Monday, November 15, 2010

The Anti-Piracy Fiscal Maelstrom

There are recent reports of Microsoft spending upwards of $200M (yes, million!) a year on anti-piracy technology. See the New York Times feature article:

http://www.nytimes.com/2010/11/07/technology/07piracy.html?scp=4&sq=microsoft&st=cse

This is an astounding figure, particularly given that in general, Microsoft software is available at vastly reduced costs from the pirates.

While it may be tempting to conclude from this that software piracy is unstoppable, I thought I would share my perspective based on the experience of my company, Arxan. Frankly, we've seen time and again that our technology (for instance), properly applied on top of a thoughtful design from a security perspective, can and does stop piracy. We've had major successes in a wide variety of market segments, from low-end, extremely high-volume gaming software, to very low-volume but extremely high-value geophysical software, and all kinds of interesting applications between those two extremes.

We are also familiar with failure. That's right, I'm not here to claim our solution is a panacea. It doesn't work that way. It's a continuous arms race in general, and on a software title by software title basis, it sometimes feels like hand to hand combat.

What we have learned is that a solid design in the security dimension is critical. A weak security design can't be easily "protected" later! A design that seriously considers the threats to the software in general, how those threats are directly mitigated by the design, and then on top of that, how the design and implementation itself is protected from undermining through reverse engineering and code tampering, is required.

Secondly, we've learned that you have to stay right on top of the latest techniques used by the cracking community. As an example, we are now up to "anti-anti-anti-debug" techniques. That's right, we deploy anti-debug techniques...and the crackers have deployed anti-anti-debug techniques...and we are deploying techniques to detect those, hence "anti-anti-anti-debug".

It's a brave new world indeed!

Microsoft's piracy problems are complicated by the fact that they have such a broad array of products, from multiple disparate design and development teams, with different licensing schemes, different distribution models and a wide diversity of distribution channels. As anyone who attempts to run their business on Microsoft software knows, Microsoft does NOT look like "one company" when viewed through the lens of purchasing and licensing their software!

Few companies have the financial wherewithal for this level of security investment, both in absolute terms and even in "relative to revenues" terms. For these companies, it's critical that application security be integrated into their product lifecycle, as a "must" design attribute. Letting a team rip on a major product development program, then starting to think about "how do we address this piracy problem?" after the product has been shipping for a few days, weeks or months is to take a step in the direction of Microsoft levels of relative spend. Don't do that! Just as reliability, usability, and supportability are, these days, critical requirements that are considered through the software product lifecycle, so must software security be considered and addressed.

The end result can be a secure, un-pirated product. We know this for a fact: we've succeeded with many customers in achieving this result. So don't end up staring down the tunnel of extravagant anti-piracy costs: think application security early, and often.

Tuesday, September 28, 2010

Digital Media Security

The HDCP copy protection technology has been successfully hacked, through the generation and publication of the overall master key:

http://www.eweek.com/c/a/Security/Intel-Investigating-HDCP-Master-Key-Exposure-384053/

What does this really mean? It is in fact a bit complicated. The content on Blu-Ray disks is protected with something called AACS, and optionally with additional technology called BD+. The Blu-Ray player itself decrypts the content, de-compresses it, and re-scales it as needed for the target display device. Then this content is re-encrypted using HDCP and sent through HDMI to the target display. The display device decrypts the HDCP encrypted content for presentation on the monitor.

With this master key, it is possible to build external devices that will appear as legitimate recipients of HDCP encrypted content with an ability to decode that content, and then do whatever is desired with it (such as re-compress it and make it available through download sites). Will someone do this? It's a good bet; where there's money to be made via piracy, people will take advantage.

How did this happen? After all, isn't encryption based security supposed to be based on an "ultimate level of obscurity", namely, the problem of "can you figure out which # of our 100 billion possibilities I'm using?".

Yes but...in this case the overall system had a flaw that allows someone to use some heavy math to "back compute" the master key from a sufficiently sized (but still small, somewhere between 30 and 50) set of "device keys", which get generated through use of the master key.
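Why a small set of device keys is enough can be seen in a toy model, added here as an illustration (it is not HDCP code and not from the original post). It assumes a linear key derivation, where each device's private keys are the product of a secret symmetric master matrix and a public per-device vector; the 4x4 size, the prime modulus and the device vectors are constructed values, not HDCP parameters.

```python
"""Toy linear (Blom-style) key distribution and its collusion threshold.

Constructed example: modulus, matrix size and device vectors are toy values.
"""
import random

P = 65521   # small prime modulus (assumption; makes inversion simple)
N = 4       # dimension of the secret master matrix (toy value)


def make_master(seed=1):
    """Random symmetric N x N master matrix over GF(P)."""
    rng = random.Random(seed)
    m = [[0] * N for _ in range(N)]
    for i in range(N):
        for j in range(i, N):
            m[i][j] = m[j][i] = rng.randrange(P)
    return m


def public_vector(device_id):
    """Public vector (1, id, id^2, ...); distinct ids give independent vectors."""
    return [pow(device_id, e, P) for e in range(N)]


def device_keys(master, device_id):
    """Private keys issued to one device: master * public_vector."""
    v = public_vector(device_id)
    return [sum(row[c] * v[c] for c in range(N)) % P for row in master]


def shared_key(my_keys, peer_id):
    """Each side computes v_a^T * M * v_b; symmetry of M makes both agree."""
    v = public_vector(peer_id)
    return sum(k * x for k, x in zip(my_keys, v)) % P


def recover_master(leaked):
    """Solve for M from {device_id: private_keys}.

    Each leaked device contributes N linear equations in the entries of M.
    With fewer than N independent devices the system is underdetermined and
    None is returned; with N of them the master matrix is fully determined.
    """
    ids = sorted(leaked)[:N]
    if len(ids) < N:
        return None
    # Rows are [v_d | k_d]; since k_d = M v_d and M is symmetric,
    # reducing [V^T | K^T] to [I | X] yields X = M.
    aug = [public_vector(d) + list(leaked[d]) for d in ids]
    for col in range(N):
        pivot = next((r for r in range(col, N) if aug[r][col]), None)
        if pivot is None:
            return None                       # dependent vectors
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], P - 2, P)    # modular inverse (P is prime)
        aug[col] = [x * inv % P for x in aug[col]]
        for r in range(N):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(x - f * y) % P for x, y in zip(aug[r], aug[col])]
    return [row[N:] for row in aug]


if __name__ == "__main__":
    master = make_master()
    leaked = {d: device_keys(master, d) for d in (11, 22, 33)}
    print("3 devices leaked ->", recover_master(leaked))          # None
    leaked[44] = device_keys(master, 44)
    print("4 devices leaked ->", recover_master(leaked) == master)  # True
```

The design lesson is that the security of such a scheme rests on fewer than N device key sets ever being compromised, which is a much weaker guarantee than the key size alone suggests.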

Overall, what does this say about our digital media security systems?

The answer is a hard pill to swallow: our digital media security systems can't really be trusted. Nothing about their basis on "hard cryptography" makes them immune from cracking, and nothing about their implementation directly in custom hardware makes them immune.

So what's needed? What is needed is multiple layers of defense, ideally implemented with both hardware and software mechanisms. Arxan Technologies is predicated on the exponentially increasing difficulty of fully cracking a protected system, when that system is protected by multiple layers of relatively independent security mechanisms. Additionally, the overall architecture should be designed with not just the concept of stopping cracking, but also of anticipating and detecting a cracked environment...and then compromising that environment in a new, subtle but pernicious way.

Always seek to detect and create trouble for the cracker and/or for the user of the crack. I recommend an approach of multiple layers of defense, with both crack blocking strategies and crack detection strategies, all coupled to overt and subtle response strategies.

Intel, in response to this crack, has said they will sue anyone using the master key. Legal solutions to piracy historically have had very limited success. Our technology can and should do better in presenting very difficult barriers to those willing to act outside of the law.

Friday, September 10, 2010

Apple vs. Open: Doomed to Repeat History?

Continuing this recent theme of Android specific blog posts, I'd like to point out the remarkable repeat of history we have going on here.

Consider Apple and the "market creation" and "market leader" position they've achieved with the iPhone. Consider its key attributes, a closed system environment in every respect: closed operating system, a tightly controlled 3rd party application solution set, strict limitations on what software is allowed on the devices, and a supporting Apple proprietary media solution (iTunes).

On the scene arrives Android, an open operating platform available to all. And quickly a new business ecology is born, consisting of a myriad of companies building Android/ARM based devices to rival Apple's, all similar but all unique as well.

Does any of this sound familiar? I hope at least a few readers are old enough to remember Apple's position in "personal computing" in the early 1980's with the Apple II (and later Macintosh) computer. They were "dominant", with their closed proprietary technology. Along came IBM with an open component approach, with all the critical components (DOS, Intel x86 microprocessors, and boot loaders, backplane and I/O specifications), generally available to all comers. I remember the full page "welcome" ad put out by Apple, welcoming IBM to the party, and of course the "once only" Super Bowl ad announcing the Mac a few years later.

So what happened back then? We all know the story: the IBM PC "clone" business got rocking, and soon Apple's share in the market dropped to less than 20%. Open, clone-able, with lots of choice and variety from a multitude of vendors won out handily over single vendor, closed, more expensive and arguably "better".

The story is repeating with the iPhone and Android, and in my opinion, the story will continue to repeat. In three years, Apple smart phone share is likely to be down to a fraction of their current leadership share, and you will see massive innovation, variety and choice in the Android based product field. Apple's closed "complete ecosystem" solution will be better...and still won't win.

A side note to all of this is the question of where is Microsoft? Here we have what I believe is a fundamental shift in the computing paradigm for the masses, from personal computers to "intimate computers", computers that stay yet closer at all times to your body than those big and bulky "personal" computers. Where is Microsoft in this transition? Answer: nowhere in sight, at least thus far. The Windows environment has failed to be successful in the multiple attempts to adapt it to the smart phone form factor. The Kin product was a complete disaster and potentially reflective of a real inability to innovate successfully inside Microsoft. Apparently they will be making a fresh try soon with a "Windows 7 phone"; it will be fascinating to see if they can recover and establish a serious market position.

In the meantime, the Apple vs. Android wars heat up. Apple yesterday announced a loosening of restrictions on iPhone developers, and everyone thinks this change is a function of competitive pressure from Android, and I'd have to agree. Competition is fundamental to successful capitalism and generally promoting market openness and freedom, and while I am a happy iPhone user, I like to see competition, choice and a lessening of market controlling restrictions.

To sum it up, if I was a betting man, I'd put my personal bet on Android to be the winner here. History tells us it's the likely outcome --- unless Apple will challenge that outcome by significantly opening up their walled garden.

Tuesday, September 7, 2010

Android Application Security

Android based devices are exploding onto our consumer products scene. By my recent count at the Wikipedia list of Android devices (http://en.wikipedia.org/wiki/List_of_Android_devices), there are 97 devices shipping today, and another 57 in the delivery pipeline.

On the volume side, Android devices are also showing rampaging growth. Gartner numbers show Android smart phones at 1.8% market share in Q209, rising to an astounding 17.2% share in Q210. While I don't have "smart devices (not phones)" figures, I'd expect even larger percentages for Android. (Who are the big losers of smart phone share you wonder? No surprises there: Windows Mobile and Symbian.)

Yet the Android model is fundamentally suspect at the level of 3rd party applications. Why? Simple: the bulk of these applications are from "boutique" developers or development shops, and there is absolutely no vetting of what exactly these applications do. The potential for malware in these applications is enormous.

Android does have a mechanism that requires applications to "request" capabilities at installation time. However, it appears few pay much attention to that. A few million downloads of wallpaper applications that requested sufficient capabilities to send phone specific information (SIM ID, phone #'s, etc.) to a server in China certainly proved that point (why would you grant your wallpaper application internet access? Because it asks for it and you want the wallpaper, so..."yes" you click!). A security researcher, Jon Oberheide, demonstrated the potentially malicious application "Rootstrap", which bootstrapped a rootkit on an Android device. The app (a preview of the popular movie Twilight Eclipse) routinely polled a server to see if new Android exploit code was available, and if so would download it into the application and execute it. About 200 people installed this app, and while in this case the compromised app didn't inject malware, it's a sober reminder of how you really have no clue what you are getting when dealing with Android applications.

Is the iPhone model better? From a security perspective, absolutely. Apple is doing something with apps to vet them. What exactly they do in this vetting process they don't share (and I, like many others, would like them to be much more transparent about this), but personally I'm reasonably comfortable loading an iPhone app onto my phone, but would hesitate long and hard before loading any application written by any unknown publisher onto my Android device.
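The install-time permission check that users click through can be automated, as in this added example (not from the original post): it reads the permissions an app requests from its decoded manifest and flags cases where the app can both read phone data and send it off the device. The manifest, the package name and the per-category policy table are constructed for illustration; the permission names are real Android permissions.

```python
"""Flag requested Android permissions that do not fit an app's stated purpose."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: decoded AndroidManifest.xml of a hypothetical wallpaper
# app. (Inside an APK the manifest is binary XML and must be decoded first.)
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Nice Wallpapers"/>
</manifest>
"""

# Permissions that expose user or device data ...
DATA_SOURCES = {
    "android.permission.READ_PHONE_STATE": "phone state and identifiers",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
}
# ... and permissions that can move data off the device.
EXFIL_CHANNELS = {
    "android.permission.INTERNET": "network",
    "android.permission.SEND_SMS": "SMS",
}
# Assumption: a reviewer-maintained policy of what each app category needs.
EXPECTED_BY_CATEGORY = {
    "wallpaper": {"android.permission.SET_WALLPAPER"},
    "navigation": {"android.permission.INTERNET",
                   "android.permission.ACCESS_FINE_LOCATION"},
}


def requested_permissions(manifest_xml):
    """Return (package name, set of requested permission names)."""
    # Manifests from unvetted apps are untrusted input; a hardened XML
    # parser is advisable outside of a demo.
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name")
        if name:
            perms.add(name)
    return root.get("package"), perms


def review(manifest_xml, category):
    """Compare requested permissions with the policy for this category."""
    package, requested = requested_permissions(manifest_xml)
    expected = EXPECTED_BY_CATEGORY.get(category, set())
    unexpected = sorted(requested - expected)
    findings = []
    for src in sorted(requested & set(DATA_SOURCES)):
        if src in expected:
            continue  # this category legitimately needs the data
        for chan in sorted(requested & set(EXFIL_CHANNELS)):
            findings.append(
                f"{DATA_SOURCES[src]} readable and can leave the device "
                f"via {EXFIL_CHANNELS[chan]}"
            )
    if findings:
        verdict = "reject"     # unexpected data access plus a way out
    elif unexpected:
        verdict = "review"     # more than the category needs, no clear leak
    else:
        verdict = "ok"
    return {"package": package, "unexpected": unexpected,
            "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    result = review(SAMPLE_MANIFEST, "wallpaper")
    print(result["package"], "->", result["verdict"])
    for line in result["findings"]:
        print("  ", line)
```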

Don't get me wrong, I do like the broader openness that Android devices offer. After all, it's my device, is it not? I should have the right to load any software I want, in my opinion. At the same time, the marketplace needs to provide me with options for ensuring or identifying problems with the security of my choices. Those options don't exist today.

This leads different parties involved with the Android device phenomenon to different (sometimes overlapping) sets of requirements.

First, for the consumer, there's an enormous need for Android application vetting, some high quality "seal of goodness" that is arrived at through a reasonably thorough review of the actual code in the app and what it is doing.

For the enterprise IT professional, there's a need for the same vetting service, and of course some device management services. Corporate phones should not be allowed to be loaded with arbitrary applications; all apps should be required to come from a secure enterprise location that holds only vetted (and dare I say business appropriate?) applications, or alternatively, a vetting service can offer a means for particular enterprise phones to only download applications marked as appropriate by that same enterprise's IT organization.

For the application developer, whether a small shop or an enterprise, there is another critical need. While Android applications are signed, they are self-signed. It is not difficult to take (as an example) a well known bank's application, insert into it high value malware, re-sign it, and publish it in a way that gives an illusion that it is still from or works with the original bank. Applications need protection from this kind of malware insertion. Additionally there is the usual piracy problem. Recently Google initiated an attempted solution to this, with a licensing service. However, that led to immediately demonstrated trivial cracks allowing applications to run without licensing. In response, Google has said "oh, you need to obfuscate your application code". Why, thank you Google! What have I been prattling on about in this blog for the last year? Guard your application software folks, because if you don't, others will open it and have a field day stealing and modifying it to serve their own economic agendas.

Did I mention that Arxan is announcing support for guarding of native code in Android applications yet? Yes indeed: watch for our announcement this week.

Friday, August 27, 2010

DLL Hijacking Redux

Someone once suggested there is nothing new under the sun, and that's certainly true with this week's spate of reports about DLL hijacking attacks in Windows.

This is a well known vulnerability dating back many years. New reports that specific Microsoft applications fall prey to this vulnerability are not at all surprising (http://tinyurl.com/33btjkh).

Microsoft is quoted by Computerworld (http://tinyurl.com/23ag8kb), saying:

"We're not talking about a vulnerability in a Microsoft product," said Christopher Budd, a senior communications manager with the company's MSRC, or Microsoft Security Response Center. "This is an attack vector that tricks an application into loading an untrusted library."

Assessing this statement requires a brief review of the facts. First, this is a vulnerability driven by the fact that Windows will search in all kinds of places to find a DLL that your application requests to be loaded, if your application is so "unsecure" as to identify that DLL only by file name instead of a fully specified pathname.

Why would applications fail to use a fully specified pathname? One good reason is compatibility: Microsoft DLL's are not consistently in the same location across different versions of Windows! Therefore software striving for compatibility needs to allow Windows to search for the DLL, or search itself. A second reason is simply because Windows allows it and thereby "it's easier".

Windows first looks for the DLL by name in the current process's current ("working") directory. That's where an attacker can easily load their own replacement DLL under the same DLL name (through a wide variety of means, none legitimate but all relatively easy to perpetrate), if (as is usually the case) the current directory is not where the named DLL resides. The next time the application runs, voilà, they have their own software now running on the computer. What can it do? Literally, just about anything, including quickly load other more subtle and pernicious bot-ware, key loggers, system scanners, etcetera.

Can applications operate in a manner to avoid the vulnerability? Yes, they can, but doing so is more complicated for the application developer. The key is to always load a specific DLL in a specific directory using a fully specified pathname. This in turn can create its own application compatibility issues, as any given path name to a system DLL is not guaranteed to be the same from Windows version to version! This is the true heart of the design issue, because any attempt to deal with this multiplicity of DLL locations across Windows versions in a single version of an application requires that the application perform a "search" for the DLL across different directories...which is exactly what Windows does automatically for you and which opens up the application to a replacement DLL attack!

We here at Arxan are looking at this problem in an orthogonal manner, by identifying opportunities to validate that the proper DLL was loaded, regardless of its originating location. Those are the kinds of application internal security features we are quite good at. Note the elegance of this kind of solution: it doesn't require any application source code changes (because our technology inserts such checks directly into the binary application code), it creates no new dependencies on Windows specifics such as specific DLL locations in this or that version of Windows, and it is a security solution that migrates with the application itself.
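The idea of validating what was loaded, rather than where it came from, can be modelled without Windows, as in this added example (not Arxan's implementation and not from the original post): a library is resolved by bare name through an ordered search path, then accepted only if its SHA-256 digest matches a pinned value. The directory layout, file contents and the `resolve_by_name` and `load_validated` helpers are constructed for the demo, and the search order simply follows the post's description.

```python
"""Model of name-only library resolution with a content check before use."""
import hashlib
import os
import tempfile


class UntrustedLibrary(Exception):
    """Raised when a resolved library fails validation."""


def resolve_by_name(name, search_dirs):
    """Name-only lookup: the first directory containing the file wins."""
    for directory in search_dirs:
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def load_validated(name, search_dirs, pinned_digests):
    """Resolve by name, then verify the bytes that will actually be used.

    Returns (path, data). The same bytes that were hashed are returned, so
    the file cannot be swapped between the check and the use.
    """
    path = resolve_by_name(name, search_dirs)
    if path is None:
        raise FileNotFoundError(name)
    expected = pinned_digests.get(name.lower())
    if expected is None:
        raise UntrustedLibrary(f"{name}: no pinned digest, refusing to load")
    with open(path, "rb") as handle:
        data = handle.read()
    actual = hashlib.sha256(data).hexdigest()
    if actual != expected:
        raise UntrustedLibrary(f"{path}: digest mismatch")
    return path, data


def _write(path, content):
    with open(path, "wb") as handle:
        handle.write(content)


def demo():
    """Return (clean load accepted, planted copy found first, planted copy blocked)."""
    with tempfile.TemporaryDirectory() as root:
        system_dir = os.path.join(root, "system32")    # stands in for the real home
        work_dir = os.path.join(root, "documents")     # process working directory
        os.makedirs(system_dir)
        os.makedirs(work_dir)

        genuine = b"constructed bytes: genuine helper.dll"
        _write(os.path.join(system_dir, "helper.dll"), genuine)
        pins = {"helper.dll": hashlib.sha256(genuine).hexdigest()}
        order = [work_dir, system_dir]   # working directory searched first

        path, _ = load_validated("helper.dll", order, pins)
        clean_ok = os.path.dirname(path) == system_dir

        # A same-named file now appears in the working directory.
        _write(os.path.join(work_dir, "helper.dll"), b"constructed bytes: planted copy")
        found = resolve_by_name("helper.dll", order)
        planted_first = os.path.dirname(found) == work_dir
        try:
            load_validated("helper.dll", order, pins)
            blocked = False
        except UntrustedLibrary:
            blocked = True
        return clean_ok, planted_first, blocked


if __name__ == "__main__":
    print(demo())
```

A fixed digest only suits libraries shipped with the application; for system DLLs, whose bytes differ from one Windows version to the next, the check would have to validate the publisher's code signature instead.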

To end with another ancient aphorism, if you want a job done, best to do it yourself. If you want your applications secure, don’t trust in the operating system to provide that security: secure your applications yourself!

Friday, August 20, 2010

Smart Phones: The Fifth Wave of Computing!

Two recent analyst reports detail the proliferation of smartphone apps. ABI Research predicts that mobile application downloads from iOS and Android will account for 78% of all application downloads in 2010, with iOS (the iPhone's operating system) taking the lion's share of 52% of all applications. Meanwhile iSuppli predicts Android will be used in 75 million smartphones by 2012, up from 5 million in 2009. Meanwhile, iOS usage will amount to 62 million in 2012, up from 25 million in 2009. Sales of these multi-function hand-held internet connected computers are expected to pass up sales of traditional PC's and laptops well before the middle of this new decade.

Overall, I believe this represents a titanic shift in the computing industry. If we step back far enough we can see perhaps four massive waves in the evolution of computing: first, the custom/boutique computing period of the 1940's and 1950's, then the mainframe period of the 1960's through 1970's, then the minicomputer period from the 1970's through the 1990's, and the PC period from the early 1980's to the 2010's. The fifth wave is upon us, and it is the "smartphone" period.

Note how with each wave, old winners faded away, and new winners emerged. Nowhere is this more stark today than the fading glory of Microsoft, huge winner in the PC wave...with virtually no technology or product position in the heart of the smartphone wave.

In this new wave, the iPhone is the front runner, and Android-based smartphones are gaining in what appears to be a two-horse race, as the overall smartphone market is poised for explosive growth. This is great news for the smartphone ecosystem, while at the same time perhaps a "deer in the headlight" moment for enterprise security teams.

Today's smartphones continue to expand in functionality, driven by huge numbers of innovative applications and generally better performance as a computing device. The iPhone and Android-based phones are rapidly becoming serious alternatives as general personal computing devices, offering unique value in terms of personal mobility.

This is leading to sticky issues for enterprise security teams. What applications are okay to download? Will any applications used for personal purposes create any security issues (i.e. malware) with applications to be used at work? Can third party "business" applications be generally trusted? What are the additional costs to add smartphones to the already broad mix of enterprise IT managed devices? Are the appropriate security policies and underlying practices, mechanisms and resources in place?

While no doubt a daunting task for the enterprise security teams, this is yet another reason why widely used data protection methods aimed at "defending the perimeter" are not enough in today's distributed computing world. Today, companies need to adopt new strategies aimed at integrating security into the software and applications themselves. Given today's distributed enterprise computing model, a modern enterprise literally has no set network perimeter to defend. This was true with the laptop and home PC being used routinely as corporate computing devices. But now with the smart phone filling the same role, the distributed computing nature of the modern enterprise reaches its ultimate manifestation: corporate computing is happening everywhere there are employees, everywhere they go, all the time.

Obviously the security industry must roll up its sleeves and expand the notion of enterprise security. In this process, the old models of "centralized everything" probably won't work. Individuals must broaden their awareness and their personal practices, because these are "personally managed" devices. Application providers must consider the risks and take appropriate actions to protect their applications from cloning and trojan insertion. Lastly, device and system software providers must continue to enhance and refine the security attributes, features and functions of the devices themselves.

-------------------

Late breaking news: Intel, with a growing new focus on mobile computing, acquires McAfee, and the talk is all about...traditional PC anti-virus you say? No! Not a word! The talk is all about the need for Intel to get a position in mobile/wireless computing security. Just another indication that the fifth wave of computing is upon us.

Tuesday, August 3, 2010

Smart Phone Privacy?

The media is in a minor uproar over (the lack of) phone privacy:

http://www.zdnet.com/blog/google/apps-on-your-phone-putting-your-privacy-at-risk/2332?tag=nl.e550

The essence of the story is that (1) you don't really know or control what all those applications you are loading onto your "smart" phone really do, and (2) they do far more spying on your phone data than you realize.

If you think such hidden spyware in phone apps is uncommon, let me tell you about a presentation at last week's Black Hat conference in Las Vegas. Kevin Mahaffey and John Hering reported in their session "Application Attack: Surviving Explosive Growth in Phone Applications" on an automated methodology called "Genome" in which they have downloaded and analyzed just about all the world's free applications for both the iPhone and Android phones.

Among their many interesting results, they found an abundance of "wallpaper" applications, all from the same author, that sent back to a server in China your phone's sim serial #, your subscriber ID, your phone line # and your voice mail #. Whoops, so much for phone privacy and application security. This news is now getting general media coverage:

http://www.tgdaily.com/security-brief/50862-as-many-as-4-million-people-downloaded-data-stealing-android-app.

These researchers also found that while it appeared that about 30% of smart phone applications "steal" your phone location information, in fact the bulk of that usage is by 3rd party adware software in those applications, which want to vend to you location targeted ads. So it's not necessarily as nefarious as it may seem, though just as with Google mail giving you targeted ads based on the content of your email, all kinds of interesting questions of appropriate bounds of privacy arise.

Before we run, scream and shout about the lack of smart phone privacy, let's acknowledge that there is nothing new here under the sun. The exact same issue presents itself on our PC's. We can and do download all kinds of apps, and they can (and do) gather and lift info.

One critical difference is that on our PC's, we don't have the same privilege management systems that at least give us the chance to know of and approve of the rights the app is requesting. So one could argue Android is superior to PC's in this regard. And on the iPhone, there is at least a minimal amount of vetting, again, an improvement vs. the PC.

A key difference here is that people have more sense of "privacy" related to a phone than to a PC. We've been inured to PC virus issues so we just assume that nothing's really safe or personal on a PC. Phone calls and phone specifics are viewed as private, so all the PC issues coming to roost on smart phones creates a media uproar.

What we need to understand and accept is that the "smart phone" device you have in your pocket (or are reading this blog post with) is not a phone! It's an extraordinarily powerful internet connected computer, with all the security issues such computers come with. All of them.

Downloading an application to a computer is a fundamentally dangerous proposition, just as wheeling in a large wooden horse into their city was a bit risky for the Greeks. The situation is worsened by the fact that the application arena for smart phones is a cottage industry. We are comfortable and reasonably safe when we load a PC application from a known business entity; when we load a wallpaper application written by "jackeey wallpaper", do we have any idea what we are really getting? Clearly not.

There is a business opportunity here, and that is to provide a technology/service that vets phone applications through internal code analysis (just as the Greeks should have first taken a look inside that wooden horse!). A "Good Housekeeping Seal of Approval", perhaps structured as a separate app store front or just as an informational service.

There is a corollary problem of how do I, as a "good guy" or "good company" publishing application software, protect my application from being trojanized and republished? If you've read any of my earlier blogs you'll find plenty of material on how to effectively deal with that.

So the next time you are about to casually download that nifty new game or whizzy app that makes your phone sing and dance...think about how much you really know about the software you will be unleashing on your "private" hand held computer, and the range of possible objectives of the person who wrote and published that software.

And beware Trojans bearing application gifts.

Electronic Espionage and Application Security

When it comes to cyber attacks, “the stakes are too high to ignore the problem,” according to InfoWorld (http://tinyurl.com/2fk3vt6) in an in-depth report on electronic espionage.

The attacks often bypass typical security tools that companies implement to protect their data assets. Once inside the system, the electronic spies quietly gather data over time without causing disruptions that could alert integrated security tools or draw suspicion from a company's IT security team.

Neil MacDonald, vice president at research firm Gartner, says, "as many as 75 percent of enterprises have been or are being infected with undetected, financially motivated, targeted attacks that evaded their traditional perimeter and host defenses."

The simple fact is that widely used data protection methods aimed at "defending the perimeter" are not enough to protect against more and more sophisticated threats such as electronic espionage. There are far too many methods by which the perimeter can be penetrated, both through direct and indirect attack. Applications in the enterprise, in the cloud, distributed applications and applications in end point devices are the new focused target of attack by organized crime.

This is a good time to re-post what I call my "application commandments."

1.) Applications can and should detect and notify of debugger attachments.
2.) Applications can and should protect critically sensitive code through encryption and dynamic decrypt/execute/re-encrypt operations.
3.) Applications should utilize multiple levels of networks of self-guarding techniques, with a variety of overt and subtle response actions, to ensure that persistent attacks are foiled at some level.
4.) Enterprise applications should have these response actions wired into the security monitoring systems deployed by the enterprise.

These practices need to become commonplace and part of our general software lifecycles. We need to keep up with the organized criminals, and right now our software is falling woefully behind.

Wednesday, July 14, 2010

Happy Tenth Birthday, Microsoft .NET

The popular Microsoft framework celebrated an impressive milestone this past month - ten years ago, .NET arrived on the scene and with its debut, quickly became the development "framework of choice" for innovative software and a key framework enabling the evolution to Web 2.0 applications, including Silverlight.

Given the popularity of .NET applications, the issue of how best to protect the framework is one of vital importance. Software piracy is rampant around the world and .NET applications have unfortunately been among those most heavily targeted by hackers for reverse engineering. This is due at least in part to the comprehensive metadata included with .NET applications, which (in a manner similar to Java), enables easy software analysis, including comprehensive de-compiling (meaning, generation of near original source code).

As B2C client software with greater amounts of intelligence and interactivity with corporate back-end systems becomes more prevalent, we will see a higher volume of business client applications written in .NET and Silverlight. This code is highly vulnerable and generally needs strong anti-reverse engineering and anti-tamper properties. No one wants a trojan-ized version of your favorite banking client app available on the internet, indistinguishable (to the casual user) from the un-tampered version!

To address this risk in .NET applications, meta-data must be stripped, character strings in the code must be encrypted, the code in the application must be obfuscated, and internal detectors of code modifications must be installed. Without aggressive protections, client software produced by businesses for consumer usage is open to casual hacking for illicit and nefarious purposes.

Windows .NET introduced a new way to build rich software applications for Web 2.0, and this model now applies to applications for emerging Cloud platforms as well. To continue to expand the .NET usage footprint, particularly for commercial business application client software, it's critical that development teams be aware of the security issues implicit in .NET code, and how to address them.

Here's to a safe and secure next 10 years, .NET!

Thursday, June 24, 2010

Internet TV: The New Security Battlefield

The internet and the television are "converging". It's an exciting, transformative time in media delivery, consumption and business models.

The dark underside to this happy and expansive story is the set of security threats associated with these new and emerging business models. In order to be a winner in this space, not only does a company have to deliver new innovations or better performance, but it also has to be viable and sustainable from a content and application perspective. Where are the potential content leaks in the system? Can unscrupulous hackers compromise the integrity of the ecosystem such that content and IP are pirated, and the associated revenues jeopardized? If companies don't model these risks and mitigate them proactively, and invest in properly validating the security strength of their solution through red teaming efforts, history will repeat itself, and serious losses will ensue.

What is needed are content protection, conditional access and digital rights management systems that are hardened and validated to be very difficult to crack or circumvent. Much of this innovation will come from applications enabling digital entertainment access through new devices with relatively new software platforms. Android is the best current example, a popular emerging platform that is completely open. Those developing applications and digital media infrastructure and solutions for Android have to plan for and validate the security of those applications. Anything less and the internet/TV convergence will be slowed down quickly by content owners unwilling to distribute their assets via this new channel.

Monday, May 24, 2010

Respecting Digital Property

In the landmark essay "Selling Wine Without Bottles, The Economy of Mind on the Global Net", written in 1992-1993 (http://www.virtualschool.edu/mon/ElectronicFrontier/WineWithoutBottles.html), John Barlow anticipates and lays out the fundamental intellectual property issues that plague our current digital world. Barlow eloquently and precisely frames the core questions:

"If our property can be infinitely reproduced and instantaneously distributed all over the planet without cost, without our knowledge, without its even leaving our possession, how can we protect it? How are we going to get paid for the work we do with our minds? And, if we can't get paid, what will assure the continued creation and distribution of such work?"

Barlow concludes his insightful essay with an assertion that has clearly come to pass:

"Cryptography...is the "material" from which the walls, boundaries--and bottles--of Cyberspace will be fashioned."

Barlow also anticipated the rise of Arxan Technologies (and other similar companies) when he stated that:

"Cryptography will enable a lot of protection technologies which will develop rapidly in the obsessive competition which has always existed between lock-makers and lock-breakers."

We here at Arxan can certainly attest to the "obsessive competition" as we engage in virtual and digital hand to hand combat with the crackers striving to steal our customers' software and/or data.

The fascinating point Barlow made in 1993 that I'd like to explore today is the following:

"A social over-reliance on protection by barricades rather than conscience will eventually wither the latter by turning intrusion and theft into a sport, rather than a crime. This is already occurring in the digital domain as is evident in the activities of computer crackers."

Let's turn now to some recent news about the movie Avatar and its release on Blu Ray disc. This release was protected using a technology called BD+. Unfortunately, the cracking community managed to procure (read "steal") an early copy, successfully cracked the protection, and published the movie through bit torrent sites. Here's a fascinating "news" report on the availability of the movie "for free" as a torrent download (which occurred within a day or two of the public release of the blu ray disks for purchase):

http://torrentfreak.com/avatar-most-pirated-blu-ray-film-ever-100427/

So within a matter of just a few weeks, Avatar has become the most pirated movie ever.

What does it require for this to occur? It requires exactly what Barlow predicted: a withering of basic personal ethics of property ownership at the individual level. We now have a culture where people view the casual theft of intellectual property as completely acceptable. The heart of it seems to be a vast difference in perspective in people's minds and ethics between a physical object and a digital object.

What drives this difference in perspective and behavior? Is it the removal of risk of "getting caught stealing"? I personally believe this is a significant enabling factor, yet not the fundamental driver of this widespread contagion of theft. I believe it is subtle, and simple. People fundamentally do not view creation of a (perfect) copy of something as theft. Morals are still wrapped around the physical-ness of goods and physical-ness of possession. Stealing means taking something so that I have it and you no longer have it. This notion of physical theft being "wrong" is deeply rooted in most individuals' ethical systems. Hence, most people (including those illegally downloading Avatar) would not steal the Avatar blu ray disk from a store, even if they knew they could do so without risk of being caught. They would be taking a "real thing" that belongs to another (the store), and that violates their sense of morals and ethics. But download the same movie for free? Hey, no one has been ripped off! No one has "lost" anything! So "it isn't theft". And besides, if it's wrong (illegal) to download it for free, it wouldn't be available on the network for free would it? Once again, "it must not be theft". Of course, this entire line of thinking is dead wrong. Every aspect of its free availability is illegal, and access of this stolen property is itself theft.

So while I and my colleagues toil and sweat to provide the "digital locks" that will help prevent (or perhaps more realistically, defer for a longer period of time) the cracking of the high value digital content in our world, I think it's paramount that we as a society strive to re-tool our ethics and attitudes. This battle must be fought on all fronts, not purely a technology front. How does this kind of change occur? Simple: it changes when you and I put simple social pressure on our family and friends regarding this kind of theft. "Come watch Avatar tonight at my place?" "Hey yea; you got it on Blu Ray?" "Yea, I downloaded it last night, it's awesome." "Oh...well, hey, that's theft and it's wrong, I'm sorry, I can't watch that with you." For me, it takes the form of remonstrating with my son when he tells me of a friend who is downloading this or that PC video game for free: "that's wrong son, it is theft, and you are not allowed to do the same nor are you allowed to play his stolen games".

Social pressure is that simple and I believe it can be very effective at evolving and shaping attitudes and behaviors. It's really up to us to drive change in our culture to respect these new forms of property. Just because the wine is available for the sipping because it's outside the old bottles, doesn't mean it's right to open our mouth and gulp...without compensating those who made that wine.

Friday, February 5, 2010

The Game Within the On-Line Game

Online gaming is a relatively new industry, and one with phenomenal growth over the last 15 years. The release of Call of Duty: Modern Warfare 2 late last year generated a stunning $550M in sales revenue in the first week alone, and overall the series has generated over $3B in sales for Activision, the publisher:

http://www.csmonitor.com/Innovation/Horizons/2009/1127/call-of-duty-series-sales-top-3-billion-activision-says

There is a fly in the ointment, however. As has been true forever, the larger the business, the larger the attraction for the criminal element. What's unique here is the nature of the crime, given that the essential product is that most intangible of assets, software.

There are two fundamental modes of online game play today: standalone mode, and multi-player mode. The latter can be further refined into two general categories, small group play and massively multi-player gaming.

Standalone commercial gaming software has suffered since its inception from the problem of illicit copies in which the license protection has been "hacked". Simply put, someone has taken a version, analyzed the code internals, and modified the binary level code to disable or otherwise spoof the license checking code. The result: a "free" copy of the software, or at least a copy that won't generate any revenue for the publisher. And software being casually clone-able means this free copy can be and is distributed to as many people as are willing to pay for it (if required) and use it (illegally, of course).

The result of this common crime is a general axiom in the gaming industry for standalone games, namely that all the sales of significance happen in the first two weeks after release. After that, "cracked" copies are available on the cheap, and the revenue stream ramps down far more rapidly than normal sales dynamics and economics would indicate. As an example, a simple web search for "Call of Duty Modern Warfare 2 download" will quickly find cracked versions of this product available for little to no direct cost.

Massively multi-player on-line role playing gaming (MMORPG) vendors had a solution to this problem...or so they thought. The very nature of MMORPG games required participation in a single unified "world" (virtual reality), implemented as a single world by a server (or server farm) operated by the game publisher. The client software operating on the gamer's computer communicates with the servers to participate in the single world with all the other gamers participating at the moment. The business model is based on ongoing subscription revenue for the privilege of continued participation in the virtual world enabled by the publisher's servers, rather than the licensed sale of a single copy of the game.

Not to be stopped, the criminal element went to work on this model as well. Careful analysis of the code within and the networking traffic to and from the client software on the gamer's personal computer enables these server applications to be "reverse engineered", meaning new software is developed from scratch that performs the same functions as the original publisher's gaming server software. Obviously this is neither cheap nor simple, but given the literally millions of players involved in these types of games, and the ability to operate "parallel worlds" with lower subscription costs, the economic returns of the criminal effort become quite attractive.

For those of us who believe that we have rights to our owned intellectual property and deserve to be compensated for its usage, there is hope. The technologies to fight back are available today. I'm not referring to simple copy protection schemes that are relatively trivial for competent code hackers to analyze and disable. I am referring to technologies that approach military grade anti-tamper facilities, used to protect US military software assets ("critical program information").

Given the stakes in the gaming industry today, the industry would be remiss to not take advantage of such technologies. The days of accepting only two weeks of revenue for a game that takes years and many millions of dollars to develop, and the days of organized crime stealing massively from the game publishers, can and should be over. To not take advantage of these technologies would be a business management crime of a different sort.

Needless to say, Arxan Technologies is here to help turn the tables on the criminals. We vend these technologies, with easy to use tools to define and insert such protection networks into executable software ("binary code"). Here at Arxan, nothing gives us more joy than a famous "cracker" getting flamed on the download bulletin boards for long delays in providing a functioning crack for a "new" release after three months...then six months...then twelve months. At which point, the war is won, because that version is now "old" and the process starts over with a new version from the publisher, with yet stronger, more robust and unique guard protections.

It's time to stop intellectual property theft, it's time to stop software business operations theft, it's time to stop piracy of software in general. Call Arxan and let us show you how.

Thursday, January 21, 2010

Commercial Cyber Warfare

Today Sec. of State Clinton went after China for their network censorship:

http://www.cbsnews.com/stories/2010/01/21/ap/tech/main6123918.shtml

However, as I see it, the issue of real significance here isn't China's censorship. The "attacks" on Google and other "unnamed" companies described in the news reports are the action of real significance. I'm not referring to illegal access to mail accounts. I'm referring to the explicit theft of intellectual property in the form of source code:

http://www.wired.com/threatlevel/2010/01/google-hack-attack/

In China, the coupling between government and leading companies in different industries is extremely strong. It can be hard to distinguish where a company stops and the government begins when it comes to such industry players as Baidu, HuaWei, and China Telecom.

It is reasonable to suspect and to investigate the potential that aggressive theft of source code from US companies is an activity that is being actively supported, and potentially even led, by the Chinese government. It appears that at the very least, the Chinese government tolerates such operations and private industry reuse of this stolen software.

In an age when information and intellectual property are the coin of the realm, does government sanctioned intellectual property theft not just constitute a crime, but verge on an act of war?

These kinds of acts should be investigated deeply by the government. Regardless of ultimate responsibility, we need a strong, overt response from the US government. The message must be clear and backed by strong actions that this kind of attack will not be tolerated and will be prosecuted.

A specific US response needs to include a product watch program to monitor for the use of stolen software, followed by vigorous prosecution of such illegal usage of stolen technology through available legal, diplomatic and trade channels. Reused source code will have significant bodies of unique identifiable binary code in the products utilizing the technology. This is an area where private industry has far too little power to fight back effectively, though it could play a key role in the monitoring program.

I acknowledge the private industry accountability for failing to prevent such theft. We in the software industry can and must make deeper investments in our security systems around our core property of value, our source code. DLP technologies, encryption technologies, strong multi-factor authentication for source access, and other solutions are available.

China's censorship is an important issue. That some group from China is actively stealing US company technology out from under our nose is an extremely important issue as well, and needs equal attention and even more governmental action.

At Arxan, we provide technologies to help protect software intellectual property through protection of the binary code with what we call "guards". We provide this technology in both military/classified forms to the DoD and DoD contractors, and in commercial form to commercial customers. However, to protect the source code of software from theft through systemic security holes, different measures are needed. Stronger source code security measures need to be deployed by private industry. The US government must speak out and lead in efforts to identify and prosecute those responsible and those who attempt to take advantage of such theft.

Monday, January 11, 2010

Secure Software Marketplaces

The news today of a trojan'd application for Android phones (http://www.sophos.com/blogs/gc/g/2010/01/11/banking-malware-android-marketplace) is a fascinating and potentially extremely significant, if not altogether expected development in the smart phone wars.

Simply put, if the consumer marketplace develops a ground fear of the software available for Android phones, the predictions about Android phone growth may be vastly inflated.

Whether we like it or not (and some don't, preferring a phone browser centric world), ubiquitous phone apps are the "killer app" for smart phones, at least for the moment. This single spot of bad news for Android can quickly become a huge differentiator for Apple with its controlled iTunes store for safe apps for the iPhone. Similarly, it points to an interesting opportunity in the business ecology: who is going to offer a vetted app store for Android phones, with appropriate software security reviews on the in-bound side and guarantees on the outbound side? Without such a market service, I'm suspicious that hackers will quickly ruin the unregulated marketplace for Android apps.

Secure 'droid app store anyone? Anyone?