The iPod has caused a bit of a revolution in the music industry. By making the iPod incredibly user-friendly and providing affordable content, Apple has put more than 28 million iPods in the hands of consumers all over the world (with 10 million more expected to be sold before Christmas 2005). Consumers now expect that they can access legal music on demand for a dollar a song rather than having to go to the store to buy a CD for $15. And with the iPod you can listen to your massive music collection at home, in your iPod-enabled car, at the office, and at friends' parties. No more messing around with CD binders or a laptop full of music.
None of this is a surprise. We're all familiar with the iPod and its impact on society. It has become a household name. But from a security perspective, the iPod hasn't created the same ripple. Why should it? After all, it's simply a consumer electronic device.
Or is it?
Gartner issued a report in 2004 on how an iPod can be used to remove data from a corporate network. The iPod does double duty as a USB mass storage device and can serve the same role as a USB pen drive, but looks much more stealthy. Many people discounted Gartner's report, however, because USB storage tokens come in all shapes and sizes and it seems silly to single out the iPod for this purpose.
The big impact that the iPod will have on computer security is still in the future. Apple probably didn't intend it, but the iPod will likely prove to be an important stepping stone into solving a problem that has faced computer scientists for more than 30 years.
Controlling Data
Controlling access to data and resources is essentially the foundation of computer security. Many methods and mechanisms can be used to accomplish this type of access control, but historically they're generally software-only solutions. Further, most access control mechanisms are vulnerable to software bugs and implementation errors that can lead to data compromise. Also, these access control mechanisms must trust the environment or host on which they're running, in order to control access to data. If the host itself is compromised, the access control provided by the software is generally completely violated.
In 1971, Butler Lampson authored a paper titled "Protection," in which he puts forth the idea of multiple domains of information running a on a single host. The general idea is that each domain would execute independently and with potentially different rights existing for programs in each domain. Lampson's ideas became a sort of Holy Grail for computer scientists—provable separation of data and processing running on the same host.
Lampson's vision has many implications. For many years, the U.S. Department of Defense has pursued multi-level security (MLS) systems, in which data from different classification levels could be examined and processed on one system. In current systems, data from multiple classification levels must run on different computers because existing security mechanisms are not strong enough to keep data separate. For content providers such as record companies, Lampson's idea will allow them to ensure that their content is accessed only in a manner of which they approve. For instance, a system that has these domains implemented could enforce that MP3 files be read only by trusted and authorized programs.
The problem with reaching Lampson's vision is that it's nearly impossible to achieve complete control of data with a software-only solution. Complex software is difficult to create in a 100% secure manner; therefore, the access control mechanisms are not fully trustworthy. Also, the access control mechanisms themselves are complicated and require interaction with the user, the data "owner," management entities, etc.... It may look simple on paper, but Lampson's vision has been elusive for more than three decades.
The iPod and DRM
Search for digital rights management (DRM) on Google, and you'll find as much technical information as opinion on why it's a bad idea. In a nutshell, DRM is the concept of controlling access to content and media. It's the ability to enforce the rights of a content creator (or manager) on a piece of data. For example, if I create a book, I may wish that only people who had paid for the book could read it. In the physical world, the idea is pretty straightforward. In the electronic world, however, it's difficult to enforce.
Over the last few years, there have been many attempts at implementing DRM, and in general there has been incredible push-back by users. In 1999, Intel put a unique serial number in the Pentium III chip in an effort to help individually identify computers. Since the serial number was not tied directly to any one DRM mechanism, there was quite an outcry against Intel. The serial number was seen as a way to track users and felt like a "Big Brother" maneuver. Intel was eventually forced to remove the serial number from future chips due to public pressure and legal battles.
The lesson from the Intel serial number incident is that a DRM mechanism without a benefit for the user is going to meet a huge amount of resistance. The iPod and iTunes Music Store (ITMS) provide a counterpoint to the Pentium III serial number. To convince the major record labels to put their content on ITMS, Apple had to provide reasonable assurance that the music wouldn't be easy to pirate. Apple created a DRM mechanism that, in general, has kept piracy to a minimum. (In reality, Apple has been in a cat-and-mouse game with some very skilled security researchers who have repeatedly broken their DRM mechanism. However, the amount of piracy attributable to these attacks is minimal.)
So why have users adopted DRM so readily in the case of the iPod? In a nutshell, Apple found the killer app for DRM. Users can get music cheap and take it anywhere they want. By July 2005, Apple had sold more than 500 million songs on ITMS. Consumers have spent more than a half billion dollars on DRM'd media, effectively giving DRM a stamp of approval. Apple made DRM cool with the iPod.
Apple Switches to Intel
So the next piece of the jigsaw puzzle in realizing Lampson's vision is Apple switching to Intel. Apple has historically kept a stranglehold on their hardware. For a few years when Apple was really on the ropes, they allowed a competitive market to form around their hardware business. But once they were back on solid ground, they stopped all that and have been the only hardware provider for their software for the last seven years.
Part of how Apple enforces "users run Apple software on Apple hardware only" is by having a proprietary and relatively obscure hardware platform. Apple's operating system has been created to run on the PowerPC set of chips for the last decade, and with only a limited set of supporting hardware. This fact has kept even underground competition from affecting Apple's market or their products.
However, in June 2005, Apple announced that they would switch to Intel hardware. This change affects the landscape dramatically. In theory, a user would be able to buy a general-purpose PC and load OS X on it, thereby breaking Apple's rule of "users run Apple software on Apple hardware only." How will Apple keep control of their own hardware market?
Apple has already made DRM cool by providing value to the consumer, so now they're going to extend that idea. Apple is looking to use the Trusted Computing Group's Trusted Platform Module (TPM) to tie Apple software to their hardware. The TPM provides a cryptographic mechanism to prevent an unauthorized operating system from booting. Further, the OS can look for the TPM and, if it isn't found, the OS could refuse to boot.
The Trusted Computing Group (and its TPM) has been the target of privacy advocates for years. The TPM has been viewed as another example of evil technology that can be used and abused by corporations to repress the rights of the users. The reality is that TPM-enabled systems will probably be the foundation of the next giant leap in computer security. It's impossible to convince users to give up their privacy for the sake of security. Users will, however, give up their privacy if their life has been made better somehow, likely through entertainment. Apple on the Intel platform will probably make the new system so attractive for users that they'll happily overlook the TPM core of the machine.
Also, the TPM has not yet seen wide deployment. Software developers haven't had a chance to get used to programming to the TPM. Security researchers haven't had a chance to really poke holes in the Trusted Computing Group's architecture. And security engineers have not had a chance to figure out how to fully leverage the capability of a TPM-enabled system, especially at the enterprise level. Once Apple makes the switch to Intel, more than 2 million TPM-enabled hosts will probably be shipped by Apple in the first year. This will be a massive deployment of the Trusted Computing Group's architecture and give developers, researchers, and engineers the chance to beat on the technology.
Everyone Benefits
Apple will provide the trial by fire that the Trusted Computing Group's architecture needs. Once Apple has proven that it's technically possible to tie software to a hardware platform and win over users, other providers will follow suit. Specifically, Microsoft will have the road paved for them by Apple's maneuvers. They'll be able to integrate Windows onto a trusted platform and provide much higher-level trusted functionality than Apple will be able to give.
Ultimately, having a trusted platform on which to run general-purpose operating systems will result in totally new security capabilities. For the first time, transactions that are committed on a network can be traced all the way back to the trusted booting process and application launch on a specific host. Enterprises will be able to have much finer-grained information regarding the integrity of systems on their network. Users will have greater ability to prevent unauthorized programs from running on their PCs. And content creators will have greater assurance that their products and services are being used in the manner in which they intend.
Parting Shot
For the future of computer security, the iPod has been critically important from a societal perspective. Apple has made a controversial technology socially acceptable, thereby paving the way for greater capabilities. Putting DRM into the hands (and cars and offices and...) of millions of users, Apple has helped computer security to take a giant leap forward. The iPod has laid the groundwork for Apple to take another giant step—this time with the integration, and ultimate acceptance, of the Trusted Computing Group's architecture. And once Apple gets users onboard with the Trusted Computing Group, the rest of the software and hardware world will follow, allowing completely new uses and applications of computer security.