For more than a month, the Redmond, Wash., company has been combating a program released online called FairUse4WM, which successfully stripped anticopying guards from songs downloaded through subscription media services such as Napster or Yahoo Music.
Microsoft has released two successive patches aimed at disabling the tool. The first worked--but the hacker, known only by the pseudonym "Viodentia," quickly found a way around the update, the company alleges. Now the company says this was because the hacker had apparently gained access to copyrighted source code unavailable to previous generations of would-be crackers.
"Our own intellectual property was stolen from us and used to create this tool," said Bonnie MacNaughton, a senior attorney in Microsoft's legal and corporate affairs division. "They obviously had a leg up on any of the other hackers that might be creating circumvention tools from scratch."
In a Web posting early Wednesday morning, Viodentia denied using any copyrighted Microsoft code, and released yet another version of his tool.
"FairUse4WM has been my own creation, and has never involved Microsoft source code," the developer wrote. "I link with Microsoft's static libraries provided with the compiler and various platform SDK (software development kit) files."
This latest round of copy-protection headaches comes at a delicate time for Microsoft. In a few months, the company plans to launch its own digital music subscription service, called "Zune," paired with an iPod device rival of the same name. The package will compete with services from Microsoft's traditional partners, such as Napster and Yahoo.
The Zune service and device will use their own flavor of digital rights management, and this will not be directly compatible with Microsoft's partners' products, despite being based on the same Windows Media technology. The company is taking great pains to assure its partners that their PlaysForSure-branded products are still state of the art.
Two-pronged approach
At the moment, Microsoft is taking a two-pronged technical and legal approach to FairUse4WM that goes beyond the scope of its earlier DRM battles.
On the technical side, it is pursuing much the same strategy as in the past: studying the hacker's tool and trying to update its Windows Media technology to block it.
Indeed, the company's Windows Media copy protection technology was designed from the start to support swift updates that would address inevitable cracks. That has long been part of the technology's draw for record labels and movie studios, which are fearful that content protection flaws will lead to films and music being swapped freely online.
Microsoft's copy protection has been cracked before and then quickly fixed. Company representatives said that the FairUse4WM tool, despite its developer's success in breaking through the company's first patch, is simply triggering the same kind of security review that has happened in the past.
"This particular circumvention doesn't change that reality at all, or affect the underpinnings of the system," said Marcus Matthias, a senior product manager at Microsoft. "This is not quite as 'cat and mouse' as some people might have you believe."
The crack's unusual longevity has caused ripples of worry inside the digital media community, however. One service provider, the British network BSkyB, even temporarily canceled movie downloads.
Representatives from other services say Microsoft's previous rights-management security updates have been successful and expect this effort ultimately to be no different.
"One of the great features of the Windows Media DRM is its renewability," said Bill Pence, chief technical officer at Napster. "When the DRM system is compromised, we can incorporate updates with minimal impact on users, and we expect to do the same with the current patch."
Using courts to track a cracker
However, the federal "John Doe" lawsuit, along with "dozens" of legal letters sent to Internet sites that are hosting the allegedly copyright-infringing tool, is a decidedly different tack for Microsoft.
The copyright lawsuit was filed in Seattle federal court last Friday, without a name attached. Just as in the recording industry's many lawsuits against accused file swappers, it targets an unknown individual or individuals, whose true identity will be sought in the course of the case.
For now, that means going to the Internet service providers for Web sites where the original FairUse4WM tool was released, in hopes of tracking down an IP address or other digital traces that might lead to the developer, MacNaughton said.
Microsoft is also contacting other Web sites that have posted the FairUse4WM tool, asking them to remove the software, on the grounds that it contains copyrighted company code.
Company representatives declined to speculate on exactly how "Viodentia" gained access to copyrighted source code. The code in question is part of a Windows Media software development kit, but is not easily accessible to anyone with a copy of that toolkit, Microsoft said.
So far, little is known about the developer, who has used the pseudonym "Viodentia" in several online postings at a site called Doom9.org. "Viodentia" could not immediately be reached for comment.
After spending an unaccustomed month of grappling with the problem, Microsoft representatives stopped short of promising their latest Windows Media update will be impregnable--although certainly, the hope is that a third patch won't be needed. Viodentia's newest release, posted online Wednesday, will test the strength of the company's latest approach.
"Any time we put out an update, it is our hope that it will be as efficacious as possible," Matthias said. "It is our hope that the technical mitigations that we've put in place will do something to impede this circumvention."
Analysts say that "Viodentia" hasn't proved that Microsoft's DRM tools are fundamentally flawed, but has shown that the business of keeping it, or any rights management system, secure is increasingly becoming a full-time job.
"Any DRM out there is going to be cracked," GartnerG2 analyst Michael McGuire said. "More important is how the technology service reacts. Someone has to be keeping an eye online all the time now, looking for the next time."
