Microsoft's DRM can expose Windows-on-Tor users' IP address Windows users running the Tor browser can be tricked into uncloaking themselves, with a pretty straightforward trick based on Microsoft's DRM system. The discovery was made by Hacker House, which says it's been researching social engineering attacks made using DRM-protected content. What the UK-based security outfit found is …
On the other hand a single signed file could be used to entrap many Tor users, so it'd make probably more sense for 'Them' to purchase one of these files from a company that already has the DRM signing solution.
Unless I'm understanding this wrong, of course. I don't have to put up with this windows DRM thing thanks to having it blocked at several levels, including browser plugins, OSS media players, firewall, ...
I think you ARE misunderstanding it then...
though if it's a wmv - they have the ability to open browsers and load webpages anyway - which would be a damn site easier way to establish a connection and grab the source IP address. This has the benefit however of working without needed to open a browser, etc
I believe the gist is something like:
- you download your torrent or download from tor the latest blockbuster zip...
-unzipped you find a large mp4 or mkv thats about the right size... but lo - when you try and play it it won't play - saying codec is missing or some mince.
- there's another file there - a little file "watch me if movie does not play.wmv"
- user plays that. all players that understand wmv/drm then connect to licence provider.
- congrats, you have been pwned.
WMV, like ASF before it were/are terrible containers that should never ever ever be used for anything EVER. Add AVI to that as well while you're at it.
...how does that harm my argument? Mr Robot purchases/hires the 'service'(a single DRM file) from a company with the infrastructure required to sign the keys, for a fraction of the price of purchasing their own DRM infrastructure, and afterwards use that same DRMed file in the way you described as many times as they please, pwoning lots of users. Profit!
Please consider that this would be used for hooking visitors of "illegal sites"(think child porn, Silk Road clones, and in the UK sites depicting any sexual practice nor approved by the government ;-) and "political oposition sites" or "terrorist sites" (both of which categories sadly are still treated in many countries exactly the same way).
Perhaps your point was that the hackers don't even need to do that, as they can create their own keys for free, as has been suggested in other comments in this thread?
Postdata: I've been blocking access to DRM content for many years and, in my opinion, that's what any security-conscious user should do.
What they've seen in the wild is someone managing to generate signed content, apparently without paying that toll.
If true, that means the MS DRM system is now broken and useless.
In fact, worse than useless because of the large quantity of money and effort needed to use it.
Absolutely. As with all DRM, once again it is demonstrated that, where security is concerned, a closed-source "solution" is just a disaster waiting to happen.
What this means is that there are people out there who could conceivably wrap a film with the proper DRM security (without MS' knowledge) and serve that up to unsuspecting victims in order to grab their IP address. For Tor, which is specifically a platform supposedly enabling you to hide it, it is nothing less than a targeted attack.
I suppose this could also blow through most anon proxies as well, though I may be wrong.
And, given that the people who have this capability are not any open-source advocates or geeky teenagers wanting bragging rights, there's a good chance that they are blackhats, which means that once they have the IP address, mayhem will ensue.
Not good news in any case.
Not necessarily, even WMP (or Flash) has an option (default on) not to retrieve usage rights/send unique id from/to Internet. Also Firefox has the option to disable playback of drm encumbered content (courtesy of Adobe if I recall correctly). Needless to say, whoever cared and knew anything should have these options set accordingly.
"...even WMP (or Flash) has an option (default on) not to retrieve usage rights/send unique id from/to Internet..."
The main difference here is that the OSS media player has a button for disabling the DRM crap and that you can trust that button to do precisely that. Oh, and that the option to use DRM in the OSS application is off by default.
or is MS getting more and more restricting and evil almost every day?
MS seems intent on transforming itself into Big Brother and the day when W10/Cortana says
"I'm sorry Dave I can't let you do that"
are getting closer and closer.
As has been said, use vlc or any of the other far better media players to view your content.
Come now! This started with XP's "product activation" feature and has been growing ever since. If you are still happy to use Windows then you are a hard-boiled frog by now.
Ultimately that is my main reason for choosing Linux - it is MY computer and if I do something fsckingly stupid with 'sudo' then its my choice, my responsibility, but ultimately also my freedom to change/copy/modify/bugger-up whatever I like.
Well, there are still several drawbacks on Linux:
Firstly, the fact that there are not many game companies supporting it. Steam is nice, but even then half of the games on Steam aren't available on SteamOS/Linux. And that's well, Valve is pretty much the best company when it comes to Linux gaming. EA and Activision-Blizzard don't give a hoot, and the latter even actively ban users caught using WINE to run their games. EA is slightly better in that they don't care if you use WINE, but a lot of their games are hard to get working in WINE anyway. Also, sadly, there has been no port of EA games to Linux ever since Loki Software folded.
Secondly, hardware support. Linux devs need to listen to their users more. Last I tried only Ubuntu supports hardware RAID. The excuse that motherboard RAID isn't beneficial is not valid. A lot of modern motherboards also enable caching when RAID is enabled. Also, I've said this many times before, but the anecdote that the CPU is handling the scheduling just isn't true on certain chipsets- for example, the NVidia NForce chipsets has an ASIC to handle the RAID arrays and offload the task from the CPU. The distro developers shouldn't be all smug and tell users to just stick to AHCI - there are valid reasons to support motherboard RAID.
Additionally, Radeon support on Linux still lacks CrossFireX/Dual Graphics support and even basic functionality like stippled and smooth primitives on certain cards. Ever since FGLRX support was dropped, many rigs went from competent to unusable. I was forced to convert one of my rigs that ran Ubuntu back to Windows because it FGLRX no longer supported it, and said rig happened to use a APU+GPU dual graphics configuration (1).
Don't get me wrong, I still do have several Linux boxes dedicated to the cause. But losing FGLRX and being stuck with Ubuntu because it's the only Linux distro that supports motherboard RAID is pretty frustrating.
(*1) https://www.x.org/wiki/RadeonFeature/
>Well, there are still several drawbacks on Linux:
Probably get downvoted but the big missing killer app on Linux for me is no streaming from my xbox one to my PC like with Windows 10. Sometimes when you are a family man your options for when and where you can game are limited especially if you prefer console gaming (don't ask me why). I of course still do all my browsing through Linux (Whonix in VMs).
"Well, there are still several drawbacks on Linux"
There are several (at least) drawbacks on Windows. The point is you pay your money (or not) and take your choice. If playing games in more important than privacy and security that is your choice to make. You are not me, your goals and priorities are not mine, so it is up to you to evaluate what matters most to you and to act accordingly.
" Linux devs need to listen to their users more"
No, they don't.
Since most of them are volunteers donating their time for free, they work on elements that interest them personally. Some of them are nice enough to add features that others want, if they feel like it.
If you can't convince a volunteer to spend their free time on something you want, then you have at least 3 choices:
1) do without;
2) pay someone to write the driver/feature for you;
3) donate your own free time to writing code yourself.
Also, the specific distribution is irrelevant. If Ubuntu has support for hardware RAID and it is provided as GPL'ed code, then that code will (80% likely if you are on the same CPU architecture and RAID hardware) work if you just download/copy the packages or (if different package management systems are in use) just the actual files (and any dependencies) to your Linux system. If this 80% chance fails, then you can get the source-code and compile it for your system, which should work 80% of the time (again same hardware). If that fails (i.e. the combination should work 96% of the time), then report the issue and persuade someone who's donating their free time to fix it, or see the 3 options above.
That's the whole point of Linux. A non-commercial distribution is just someone's "favourite package combination" bundled up. If there's a program you see on a someone else's Mint Linux, and you are running Slackware, well, assuming it's not propriety licensed non-GPL software, you can go and get it and, worst case, compile the source code to make it run on your distribution.
Doesn't this date back to "Paladium" and "Trusted computing," where MS mean "Trusted by Big Corporate customer to prevent unauthorised access to any of their documents off site unless you pay them big money and/or a senior manager."
In theory DRM could be used to allow individual artists to be receive micro payments and ensure you only pay once for something but each individual person does have to pay, rewarding creativity.
But IRL what are the f**king odds of anyone implementing a system with such goals?
Somewhat smaller than the googles revenue root of FA.
"Ultimately that is my main reason for choosing Linux - it is MY computer"
Well, unless you use Ubuntu in which its now Amazon's computer. Since the whole 'Unity' search bullshit, I've pitched Canonical into the same bin as Red Hat. Specifically, the bin marked 'bastardized versions of Linux that I will never install on my equipment'.
"the day when W10/Cortana says 'I'm sorry Dave I can't let you do that' are getting closer and closer."
Well you'd need to change your name first :-)
Beside, HAL wasn't evil. He was trapped with paradoxical mission parameters - report open and honestly, but secretly keep the mission objectives from the crew. HAL ultimately deduced that if the crew were dead, he wouldn't need to lie to them anymore. That could work for some of my stakeholders to be honest...
Don't let thoughts of conspiracy blind you to the possibility of cock-up (or vice versa!). I suspect the latter.
I'm obviously naive - I thought TOR was just for buying drugs, or criticising the totalitarian regime you happen you live under - and I didn't realise WMV movies were still a thing.
>It's the wmv DRM implementation, so in theory at least would affect wmv players on Linux or Mac too
For sure, but as the article notes, Tails disables WMV key requests. If you were concerned about privacy enough to use TOR then you would use a Linux that was tailored for privacy.
If you choose to walk through a maze to make sure you're not being followed, you'd make sure you didn't wear the same jacket that you wear down your local pub.
Even if WMV keys are not disabled in Tails, the routing is at OS level so any out of browser requests still go via the Tor network so your real IP would not be leaked anyway.
Although virtualisation is not recommended for Tails, running it in a VM window on a machine connected to a VPN has benefits when it comes to things that NIT's that want to unmask your real IP via whatever exploit.
If you're valuing your privacy/security enough to use TAILS, you're running NoScript.
From what I am told NS blocks Iframes on TAILS (I don't have it to hand so can't test myself I do have NS installed here and blocking Iframes but what is set on a default NS install and what is on TAILS could well differ). I assume iframes are different to JS since they have different settings in NS.
And the really obviously simple thing.. If you're valuing your privacy and a site requires a script to run, you go elsewhere or do without. Hell, I do that with sites that demand 3rd party cookies or 3rd party scripts (aside from CDN's and sometimes some Google API's). If it wants to run to much I don't trust, I don't run it.
There is no circumstance that requires you to run risky scripts, especially if you're protecting your identity (and have some clue about what you're doing/follow the very clear instructions)
Firstly 192.168.X.X is not a class C address, it is a contiguous range of 256 class C address ranges and therefore constitutes a /16. Except the whole concept "class C" or A&B was deprecated not long after Noah realised he was going to need slightly more than an umbrella and at about the same time it became practical to have dial up Internet connectivity at home in the UK.
Well of course any 192.168.X.X is a reserved private address block, other 192 addresses have other jobs, I used to "own" 192.195.something.orother. But when did you last see a non technical home user ever change it, or even a technical one for that matter, there is almost never a reason to change it from the one your ISP has setup when they ship you a router (assuming you run the router they give you). My point was that the private IPv4 address that most people use is of no practical use to anyone as a means of identify you and it isn't even persistent. There could easily be a hundred million PCs currently using that IP address.
The article completely fails to give any details of how the attack compromises you. It's bad that information can be leaked, but a limited sort of bad in most cases.
Sure if you run routed IP address blocks then a quick whois will give the miscreant your name, address and phone number. The PC I'm typing this on would fall into that category. The one next to it is using an RFC1918 private address which admittedly isn't 192.168.0.0/24, for reasons of a private joke.
One thing the article doesn't say is whether it is just the IP address of the PC itself, I'm assuming that is all that can be leaked here. So if you are DNAT'd then there isn't much to worry about for most people.
If you are running IPv4 real public address or you're using IPv6 (which is more likely to use public addresses) then you might well be being left open to identification.
Personally I think everyone should use NAT'd address for client only systems to avoid casual identification. I don't see any reason why people should be forced to walk around the Internet with a label stuck to their foreheads with their name and address in large print for anyone to read. The backers of IPv6 don't seem to agree with me. Sure there are protocols which NAT buggers up but in most cases the answer should be to fix the bloody protocol not make everyone pull their pants down and show their privates.
When WMP phones home, then it is likely to do so without going through the Tor router. This obviously reveals the public IP address you are connecting through. In a home environment that will usually equate to (or an easily determined) physical house address. Sure, it will not reveal which PC was responsible - so that's why if the activity is suspected of being illegal (e.g. drugs, kiddypron etc.) the police will bust down your door and take ALL of them for examination.
@Dazed
The article is quite easy to understand, Cynic_999 is perfectly correct (about the IP stuff, rather than door busting). I hope you weren't the one to downvote him, seems unfair.
I also find it odd that you don't think someone knowing your name, address and phone number would be a problem for someone using Tor... but that is only possible if you're using a fixed IP and you have a domain registered under your own details and they do a reverse lookup first.... but I'm going off track.
Let's see:
- Tor browser arrives at webpage which serves a WMV
- Browser attempts to launch WMV
- Windows Chooses your default player
- Player checks for DRM
- DRM is there, Player checks for validity
- Yep, valid and signed by Microsoft, player fetches license key from the content producer server without popping up a warning [HINT: this is how you get identified]
And, to state the obvious:
- Player then requests content producer uri
- Player is not using Tor
- URI request goes out through the router in the same way as normal internet traffic (if you've got a VPN configured on your router then at least you're partially hidden (not from TLAs though))
- Content provider server receives request, and as per normal in a TCP session, gets your public facing IP so it can talk to you
- Ta Dah - Your Public IP is now known - you may or may not be totally fucked - depending on who the content producer is.
Bit of a problem for most people using Tor:
If it's a TLA - prepare for APTs, social engineering or the old fashioned plod shakedowns;
If it's something illegal, prepare to be arrested (whether or not we're talking Iran vs N Korea vs 'legal highs')
Hope that's cleared it up for you
:)
@cbars
Firstly it wasn't me that downvoted Cynic, any cynic is OK by me.
As to whether the article is clear, I clearly didn't feel it so, hence the original question about whether it was the IP address of the PC or whether it was the IP address of the router. I'd read the article as saying that the Windows media shit was exposing the IP address of the PC, as presumably (my guess from the article) that was inside any packets. OK, perhaps I'm in the tin foil hat brigade but when I resort to TOR I make sure there are no other routes off the PC.
> I also find it odd that you don't think someone knowing your name, address and phone number would be a problem
What I was saying was the exact opposite of this. I'd said that if, like me you run fully routed addresses which can be looked up in whois then you're wide open. But if it is the NAT'd address which is exposed then there isn't much harm and that everyone should do this to avoid casual identification.
Lots of ISPs also NAT the routers IP address and these are not persistent. So to the casual observer the only thing which would be visible would be which ISP you're using.
What I'd not considered was state sponsored snooping where of course the ISP is likely to reveal your ID to the hacker. Or perhaps where the hacker is the ISP.
My other mistake was not to realise that people using TOR would be allowing non-TOR traffic at the same time.
Thanks for the explanation and please accept 1 up vote for your trouble.
As others have noted, you probably meant 192.168.1.1, and no, that's usually the ADSL/fibre/cable routermodemlboxthingy.
And of course, at home I do have a public IP address on my PC. IPv6, that is. 2A01:stuff. I also have a 192.168.1 type address. But that IPv4's not interesting for the alphabet soups and the hackers.
But I'm not sure why the story is news. It's pretty much self-evident that any DRM solution that doesn't involve a physical token attached to the PC (including having the original installation medium in a local shiny-biscuit reader) will need to check on the Internet, and that might involve an IP check, and that might involve using the public IP that the DRM servers can see, and in a way that links your TOR activities to that IP.
And because it *might* involve such things, you must, if you are operating in full-on tin-foil-hat mode, assume that it *will* involve them, and that it will leak information about you.
>if you are operating in full-on tin-foil-hat mode,
Then you won't use digital communication at all because the traces you leave behind (always some) are forever.
>When WMP phones home, then it is likely to do so without going through the Tor router.
If you are using the Whonix workstation to do so it wouldn't be able to. Without breaking out of the VM its nearly impossible for any app to get the internet facing ip address unless of course the dumb meat sack starts typing it (or more likely their name and address) into web entry forms.
Just try going to this site:
https://ipleak.net/
It will tell you a lot about what is publicly seen from your computer, and you might want to follow up on the WebRTC aspect... If you are running Linux (or I guess have 'dig' for Windows somehow) then this will do it simply from the command line:
dig +short myip.opendns.com @resolver1.opendns.com
No doubt the El Reg commentards will have many, many more methods to do the same.
... that I understand the issue correctly: The actual problem appears to be that the media player launches IE to access the "information" site instead of using the Tor Browser, and that bypasses Tor and so snitches your IP address, right?
I'm not using Windows, so I have to ask: isn't there a way to prevent IE from launching (or otherwise cripple it)?
If you use transparent TOR proxying, all TCP requests (from DRM modules, Flash plugins, Java, JavaScript and shit) would go via TOR instead. But even transparent TOR proxying won't stop commercial software from running "ipconfig" on your host and sending the result to DRM server, MS, Google, CIA, FBI or NSA. Together with your address book and keyring.
Errrr ipconfig will just return a private IP address? e.g. 192.168.0.1 not your WAN IP address...
Unless you are using IPv6 which doesn't support NATing (NAT is why in IPv4 your PC will have a completely unrelated internal private address than your internet-visible external address), therefore the local address on your PC is the world-wide unique visible address of your specific PC.
The IPv6 evangelists didn't consider security as part of the IPv6 standard.
Actually, IPv6 actually supports and encourages the use of NAT. What it doesn't like is one-to-many NAT, but it's entirely cool with one-to-one NAT, including ephemeral NATs for outgoing connections (so that they can't be back-hacked) as well as topology-scrambling NATs for incoming connections (so no one can figure out how your network is structured).
Just remember it's not the NAT that keeps your internal LAN safe but the firewall, which BTW is still encouraged in the IPv6 world.
Just don't use bloody Windows. it's not difficult to do. If you're serious, don't use it.
for me, i can't think of a single thing that i would like to watch, download (or whatever) which will have DRM on it .. but i'm fussy with content, i gave my TV away years ago (not because i'm being trendy) but because when 'Young Fishmonger of the Year' hit the screens, i decided TV had lost it's way. Films that everyone seems to bleat on about nowadays are mostly all utter crap, TV is either soaps, propaganda or UNreality TV and everything else has to have narcissistic wannabe's and a panel of f*%king judges too. so why download this shite ?
"Just don't use bloody Windows. it's not difficult to do. If you're serious, don't use it."
Unless you're a serious gamer who happens to do some serious WoW and/or Overwatch or other PC-exclusive top-end game that simply won't run on Linux. So if you're serious about security AND gaming, you can only pick one or the other.
And that is indeed the only reason I still use Windows, of which 7 will be the last Windows I will ever have at home.
By the time the hardware requires 10, I'm guessing between Steam and some others that will surely crop up, I'll be able to kiss that infested swamp good bye without (too much) regret.
I just hope Blizzard will grow up about it all, because Diablo III is great fun a half hour at a time.
The situation between Blizzard and Valve is the same as the situation between say BT and Sky: both are competing for the same audience and want to conquer the other. To them, sharing is surrendering. Blizzard knows they have hits with WoW and now Overwatch. People willingly pay bookoo bucks each month for the former, so they have proven natural draw and really don't need a third party to help them.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
