Don't Forget Original Sin

The Futility of Secrets

The history of DVD copy protection contains an important lesson. The movie industry thought it had an unbreakable system for preventing DVDs sold in, say, England from working on players in the United States or in other parts of the world. (This was done to facilitate price fixing, which was slow to dawn on some governments - duhh! - until very recently, and has already been outlawed in some countries, like New Zealand.) CSS (Content Scrambling System) was good, from the standpoint of an amateur computer user. Not one person in a million could have broken the system.

However, one person in a million could, and did. What happened next was so obvious that you wonder why the movie people didn't think of it: The guy who broke CSS wrote a little program called DeCSS that could be run on any computer to get past the CSS technology. He then posted DeCSS on the Web, where millions of people who weren't smart enough to create DeCSS themselves could download it. In a matter of days, millions of not-so-smart people were happily breaking the CSS system in seconds.

The problem with CSS is simply that to do its job (and be trusted by the movie people) its inner workings had to remain a secret. Ferreting out that secret took some brilliance and some work. However, once one smart person had broken the technology, other technology was used to automate the process, so that breaking CSS no longer required any brilliance or any work at all.

Trusting a system because the details of its operation are a secret (something called 'security through obscurity') is futile. People who don't understand computer security often assume that all security mechanisms must be shrouded in secrecy, and that as soon as anyone learns how they work, they fail. This isn't true. All security systems of any value at all must withstand attack even by people who know exactly how they work. Such systems are harder to design, but they're designed all the time, and their creators generally publish their details of operation and encourage others to try and break them. (Unexpected flaws often turn up this way, and are then fixed.)

Of course, there are things like passwords that must be kept secret. That's not what I'm talking about. CSS only worked because the methods it used (mostly how it manipulated data read from the DVD itself) were a secret. Passwords weren't even involved.
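The difference between keeping a method secret and keeping a key secret can be shown in a few lines. This is an added example, not code from the book and not CSS: `obscure_tag`, `KeyedTagger` and the other names are hypothetical, and message-authentication tags stand in for scrambling to keep it short.

```python
import hashlib
import hmac
import secrets


def obscure_tag(message: bytes) -> bytes:
    """Keyless design (constructed toy, not CSS): the method is the only secret."""
    return hashlib.sha256(message[::-1] + b"\x5a" * 8).digest()[:16]


def obscure_verify(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(obscure_tag(message), tag)


class KeyedTagger:
    """Published method (HMAC-SHA256); the only secret is a random, replaceable key."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def tag(self, message: bytes) -> bytes:
        return hmac.new(self._key, message, hashlib.sha256).digest()

    def verify(self, message: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self.tag(message), tag)

    def rotate(self) -> None:
        """Recover from a leaked key without redesigning or redeploying the method."""
        self._key = secrets.token_bytes(32)


def outsider_tag(message: bytes) -> bytes:
    """The best someone who knows HMAC-SHA256 but not the key can do: guess a key."""
    return hmac.new(secrets.token_bytes(32), message, hashlib.sha256).digest()


def survives_disclosure() -> dict:
    """Per design: is a tag made with full knowledge of the method rejected?"""
    msg = b"constructed sample message"
    keyed = KeyedTagger()
    old_tag = keyed.tag(msg)  # made while a key we assume later leaked was live
    keyed.rotate()
    return {
        "obscure": not obscure_verify(msg, obscure_tag(msg)),
        "keyed": not keyed.verify(msg, outsider_tag(msg)),
        "keyed_after_rotation": not keyed.verify(msg, old_tag),
    }


if __name__ == "__main__":
    print(survives_disclosure())
```

The keyless design has nothing left to protect it once its method is known and nothing that can be changed afterwards, while the keyed design stays sound under full disclosure and recovers from a leaked key by rotating it.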



Jeff Duntemann's Drive-By Wi-Fi Guide
ISBN: 1932111743
EAN: 2147483647
Year: 2005
Pages: 181
