The Fascinating Story of DRM, Part Three: Big Corporate Lost Productivity

Kim Crawley
Apr 25, 2016

It’s a real bummer when people spend a lot of their money on AAA PC games, only to not be able to play them. Major publishers like EA, Activision, and Ubisoft are pushing their own online services, requiring their PC and console games to connect to their servers for any sort of functionality whatsoever. That includes single-player games.

Those publishers never seem to have sufficient server capacity to handle the traffic from millions of players executing their games soon after the launch of immensely popular titles. It leads to millions of customers becoming frustrated that they can’t play the games they paid for, many of which were preordered.

Developers and publishers say that the “always online” requirement of their new games is to enhance functionality that gamers should appreciate. Maybe so, but demanding constant connectivity to their servers is mainly a DRM measure, a sloppy way of combating piracy. But that sort of a system penalizes paying consumers a lot more than it inconveniences pirates.

My last article focused on that issue. In this article, I’ll explain how poorly designed DRM not only affects gamers, but also hurts people who legitimately purchase and use applications from two software behemoths: Microsoft and Adobe. Then, I’ll tackle the issue Sony had nearly a decade ago when the DRM on their music CDs was actually vicious rootkit malware.

Redmond Goofed

The most frequently used components of the Microsoft Office suite have been available for MS-DOS, Windows, and Mac OS since the 1980s.

Later on, Microsoft decided to integrate Word, Excel, and PowerPoint into the Microsoft Office suite. The first version for Mac OS debuted in 1989, and for Windows in 1990. A few years later, Word and Excel surpassed competing applications from WordPerfect and Lotus to become the most popular formats for documents and spreadsheets.

Microsoft implemented their own special kind of DRM in Office 2003, Information Rights Management. IRM is designed to enable people who create documents in Office programs to protect them from unauthorized changes, and from access by unauthorized parties. As some enterprises using Office applications have proprietary information in the files they create, IRM was developed to appeal to them.

It’s a wonderful technology, in theory. Until something goes wrong…

The function in Microsoft Office that controls IRM is the Rights Management System. RMS controls the IRM that document creators put on their files from Microsoft’s servers, via certificates.

On Friday, December 11th, 2009, people who had authorization to use and access IRM-protected documents, including people working for big corporations, received this error message:

“Unexpected error occurred. Please try again later or contact your system administrator.”

Of course, contacting one’s system administrator would’ve done no good. Considering that the bug affected everyone with IRM-protected documents in Office 2003, it’s reasonable to estimate that corporations lost millions of dollars from lost productivity.

So, what went wrong? What was the bug?

It was Microsoft’s fault, and they admitted it. They let one of their own certificates expire. Oops!

The following day, Saturday, December 12th, Microsoft released a hotfix to correct the issue. But many corporate offices are closed on the weekend, and sysadmins at each affected corporation had to find and implement the hotfix on Monday, so many big businesses had to wait until the end of Monday or Tuesday to regain access to their crucial documents.

IRM and RMS functionality is also in later versions of Office. Not only does Microsoft have to make sure that their certificates are current, but if their servers experience any downtime, corporations worldwide could lose many more millions of dollars in productivity.

Microsoft launched their Office 365 SaaS (software as a service) in 2011, and renewed it for Office 2013 support in 2013. With their productivity applications hosted off of Microsoft’s servers, server downtime can prevent corporations from creating new documents and editing existing documents. I wouldn’t recommend Office 365 to anyone. I foresee significant, albeit temporary, information security problems in the future.

Microsoft Silverlight is Microsoft’s equivalent to Adobe Flash. It was initially released in 2007. Of course, Microsoft’s own Internet Explorer supported it from the get go, and then support was extended to Mozilla Firefox, Google Chrome, and Apple Safari.

A very recent Patch Tuesday (which they now call Update Tuesday, for connotational reasons) broke Silverlight. In the immortal words of Britney Spears, oops, they did it again!

Update KB3011970 rendered Silverlight completely unusable. A large percentage of web apps use Silverlight, the web version of Netflix being one of many. The bug that KB3011970 introduced pertained to Silverlight’s DRM.

The bug was reported on December 11th, 2014. By December 12th, Microsoft rereleased KB3011970, fixing the DRM bug. I detect a pattern here, which is an intriguing coincidence. Problems on December 11th, fixes on December 12th. Hmmm…

Mountain View Goofed

Google isn’t the only big Silicon Valley corporation based in Mountain View, California. So is Adobe.

Adobe is the industry leader in media creation software. They integrated their graphic editing Photoshop, PDF creation Acrobat, video editing After Effects and Premiere Pro, web developing Dreamweaver and Flash Professional, and a number of other applications into their Adobe Creative Suite.

Creative Suite 6, released in 2012, was the last version. Its replacement is Adobe Creative Cloud, a SaaS that initially launched in 2011. I suppose you can figure where this is going.

On or before May 14th, 2014, Creative Cloud went down. A lot of corporations and businesses depend on the SaaS, many of whom work in Hollywood. Adobe said it was due to a mistake made during a “database maintenance activity.”

Ceasing Creative Suite support, and shifting to Creative Cloud meant that, like Microsoft with Office 365, Adobe is depending on “always on” connectivity to their servers for the sake of DRM.

Editing of Hollywood blockbusters and television shows was halted. Graphic editing for advertising agencies and web developers ceased. Web developers, many of whom were working for the largest corporations, also couldn’t work on their web pages or Flash-based web applications. Software pirates were completely unaffected. So much for the objectives of Digital Rights Management. Just like other stories in this series, DRM implementation was hurting the availability component of the CIA triad of information security. As with Microsoft’s DRM problems, corporations must have lost many millions of dollars due to lost productivity.

A full two days later, Adobe tweeted “Adobe ID issue is resolved. We are bringing services back online. We will share more details once we confirm everything is working.”

Maybe incidents like that will encourage some corporations to replace Creative Cloud with applications from competing developers.

That’s not the only time in 2014 that Adobe’s DRM has caused massive problems for legitimate users.

Adobe Digital Editions is ePub and PDF ebook reading software, with significant DRM of its own. Not only is Digital Editions its own desktop ebook reading software, it’s also integrated in Google Play Books, Barnes and Noble Nook ebook readers, and also in ebook readers and tablets from OEMs such as Sony, Acer, HP, and Samsung. Millions of people worldwide use Adobe Digital Editions whether they know it or not, and major publishing houses depend on it to protect their ebook titles.

In January 2014, a large number of users experienced problems when Adobe updated their Digital Editions DRM.

When legitimate users purchased ebooks on their desktop, they weren’t able to read their books on their ebook reader devices the way they’re supposed to. Once again, here’s another case of DRM hurting people who have purchased products, when pirates were unaffected because there’s no such DRM on most ebooks pirated via BitTorrent and other P2P networks.

Argh…

Remember When Sony Created Malware?

On the subject of information security attacks affecting people who properly purchased media, remember when Sony created malware?

Sony, of course, is a major player in the music industry, with their own assortment of record labels.

Sony was greatly concerned about users putting music CDs into their PCs, ripping the audio content, and pirating it via P2P. So, they installed DRM on many of their albums in an effort to prevent such piracy.

Sony’s XCP DRM is on CDs they released in 2005. Affected titles include Switchfoot’s Nothing Is Sound, Ricky Martin’s Life, Our Lady Peace’s Healthy in Paranoid Times, Neil Diamond’s 12 Songs, Celine Dion’s On Ne Change Pas, Natasha Bedingfield’s Unwritten, and Amerie’s Touch.

XCP was actually rootkit spyware malware. Not only did it allow Sony to spy on your activities, it also made millions of PCs more vulnerable to destructive attacks from blackhats. Trying to remove XCP would break Windows at its very core.

When it was discovered, Sony’s Thomas Hesse arrogantly said, “Most people don’t even know what a rootkit is, so why should they care about it?”

Even worse, Sony’s initial fix created yet another backdoor vulnerability.

Within days, Breplibot trojan malware exploited the attack vector XCP created. Oops, once again.

In reaction, F-Secure’s Mikko Hypponen said, “Sony rootkit was one of the seminal moments in malware history. Not only did it bring rootkits into public knowledge, it also gave a good lesson to media companies on how not to do their DRM solutions.”

Sony and Microsoft eventually fixed the problem, but the cat was out of the bag, and Sony’s image took a major hit.

Hopefully they’ve learned their lesson, as has the rest of the music industry. Hopefully…

So, in this series, I’ve explained how DRM implementations have created significant problems for corporations and consumers, with a lot of frustration, information security threats, and millions upon millions of dollars lost from our economy, perhaps collective billions from all DRM problems. Instead of hurting pirates, these DRM incidents have hurt paying consumers.

In my final article in this series, I’ll talk about developers and services who don’t use DRM at all. Their products should be considered if you want to avoid these sorts of issues from affecting you.

Want more articles like this? I need to buy groceries. Support a female tech writer via Patreon!
