DRM Hole Sets Patch Speed Record For Microsoft
puppetman writes "Wired columnist Bruce Schneier has an article up called 'Quickest Patch Ever', about a patch that was issued within three days to fix a vulnerability in Windows Digital Rights Management (DRM)." From the article: "Now, this isn't a 'vulnerability' in the normal sense of the word: digital rights management is not a feature that users want. Being able to remove copy protection is a good thing for some users, and completely irrelevant for everyone else. No user is ever going to say: 'Oh no. I can now play the music I bought for my PC on my Mac. I must install a patch so I can't do that anymore.' But to Microsoft, this vulnerability is a big deal. It affects the company's relationship with major record labels. It affects the company's product offerings. It affects the company's bottom line. Fixing this 'vulnerability' is in the company's best interest; never mind the customer."
They patched it, but... (Score:5, Informative)
"It should surprise no one that the system didn't stay patched for long. FairUse4WM 1.2 gets around Microsoft's patch, and also circumvents the copy protection in Windows Media DRM 9 and 11beta2 files."
So it's not totally horrible... though I'm sure (and the article agrees here) that M$ will be quick to fix their fix.
Headline wrong again (Score:5, Informative)
DRM Hole Sets Patch Speed Record For Microsoft & Gets cracked again!!
Re:Headline wrong again (Score:5, Informative)
Re:can someone explain ths (Score:5, Informative)
It's called Zune and MSN Music. If the labels don't think that Microsoft can bolt down the music they "sell" to people then the labels don't want Microsoft to be selling their music. Microsoft wants to own this market segment because Apple does, since it forms a part of their new "MS is your everything" strategy.
Plus it might also make the labels pull the plug from other on-line music stores that use Microsoft's DRM technology, opening themselves up to another volley of lawsuits.
A Correction (Score:5, Informative)
When the summary says "Within three days" they mean "three days after it was reported in engadget".
Coz, FairUse4WM was released on August 19th in the forum. Microsoft patched it on August 28th. So 9 days.
Not Accurate (Score:5, Informative)
There is a big difference in how fast you can roll out what amounts to a configuration change and how fast you can roll out a code change.
That said, it didn't seem to do much good given that it was cracked again in a matter of days.
Knowing Where Your Priorities Lie (Score:3, Informative)
It's nice of Microsoft to let us know where their priorities lie. Obviously, things aren't as complex as Microsoft have let on (one of the many excuses for not getting patches out) if they can patch something that quick.
"Oh no. I can now play the music I bought for my PC on my Mac. I must install a patch so I can't do that anymore."
Really? I'm going to Windows Update as I write this. Mind you, good luck finding anyone who actually uses PlaysforSure. For those that are they've found out that stores selling Windows Media files are crap (you effectively rent your music - yay, what a great idea!) and they're looking to get out before they buy any more of the crap. Microsoft have some slight delusions of grandeur about the importance of their DRM software.
Re:Patch (Score:2, Informative)
It is semantics, and it's wrong semantics, too... (Score:3, Informative)
Of course, the full slogan is "News for nerds. Stuff that matters." Whether the second part is a limitation on, or addition to, the first is debatable.
Re:Critical, or not? (Score:5, Informative)
On August 25th, 2006, Engadget.com reported on a software tool that would allow consumers to decrypt WMDRM protected content. In response, on August 28, 2006, Microsoft released an update to the individualized blackbox component (IBX) designed to ensure that client applications using the Windows Media Format SDK version 9.5 who individualize to this latest version are robust against a new circumvention tool.
This update is not yet available for the Windows Media Format 9 Series FSDK or for users of Windows XP Media Center Edition 2005 Update Rollup 2.
Consumers are not at risk in any way. Content services can require that the updates be present in order to issue licenses by following the instructions below. Please note that the version number of IBX was not incremented as part of these updates to avoid delaying the release of these critical breach mitigations. Consequently, the only way to determine if the update is installed is to query the build number of the IBX. This requires code executing on the client.
To determine the build number of the IBX:
1. Ensure the PC is running the August 2005 update to Windows Media DRM. See the attached white paper for details.
2. Determine the path of the WMDRM folder. The path is stored in the registry at HKEY_LOCAL_MACHINE\Software\Microsoft\DRM\DataPat
3. Identify the file name of the latest IBX. If the machine has been individualized only once, the IBX file name will be indivbox.key. Otherwise, the IBX file name is in the form indivbox_xxx.key, where xxx are digits 0-9. The file name with the greatest value of xxx will be the latest IBX.
4. Call GetFileVersionInfo() to retrieve the build version of the file identified in step 3. See [link].
5. If the IBX file version is 11.0.5497.6285 or greater, then the updated IBX is installed.
Please submit questions to [email removed]
Best regards,
Windows Media Licensing Department
Microsoft Windows Digital Media Division
Basically -> the content provider CAN require that patch to be there. I don't know whether it's a separate patch through WMP or through MSUpdate but since I don't use Windows/Microsoft I can't speak for them.
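Steps 3 and 5 of the procedure in the notice quoted above, as an added example that is not part of the original comment and is not Microsoft's code: it picks the latest IBX file name from a folder listing and compares the build number numerically. The registry lookup and the GetFileVersionInfo() call (steps 2 and 4) need Windows and are assumed to be done by the caller; the function names, folder listing and version strings are constructed for illustration.

```python
import re

# Threshold build quoted in the notice (step 5).
PATCHED_IBX_BUILD = (11, 0, 5497, 6285)

_IBX_NAME = re.compile(r"^indivbox(?:_(\d+))?\.key$", re.IGNORECASE)


def latest_ibx(filenames):
    """Step 3: pick the newest IBX file name from a WMDRM folder listing.

    indivbox.key is the first individualization; indivbox_xxx.key files
    are later ones, and the greatest numeric xxx wins.
    Returns None when the listing holds no IBX file.
    """
    best_name, best_rank = None, None
    for name in filenames:
        m = _IBX_NAME.match(name)
        if not m:
            continue
        # The unsuffixed file ranks below every numbered one.
        rank = int(m.group(1)) if m.group(1) is not None else -1
        if best_rank is None or rank > best_rank:
            best_name, best_rank = name, rank
    return best_name


def parse_build(version):
    """Turn 'a.b.c.d' into a tuple of ints so the comparison is numeric."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part file version: {version!r}")
    return tuple(int(p) for p in parts)


def ibx_is_updated(file_version):
    """Step 5: True when the IBX build is 11.0.5497.6285 or greater."""
    return parse_build(file_version) >= PATCHED_IBX_BUILD


# Constructed folder listing, for illustration only.
SAMPLE_LISTING = ["indivbox.key", "indivbox_002.key", "indivbox_010.key", "other.dat"]
```

Comparing the version as a tuple of integers matters because a plain string comparison would rank a build such as 11.0.5497.10000 below 11.0.5497.6285.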
Timeline is wrong (Score:5, Informative)
FairUse4WM "merely" wrapped up the techniques used by these tools in a neat package, and got to the frontpage of Engadget. It was pure luck that MS had a patch available at the time, even though it took extraordinary effort on the behalf of its DRM partners to implement, and denied "legacy" OS users, as well as users of the latest Media Center version, the use of new DRM-protected tracks.
A patch for FairUse4WM 1.2 still isn't available, even though the tool was released last weekend.
BTW, if you think MS is getting screwed by class breaks like this, think again. Content providers (think: RIAA members) will call in their non-refundable advances (usually over $25K per label!) received from distribution partners (think: music stores) for "material breach of contract". MS will fix the issue, the RIAA gets richer, and the guys that actually try to get music to you get screwed. Oh, well, they're used to it...
Shocking (Score:5, Informative)
Even then, the reason you don't release a patch in three days is that you're probably going to screw it up and not actually fix the problem. Amazingly enough, that appears to be exactly what happened.
Re:Oh, I know! (Score:5, Informative)
Re:Patch (Score:5, Informative)
Umm all that I have to do to disable automatic updates is:
1) Start->Control Panel
2) Click Automatic Updates
3) Select Turn Off Automatic Updates
4) Press OK
No registry tweaking needed. Now I do have XP Pro, do other versions of XP really make you edit the registry? That would really piss me off.
Re:Critical, or not? (Score:4, Informative)
Not quite accurate (Score:3, Informative)
Re:Critical, or not? (Score:4, Informative)
I know some people that have never upgraded their windows XP ever via windows update, yet have never been infected with virus' (virii?) or other malware. Just takes half of a brain on the user-end to make this possible.
Re:Plain and simple (Score:4, Informative)
There are no small fixes. A famous single-character error (typing "." for "," in a FORTRAN DO loop header, so it read DO I=1.10 instead of DO I=1,10) resulted in the destruction of a spacecraft.
While I agree that even tiny changes can have large consequences, it appears the FORTRAN-lost-a-spacecraft bug is a programming urban legend that eventually made its way into computer texts as a cautionary example. (See this Google archive [google.com] of a relevant 1993 alt.computer.folklore discussion on Mariner I.)
Re:Kinda blows their excuse (Score:1, Informative)
Re:Oh, I know! (Score:3, Informative)
What it sounds like is ACTUALLY happening is that you assigned ownership and sole access to a local account from your previous installation that does not exist in the new Vista installation's account database. Since no account on the new installation can match the unique SID of the old account in the previous installation, you are not granted access. This behavior has been the same in every version of NT. In UNIX terms, you've assigned ownership and group on the files to a uid that doesn't exist in this installation.
Usernames are not assigned access to and ownership of objects; SIDs are. A SID is a binary value that is used as the primary key identifying a user or group. A unique local account SID contains a randomly generated prefix that was generated during installation and a sequential suffix for the specific user. With the machine's prefix, no two unique SIDs from different installations can be the same. Even if the account name matches in the two installs, the accounts will have different SIDs.
When you said that "you have to go and Take Ownership of every item on the drive, and then give yourself Full Control" (emphasis mine) you're setting yourself up for failure if you ever try to access the volume from another installation that (again) can't and won't have information about the local accounts from this installation. If, in the future you want to assign access consistently across installations sharing a volume, assign access to non-unique groups such as Users and Administrators. The SIDs of these groups are the same regardless of installation. Either that, or join both installs to a domain and use domain accounts.
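The SID behaviour described in the comment above, as an added example that is not part of the original post: it encodes and decodes the binary SID layout (revision, sub-authority count, 6-byte big-endian authority, little-endian 32-bit sub-authorities) and shows that the same account RID on two installations yields different SIDs while a built-in group does not. The machine prefix values and function names are constructed for illustration.

```python
import struct

# Well-known SIDs that are identical on every Windows installation.
WELL_KNOWN = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}


def pack_sid(authority, *sub_authorities):
    """Build the binary form of a SID (revision 1)."""
    head = bytes([1, len(sub_authorities)]) + authority.to_bytes(6, "big")
    return head + struct.pack(f"<{len(sub_authorities)}I", *sub_authorities)


def sid_to_string(raw):
    """Decode a binary SID into its S-R-A-S1-S2-... string form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def classify(raw):
    """Say whether an ACL entry's SID means the same thing on another install."""
    sid = sid_to_string(raw)
    if sid in WELL_KNOWN:
        return sid, "portable: " + WELL_KNOWN[sid]
    parts = sid.split("-")
    # S-1-5-21-<three issuer values>-<RID> is an account SID whose
    # prefix belongs to the machine (or domain) that created it.
    if parts[:4] == ["S", "1", "5", "21"] and len(parts) == 8:
        return sid, "tied to issuing machine or domain, RID " + parts[7]
    return sid, "other"


# Constructed values: the same user created as RID 1001 on two installs.
OLD_INSTALL_USER = pack_sid(5, 21, 1111111111, 2222222222, 3333333333, 1001)
NEW_INSTALL_USER = pack_sid(5, 21, 4040404040, 505050505, 606060606, 1001)
ADMINISTRATORS = pack_sid(5, 32, 544)
```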
Re:Critical, or not? (Score:3, Informative)
Back when I first stopped, I would have patched if I felt it was necessary. Now, I wouldn't patch unless you held a gun to my head.
To be honest, I am stuck in a position that as my computer software ages, I am unsure how to upgrade. I will be VERY unlikely to switch to Vista or any future MS offering. Switching to some Linux distro will be a pain because my main computer has been windows for so long, and I enjoy playing games and using various software that is generally not supported on Linux. Mac might be a possibility, but it will still be a pain in the ass.
Oh well, I'll consider the options when the time comes.
One option you might consider is running XP (or even 2000, or, *shudder*, 98SE) in a VMWare-type virtual machine. Especially with the new multi-core CPUs, cheaper RAM, and heftier GPUs coming out, this will continue to be an increasingly-viable option for those that don't want to suffer from unwanted DRM in XP or switching to the even more locked-down Vista.
You could be securely browsing, e-mailing, etc. from your linux/FreeBSD OS, while fragging your buddies in CS/Doom3/whatever running in a virtual, sandboxed instance of 2000/XP running in a window on your desktop.
Cheers!
Strat
References for Treason and Perjury. (Score:3, Informative)
One of the many M$ troll accounts that cloud around here challenged me to produce references to M$'s infamous Windoze source code national security claim swiftly followed by sale of said code to China and Russia. Of course, I'd love to trot that whole mess out again. Non free software exists on trust alone and M$'s performance there really shows what contempt they have for the US Government and their customers. The memory hole has not yet extinguished the information presented by eweek [eweek.com] and Microsoft themselves [microsoft.com]. You can read it all yourself.
From eWeek, 2002:
If you need to, you can always reference the anti-trust evidence, which is still published and available. The quotes in the article are more than enough for me.
A quick Google Search [google.com] digs up all the articles here and a parade of Wintel rags falling over themselves to toe the party line. ZDNet echoes Allchin again in 2004, a year after they had already sold out! Something called Neowin joins the chorus of woe that someone might look at the source code to W2k or NT4 and see how crappy it is. All as if any real hacker needed it.
The very next year, 2003, M$ announced sale to the highest bidding governments as noted above. Included was China [microsoft.com] and other friendly countries. But you know, Bill Gates it's just business buddies being chummy [slashdot.org]. Microsoft would never place the interests of Communist dictators over the rights and well being of their fellow citizens, would they?
The double talk going on at M$ was glaring and all of it was bullshit. Access to the OpenBSD source code has not made OpenBSD less secure, it's made it better. The whole episode represented more perjury and a three year FUD attack on free software than it did treason, but you have to wonder what they really believe. Looking back, it's a low point in US corporate history that will only be made worse when they unravel like Enron did. The biggest lie of all is that the Microsoft Monopoly is based on anything more than mass delusion.
I ask you once again, do you trust Microsoft to do as they say? With your business? Code so crappy, it can't be shared but is shared with your worst enemies. If you do, you probably will tell me that Windows XP is easy to install [slashdot.org], has good uptimes and other nonsense like that. I'm not sure anyone really believes anything other than Windoze is "good enough because I'm using it for one or two specific tasks." No, that's not good enough and Vista's imminent flop is a good chance to move on to something better. The market is filled with better contenders and M$ will not be missed.
Vongo (Score:1, Informative)
Why the parent would give up torrents is far beyond my comprehension.