1995-09-11 - Re: Digital Fingerprinting

Header Data

From: tcmay@got.net (Timothy C. May)
To: cypherpunks@toad.com
Message Hash: a5b446a680ad4848100576931304e97fbdbd9601c4fe134900a80251a3121289
Message ID: <ac78f5a804021004b64e@[205.199.118.202]>
Reply To: N/A
UTC Datetime: 1995-09-11 03:26:09 UTC
Raw Date: Sun, 10 Sep 95 20:26:09 PDT

Raw message

From: tcmay@got.net (Timothy C. May)
Date: Sun, 10 Sep 95 20:26:09 PDT
To: cypherpunks@toad.com
Subject: Re: Digital Fingerprinting
Message-ID: <ac78f5a804021004b64e@[205.199.118.202]>
MIME-Version: 1.0
Content-Type: text/plain


Many interesting points here...but I'll stick to just one:

At 2:56 AM 9/11/95, Douglas Barnes wrote:

>    On the legal front, it's not clear what you can do to someone
>    even if you _can_ prove that the 100,000 pirate copies of Windows
>    95 circulating in Amsterdam stemmed from his copy. Machines get
>    hacked, co-workers and family members often have free access to
>    machines running software -- it's not clear that media companies
>    _want_ to invoke the paranoia associated with potential responsibility
>    for millions of dollars in damages if someone makes an illegal copy
>    of one's software and the loaves and fishes ensue. [Imagine what
>    great revenge this would make for jealous co-workers, ex-wives, etc.]

If a piece of mail addressed to me is found littering the highway, can I be
convicted of littering? No, because the _provenance_ of that item of mail
cannot be determined...it might have accidentally blown out of a trash
truch delivering my mail to the dump, for example.

Ditto for most schemes to serialize software. As Doug notes, the offending
item might have been copied when I wasn't looking, copied by my girlfriend
when I was away, or even copied at the factory or at the software store
prior to my gaining control. Or copied after I discarded it.

(Requiring owners of Microsoft Word to treat it like a state secret--more
on state secrets in a minute--is impractical and unenforceable.)

One thing serialization could do is to allow proof that a distributor had
not acquired a particular copy/instance through normal channels. But it's
usually obvious anyway when Joe's Really Cheap Warez has 200 copies of
Microsoft Word, all with the same serial number.

The "light signatures" scheme I've written about here could be used to
authenticate the distribution media itself, though not the installed copies
of course. (This would be like the Microsoft hologram, except in spades.)
Since the technology for this is not available to home or business users, I
don't see this as a viable approach.

Another thing that could work to foil mass counterfeiters is to serialize
the diskettes and include a hash of the serial number, as some lottery
tickets now include. Counterfeiters could try two basic approaches:

1. Make up their own numbers. But they could not compute a valid hash, as
they lacked the (presumably secret) knowledge to do so. With public key
approaches, a customer could "authenticate" that at least Microsoft, say,
must have generated the number.

(This doesn't take care of multiple copies of the same serial number, which
takes us to:)

2. Multiple copies of a single, valid serial number. Here, the
counterfeiter directly copies both the serial number and its hash.

(This approach doesn't work to counterfeit lottery tickets. The reason is
left as an exercise for the reader.)

One way I can think of to head this off is to have a registry of "taken" or
"sold" numbers, in which serial numbers are deposited. A purchaser could
consult this data base to see if the number on the package he is planning
to buy is already registered. (There are complications about time delays,
and so forth, but this would eventually limit multiple same number
packages.)

This discussion assumes that purchasers are interested in getting valid,
non-counterfeit programs. Many are not, of course. Certain types of
programs pretty much require support by the vendor, others don't. A
standard discussion topic.

I said I'd mention "state secrets" again. The usual example for making
subtle modifications to documents to see who leaked it is the intelligence
community, which gave us the term "barium" (because the changes look like
barium in an x-ray diagnostic).

In that case, the agencies can enforce their laws in a draconian way,
sometimes merely by suspicion. And the workarounds we discuss, of DIFFing
the files, are unlikely to be practical. ("Hey, Sid, can I borrow your copy
of "Covert Operations in Bosnia" so I can DIFF it with my copy?")

--Tim May

---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
Corralitos, CA              | knowledge, reputations, information markets,
Higher Power: 2^756839      | black markets, collapse of governments.
"National borders are just speed bumps on the information superhighway."







Thread