MS DRM is pure smoke


Lucas Gonze
Jul. 15, 2003 08:21 AM


Update July 22

Security through obscurity crumbles yet again: Mr. or Mrs. Anonymous posts the exploit below:

The tool being used is GraphEdit, a part of Microsoft's SDK for DirectShow. It shows the underlying encoders/decoders/stream splitters used to get from a file to an output device such as a soundcard, your monitor, or (and this is the 'crack' bit) another encoder's input and a subsequent file. It generally is lossy, because you are re-encoding the decoded stream (generational loss). But it's possible that the bits could be caught before decoding, and shunted into a custom-written filter that instead of decoding the bitstream, just writes it to a file after decryption.

Update #2

Follow-up info is that the exploit Anonymous documented is a different one from the one I was originally looking for, meaning that there are two, and that the one which is not yet known does produce listenable audio.

Secondly, the issue is not whether the re-encoding is lossy, which some people have been micro-focused on, but whether it's listenable. As long as you either re-encode with the same encoder used originally or re-encode without compression, the exploit given by Anonymous should sound the same as the file with DRM. (I'm just restating the point made by Tom below.)

Update July 19

Score one for security through obscurity. I haven't found a detailed explanation of the exploit, and I'm out of time for looking. The best documentation I have is mails from the wm-talk list, which I have archived here in mbox format -- you'll need to import these into your mailer to make the file readable.

Worth pointing out: check out the post below titled "Digital becomes Analog."

Update July 15

The crack turns out to be lossy. It grabs the audio stream at rendering time, after decoding, so it doesn't have access to the decrypted but still compressed bytes, only to the decoder's output.

That said, this is all gossip. I still don't have access to either the details of the exploit or technical documentation, so can't judge for myself. There's no public documentation on the design of WM9 DRM (or iTunes DRM, for that matter).

If any regulars on AVSForums run across the original reference, I'd be grateful for a pointer.

Folks on AVSForums say they have successfully used tools from the Microsoft software development kit to rip and re-encode audio protected by Microsoft DRM in the Windows Media 9 format. This is only a rumor at this point -- I haven't seen the crack myself, but WM9 developers seem to be taking it as gospel.

How did these criminal masterminds pull off this incredible feat? Did they crack an encryption key? Did they beat an MS employee with a rubber hose? Did they heat a CPU in a microwave oven? Was it a buffer overflow? An underflow? What was this remarkable feat?

Incredibly, no exploit was needed. These wily crackers merely had to write a program using well documented, 100% aboveboard functions provided by Microsoft. It was not hard, involved no breakthroughs, did not depend on reverse engineering, and did not need a key. All they did was build the right DirectShow graph, and since DirectShow is a tool for third-party software developers to build shipping software, ISVs can easily offer an all-in-one solution to strip DRM from content without fear of the DMCA.
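To make the "right DirectShow graph" idea concrete for readers who have never opened GraphEdit: the filter chain GraphEdit draws (source, splitter, decoder, renderer, as Anonymous describes above) is reachable from any script through the same documented automation interface. The PowerShell below is an added example, not code from this post or from Anonymous; it only inspects the graph DirectShow builds for a file and does not redirect any filter's output. The file path is an assumption. "FilgraphManager" is the ProgID registered for the DirectShow filter graph manager in quartz.dll, and RenderFile, FilterCollection, Pins, Direction, ConnectedTo and FilterInfo are members of its IMediaControl, IFilterInfo and IPinInfo automation interfaces.

```powershell
# Added example: dump the DirectShow filter graph that Windows builds to
# play a media file, i.e. the chain GraphEdit would draw for it.
# This only inspects the graph; it does not reroute any filter's output.
param(
    # Assumed path: point this at any playable media file on the machine.
    [string]$Path = 'C:\media\sample.wma'
)

# "FilgraphManager" is the ProgID of the DirectShow filter graph manager.
# Its IMediaControl automation interface exposes RenderFile and the
# FilterCollection enumerated below.
$graph = New-Object -ComObject 'FilgraphManager'

# RenderFile asks the graph builder to pick a source filter, splitter,
# decoder and renderer for the file. Nothing plays until Run() is called,
# so this is a pure inspection step. For DRM-protected content RenderFile
# may fail or trigger license acquisition; the script does not handle that.
$graph.RenderFile($Path)

foreach ($filter in $graph.FilterCollection) {
    'Filter: {0}' -f $filter.Name
    foreach ($pin in $filter.Pins) {
        # IPinInfo.Direction: 0 = input pin, 1 = output pin
        $dir  = if ($pin.Direction -eq 0) { 'in ' } else { 'out' }
        $peer = '<unconnected>'
        try {
            # ConnectedTo raises a COM error on an unconnected pin, so the
            # default above is kept in that case.
            $other = $pin.ConnectedTo
            $peer  = '{0} / {1}' -f $other.FilterInfo.Name, $other.Name
        } catch { }
        '  [{0}] {1,-24} -> {2}' -f $dir, $pin.Name, $peer
    }
}

# Release the graph so the file handle is closed.
[void][Runtime.InteropServices.Marshal]::ReleaseComObject($graph)
```

Reading the output from the source filter down, the last connection in the audio branch is the decoder's output pin feeding the audio renderer. That decoder-to-renderer link is exactly where the technique described above substitutes an encoder or file-writer filter for the renderer, and the script shows that nothing about the chain is hidden from ordinary, documented API calls.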

What this means is that the DRM that Microsoft and its many partners in the RIAA and MPAA are counting on is nothing but a sham. There is no DRM in MS DRM.

Lucas Gonze works on Webjay, XSPF, and a survey of playlist formats.