DRM Hole Sets Patch Speed Record For Microsoft
puppetman writes "Wired columnist Bruce Schneier has an article up called 'Quickest Patch Ever', about a patch that was issued within three days to fix a vulnerability in Windows Digital Rights Management (DRM)." From the article: "Now, this isn't a 'vulnerability' in the normal sense of the word: digital rights management is not a feature that users want. Being able to remove copy protection is a good thing for some users, and completely irrelevant for everyone else. No user is ever going to say: 'Oh no. I can now play the music I bought for my PC on my Mac. I must install a patch so I can't do that anymore.' But to Microsoft, this vulnerability is a big deal. It affects the company's relationship with major record labels. It affects the company's product offerings. It affects the company's bottom line. Fixing this 'vulnerability' is in the company's best interest; never mind the customer."
So this is going to be the least installed patch for Windows ever. Until they make it mandatory.
I often have trouble remembering which way is out of bed in the morning.
No matter what anyone in your company tries to tell you, this kind of rapid response is EXACTLY what we are clamoring for when we ask that you take security seriously. Please tell your bosses. Thanks...
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
This leads me to 2 questions: "can patching be regulated?" and "should patching be regulated?". It seems obvious the free market can't keep our computers secure. I've been wrong before though. I guess maybe it could if people didn't already have the expectation that they shouldn't have to pay for patches b/c Microsoft should fix their own faulty software.
I guess it's all pretty moot since open source is going to take over the world anyway.
Does this sig remind you of Agatha Christie?
"But to Microsoft, this vulnerability is a big deal. It affects the company's relationship with major record labels."
What relationship? Why is it important?
Do they get money from them? Is Steve B. banging a secretary in the RIAA office?
I just don't get it.
The Kruger Dunning explains most post on
How can they make it a mandatory patch, even if marked critical? It seems to me that the most they could do is impose a restriction that you couldn't install other patches until you installed this one, but they still can't force you to install it.
<microsoft bashing bitch session>It really makes me wonder whether, as Microsoft introduces more "security" and "protection" that diminish a user's capability, at what point will it cease to be worthwhile to upgrade/patch/fix? Sometimes I think that point was crossed with the introduction of Windows XP</microsoft bashing bitch session>
This is not a patch. A patch fixes a problem and makes software usable again.
This takes usable, functioning software (FairUse4WM) and breaks it.
"Patch" my ass, this is a bug, which users are expected to install themselves.
It's not a lie. It's the truth with lossy compression.
Good point, good point... but why can't they do this with the security patches that are just as small then? I mean, sure, some of the patches may require billions of lines of code and touch every product in their lineup, but I have a hard time believing they all do. In fact, I would be shocked if there weren't quite a few of them that are easier to repair, once the vulnerability is known, than this was.
I don't want the "monthly rollouts were requested by corporate customers" line, either... Even if they were - there is no reason to not release them to those that want them earlier, as well as a monthly package.
First of all, it's been cracked again. Look up FairUse4WM 1.2.
Second of all, from what I've seen, it's not pushed out via windows update, but rather the client you are using for music. For instance, Napster pushed out the new version via a tiny patch when I launched the client. There IS a way to trick your client into believing that you already have the latest version (thus preventing the forced update). Look it up in the doom9 forums.
This should keep the crack working until Napster pushes out a completely new version of the client that explicitly checks the version, or Microsoft issues a regular update.
-T
P.S. Napster provided free of charge by my university. Hell, as a grad student, I guess I get paid to use it...
I know this goes against the Slashdot groupthink but yeah, real customers (as in people) do get hurt by this kind of thing.
My brother used to subscribe to the Napster "all you can eat" music service, in which you basically rent music - you pay a fixed amount each month and just listen to however much you like. If you stop subscribing you lose access to the music. He liked this business model, because it suited the way he listens to music. I'm the same. There isn't any way to implement this without DRM, and if DRM is not robust, that business model will die. And then the silent section of the populace who doesn't read Slashdot, and doesn't really give a crap about DRM, will just get pissed off.
You've gotta love how one sided DRM debates here always are ... the artists and non-technical users are sort of presumed to not exist, or not be important.
That they didn't have the bug pre-patched?
In the case of DRM, the system is set up to block compromised clients at the server level immediately.
In the case of DRM, backup DRM methods are already pre-written and ready to ship.
As soon as a system is compromised, the existing method is deactivated, servers notified to deny licenses, and the new system is delivered via the servers.
They are able to 'patch' this so quickly because they already had it written months, if not years, ago. Just like when this one gets compromised, they will be able to 'patch' as fast because they already have the next backup DRM method already on the shelf waiting.
They know this is a game with those who circumvent DRM, and a game which requires time for each DRM method to be circumvented. So they build a store of different methods of DRM and when one is circumvented they release the next. The game continues... and time is currently on the side of Microsoft as they have their next few moves on the shelf ready.
It sounds like it should be easy enough to make WM licensees believe the patch has been installed when it really hasn't.
In WA state the programmer is a slave to overtime. WA state law allows businesses to require overtime without having to pay for it on any salaried worker. This is a device of Microsoft. Microsoft lobbied to get the laws changed so that the programmer positions changed.
A programmer is the person who actually, through their very creativity and knowledge, makes the product come into being. This is far different than someone that works as an assembly line worker who just does their small part. Programmers are the reason the products exist. For me, that's the reason I don't work as a programmer. I don't want my blood, sweat, and creativity exploited by companies such as Microsoft that make billions of dollars a quarter on my work.
WA needs to revert back to the laws that allow these programmers to get paid overtime. It is only fair. This isn't a management position and thus should never have been changed. It only happened because Microsoft lobbied to make it happen.
You can lead a man with reason but you can't make him think.
We tend to think of all patches as security patches, but that isn't the case. A change to DRM should not, on the face of it, appear among the security updates seen on Tuesdays.
I was going to suggest this. When I really need to run something that's Windows-only, I run it in a WinXP virtual machine on my Linux box.
I was actually surprised at how spry Windows feels, when it's not bogged down by a lot of anti-virus/spyware/adware, automated backup programs, and the like. Of course, without those things it's not a terribly useful host OS, because it gets owned so easily (click on wrong link in Internet Explorer -> ActiveX control -> rootkit), but as a guest OS, I just disable all patching and auto-updates.
When I'm done with whatever I'm doing with it, I just roll the image back to its saved state and shut it down. Basically I can abuse the living shit out of it, and then just kiss it goodbye the second it starts acting up.
Obviously you need to take steps to make sure that you save your work somewhere not on the VM's drive (duh...), but I could definitely see the possibility for working like this. I still hate working in Windows, but Windows as a VM is orders of magnitude nicer than Windows running on the actual metal.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
You have taken on faith that M$ puts into patches what they say they put into patches. During the anti-trust trial, M$ swore that divulging the source code to Windoze would create a national security risk. Imagine that, they were hysterical before 911 but still have one of the easiest to crack OS's in the world. Next thing you know, they are selling the same source code to China and the former KGB. Now you trust them to not sneak in anything they please onto your system? Why? Isn't it part of their EULA that they can change any part of their OS on your computer with or without your consent?
Friends don't help friends install M$ junk.
An imperfect solution?
I ran into this question some years ago and decided on a different solution. I installed Linux and bought a PS2 (Now GameCube). The reasons are simple and straightforward:
- Game consoles don't crash like computers do.
- They are less expensive than the video upgrades or anything else
- Similarly the games are console compatible for years without requiring hardware upgrades.
- I have a 34" game monitor!
- Kids play games and I still have my computer available.
I found over the years that this is a great solution. While there are some games I can't get on my console I've learned to live without them (see human history for survival stories of people without video games). And there's always a variety of free games. Frozen Bubble!
Anyone know how the GetFileVersionInfo() call works? Does it just read the IBX file version as a sequence of unencrypted bits from the .key file? If so, why not just take a hex editor to it and 'update' your old version to one which will pass the DRM checks?