You're actually right, its not FUD
on
Security Metrics
·
· Score: 1
They are just spreading 'F' for Fear. After all if you run MicroSoft and then live in 'F'ear, then 'U'ndoubtedly you are very 'C'ertain they are out there trying to infect your machine and they will 'S'ucceed 'U'sually (MS-FUCSU?). Well the only thing left from the original 'FUD' is the 'F' for Fear, but after all they are 'the experts' aren't they? I really must lay off the Secure Operating Systems (SOS) at work and Start Listening to those Important Experts! (SLIE)
My first own version of Moore's Law states in rule one; that the 'density' of the sales force is inversely proportional to the 'core size' (N) of the sales force times e^2. [eg. 1/(N*e^2)] That is the only "density measurement" worth paying attention to when buying any new computer equipment.
My second law of 'density' states that that the PR intelligence quotient is randomly modulated by Schroedingers' cat in the next room, and is only measurable when not actually listening to it.
thanks for the link. I actually have some coworkers asking around at work for someone who can chemically analyze this thing. I would like to know the chemical composition of it since it is very metallic feeling yet still looks somewhat like stone and may have even chipped in one place on impact. It also has debris from the impact embedded in the surface of the ridges so it must have hit the ground at an angle rather than just cratering.
I got up this morning and had a meteorite in my front yard. Landed about 40 feet from both my house and my car. It was about 3.5" in diameter and VERY heavy for its size. Metallic with iron oxide in the concave indentations but non-magnetic. It would do some serious damage if it hit something straight on, but this one must have skipped across the field next to us and just happened to stop where it was laying in my grass. I never heard a thing.
Ok, why does everyone who has not driven a Prius think its slow? I traded in a high-test gas guzzling performance V8 equiped with ZR rated tires (220 mph) for a smaller Toyota Prius and I can honestly say I'm not missing anything for performance. My Prius can outperform the vast majority of the cars on the street today. Ok, it won't blow the doors off of a Corvette or a 5.0L Mustang, but I will easily get 3-4 times their gas mileage while trying. As far as the top end speed I'm just not going to incriminate myself in this forum, but believe me the tires delivered on the stock Prius should be upgraded!
Two points on Prius "performance".
1) Electric motors have maximum torque at zero RPM's, so its quick off the line even though you may have to wait for the gas engine to start and rev up before you have full torque for full acceleration.
2) The computer controlled continously variable transmission (CVT) allows the small engine to work at maximum power throughout its acceleration, so there is no lag from shifting and slowing due to inefficient gear ratios. Smooth and constant acceleration which is optimized at all times once the engine is rev'ed up. When a Mustang shifts gears I generally catch up, then they take off again when they hit their sweet spot of their power range. Sometimes it can be annoying (lol) having to take your foot off the gas in the same rhythm as the car in front of you that is having to shift gears. Gas, break, gas, break, gas, break... (no, I don't really drive like that):-]
Since when does giving a deposition have anything with appearing in a court room? They ask the questions and you answer them. Thats it. They get to decide what topic is important and how to phrase that question and you simply get to say yes or no in most cases. They can ask you about your personal life, finances, and just about whatever they want to ask. Hopefully you'll bring a lawyer to draw the line in the sand if you are smart. If they don't ask a question where you can show them how stupid SCO is being then you miss the chance to have your say on the subject. Its not a fun experience I can assure you. If I could appear before the judge in this case I happily volunteer because that environment is a lot more conducive to showing a fair outlook on the facts of the case and with a little luck you might get to expand on the subject enough to nail them to the wall in the eyes of the court.
It seems every so often I need somebody at the White House dot gov to send a reminder email to my boss expaining to him what a wonderful job we are all doing. As a pointy haired boss/security researcher one day he might just catch on, but until then it is just a lot of fun to watch your boss being in such a good mood. Good thing that the Clues-Are-Us stores in our area have not had a good sale recently. Catburt would be proud!
Way back, around 82 I believe. Microsoft Flight Simulator V 1.0 in fact. Yes, Microsoft was one of the great pioneers of computer bugs back in those days. Still is I reckon. I had just trashed my home-brew birds nest of a computer I built in my dorm room and traded up for IBM's new 1.44Mhz 8088 speed deamon of a system with a whopping base of 64k memory and simultaniously bought a "color" monitor and the one and only computer game sold there at the business store just to try it out.
As a WWI flying ace I would cross the river into enemy territory and drop my one bomb on the enemies air strip while all their planes were scrambling after my old Sopwith Camel biplane. A few minutes after that I was dodging bullets and loosing fuel like a sponge made out of swiss cheese. When all hope seemed lost I had my trusty old 'physics trick' that would always bring me home to fight another day. By shutting off the throttle to idle and flipping the plane over I could "fall upwards" under the force of gravity (to most planes gravity is down, but my plane was special). In fact I would fall upwards even after the engine died from lack of oxygen. Since back in 1918 the turbo had not even been invented yet so I was soon above the enemy's normal flight ceiling and I could just flip back over and glide back home across the river and land at my own base. Good thing I could hold my breath that long, for lack of oxygen! Yes, Sonny, after landing back home I'd just dust myself off spend the night at a local saloon and go back for more the next day! That red Barron never could figure out how to shoot me down and they never figured out how to follow after me either. Yep, those were the good old days!
There are many software tools out there for static analysis, but differ in what they do or who they target as their customer. The big names in my mind are Coverty, Fortify, Prexis, and PolySpace. I only have personal experience with Prexis and PolySpace so I will just speak to those.
One important thing to consider is the set of compilers, tools, target system, and build environments you are using. If you are using MS only products the you will most likely have very good support because most all source code analysis suits will simply import the build information and you will be off and running right away. If your environment is Unix or embedded systems then things may be more difficult because you will need to hook into the build process somehow. The scanner tools usually intercept the CC command from a "make" build and call their back end using their custom processing rather than the compiler proper. Different products do this in different ways so be sure the product you choose knows how to deal with your specific build environment. In my case I walked into another parties environment and needed to simulate a build for a new build environment that I had never seen before, every time. Not one environment ever looked like the next, so the setup and configuration was always a big challenge, just to get started.
Prexis is primarily a tool for life cycle scanning of source code for security issues. There are two ways to perform the code scanning, with either the main engine component which can schedule nightly scans and track progress over time or with the additional Prexis Pro utility, which is designed for quick assessments by the engineers on their own code without logging everything into the main database. The Pro tool worked best for my code assessments since I had no need for tracking changes over time, and it was a little easier to configure which counts for a lot in my situation.
PolySpace is a completely different tool with a different purpose from Prexis. PolySpace attempts to mathematically discover runtime flaws in the code while only using static analysis to do so. It does a great job on smaller projects, but because of the complexity and thoroughness of its analysis, it is somewhat slow. PolySpace needs to evaluate an entire application all at once in order to do a good analysis. If your.5 MSLOC of code is many separate programs/executables then you will be fine, but if you are talking about one huge monolithic application then you may have to evaluate it in chunks which just increases the false positives and forces the engineer to do more manual chasing of details to determine if the issue is really a problem or not. From what I have seen this product is in a class by itself.
Yes, if I counted only 'kernel patches' and only made them available once a month, and collectively patched everything and its brother in one single "patch" file, then I bet my OS would have fewer patches than Windows(tm), no matter what OS I was talking about.
Cooking the numbers does not change reality one bit. Count the total infected machines on the Internet then divide by the total number of that type of OS and see who is more secure. Of course just detecting a rootkit installed on a Windows box will cause you problems because there are a lot out there with no way to even detect them yet. Yea, like I am going to believe a virus scanner company's stats that cant even detect an infection! Go figure.
...these days to fix all the security problems designed into their products? Its not that they are leaving the country, or even not coming here, they are just getting too smart to take such a thankless job anymore. I'm really not trying to be flame bait but I really do know lots of immigrants who would never work there by choice. They are not dumb or despite and are free to make up their own minds.
Sign up an get a free subscription to an RIAA law suit generator. For your money you get to download their installation utility (aka Limewire) and download all the law suits you like, for life! No monthly fees, no costs per download! Come and get your RIAA law suit while they are hot!
Subscription for life? If it sounds too good to be true, then it is just that.
Do you think for a minute that only "schoolgirls" get HPV? What about schoolboys? Schoolgirls would not contract a transmitted disease unless it is first transmitted. How about we give the vaccine to all the school boys instead, or in addition to, as the boys should share in some of the "responsibility" of the problem shouldn't they? Just because they don't contract the cancer from HPV does not mean they should not help the prevention of it. After all they do share at least 50% of the responsibility for the problem.
More like who will sign M$'s OS, which would be run within the VM/emulator that controls the simulated environment. The BIOS is what starts the whole trusted process, but you can replace that if you own it. You could do it with an Xbox as well but you first need to spend the time to figure out how it works. Emulated hardware can basically lieto the OS living on top of it, and any attempt to 'discover' it can be hooked and mitigated if you have control of the real/physical hardware. Both Xbox and PS3 will be hacked for you, give it time.
Yes, and just how obscure can a "standard" be? I have been harping on just how stupid the whole concept of DRM is, ever since Sony root-kitted everyone. Even after Gates makes all Windows boxes a "trusted system" we can just dust off the logic analyzers and hack the bios. If that does not work, vm's, and OS emulators will. There is no limit to the ingenuity of a pissed-off geek when they can't play what they just payed good money for, but only because of some arbitrary restriction embedded in the code. Just give a dedicated geek the binary and they will know _all_ the "secrets" about how it works. Thats a given. DRM by design can never logically work no matter how much time, energy, and money the designers throw into it. It is a flawed concept by design.
And I see that Apple has the same thoughts this morning. Right now they may be the one company that can actually do something about it too! If they can make that happen I will start buying from iTunes the very next day.
To achieve this concept of the mystical DRM you need three things: 1) Encrypted playable data, 2) the magic key, 3) the algorithm for applying that key to the data and sending it to the computers hardware. The problem is that you have to give the user all three components in order for them to play the music or watch the movie, otherwise its unusable. The producer of the DRM has but one goal, to keep the owner from knowing or accessing one or more of these components while still being able to put the three together when and how needed.
Whats wrong with this picture? Logically, if you can put them together in order to play the media you can 'read' the unencrypted data, and if you can read it you can copy it. The "magic" in DRM is simply the "how" that they keep you from knowing how to put them all together. Its nothing but a secret designed to prevent you from accessing your own computers data while playing the media. Everything else is nothing but hype with smoke and mirrors. The only people that truly benefit from the distribution of DRM are the ones designing, producing, and selling it the DRM itself, not the media that it encodes. The Media boardroom executives at the major studios are just not smart enough to realize the hype that they are being fed by these DRM designer companies. Bottom line, you can't make a DRM that is unbreakable so it prevents nothing so far as the goal that it is being sold for. Its a sham and it needs to be recognized for what it is.
To the professional black-market vendors all the DRM smoke-and-mirrors is merely a speed bump because they just physically copy the whole disk/file bit by bit and bypass the need to even decode the data, it's the user needs to do that and their player will happily do that for them. Making the much sought after DRM-free Internet down loadable version of the file is a little harder, but then you only need one pissed-off geek to put it out there and the game is over. Just one. Thats something that the all the Board Room Exec's should all think about. How much has the price of what they produce gone up due to the DRM they have uselessly added to their product? How many fewer people have purchased their product due to the DRM making it more expensive and in many cases completely unusable? If there is one thing I know is that the bottom line in their check book is what matters, and they are being duped by the technology vendors just like the snake oil salesmen of years ago.
You would think that any self respecting CyberSquater would be collecting all the email address of the recipiants. After all, only a real person would reject Spam, hence the 'To:" address was a valid one. Most spammers would pay a bundle for a list of valid addresses!
Give me any HD-DVD or Blue-Ray hardware player using AACS and any old cheap logic analyzer and I could (but don't bother asking) hand you any hardware or volume key you want. DRM does not work because the whole concept of DRM is flawed. If you give someone the data, and also give them the key so they can play it, then they can copy it. Period. Any "magic" that is applied to keep you from knowing the key is merely a speed bump to an average geek.
All you need is one very pissed-off average geek that can't watch their bought-n-paid-for movie and the whole non-DRM'ed movie is likely going to be out there for everyone else, that can't watch their own copy, to download it. In fact, the more players that they "revoke" the keys for, then the more pissed-off geeks there will be, and the more movies that will likely be available for download. Its a loosing proposition any way you look at it. With DRM the "fix" becomes "the problem". The only people that win are the ones writing the DRM and spoon feeding the Board room executives that don't know that DRM can't work.
When will they ever learn that you can't solve a SOCIAL PROBLEM using technology of any kind. In fact they should wise up and realize that its the professionals that build specialized hardware that copy the "protected" disk bit-by-bit, then burn a thousand copies, and are making big bucks off of all the boot-leg copies. Those are the ones they should go after, not the average people that paid for the movie and just want to watch what they paid for, when and where they want to. So, RIAA/MPAA, take it from a security geek, know thy enemy! You can't fix a problem if you don't even try to understand what the problem is!
I had a similar situation only it was during the switch of one Government contractor company to the newly awarded contractor. They made small promises of 'educational reimbursement' just to keep me onboard but later made excuses, and finally reneged on those promises altogether. We are not talking about big bucks here. Within two weeks of that realization I had another job and they were left hunting for someone who even had a clue about doing my job. For me it was not a matter of money, but moral principal. I just won't work for anyone who can't be trusted to keep their word. Period. As for my coworkers who did not do anything deceitful, I kept in touch and helped keep them personally out of hot water when they needed it, for the better part of two years. So I do know how long they were looking for a replacement. In the short run the company saved the cost of one semesters course tuition, but in the long run they paid dearly for their shameless deceptive behavior.
DRM is doomed to failure and addresses the wrong problem, but watermarking addresses the Social problem in making it less desirable to share with the Internet at large.
Any Crypto-based DRM can be bypassed. RIAA/MPAA give the person the DRM'ed data and give them the key to play it, and then they tell them they are not allowed to copy it. I have news, if you can play it you can read it. Period. Failure guaranteed. The problem is that by making it unusable by DRM'ing it they actually ensure that someone will be pissed-off enough to put it out on a p2p share.
Watermarking on the other hand addresses the Social issue and is only a deterrence to sharing the file, not to using it anywhere or anytime the purchaser chooses. The drawback is that one takes a chance of the media getting into the wrong hands and then getting blamed for willingly violating the copyright laws. Yes, you can easily remove or destroy a simple watermark, however the watermark can be done in such a way that when repeated with several variations of bit flips during encoding the water mark can still be recovered, much like using parity bits to correct a memory storage error. The question the p2p sharer will have to face is whether they have sufficiently removed the redundant copies well enough to prevent the recovery process from revealing their identity. Of course you can buy it under false pretenses/name and then its all a moot point. Just being a deterrence to keep the honest person from sharing without suffering undue problems during its use is definitely a step in the right direction.
The dark side of this is that DRM could be added in such a way that the player would refuse to play without a second watermark being present. If you destroy the first then the second won't allow the media to be used. Thats only a speed bump for a true geek. You can count on the MPAA/RIAA to jump on that band wagon before long, and we will see more of the same until they come to their senses. They don't learn very quickly after all.
DRM as a technology is a futile battle from the get go. Give a motivated person both the key and the data and [s]he can certainly figure out how to put the two together. You can't play the media unless you have both pieces of the puzzle, and if you do have both then you can copy it too. Its only a matter of time before someone does it, just once, and its game over if they choose to share it.
The main point of the matter is that they need to 'want' to share it. By making it difficult to use the media you are in fact creating a bias against the DRM provider, and that owner of the brand new unlistenable or unwatchable 'coffee cup coaster' may just choose to get even. The only question that remains is just how motivated this person becomes. Smart idea or not, once the mp3/iso/mpeg is out in the wild you can't put the genie back in the bottle. It only takes one pissed-off geek.
As a technology DRM can only be successful if you can withhold one of the pieces until it is needed or have it locked in the hardware. But even the 'special hardware' does not stand up to a simple soldering iron and a logic analyzer. The major players in the Video black market know how to use, modify, and build electronics that can get around the DRM. They can make a boat load of money dumping thousands of pirated CD/DVD's on the streets, and all that fancy DRM isn't going to be but a speed bump in their way. This is where the laws and enforcement needs to be channeled, not into suing somebody for copying last nights TV show for their little sister who was out late at that PTA meeting and happened to miss it.
Ok, What language is your Ada compiler written in? There are very few self-hosted languages that do not rely on "C" at some level. Also, the OS and the system libraries were written in C. At some level you need to deal with the stated problem. All that being said many people are probably better off with Ada unless they actually "study" software security on a daily basis.
Are all the analysts that came in contact with the disk drive in question certified forensic analysts, and if so by whom? http://www.cert.org/certification/IHcertification_ faq.html
Was the disk drive ever out of your possession?
Who handed you the drive and what paperwork did you sign?
Are all their tools "certified" for forensic analysis?
Was the drive mounted "read only" so that no contamination could occur?
When on what day did they last test their own forensic analysis computers for rootkits?
Did they perform those same rootkit tests on the disk drive in question?
Where is the certification for their forensic computer systems?
Have these machines ever been used for any task other than forensic analysis?
Was the disk drive checksummed both before and after the analysis to prove it was not tampered with?
Slashdot Mirror
They are just spreading 'F' for Fear. After all if you run MicroSoft and then live in 'F'ear, then 'U'ndoubtedly you are very 'C'ertain they are out there trying to infect your machine and they will 'S'ucceed 'U'sually (MS-FUCSU?). Well the only thing left from the original 'FUD' is the 'F' for Fear, but after all they are 'the experts' aren't they? I really must lay off the Secure Operating Systems (SOS) at work and Start Listening to those Important Experts! (SLIE)
My second law of 'density' states that that the PR intelligence quotient is randomly modulated by Schroedingers' cat in the next room, and is only measurable when not actually listening to it.
thanks for the link. I actually have some coworkers asking around at work for someone who can chemically analyze this thing. I would like to know the chemical composition of it since it is very metallic feeling yet still looks somewhat like stone and may have even chipped in one place on impact. It also has debris from the impact embedded in the surface of the ridges so it must have hit the ground at an angle rather than just cratering.
I got up this morning and had a meteorite in my front yard. Landed about 40 feet from both my house and my car. It was about 3.5" in diameter and VERY heavy for its size. Metallic with iron oxide in the concave indentations but non-magnetic. It would do some serious damage if it hit something straight on, but this one must have skipped across the field next to us and just happened to stop where it was laying in my grass. I never heard a thing.
Two points on Prius "performance".
1) Electric motors have maximum torque at zero RPM's, so its quick off the line even though you may have to wait for the gas engine to start and rev up before you have full torque for full acceleration.
2) The computer controlled continously variable transmission (CVT) allows the small engine to work at maximum power throughout its acceleration, so there is no lag from shifting and slowing due to inefficient gear ratios. Smooth and constant acceleration which is optimized at all times once the engine is rev'ed up. When a Mustang shifts gears I generally catch up, then they take off again when they hit their sweet spot of their power range. Sometimes it can be annoying (lol) having to take your foot off the gas in the same rhythm as the car in front of you that is having to shift gears. Gas, break, gas, break, gas, break... (no, I don't really drive like that) :-]
Since when does giving a deposition have anything with appearing in a court room? They ask the questions and you answer them. Thats it. They get to decide what topic is important and how to phrase that question and you simply get to say yes or no in most cases. They can ask you about your personal life, finances, and just about whatever they want to ask. Hopefully you'll bring a lawyer to draw the line in the sand if you are smart. If they don't ask a question where you can show them how stupid SCO is being then you miss the chance to have your say on the subject. Its not a fun experience I can assure you. If I could appear before the judge in this case I happily volunteer because that environment is a lot more conducive to showing a fair outlook on the facts of the case and with a little luck you might get to expand on the subject enough to nail them to the wall in the eyes of the court.
It seems every so often I need somebody at the White House dot gov to send a reminder email to my boss expaining to him what a wonderful job we are all doing. As a pointy haired boss/security researcher one day he might just catch on, but until then it is just a lot of fun to watch your boss being in such a good mood. Good thing that the Clues-Are-Us stores in our area have not had a good sale recently. Catburt would be proud!
As a WWI flying ace I would cross the river into enemy territory and drop my one bomb on the enemies air strip while all their planes were scrambling after my old Sopwith Camel biplane. A few minutes after that I was dodging bullets and loosing fuel like a sponge made out of swiss cheese. When all hope seemed lost I had my trusty old 'physics trick' that would always bring me home to fight another day. By shutting off the throttle to idle and flipping the plane over I could "fall upwards" under the force of gravity (to most planes gravity is down, but my plane was special). In fact I would fall upwards even after the engine died from lack of oxygen. Since back in 1918 the turbo had not even been invented yet so I was soon above the enemy's normal flight ceiling and I could just flip back over and glide back home across the river and land at my own base. Good thing I could hold my breath that long, for lack of oxygen! Yes, Sonny, after landing back home I'd just dust myself off spend the night at a local saloon and go back for more the next day! That red Barron never could figure out how to shoot me down and they never figured out how to follow after me either. Yep, those were the good old days!
One important thing to consider is the set of compilers, tools, target system, and build environments you are using. If you are using MS only products the you will most likely have very good support because most all source code analysis suits will simply import the build information and you will be off and running right away. If your environment is Unix or embedded systems then things may be more difficult because you will need to hook into the build process somehow. The scanner tools usually intercept the CC command from a "make" build and call their back end using their custom processing rather than the compiler proper. Different products do this in different ways so be sure the product you choose knows how to deal with your specific build environment. In my case I walked into another parties environment and needed to simulate a build for a new build environment that I had never seen before, every time. Not one environment ever looked like the next, so the setup and configuration was always a big challenge, just to get started.
Prexis is primarily a tool for life cycle scanning of source code for security issues. There are two ways to perform the code scanning, with either the main engine component which can schedule nightly scans and track progress over time or with the additional Prexis Pro utility, which is designed for quick assessments by the engineers on their own code without logging everything into the main database. The Pro tool worked best for my code assessments since I had no need for tracking changes over time, and it was a little easier to configure which counts for a lot in my situation.
PolySpace is a completely different tool with a different purpose from Prexis. PolySpace attempts to mathematically discover runtime flaws in the code while only using static analysis to do so. It does a great job on smaller projects, but because of the complexity and thoroughness of its analysis, it is somewhat slow. PolySpace needs to evaluate an entire application all at once in order to do a good analysis. If your .5 MSLOC of code is many separate programs/executables then you will be fine, but if you are talking about one huge monolithic application then you may have to evaluate it in chunks which just increases the false positives and forces the engineer to do more manual chasing of details to determine if the issue is really a problem or not. From what I have seen this product is in a class by itself.
BTW - keep you eyes on this site: http://samate.nist.gov/index.php/Main_Page
Cooking the numbers does not change reality one bit. Count the total infected machines on the Internet then divide by the total number of that type of OS and see who is more secure. Of course just detecting a rootkit installed on a Windows box will cause you problems because there are a lot out there with no way to even detect them yet. Yea, like I am going to believe a virus scanner company's stats that cant even detect an infection! Go figure.
...these days to fix all the security problems designed into their products? Its not that they are leaving the country, or even not coming here, they are just getting too smart to take such a thankless job anymore. I'm really not trying to be flame bait but I really do know lots of immigrants who would never work there by choice. They are not dumb or despite and are free to make up their own minds.
Subscription for life? If it sounds too good to be true, then it is just that.
Do you think for a minute that only "schoolgirls" get HPV? What about schoolboys? Schoolgirls would not contract a transmitted disease unless it is first transmitted. How about we give the vaccine to all the school boys instead, or in addition to, as the boys should share in some of the "responsibility" of the problem shouldn't they? Just because they don't contract the cancer from HPV does not mean they should not help the prevention of it. After all they do share at least 50% of the responsibility for the problem.
More like who will sign M$'s OS, which would be run within the VM/emulator that controls the simulated environment. The BIOS is what starts the whole trusted process, but you can replace that if you own it. You could do it with an Xbox as well but you first need to spend the time to figure out how it works. Emulated hardware can basically lie to the OS living on top of it, and any attempt to 'discover' it can be hooked and mitigated if you have control of the real/physical hardware. Both Xbox and PS3 will be hacked for you, give it time.
And I see that Apple has the same thoughts this morning. Right now they may be the one company that can actually do something about it too! If they can make that happen I will start buying from iTunes the very next day.
Whats wrong with this picture? Logically, if you can put them together in order to play the media you can 'read' the unencrypted data, and if you can read it you can copy it. The "magic" in DRM is simply the "how" that they keep you from knowing how to put them all together. Its nothing but a secret designed to prevent you from accessing your own computers data while playing the media. Everything else is nothing but hype with smoke and mirrors. The only people that truly benefit from the distribution of DRM are the ones designing, producing, and selling it the DRM itself, not the media that it encodes. The Media boardroom executives at the major studios are just not smart enough to realize the hype that they are being fed by these DRM designer companies. Bottom line, you can't make a DRM that is unbreakable so it prevents nothing so far as the goal that it is being sold for. Its a sham and it needs to be recognized for what it is.
To the professional black-market vendors all the DRM smoke-and-mirrors is merely a speed bump because they just physically copy the whole disk/file bit by bit and bypass the need to even decode the data, it's the user needs to do that and their player will happily do that for them. Making the much sought after DRM-free Internet down loadable version of the file is a little harder, but then you only need one pissed-off geek to put it out there and the game is over. Just one. Thats something that the all the Board Room Exec's should all think about. How much has the price of what they produce gone up due to the DRM they have uselessly added to their product? How many fewer people have purchased their product due to the DRM making it more expensive and in many cases completely unusable? If there is one thing I know is that the bottom line in their check book is what matters, and they are being duped by the technology vendors just like the snake oil salesmen of years ago.
The story is here
You would think that any self respecting CyberSquater would be collecting all the email address of the recipiants. After all, only a real person would reject Spam, hence the 'To:" address was a valid one. Most spammers would pay a bundle for a list of valid addresses!
All you need is one very pissed-off average geek that can't watch their bought-n-paid-for movie and the whole non-DRM'ed movie is likely going to be out there for everyone else, that can't watch their own copy, to download it. In fact, the more players that they "revoke" the keys for, then the more pissed-off geeks there will be, and the more movies that will likely be available for download. Its a loosing proposition any way you look at it. With DRM the "fix" becomes "the problem". The only people that win are the ones writing the DRM and spoon feeding the Board room executives that don't know that DRM can't work.
When will they ever learn that you can't solve a SOCIAL PROBLEM using technology of any kind. In fact they should wise up and realize that its the professionals that build specialized hardware that copy the "protected" disk bit-by-bit, then burn a thousand copies, and are making big bucks off of all the boot-leg copies. Those are the ones they should go after, not the average people that paid for the movie and just want to watch what they paid for, when and where they want to. So, RIAA/MPAA, take it from a security geek, know thy enemy! You can't fix a problem if you don't even try to understand what the problem is!
I had a similar situation only it was during the switch of one Government contractor company to the newly awarded contractor. They made small promises of 'educational reimbursement' just to keep me onboard but later made excuses, and finally reneged on those promises altogether. We are not talking about big bucks here. Within two weeks of that realization I had another job and they were left hunting for someone who even had a clue about doing my job. For me it was not a matter of money, but moral principal. I just won't work for anyone who can't be trusted to keep their word. Period. As for my coworkers who did not do anything deceitful, I kept in touch and helped keep them personally out of hot water when they needed it, for the better part of two years. So I do know how long they were looking for a replacement. In the short run the company saved the cost of one semesters course tuition, but in the long run they paid dearly for their shameless deceptive behavior.
Any Crypto-based DRM can be bypassed. RIAA/MPAA give the person the DRM'ed data and give them the key to play it, and then they tell them they are not allowed to copy it. I have news, if you can play it you can read it. Period. Failure guaranteed. The problem is that by making it unusable by DRM'ing it they actually ensure that someone will be pissed-off enough to put it out on a p2p share.
Watermarking on the other hand addresses the Social issue and is only a deterrence to sharing the file, not to using it anywhere or anytime the purchaser chooses. The drawback is that one takes a chance of the media getting into the wrong hands and then getting blamed for willingly violating the copyright laws. Yes, you can easily remove or destroy a simple watermark, however the watermark can be done in such a way that when repeated with several variations of bit flips during encoding the water mark can still be recovered, much like using parity bits to correct a memory storage error. The question the p2p sharer will have to face is whether they have sufficiently removed the redundant copies well enough to prevent the recovery process from revealing their identity. Of course you can buy it under false pretenses/name and then its all a moot point. Just being a deterrence to keep the honest person from sharing without suffering undue problems during its use is definitely a step in the right direction.
The dark side of this is that DRM could be added in such a way that the player would refuse to play without a second watermark being present. If you destroy the first then the second won't allow the media to be used. Thats only a speed bump for a true geek. You can count on the MPAA/RIAA to jump on that band wagon before long, and we will see more of the same until they come to their senses. They don't learn very quickly after all.
The main point of the matter is that they need to 'want' to share it. By making it difficult to use the media you are in fact creating a bias against the DRM provider, and that owner of the brand new unlistenable or unwatchable 'coffee cup coaster' may just choose to get even. The only question that remains is just how motivated this person becomes. Smart idea or not, once the mp3/iso/mpeg is out in the wild you can't put the genie back in the bottle. It only takes one pissed-off geek.
As a technology DRM can only be successful if you can withhold one of the pieces until it is needed or have it locked in the hardware. But even the 'special hardware' does not stand up to a simple soldering iron and a logic analyzer. The major players in the Video black market know how to use, modify, and build electronics that can get around the DRM. They can make a boat load of money dumping thousands of pirated CD/DVD's on the streets, and all that fancy DRM isn't going to be but a speed bump in their way. This is where the laws and enforcement needs to be channeled, not into suing somebody for copying last nights TV show for their little sister who was out late at that PTA meeting and happened to miss it.
Ok, What language is your Ada compiler written in? There are very few self-hosted languages that do not rely on "C" at some level. Also, the OS and the system libraries were written in C. At some level you need to deal with the stated problem. All that being said many people are probably better off with Ada unless they actually "study" software security on a daily basis.
Are all the analysts that came in contact with the disk drive in question certified forensic analysts, and if so by whom?_ faq.html
http://www.cert.org/certification/IHcertification
Was the disk drive ever out of your possession?
Who handed you the drive and what paperwork did you sign?
Are all their tools "certified" for forensic analysis?
Was the drive mounted "read only" so that no contamination could occur?
When on what day did they last test their own forensic analysis computers for rootkits?
Did they perform those same rootkit tests on the disk drive in question?
Where is the certification for their forensic computer systems?
Have these machines ever been used for any task other than forensic analysis?
Was the disk drive checksummed both before and after the analysis to prove it was not tampered with?