[Infowarrior] - Microsoft sues over source code theft

Tue Sep 26 22:08:22 EDT 2006

Microsoft sues over source code theft

By John Borland
http://news.com.com/Microsoft+sues+over+source+code+theft/2100-1025_3-611989
2.html

Story last modified Tue Sep 26 16:41:42 PDT 2006

Microsoft has filed a federal lawsuit against an alleged hacker who broke
through its copy protection technology, charging that the mystery developer
somehow gained access to its copyrighted source code.

For more than a month, the Redmond, Wash., company has been combating a
program released online called FairUse4WM, which successfully stripped
anticopying guards from songs downloaded through subscription media services
such as Napster or Yahoo Music.

Microsoft has released two successive patches aimed at disabling the tool.
The first worked--but the hacker, known only by the pseudonym "Viodentia,"
quickly found a way around the update, the company alleges. Now the company
says this was because the hacker had apparently gained access to copyrighted
source code unavailable to previous generations of would-be crackers.

"Our own intellectual property was stolen from us and used to create this
tool," said Bonnie MacNaughton, a senior attorney in Microsoft's legal and
corporate affairs division. "They obviously had a leg up on any of the other
hackers that might be creating circumvention tools from scratch."

This latest round of copy-protection headaches comes at a delicate time for
Microsoft. In a few months, the company plans to launch its own digital
music subscription service, called "Zune," paired with an iPod device rival
of the same name. The package will compete with services from Microsoft's
traditional partners, such as Napster and Yahoo.

The Zune service and device will use their own flavor of digital rights
management, and this will not be directly compatible with Microsoft's
partners' products, despite being based on the same Windows Media
technology. The company is taking great pains to assure its partners that
their PlaysForSure-branded products are still state of the art.

Two-pronged approach
At the moment, Microsoft is taking a two-pronged technical and legal
approach to FairUse4WM that goes beyond the scope of its earlier DRM
battles.

On the technical side, it is pursuing much the same strategy as in the past:
studying the hacker's tool and trying to update its Windows Media technology
to block it.

Indeed, the company's Windows Media copy protection technology was designed
from the start to support swift updates that would address inevitable
cracks. That has long been part of the technology's draw for record labels
and movie studios, which are fearful that content protection flaws will lead
to films and music being swapped freely online.

Microsoft's copy protection has been cracked before and then quickly fixed.
Company representatives said that the FairUse4WM tool, despite its
developer's success in breaking through the company's first patch, is simply
triggering the same kind of security review that has happened in the past.

"This particular circumvention doesn't change that reality at all, or affect
the underpinnings of the system," said Marcus Matthias, a senior product
manager at Microsoft. "This is not quite as 'cat and mouse' as some people
might have you believe."

The crack's unusual longevity has caused ripples of worry inside the digital
media community, however. One service provider, the British network BSkyB,
even temporarily canceled movie downloads.

Representatives from other services say Microsoft's previous
rights-management security updates have been successful and expect this
effort ultimately to be no different.

"One of the great features of the Windows Media DRM is its renewability,"
said Bill Pence, chief technical officer at Napster. "When the DRM system is
compromised, we can incorporate updates with minimal impact on users, and we
expect to do the same with the current patch."

Using courts to track a cracker
However, the federal "John Doe" lawsuit, along with "dozens" of legal
letters sent to Internet sites that are hosting the allegedly
copyright-infringing tool, is a decidedly different tack for Microsoft.

The copyright lawsuit was filed in Seattle federal court last Friday,
without a name attached. Just as in the recording industry's many lawsuits
against accused file swappers, it targets an unknown individual or
individuals, whose true identity will be sought in the course of the case.

For now, that means going to the Internet service providers for Web sites
where the original FairUse4WM tool was released, in hopes of tracking down
an IP address or other digital traces that might lead to the developer,
MacNaughton said.

Microsoft is also contacting other Web sites that have posted the FairUse4WM
tool, asking them to remove the software, on the grounds that it contains
copyrighted company code.

Company representatives declined to speculate on exactly how "Viodentia"
gained access to copyrighted source code. The code in question is part of a
Windows Media software development kit, but is not easily accessible to
anyone with a copy of that toolkit, Microsoft said.

So far, little is known about the developer, who has used the pseudonym
"Viodentia" in several online postings at a site called Doom9.org.
"Viodentia" could not immediately be reached for comment.

After spending an unaccustomed month of grappling with the problem,
Microsoft representatives stopped short of promising their latest Windows
Media update will be impregnable--although certainly, the hope is that a
third patch won't be needed.

"Any time we put out an update, it is our hope that it will be as
efficacious as possible," Matthias said. "It is our hope that the technical
mitigations that we've put in place will do something to impede this
circumvention."

Analysts say that "Viodentia" hasn't proved that Microsoft's DRM tools are
fundamentally flawed, but has shown that the business of keeping it, or any
rights management system, secure is increasingly becoming a full-time job.

"Any DRM out there is going to be cracked," GartnerG2 analyst Michael
McGuire said. "More important is how the technology service reacts. Someone
has to be keeping an eye online all the time now, looking for the next
time."