DRM is a security threat

For my entire career I’ve designed, developed, maintained and secured commercial software products. So it is definitely not lost on me that the revenue generated by sales of those software products is what pays my bills. If customers don’t pony up then my employers quit paying me. So believe me, I’m certainly not advocating that all software should be free (“as in free beer” to quote Mark Shuttleworth).

But at the same time I’m a software user. I use both open source software (free as in speech because I like to tweak it, and free as in beer because I’m cheap and I like beer) and commercial software that my wife thinks I spend too much money on. And I hate Digital Rights Management (DRM) software. Hate it. It’s inconvenient, intrusive and hey – I paid for the product and I don’t want DRM. For me that is reason enough.
Okay, I think most of us can agree that DRM is annoying and intrusive but how is that a threat to information security? Glad you asked. From a recent article on the Harvard Law Zeroday blog:

EA could help end DRM

The backlash over DRM has finally started to gather serious momentum. Everyday consumers started a campaign to give the highly anticipated game Spore one-star ratings on Amazon. Thousands of Amazon users labeled Spore a poor choice because of the SecuROM DRM system that is forced onto the machines of PC users who purchase the game. EA has backpedaled a bit and eased the restrictions on the number of installs per machine. They have even made a verbal (but unenforceable) promise to disable the DRM system by patch should they ever end-of-life the product. But so far EA refuses to give in to consumer demand that they simply get rid of the DRM system. They hold on to the claim that DRM helps reduce piracy. Yet 30 seconds of searching on a popular torrent site shows not only Spore but a cracked copy that totally removes all DRM from the game.
This is possibly the most insulting bit for consumers. People who are pirating the game actually enjoy more freedom in the sense that their system does not have SecuROM permanently installed onto the hard drive. In the recent class action suit the defendants publicly document how the DRM used in Spore remains installed even after the game has been removed from the user’s computer. SecuROM also operates at “Ring 0”, which is to say the core of the kernel layer, which is clever in that it is hard to bypass the program yet dangerous because anything that goes wrong will completely destroy the user’s session. All of these facts are not made plain to consumers before purchasing the game. Only after they have purchased the game and start installation will they have the chance to read about the DRM system in the EULA. Retailers almost never allow returns on software once opened, which leaves consumers who don’t agree with the surprise DRM in a very bad position.

I see, it’s that nasty malware that they foist on users’ machines that is the security threat. Sorry, good guess, but no cigar. That’s nasty for sure, but there is a very real and significant threat that is inherent to all intrusive DRM. To illustrate this I will defer to someone familiar with Electronic Arts (EA) software and who has way more gamer cred than me, my son Nick Webster. He reviewed the article above and responded thusly:

Atari implemented the same sort of system on Alone in the Dark. AITD didn’t get any cracks and remained untorrentable largely due to the suckiness of the game; crackers didn’t waste their time on such a poor excuse for a game.
That MIGHT be why EA is claiming DRM works, cuz no one stole Atari’s AITD. You can clearly see their logic: “They had this really BAD game that no one wants to play, but it had DRM so no one stole it. DRM MUST WORK!!!” Assuming you haven’t suffered brain damage you can obviously see where their logic is wrong. The REAL solution to keep people from stealing your game WAS hit upon in AITD, though: just make the game BAD and have Yahtzee FLAME it. That seems to help.
My general tactic with all of this is to just NOT EVER buy EA games. So far the only game I’ve seen with any sort of REASONABLE DRM is UT3. They let you install it on as many comps as you want; you just can’t have more than 15 people logged ONLINE with your code at ONCE. Seems fair, right?
Or if you MUST be nasty about your DRM, the BEST tactic is the old school one: leave some music on the CD that will be needed to load the game. Then the no-CD cracks will hinder game play and frustrate the player, as Daemon Tools requires lots of work to get it to actually let you play games OFF the ISO.
Anyway… as a side note I DID go rate Spore a 1 on Amazon. The current rating for the game is like 1.5 stars… glad to see there are a lot of us out there.

Note: apparently Yahtzee doesn’t like Spore much either – so Nick could be on to something here!

Still don’t see it? I’m not surprised. It’s because Nick and the Zeroday author were both vague yet obvious in suggesting how to deal with intrusive DRM: they don’t. They torrent a cracked version of the software. This is where the very real and present security threat lies. Not only are warez sites notorious for purveying malware, but there are companies like MediaDefender that actually inject “spoof files into the [torrent distributors’] network without permission … as part of its antipiracy efforts to dilute the pool of pirated content online”. Yikes! In fact this particular “antipiracy” effort caused a serious Denial of Service (DoS) attack on the popular – and completely legitimate – Revision3 network. So what happens when an employee decides to download a Spore crack from a warez site on your corporate network? Or what happens when your kid decides to grab it on your home network (note to self – check those firewall and IDS logs!)?

The bottom line is this – at best DRM is ineffective and counterproductive to the vendor’s antipiracy efforts. It is ineffective because people who want to steal your software and bypass the DRM can do it quite easily, and it is counterproductive to your antipiracy efforts because it’s easier for users to deal with the pirates than it is to deal with the DRM. And what about the real sales lost due to DRM? Not the bogus sales lost to piracy (I posit that people who steal your software would not have paid for it, ergo they cannot be counted as lost sales), but the real sales, some of which come from the free advertising you get from piracy. That’s right, I can’t count the number of software packages I have purchased after trying a “borrowed” copy. Nowadays I rarely have to resort to anything as nefarious as “borrowing” software since most shareware (I’m partial to small independent software developers) now employs a “try before you buy” model where I can try the full unencumbered program for several weeks before buying it. Just ask my wife how effective this model is, based on my software spending habits. But even though I can easily “borrow” a copy of Spore to try it out before I pony up $50 American, I absolutely will not consider it as long as EA insists on forcing the DRM on me. I may, however, go to Amazon and give Spore a 1-star rating.

But the point of this rant is: when your company implements a strictly self-serving mechanism that not only is ineffective in accomplishing its intended purpose, but has the (presumably) unintended consequence of promoting risky and (potentially) illegal behavior that increases the threat exposure on the network, I have a real problem with that. Sure, we can disallow all P2P activity on our business networks – but what about users who need access to legitimate groups that rely on torrents to distribute their software, like the Fedora project? Or we can teach our children that stealing software is wrong and they should always pay for it – but what about software that forcibly installs malware like EA’s SecuROM? I think the better lesson is “vote with your wallet” – don’t buy bad stuff that you don’t want, especially if it’s bundled with something you do want.

So how about it, EA? Why not do everyone a service and just say “no!” to stupid ideas like DRM? You won’t have to pay for it, and we won’t have to put up with it. Sounds like a win-win to me. And maybe I’ll consider buying your software instead of flaming you. Hey, fifty bucks is fifty bucks. Or do you really need to suck up to Sony that badly? Whoa, I better stop here – I feel a great conspiracy theory coming on.

I am dizzy now

The DarkReading article “Increasing Piracy to Cause Rise in Cyber Crime” prompts me to grant the Security For All “Merry-Go-Round” award to Metaforic’s CEO Andrew McLennan for the most egregious and creative spin to promote a product or service.

“Piracy is a persistent problem which continues to cost software vendors worldwide billions of pounds in lost revenue, as well as harming local resellers and putting a strain on research and development in the technology industry,” comments Metaforic’s CEO Andrew McLennan. “More worryingly, hackers are becoming increasingly sophisticated in their methods of attack. The issue of hacked software and compromised websites goes far beyond that of piracy and standard copyright infringements. It can – and has – led to an explosion in the number of cyber crimes, including the exploitation of personal data, delivering malicious payloads to user machines, the installation of spyware and even taking over a PC as part of a botnet for hosting illegal content, often unbeknown to the owner.”

Hold on! Stop the software presses! You mean that all we have to do is implement one of those annoying little soft key dongles on our software products and we can help prevent our PCs from becoming zombies in botnets? Not only that, but it would be a boon to the folks who manufacture USB hubs since we would need to plug those dongles in somewhere. I’m getting dizzy just thinking about it.

Seriously, I doubt that Mr. McLennan is suggesting that software publishers not implementing “anti-tamper” technology is a main contributor to cyber-crime, or that all software should be using it (although he might fervently wish for it). But to suggest that software piracy and copyright infringement leads to any cyber-crime (other than software piracy itself being a cyber-crime), much less an “explosion in the number of cyber crimes”, is, well, just spin. Really wicked spin, but balderdash. Hogwash. Crapola.

I mean, I can definitely see where inferior knockoff, “pirated” hardware like fake Cisco equipment poses a real threat, but pirated software? Certainly large software manufacturers lose money due to piracy of their products, but “billions of pounds”? This sounds like the same kind of whining and creative valuation that the RIAA does for pirated music. The consumer (not the professional pirate organizations in China) who pirates copyright-protected content would not have purchased it if they had to pay for it. So how can that be revenue lost? Charge these guys penalties for copyright violation when they get caught – sure. Or when they post copyrighted content to a torrent site – absolutely. But how, exactly, does “anti-tamper” technology prevent any of this, much less mitigate any cyber-crime threat? I could go on to actually question the value of “anti-tamper” technology, period. But I won’t. I’ve been plenty snarky already.

Besides, I’m just too dizzy.