[Dshield] Microsoft DRM?

Thu Nov 15 19:01:41 GMT 2007

On Thu, 15 Nov 2007 01:46:26 PST, Pete Cap said:

>  One of my customers had an intrusion and is all in a tizzy about some stolen
> documents.  It occurs to me that using M$'s DRM solution might be a good idea
> in the future: Something along the lines of "these documents can only be opened
> within the work enclave" or "a license has to be downloaded from the company's
> servers, thus revealing the intruder's next hop IP" might be useful.

> Thoughts?

Two thoughts:

1) This introduces a new failure point - if the license server hangs, all work
comes to a screeching halt.

2) If that particular DRM ever becomes unsupported, you then have to worry
about extracting all your held-hostage documents.  This is an even bigger issue
if you live in a UCITA state, where MS has self-help provisions if they suspect
you have pirated copies of the software (quite probably in other states as
well, if you were foolish enough to click that OK on the EULA without reading
*all* the fine print.

3) To prevent the attack you're worried about, you'd basically totally
hamstring the usefulness of the document.  You'd have to ban (for a start):
saving a copy of the document anyplace, cut-n-paste out of the document,
altering the document, slice-n-mice out of the document, and so on.  Remember
that if there's an intrusion and the attacker has a presence on the local
machine, you need to ban *your local users* from doing anything that the
attacker might do, because the attacker is likely running *as that local user*.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.sans.org/pipermail/list/attachments/20071115/da6a74f3/attachment.bin 