Anti-Piracy Laws - Essay Example

Table of Contents Table of Contents 1.0 Introduction 2 2.0 Preventative Solutions 2 2 Hardware-Based Techniques 3 2 1 Dongles 3 2 2 Tamperproof CPUs 4 2.1.3 Smartcards 4 2.2 Software-based Techniques 4 3.0 Cost-Benefit 5 4.0 Conclusion 6 5.0 References 7 1.0 Introduction Anti-piracy laws are strict and offenders, whether individuals or corporations, are often confronted with very high fines. As regards organizations, it is the responsibility of management to ensure that employees do not violate anti-piracy laws. This responsibility is often delegated to the IT, or ICT, department. Corporate policies alone cannot, and do not, ensure employee compliance with anti-piracy laws and regulations (Kizza, 2002). Since, however, it is the company, not employees, who are held liable for copyright infringements, they often look for deterrence mechanisms which go beyond policies. Following an audit by the Business Software Alliance, in which our organization was found guilty of violating copyright laws and of running unlicensed, pirated, software on some of its computers, the ICT department experimented with both software and hardware deterrence mechanisms prior to implementing the former. 2.0 Preventative Solutions With the proliferation of peer-to-peer software and the growing ease of downloading and installing pirated software, organizations often confront serious difficulties in implementing anti-piracy regulations. Certainly, there are few, if any, organizations which do not have clear-cut anti-piracy policies but employees often assume that they will not be caught.' The fact is that they can very well be, with the organization left liable for the payment of the resultant fines and vulnerable to lawsuits by the software producers in question (Kizza, 2002). It is for this reason that policies have to be complimented with hardware or software-based deterrent techniques. Following a February 2006 audit by the Business Software Alliance, our organization decided that since policies were not effectively deterring employees from infringing anti-piracy laws, software and hardware mechanisms were required. A thorough study of the advantages and disadvantages of each was conducted prior to implementing software solutions. 2.1 Hardware-Based Techniques Special purpose hardware is commonly used in proof of ownership, to provide secure data storage and to provide a secure execution context for security-sensitive applications. Such hardware is typically more cumbersome for the user and more expensive than software based techniques. 2.1.1 Dongles A dongle is a hardware device distributed with software. Possession of the device proves ownership of software. A dongle typically connects to an I/O port and computes the output of a secret function. While running, the software periodically queries the dongle. If the communication fails or the results of the query are wrong, the software reacts appropriately (Craig and Burnett, 2005). There are three major drawbacks to dongles. These are cost, impracticality and vulnerability. Dongles are expensive at $10 per unit and distributing them with software is not practical. Thirdly, the attack point is clearly defined since the interface to the device is a hardware interface. This means that the signals passing over the interface must conform to the software standards. This gives attackers and analysis advantage (Craig and Burnett, 2005). 2.1.2 Tamperproof CPUs Tamperproof CPUs aid in piracy prevention by providing a secure context and/or secure data storage. By executing the software in a secure environment, the pirate is unable to gain access to the software. This technique prevents the attacker from observing the behavior of the software which means he is unable to identify portions of the software to remove. The obvious drawback to this technique is the cost of requiring all users to have tamperproof hardware (Flynn, 2005). 2.1.3 Smartcards Smartcards store cryptographic keys for use in authentication and authorization systems. A typical smartcard consists of an 8-bit microprocessor with ROM, EEPROM and RAM on a single chip with serial input and output. The EEPROM is used to store the secure information. Through the manipulation of voltage, an attacker can bypass the smartcard. Indeed, researchers have noted that attackers can do so simply by using a microscope and a laser, with the implication being that smartcards are not an effective anti-piracy mechanism (Craig, 2005). 2.2 Software-based Techniques Software-based solutions, such as code obfuscation, software tamperproofing, software watermarking, and software birthmarking, provide a number of advantages over hardware based techniques. First, the protection is cheaper to implement due to the lack of special purpose hardware. Second, many of the currently proposed hardware-based solutions have proven vulnerable and, hence, ineffective. Certainly, somre attacks require specialized equipment but many of the side-channels are relatively cheap. For example, the protection provided by some smartcards can be defeated by shinning a common lightbulb on the card. Third, many hardware based solutions can be difficult to deploy. For instance, it can take several months, possibly over a year, for an organization to upgrade all its computers to tamperproof ones. Besides the cost involved, once the tamperproof CPUs protection mechanism has been defeated, it cannot be fixed without upgrading the hardware again (Craig, 2005; Flynn, 2005). Software-based techniques take a different approach than hardware-based techniques because it is generally believed that given enough time a determined adversary will be able to defeat any protection mechanism. The goal, instead, is to develop techniques which require the expenditure of an inordinate amount of time and effort for the user to be able to install a pirated copy on the machine in question (Craig, 2005). 3.0 Cost-Benefit A quick overview of the advantages and disadvantages of either mechanism leads to the identification of software-based techniques as the more effective of the two. Software Based Hardware Based Ranges from cheap to manageable cost Ranges from costly to cost-prohibitive Violation requires the expenditure of tremendous time and effort Violation can be a simply matter of flashing a lightbulb Implementation is relatively simple Implementation is highly complicated Upgrading (pending discovery of a vulnerability) is cost-effective and simple Upgrading (pending discovery of a vulnerability) is cost-prohibitive and complicated As is evidenced through the above table, software mechanisms appear to be the more effective of the two choices. According to our organization's ICT director, subsequent to the decision to implement software-based techniques, a software programming company was hired to write a program which would specifically prevent the installation and use of pirated companies on any of the company's machines, including laptops which employees were allowed to take home with them. The program cost a little under $15,000 and within one month was installed on all our computers. It has, ever since its installation 8 months ago, prevented the downloading and running of pirated software on our computers. 4.0 Conclusion Anti-piracy laws have placed organizations in the position where they must control their employees' activities vis--vis pirated software. Should an organization fail to do so and should employees run pirated software on company machines, the organization becomes liable to costly legal action and retaliation. It is, thus, that organizations need to supplement their anti-piracy policies with either hardware ir software based deterrent mechanisms. 5.0 References Craig, P. and Burnett, M. (2005) Software Piracy Exposed. NY: Syngress. Flynn, N. (2005) The E-Policy Handbook; Designing and Implementing Effective Email, Internet and Software Policies. NY: AMACOM. Kizza, J. (2002) Ethical and Social Issues in the information Age. NY: Springer. Read More