Is Microsoft Using RIAA Legal Tactics?

Nom du Keyboard writes, "CNET reports, 'Microsoft has filed a federal lawsuit against an alleged hacker who broke through its copy protection technology, charging that the mystery developer somehow gained access to its copyrighted source code.' Looks to me like since they can't figure out how else he's doing it, they'll sue on this pretense and go fishing for the actual method through the legal system. They clearly have no proof yet that any theft of source code actually happened. This smacks of the RIAA tactics of sue first, then force you to hand over your hard drive to incriminate yourself. Isn't this something the courts should be putting a stop to at the first motion for dismissal?" Viodentia has denied using any proprietary source code, according to CNET.

Why is it so hard?

Why is it so hard to believe that he read the assembly and figured out how to crack the DRM from that?

Re:Why is it so hard?

Which makes this more like Apple then the RIAA. Apple sued various rumor sites to try to fish out a leak in their own organization. MS wants to sue to figure out how their information was broken.

Although it's not like MS and Apple aren't, the RIAA is simply interested in money and control, not information. This isn't RIAA style extortion so much as Apple style ass-backwards investigatory tactics.

The real reason for this lawsuit

Microsoft wants to convince its music partners that its DRM is unbeatable. Now that it's been cracked, they're trying to argue that the only way their "unbeatable" DRM could have been cracked would be due to access to the source code.In other words, along with being a fishing expedition, this lawsuit is a PR play to Microsoft's music partners to try to save face over their no-longer-unsinkable DRM scheme.

Re:Why is it so hard?

Shouldn't DRM be uncrackable even with access to source code? Just like open source encryption methods?

Re:Why is it so hard?

Shouldn't DRM be uncrackable even with access to source code?

Quite the contrary -- all DRM should be crackable even without access to the source code.

Ultimately, if you have the ability to "play" the content, you can beat the DRM -- because that's what playing the content is, decrypting it. If you (your computer) can decrypt the content, then you can decrypt the content. Simple!

The distinction between which program on your computer can decrypt the content is *solely* one of obscurity and not one of encryption at all. You have the encryption key -- you can decrypt the content -- the only thing that's preventing it is obscurity of the location of the key, and the methods of the encryption algorithm. Both of those are Security Through Obscurity and are a bad thing. It's also why DRM will never actually work until the hardware gets on board.

Because you always have the key, you can always decrypt it.

Re:Why is it so hard?

because windows is so complex not even MS can figure it out. they dont think this dude could.

Re:Why is it so hard?

For those who might think the parent is a troll, MS developers really do have trouble understanding Windows [msdn.com].

You'd think they were building killer cyborgs...

Thanks for that link. I had never read it before.

I found one claim in there particularly interesting:

We shouldn't forget despite all this that Windows Vista remains the largest concerted software project in human history. The types of software management issues being dealt with by Windows leaders are hard problems, problems that no other company has solved successfully. The solutions to these challenges are certainly not trivial.

I wonder...why is that, exactly? Why is Vista such a massive project?

It's a serious question. I mean, it's not like they're building HAL-9000 here. It's an OS. A microcomputer OS. Which really, as far as I can tell, doesn't do a whole lot more than a bunch of other OSes that are on the market already. What does it do that's so much more complex, fundamentally, than what OS X does? Or Linux? Or any number of other OSes? Why, exactly, is it such a freaking huge project?

If the size estimates [wikipedia.org] I'm reading are accurate, at 50 MLOC, Vista is still smaller than OS X at 80 MLOC (comparisons to Linux are tougher because when someone says "Debian has 160 MLOC," it's not clear if that's just the base system or including all the applications or what). Admittedly, OS X borrowed a lot of code from NeXT, but Microsoft has a lot of code they could steal from previous Windows versions and other projects. If they chose not to, then that was a conscious management decision on their part.

If this guy's characterization of Vista development is true, they have more problems than a slipped schedule; they need to be asking why the damn thing has turned into that much of an epic project in the first place. This is not like IBM building the S/360 here; they're not wandering that far off into uncharted, never-before-attempted territory, based on every description of Vista I've ever seen or heard of. Yet they're making it that much of an effort, either by choice or mismanagement.

Vista, Linux, OS X: it does the same thing. Ultimately, they're both ways of managing the filesystem and the computer's hardware resources, and presenting those resources to programs in a standard manner on one end, and presenting a GUI to the user on the other. Sure, they're different ways of doing things, but they're all solutions to the same basic problem. It's even the same hardware resources and architecture that they're supposed to manage -- it's not as though the premise of each is that different.

Frankly if what that article says is true, Vista might have a second, more dubious distinction: the most wasted effort ever spent on a project since the Russians built that expensive lawn ornament [nasa.gov].

If this guy did see the source code and was able to reverse engineer it, Microsoft ought to offer him a job. Apparently, they need the help.

Re:You'd think they were building killer cyborgs..

": Vista has to generally remain bug-for-bug compatible with every piece of software written for the overall Microsoft platform since MS-DOS 2.0."

Why? When I go do download some software from MS either it's only available for XP/2000 or it offers different downloads for 98, NT, XP, XP SP2, NT 3.5+, 2000, 2003 etc.

Clearly every version of windows is slightly incompatible with other versions. Even service packs break backwards compatibility requiring separate downloads for XP and XP SP2.

I think vista will not be fully backwards compatible with any other MS operating system. Some things will work but I would expect everything to be either completely or partially borked.

Re:You'd think they were building killer cyborgs..

"Most software just has one version, and that runs on basically any remotely modern version of Windows. "

Nonsense. At best software requires win98 or better. Most software I have seen requires XPSP2 or better. Like I said even MS software has different versions for different windows.

"Based on history, I would expect the vast majority of common-use software to work transparently out of the box,"

In that case we are living in a different universe. Where I work every version of windows disrupts our software some way or another. SP2 was especially painful. Migration from .NET 1.1 to 2.0 took over a month for one project alone.

Re:gnireenignE

"IIRC, The program doesn't even circumvent the DRM, it just waits for WMP to do it, and then reads some of its memory."

I dunno...there was a slashdot discussion with an argument similar to this. He did not technically crack or break any DRM. The WMP by nature decrypts the file, in order to play it. Now, right after WMP decrypts it...it is a file in memory just like any other file/code, and I don't know of any rules or laws out there that say what you can or cannot do to any bit of data in memory...especially if it is in a decoded, freely readable format. Are you 'forced' to play it through the speakers? What legally keeps you from directing that data to another file, or hell...to the printer if you saw fit?

It seems the legalese people try to argue this kind of crap to the letter of the law. And from what the DMCA seems to rule against is cracking the DRM on a file...but, I see nothing in it saying what you can or cannot do with the data once the DRM has been legally removed.

I think by definition, while yes you may have circumvented the way someone intended you to use the system...you in fact have not circumvented the DRM itself, and I think that is what the DMCA specifically tries to outlaw.

At the very least..like another poster said, couldn't this be defended as a way to allow interoperability with other applications/oses and the like, which DMCA does allow?

RIAA's Legal Tactics

I've read a lot of cases about the RIAA in court and I have to say there's some common tactics that this article doesn't mention:

1. Prior to the trial, make sure that the judge realizes that your wife, daughter and grandmother are available for him depending on his age preference.
2. Have the only licensed copy of Photoshop in the world installed on your laptop and present at the trial. Ask the defendent for his IP address during questioning and then add it to a BMP screen shot of some file sharing application with "KAZAA" shakily written at the top of the screen. Make sure that you wipe the drool from the judges mouth when you explain to him that this list is dynamic but you're sure the defendent is guilty. Also, throw his IP address on the Berlin Wall, the cover of Chairman Mao's Red Book & Hitler's armband in his 1936 speech just so the judge realizes the pure evil he's dealing with .
3. Remind the judge how much you and your industry mean to the American economy. Also remind him who's in charge right now and how important it is that the economy stays in full swing. Carefully explain to him that a successful lawsuit will not help the American economy.
4. Bring in Senator Ted Stevens as an expert witness on computers and tubes so the judge can understand how both computers and the internet works.
5. Act like the artists (or in Microsoft's case, developers) are the ones being screwed here. They are the ones that this hacker is stealing from and then show pictures of their families living in the cold run down mansions in Redwood. Also show a picture of Lars Ulrich with a measily pile of only 5 million dollars instead of 6.
6. Rinse, wash, repeat above card.
7. Use legions of lawyers to inundate the individual with accusations about his past and his profession.
8. Bottom line: stear clear of the fact that people pay you money for instances of something that's easily instantiated. Try to blur the concept of physical property versus intellectual property and use bad analogies such as grand theft auto or gas station holdups to the case at hand.
9. Oh, and stop at nothing to make sure the person is ruined for the rest of their life. Leans on paychecks are a sweel idea as well as restitution through house, car, possessions, etc.

So, as you can see, Microsoft has a ways to go before meeting the RIAA's stringent legal tactics. Don't worry though, I have faith in Microsoft.

Tenuous Grounds, IMHO

Microsoft has released two successive patches aimed at disabling the tool. The first worked--but the hacker, known only by the pseudonym "Viodentia," quickly found a way around the update, the company alleges. Now the company says this was because the hacker had apparently gained access to copyrighted source code unavailable to previous generations of would-be crackers.

Tenuous grounds -- Microsoft is in effect claiming nobody could have reverse engineered their code, or cracked it, so fast, therefore they must have cheated by having access to Microsoft's original sources. Sounds like a logical assumption, but it's a bit like claiming a driver went from Point A to Point B, 100 miles apart, in one hour must have been speeding, though there was no witness to the driver actually speeding.

I expect what Microsoft really wants is to find if they have an inside man leaking code. Have to get Viodentia to reveal that by poring over his/her drive, which may yield absolutely nothing and be fairly claimed as harrassment.

"FairUse4WM has been my own creation, and has never involved Microsoft source code," the developer wrote. "I link with Microsoft's static libraries provided with the compiler and various platform SDK (software development kit) files."

Sounds almost as if those at Microsoft pursuing this case do not even know what their own library routines may be capapble of.

Re:Tenuous Grounds, IMHO

Sounds like a logical assumption, but it's a bit like claiming a driver went from Point A to Point B, 100 miles apart, in one hour must have been speeding, though there was no witness to the driver actually speeding.

It's more like claiming a driver who went from point A to point B must have stolen your car to do so, despite the fact that your car is still in your garage.

Re:Tenuous Grounds, IMHO

but it's a bit like claiming a driver went from Point A to Point B, 100 miles apart, in one hour must have been speeding

That's nearly right.

More accurately, it's like claiming someone who managed to cover the distance from Point A to Point B, 100 miles apart, in one hour must have been driving and is therefore guilty of speeding.

Re:Tenuous Grounds, IMHO

Here's a more relevant quote:

Microsoft is also contacting other Web sites that have posted the FairUse4WM tool, asking them to remove the software, on the grounds that it contains copyrighted company code.

Company representatives declined to speculate on exactly how "Viodentia" gained access to copyrighted source code. The code in question is part of a Windows Media software development kit, but is not easily accessible to anyone with a copy of that toolkit, Microsoft said.

Anyone want to explain the logic behind that statement?

MS gives out the SDK
The SDK contains source code that is "not easily accessible"
Someone accesses the source code.
MS cries foul!

Re:Tenuous Grounds, IMHO

You are correct as far as the current crop of security through obscurity DRM is concerned. The next crop coming with Vista and the next MS Office will tie DRM to a crypto module on the motherboard (available in 90% of the PCs coming down the production line today) or to a personal certificate (or both). These will not have these flaws. More importantly with Vista + Fresh MS Office it will be possible to use DRM on MS office documents so RIAA will no longer need to push DRM down our throats. 90%+ of the businesses out there will do that for them as this provides a measure to prevent information leaks and costly disclosures. The DRMless computer will become a rarity in the hands of enthusiasts and the market forces will wipe it out from free circulation. This is not far off - 2-3 years at most.

DRM's fatal flaw

DRM can be easier or harder to crack, but it will always be crackable.

You give them the lock, you give them the key, and you hope that they can never figure out how to use them together.

Why the content industries keep believing that this is a good idea is a true mystery.

well...

What I take from this is the following:

Even WITH the source code microsoft cannot figure out how their code works and issue patches...so how would they be able to tell if some 'hacker' is really hacking their ultra secure corporate network? What do they do when third parties issue unofficial patches for IE? Are they going to start filing lawsuits against the white hats too as they might have figured something out on their own?

I am neither for or against hacking DRM and such, but honestly, assuming somebody hacked their way in and stole source code is a little bit harder to believe than simply figuring out a way around what I'm sure is an elementary DRM code. Poking and testing is easy to do, hacking, finding, downloading, and analysing source code is probably adding a bit more effort to the process than most guys trying to beat DRM are willing to go through.

The simplest explanation is usually the correct one. If he just plain figured it out by trying several different things, I'm inclined to believe him.

Viodentia motive?

Can some clue me in on the motive of Viodentia? Do they want donations? Do they have anything to sell? Ads? If they make any profit at all (donations are cool, however), then I will very quickly leave their side.

People don't usually crack things in record time without a motivation.

5th amendment?

This smacks of the RIAA tactics of sue first, then force you to hand over your hard drive to incriminate yourself.

Wouldn't that violate the 5th amendment [wikipedia.org]?

No person shall [...] be compelled in any criminal case to be a witness against himself

I'm not trolling about the RIAA violating the constitution, I'm really interested in knowing if the 5th would apply here.

Re:5th amendment?

The 5th Amendment would not generally apply, since it's a copyright infringement claim and thus not a criminal offense. The 5th Amendment pertains to crimes, not torts. Further, the 5th Amendment is understood to refer to the government compelling you to implicate yourself through testimony, not a third party or through evidence.

That said, the as-of-yet-unchallenged Digital Millennium Copyright Act clearly makes "access" to copyrighted works without a license illegal if they are "digital". Under that law, "access" to "digital" copyrighted works is indeed a crime. In that case, if the government got involved in the prosecution the 5th Amendment may very well apply with regard to whatever testimony you give.

Dismissal?

Dismissal is only appropriate where the complaint fails to state a claim upon which relief can be granted. There is no evidentiary burden for a motion to dismiss, and before some discovery, a motion for summary judgment (which seems to be what the author is referring to) is premature. If Microsoft has a good faith belief that what they alledge happened actually happened, then they are entitled to discovery to prove their point, so long as they actually have a cause of action (in this case, they do). If discovery information does not support their claim, then the defendant can have summary judgment. Even if they are using the legal system to "find out how he did it," if someone committed a tort against them, they have a right to figure out exactly what happened.

Don't write about law if you know nothing about law, and don't make assumptions or claims about lawsuits based on second-hand information and bias.

visual studio tattler

Hate to put any ideas in their heads, but odds are that a lot of hacks/cracks are compiled with visual studio, and on machines with WGA or other identifiable data.

In away I'm simply amazed that .exe and .dll files don't already have embedded in them a little tag that gives MSFT a clue who compiled it, what time zone, what IP address, what domain, what ISP/routes it uses, maybe even wifi connection history (if it's on the move).

Sounds a lot like SCO tactics to me...

"This smacks of the RIAA tactics of sue first, then force you to hand over your hard drive to incriminate yourself."

This smacks of SCO tactics to me. Accuse first, offer no proof, sue so you can fish for evidence...

Say, didn't Microsoft indirectly fund the SCO fishing expedition? Nuff said...

How about...

the MPAA and RIAA sue Microsoft? Since nobody could intentionally make software this insecure, it's obvious that Microsoft is in league with the pirates.

Exhibit A, for the defense...

A disassembler.

I mean come on! Really! Read this from TFA:

Microsoft has released two successive patches aimed at disabling the tool. The first worked--but the hacker, known only by the pseudonym "Viodentia," quickly found a way around the update, the company alleges. Now the company says this was because the hacker had apparently gained access to copyrighted source code unavailable to previous generations of would-be crackers.

Um, hello? People have been disassembling code to disable copy protection since the first days of the warez scene. You don't need the source. All the source does is speed things up a bit.

Not that I'd know anything about that. *ahem*

Another Interview with Viodentia

...... Can be found here:

http://www.engadget.com/2006/09/27/viodentia-respo nds-to-microsoft-releases-fairuse4wm-1-3/ [engadget.com]

The system works. Why are you bitching?

Our congressmen and senators look after the welfare of their constiuancy (sp?), and the courts come to a fair and balanced ruling which takes the best interests of the citizens into account and comes to a verdict which is most just for their citizenry.

It's just that now corporations are the only real citizens-- a situation no different than the late 1700's/early 1800s when only the rich white landowners were considered citizens.

Again, I'll ask --the system works; why are you bitching?

If I write something in hex...

...does that mean I can sue anyone who opens it in a text editor for stealing copyrighted source code?

Part of the MS DRM strategy

DRM is an arms race that the defender is going to eventually lose. Microsoft realizes this and is using the legal system to try to intimidate their NEXT adversary in the DRM battle. If they can successfully make an example of the person who bypassed their DRM this time, the next person may think twice. And yeah - it stinks.

Shouldn't the headline be...

Is Microsoft Using RIAA Illegal Tactics...?

Arrogance.

"I don't know how GuyIDontLike did something, therefore he must have cheated."

Some developpers are extremely slow to realize that things which seem nigh impossible to them are in fact, run-of-the-mill easy for talented hackers, crackers, upper-teir skr1pt k1dd13s, and others. Code obfuscation is not by any means adequate protection.

Neither is sticking anti-debugger crap in your code, for that matter.

This is not really about Microsoft

despite their DRM being yet another monopolistic trap.

It's about DRM being like gun control (don't get me wrong, I HATE guns and private gun ownership):
DRM punishes the honest, and does nothing about people who are going to steal.

Make 'legal' online music consumption easy for the consumer, and they will be happy, and you will make money.
Treat them like criminals, and... well, you'll just be cultivating this behaviour.

Users are beta testing M$'s DRM implentation

Personally this is another great M$ beta test. They can't hope to find the flaws in their DRM design, and Windows Media software, so they get users to do it. If the flaw is not obvious and no one will volunteer the info M$ needs to correct it, they send in the lawyers. Makes me wonder if they will take HP's lead and get some PI to do a black bag job on someone's house. Hey, computers get stolen all the time :)

If they do end up in court, at the very least only third party investigators should have access so as to protect the defendents trade secrets and IP. Afterward, to top it off, M$ should open itself up to verify that it isn't secretly using anything it learned in the trial without paying compensation.

Microsoft are so arrogant.

Microsoft are so arrogant.

Even though they have a perfect track record of inability to develop a single truly secure product, they presume this guy must have stolen the source in order to use any of their gaping holes.

Microsoft's own track record on security is this guy's own perfect legal defense.

Solution: Countersue

Hacker just needs to countersue, saying Microsoft could not have issued a patch that undid his DRM-removal without access to his source code. The arguement is the same, and with the time for Vista to ship as evidence that Microsoft cannot turn around updates quickly, source-code or no.

Mozart's Memory

From an article I just started reading: ...when Mozart was a boy he traveled to the Vatican with his father. Since they happened to be there at Easter, they were able to take in a performance of Allegri's Miserere. The Miserere is considered by many to be one of the most beautiful pieces of music ever composed. It is so beautiful, in fact, that at the time the Pope allowed no copies of the score to be made, and it was only performed at Easter, and only at St. Peter's Basilica in Rome. Only the choir was permitted to see the score, which was otherwise kept under lock and key.
Mozart, being the prodigy he was, heard the piece once and memorized it in its entirety. When he got home he wrote down the score without a single missed note. When Church authorities heard that Mozart had an unauthorized copy of the Miserere they took him to court, accusing him of stealing a copy of the score. The young boy was able to prove that he had not stolen the work only by writing down the piece again, perfectly, from memory in the presence of the court.

Obviously this probably isn't the case here, but isn't this a good example that you should not be allowed to sue somebody for copyright infringement unless you have some proof they obtained what they got thru illegal activity?

Another good reason not to have anything to do wit

Another good reason not to have anything to do with Microsoft.

Did you need another? Don't worry, they'll come up with one for you.

Download - Thanks, Microsoft!

So, what did I get from this article... There's a new tool available that can strip new Windows Media DRM! Thanks, Microsoft!

It took a bit of searching but I found the program and mirrored it [uberm00.net] if anybody's interesting. Please be sparing on my bandwidth. :^)

Microsoft can't win

Microsoft can't win the lawsuit. If you knew Microsoft was after your hard drive and they have no idea who you are, you have plenty of time to backup everything and wipe your hard drive(the right way). Just put the backups in a safe place. There you go, no evidence. This is all assuming you WERE guilty. And if you are innocent, and want to really piss off Microsoft, post the source code on the net. :)

The bottom line might be

that by forcing someone into the courtroom and accusing him of stealing the source code, his probable defense as everyone has pointed out is "I didn't steal the code, I reversed engineered it."

Guess what else is against the law? His/her best defense is an admission of guilt to breaking the system/scheme of protection. It is probably a win win for Microsoft.

And regardless if you are for or against the law(s), it seems as if some law has been broken.

I wouldn't say Microsoft is adopting RIAA tactics because that would be crediting RIAA for inventing the use of the courts to stop something they don't like. Companies have doing that for a long time.

You dont need to know

How someone did something to know they did something wrong. A lawsuit has to be started so they can do things like subpeona the hard drive. Once they can get the hard drive, they can figure out the "how". This is common legal tactics, and frankly is required. WIthout things like a subpeona there is no legal mechanism to force someone to hand over their material (with some exception like the patriot act).

What MS Said.. but what I heard..

What Microsoft said was "Our own intellectual property was stolen from us and used to create this tool" but what I hear was "You see, this hacker waltzed right through our corporate defenses, identified the one server out of a gazillion file servers that had that code, stole it, and wrote a new patch, all in under 24 hours of our new release".

Now, in my mind, the guy would have to be an ace cracker, a network sleuth, a crackerjack programmer, and completely clairvoyant to know where to even get the copyrighted code from. So, either Microsoft is stupid enough to not know that DRM as a technology simply can not work, or they are stupid enough to have a completely failed corporate security infrastructure and policy in maintaining it. If I were in their shoes I would just claim that I didn't know that DRM could ever be a workable solution, otherwise who would ever want to buy a "secure operating system" from them? (joke, joke)

Lose-lose

"Viodentia" can't even try to defend himself against these specious charges if he doesn't reveal himself. If he does reveal himself, or is discovered, Microsoft need merely drop this nonsense and pursue a DMCA claim. Pretty much his only hope is if they can't find him; I hope he hasn't been posting from networks which could identify him.

This lawsuit is bizarre...

I must confess that I didn't know US law allows you to sue a "John Doe" where not only their real identity isn't known, but even their *citzenship* (yes, they might not be American) is possibly in doubt.

Also, if Microsoft can't prove that "Viodentia" had access to Microsoft source code (which presumably breaks the law if he/she did - hence the lawsuit), then can Viodentia sue Microsoft for libel? Also, if Microsoft is allowed to sue this John Doe called "Viodentia", then can Viodentia sue Microsoft whilst remaining a John Doe anonymous litigator? If not, then isn't the law very one-sided on this issue where one party is unknown?

Is it just me or is this lawsuit verging on the absolutely ludicrous? Do other countries allow people to sue unknown parties?

BULLET DUP3 * GUN LOAD FOOT AIM TRIGGER PULL BANG!

So, by filing this suit, Microsoft admits that someone stole the source code. If that's the case, how can they ever guarantee that the same thief(s) didn't also plant code in their repository as well?