Security

No such thing as effective license enforcement

License security is not the same as software security. In fact, sometimes they are at odds with one another.

A year and a day ago, in the article Radiohead knows more than Microsoft about security, I pointed out the failings of DRM and the licensing based business model. On the third of this month, TR regular Oz_Media made the point that:

MS can't even secure their licensing system, yet alone the software that uses it.

In truth, the fact Microsoft is increasingly unable to secure its software license enforcement against circumvention isn't really Microsoft's fault. It's out of the corporation's hands, for all intents and purposes. Microsoft's real failure is in failing to read the writing on the wall, and make plans that don't require trying to secure the unsecurable.

The business model Microsoft uses for software like MS Windows and MS Office is, officially, dependent upon the assumption that the corporation can prevent people from using the software without explicit permission from Microsoft or one of its agents or partners. Ultimately, what this means for Microsoft's current business model is that it relies on the assumption that it can somehow both provide customers with everything needed to run the software and, at the same time, prevent people from using the software for reasons that are not specific to any given copy of the software.

This approach mandates the use of what amounts to DRM software. In this case, because the "content" the vendor wishes to "protect" is itself software, the DRM is integrated with the content itself. There are some minor advantages to this approach over that employed by distributors of non-software content, such as music distributors:

  • Because the DRM is integrated with the software, and because of the way people view software differently from music and other entertainment content, it is more acceptable to provide access keys separately from the content and DRM code itself. As a result, copies of the "protected" content do not actually contain the key needed to bypass protection.
  • When dealing with a closed source software vendor like Microsoft, it has come to be an expected fact of life that one will end up with stuff installed on the system with which the user is not familiar, and that the user did not explicitly approve, even months after the software was initially installed. Software updates such as those provided by Microsoft Windows Update often make undeclared changes to the system, and people have grown used to assuming they're wanted and needed changes -- or, at least, unavoidable. When DRM software for something like a CD full of music does something like that, however, people recognize it for what it is.
  • Because the "protected" content itself is software, the annoyance of having to install and run software that enforces that protection is not so great; users were planning to run software anyway.
  • Content, in the non-software sense, is expected to be portable. Software itself is not. This is a somewhat reasonable expectation, because that content is simply data, and software is meant to parse and interpret that data to render it in a form that is meaningful to the user. The software itself, however, must be compatible with the foundation on which it is built, starting at the hardware level, moving up through the OS, and so on. Tying such content to a piece of DRM software ties that content to the DRM software's compatibility limitations, which tends to annoy people who aren't using the specific software foundations (i.e., the "platform") assumed by the creators of the DRM software. This can make DRM functionality less acceptable for that content.

Just like more obvious uses of DRM, however, basing one's business model off assumptions of the inviolability of DRM code embedded in "protected" software is a losing proposition. Even though your license key for MS Windows is printed on a piece of paper rather than embedded in the software, even though it is expected and generally accepted that a closed source commercial OS will install things on your computer without your explicit permission or knowledge and will probably "phone home" occasionally, even though there is no additional software installation step distinct from access to the "content" you want, and even though the portability expectations are lower, you still have the basic problem that it's difficult to keep people from "misusing" the license key system.

Inviolable technological enforcement is essentially impossible, in fact, because to allow a user to get access to your software, you have to give that user the means to access it. If that user, either deliberately or without understanding what he or she is doing, decides to violate license terms, that means of access -- in the case of how Microsoft implements enforcement, a license key -- is no longer restricted to the authorized user. If your intent is also to keep the user from using the software in particular, unauthorized ways, your problem is compounded, because everything needed to violate such restrictions is in the user's hands. If it wasn't, he or she wouldn't even be able to use it the way you intended it to be used in the first place, and you'd have a very difficult time selling software.

Software can be kept secure, but the definition of "secure" in each case must essentially be the definition selected by the software's administrative user. Unless Microsoft gives up any pretense of selling software to consumers, and starts merely renting out or selling user accounts on software Microsoft employees will manage as administrative users, there is simply no way for Microsoft to achieve inviolable technological license enforcement. If it does so, it will only have the behavior of its employees to police (and, of course, vulnerabilities in the software itself).

The upshot is that license security is simply not enforceable the same way software security is. As a result, the fact Microsoft cannot keep its licensing model secure does not necessarily reflect poorly on its ability to secure its software. If there is blame to be laid at Microsoft's feet for poor software security related to poor licensing security, it is because Microsoft diverts resources from ensuring software security (an important goal) to chase after license security (an impossible goal).

Of course, it may be that inviolable technological license enforcement is not what Microsoft really wants at this time. Many have hypothesized that piracy is an integral part of Microsoft's marketing plan, dominating much of the market by any means necessary and trying to maximize revenue once the market is sewn up by selectively enforcing licensing via legal, rather than technological, means. That, however, is a discussion for another day.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

0 comments

Editor's Picks