Tuesday, May 13, 2008

Security through obscurity

As I write this entry, I am on an intercity train going from Tilburg to Utrecht after a 3 hr meeting. Coming back to my home country after having been away for a while, I always forget how beautiful the country really is. Large open spaces, lots of green, a lot of water and pretty scenery. I have been pretty much up for 29 hours (only slept for 3 hrs or so) and feel fairly jet lagged. Readers who do the West-East crossing regularly can probably identify with how I feel at this point :)

Anyhow; I am in The Netherlands to attend the 2008 SURFnet customer relationship event and I will be presenting the work we are doing on AIRT. AIRT is a web-based platform distributed under the GNU General Public License that aims to assist computer security incident response teams with the bureaucratic aspects of their work. AIRT's goal is to minimize the work on incident administration through automation, allowing handlers to focus on the work that really matters.

What does this have to do with Security through obscurity? Absolutely nothing, but since I was writing a blog entry, I might as well throw in a shameless plug for a project on which I spend a considerable amount of time ;).


The topic of this post is to once more drive the point home that
security through obscurity does not work. Most information security
professionals know this, but do not really live it. I try to have as
little of my security work confidential; most of the controls that we
put in place are easy to detect by scanning anyway. Even if we do
practice near-full-disclosure, the bad guy will still want to verify
that what we are saying is correct and he will scan us just for the
heck of it. Of course, our security controls should detect that and we
should determine our reaction to the scans before they take place.



What brought this topic on?



Having moved to the United States from Europe (The Netherlands, to be
exact; look it up), we have a fairly large collection of DVD's that are
now useless. DVD's have a region encoding that prohibits discs authored
for one region from being played in a player meant for another region.
Presumably the content owner did this to be able to segment the market
with different pricing schemes and release schedules. However, the
scheme was cooked up before the ubiquity of the Internet and the
realization that DRM does not really provide as much value as many
people think.



Most DVD players are region-specific by a setting in their software,
and through manipulating that software, the region can be changed. Many
players will allow you to select your region once, and prohibit you
from changing it after the initial choice.



We recently bought a $40 DVD player that was rumored to be region free.
In other words, the manufacturer of that DVD player configured it in
such a way that it would play DVDs for all regions. Unfortunately, the
particular model that we purchased was region 1 locked (the USA is in
region 1). Browsing the internet, we found many unlock codes for other
model players by the same manufacturer, but nothing worked.



Eventually, I decided to just email the manufacturer's customer
services address and ask them how I could change the region code. After
all, I already have "No", so it can only get better form that point on.



Much to my surprise, I got an almost immediate response with detailed
instructions how to change the region encoding of our new player. We
can now play all our Dutch-spoken DVDs, which is important to us, since
we are raising our daughter with two languages.



This manufacturer understood a number of very important lessons:

1. the world is flat. People (consumers!) move around all the time;
arbitrarily assigning regions to people is rude, inconsiderate, and
flawed.

2. consumers are demanding. As a consumer, I don't care about why or
how. I want something that works when I need it (Availability!)
Assigning region codes to discs and players impedes with perceived
availability of the content I legally purchased.

3. consumers are willing to pay for content. Provided that the content
is of sufficient quality and reasonably priced, products will sell.
Protecting content via DRM-techniques is a feeble attempt to prevent
market efficiency. It might work in the short run, but it is not
sustainable indefinitely.



If you are interested in more details, please contact me.

No comments:

Post a Comment

Please share your view and opinions on what I wrote. In order to maintain quality, all comments will be moderated for merit. Contributions that call me out on statements that appear unfounded, wrong, or simply with which you disagree are highly appreciated and are even encouraged. Spam and 'me too' answers will be ignored.