Friday, April 22, 2016

A magic bull.t

As a provider of solutions, related to security and data protection, we are often asked for some magic software, which will let the software developers and their customers protect the data from copying.
Moreover, such software should work on a platform, which was designed to be open, modular and to large extent hackable (and no, it's not Linux).

The problem with such requirements is that they contradict and conflict each other. The open platform means the ease to get into other processes' memory space (not that this is trivial, but very much possible) and copy bits and bytes from it. Protection means prevention of such operations.

Then, copying of information is the cornerstone of computer engineering and information-related sciences. Any use of information that you can imagine exposes this information to the outside world. And once exposed, this information can be translated further, and thus copied. This means that information is unusable without freedom to copy it. The question of whether information exists at all, if it can not be observed, should be left to philosophers, and we are more interested in practical aspects of this feature of information.

Copying of information is possible at any stage of its lifecycle, from the moment it is placed in the medium beyond your control, and up to the moment when the information disappears in the black holes billions of years later.

Talking about practical matters, such as copying of the document that you give to someone, you can not prevent copying of information. You can only make this information unusable (by encoding it in some way) and take measures to restrict the user from decoding this information in an uncontrolled manner.

What does this mean when applying the above said to documents and data that you distribute? Unfortunately, not very bright future for the classified secrets of your company. Once the document is decoded, it is used in one way or another. It is shown on display or printed by the legitimate user. It can also be captured by the hacker, trojan application or a spy sitting with a powerful electromagnetic antenna in the opposite building and listening for emissions of the computer display. Displayed or printed information can be copied, that's obvious. The information decoded in memory can be copied in decoded form to some other media. And the data of the document opened in the office suite can be easily transferred to another application via the system clipboard.

The described copying is easy to do on general-purpose systems like Windows. Would the closed system protect your information from being misused and abused? In theory, it could. Practically, though, prevention of leakage of information in serious organizations takes much more than a closed system, and usually involves restricted access to the rooms, no windows in such rooms, proactive protection measures like scanning of the electric networks, air conditioning systems, etc. for spying electronic devices and more. It's doubtful that you could enforce your recipients of data to take such measures.

So what is it all about? Is there no solution? If you search for "DRM" or "digital rights management" in the search engine, you'll get millions of links and dozens of software solutions. Yet, they (at least most of them) don't  claim absolute protection, but they promise to make stealing of information much harder. This is doable, and the question is how hard-to-crack is this or that protection.

We (our company) don't offer DRM solutions. We sell [licenses for] components, which can be used in building such solutions, and those components do make copying of information harder. But we also realize the shortcomings of most general approaches. If you let your file be opened in MS Office, then the user can copy the data to the clipboard or just save the file elsewhere. And neither our components nor the DRM solution itself can effectively counteract this without severely restricting users' capabilities to work with the data.

To make your life harder, let me remind you, that information carved in stone can also be copied using the simple tool called "camera". So if the information is so valuable that the risk of copying it can not be tolerated - don't disclose this information. Or take other, non-technical measures to secure your information and your position. NDAs, license agreements and alike could be a better defense than the most sophisticated DRM software.

No comments: