Trusted computing and DRM: Friend or foe?

A respected mentor of mine, Steven Northcutt of SANS, once told me, "Eat the watermelon and spit out the seeds." It’s an appropriate metaphor: There is often truth buried in statements and concepts we disagree with.

The concepts of trusted computing and DRM (digital rights management) often require a watermelon approach. Trusted computing is the idea that integrity and authentication -- and at times encryption -- are built into all parts of a computing system. It's built into the hardware, into the CPU, and into supporting motherboard chips. It's supported by the OS and implemented all the way into the software application layers. Even the network and all the related network devices have authentication and trust built in. Default authentication and encryption are built in to every process, every computing cycle bit to terabyte.

Great discussions on trusted computing goals are covered by the Trusted Computing Group. If you really want to be a serious computer security professional, take the time to read and understand TCG's Trusted Platform Module, Trusted Network Connect, and PC Client specifications.

Trusted computing, if implemented correctly, is a beautiful thing. But can we trust our trusted vendors to be trustworthy? If the applications we install to our trusted platforms contain untrustworthy code, the whole exercise is for naught.

As for DRM, I support its overall objectives. Content providers and copyright holders should be able to charge for their content if they so choose -- as long as they are following commonly accepted laws and traditions. It's the American way.

But DRM is often swung as a sword by a drunken warrior blithely unaware of the damage he is causing. What's got my dander up this week is Sony's incredibly bad DRM decision making.

Two weeks ago, Sysinternal's Mark Russinovich discovered that many of Sony's music CDs are protected by a DRM mechanism that mimics a malicious rootkit program (see sysinternals.com/Blog for his excellent details on the issue). Sony's handling of the issue has gone from bad to worse. First, they basically said most people don't care about the issue and released flawed removal instructions. Then several worms and viruses started appearing that used Sony's rootkit hiding mechanisms.

Today, I read that Sony's new removal software leaves any computer it has been executed on in a very insecure state. Namely, the browser on any affected machine will allow any Web site to execute any program on the computer -- malicious or otherwise.

The removal process apparently leaves an insecure ActiveX control installed that can be remotely scripted by any Web site to do anything. Lest you think this is a joke, the post on the vulnerability was created (partially) by Ed Felten, one of the world’s most respected computer security experts. Add to that fact the many insane statements -- such as people filing bankruptcy have to delete the music and that you cannot play the music on a work computer -- Sony made in its EULA agreement, and the issue of DRM’s reach and who to trust becomes a lot seedier.