Hacking the Xbox
Hacking the Xbox
Hacking the Xbox
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
186<br />
<strong>Hacking</strong> <strong>the</strong> <strong>Xbox</strong>: An Introduction to Reverse Engineering<br />
In combination, <strong>the</strong>se DMCA provisions create major barriers to<br />
cryptographers and security researchers who want to analyze <strong>the</strong> security<br />
measures used in real, mass-marketed products. A commercial reverse<br />
engineer who discovers a problem with ano<strong>the</strong>r firm’s technical measure<br />
and offers suggestions about how to improve it is at risk of being<br />
indicted on criminal DMCA charges.<br />
Even an academic reverse engineer is at risk of being sued for publishing<br />
a paper about <strong>the</strong> weaknesses in a firm’s security measures, because such a<br />
paper could be labeled a “tool of circumvention.” 37 One example is<br />
Princeton professor Edward Felten, who assembled and entered a team of<br />
scientists in <strong>the</strong> music industry’s “SDMI Challenge,” a contest to crack digital<br />
watermarking and o<strong>the</strong>r technologies being considered by <strong>the</strong> Secure Digital<br />
Music Initiative for protecting digital music. Felten and his team entered <strong>the</strong><br />
contest with <strong>the</strong> intent of using <strong>the</strong> SDMI Challenge as a real-world security<br />
case study, and <strong>the</strong>y eventually authored a peer-reviewed academic paper that<br />
was to be presented at a conference. Before <strong>the</strong> paper was actually presented,<br />
<strong>the</strong> Recording Industry Association of America (RIAA) sent Felten and <strong>the</strong><br />
conference organizers a letter warning him that publishing <strong>the</strong> paper would<br />
violate intellectual property laws, including <strong>the</strong> DMCA.<br />
The DMCA also contains several exemptions relevant to reverse engineering:<br />
circumvention of a technical protection system when necessary to achieve<br />
interoperability among computer programs; circumventions conducted in<br />
<strong>the</strong> course of legitimate encryption research; and circumvention for purposes<br />
of computer security testing. Unfortunately, each of <strong>the</strong>se exemptions is<br />
both complex and narrow. Even when <strong>the</strong> act of reverse-engineering is<br />
allowed, <strong>the</strong> DMCA strictly regulates what can be done with <strong>the</strong> resulting<br />
information.<br />
1201(f): reverse-engineering for interoperability<br />
This exemption allows <strong>the</strong> circumvention of technical protection measures<br />
for interoperability reverse engineering. It also allows, to a very limited<br />
extent, <strong>the</strong> dissemination of information gained from reverse-engineering.<br />
Note that 1201(f) would not have exempted Felten’s attack on <strong>the</strong> SDMI<br />
watermarks, because it had no relation to interoperability.<br />
The 2600 case, mentioned earlier, concerns <strong>the</strong> publication of a computer<br />
program known as “DeCSS” on <strong>the</strong> website of 2600 Magazine.<br />
DeCSS can be used to bypass CSS, <strong>the</strong> technical protection measure used<br />
to control access to DVD movies. EFF, which represented 2600<br />
Magazine, argued that DeCSS qualifies for <strong>the</strong> interoperability privilege<br />
of 1201(f). DeCSS was designed, we argued, to enable people to build<br />
software that would enable <strong>the</strong>m to play legitimately purchased DVD<br />
movies on <strong>the</strong>ir platform of choice, namely, Linux computer systems.<br />
The courts rejected this argument, saying that 1201(f) only permitted<br />
circumvention for purposes of achieving program-to-program<br />
37 While this seems odd, consider that many academic papers in<br />
<strong>the</strong> security include computer program code.