An anonymous hacker, known only as "Beale Screamer", has hacked the copy control software used in Microsoft's Windows Media format, the company confirmed Tuesday. The hack means that digital music files that had once been protected from copying can now be swapped freely.
The scope of the hack is limited in that it only applies to media protected with version 7 of the digital rights management (DRM) system of Windows Media, said David Caulton, product manager for the Windows digital media division at Microsoft. Most available content uses version 1 of the system (version 7 is the upgrade to version 1), and that content is still protected, he said. Additionally, in order for the hack to be performed, at least one legal, authorized media file must initially be present on the hacker's computer, he said.
Microsoft is currently working on a fix for the hack, which will be offered to its partners and then to users as a free download, Caulton said. He declined to comment on whether the company will seek to identify or prosecute Beale Screamer.
That DRM might be hacked was not an unforeseen possibility at Microsoft, Caulton said.
"We don't believe any possible DRM system is actually invulnerable," he said. This is why Microsoft's DRM is updatable, rather than static, he added.
Screamer posted his or her lengthy analysis of how to break the digital rights management features of Windows Media (WMA) on the sci.crypt Usenet message board on October 18. At the same time, Screamer also posted the source code for a number of programs which, when compiled, can be used to strip the DRM out of Windows Media files.
Digital Rights Management is a way for content owners to control the use and number of copies that can be made from their works. The software was thrust into the spotlight in the wake of Napster, when entertainment and technology companies sought a way to provide digital content to compete with Napster while at the same time foiling Napster's wanton copying, which the entertainment industry charges hurts profits.
DRM's critics, however, charge that the software infringes on consumers' fair use rights, which allow consumers to make a backup copy of a work for private use and to share works among friends, among other things. They also charge that DRM ends the First Sale doctrine, which holds that when a work is purchased legally, it can be resold by the purchaser. DRM-protected files cannot be resold.
Complicating matters is the 1998 Digital Millennium Copyright Act (DMCA), a law that was designed to update copyright for the digital age. Instead, the DMCA has become a flashpoint of criticism in many circles due to a provision that makes it a crime to circumvent or provide information about how to circumvent copy control restrictions. This provision of the law has been at the root of a number of lawsuits, the first being the DVD descrambling case about DeCSS (De-Contents Scramble System). The Dmitry Sklyarov case, which has seen a Russian programmer arrested for removing the encryption from Adobe PDF files, an act that is legal in Russia, has the anti-circumvention provision at its heart. Lastly, the DMCA cropped up in the Edward Felten case, in which the threat of a lawsuit under the DMCA caused a Princeton University computer science professor not to publish a paper on how to break another DRM scheme.
Although the news that Microsoft's DRM has been hacked will grab headlines, it may not be a major problem for the company, said Matt Bailey, senior analyst at the digital media research firm Webnoize.
"It's pretty important to stress that all the security companies that have designed systems for digital music have expected attacks" and have ways of dealing with them, he said. DRM companies have built in updating features and ways to combat these attacks, he said. In addition, the files needed to decrypt the software are hard to find and use, Bailey said.
"It's a blow to Microsoft's security system," Bailey said, but "Microsoft doesn't have to go back to the drawing board."
"Security firms are in the stronger position," he said.
Microsoft has agreements with both Pressplay, the digital download company formed by Universal Music Group and Sony Music Entertainment, and CenterSpan, a peer-to-peer file-sharing company. Neither of these deals should be affected by the hack, Bailey said.
Nevertheless, Bailey said, "I'm sure there'll be an on-going war between security companies and hackers."
Microsoft's Caulton hopes such a war doesn't break out.
"I would hope that it wouldn't happen, but we'd be foolish not to be vigilant," he said.
"There are a lot of people out there trying to hack into various systems. These people are tenacious, and it's important to be able to adapt," he added.
Perhaps surprisingly, Beale Screamer doesn't seem to want such a war either. Screamer included messages to the entertainment companies using DRM, to users, to Microsoft and to artists in the posting.
To music companies, he wrote: "Give us more options, not fewer. If you try to take away our current rights, and dictate to us what we may or may not do, you're going to get a lot of resistance."
To users, the very people who might offer that resistance, Screamer said, "please respect the uses I have intended this software for. I want to make a point with this software, and if you use it for purposes of violating copyrights, the message stands a very good chance of getting lost."
To Microsoft, Screamer wrote, "My real beef is with the media publisher's use of this software, not the technology itself."
Lastly, Screamer told artists not to "fear new distribution methods -- embrace them ... (Entertainment companies) want a piece of the action for YOUR creativity, and you don't need to let them in on it any more. Your fans will treat you nicely, unless you treat your fans poorly (take note of that Lars)." The last note is an apparent reference to Lars Ulrich, drummer for Metallica and noted anti-Napster crusader.