DRM vs. Hackers: Time to Surrender?

News Analysis: Industry experts question the future of digital rights management in the face of the latest assault on AACS encryption.

The recent news that a tool from SlySoft can bypass the newest Advanced Access Content System encryption scheme is the latest assault on digital rights management-and some are taking it as proof that the technology needs to change or wither away.

"I dont think it has been easy, but nevertheless [the AACS] is being broken ... due to software implementations, although there have been hacks done on HD DVD drive firmware as well," said Alec Main, chief technology officer of Cloakware, based in Vienna, Va. "Clearly these software implementations need to take better precautions against being hacked."

SlySofts recent AnyDVD HD release is sure to be a thorn in the side of the AACS LA (Advanced Access Content System Licensing Administrator), the organization that licenses the encryption technology meant to protect HD DVDs and Blu-ray discs from illegal copying. The AACS LA was recently involved in a dust-up with the Web site Digg.com, which permitted posts containing compromised AACS code.

"DRM is reactive," said Mike Goodman, an analyst at Yankee Group. "You are always playing catch-up."

Goodman said he considers that a reason to declare the technology defunct, and that DRM is a waste of time. He added that making DRM more secure would mean a trade-off in usability, and customers would be less likely to buy products that are harder to use.

/zimages/4/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

At its core, DRM is not just about security, Goodman added. "Its about trying to force a business model into the marketplace," he said.

Goodman said the music industry is pushing a business model that does not translate to a digital world where songs can be quickly and easily distributed across the Web to a broad audience. Though DRM is credited with helping thwart piracy, Goodman and Yankee Group colleagues Andrew Jaquith and Josh Martin noted in an April report titled "Kill DRM, Vol. 1: EMIs Move Underscores the Power of the Anywhere Consumer" that DRM has failed to present an effective barrier to skilled hackers.

"Every mainstream DRM implementation-from CSS to Apples FairPlay to the Advanced Access Content System (AACS) high-definition DVD formats-has been broken," the report states.

Cloakware's Main said part of the problem is hackers can monitor memory and find a random 16-byte key fairly easily because it stands out pretty clearly compared to most data and code.

"The software developers need to use more advanced techniques such as white-box cryptography, where the keys do not appear in memory," Main said. "This technique can still be hacked ... but these techniques require much more knowledgeable hackers, or more likely a team of hackers, with a strong background in computer science, hacking, mathematics and cryptography."

The challenge of securing physical media is unique in that the discs can only be protected at the time they are made and shipped-if you need to update the security feature, you can only do for future discs, said James McQuivey, a Forrester Research analyst.

"That is an exposure that software makers dont have to deal with," he said. "In the end, its a slight incentive to move to digital distribution where you can update security on the fly. Although thats unlikely to happen soon, given the $23 billion in DVD sales the industry is eager to protect."

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.