Arxan CTO Musings

News has broken that most Android devices, Blackberry and some Nokia devices (but not, apparently, iPhone devices) have software installed called “CarrierIQ”. CarrierIQ is an activity/event monitoring package that reports back to “home base” (the carrier), ostensibly to help them assess and improve product and carrier services. You can read all the details here:

http://androidsecuritytest.com/features/logs-and-services/loggers/carrieriq/

And here is a more critical review that details more of what CIQ is actually doing and able to do, and considers all the potential for misuse:

http://www.xda-developers.com/android/the-storm-is-not-over-yet-lets-talk-about-ciq/

Per the formal definition of “rootkit”, there is no question that this software is structured as a rootkit. From Wikipedia: “A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications.”

Of course, those involved with CarrierIQ deny it is a rootkit, and their denial is based on a common misunderstanding. A rootkit is defined technologically – not politically or economically or legally. In common parlance, “rootkit” means “evil software that got on my computer or device without my being aware of it or authorizing it, is doing things I don’t want done, and should not be there”.

While some or all of those points may be true of any given rootkit, none of them need to be true to properly label software such as CarrierIQ a “rootkit”. And while those offering devices or services for devices loaded with CIQ may argue that these attributes aren’t true of CIQ (because it is there by intent and “for good”), from the perspective of an owner of such a device, all these points COULD be viewed as true of CIQ.

The serious concerns that CarrierIQ raises are around what information is collected. For example, is it anonymous or not, who has access to this data, is it sold to other parties, is there an ability to opt out, was I, the consumer, informed in advance, etc. It would appear from the information extant that CIQ can and does indeed capture just about everything we ever do on these devices, so these concerns appear to be very legitimate and serious.

The deeper question is simple: who owns your mobile device? Do you own your mobile device? If you own it, do you have the right to know everything the phone is doing, including information it may be collecting? Do you have right to terminate that data collection? Or does the carrier actually own your device, and have rights to monitor every detail of that device’s use?

It also raises the fundamental question of what is malware? Is CarrierIQ properly labeled “malware”? Of course all parties involved in the mobile device business side of the equation will instantly argue “no”, because from their perspective, any software that comes with the device is, by definition, not malware. However, we have been awfully concerned about Android applications collecting even just little bits of mobile device data and sending it off to who knows where (“servers in China”), with who knows what future intent. Without any doubt whatsoever, we have instantly labeled these apps as “malware”, and Google has acted quickly to remove them from the Android application store.

Now we discover that many of these devices come preloaded with similar software. The data “only” goes to the carriers though, so…does that make CIQ not malware, and “okay”?

I, for one, find the overall situation extremely disturbing. The combined trends of more and more integrated computing/communication devices with our personal selves (I’ve discussed these trends and where they may lead in the future in an earlier blog post), more and more intelligence in every device, which are in and around our home and car and other environments, and now this trend of “the central communication organization monitors every detailed activity of every connected device” is a great starting point for all kinds of unpleasant science fiction movies. However, this isn’t science fiction, it’s today’s very real and very fast moving set of vectors, and before we are 120% “wired up” and “wired in” in every way shape and form, we’d better get social and legal clarity and control over who really owns computing/communication devices, and who has a say over what they monitor and report back to “command central”.

The mobile device security market is (justifiably) getting more and more attention. Recently Lookout raised an astounding $40M in a funding round to support their phone client security technology. Meanwhile, the large and established PC-security focused vendors are quickly ramping up their offerings for richer and more complete product solutions.

The problem of mobile device security (phones and pads, and other forthcoming evolutions in form factor) is not fundamentally different from desktop computer security. Malware can arrive on your device through the same basic channels: hiding inside what appears to be a benign “safe” application, or hiding inside “data” that in fact is a rich format with embedded code capabilities that have been used for malware injection. Furthermore, with richer browsing environments, browser-based code loading onto the device is even more probable and seamless.

Security on mobile devices however is not just a problem for, nor sole onus of, the user of the devices. The pressure to “go mobile” with business operations is incredibly high, and it is a competitive race in many industries to determine who can get a competitive advantage with the best mobile capabilities. This pressure is driving fast and furious mobile application development in just about every business domain.

This technology rush has created a serious security problem for those enterprise’s wishing to deploy business services onto mobile devices. The applications produced and distributed have several fundamental risks: first, they can be compromised with injected malware, and easily redistributed with a veneer of legitimacy that attracts downloads and usage. Voila, widespread infection. Second, they are subject to reverse engineering and tampering to effect compromises in the business processes they are providing.

Client security solutions from Lookout and the large security firms don’t address this side of the shady street of mobile device security, and it is not a simple problem to address. Protecting application software of any type from reverse engineering and tampering is a very hard problem, for the simple reason that ultimately, any software is “analyzable”. The general track record of attempts to protect software “in the wild” from successful cracking is poor indeed, as the wide availability of “cracked” commercial software available in all markets attests to.

We here at Arxan step up to this challenge every day. While we don’t have a simple magic bullet or “push button protection” solution or other snake oil to sell, we do have powerful technologies, a methodology and a track record of success when that methodology is practiced. Let’s take an example from the games market. PC based games are perhaps the most quickly and aggressively attacked and cracked s/w on the planet. Some time ago a senior PC game security architect at Microsoft told me the high water mark for successful protection of a game against cracking was six weeks.

Using the Arxan methodology for anti-reverse engineering, one of the world’s largest MMORPG game provider’s has been distributing a new game for over 20 months now, without a successful crack to the areas they specifically targeted for protection. Well over 10 million copies of this game are distributed worldwide, and the cracking process was initiated within hours of the initial beta release of this game.

The same core technology and methodology is available today for mobile applications for Apple/iOS and Android devices. Self-protection of mobile software, while not a universal requirement (does a free shopping mall directory app need self-protection? Probably not!), is extremely important in a large number of markets as mobile computing enables high-end value propositions for users and businesses alike . There’s no excuse for casually allowing theft of your mobile IP, or allowing counterfeit malware-loaded versions of your enterprise applications to proliferate and affect end-users. The security concerns that are slowing down a move into mobile enablement of your business can be addressed successfully, and over time, competitive forces will require that this opportunity for expanding business enablement be taken advantage of.

Come see us at Arxan to address mobile software security concerns.

System software news of the day: Toyota joins the Linux Foundation and announces a strategy which includes using Linux for in-car information and entertainment systems:  http://www.linuxinsider.com/rsstory/72867.html.  Sony, Matsushita and NEC initiated the Consumer Electronics Linux Forum to help drive Linux enablement for embedded systems to assure the availability of a royalty free base platform, and MontaVista Software under contract developed all the initial technologies provided under the CELF banner.  I know: I negotiated that contract and owned the execution of the development of those technologies.

So,  I have a little personal history here, having joined with Jim Ready at MontaVista Software in 1999 to create and drive GNU/Linux software for embedded systems.  Throughout the early 2000′s we experienced more and more industry segments rushing to adopt Linux.  By 2004, MontaVista Linux was in Japanese and Chinese smart phones from NEC, Panasonic and Motorola, in high end telecommunications infrastructure equipment from NEC, Fujitsu, Alcatel and Lucent, and innumerable devices in between.   Indeed, “Japan Inc.” was highly aware of the risk of the proprietary path in the early 2000′s, recognizing that we were heading towards “smart” computing systems inside devices and products of all types.

So why did Toyota take so long to make this move?  It’s certainly not because Linux wasn’t ready many years ago; we had Linux systems booting in under 10 seconds by 2004, and it was lots faster than that by 2007.  We had relatively small memory systems, we had the real-time problem fully licked with full kernel preemption fully supported in the mainstream Linux kernel.

I honestly don’t have an answer to the question, particularly given what will be tremendous cost savings for Toyota vs. using a third party proprietary technology.   Given this late adoption, I’d guess Toyota  was using a Tron variant system software, owned outright by Toyota and therefore carrying no royalties.  However, the world has clearly passed Tron by, and Toyota and all companies producing “intelligent products” need access to the huge benefits of Linux: lots and lots of solution software, and lots and lots of expertise around the world willing and able to adapt, customize, test, deploy and support.  Additionally, Linux enablement is fundamental now for all the world’s SoC manufacturers, so the problem of “is my operating system supported on the chip I want to use” is a solved problem with Linux.

This move does shine a light on the ever shrinking space wherein proprietary real-time OS’s still play: super real-time (sub 1.0 microsecond response guarantees now), super dedicated processing only.  It’s a fast shrinking market, just as we predicted.

I can’t speak to this without raising the security question: is Linux (and open source in general) more or less secure than proprietary systems?  That’s a big question with big answers, and will be the subject of another blog post in the near future.  Stay tuned!

Mobile phone based “wallets” (or, if you prefer, cash-less payments using a mobile phone) is becoming a hot technology.  Google has now announced a solution in the offing – Google Wallet (http://tinyurl.com/42ykp4m), designed and implemented of course for Android based devices.  The basic concept is simple: you have an account which is linked to your phone, and a near-field communication chip in your phone interacts with a similar device that is physically close. The transaction specifics are agreed to in a communications protocol, you are given an opportunity to say “yes” to the transaction via a button push on the phone…and viola, money is exchanged between the respective accounts.

This is a race to riches to be sure.  The few percentage points extracted from each transaction by those executing the back end functions adds up to mega-dollars very quickly, as Visa and MasterCard have demonstrated to the world.

Google’s announcement comes at an interesting time -  one in my opinion that is characterized by a backdrop of various security issues.

First, we have Google promoting all things Android, rolling out an Android application store and a licensing system for those applications…which was quickly and casually cracked.

Second, we have the Sony Playstation 3 getting fully cracked, and substantial turmoil around that, with legal action against the cracker (George Hotz), and agreements that he will not attempt to crack Sony products in the future.  This was then proceeded by a major attack on the Sony Playstation Network, with a reported theft of millions of credit card records as a result of the attack.

And now we have the iPhone 4 root key getting cracked (http://tinyurl.com/3rw769q), with the result that confidential info on your phone (which is automatically encrypted by the phone hardware and software) can be extracted in the clear.  The data is encrypted using AES-256, a very strong cipher which should be relatively impervious to brute force attacks using currently available computing technology.  So what did the crackers do?  Simple: they FOUND the key.  Where?  On the device, where it has to be in order to drive the data encryption/decryption processing!

So we have this backdrop of security issues to the left of us and to the right of us,  with our wonderful multi-function “mobile phones” now at the center!  The vendors keep giving us more more more, but as fast as we get it, we also learn it isn’t really secure, not even close.  For example,  no truly strong and robust Android application license management solution is yet available from or recommended by Google.

So how and why will mobile phone based payments be any different?  And isn’t it just a little bit more important that there IS a difference, particularly for THIS application?  This isn’t merely loss of my personal data.  This isn’t merely a $0.99 application being loaded and used without appropriate payment.  This is outright theft of cold, hard cash (or the electronic version thereof!).  Here’s a few scenarios I can think of casually on possible attack vectors:

• extracting the encryption key from the device, which could then allow any captured transaction data to be viewed in the clear.

• snooping on the near field communication traffic and extracting sufficient information to allow later similar (but unauthorized by “me”) transactions to be executed.

• running hacked payment processing software on the merchant side of the transaction, collecting sufficient information over time across many transactions to “run a raid” in one fell swoop on many, many accounts.

• injecting software into the payment software on the mobile phone, which in turn collects and then transmits account info as needed to enable similar account raids on either the device account, or possibly the merchants account.

Of course the above is all just speculation.  However, it’s speculation based on a steady stream of successes against the cracking of deployed “in the wild” devices and software of all types.  We call such attacks “MATE” attacks, for “man at the end”, meaning, the attacker has the actual device and/or software themselves physically, and can thereby do just about anything necessary for the cracking process.

What adds to my concern level about this, is the nature of the application here: MOVING MONEY AROUND.  Do we think this application is going to attract organized crime?  Do we think organized crime is going to seriously focus on this cracking problem?  Yes, and yes.  So if the Playstation 3 wasn’t cracked until Sony upset someone overmuch (by taking away their Linux support on the PS3, among other reasons), well, it’s going to be a different ball game here.  This system will be aggressively, even “violently” targetted from day 1, by those out for some serious profit making.

I don’t want to sound overly alarmist but perhaps I am, and perhaps rightly so.  We need to find means by which our electronic systems, devices and software CAN be made secure.

A few weeks ago I gave a presentation at OTTCon (the Over The Top Conference) in San Jose, California. What is “over the top”? The purest definition is multi-media (HD video, “television”, and other media) delivered to your home through the internet. Over the top refers to working “around” the traditional “television” delivery channels to your home (broadband cable, airwave broadcast, and satellite).

The conference was over-subscribed and indicative of the tremendous foment in this technology, product and service area. As with any market with such dynamics and growth, the business opportunities are tremendous.

This market has large, well established vendors operating “walled garden” solutions with strong interest in expanding out from their now traditional music or DVD quality video distribution to high definition content. There are a large number of smaller niche players, and new entrants of varying types almost every day. Of course all the major consumer electronic brands and consumer media sales brands are jockeying for position as well.

The cable companies are highly involved, particularly as they strive for a larger business role than just as a bandwidth provider for “the last mile”, which in turn has been and will continue to raise net neutrality issues.

There is tremendous product crossover, with gaming boxes serving as internet connected media access devices, smart phones and tablets operating as media access devices, set-top box functionality being integrated into traditional TV’s and monitors, not to the mention the evolving role of the traditional PC as a multi-media hub.

There are platform wars erupting. The most interesting is Google’s promotion of Android and Chrome as ubiquitous platforms to be used by all media oriented product vendors…which just happen to very easily integrate with Google’s services and advertising.

Standardization is a major market force. Ultraviolet is an open standard in development with huge industry participation working to define and create a uniform and compatible system for purchasing, renting, accessing and viewing high definition video content on all owned Ultraviolet compatible devices.

Behind all of this are the studios, with their content and in particular with their high definition content, which they are being extremely careful with relative to distribution and monetization.

Overall, this is an incredibly complicated business and technology ecosystem, with participation by telcos, cable companies, satellite companies, consumer electronics companies, cell phone companies, microprocessor companies, computer companies, bricks and mortar and web only consumer sales companies, studios, and security companies. The corporate membership list of Ultraviolet, for example, is stunning in its breadth.

Michael Porter of the Stanford Business School is famous for (among other things) his promotion of a “force analysis” of industries. A comprehensive force analysis of the “over the top” market would be fascinating, revealing and extremely complex and rich.

I can’t use the term “force” without bringing to mind the meme introduced into our social consciousness by George Lucas, “the Force”. As we all know the Force has a light side and a dark side, and in this market area, the dark side centers around (no surprise!) digital media piracy.

Digital media piracy requires a legal basis for defining digital media as proprietary assets. This basis was all but non-existent only a few short years ago, as our large body of property law was primarily concerned with the physical plane. The Digital Millenium Copyright Act (DMCA) is now the foundation on which digital media as proprietary property rests.

Intellectually, most of us understand and agree that media in digitized form is still property. However, sadly, our moral structure and cultural attitudes have not kept pace with the advancement of technology. There are huge numbers of people who would not steal a pack of gum from a store who can and do routinely access pirated digital content.

Why is that? I believe there are two fundamental reasons. The first is the lack of perception of “theft”, because there is no overt loss of goods to the owner when the piracy occurs. The second is what I call “second order access”: if it’s available for free or low cost download, then “I am not stealing it”. This is analogous to buying the fancy new watch from the back trunk of someone’s car; we know they stole it, yet we are tempted to make the purchase of the stolen goods.

Morality in a society is nurtured and supported by simple acts of peer pressure, and I urge readers to engage in this relative to digital piracy: do not allow this to occur in your home, refuse to support it by saying “no” to offers to enjoy “free” movies by friends and neighbors, and in general stand up at the critical times for the property rights of those who labored to create the content that has been stolen. All the technology in the world will not make us a moral society and protect our interests from ourselves. Only we as a society can do that, and it truly starts with each of us taking simple daily stands on the issue.

There is an incredible essay written in the early 1990′s by John Barlow (who later became a co-founder of the Electronic Frontier Foundation) called “Selling Wine Without Bottles: The Economy of Mind on the Global Net”. In this essay Barlow poses the following riddle: “if our property can be infinitely reproduced and instantaneously distributed all over the planet without cost, without our knowledge, without it’s even leaving our possession, how can we protect it?”, which in turn leads to a fascinating observation: “A lot of protection technologies will develop rapidly in the obsessive competition which has always existed between lock makers and lock breakers.”

Here at Arxan Technologies, we are deeply involved in this “obsessive competition” in the arena of propriety digital content lock making and breaking. Consistent with the vastness of the ecosystem involved in “over the top” media distribution is an alarmingly complex delivery value chain for the actual content. This in turn presents a vast “attack surface” for those who wish to steal the digital assets in motion. And the problem doesn’t stop with merely the protection of the digital content: other elements of the environment are subject to tampering to effect different forms of piracy. For example, tampering with a retail node to enable “purchases” without any actual financial transaction, or tampering with policy code to disable the time period restrictions on content.

We at Arxan are members of the Ultraviolet organization and are deeply involved in protecting digital assets in both Ultraviolet and many other “over the top” media distribution channels through Digital Rights Management software protections, key hiding technologies and node locking technologies.

For quite some time now I and others have been speaking out regarding the risks of the Android application marketplace, as an un-vetted “wild west” for software.

The essence of the problem is simple: any one can post software there, without any review of actual content and behavior. The overarching security model is that applications on installation must request and the user must approve certain capabilities (for example the right to access address book information, or to send text messages), and this then gives the user security control. The problem with this model is that broad capability requirements are very common on legitimate applications, and users become assumptive that the capabilities requested are both needed and will be used “appropriately” by the application. Neither is necessarily true, particularly with applications that are intentionally malignant.

Today we have the news of a significant number of applications with large #’s of download being, in fact, malware attempting to get device access at the root level, and stealing confidential information off the phone.

http://www.cnn.com/2011/TECH/mobile/03/02/google.malware.andriod/index.html?hpt=T2

It’s important to keep in mind that there are three types of parties involved in Android security issues. The first is of course the consumer and individual business user, and their concern is the ability to utilize applications that provide incremental value without concerns about malware. The second is businesses themselves who must field these devices with their staff for productivity reasons, and have to balance between the need to enable them with productivity applications, while still ensuring device security. This is particularly needful given the business data likely to reside on the device. Lastly, there is the application developers (sometimes these same businesses fielding such devices), who have to be concerned about the risk of their software being compromised with malware, and potentially their brand compromised as a result of re-distribution with malware injected into their application.

The heart of the problem leading to this action by Google is first, the lack of any review practices for the Android marketplace. Some are suggesting a “vetted” Android marketplace as a solution; meanwhile, some larger enterprises are constructing their own “vetted and approved” download areas for Android applications for employee business devices. It’s not hard given this recent action to see why such a methodology is needed for large corporate deployments of Android devices into the work force.

The second problem is the lack of any software protections in the application software itself. We at Arxan have been ringing this bell for some time, and while those with obvious code security concerns do take active steps to secure their application code with intrinsic security (media players, payment system software, banking software, etc.), others do not. This enables exactly the above situation to occur: hackers can casually lift an application, reuse/modify the binary level code, and republish. The result: rapid and effective malware distribution to a huge base of Android device users.

The solution isn’t overly difficult: protect your applications from reverse engineering and tampering! Arxan and others provide powerful technologies to accomplish this. While this won’t secure the Android marketplace itself, it will help to assure that YOUR software isn’t cloned and published under a similar function or brand name with malware inserted.

2010 is over, and a new decade is beginning to unfold. We have a tidal wave of computing change occurring, indeed it is really just getting started.

“Smart phones”, which I prefer to think of as hand held computers with cellular I/O support, are by far the fastest growing class of computer systems today. I’ve suggested it before and I’ll suggest it again: what we are witnessing is the rise of a “fourth wave” of computing. The first wave was the mainframe, the second was the minicomputer, the third wave was the PC. Interestingly, the “personal” computer was personal only in the sense that you, as an individual, had your own. The rise of the truly “handheld” computing device, which also adds cell phone I/O (for both data and voice transmission, thus making them “smart phones”), is more accurately a “personal” computer, in that the computer generally stays in contact with your body. However, since “personal computer” isn’t available as a moniker, I’ve suggested “intimate computer” as a more accurate and expansive name for this new computing class.

What can we learn from history, from the forces we see at work, from our own logical assessment, and even perhaps from our intuition, about how this new intimate computing wave will unfold?

First, as to form factor: I do not think we are anywhere near “done” with evolution of form factor in these new intimate computing devices. Just as the desk-side/desk-top PC fairly quickly evolved into a wildly popular “laptop” form, I predict that the current form factor of a rectangular hand held “bar” will evolve into yet more intimate forms. Generally I’d call this “wearable computers” and all that that implies. The specific forms that will be successful are hard to predict, but it’s sure to be a fascinating arena with multiple audio and visual possibilities!

The challenge of new form factors will of course be I/O between us and the computer. While voice is an obvious possibility for input, voice strikes me as being problematic for the innumerable times you want to “use the computer” but speaking extensively is inappropriate or just not comfortable. Audio output is easily dealt with via the current forms of ear based speakers, but perhaps during the decade we will some something more subtle, a la bone induction or some other means of bypassing the need for external speaker based output.

Visual output requirements would seem to take us back to some kind of “hand held screen” form factor, but I think this leads to a very likely “wearable” form factor that can address multiple needs in an integrated manner. Glasses. Yes, glasses, where visual output is projected onto the inside of the glass and is seen as an “overlay” on the outside visible world, similar to heads up displays in aircraft. Such a form factor can easily include audio output via integrated ear buds. Voice input is obvious but as I said, not ideal, and the human input side is probably the area I am least able to see what innovations might develop. Sensors on finger tips that allow some kind of finger movement based textual input? Perhaps we’ll get to internet access and general computing paradigms where textual input is generally obsolete! Or perhaps some kind of “sub-vocal” input means will be created, allowing “voicing” that is performed silently relative to the outside world!

If you think that I am alone or far fetched in my thinking, then perhaps you were not at the Open Mobile Summit late last year in San Francisco. I heard a few companies talking about these trends and sharing thoughts on concept products that might one day appear. One company showed a “mirror mirror on the wall who is the fairest of them all” concept where as you brush you teeth in the morning, you engage in I/O activites from getting the weather, news and sports, and sending them on to friends. Another company decryied the current “heads down” paradigm of smart phone usage, promising to lift up the heads of people everywhere with use of their future products. I don’t believe my ruminations are entirely speculative!

Of course where innovation goes, crime is sure to follow. It’s an immutable law of nature. What might be the evolution of “computer viruses”, and more generally, the entire arena of “cybercrime”? As noted in prior blogs, this area isn’t just kid stuff or even just “malicious people” stuff anymore. This is hard core major organized crime stuff! Billions of $’s are being stolen, every year, both in outright cash and in more subtle economic forms (intellectual property in particular).

Even today, we already have examples of viruses infecting intimate computing devices. We have an example of malware hiding under a veneer of a legitimate application (watching a new movie trailer) directly monetizing its infection by making toll calls charged to the service plan of the owner of the smart phone. It’s a safe bet that ALL the forms of viruses, malware, bots and botnets, and the like will move through the intimate computing landscape.

Do the specifics of intimate computers enable new and different forms of malware? Note: I’m not referring to the detailed level of “yes there will be differences because it’s Linux or Symbian or XX underneath not Windows or OS/X”. Are there new and unique attributes of intimate computers that will enable whole new classes of malware? If so, what are those unique attributes?

First, the “universal” connectivity of intimate computing devices to the cellular infrastructure is a unique attribute. Second, the popularity of mobile apps (downloaded to and run as independent programs) as the basis for functionality extension is rather unique. Yes we all have loaded applications onto our PC’s, but in general we are rather selective and judicious about that, loading those apps from large well established and recognized legitimate vendors, and we generally load relatively few in number. The intimate computer world is shaping up very differently where loading many tens and even hundreds of little apps from all kinds of no-name vendors is business as usual!

Do the apps represent a new means of malware infection? Well, to a large extent the same issue was present in PC’s. However, what we have here is a huge different in SCALE. BILLIONS of apps are being downloaded; Gartner is projecting approximately 30 BILLION app downloads into intimate computers by 2013. Is the opportunity for large scale infection substantially higher for these intimate computers? Clearly, it is.

What about the cellular I/O that is fundamental and pervasive on these devices? What can malware do with that? I truly don’t know, but one thing I’m 100% certain of: there are some very smart minds out there, with advanced technology knowledge, getting paid by very evil minds with lots of money and no compunctions or morals, thinking about this as a tremendous (criminal) revenue generating opportunity. And that puts intellectual property at risk, not to mention business models and privacy.

So, how do we move forward in our mobile, connected, app-loaded world? With excitement and innovation, but also with consideration for the defenses required to safeguard assets in this brave new world (apologies to Aldous Huxley). If this stirs your thinking a little as we march into the madness of a new decade, I’ve accomplished my goal for today. Happy New Year, and here’s to an exciting second decade of the millenium!

There are recent reports of Microsoft spending upwards of $200M (yes, million!) a year on anti-piracy technology. See the New York Times feature article:

http://www.nytimes.com/2010/11/07/technology/07piracy.html?scp=4&sq=microsoft&st=cse

This is an astounding figure, particularly given that in general, Microsoft software is available at vastly reduced costs from the pirates.

While it may be tempting to conclude from this that software piracy is unstoppable, I thought I would share my perspective based on my company, Arxan’s, experience. Frankly, we’ve seen time and again that our technology (for instance), properly applied on top of a thoughtful design from a security perspective can and does stop piracy. We’ve had major successes in a wide variety of market segments, from low end extremely high volume gaming software, to very low volume but extremely high value geophysical software, and all kinds of interesting applications between those two extremes.

We are also familiar with failure. That’s right, I’m not here to claim our solution is a panacea. It doesn’t work that way. It’s a continuous arms race in general, and on a software title by software title basis, it sometimes feels like hand to hand combat.

What we have learned is that a solid design in the security dimension is critical. A weak security design can’t be easily “protected” later! A design that seriously considers the threats to the software in general, how those threats are directly mitigated by the design, and then on top of that, how the design and implementation itself is protected from undermining through reverse engineering and code tampering, is required.

Secondly, we’ve learned that you have to stay right on top of latest technique used by the cracking community. As an example, we are now to “anti-anti-anti-debug” techniques. That’s right, we deploy anti-debug techniques…and the crackers have deployed anti-anti-debug techniques…and we are deploying techniques to detect those, hence “anti-anti-anti-debug”.

It’s a brave new world indeed!

Microsoft’s piracy problems are complicated by the fact that they have such a broad array of products, from multiple disparate design and development teams, with different licensing schemes, different distribution models and a wide diversity of distribution channels. As anyone who attempts to run their business on Microsoft software knows, Microsoft does NOT look like “one company” when viewed through the lens of purchasing and licensing their software!

Few companies have the financial wherewithal for this level of security investment, both in absolute terms and even in ‘relative to revenues” terms. For these companies, it’s critical that application security be integrated into their product lifecycle, as a “must” design attribute. Letting a team rip on a major product development program, then starting to think about “how do we address this piracy problem?” after the product has been shipping for a few days, weeks or months is to take a step in the direction of Microsoft levels of relative spend. Don’t do that! Just as reliability, usability, and supportability are, these days, critical requirements that are considered through the software product lifecycle, so must software security be considered and addressed.

The end result can be a secure, un-pirated product. We know this for a fact, we’ve succeeded with many customers in achieving this result. So don’t end up staring down the tunnel of extravagant anti-piracy costs: think application security early, and often.

The HDCP copy protection technology has been successfully hacked, through the generation and publication of the overall master key:

http://www.eweek.com/c/a/Security/Intel-Investigating-HDCP-Master-Key-Exposure-384053/

What does this really mean? It is in fact a bit complicated. The content on Blu-Ray disks is protected with something called AACS, and optionally with additional technology called BD+. The Blu-Ray player itself decrypts the content, de-compresses it, and re-scales it as needed for the target display device. Then this content is re-encrypted using HDCP and sent through HDMI to the target display. The display device decrypts the HDCP encrypted content for presentation on the monitor.

With this master key, it is possible to build external devices that will appear as legitimate recipients of HDCP encrypted content with an ability to decode that content, and then do whatever is desired with it (such as re-compress it and make it available through download sites). Will someone do this? It’s a good bet; where’s there’s money to be made via piracy, people will take advantage.

How did this happen? After all, isn’t encryption based security supposed to be based on an “ultimate level of obscurity”, namely, the problem of “can you figure out which # of our 100 billion possibilities I’m using?”.

Yes but…in this case the overall system had a flaw, that allows someone to use some heavy math to “back compute” the master key from a sufficiently sized (but still small, somewhere between 30 and 50) set of “device keys”, which get generated through use of the master key.

Overall, what does this say about our digital media security systems?

The answer is a hard pill to swallow: our digital media security system can’t really be trusted. Nothing about their basis on “hard cryptography” makes them immune from cracking, and nothing about their implementation directly in custom hardware makes them immune.

So what’s needed? What is needed is multiple layers of defense, ideally implemented with both hardware and software mechanisms. Arxan Technologies is predicated on the exponentially increasing difficulty of fully cracking a protected system, when that system is protected by multiple layers of relatively independent security mechanisms. Additionally, the overall architecture should be designed with not just the concept of stopping cracking, but also of anticipating and detecting a cracked environment…and them compromising that environment in a new, subtle but pernicious way.

Always seek to detect and create trouble for the cracker and/or for the user of the crack. I recommend an approach of multiple layers of defense, with both crack blocking strategies and crack detection strategies, all coupled to overt and subtle response strategies.

Intel, in response to this crack, has said they will sue anyone using the master key. Legal solutions to piracy historically have had very limited success. Our technology can and should do better in presenting very difficult barriers to those willing to act outside of the law.

Continuing this recent theme of Android specific blog posts, I’d like to point out the remarkable repeat of history we have going on here.

Consider Apple and their “market creation” and “market leader” position they’ve achieved with the iPhone. Consider its key attributes: a closed system environment in every respect: closed operating system, a tightly controlled 3rd party application solution set, strict limitations on what software is allowed on the devices, and a supporting Apple proprietary media solution (iTunes).

On the scene arrives Android, an open operating platform available to all. And quickly a new business ecology is born, consisting of a myriad of companies building Android/ARM based devices to rival Apple’s, all similar but all unique as well.

Does any of this sound familiar? I hope at least a few readers are old enough to remember Apple’s position in “personal computing” in the early 1980′s with the Apple II (and later MacIntosh) computer. They were “dominant”, with their closed proprietary technology. Along came IBM with an open component approach, with all the critical components (DOS, Intel x86 microprocessors, and boot loaders, backplane and I/O specifications), generally available to all comers. I remember the full page “welcome” add put out by Apple, welcoming IBM to the party, and of course the “once only” Super Bowl ad announcing the Mac a few years later.

So what happened back then? We all know the story: the IBM PC “clone” business got rocking, and soon Apple’s share in the market dropped to less than 20%. Open, clone-able, with lots of choice and variety from a multitude of vendors won out handily over single vendor, closed, more expensive and arguably “better”.

The story is repeating with the iPhone and Android, and in my opinion, the story will continue to repeat. In three years, Apple smart phone share is likely to be down to a fraction of their current leadership share, and you will see massive innovation, variety and choice in the Android based product field. Apple’s closed “complete ecosystem” solution will be better…and still won’t win.

A side note to all of this is the question of where is Microsoft? Here we have what I believe is a fundamental shift in the computing paradigm for the masses, from personal computers to “intimate computers”, computers that stay yet closer at all times to your body than those big and bulky “personal” computers. Where is Microsoft in this transition? Answer: nowhere in sight, at least thus far. The Windows environment has failed to be successful in the multiple attempts to adapt it to the smart phone form factor. The Kin product was a complete disaster and potentially reflective of a real inability to innovate successfully inside Microsoft. Apparently they will be making a fresh try soon with a “Window 7 phone”; it will be fascinating to see if they can recover and establish a serious market position.

In the meantime, the Apple vs. Android wars heat up. Apple yesterday announced a loosening of restrictions on iPhone developers, and everyone thinks this change is a function of competitive pressure from Android, and I’d have to agree. Competition is fundamental to successful capitalism and generally promoting market openness and freedom, and while I am a happy iPhone user, I like to see competition, choice and a lessening of market controlling restrictions.

To sum it up, if I was a betting man, I’d put my personal bet on Android to be the winner here. History tells us it’s the likely outcome — unless Apple will challenge that outcome by signficiantly opening up their walled garden.