The internet and the television are "converging". It's an exciting, transformative time in media delivery, consumption and business models.
The dark underside to this happy and expansive story is the set of security threats associated with these new and emerging business models. To be a winner in this space, a company not only has to deliver new innovations or better performance; it also has to be viable and sustainable from a content and application perspective. Where are the potential content leaks in the system? Can unscrupulous hackers compromise the integrity of the ecosystem such that content and IP are pirated and the associated revenues jeopardized? If companies don't model these risks and mitigate them proactively, and invest in properly validating the security strength of their solution through red teaming efforts, history will repeat itself and serious losses will ensue.
What is needed are content protection, conditional access and digital rights management systems that are hardened and validated to be very difficult to crack or circumvent. Much of this innovation will come from applications enabling digital entertainment access through new devices with relatively new software platforms. Android is the best current example: a popular emerging platform that is completely open. Those developing applications and digital media infrastructure and solutions for Android have to plan for and validate the security of those applications. Anything less and the internet/TV convergence will be slowed down quickly by content owners unwilling to distribute their assets via this new channel.
Thursday, June 24, 2010
Monday, May 24, 2010
Respecting Digital Property
In the landmark essay "Selling Wine Without Bottles: The Economy of Mind on the Global Net", written in 1992-1993 (http://www.virtualschool.edu/mon/ElectronicFrontier/WineWithoutBottles.html), John Perry Barlow anticipates and lays out the fundamental intellectual property issues that plague our current digital world. Barlow eloquently and precisely frames the core questions:
"If our property can be infinitely reproduced and instantaneously distributed all over the planet without cost, without our knowledge, without its even leaving our possession, how can we protect it? How are we going to get paid for the work we do with our minds? And, if we can't get paid, what will assure the continued creation and distribution of such work?"
Barlow concludes his insightful essay with an assertion that has clearly come to pass:
"Cryptography...is the "material" from which the walls, boundaries--and bottles--of Cyberspace will be fashioned."
Barlow also anticipated the rise of Arxan Technologies (and other similar companies) when he stated that:
"Cryptography will enable a lot of protection technologies which will develop rapidly in the obsessive competition which has always existed between lock-makers and lock-breakers."
We here at Arxan can certainly attest to the "obsessive competition" as we engage in virtual and digital hand-to-hand combat with the crackers striving to steal our customers' software and/or data.
The fascinating point Barlow made in 1993 that I'd like to explore today is the following:
"A social over-reliance on protection by barricades rather than conscience will eventually wither the latter by turning intrusion and theft into a sport, rather than a crime. This is already occurring in the digital domain as is evident in the activities of computer crackers."
Let's turn now to some recent news about the movie Avatar and its release on Blu-ray disc. This release was protected using a technology called BD+. Unfortunately, the cracking community managed to procure (read "steal") an early copy, successfully cracked the protection, and published the movie through BitTorrent sites. Here's a fascinating "news" report on the availability of the movie "for free" as a torrent download (which occurred within a day or two of the public release of the Blu-ray discs for purchase):
http://torrentfreak.com/avatar-most-pirated-blu-ray-film-ever-100427/
So within a matter of just a few weeks, Avatar has become the most pirated movie ever.
What does it require for this to occur? It requires exactly what Barlow predicted: a withering of basic personal ethics of property ownership at the individual level. We now have a culture where people view the casual theft of intellectual property as completely acceptable. The heart of it seems to be a vast difference in perspective in people's minds and ethics between a physical object and a digital object.
What drives this difference in perspective and behavior? Is it the removal of the risk of "getting caught stealing"? I personally believe this is a significant enabling factor, yet not the fundamental driver of this widespread contagion of theft. I believe the driver is subtle, and simple: people fundamentally do not view creating a (perfect) copy of something as theft. Morals are still wrapped around the physical-ness of goods and the physical-ness of possession. Stealing means taking something so that I have it and you no longer have it. This notion of physical theft being "wrong" is deeply rooted in most individuals' ethical systems. Hence, most people (including those illegally downloading Avatar) would not steal the Avatar Blu-ray disc from a store, even if they knew they could do so without risk of being caught. They would be taking a "real thing" that belongs to another (the store), and that violates their sense of morals and ethics. But download the same movie for free? Hey, no one has been ripped off! No one has "lost" anything! So "it isn't theft". And besides, if it were wrong (illegal) to download it for free, it wouldn't be available on the network for free, would it? Once again, "it must not be theft". Of course, this entire line of thinking is dead wrong. Every aspect of its free availability is illegal, and accessing this stolen property is itself theft.
So while I and my colleagues toil and sweat to provide the "digital locks" that will help prevent (or, more realistically, defer for a longer period of time) the cracking of the high-value digital content in our world, I think it's paramount that we as a society strive to re-tool our ethics and attitudes. This battle must be fought on all fronts, not purely on the technology front. How does this kind of change occur? Simple: it changes when you and I put simple social pressure on our family and friends regarding this kind of theft. "Come watch Avatar tonight at my place?" "Hey, yeah; you got it on Blu-ray?" "Yeah, I downloaded it last night, it's awesome." "Oh...well, hey, that's theft and it's wrong. I'm sorry, I can't watch that with you." For me, it takes the form of remonstrating with my son when he tells me of a friend who is downloading this or that PC video game for free: "that's wrong, son, it is theft, and you are not allowed to do the same, nor are you allowed to play his stolen games".
Social pressure is that simple and I believe it can be very effective at evolving and shaping attitudes and behaviors. It's really up to us to drive change in our culture to respect these new forms of property. Just because the wine is available for the sipping because it's outside the old bottles, doesn't mean it's right to open our mouth and gulp...without compensating those who made that wine.
Friday, February 5, 2010
The Game Within the On-Line Game
Online gaming is a relatively new industry, and one with phenomenal growth over the last 15 years. The release of Call of Duty: Modern Warfare 2 late last year generated a stunning $550M in sales revenue in the first week alone, and overall the series has generated over $3B in sales for Activision, the publisher:
http://www.csmonitor.com/Innovation/Horizons/2009/1127/call-of-duty-series-sales-top-3-billion-activision-says
There is a fly in the ointment, however. As has been true forever, the larger the business, the larger the attraction for the criminal element. What's unique here is the nature of the crime, given that the essential product is that most intangible of assets, software.
There are two fundamental modes of online game play today: standalone mode and multi-player mode. The latter can be further refined into two general categories, small group play and massively multi-player gaming.
Standalone commercial gaming software has suffered since its inception from the problem of illicit copies in which the license protection has been "hacked". Simply put, someone has taken a copy, analyzed the code internals, and modified the binary-level code to disable or otherwise spoof the license-checking code. The result: a "free" copy of the software, or at least a copy that won't generate any revenue for the publisher. And because software is casually clone-able, this free copy can be and is distributed to as many people as are willing to pay for it (if anything is asked) and use it (illegally, of course).
The result of this common crime is a general axiom in the gaming industry for standalone games, namely that all the sales of significance happen in the first two weeks after release. After that, "cracked" copies are available on the cheap, and the revenue stream ramps down far more rapidly than normal sales dynamics and economics would indicate. As an example, a simple web search for "Call of Duty Modern Warfare 2 download" will quickly find cracked versions of this product available for little to no direct cost.
Massively multi-player on-line role playing gaming (MMORPG) vendors had a solution to this problem...or so they thought. The very nature of MMORPG games required participation in a single unified "world" (virtual reality), implemented as a single world by a server (or server farm) operated by the game publisher. The client software operating on the gamer's computer communicates with the servers to participate in the single world with all the other gamers participating at the moment. The business model is based on ongoing subscription revenue for the privilege of continued participation in the virtual world enabled by the publisher's servers, rather than the licensed sale of a single copy of the game.
Not to be stopped, the criminal element went to work on this model as well. Careful analysis of the code within, and of the network traffic to and from, the client software on the gamer's personal computer enables the server application to be "reverse engineered", meaning new software is developed from scratch that performs the same functions as the publisher's original gaming server software. Obviously this isn't cheap or simple, but given the literally millions of players involved in these types of games, and the ability to operate "parallel worlds" with lower subscription costs, the economic returns of the criminal effort become quite attractive.
For those of us who believe that we have rights to our owned intellectual property and deserve to be compensated for its usage, there is hope. The technologies to fight back are available today. I'm not referring to simple copy protection schemes that are relatively trivial for competent code hackers to analyze and disable. I am referring to technologies that approach military-grade anti-tamper facilities, used to protect US military software assets ("critical program information").
Given the stakes in the gaming industry today, the industry would be remiss to not take advantage of such technologies. The days of accepting only two weeks of revenue for a game that takes years and many millions of dollars to develop, and the days of organized crime stealing massively from the game publishers, can and should be over. To not take advantage of these technologies would be a business management crime of a different sort.
Needless to say, Arxan Technologies is here to help turn the tables on the criminals. We vend these technologies, with easy-to-use tools to define and insert such protection networks into executable software ("binary code"). Here at Arxan, nothing gives us more joy than a famous "cracker" getting flamed on the download bulletin boards for long delays in providing a functioning crack for a "new" release after three months...then six months...then twelve months. At which point the war is won, because that version is now "old" and the process starts over with a new version from the publisher, with yet stronger, more robust and unique guard protections.
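To make the two mechanisms discussed in this post concrete (the branch-level patch that defeats a plain license check, and an integrity guard that notices the patch), here is an added Python example. It is not Arxan's code and not from the original post. The "compiled routine" is a hand-assembled byte string constructed for the example; the opcode offsets, the names patch_branch, run_license_stub, guard_intact and guarded_license_check, and the decision that a guard failure simply reports "unlicensed" are all assumptions of the example.

```python
import hashlib

# Constructed stand-in for a compiled license routine (x86-64-style bytes,
# hand-assembled for this example; no real binary is read anywhere).
ORIGINAL_CODE = bytes([
    0x55, 0x48, 0x89, 0xe5,              # push rbp ; mov rbp, rsp
    0xe8, 0x00, 0x00, 0x00, 0x00,        # call check_key   (rel32 left as 0)
    0x85, 0xc0,                          # test eax, eax
    0x74, 0x07,                          # je   unlicensed  <- the branch a cracker patches
    0xb8, 0x01, 0x00, 0x00, 0x00,        # mov  eax, 1      (licensed path)
    0xc9, 0xc3,                          # leave ; ret
    0x31, 0xc0,                          # xor  eax, eax    (unlicensed path)
    0xc9, 0xc3,                          # leave ; ret
])
BRANCH_OFFSET = 11   # offset of the 'je' opcode in the routine above


def patch_branch(code: bytes) -> bytes:
    """The classic crack: overwrite 'je unlicensed' with two NOPs so execution
    falls through into the licensed path whatever check_key returned."""
    buf = bytearray(code)
    buf[BRANCH_OFFSET:BRANCH_OFFSET + 2] = b"\x90\x90"
    return bytes(buf)


def run_license_stub(code: bytes, key_valid: bool) -> bool:
    """Toy emulation of the single decision point in the routine: decode the
    instruction at BRANCH_OFFSET and return what the stub would return."""
    op = code[BRANCH_OFFSET]
    if op == 0x74:        # je: take the unlicensed path when check_key returned 0
        return key_valid
    if op == 0x90:        # nop nop: always fall through into the licensed path
        return True
    if op == 0xEB:        # jmp rel8: always jump away (a 'poisoned' patch)
        return False
    raise ValueError(f"unexpected opcode {op:#x} at branch")


# --- integrity guard ----------------------------------------------------
# The expected digest is baked in when the binary is protected; changing any
# byte of the routine, not just the branch, moves the digest.
EXPECTED_DIGEST = hashlib.sha256(ORIGINAL_CODE).digest()


def guard_intact(code: bytes) -> bool:
    """True only if the routine's bytes still match the protected image."""
    return hashlib.sha256(code).digest() == EXPECTED_DIGEST


def guarded_license_check(code: bytes, key_valid: bool) -> bool:
    """Refuse to trust the license stub if its bytes have been modified.
    Reporting 'unlicensed' is the simplest response; real guards may instead
    corrupt state or exit later so the tamper point is harder to locate."""
    if not guard_intact(code):
        return False
    return run_license_stub(code, key_valid)


if __name__ == "__main__":
    cracked = patch_branch(ORIGINAL_CODE)
    print("naive check, bad key, patched binary :", run_license_stub(cracked, False))
    print("guarded check, bad key, patched binary:", guarded_license_check(cracked, False))
```

The emulation only decodes the one conditional jump, which is enough to show the asymmetry: the cracker's two-byte NOP makes the naive check pass with any key, while any byte change moves the SHA-256 of the routine away from the value fixed at protection time. Two caveats a practitioner would raise: the guard is itself a comparison and a branch that can be patched, which is why production schemes insert many guards that also check each other; and a real guard must hash the routine as mapped in memory, with the expected digest written into the binary after linking, rather than a copy held in a variable as here.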
It's time to stop intellectual property theft, it's time to stop software business operations theft, it's time to stop piracy of software in general. Call Arxan and let us show you how.
Thursday, January 21, 2010
Commercial Cyber Warfare
Today Sec. of State Clinton went after China for their network censorship:
http://www.cbsnews.com/stories/2010/01/21/ap/tech/main6123918.shtml
However, as I see it, the issue of real significance here isn't China's censorship. The news reports of "attacks" on Google and other "unnamed" companies are the actions of real significance. I'm not referring to illegal access to mail accounts. I'm referring to the explicit theft of intellectual property in the form of source code:
http://www.wired.com/threatlevel/2010/01/google-hack-attack/
In China, the coupling between government and leading companies in different industries is extremely strong. It can be hard to distinguish where a company stops and the government begins when it comes to such industry players as Baidu, Huawei, and China Telecom.
It is reasonable to suspect and to investigate the potential that aggressive theft of source code from US companies is an activity that is being actively supported, and potentially even led, by the Chinese government. It appears that at the very least, the Chinese government tolerates such operations and private industry reuse of this stolen software.
In an age when information and intellectual property are the coin of the realm, does government-sanctioned intellectual property theft constitute not just a crime, but verge on an act of war?
These kinds of acts should be investigated deeply by the government. Regardless of ultimate responsibility, we need a strong, overt response from the US government. The message must be clear and backed by strong actions that this kind of attack will not be tolerated and will be prosecuted.
A specific US response needs to include a product watch program to monitor for the use of stolen software, followed by vigorous prosecution of such illegal usage of stolen technology through available legal, diplomatic and trade channels. Reused source code will leave significant bodies of uniquely identifiable binary code in the products that utilize the technology. This is an area where private industry has far too little power to fight back effectively, though it could play a key role in the monitoring program.
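One way to build the binary-level matching such a watch program would rely on, as an added Python example that is not part of the original post and not any particular vendor's tool: winnowing (Schleimer, Wilkerson and Aiken, 2003) selects a stable subset of k-gram hashes from a byte stream, so a run of code copied from one binary into another leaves fingerprints in common even when everything around it differs. The "reference", "suspect" and "unrelated" inputs are constructed pseudo-random bytes with a 200-byte block deliberately copied from the reference into the suspect; the K and W values and the containment score are choices made here, not anything the post specifies.

```python
import hashlib
import random

K = 8   # bytes per gram
W = 4   # window size: any common run of at least K + W - 1 bytes yields a shared fingerprint


def gram_hash(chunk: bytes) -> int:
    """Stable 32-bit hash of one k-byte gram (hashlib rather than hash(),
    so fingerprints agree across processes and runs)."""
    return int.from_bytes(hashlib.blake2b(chunk, digest_size=4).digest(), "big")


def winnow(data: bytes, k: int = K, w: int = W) -> set:
    """Winnowing: hash every k-gram, then keep the minimum hash of every
    w-wide window. Identical substrings produce identical selected hashes."""
    grams = [gram_hash(data[i:i + k]) for i in range(len(data) - k + 1)]
    return {min(grams[i:i + w]) for i in range(len(grams) - w + 1)}


def containment(reference: bytes, suspect: bytes) -> float:
    """Fraction of the suspect's fingerprints that also occur in the reference.
    Chosen over Jaccard because stolen code is usually a small part of the
    product it was dropped into."""
    ref_fp, sus_fp = winnow(reference), winnow(suspect)
    return len(ref_fp & sus_fp) / len(sus_fp) if sus_fp else 0.0


def make_samples():
    """Constructed inputs for the example: a 'reference' product, a 'suspect'
    that embeds 200 bytes of it, and an 'unrelated' control. Seeded so the
    run is repeatable; these are not real binaries."""
    rng = random.Random(2010)

    def rand(n: int) -> bytes:
        return bytes(rng.randrange(256) for _ in range(n))

    reference = rand(1000)
    stolen = reference[300:500]            # the block a thief reused verbatim
    suspect = rand(300) + stolen + rand(300)
    unrelated = rand(800)
    return reference, suspect, unrelated


if __name__ == "__main__":
    reference, suspect, unrelated = make_samples()
    print(f"suspect   : {containment(reference, suspect):.2f}")
    print(f"unrelated : {containment(reference, unrelated):.2f}")
```

The containment score asks what fraction of the suspect's fingerprints exist in the reference; with the constructed inputs the suspect scores around a quarter (its shared region is a quarter of its length) and the control scores essentially zero. On real binaries the bytes of copied code rarely survive verbatim (relocations, a different compiler or optimization level, inlining), so the same technique is applied to normalized disassembly, for instance opcode sequences with operands masked, rather than raw bytes, and a high score is a lead for a human reviewer rather than proof on its own.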
I acknowledge the private industry accountability for failing to prevent such theft. We in the software industry can and must make deeper investments in our security systems around our core property of value, our source code. DLP technologies, encryption technologies, strong multi-factor authentication for source access, and other solutions are available.
China's censorship is an important issue. That some group from China is actively stealing US company technology out from under our nose is an extremely important issue as well, and needs equal attention and even more governmental action.
At Arxan, we provide technologies to help protect software intellectual property through protection of the binary code with what we call "guards". We provide this technology in both military/classified forms to the DoD and DoD contractors, and in commercial form to commercial customers. However, to protect the source code of software from theft through systemic security holes, different measures are needed. Stronger source code security measures need to be deployed by private industry. The US government must speak out and lead in efforts to identify and prosecute those responsible and those who attempt to take advantage of such theft.
Monday, January 11, 2010
Secure Software Marketplaces
The news today of a trojaned application for Android phones (http://www.sophos.com/blogs/gc/g/2010/01/11/banking-malware-android-marketplace) is a fascinating and potentially extremely significant, if not altogether expected, development in the smart phone wars.
Simply put, if the consumer marketplace develops a grounded fear of the software available for Android phones, the predictions about Android phone growth may prove vastly inflated.
Whether we like it or not (and some don't, preferring a phone-browser-centric world), ubiquitous phone apps are the "killer app" for smart phones, at least for the moment. This single spot of bad news for Android can quickly become a huge differentiator for Apple with its controlled iTunes store of safe apps for the iPhone. Similarly, it points to an interesting opportunity in the business ecology: who is going to offer a vetted app store for Android phones, with appropriate software security reviews on the in-bound side and guarantees on the outbound side? Without such a market service, I suspect that hackers will quickly ruin the unregulated marketplace for Android apps.
Secure 'droid app store anyone? Anyone?