Microsoft sues over source code theft
By John Borland
Special to CNET News.com
Published: September 26, 2006, 4:19 PM PDT
Last modified: September 27, 2006, 3:02 AM PDT
Microsoft
has filed a federal lawsuit against an alleged hacker who broke through its
copy protection technology, charging that the mystery developer somehow gained
access to its copyrighted source code.
For more than a month, the Redmond,
Wash., company has been combating a program released online called FairUse4WM,
which successfully stripped anticopying guards from songs downloaded through
subscription media services such as Napster or Yahoo Music.
Microsoft has released two
successive patches aimed at disabling the tool. The first worked--but the
hacker, known only by the pseudonym "Viodentia," quickly found a way
around the update, the company alleges. Now the company says this was because
the hacker had apparently gained access to copyrighted source code unavailable
to previous generations of would-be crackers.
"Our own intellectual property
was stolen from us and used to create this tool," said Bonnie MacNaughton,
a senior attorney in Microsoft's legal and corporate affairs division.
"They obviously had a leg up on any of the other hackers that might be
creating circumvention tools from scratch."
In a Web posting early Wednesday
morning, Viodentia denied using any copyrighted Microsoft code, and released
yet another version of his tool.
"FairUse4WM has been my own
creation, and has never involved Microsoft source code," the developer
wrote. "I link with Microsoft's static libraries provided with the
compiler and various platform SDK (software development kit) files."
This latest round of copy-protection
headaches comes at a delicate time for Microsoft. In a few months, the company
plans to launch its own digital music subscription service, called
"Zune," paired with an iPod device rival of the same name. The
package will compete with services from Microsoft's traditional partners, such
as Napster and Yahoo.
The Zune service and device will use
their own flavor of digital rights management, and this will not be directly
compatible with Microsoft's partners' products, despite being based on the same
Windows Media technology. The company is taking great pains to assure its
partners that their PlaysForSure-branded products are still state of the art.
Two-pronged approach
At the moment, Microsoft is taking a two-pronged technical and legal approach
to FairUse4WM that goes beyond the scope of its earlier DRM battles.
On the technical side, it is
pursuing much the same strategy as in the past: studying the hacker's tool and
trying to update its Windows Media technology to block it.
Indeed, the company's Windows Media
copy protection technology was designed from the start to support swift updates
that would address inevitable cracks. That has long been part of the
technology's draw for record labels and movie studios, which are fearful that
content protection flaws will lead to films and music being swapped freely
online.
Microsoft's copy protection has been
cracked before and then quickly
fixed. Company representatives said that the FairUse4WM tool, despite its
developer's success in breaking through the company's first patch, is simply
triggering the same kind of security review that has happened in the past.
"This particular circumvention
doesn't change that reality at all, or affect the underpinnings of the
system," said Marcus Matthias, a senior product manager at Microsoft.
"This is not quite as 'cat and mouse' as some people might have you
believe."
The crack's unusual longevity has
caused ripples of worry inside the digital media community, however. One
service provider, the British network BSkyB, even temporarily canceled movie
downloads.
Representatives from other services
say Microsoft's previous rights-management security updates have been
successful and expect this effort ultimately to be no different.
"One of the great features of
the Windows Media DRM is its renewability," said Bill Pence, chief
technical officer at Napster. "When the DRM system is compromised, we can
incorporate updates with minimal impact on users, and we expect to do the same
with the current patch."
Using courts to track a cracker
However, the federal "John Doe" lawsuit, along with
"dozens" of legal letters sent to Internet sites that are hosting the
allegedly copyright-infringing tool, is a decidedly different tack for
Microsoft.
The copyright lawsuit was filed in
Seattle federal court last Friday, without a name attached. Just as in the
recording industry's many lawsuits against accused file swappers, it targets an
unknown individual or individuals, whose true identity will be sought in the
course of the case.
For now, that means going to the
Internet service providers for Web sites where the original FairUse4WM tool was
released, in hopes of tracking down an IP address or other digital traces that
might lead to the developer, MacNaughton said.
Microsoft is also contacting other
Web sites that have posted the FairUse4WM tool, asking them to remove the
software, on the grounds that it contains copyrighted company code.
Company representatives declined to
speculate on exactly how "Viodentia" gained access to copyrighted
source code. The code in question is part of a Windows Media software
development kit, but is not easily accessible to anyone with a copy of that toolkit,
Microsoft said.
So far, little is known about the
developer, who has used the pseudonym "Viodentia" in several online
postings at a site called Doom9.org. "Viodentia" could not
immediately be reached for comment.
After spending an unaccustomed month
of grappling with the problem, Microsoft representatives stopped short of
promising their latest Windows Media update will be impregnable--although
certainly, the hope is that a third patch won't be needed. Viodentia's newest
release, posted online Wednesday, will test the strength of the company's
latest approach.
"Any time we put out an update,
it is our hope that it will be as efficacious as possible," Matthias said.
"It is our hope that the technical mitigations that we've put in place
will do something to impede this circumvention."
Analysts say that
"Viodentia" hasn't proved that Microsoft's DRM tools are
fundamentally flawed, but has shown that the business of keeping them, or any
rights management system, secure is increasingly becoming a full-time job.
"Any DRM out there is going to
be cracked," GartnerG2 analyst Michael McGuire said. "More important
is how the technology service reacts. Someone has to be keeping an eye online
all the time now, looking for the next time."