen to very easily integrate with Google's services and advertising.

Standardization is a major market force. Ultraviolet is an open standard in development with huge industry participation working to define and create a uniform and compatible system for purchasing, renting, accessing and viewing high definition video content on all owned Ultraviolet compatible devices.

Behind all of this are the studios, with their content and in particular with their high definition content, which they are being extremely careful with relative to distribution and monetization.

Overall, this is an incredibly complicated business and technology ecosystem, with participation by telcos, cable companies, satellite companies, consumer electronics companies, cell phone companies, microprocessor companies, computer companies, bricks and mortar and web only consumer sales companies, studios, and security companies. The corporate membership list of Ultraviolet, for example, is stunning in its breadth.

Michael Porter of the Stanford Business School is famous for (among other things) his promotion of a "force analysis" of industries. A comprehensive force analysis of the "over the top" market would be fascinating, revealing and extremely complex and rich.

I can't use the term "force" without bringing to mind the meme introduced into our social consciousness by George Lucas, "the Force". As we all know the Force has a light side and a dark side, and in this market area, the dark side centers around (no surprise!) digital media piracy.

Digital media piracy requires a legal basis for defining digital media as proprietary assets. This basis was all but non-existent only a few short years ago, as our large body of property law was primarily concerned with the physical plane. The Digital Millennium Copyright Act (DMCA) is now the foundation on which digital media as proprietary property rests.

Intellectually, most of us understand and agree that media in digitized form is still property. However, sadly, our moral structure and cultural attitudes have not kept pace with the advancement of technology. There are huge numbers of people who would not steal a pack of gum from a store who can and do routinely access pirated digital content.

Why is that? I believe there are two fundamental reasons. The first is the lack of perception of "theft", because there is no overt loss of goods to the owner when the piracy occurs. The second is what I call "second order access": if it's available for free or low cost download, then "I am not stealing it". This is analogous to buying the fancy new watch from the back trunk of someone's car; we know they stole it, yet we are tempted to make the purchase of the stolen goods.

Morality in a society is nurtured and supported by simple acts of peer pressure, and I urge readers to engage in this relative to digital piracy: do not allow this to occur in your home, refuse to support it by saying "no" to offers to enjoy "free" movies by friends and neighbors, and in general stand up at the critical times for the property rights of those who labored to create the content that has been stolen. All the technology in the world will not make us a moral society and protect our interests from ourselves. Only we as a society can do that, and it truly starts with each of us taking simple daily stands on the issue.

There is an incredible essay written in the early 1990's by John Barlow (who later became a co-founder of the Electronic Frontier Foundation) called "Selling Wine Without Bottles: The Economy of Mind on the Global Net". In this essay Barlow poses the following riddle: "if our property can be infinitely reproduced and instantaneously distributed all over the planet without cost, without our knowledge, without its even leaving our possession, how can we protect it?", which in turn leads to a fascinating observation: "A lot of protection technologies will develop rapidly in the obsessive competition which has always existed between lock makers and lock breakers."

Here at Arxan Technologies, we are deeply involved in this "obsessive competition" in the arena of proprietary digital content lock making and breaking. Consistent with the vastness of the ecosystem involved in "over the top" media distribution is an alarmingly complex delivery value chain for the actual content. This in turn presents a vast "attack surface" for those who wish to steal the digital assets in motion. And the problem doesn't stop with merely the protection of the digital content: other elements of the environment are subject to tampering to effect different forms of piracy. For example, tampering with a retail node to enable "purchases" without any actual financial transaction, or tampering with policy code to disable the time period restrictions on content.

We at Arxan are members of the Ultraviolet organization and are deeply involved in protecting digital assets in both Ultraviolet and many other "over the top" media distribution channels through Digital Rights Management software protections, key hiding technologies and node locking technologies.

Thursday, March 3, 2011

Android Marketplace Apps Removed by Google

For quite some time now I and others have been speaking out regarding the risks of the Android application marketplace, as an un-vetted "wild west" for software.

The essence of the problem is simple: anyone can post software there, without any review of actual content and behavior. The overarching security model is that applications on installation must request, and the user must approve, certain capabilities (for example the right to access address book information, or to send text messages), and this then gives the user security control. The problem with this model is that broad capability requirements are very common on legitimate applications, and users come to assume that the capabilities requested are both needed and will be used "appropriately" by the application. Neither is necessarily true, particularly with applications that are intentionally malignant.

Today we have the news of a significant number of applications with large numbers of downloads being, in fact, malware attempting to get device access at the root level, and stealing confidential information off the phone.

It's important to keep in mind that there are three types of parties involved in Android security issues. The first is of course the consumer and individual business user, and their concern is the ability to utilize applications that provide incremental value without concerns about malware. The second is businesses themselves who must field these devices with their staff for productivity reasons, and have to balance between the need to enable them with productivity applications, while still ensuring device security. This is particularly necessary given the business data likely to reside on the device. Lastly, there are the application developers (sometimes these same businesses fielding such devices), who have to be concerned about the risk of their software being compromised with malware, and potentially their brand compromised as a result of re-distribution with malware injected into their application.

The heart of the problem leading to this action by Google is first, the lack of any review practices for the Android marketplace. Some are suggesting a "vetted" Android marketplace as a solution; meanwhile, some larger enterprises are constructing their own "vetted and approved" download areas for Android applications for employee business devices. It's not hard given this recent action to see why such a methodology is needed for large corporate deployments of Android devices into the work force.

The second problem is the lack of any software protections in the application software itself. We at Arxan have been ringing this bell for some time, and while those with obvious code security concerns do take active steps to secure their application code with intrinsic security (media players, payment system software, banking software, etc.), others do not. This enables exactly the above situation to occur: hackers can casually lift an application, reuse/modify the binary level code, and republish. The result: rapid and effective malware distribution to a huge base of Android device users.

The solution isn't overly difficult: protect your applications from reverse engineering and tampering! Arxan and others provide powerful technologies to accomplish this. While this won't secure the Android marketplace itself, it will help to assure that YOUR software isn't cloned and published under a similar function or brand name with malware inserted.
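One way a "vetted and approved" internal download area can put the two points above into practice (the permission model that users rubber-stamp, and clones of legitimate apps republished with malware) is an automated pre-review step. The following is an added example, not Arxan's or Google's code: it parses a constructed AndroidManifest.xml for the permissions an app requests, flags combinations that warrant a human reviewer, and pins the publisher's signing certificate so a repackaged copy under a look-alike name is rejected. The permission strings are real Android names; the risk tiers, the combination rules, the package names and the certificate bytes are this example's own assumptions (extracting the real signer certificate from an APK is left to the usual SDK tooling).

```python
"""Pre-review for an internal "vetted" Android download area (added example)."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Tiering is an assumption for this example; the names are real permissions.
HIGH_RISK = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_CONTACTS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.INSTALL_PACKAGES",
}

# Combinations a typical productivity app has no need for (assumed review rules).
SUSPICIOUS_COMBOS = [
    ({"android.permission.READ_CONTACTS", "android.permission.INTERNET"},
     "contact data can leave the device"),
    ({"android.permission.SEND_SMS"},
     "toll/premium-rate SMS abuse is possible"),
    ({"android.permission.RECEIVE_BOOT_COMPLETED", "android.permission.INTERNET"},
     "persistence plus network access: bot-like behaviour"),
]


def requested_permissions(manifest_xml: str) -> set:
    """Collect every <uses-permission android:name=...> in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for node in root.iter("uses-permission"):
        name = node.get("{%s}name" % ANDROID_NS)
        if name:
            names.add(name)
    return names


def review(manifest_xml: str) -> dict:
    """Return the permissions, the findings and a verdict for a reviewer."""
    perms = requested_permissions(manifest_xml)
    findings = [why for combo, why in SUSPICIOUS_COMBOS if combo <= perms]
    high = sorted(perms & HIGH_RISK)
    verdict = "manual review required" if findings or high else "auto-approve candidate"
    return {"permissions": sorted(perms), "high_risk": high,
            "findings": findings, "verdict": verdict}


def signer_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the signer's DER certificate, the value to pin per publisher."""
    return hashlib.sha256(cert_der).hexdigest()


def signer_matches(cert_der: bytes, pinned_fingerprint: str) -> bool:
    """A repackaged APK is signed by someone else, so its fingerprint differs."""
    return hmac.compare_digest(signer_fingerprint(cert_der), pinned_fingerprint)


# Constructed sample inputs (not real apps).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Notes"/>
</manifest>"""

SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes.free">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Notes"/>
</manifest>"""

GENUINE_SIGNER_CERT = b"constructed stand-in for the publisher's DER certificate"
PINNED_FINGERPRINT = signer_fingerprint(GENUINE_SIGNER_CERT)

if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_MANIFEST), ("suspect", SUSPECT_MANIFEST)):
        print(label, review(manifest))
    print("repackaged copy accepted?", signer_matches(b"someone else's cert", PINNED_FINGERPRINT))
```

The combination rules are where the real value is: a single permission rarely tells a reviewer much, but contacts plus network, or boot persistence plus network, describes behaviour rather than a capability. The signer pin complements this by making a clone detectable even when it requests exactly the permissions the genuine app does.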

Thursday, January 6, 2011

A New Decade of Computing!

2010 is over, and a new decade is beginning to unfold. We have a tidal wave of computing change occurring, indeed it is really just getting started.

"Smart phones", which I prefer to think of as hand held computers with cellular I/O support, are by far the fastest growing class of computer systems today. I've suggested it before and I'll suggest it again: what we are witnessing is the rise of a "fourth wave" of computing. The first wave was the mainframe, the second was the minicomputer, the third wave was the PC. Interestingly, the "personal" computer was personal only in the sense that you, as an individual, had your own. The rise of the truly "handheld" computing device, which also adds cell phone I/O (for both data and voice transmission, thus making them "smart phones"), is more accurately a "personal" computer, in that the computer generally stays in contact with your body. However, since "personal computer" isn't available as a moniker, I've suggested "intimate computer" as a more accurate and expansive name for this new computing class.

What can we learn from history, from the forces we see at work, from our own logical assessment, and even perhaps from our intuition, about how this new intimate computing wave will unfold?

First, as to form factor: I do not think we are anywhere near "done" with evolution of form factor in these new intimate computing devices. Just as the desk-side/desk-top PC fairly quickly evolved into a wildly popular "laptop" form, I predict that the current form factor of a rectangular hand held "bar" will evolve into yet more intimate forms. Generally I'd call this "wearable computers" and all that that implies. The specific forms that will be successful are hard to predict, but it's sure to be a fascinating arena with multiple audio and visual possibilities!

The challenge of new form factors will of course be I/O between us and the computer. While voice is an obvious possibility for input, voice strikes me as being problematic for the innumerable times you want to "use the computer" but speaking extensively is inappropriate or just not comfortable. Audio output is easily dealt with via the current forms of ear based speakers, but perhaps during the decade we will see something more subtle, a la bone induction or some other means of bypassing the need for external speaker based output.

Visual output requirements would seem to take us back to some kind of "hand held screen" form factor, but I think this leads to a very likely "wearable" form factor that can address multiple needs in an integrated manner. Glasses. Yes, glasses, where visual output is projected onto the inside of the glass and is seen as an "overlay" on the outside visible world, similar to heads up displays in aircraft. Such a form factor can easily include audio output via integrated ear buds. Voice input is obvious but as I said, not ideal, and the human input side is probably the area I am least able to see what innovations might develop. Sensors on finger tips that allow some kind of finger movement based textual input? Perhaps we'll get to internet access and general computing paradigms where textual input is generally obsolete! Or perhaps some kind of "sub-vocal" input means will be created, allowing "voicing" that is performed silently relative to the outside world!

If you think that I am alone or far fetched in my thinking, then perhaps you were not at the Open Mobile Summit late last year in San Francisco. I heard a few companies talking about these trends and sharing thoughts on concept products that might one day appear. One company showed a "mirror mirror on the wall who is the fairest of them all" concept where as you brush your teeth in the morning, you engage in I/O activities from getting the weather, news and sports, and sending them on to friends. Another company decried the current "heads down" paradigm of smart phone usage, promising to lift up the heads of people everywhere with use of their future products. I don't believe my ruminations are entirely speculative!

Of course where innovation goes, crime is sure to follow. It's an immutable law of nature. What might be the evolution of "computer viruses", and more generally, the entire arena of "cybercrime"? As noted in prior blogs, this area isn't just kid stuff or even just "malicious people" stuff anymore. This is hard core major organized crime stuff! Billions of $'s are being stolen, every year, both in outright cash and in more subtle economic forms (intellectual property in particular).

Even today, we already have examples of viruses infecting intimate computing devices. We have an example of malware hiding under a veneer of a legitimate application (watching a new movie trailer) directly monetizing its infection by making toll calls charged to the service plan of the owner of the smart phone. It's a safe bet that ALL the forms of viruses, malware, bots and botnets, and the like will move through the intimate computing landscape.

Do the specifics of intimate computers enable new and different forms of malware? Note: I'm not referring to the detailed level of "yes there will be differences because it's Linux or Symbian or XX underneath not Windows or OS/X". Are there new and unique attributes of intimate computers that will enable whole new classes of malware? If so, what are those unique attributes?

First, the "universal" connectivity of intimate computing devices to the cellular infrastructure is a unique attribute. Second, the popularity of mobile apps (downloaded to and run as independent programs) as the basis for functionality extension is rather unique. Yes we all have loaded applications onto our PC's, but in general we are rather selective and judicious about that, loading those apps from large well established and recognized legitimate vendors, and we generally load relatively few in number. The intimate computer world is shaping up very differently where loading many tens and even hundreds of little apps from all kinds of no-name vendors is business as usual!

Do the apps represent a new means of malware infection? Well, to a large extent the same issue was present in PC's. However, what we have here is a huge difference in SCALE. BILLIONS of apps are being downloaded; Gartner is projecting approximately 30 BILLION app downloads into intimate computers by 2013. Is the opportunity for large scale infection substantially higher for these intimate computers? Clearly, it is.

What about the cellular I/O that is fundamental and pervasive on these devices? What can malware do with that? I truly don't know, but one thing I'm 100% certain of: there are some very smart minds out there, with advanced technology knowledge, getting paid by very evil minds with lots of money and no compunctions or morals, thinking about this as a tremendous (criminal) revenue generating opportunity. And that puts intellectual property at risk, not to mention business models and privacy.

So, how do we move forward in our mobile, connected, app-loaded world? With excitement and innovation, but also with consideration for the defenses required to safeguard assets in this brave new world (apologies to Aldous Huxley). If this stirs your thinking a little as we march into the madness of a new decade, I've accomplished my goal for today. Happy New Year, and here's to an exciting second decade of the millennium!

Monday, November 15, 2010

The Anti-Piracy Fiscal Maelstrom

There are recent reports of Microsoft spending upwards of $200M (yes, million!) a year on anti-piracy technology. See the New York Times feature article:

This is an astounding figure, particularly given that in general, Microsoft software is available at vastly reduced costs from the pirates.

While it may be tempting to conclude from this that software piracy is unstoppable, I thought I would share my perspective based on my company, Arxan’s, experience. Frankly, we've seen time and again that our technology (for instance), properly applied on top of a thoughtful design from a security perspective can and does stop piracy. We've had major successes in a wide variety of market segments, from low end extremely high volume gaming software, to very low volume but extremely high value geophysical software, and all kinds of interesting applications between those two extremes.

We are also familiar with failure. That's right, I'm not here to claim our solution is a panacea. It doesn't work that way. It's a continuous arms race in general, and on a software title by software title basis, it sometimes feels like hand to hand combat.

What we have learned is that a solid design in the security dimension is critical. A weak security design can't be easily "protected" later! A design that seriously considers the threats to the software in general, how those threats are directly mitigated by the design, and then on top of that, how the design and implementation itself is protected from undermining through reverse engineering and code tampering, is required.

Secondly, we've learned that you have to stay right on top of the latest techniques used by the cracking community. As an example, we are now at "anti-anti-anti-debug" techniques. That's right, we deploy anti-debug techniques...and the crackers have deployed anti-anti-debug techniques...and we are deploying techniques to detect those, hence "anti-anti-anti-debug".

It's a brave new world indeed!

Microsoft's piracy problems are complicated by the fact that they have such a broad array of products, from multiple disparate design and development teams, with different licensing schemes, different distribution models and a wide diversity of distribution channels. As anyone who attempts to run their business on Microsoft software knows, Microsoft does NOT look like "one company" when viewed through the lens of purchasing and licensing their software!

Few companies have the financial wherewithal for this level of security investment, both in absolute terms and even in "relative to revenues" terms. For these companies, it's critical that application security be integrated into their product lifecycle, as a "must" design attribute. Letting a team rip on a major product development program, then starting to think about "how do we address this piracy problem?" after the product has been shipping for a few days, weeks or months is to take a step in the direction of Microsoft levels of relative spend. Don't do that! Just as reliability, usability, and supportability are, these days, critical requirements that are considered through the software product lifecycle, so must software security be considered and addressed.

The end result can be a secure, un-pirated product. We know this for a fact, we've succeeded with many customers in achieving this result. So don't end up staring down the tunnel of extravagant anti-piracy costs: think application security early, and often.

Tuesday, September 28, 2010

Digital Media Security

The HDCP copy protection technology has been successfully hacked, through the generation and publication of the overall master key:

What does this really mean? It is in fact a bit complicated. The content on Blu-Ray disks is protected with something called AACS, and optionally with additional technology called BD+. The Blu-Ray player itself decrypts the content, de-compresses it, and re-scales it as needed for the target display device. Then this content is re-encrypted using HDCP and sent through HDMI to the target display. The display device decrypts the HDCP encrypted content for presentation on the monitor.

With this master key, it is possible to build external devices that will appear as legitimate recipients of HDCP encrypted content with an ability to decode that content, and then do whatever is desired with it (such as re-compress it and make it available through download sites). Will someone do this? It's a good bet; where's there's money to be made via piracy, people will take advantage.

How did this happen? After all, isn't encryption based security supposed to be based on an "ultimate level of obscurity", namely, the problem of "can you figure out which one of our 100 billion possibilities I'm using?".

Yes, in this case the overall system had a flaw that allows someone to use some heavy math to "back compute" the master key from a sufficiently sized (but still small, somewhere between 30 and 50) set of "device keys", which get generated through use of the master key.
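The "heavy math" is worth seeing in miniature, because the lesson is about key-scheme design rather than about any one product. The following is an added example, not HDCP's actual arithmetic and not Arxan's code: a toy Blom-style scheme in which a symmetric master matrix M issues each device the private key vector k_i = M * v_i from a public per-device vector v_i, and two devices agree on a secret because v_j . k_i = v_i . k_j. Such a scheme is linear, so once N linearly independent device keys are known the whole master matrix follows by solving a linear system; N is the only security parameter (the passage above reports 30 to 50 for the real system). The prime modulus, the 3x3 master matrix and the device vectors are small constructed values.

```python
"""Toy Blom-style key scheme: a linear master key has a collusion threshold (added example)."""

P = 101   # small prime modulus, an assumption for the toy (a real scheme uses far larger arithmetic)
N = 3     # dimension of the master matrix; the scheme's collusion threshold

# Constructed symmetric master matrix; the licensing authority's secret.
MASTER = [[7, 3, 9],
          [3, 5, 2],
          [9, 2, 11]]

# Constructed public per-device vectors (the role a public device identifier plays).
DEVICE_PUBLIC = [[1, 0, 2], [0, 1, 1], [1, 1, 0]]


def mat_vec(M, v):
    """M * v over GF(P)."""
    return [sum(M[r][c] * v[c] for c in range(N)) % P for r in range(N)]


def dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % P


def issue_device_key(master, public_vec):
    """Private key embedded in a device at manufacture: k = M * v."""
    return mat_vec(master, public_vec)


def shared_secret(my_private, peer_public):
    """Both sides compute the same value because M is symmetric."""
    return dot(my_private, peer_public)


def solve_mod_p(A, B):
    """Solve A * X = B over GF(P) by Gauss-Jordan elimination; A is N x N, B is N x N."""
    rows = len(A)
    aug = [[x % P for x in A[r]] + [x % P for x in B[r]] for r in range(rows)]
    for col in range(N):
        pivot = next((r for r in range(col, rows) if aug[r][col]), None)
        if pivot is None:
            raise ValueError("public vectors are not linearly independent")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], -1, P)          # modular inverse (Python 3.8+)
        aug[col] = [x * inv % P for x in aug[col]]
        for r in range(rows):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(x - f * y) % P for x, y in zip(aug[r], aug[col])]
    return [row[N:] for row in aug[:N]]


def recover_master(public_vecs, private_keys):
    """Given N (v_i, k_i) pairs, solve V^T * M = K^T for M (M^T = M since it is symmetric)."""
    if len(public_vecs) < N:
        raise ValueError("need at least %d device keys; the scheme holds below that" % N)
    VT = [list(v) for v in public_vecs[:N]]     # rows are the public vectors
    KT = [list(k) for k in private_keys[:N]]    # rows are the matching private keys
    return solve_mod_p(VT, KT)


def demo():
    """Issue N device keys, check the agreement property, then recover M from the keys alone."""
    keys = [issue_device_key(MASTER, v) for v in DEVICE_PUBLIC]
    agrees = shared_secret(keys[0], DEVICE_PUBLIC[1]) == shared_secret(keys[1], DEVICE_PUBLIC[0])
    recovered = recover_master(DEVICE_PUBLIC, keys)
    return {"agrees": agrees, "recovered_equals_master": recovered == MASTER}


if __name__ == "__main__":
    print(demo())
```

The defender's reading of this: the mathematics is not "broken" in the sense of a buggy cipher; the scheme behaves exactly as designed, and the design guarantees nothing once N device keys have been extracted from N devices. That is why the threat model for any keyed media system has to count on key extraction from deployed hardware and software, and why the layering argued for below matters.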

Overall, what does this say about our digital media security systems?

The answer is a hard pill to swallow: our digital media security systems can't really be trusted. Nothing about their basis on "hard cryptography" makes them immune from cracking, and nothing about their implementation directly in custom hardware makes them immune.

So what's needed? What is needed is multiple layers of defense, ideally implemented with both hardware and software mechanisms. Arxan Technologies is predicated on the exponentially increasing difficulty of fully cracking a protected system, when that system is protected by multiple layers of relatively independent security mechanisms. Additionally, the overall architecture should be designed with not just the concept of stopping cracking, but also of anticipating and detecting a cracked environment...and then compromising that environment in a new, subtle but pernicious way.

Always seek to detect and create trouble for the cracker and/or for the user of the crack. I recommend an approach of multiple layers of defense, with both crack blocking strategies and crack detection strategies, all coupled to overt and subtle response strategies.
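The layering described above, and the "anti-anti-anti-debug" point from the anti-piracy post earlier on this page (a check that detects when another check has been neutered), can be shown in a small self-contained form. The following is an added example, not Arxan's product and not a real protection scheme: it has a debugger check (the Linux TracerPid field of /proc/self/status), a code-integrity check over the bytecode of the critical functions that also covers the debugger check itself, and a response policy that either refuses outright (overt) or quietly skews results (subtle). The function names, the royalty calculation and the HMAC key are constructed for the example; in a real product the key would be the job of the key-hiding the posts mention, and the checks would live in native code rather than Python.

```python
"""Layered tamper and debugger detection with overt and subtle responses (added example)."""
import hashlib
import hmac

INTEGRITY_KEY = b"constructed-demo-key-not-hidden"   # assumption; a real product hides this


def parse_tracer_pid(status_text: str) -> int:
    """Return the TracerPid value from /proc/<pid>/status text (0 means no tracer)."""
    for line in status_text.splitlines():
        if line.startswith("TracerPid:"):
            return int(line.split(":", 1)[1].strip())
    return 0


def debugger_attached() -> bool:
    """Layer 1: a ptrace-based debugger shows up as a non-zero TracerPid on Linux."""
    try:
        with open("/proc/self/status") as f:
            return parse_tracer_pid(f.read()) != 0
    except OSError:              # not Linux or no /proc: this layer abstains
        return False


def compute_royalty(units: int, rate_cents: int) -> int:
    """The function the layers protect (constructed business logic)."""
    return units * rate_cents


def fingerprint(fn) -> str:
    """Layer 2: keyed digest over a function's bytecode and constants."""
    code = fn.__code__
    material = code.co_code + repr(code.co_consts).encode()
    return hmac.new(INTEGRITY_KEY, material, hashlib.sha256).hexdigest()


# The debugger check is itself guarded: patching it out changes its fingerprint.
GUARDED = (compute_royalty, debugger_attached, parse_tracer_pid)
EXPECTED = {fn.__name__: fingerprint(fn) for fn in GUARDED}   # recorded at "build" time


def integrity_violations() -> list:
    """Names of guarded functions whose bytecode no longer matches the build-time record."""
    return [fn.__name__ for fn in GUARDED if fingerprint(fn) != EXPECTED[fn.__name__]]


def protected_royalty(units: int, rate_cents: int, mode: str = "subtle"):
    """Run the layers, then respond. Returns (value, verdict)."""
    tampered = bool(integrity_violations()) or debugger_attached()
    if not tampered:
        return compute_royalty(units, rate_cents), "ok"
    if mode == "overt":
        raise RuntimeError("protected code has been tampered with")
    # Subtle response: keep running but skew the result, so the crack looks broken
    # to its user without revealing which layer fired.
    return compute_royalty(units, rate_cents) ^ 0x5A5A, "degraded"


def simulate_patch(fn, replacement):
    """Stand-in for a cracker replacing a check with a same-signature stub; returns the original code."""
    original = fn.__code__
    fn.__code__ = replacement.__code__
    return original


if __name__ == "__main__":
    print("clean run:", protected_royalty(10, 25))
    original = simulate_patch(debugger_attached, lambda: False)   # "anti-anti-debug"
    print("violations after patch:", integrity_violations())      # "anti-anti-anti-debug"
    print("subtle response:", protected_royalty(10, 25))
    debugger_attached.__code__ = original
```

Two design points carry over to real protections. First, the layers must be independent and must cover each other: here the integrity layer records the debugger check's own bytecode, so disabling the check is what trips the alarm. Second, the response should not tell the cracker which layer fired; a skewed result discovered later costs an attacker far more analysis time than an immediate refusal.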

Intel, in response to this crack, has said they will sue anyone using the master key. Legal solutions to piracy historically have had very limited success. Our technology can and should do better in presenting very difficult barriers to those willing to act outside of the law.