I am writing this from my new Zune HD! Thanks Jess!

. and loving it!

The contention that DRM doesn't stop piracy and therefore should be abandoned is false an misleading, and yet it repeated constantly by anti-DRM zealots.

It is absolutely true that DRM will likely never totally prevent piracy. With enough time and effort, virtually any DRM can be cracked. Of course, that's not the reason DRM exists, and that's why the entire line of argument is a straw man.

DRM very effectively prevents casual piracy and counterfeiting. Windows Activation, for instance, effectively prevents the average computer user from sharing their copy of Windows with their buddy, as well as allows users to accurately tell if they were sold a counterfeit copy. 

Does the application of DRM to a software product result in the overall piracy rates of the product changing? That's a hard question to answer if only because casual piracy is virtually impossible to track.

It's fairly easy to track torrent downloads, but no so easy to track how often somebody casually lends an installation CD to somebody else. Studies of traditional piracy suggests that applying DRM doesn't affect the types of piracy that are easy to keep track of publicly.

Casual copying can really only be detected if the product in some way communicates back with the company that created it, or if there are mechanisms in place to audit large numbers of users in some way. Indeed, companies like Microsoft do both of these things. Microsoft claims that Windows Activation in Vista reduces casual piracy and counterfeiting by 50% over XP's Activation process. Even if that figure is off by an order of magnitude, it still makes a lot of sense for Microsoft to pursue these measures.

In the case of digital content distribution software, like Apple's iTunes or Microsoft's Zune Marketplace, DRM may do very little to decrease piracy overall, but these services simply wouldn't exist without DRM. Content creators (record labels, TV producers, etc) would not allow Apple or Microsoft to distribute their content digitally without some safeguards against trivial and casual piracy of that content. It's one thing for somebody to buy a CD, rip it, and create a torrent of it, but it's a far bigger problem if that same person had unrestricted access to 2 million songs that they could then download and redistribute and at ease. Whether that same content is available in bits and pieces via piracy sites is not the question (it obviously is), it's the ease of access and redistribution that a something like iTunes or the Zune Marketplace would provide to would be pirates if there was no DRM applied to those services.

DRM is meant to raise the barrier just enough to prevent casual piracy ("don't copy that floppy!"), and to make media companies happy enough to allow digital music companies like Apple and Microsoft to provide huge content libraries for distribution. It seems that, for now, it is accomplishing these goals. If it weren't, that funky thing called economics would dictate that companies stop using it.

I realize that anti-DRM zealots really want to make as big a stink as possible, either because of some silly ideological stance or because of a previous bad experience. Fine, if you manage to convince enough people that DRM is evil, maybe companies will stop using it. But stop saying that it doesn't work. It does. And, honestly, most computer users couldn't care less about DRM as long as it doesn't get in the way of them doing things they think they shouldn't reasonably be allowed to do.

I'm sure many of you have heard of the PWN to OWN contest... or maybe not. The basic premise is that three laptops running in a default but fully patched configuration, each with a different OS (Mac OS, Vista, Ubuntu), are connected to a network. Hackers then attempt to takeover these machines remotely. If they succeed, they keep the laptop and win $10,000 for their efforts.

The rules for the contest are that the exploit must take advantage of a 0-day exploit (one that is unknown to the general security community and to the software vendors), and it must be used to read a file on the disk. They are a bit light on the details, but one has to assume that the file is readable by the user logged into the machine at the time of the hack. This point becomes very important later in my post.

I spent much of yesterday e-mailing my favorite Mac fanboys and gleefully telling them that the Mac had been hacked first. While none of the laptops could be compromised remotely without user action, the people running the contest allowed for "luring" attacks where users on the laptops were encouraged to open e-mails, visit web sites, etc.

The Mac was brought down by Safari, Apple's web browser, which is the default and most popular web browser on the Mac.

I awoke this morning to find that the Vista machine was next to fall. This was surprising, as I was pretty confident that Vista would survive all the attempts against it... partly because I didn't read the full contest rules. Apparently, popular 3rd party apps were happily installed on the machine.

While I don't have the details of the hack (because they didn't provide them), I have to assume that it was a 3rd party app that allow for the Vista machine to be compromised. Why? Well, because the details given of the hack point all fingers at Firefox.
(UPDATE: This might not be true, see updates at the end of the post.)

Technically, it was Flash that allowed the Vista machine to be compromised. Some unknown exploit in Flash (probably a buffer overflow) allowed the hacker to read the file in question. But wait... IE 7 on Vista has a great feature called Protected Mode. Protected Mode basically boils down to IE running as an extremely low-rights users. If there is a bug in IE, or a bug in a plugin (like flash) running within IE, it will only have the privileges of that low rights user. In other words, it can't do basically anything, much less read one of the user's files.

The announcement that the Vista machine was compromised specifically stated that it was a bug in Flash that was exploited. In order for this to be possible, and for it to have taken place while the user was running IE, they must also have had a 0-day privilege elevation exploit for Windows. Since they didn't say that (and I'm sure they would have, if it was the case), we must conclude that Flash was not running in IE.

So what was it running it? Well, the 2nd most popular browser on Windows is Firefox. Firefox has no protected mode, so any exploits in it, or in any of the plugins that it runs, would have the rights of the logged in user. The fact that it was Firefox is incidental, as it could have been any other browser (aside from IE). Indeed, the fact it was a browser at all is also incidental. Virtually all applications that a user runs are run with the security privileges of that user. The only exceptions to this are managed frameworks (Java, .NET), and IE 7 on Vista.

So how, exactly, does this say anything about Vista security? In the case of the Mac, it was the default browser (written by Apple) that allowed the compromise. On Vista, it was almost certainly a 3rd party browser that is decidedly less secure than the default browser. The exact same hack could have occurred on any OS in exactly the same way.

Indeed, Protected Mode is unique to IE on Vista. It is a security innovation that does not exist on any other OS or any other browser. Microsoft identified IE has the primary attack vector for Windows, and invented a new security technology to defend against those attacks, even without knowing what they were going to be. It is a huge advantage to Vista... and one that apparently was handicapped, intentionally or not, to allow for Vista to be taken down before Ubuntu.

The goal of this contest was not to see which OS or vendor was more secure. (Although one can comfortably conclude that Apple got its butt handed to it.) So in that sense, the contest was a success. But many people will now conclude that Ubuntu is more secure than Vista, and this conclusion is absolutely not supported by what happened.

Update (3/29/2008 1:20 PM): A commenter on Slashdot suggests that Flash actually subverts Protected Mode by using its own brokering process. This allows the low-rights Flash plugin to make calls to a user-rights service which then performs user-level actions such as writing to files. If this is true, it makes me incredibly mad at Adobe. Instead of playing by the rules, they subverted them, and thereby exposed people to potential danger. If I could uninstall Flash, I would... but thanks to their virtual monopoly on a lot of web content, that's really not an option.

Update (3/29/2008 1:35 PM): The Slashdot commenter helpfully provided me with a blog post by the IE team in which commenters discuss ways to circumvent Protected Mode. One of them is indeed Flash, which uses the aforementioned brokering process. So now we're left with two distinct possibilities: either Firefox or some other non-Protected Mode browser was used, or there is an exploit in the brokering functionality of Flash. I think either is completely plausible. Regardless, I think my points still stand regarding how it's not fair to use this to condemn Vista security.

Ya, that's right. Me baby. Me. :)

It just appeared on MSDN Subscriber Downloads a few minutes ago.