Slashdot Mirror


Ask Andre Hedrick About Hard Drive Copy Protection

You've read about it here on Slashdot and elsewhere: How the 4C Entity is developing copy protection mechanisms for removable drives (floppies, DVDs, etc.) that can also be used on hard drives. But Linux kernel hacker Andre Hedrick, member of both linux-ide.org and the industry-wide Technical Committee T.13 that sets ATA hard drive interface standards, has been raising a ruckus about copy protection on your hard drive, and he, along with EFF and EPIC, is trying to get this idea killed (or at least muted). So post any questions you have for Andre about this whole thing below, and tomorrow we'll shoot 10 of the highest-moderated ones to him by email. We'll post Andre's answers as soon as he has time to get them back to us, which may be a bit because, he warns, "everyone else is hounding me ..."

166 comments

  1. Their web site by scsirob · · Score: 2
    Isn't it ironic that their web site is www.4Centity.com...

    It pronounces as "Force Entity"...

    --
    To Terminate, or not to Terminate, that's the question - SCSIROB
    1. Re:Their web site by LarsG · · Score: 1

      It pronounces as Force Entity

      Check out Hedrick's proposal for a disable command (AC 4C pronounce as....):

      http://www2.linuxjournal.com/articles/briefs/0074.html

      "New Command Pair:

      Set Features CPRM Lock. 0x4C and 0xAC
      (Yes I cleverly picked the pair to reflect their true nature)"

      --
      If J.K.R wrote Windows: Puteulanus fenestra mortalis!
  2. How voluntary is voluntary? by squiggleslash · · Score: 5

    Is making the CPRM spec a feature that can be turned off truly making it voluntary, given that presumably some content will not be supplied to users who fail to leave CPRM enabled? Would it not end up being as "optional" as DVD CSS encryption and non-zero region encoding?

    --
    You are not alone. This is not normal. None of this is normal.
    1. Re:How voluntary is voluntary? by dagoalieman · · Score: 2

      What would you think about creating a file system instead of hardware encoded protection? Perhaps some way to make copy protection workable in a file system (and non-transferable to unprotected file systems) would work better, and with less commotion.

      --
      We don't need no Net Explorer We don't need no Thought control
    2. Re:How voluntary is voluntary? by MsGeek · · Score: 1
      Bad idea. Totally bad idea. But I suspect Microsoft is prolly working on this project as we speak.

      --
      Knowledge is power. Knowledge shared is power multiplied.
    3. Re:How voluntary is voluntary? by ideut · · Score: 1

      squiggleslash is a naughty naughty troll.

    4. Re:How voluntary is voluntary? by ideut · · Score: 1

      Heh heh.. looks like I've got a stalker.

  3. Choices... by cnladd · · Score: 5
    I apologize for the open-endedness of this question, but I have to ask it anyways. :)

    If this copy protection were to become mandatory, I can definitely imagine the effects that it would cause. But what effects - both long and short term - do you feel this would cause?

    --
    Welcome to the land of the easily amused...

    1. Re:Choices... by Mad-Mage1 · · Score: 3

      This type of tech is what scares me. Obviously readers of this (and others) have some sort of idea what these practices lead to in the future if left unchecked and unopposed, but the rank and file computer users rarely involve themselves in this. Most of them never even know such technologies are in their PC's, TV's, VCR's, etc... until they want to do something and they can't, or a mainstream news source picks up on it.

      I wonder though if those same users realize what we (meaning all those opposing these types of issues) are trying to save for them. If these censorship technologies get too strong of a foothold in the everyday lives of people, if it becomes impossible to buy a TV without some sort of monitoring device, or a HD with a chip that checks to see if you are "allowed" to copy that file, and these same technologies are protected so that we cannot remove them legally...Think of the future, it makes 1984 look simple.

      So to Andre I ask:

      Why do I supposedly need these tech in my HD, and how am I to be assured that it will never prevent me from using my PC in a manner that I wish whether that is legal or not?

      --
      The tree of liberty must be refreshed from time to time with the blood of patriots and tyrants.
    2. Re:Choices... by Datafage · · Score: 2
      Um, what would be the point if it never prevented you from using it in an illegal manner? That would be the way hard drives are now(and should be), but there would be no point if the control never stopped you from doing anything.

      -----------------------

      --

      Nicotine free Amish .sig.

  4. Microsoft's stance. by Siqnal+11 · · Score: 1

    Why is Microsoft against CPRM, if it prevents wholesale "piracy" of its software in developing nations?

    --
    You are a fucking moron.
    1. Re:Microsoft's stance. by pallex · · Score: 1

      Imagine the tech-support phone calls that would result!

      "My hard disk was stolen, I have a backup, but the disk won't boot"
      "Did it have CPRM enabled?"
      "Yes, is that a problem?"
      "Yes, you have just lost all your data, permanently. There's nothing we can do for you. Have a nice day (tm)"

    2. Re:Microsoft's stance. by sulli · · Score: 2

      Wouldn't it make it substantially more difficult to design and run media software? Rights management == high overhead, more bugs, lower reliability, dissatisfied customers, etc. MS like anyone else would want to avoid it at all costs.

      --

      sulli
      RTFJ.
    3. Re:Microsoft's stance. by Siqnal+11 · · Score: 1
      ...eliminating the competition there, with an eye toward future sales.

      You, sir, are fucken brilliant.

      --
      You are a fucking moron.
    4. Re:Microsoft's stance. by Sloppy · · Score: 3

      Copy protection is only tangentially related to piracy. It is very easy (logical, IMHO) to be anti-piracy and anti-copyprotection.

      This will just create additional expense for Microsoft, without having a significant effect on piracy. Copy protection normally only hurts legitimate users, not pirates.


      ---
      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    5. Re:Microsoft's stance. by lonesome+phreak · · Score: 1

      Working in tech support, that would be my dream. Right now we don't support win2k, so anytime someone calls in with a win2k problem I just say "I'm sorry, I have to send that to tier 2" and hang up on them. It would be the same, resulting in a much lower time-per-call for me and better stats, and therefore a better pay raise.

      --
      Maybe we DID take the blue pill. You wouldn't remember anyway.
  5. I thought that ATA CPRM was already dead. by AFCArchvile · · Score: 3
    In the Boston Globe (where I first found out about 4C and their nefarious plans), I read about the CPRM strategy, and how they whined that they wouldn't be able to implement it globally for computer hard drives. Unfortunately, the craze with firmware-enabled hard-drive controllers (of which HighPoint, Promise, and CMD are the three main culprits) could change this. However, I don't think that the gov could force everyone to replace their hard drive controllers.

    Either way, go get 'em Andre! I hope that you'll keep the Win2K users in mind as well, because no anti-DMCA techie leaves another anti-DMCA techie behind.

    --
    "Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
    1. Re:I thought that ATA CPRM was already dead. by DEATH+AND+HATRED · · Score: 1

      Is this in the controller itself? Could I kill this feature by using the SCSI controller I have now? Oh yeah, ide. Anyways same thing, can you use an old controller that doesn't have the CPRM built into it with a new drive that does, and get past the control that way?

    2. Re:I thought that ATA CPRM was already dead. by LarsG · · Score: 1

      Is this in the controller itself?

      No. It is implemented in the harddrive.

      One way of avoiding it is to make the ide driver in the operating system ditch the CPRM specific commands, or fake "operation not supported" replies. You also want to disable raw access to the drive from applications.

      I'd expect CPRM enabled software players/downloaders to complain if the feature is unavailable, though. "Your storage medium does not support content protection. You are not allowed to store the music album you just purchased."

      --
      If J.K.R wrote Windows: Puteulanus fenestra mortalis!
  6. Hardware/Software by JPelzer · · Score: 2

    Alright, the whole idea of CPRM really does scare me. I'll buy drives from manufacturers that don't support CPRM if I have to.

    My question however, is that even if this standard is "beaten down" in ATA, how likely is it that a software-only solution could be devised? Don't hard drives already have unique ID numbers encoded on them?

    Are we directing our attention to the wrong problem, where instead we should be clamouring for fair-use protections in general?

    Perhaps this is too political a question, but I'd love to hear the thoughts of someone so close to the issue.

    -Jason

    1. Re:Hardware/Software by btempleton · · Score: 2

      That's where my question comes in -- I understand the purpose of the unique serial number on the media in CPRM, so that anything you buy to play from that particular device is encoded so you will need the unique serial number in order to decode it.

      But what precisely are the large bank of keys also on the disk for? Do they come with protected items you buy? How are they involved in decoding?

      The question of "optional" implementation of CPRM is a silly one. The whole SDMI plan is they wish to release music that can only be played by SDMI compliant devices. The major record labels plan to use their oligopoly power to assure that almost all popular music can only be played by an SDMI compliant device.

      So if you don't have a compliant hard drive in your computer, your computer won't be a compliant device, and it won't be able to play such music. You can download the music to your hard drive then copy it into your compliant portable player, but it will only play in the player which knows how to decrypt it, not on your computer.

      So you can "opt out" of having your hard drive have this function, but that doesn't matter to them.

      What matters to them is that compatible players become widespread, so that they feel a critical mass has been reached which will allow them to release content that can only be played on compliant devices and not be hurting their market.

      Or rather that the lost sales from people who don't have a compatible device, or have "turned it off" are, in their opinion, fewer than the lost sales from copyright infringement.

      --
      Has it been over a year since you last donated to the Electronic Frontier Foundation
    2. Re:Hardware/Software by bobv-pillars-net · · Score: 1
      I'll buy drives from manufacturers that don't support CPRM if I have to.

      As of this moment, what manufacturers don't support CPRM?

      Of those, which would you buy from, personally, and why?

      --
      The Web is like Usenet, but
      the elephants are untrained.
  7. Wasn't this already approved for SCSI? by onyxruby · · Score: 1
    I have read that this level of "copy protection" has already been approved for SCSI devices. Do you know if this is in fact the case, and what other devices may have this built in?

    My second question, does the 4C have even the slightest concern for the consumer in all of this?

  8. What can we do to help you? by rho · · Score: 5

    This proposal is a tragedy to personal liberties and freedoms (and rates pretty high on the Suck-o-Meter), and your efforts thus far are admirable.

    So, I want to know, what can we do to help? Letter writing, calls, faxes? Stand around and go "Brrbbrrbb" with our lips?

    How can we aid your efforts in the most effective way?

    --
    Potato chips are a by-yourself food.
    1. Re:What can we do to help you? by Hellburner · · Score: 1

      Mod this up. (Not MY post you boneheads, the one to which I am currently replying.)

      What can we do?
      Letters to ignorant and ineffectual representatives?
      Calls to faceless and uncaring corporations?
      Protests on the campuses of universities already co-opted and servants of The Corporate Good(TM)?

      I'll slap you all if you brand me a marxist, kids, but this collectivization of power into The Hand of the FedAOLWarnerMSFTSonyishibaBMG MCP is giving me the creeps. The monolithization of supposedly capitalist free society is acquiring a remarkable resemblance to the Central Committee for the Economic Plan of the Supreme Soviet. Or whatever.
      Are we (the geek (sp. homo sapiens technii)) to be reduced to dissidents? This crap about re-wiring drives sounds like samizdat tape and document exchanging students behind The Wall in the 70's. This is nuts. Wake up, folks. The revolution IS being televised: and it's like a bath of hot sweet honey that flows over you then suddenly turns to molten steel and then shifts into concrete.

      This is crazy. And there is no "public figure" advocate to fight this garbage. No "media celebrity", no true statesman, no leader, no Joan of Arc.

      Seriously, who's got an idea?

    2. Re:What can we do to help you? by Darkstorm · · Score: 1

      Anyone out there work for one of the major hd manufacturers? Start spreading the word that this new "standard" will cost them sales, will increase support costs. It will be a big problem for the hd makers themselves since anytime this thing screws up or the software controlling it makes a mistake they will be calling the hd manufacturer thinking their drive is bad.

      --
      If ignorance is bliss, the world is full of blissful people
    3. Re:What can we do to help you? by Danse · · Score: 2

      What about the journalists that do hardware and computer reviews? Are they all in somebody's pocket already, or could they help spread the word in mainstream computing mags like PC Magazine and such? Would they do it, or are they beholden to the advertisers?

      --
      It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
  9. Can we REALLY win? by JCCyC · · Score: 4

    As in, is there a >0 probability of this monstrosity NOT making it into the official standard? (as opposed to merely becoming "optional", which would be the proverbial foot in the door)

  10. Nodding to civil disobedience? by AlephNot · · Score: 2

    If copy protection ever became a nonoptional part of hard drives, would you support potentially illegal efforts to circumvent the copy protection? That is, to what extent will you defend the principle of truly free information, vis-a-vis the copy protection of the MPAA et al?

    --
    "Feel a glory in so rolling / on the human heart a stone" --E. A. Poe, "The Bells"
    1. Re:Nodding to civil disobedience? by SquadBoy · · Score: 3

      Making this a legal part of hard drives would be very hard. It would require that somehow they get import controls on hard drives. That they get all the older drives out there to convert etc. etc. More likely is that some software just would not work on drives that do not have it. Think about it: you can get DVDs that do not have or use the MPAA's copy protection; it is not a legal mandate that they have to have it. You just can't have certain content if you don't. The same would go for drives; odds are all the drive builders would build drives that have it and that don't. Just like Sony builds a DVD player that can use more than one region code. It would then be about content and OSS would win another one. Not to say it is not scary, but unless you try and crack it to use some bit of software that needs it on a drive that does not have the protection, it would never be illegal to have drives that do not have the protection and use software that does not care.

      --

      Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
  11. How to defeat it? by sulli · · Score: 5

    If this is forced through the industry, how would one write a DeCSS-like tool to defeat it? Is it in some way bypassable in software?

    --

    sulli
    RTFJ.
    1. Re:How to defeat it? by deathcubek · · Score: 1

      Damnit. I was going to ask the same thing.

      --

      New worlds are not born in the vacuum of abstract
      ideas, but in the fight for daily bread
      --Rudolf Rocke
    2. Re:How to defeat it? by nightfire-unique · · Score: 2
      I know you're looking for his answer.. :) but an encrypted filesystem would certainly do the trick.

      --
      All men are great
      before declaring war

      --
      A government is a body of people notably ungoverned - AC
  12. Better solution? by RareHeintz · · Score: 4
    The hard-drive copy protection scheme seems to me to be yet another attempt (in the vein of DVD/CSS, DPMI, etc.) to maintain a legal structure (that of multinational corporations with scarcity-based proprietary information models) with a technical fix. On /., it may be taken as an article of faith that such efforts are doomed - smart people solve legal problems with lawyers, and technical problems with technology, and know the difference.

    My question, though, stems from the fact that (like it or not) software companies are within their rights to get paid for software they write, and to set up their own price structure, and to prosecute those who steal their software.

    So the question is: If this misguided idea of hardware-based copy protection gets successfully scuttled (and I hope it does), what better solution might there be for proprietary-model software companies that has the benefit of providing them superior protection from pirates without screwing the rest of the world out of the benefits of the currently open hardware model, such as "fair use" under copyright law?

    My US$.02: Coming up with such a "third way" solution could go a long way toward killing media-based copy protection - give them an out, and they might take it.

    OK,
    - B
    1. Re:Better solution? by Kwikymart · · Score: 1
      "My question, though, stems from the fact that (like it or not) software companies are within their rights to get paid for software they write, and to set up their own price structure,"

      Well, the truth is, corporations don't have the liberty to partake in such things as industry wide price fixing. In my view, CPRM (or whatever the hell it is) is exactly the same abuse of power by corporate collaborations. They are using their collective power to screw consumers out of their freedoms (instead of their money, in this case)

      " and to prosecute those who steal their software."

      This is a whole other topic right here. Under only one circumstance do I see real "stealing". This is when, and only when, someone pirates the software they were intending to purchase beforehand or in any time in the future and does not pay for it. Most people pirate software that they would never in a million years purchase at the prices software distributors charge. These software companies write these off as "lost revenue" and attach a price tag to these "lost sales" when they would never have had a sale in the first place. You can't actually steal something without depriving someone of something that they have ownership or rights to. When you download some "warez" to decide if you want to use it or not, or just use it forever but don't actually need it nor would have paid for it, you are really not taking money out of the pockets of anyone. It's a grey area when it comes to non tangible goods, there is no fine line that distinctively separates stealing.

      --

      Buying a Dell computer is equivalent to dropping the soap in a prison shower.
    2. Re:Better solution? by RareHeintz · · Score: 1
      They are using their collective power to screw consumers out of their freedoms (instead of their money, in this case)

      Well, I think the former translates pretty directly into the latter, or the companies in question wouldn't bother. But that's splitting hairs. ;)

      Under only one circumstance do I see real "stealing"... [much good stuff elided]

      I agree with you - I'm not speaking of students, trial users, or warez bratz here, I'm talking about wholesale-level, shrink-wrap, counterfeit-the-authentication-holograms piracy like the kind the Chinese gov't turns a blind eye to. That kind of piracy does bite into legitimate sales and represents a real loss. It also seems to fit your (wisely narrow) definition of "stealing".

      OK,
      - B
  13. What manufacturers DO NOT support this? by theMAGE · · Score: 1

    We heard about Intel and IBM... [And I have recommended IBM for so long].

    I want to know where my money will go: Is VIA supporting this? And how about other hard-drive manufacturers: Seagate, Maxtor?

    Would you advise buying Samsung and Fujitsu for IDE drives?

    And finally: what IDE harddrive do you see yourself buying in a year?

  14. Why just IDE and not SCSI ? by Flabdabb+Hubbard · · Score: 1
    If this copy protection is such a good idea, why hasn't SCSI been extended to support it ? SCSI is superior to IDE in all other ways (speed, access time, capacity, latency etc )

    1. Re:Why just IDE and not SCSI ? by JesseL · · Score: 1

      SCSI is superior to IDE in all other ways (speed, access time, capacity, latency etc )

      You forgot the one that decides most consumers - Price.

      Also many of those factors have nothing to do with the interface used, SCSI is usually just the first to benefit from technological improvements in manufacturing that eventually get applied to IDE as well.

      --
      "I would rather die on my feet than live forever on my knees!"
  15. I don't listen to MP3s or play DVDs by HuskyDog · · Score: 5

    I don't use my Linux machines to read "entertainment files" (MP3s, DVDs etc) or run any closed source software. I just read Slashdot, send email and hack code. Is there any reason why I wouldn't be able to continue doing this on one of these crippled drives?

    1. Re:I don't listen to MP3s or play DVDs by Afty0r · · Score: 1

      Assume that this makes it to the ATA standard, all hard drives will then contain the CPRM hole, you will be unable to purchase a modern hard drive without the CPRM hole. In time, current HDs will become too small/slow to be practical with the demands of the OS/applications. At this point you will have to have a hard drive with a CPRM hole, and then you're in trouble. I sincerely doubt that the CPRM technology will be placed in the open source community, meaning that Linux will be able to support it. As the coward above states, it will not authenticate with the HD, so Linux will not run on the CPRM drive as its authors will refuse to write a kernel with code that is not open source to work with the CPRM technology. At that point, you will not be able to surf slashdot anymore - and will probably have to use a commercial OS, or at least one that is not truly open source.
      -------------- Russ
      Conscience? Is that *still* in the dictionary?

  16. Where's the power by Shotgun · · Score: 2

    To get people to change their actions usually requires that you have a stick to beat them with. The stick is usually made up of some sort of power over things that the person cares about. Where does your power to effect change within the standards come from?

    It is assumed that certain media conglomerates are responsible for this bug. Where does their power to move the hardware manufacturers come from?

    Finally, do the manufacturers even care what Open Source advocates have to say, and if so what is the most effective way for Open Source advocates to provide input?

    --
    Aah, change is good. -- Rafiki
    Yeah, but it ain't easy. -- Simba
  17. Firewire? by Siqnal+11 · · Score: 1

    Does this standard affect FireWire devices?

    --
    You are a fucking moron.
    1. Re:Firewire? by kyrre · · Score: 1

      Yes, fire wire, cd's, and flash chips will be affected.

    2. Re:Firewire? by Schnedt+Microne · · Score: 1

      Flash chips?

      They're going to put a state machine in all the flash chips so if I try to write an unapproved pattern to, say address 0x01FFF in Block 3, it refuses to accept it?

      I think you must mean 'Modules which are made out of flash chips' or something. Flash chips have data busses, address busses, and control lines.

      --
      Hay thar.
  18. How does 4C justify their position? by plover · · Score: 5
    What is 4C's response to "why don't you push for enforcement of the current copyright laws instead of an unpopular techno "fix" that will be thwarted upon release?" How do they justify their position?

    John

    --
    John
    1. Re:How does 4C justify their position? by Snowfox · · Score: 5
      What is 4C's response to "why don't you push for enforcement of the current copyright laws instead of an unpopular techno "fix" that will be thwarted upon release?" How do they justify their position?
      Most importantly - how does the 4C justify their position to the consumer? How is this in the consumer's best interest?
    2. Re:How does 4C justify their position? by Petrophile · · Score: 2

      I think the argument is "If we PC companies don't get onto this Secure Media initiative, Hollywood and the consumer hardware companies (Sony, Phillips) will create their own appliance boxes and cut us out of the action. Therefore we have to do the previously unthinkable and close our systems or home PC users won't be able to take advantage of all of the wonderful PPV secure digital audio and video services Hollywood is thinking up."

      Which is bullshit, of course, because the media industry has tried repeatedly to turn the "set-top box" into the digital distribution point and failed every time. The *only* thing that's worked is Internet-connected PCs and what comes with that is any damn application someone can dream up, copy prohibition or no. So, now the goal is to turn the PC back into that closed set-top.

    3. Re:How does 4C justify their position? by Darkstorm · · Score: 1

      How is this in the consumer's best interest?

      I think that's the point, it's not. The only person to benefit from hd copy protection is big corporations. Why don't they just come out and say that they think all consumers are thieving bastards and that they want to control what we can and cannot do on our computers.

      What is really scary is the fact that all it takes is the right amount of money and you can have control over someone else's computer also (under hd copy protection).

      --
      If ignorance is bliss, the world is full of blissful people
    4. Re:How does 4C justify their position? by zerocool^ · · Score: 1


      Also importantly, In order to justify it to the consumer, the almighty dollar (pound ruble shekel) comes into this. The entertainment industry is pushing this for financial benefit for them (no copied art) at the cost of the consumer. What's the per-drive cost increase for the consumer, assuming this gets enacted? ~zero


      insert clever line here

      --
      sig?
    5. Re:How does 4C justify their position? by mikers · · Score: 1

      It's not in the _consumer's_ best interest, it's in 4C _industry member's_ best interest.

    6. Re:How does 4C justify their position? by BSDevil · · Score: 1
      They justify their position to Joe User from Utah (sorry if anyone's from Utah) by saying that having a drive that supports this standard will allow them access to special pieces of software and special applications that those evil people who use Napster and DVDs won't be able to. They'll say that soon everybody's going to be using it (regardless of the truth), and that if (for some silly reason) they oppose it, they'll be left out.

      You have to realize that we (Slashdot readers) are for the most part much more educated than the average computer buyer. They'll see "special access" and "enforcing laws to protect workers" and "defeat piracy" as what they are told, not what they are. They will not see what is going on.

      95% of the computer doesn't know what a "napster" is, has never seen or heard an MP3, and thinks Open Source is some kind of cult. This is what we're up against; people who are of the belief that if you've done nothing wrong, then why should you oppose something that prevents people from doing things the Industry tells them not to. We need to educate the average person before any fight against this type of thing will work.

      Last time I wrote something about a topic like this, it was called 'Flamebait' - it's not. It's a cold, hard dosage of the Truth. Don't pretend you don't see it.

      Dan.

      PS - If you're looking for my answer in the form of a question, it would be "How can we educate Joe User to what all this really means without scaring and confusing him."

      --
      Cue The Sun...
    7. Re:How does 4C justify their position? by Danse · · Score: 1

      Now, *hearing* about Napster is easy. It's in the newspaper all the time...

      Of course half the articles I've seen on Napster say that Napster is a website that lets you trade MP3 files with other people.

      --
      It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
  19. Questions Answered by packphour · · Score: 1
    Since there's no telling when Andre will be able to get to the questions, I took the initiative to go find answers for my fellow /.'ers. So as you all know, when you have a question- the man to see is Jeeves. Below are his insightful and helpful answers.

    Question: Does the 4C have even the slightest concern for the consumer in all of this?
    Jeeves Answer: Where can I find the lyrics to songs by All/Descendants?

    Question: Why is Microsoft against CPRM, if it prevents wholesale "piracy" of its software in developing nations?
    Jeeves Answer: Where can I find the Web site for the company Microsoft?

    Let's see if Andre even comes close to the revelations and understanding that Jeeves provides.

    --

    -p4

    (c) All Rights Released.

  20. Answer: by Siqnal+11 · · Score: 1

    Do my dishes.

    --
    You are a fucking moron.
  21. What Can I Do? by Anonymous Coward · · Score: 2

    What is the best way for me to prevent this spec from being implemented and help you in your cause?

    --Bill 'EvilBill' Adams

  22. protections on fair use rights by AntiNorm · · Score: 4

    How will (or will) consumer rights to fair use of content be protected through all this?

    ---
    Put your feet out and stop ... climb out and hang ...

    --

    I pledge allegiance to the flag...
    of the Corporate States of America...
  23. I'm still confused by HuskyDog · · Score: 5
    Can you please start by providing an idiot's guide to how this CPRM thing is actually supposed to work.

    I gain the impression that compliant (presumably closed source) software encrypts data as it flows on and off the drive using keys which are specific to each drive. So, if the file is moved to a different drive it won't decrypt any longer? Have I got the right idea? If so, it's only applicable to those prepared to run closed source software, right?

    1. Re:I'm still confused by f5426 · · Score: 2

      > Can you please start by providing an idiot's guide to how this CPRM thing is actually supposed to work.

      Yes, yes, yes. I was about to ask the exact same thing.

      In particular, I'd like to see when the data is encrypted/decrypted, and on what key.

      For instance, if I buy a song on the internet via a proprietary browser, on a proprietary OS, and later play it with a proprietary music application, I fail to see why I can't fool the disk by writing a 'music' application that writes the music back to the disk as a raw unencrypted mp3 file instead of playing it (by reverse engineering the player application, if necessary).

      Please, please, enlighten me.

      Btw, I am French, and I will now have to pay a 3.70 francs (about 70 cents) tax on the CD-Rs I use to do my weekly backup (a lot of thanks to the socialist government). I never 'pirated' music, but now feel entitled to.

      Cheers,

      --fred


    2. Re:I'm still confused by Trojan · · Score: 1

      If mangling of files would get around CPRM, then a simple change to the filesystem would disable CPRM. On the linux-kernel mailing list I read that this would not be possible.

      Therefore, it looks like _anything_ you write to disk will need to be signed before the controller accepts it, so effectively you won't be able to store data you generate yourself.

      Ok so that's madness... but is there any other explanation?

    3. Re:I'm still confused by nightfire-unique · · Score: 2
      Therefore, it looks like _anything_ you write to disk will need to be signed before the controller accepts it, so effectively you won't be able to store data you generate yourself.

      While I doubt it, I certainly hope that's the case. Beauty would be all of the Windows users getting sucked into the trap, only to lose all of their data and investments again, when something goes wrong. Sometimes it takes a few iterations before the cost of proprietary solutions becomes evident.

      --
      All men are great
      before declaring war

      --
      A government is a body of people notably ungoverned - AC
  24. Lame by meadowsp · · Score: 1

    A very lame rip-off of Satirewire. A bit more originality next time please...

    1. Re:Lame by packphour · · Score: 1
      Don't I have to first be previously aware of Satirewire before I can be accused of ripping it off?

      A bit more understanding next time please...

      --

      -p4

      (c) All Rights Released.

    2. Re:Lame by sjames · · Score: 1

      Don't I have to first be previously aware of Satirewire before I can be accused of ripping it off?

      That depends on whether or not they have filed a patent!

    3. Re:Lame by packphour · · Score: 1
      Well, since we're all "techies" here I think we can use statistics to determine the probability of me previously knowing about Satirewire.

      Millions of sites, one of me. Let's say I've been to 100,000 domains (unlikely but I'm trying to be fair to you). If my calculations are correct, the maximum probability of me visiting Satirewire is 10%. Therefore, the assumption of your conclusion would be inaccurate.

      My post != Rip-off.

      Now as far as it being "lame", that dives into psychology in which there is no formula to apply.

      --

      -p4

      (c) All Rights Released.

  25. What is the mood of the T13 on this issue? by Kagato · · Score: 5

    To be honest I'm leery here. When I look at the officers for the T13 (Maxim/Quantum personnel), and add that to the locations the meetings take place: Microsoft, Dell, Seagate, Western Digital, etc. I can't help but to think that the end result is going to be business interests ahead of consumer interests.

    What is the mood of the T13 on the issue? Are you part of a minority, or part of the majority on this issue? Do you think you will win on this issue?

  26. The Sounds by okmar · · Score: 1

    I hear the sounds of herds of people running out and stocking up on current drive technology in order to have something to use if this is implemented.

    some questions:

    1) Mutual hardware support in boxes. OSes, Other hardware, etc?

    2) What will be allowed?

    3) Owner should have the option of disabling. Like old satellite dish signal scrambling technology. (A person could buy a descrambler.) In this case, an interface that most users never see. Kind of like the preferences areas of most OSes that no one ever knows are there unless you go looking for them. Make it a Hard Drive BIOS with the ability to set its parameters from the boot origin.

    4) Will there be *tripwire* type logs that will be sent to some where indicating that copy material was attempted to be accessed or cracked?

    5) Why this and not an attempt to control the art of Cr/Hacking? Not that I'm opposed to either, it's what feeds the industry...




  27. Moving from hardware to IRL implementation by steelwraith · · Score: 2
    If this standard did in fact become the 'law of the land', has the T.13 figured out how the implementation would affect several activities that are common today?

    How would the drive know that something is 'legal'? Would it really have to contact a server somewhere to validate the software or file? What happens if you need to get the system operating to the point that you get a network connection to validate the OS, but can't get the system up to that point without validating that the OS is legal? I have no doubt that if CPRM is on a drive, that entities such as MS will require it be used.

    Say that the 'go key' for the OS is stored on the drive in such a manner that it can access it without validating it with an external source. Would the same hold true for other files? What would prevent someone from developing an application that could generate a valid key, and either 'trick' the drive into accepting it, or in fact giving an 'a okay' signal itself without checking the drive in the first place?

    It just seems to me that this is a no-win situation for everyone, as the less technically inclined will suffer grievously for the actions of a few, and the technically astute will find ways around CPRM in short order, thus invalidating its reason for existing.

    1. Re:Moving from hardware to IRL implementation by theman2 · · Score: 1

      I have no doubt that if CPRM is on a drive, that entities such as MS will require it be used.
      Microsoft has never used any copy protection on their OS. Try copying any of the win 9x/NTx cds onto your hard drive and you will quickly learn that the only protection is the serial number. I seriously doubt that Microsoft will make your computer dial up some number to check that you own the OS just because a new copy control has been built into the ATA specs.

    2. Re:Moving from hardware to IRL implementation by steelwraith · · Score: 1
      They never forced the issue because they never had a way to enforce such a practice via hardware; without hardware being in the loop, there would be no way to create a 'foolproof' anti-piracy mechanism.

      CPRM would give them that enforcement mechanism. If they could tie a specific OS/application license to a specific piece of hardware (in this case a HD) via an encryption key created for a specific HD serial number (or master encryption block), and force that piece of hardware to validate that the OS/application is valid (and registered), then you wouldn't have PC shops cloning 1000 versions of an OS with the same serial number, as it had already been registered to one specific HD.

      In this case, I fully believe that MS and other software companies would implement a requirement for CPRM hardware compliance into their operating systems and applications, so that they could cut down on 'piracy'. If the software couldn't 'call home' it would refuse to install.

      And I guarantee that the mechanism to allow a person to re-install software onto a new HD (in the case of HD failure) would make the U.S. Tax Code read like 'See Jane run'.

    3. Re:Moving from hardware to IRL implementation by theman2 · · Score: 1

      Haven't you ever heard of OEM disks? Microsoft gives Dell and all the other places different installation disks. The big difference is that the serial number is not needed until the installation is finished. Dell makes one good installation of the Dell XXX laptop with all of the software and hardware properly configured. Then, they copy it to every machine with the same exact setup. Then, each machine is booted and its legal serial number is entered.
      That is a special tool that Microsoft provides to companies. They aren't going to stop providing the OEM disks just because a new copy control scheme has been implemented. Dell would whack Bill Gates around with a large stick if they had to go through the process of installing the OS on every machine.

    4. Re:Moving from hardware to IRL implementation by steelwraith · · Score: 1
      It's ZDNet, so take this with a grain of salt, but..

      http://www.zdnet.com/zdnn/stories/news/0,4586,2672 131,00.html

      Looks like MS is already going this route..

  28. Beneficial uses for this by Ex+Machina · · Score: 3

    Are there any possible beneficial uses for this technology, like implementing some sort of improved filesystem security model under Linux (or *BSD or Windows) that would be helpful to the BOFH?

  29. Isn't CPRM actually a Good Thing? by Vanders · · Score: 2

    Excuse me for breaking into the screaming and hysterics and all, but what's so bad about CPRM?

    From what I understand, CPRM relies on not just a CPRM compliant drive, but also CPRM compliant software & CPRM compliant data. All CPRM does is allow CPRM data to be stored on a CPRM area of a CPRM protected hard drive with CPRM software.

    Now, this doesn't actually stop anyone using the non-CPRM portion of the drive. In fact, the non-CPRM section of the drive operates as a normal harddrive. It doesn't stop me storing my MP3's that I downloaded from Napster, or that DivX;-) I leeched from Usenet. In short, it doesn't stop me doing anything I do now.

    It seems that CPRM is the only way that these companies are ever going to accept the Internet as a viable distribution channel for their movies, music etc. That's not to say that when CPRM becomes a standard, that people will stop trading non-CPRM media the same way they did before by ripping the CD, DVD etc.

    So surely, if CPRM means that we can finally download those films & MP3's legitimately, that's got to be a good thing? Those who still want to pirate their stuff can do so, CPRM doesn't stop them using the old piracy methods. The only possible downside to this is that 4C may exclude Open Source from implementing CPRM, but then surely they want CPRM to be accepted industry wide, so why would they do that?

    Really, my question is, why are you so against CPRM? What does it stop us from doing that we don't do already, & why can't we just ignore it?

    1. Re:Isn't CPRM actually a Good Thing? by mikeee · · Score: 1

      So surely, if CPRM means that we can finally download those films & MP3's legitimately, that's got to be a good thing?

      But we'll not be able to download them with an open-source app. CPRM + DMCA = no legal open source for popular media formats.

    2. Re:Isn't CPRM actually a Good Thing? by SmokeSerpent · · Score: 1
      1. You will only be able to legitimately view and download music, books, etc. using "approved" applications. What happens when you upgrade to Windows 2004 and your book-reading software is not compatible? You have to buy new book reading software. (And hope that the books you bought are in a compatible format.) What if you use a different OS entirely?
      2. Hard drives don't last as long as vinyl or polycarbonate or paper. Are you okay with paying for a book or music that could become unusable tomorrow if your hard disk fails, since you can't back it up?
      3. How many sectors of your life should megamedia companies have control over? At what point do you finally say "enough"? Will it be too late then?
      --
      All kings is mostly rapscallions. -Mark Twain, The Adventures of Huckleberry Finn
    3. Re:Isn't CPRM actually a Good Thing? by Fruit · · Score: 3

      The Right to Read is a small story written by RMS which I read some time ago.

      When I first read it, I thought that (a) RMS is not a very good writer and (b) what he sketches is vastly exaggerated.

      After seeing this copy protection scheme I still think RMS doesn't write very good stories, but I'm beginning to suspect that his dystopia isn't that far-fetched at all.

      You see, hard drive encryption is not where it ends! Soon, everyone will be using it and you won't be able to get anything done for your school or company without it. Until now we have managed to avoid things like this but when cryptographic hard drives are involved, things will get a lot tougher. What will they come up with next?

      Ironically, in this capitalist world it may not be the state muffling free speech and human rights but large corporations and cartels. We need a cushion between consumers and companies, being able to copy materials at will is one such cushion.

  30. Killing the pirates? by Foxxz · · Score: 1
    Hollywood thinks that this protection will help rid themselves of pirates and force people to pay money for content. If pirates HAD the money to go out and buy the merchandise, they probably would. Isn't Hollywood then shooting itself in the foot since it's trying to make people pay for what they cannot afford? Since when has Hollywood been allowed to design our computers? I believe that if any producers actually used the technology they are about to impose they would quickly withdraw. How does this new standard benefit the consumer and why did the organizations even consider making this standard? I guess what I'm trying to get at is, you can't wring any money out of people that don't have any, so why bother?

    -Foxxz

  31. Why? by X.25 · · Score: 1

    Did anybody ever ask the vendor a simple question: WHY?

    I mean, did anybody ask guys from IBM (face to face), for example:

    Why do you want to implement this?

    If so - what happened? What was the answer? I mean, do they start talking about 'copyright protection', 'request from MPAA/RIAA/whoever', or they even mention word 'consumer' somewhere in the sentence?

    I found that "PR people" (I'm sure engineers don't give a damn about these things) can spend hours making press releases, but when you ask them a direct question face-to-face, they get completely lost (meaning: you can easily see that they're lying, and have no idea what they're talking about). The more 'simple' the question is, the more "I'm lost" faces we get.

    Any experiences? :)

  32. Isn't this just encryption support? by acoopersmith · · Score: 1
    Couldn't it also be used to encrypt/protect data files as well? (Has anyone pointed out to the FBI & NSA that this could be yet another way to block what they consider to be their god-given right to read everyone's electronic data?)

    Perhaps companies could use it to make sure hard drives are unreadable outside their corporate networks or without a key stored on the employee's smart-card ID badge.

    1. Re:Isn't this just encryption support? by Vanders · · Score: 5

      Very good point. Has anyone pointed out to 4C that CPRM could cause a user in the UK to be in breach of our Oh-So-Wonderful RIP law?

      "Sorry Mr. Judge, I cannot supply the data that was on the drive, as it is CPRM compliant and I do not have the keys to decrypt it any more."

    2. Re:Isn't this just encryption support? by Chang · · Score: 1

      You don't need crap in the hardware/firmware to encrypt data on a disk drive.

      You can do this today if you really want to.

      Why make things more complicated than they have to be? I want drives to be just a generic place to store crap. I don't want my drive "knowing" anything about my data except how to find a given cylinder/sector/head and how to cache the data in and out.

  33. Hmmm... by Mister+Transistor · · Score: 1

    As an old school cracker, I can only repeat "My Axiom" (for lack of a better name) - "Any system that can be devised, can be defeated." Now how much more money, useless effort, and general mental masturbation will go into "perfecting" a new copy protection system, only to see some 13 year old crack it in 3 hours? Are we going to just see a CD-based type of Everlock/Prolock/etc? Those worked REALLY well in their day (HAR!), and just caused end users endless headaches trying to make legitimate backups and keep from botching up their protection schemes, while us crackers would be "unencumbered" from the protections within short order. Histeria repeats itself?!?!

    --
    -- You are in a maze of little, twisty passages, all different... --
    1. Re:Hmmm... by -Harlequin- · · Score: 4

      I think you're a little too overconfident - there is a very real chance that, for the first time, you'll be up against real encryption technology - the kind of stuff that military intelligence can't break.

      If things go badly, the only workable "crack" might need to be installed with a soldering iron and some expensive components. And once it's done, you might still need to crack all your legitimate software just to get it to think it's running on a compliant device rather than some evil pirate's machine.

      It may be less than a year before we hear "If you've got nothing to hide, why do you have a problem with CPRM?"

    2. Re:Hmmm... by swm · · Score: 1
      It will be cracked.

      Remember back when the NSA was pushing the clipper chip? Clipper was going to be tamper-resistant, and they were claiming it would cost $30M to crack.

      Their point was that only big companies and foreign governments have that kind of money. Companies won't crack it, because there's no profit in it. Governments will crack it, but they won't publish the results: they will keep the secret for their own use. So the NSA was arguing that the Clipper chip was effectively uncrackable.

      But the fact is, money doesn't crack chips: engineers crack chips. You can buy engineers for something like $100K/year, so when the NSA said it would cost $30M to crack the clipper chip, what they were actually saying is that it would take 300 engineering-years.

      So the real question is whether 300 engineering-years of talent will be brought to bear on the problem. And the answer is yes, it will. It will come from dorm rooms, and university labs, and random hackers all over the world.

      They won't have as much equipment or funding as the NSA, but they will be highly motivated, they will collaborate over the internet, and they will crack it.

      I'll go out on a limb and predict no more than one year.

    3. Re:Hmmm... by Mister+Transistor · · Score: 1

      Well, I'll admit there are some nasty prime-based cryptos that I won't be solving this millennium, my technique was always an oblique approach - get past the decrypt and snip out the final go/no-go decision that is the crux of the matter. Seemed easier that way. There's almost always an angle SOMEONE overlooked! Also, if all else fails, yes, I know which end to hold a soldering iron from :)

      --
      -- You are in a maze of little, twisty passages, all different... --
  34. What about educational fair use? by lordvolt2k · · Score: 2

    With all these new laws, napster/DeCSS scares, etc, are companies choosing to ignore educational fair use, or do they just not care anymore? Basically, as a university, we have the right to use copyrighted materials in certain ways (such as taking a video file and copying it to all the machines in a classroom for temporary educational use) for educational purposes. Would this new hard drive standard take this into consideration or would we no longer be able to exercise our fair use rights as an educational institution?

    1. Re:What about educational fair use? by -Harlequin- · · Score: 3

      >or would we no longer be able to exercise our fair use rights as an educational institution?

      Going by what Kaplan's ruling suggests, merely having the right to fair use does not give one the right to have the means to achieve that right.

      If they can rig the market to preclude fair-use-compliant devices being sold, that's their prerogative.

      Hopefully Kaplan's idiocy will be overturned, but I fear it might be the idiocy of the legal system at large.

  35. Enforcement on Open Source platforms by TWX_the_Linux_Zealot · · Score: 5

    How can copy protection of data be maintained on hard disks and other media if the operating system has the ability to use partition types that encrypt? Wouldn't a layer in an OS kernel be able to circumvent a good portion of the measures if the data does not reach the drive in its original form?


    "Titanic was 3hr and 17min long. They could have lost 3hr and 17min from that."

    --

    IBM had PL/1, with syntax worse than JOSS,
    And everywhere the language went, it was a total loss...
    1. Re:Enforcement on Open Source platforms by Black+Parrot · · Score: 2

      > Wouldn't a layer in an OS kernel be able to circumvent a good portion of the measures if the data does not reach the drive in its original form?

      At the cost of having the OS DMCA'd as an illegal circumvention device.

      --
      Sheesh, evil *and* a jerk. -- Jade
  36. Please name names by Anonymous Coward · · Score: 1
    What are the names and email addresses of the committee members, and the people they report to in their companies? At least, please, the email addresses of the committee members or a link to a proper page with the info.

    I feel it would be proper for each one of us to personally share our deep felt feelings with the fine upstanding members of the committee.

  37. Bounce-back hardware and filesystems by 3Suns · · Score: 1

    How does CPRM hope to deal with the use of bounce-back hardware (that receives information byte-for-byte and returns it, unchanged) to copy the files? It seems to me that it would not be that hard to write a driver that sends the copy-protected files to the bounce-back (not a violation of the file-signing?!) and save all the information it receives back in a different duplicate file.

    Also, wouldn't CPRM have to be built into existing filesystems? Into existing OSes in order to sign individual files?

    --

    -3Suns

    ~~~~
    The Revolution will be Slashdotted
  38. Pork Barrel Politics? by lordvolt2k · · Score: 2

    Will the 4C attempt to be like Congress and pull a pork barrel trick? For example, they could make this new copy protection part of the next ATA standard. While companies could 'opt' not to use the copy protection, they would also not be able to make hard drives with the newest ATA standard, pretty much forcing them to go with the new copy protection. Do you see the 4C doing something like this?

  39. How does it relate to USB Copy Controls? by Big+Jojo · · Score: 2

    The USB Implementor's forum has defined some Content Security standards, evidently using a slightly different technical approach (different group of companies pushing it).

    I'd be interested in comments from Andre about (a) whether this indicates fragmentation among advocates of copy controls, confusion, or perhaps something sinister; (b) how creators of USB-to-ATAPI style bridge products (USB storage devices) would decide which style copy control scheme to implement, assuming they really wanted to do so; (c) the degree to which having different copy control systems may be defensive efforts to make hardware products stop being commodities.

    On issue (c), I just want to point out that consumers benefit from commodity products as much as they benefit from commodity data formats for the information they've acquired ... while vendors of both hardware and digitized data can see both of those as significant threats to business strategies that rely on vendor control rather than providing customer value.

  40. virtual copy protected hard drives ? by RGRistroph · · Score: 1

    Now that there exists a free software virtual computer, plex86, what prevents this whole scheme from being circumvented by adding virtual copy-protected disks to plex86 ?

    That is, suppose someone takes a windows installation disk from their workplace, brings it home, and attempts to install it onto a plex86 running inside linux or FreeBSD or whatever. Can't they modify plex86 to make it virtualize the machine that the software was licensed to, down to any harddrive copyprotection and ethernet mac addresses or processor serial numbers or what have you ? Once one person figured out the details, couldn't they come up with simple, easy to use tools that would probe a computer and produce a configuration file to give the virtual computer software ?

    I'm thinking that the PC, or any architecture which is open enough to be virtualized or emulated, is hard to use to control the delivery or use of content. In addition to lobbying to stop the copy-protection scheme, should we be focusing on making sure that the mechanisms to virtualize or emulate it are available in software ? If the proponents of the scheme were well informed of the efforts, then maybe they would see the futility of it and stop, devoting their resources to making their devices more useful (faster and bigger harddrives), not less useful.

  41. criminalization of current practices? by bill_mcgonigle · · Score: 1

    So many current practices (like encrypted filesystems) would bypass this technology. Do you predict the 4C will attempt to have these outlawed under DMCA if this effort is successful?

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    1. Re:criminalization of current practices? by -Harlequin- · · Score: 3

      So many current practices (like encrypted filesystems) would bypass this technology. Do you predict the 4C will attempt to have these outlawed under DMCA if this effort is successful?

      My guess would be no need - an encrypted filesystem just makes the HDD look like a non CPRM compliant device. Once CPRM is established in the market, there will be a little label on the software box you buy:

      Requires Pentium4 1Ghz, 256Mb RAM, 300Mb CPRM HDD.

      If you're running an encrypted filesystem, tough luck. Ditch your system or ditch the software. You can't have both. A non-CPRM disk will probably be like DVD player without CSS descrambling.

  42. What happened to our right to archival copies? by AugstWest · · Score: 4

    It seems that in the name of stopping copyright infringement in the way of piracy, we have lost our right to make archival copies of whatever media we purchase.

    This right never seems to be mentioned in the debates that I've seen, and yet it is something that is extremely important to the individual, especially when you are looking at software packages becoming more and more expensive every year. If we've paid several thousand dollars for an Enterprise package like, say, Visual InterDev, having an archival copy of it is extremely important.

    It doesn't appear as though the schemes for hard drive copy protection have any such concerns, much like all of the current pushes to reform copyright law.

    We're living in an age when individual rights are being thrown over left and right in the name of profit margins, and it's projects like this that are eroding them.

    1. Re:What happened to our right to archival copies? by Grape+Shasta · · Score: 1
      Or what if I want to listen to a song I purchase on my computer, and on my rio mp3 player, and burned to a CD so I can listen in my car, and then copied off the CD to my work PC so I can listen at work, and then backed up on an archive CD, and posted to a private ftp server so I can download it while at a different computer, and also copied to my laptop, and plus a clip to play on my toaster when my toast pops up...

      The point is, it's MY song and I want to put it where I want to. I couldn't imagine ever buying technology that would stop me from doing that.

      --

      "I am a cipher, a cipher, wrapped in an enigma, smothered in secret sauce" -Jimmy James
  43. "copy protection" propaganda by Dr.+Awktagon · · Score: 2

    This isn't a question but it will help if /. and other sources of news use a term like "copy control" or "access control", depending on how it works, instead of the meaningless "copy protection". RMS has written on the subject and I tend to agree that the word "protection" lends a false air of credibility and necessity to these technological control schemes.

    Imagine hearing a debate against "protection". Who in their right mind except a bunch of evil hackers would want to take away protection? Now imagine a debate against "control". Well that's good! Americans don't like to be controlled!

    If they can use spin and propaganda to further their needs, I think we should too. Like when talking about "censorware", that word is really spin we use to make our message clearer.

  44. What does 4C get from copy protection? by astrashe · · Score: 4

    I don't understand why drive manufacturers would want to impose copy protection on their customers. How does a company like IBM benefit from cooperating with this scheme?

    I don't think that there are many customers who would prefer a copy protected drive. Why would a rational company ignore the desires of its customers in order to satisfy the desires of the companies who will benefit from these crippled drives?

    Are they afraid of lawsuits? Legislation? Are they being paid? Are they simply standing in solidarity with other multi-national corporations?

    I don't understand why drive manufacturers are on board, and it seems to me that knowing why they're doing what they're doing would help us to think of effective strategies to combat this noxious proposal.

  45. 4C's legal defenses - how many attorneys? by Jim+McKim · · Score: 2

    Directed at the 4C group: What sort of legal resources do you intend to devote towards defending yourselves as businesses and consumers start suffering damage from being unable to use drives that have been intentionally engineered this way?

  46. Yet another useless organ: the appendix by 3Suns · · Score: 1

    This whole system reeks of becoming yet another "appendix" for programmers/system designers in the not-so distant future to have to work around. Once computer systems are revolutionized in 5-10 years, CPRM will go the way of 8-character filenames, IRQ assignments, and AOL - just another ill-conceived patch-fix idea that new systems just have to support even though they don't want to. What can we do, here and now, to avoid having to perform routine CPRM-ectomies on old hardware in the future?

    --

    -3Suns

    ~~~~
    The Revolution will be Slashdotted
  47. How would this be enforced? by brogdon · · Score: 2

    In order for the current copy-protection scheme used by DVD-producing movie studios to work, they must have control not only over the discs that have the movies on them, but the players as well. They accomplish this by maintaining copyright and patent control of the DVD format, making it illegal to produce a reader that works with the DVD format unless you obtain a license from them and agree to play by their rules. This has proved a fairly effective scheme, with only a few exceptions. How will a scheme to add this "copy protection" to hard drives be enforced universally? What's to prevent smaller companies from trying to get into the market by producing rogue drives much like many businesses have carved a niche for themselves by selling cable decoding boxes and the like? Is there going to be a controlling group like the DVD-CCA? Will I have to get another bumper sticker that says "Fuck the Hard Drive Control Authority" to go along with my "Fuck the MPAA" sticker?


    --Brogdon

    --


    This tagline is umop apisdn.
  48. New opening for viruses by Darkstorm · · Score: 1

    It occurred to me that if this would allow a piece of software to lock out a portion of the hd, then would it be ridiculous to assume that someone might lock you out of the whole hd? If I wrote a virus that found any areas of the drive, or just took the whole drive, encrypted it, and shut down the computer. The computer never boots again without being reinstalled.

    If this is based off of DVD protection scheme then we know that was broken, but a DVD is read only, with a HD that seems to open a new form of abuse by virus creators.

    --
    If ignorance is bliss, the world is full of blissful people
  49. SFPCC by SFPCC · · Score: 1

    Congratulations! You got the First Post.

    In an effort to help the Open Source trolling community, the Slashdot First Post Compensation Commission is prepared to offer you one US dollar.

    All you have to do to claim your payment is e-mail us at sfpcc@hotmail.com with the address to which you would like your compensation sent.

    This offer only valid for US mailing addresses. Please allow 2 - 3 weeks for delivery. Please include in your e-mail a link to your first post.

    --

    Slashdot First Post Compensation Commission
  50. Sounds like a new use for VMWare to me! by wegster · · Score: 1

    I'll agree with others this is a scary idea...however, it seems to me the fact that Intel & company are _trying_ to do this in the first place is scarier by far than their specs on this thing- what's to stop everyone from running a modified version of VMWare for example, one that simply always 'validates' any key requests? As it's already doing actual HD emulation already it's pretty doubtful this would prove to be difficult.. Or someone writes a new device driver for NT/Windows-something that does the same thing?

    Granted, I haven't looked at the specs themselves closely(are they available now?), but this seems like it will be more an enormous waste of time and money for anyone involved in it, followed by a short time of 'chaos' before the solution(s) come out- ways around this useless waste of an idea..

    --
    Scott
    Unix Developer, Admin and Linux Freak/Geek at Large
  51. How will linux deal with the copy protect feature? by AndroSyn · · Score: 3

    As the IDE subsystem developer for Linux, how will you deal with this misfeature? Will you merely work around it in software, or will you stay true to the SPECS and implement the copy protect feature? Or perhaps have the copy protect a CONFIG option? Or will this be a layer below the kernel (in the chipset) and in such case, hack around that too (XORing the file as it goes to disk obscuring any goofy signatures and reversing the operation on the way back?).

    Aaron

  52. That huge bank of keys by heikkile · · Score: 3
    I admit freely that I do not understand the technicalities of this, but there seems to be a large area reserved for various encryption keys. Where do they come from, how do they get to the disk, and most of all, who controls them? How long before Napster Inc, Gnutella.Org, and EFF have their own keys that just happen to be identical over all machines?

    How can it work, anyway? Data goes to the disk, Data comes out of the disk, and can be grabbed. Encrypted data goes to the disk, comes out decrypted, and can be grabbed. If nothing else, someone can simulate a display/sound card on a virtual machine, and grab the data at that point. Once *one* person has extracted the data, it can be shared like any other data. They can not seriously hope to stop all email and file transfers, can they?

    --

    In Murphy We Turst

    1. Re:That huge bank of keys by LarsG · · Score: 1

      comes out decrypted,

      It comes out _encrypted_.

      If nothing else, someone can simulate a display/sound card on a virtual machine, and grab the data at that point.

      The problem is that most of these devices are going to be tagged "circumvention device", and thus be hunted down by law enforcement where the DMCA or WCT is in effect.

      And not all data can be accessed like this, either. For example, extra DVD subtitles.

      --
      If J.K.R wrote Windows: Puteulanus fenestra mortalis!
  53. Is there a central authority? by Sloppy · · Score: 4

    Do you know if there are any patents or other legal tricks involved, so that ultimately, a manufacturer who decides to create CPRM-compliant drives will be forced to sign a contract with some single controlling monopolistic entity?


    ---
    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    1. Re:Is there a central authority? by LarsG · · Score: 1


      From the spec:

      "The commands as described below may be included in a device without license obligations. However, to be useful in a copy protection environment, the commands need keys, keying material, and intellectual property requiring a license. This license is available from 4C Entity, LLC, and is administered by License Management International, LLC, in California(http://www.lmicp.com/)."

      So the keys and crypto algorithms are available through a license. This license will of course contain a lot of requirements (like never exposing the content in cleartext, etc).

      --
      If J.K.R wrote Windows: Puteulanus fenestra mortalis!
  54. Is this already approved for SCSI and Firewire? by VValdo · · Score: 5

    Last week we read that a copy-control scheme similar or identical to CPRM has been already approved for SCSI and Firewire (without objection...probably because no one knew about it.)

    First off, is it true? Secondly, why hadn't we heard about this before? Can we expect this technology to be built into all new SCSI and Firewire hardware, or is it "optional" there too?

    W
    -------------------

    --
    -------------------
    This is my SIG. There are many like it, but this one is mine.
    1. Re:Is this already approved for SCSI and Firewire? by LarsG · · Score: 1

      Don't know about SCSI, though...

      SCSI has them as part of MMC. As far as I know, it is only implemented in DVD players at the moment (to support CSS).

      spec

      --
      If J.K.R wrote Windows: Puteulanus fenestra mortalis!
  55. DMCA by DzugZug · · Score: 2

    Easy. With a techno fix everything on the hard drive becomes protected by an effective copy protection device. Anyone who copies anything on the device, finds a way to copy stuff on the device, or even tells other people how to copy stuff on the device is guilty of a federal offence. This standard makes the existing copyright laws stronger which it can then enforce through traditional means. Also, it is hard for big companies to go after small time infringers (e.g. mp3 users) because it looks bad for them. This prevents the average person from copying protected content and allows only those evil "hackers" to do it. It's a lot easier to sue "hackers" than consumers. And, the media industry does not appear to be limiting people; the hardware industry does. This is why the media giants want this and the hardware ppl don't.

  56. We're not the problem, so why target us? by scotpurl · · Score: 2

    I'm tired of seeing this copy protection aimed at "pirates." All of the copy protection schemes I've seen aired are designed to coax more money out of the consumer out of pay-per-use schemes.

    Since a DVD pirate, with $20,000 worth of mastering equipment available, can make perfect copies without decoding or altering the content, how will copy protection on my hard drive help thwart Chinese DVD piracy?

  57. Who falls where when it comes to motive? by -Harlequin- · · Score: 2

    The only reason why IBM etc. would want to do this thing, that I've heard, that makes sense, is that they want to sell more computers by pushing them as home entertainment devices for playing all the latest movies and music. Hollywood isn't going to let that happen without some way of preserving their distribution models, so the deal between them is CPRM.

    Is this the primary motivation?

    If so, can we expect Apple (which prides itself on playing media) to fall in line with IBM etc (or at least quietly look in the other direction, happy to use the proceeds of CPRM but not dirty its hands creating it)?

    Should we expect companies that sell HDDs rather than computers (eg Maxtor, Seagate) to be fairly neutral in this (eg either way, they still sell their product), or support it (eg greater sales for IBM means greater HDD volumes which means higher profits) or against it (extra headaches)?

    We know MS and some others are pretty loudly against it, but are there other relevant sectors of the industry that might play key roles that are currently being overlooked?

    Are the legal precedents that will be set from the DeCSS trials likely to play a key role?

    Lastly, would I be correct in my assumption that it is not actually within 4C's power to claim that CPRM is "optional" - it is completely up to the manufacturer of CPRM-compliant-software, as they can choose to write software that will not operate when CPRM features are turned off or absent?

  58. Simulations & remote access by dsmouse · · Score: 1

    How would this affect simulated and networked hard-drives... SMB and NFS (&c &c) drives and keep the files on disks elsewhere, and loop-back filesystems and products like VMware that use files to simulate harddisk space?

  59. Sensitivity of Corporations to Non-Business Issues by DG · · Score: 2

    As you've had some contact with these folks, perhaps you've got a feel for this:

    - Corporation implements (or proposes to implement) a technology designed to protect their business model that happens to trample on the rights of their customers

    - Educated customer realizes implications, makes a big stink about it.

    How sensitive are the corporations you've been dealing with to non-business-related "human rights" issues?

    In other words, how big does the stink have to get before the profit provided by the implementation being disputed is no longer worth the effort?

    Which I suppose is another way of asking "how much effort do we have to make before they'll back down?"

    --
    Want to learn about race cars? Read my Book
  60. Independent Musician by cannes · · Score: 1

    This is my situation. I'm an Independent Musician who owns all copyrights and publishing rights to the music that I wrote, recorded and released. This is legit too, all copyrights are done through the Library of Congress and I'm a Publisher through ASCAP. Now the question is how would I control what is done with my material? My stance on my material is somewhat a GPL license. If you want to give it to a friend, by all means give it to them. Now if these are under copy control I don't have control of what is rightfully mine. I really don't need someone to tell me what to do with my material. This subject is not only stupid it's offensive. I won't let Hollywood tell me what to do with my music or my computer. One last question would be how can I help? Who can I call, fax, email, bitch at? I'm more than willing to help.

    --
    AK
  61. Infallible digitalia... by Keighvin · · Score: 1

    Digital, by its nature, can be perfectly reproduced on every account only varying where analogue turns it into something for humans to play with. There will never be a way to completely protect a method of copying files - how will this prevent someone from using say ZipMagic to treat contents of regular zip files as programs and executing them from there, where the copy protection won't be able to check? Or any other form of sub encryption to get around the device. As for reproducibility, I will *always* be able to get my data on and off a hard drive. What will this device really accomplish other than satisfy some intellectual property rights advocates (and abusers)?

    --
    Any spoon would be too big.
  62. Can They name a single advantage to the consumer by Dievs · · Score: 1

    ..for including this feat?

    Is there any at all benefit to the user by the fact that certain data on his harddrive is not as freely accessible as others?
    Filesystem permissions are better for what they do; while secure encryption will anyway be needed for really secure data.
    So, aside from the ability of the industry to try to forbid to copy music/video/warez/whatever, can They think of any possible reason why someone would want to buy a drive with this feat?

    --
    I may disagree with your opinion, but I will defend to death your right to speak it.
  63. Just a joke. . . by John,+the+HERO · · Score: 1

    Military intelligence? That's more of an oxymoron than dry water or something.

    --
    ACs, Trolls, Flamebaits, and Offtopics at +6 moderation.
  64. Your prospective... by chancycat · · Score: 1
    Perhaps we could use the following: Because you have seen both sides of this issue, perhaps you can help us understand the arguments of the other side. I know you have chosen your side, but you can probably articulate the other side with ease and help us understand the whole issue.

    --
    Evan - needs to hit preview before submitting
  65. Re: Military Intelligence (off-topic) by bobv-pillars-net · · Score: 1
    I remember my first day at FCTCLANT, when somebody pointed at the NMITC building and said, "That's NMITC. Military Intelligence."

    To which I instantly responded,

    So that's where they put it!
    --
    The Web is like Usenet, but
    the elephants are untrained.
  66. Privacy of CPRM? by BuckMulligan · · Score: 1
    What about CPRM and users' privacy?

    Will I be able to buy a copy of software or music anonymously and still transfer the data from one drive to another without revealing my identity?

  67. Historical perspective between end of 19th & 20th by hburch · · Score: 1
    IANAHM (history major), but the parallels between the Internet now and the railroads at the end of the 20th century seem, at least, superficially interesting (both mostly relate to activity within the States, as that is what I'm most familiar with).

    The price of transport is close to, if not below cost, due to extreme competition. The industries transporting, however, are behaving monopolistically, to the point of trying to `tax' competitor distribution (a la fees for DVD encoding). It is perceived to be driving the economy.

    Of course, maybe I'm just wrong. It's a similar situation: people pioneering into a new industry, so maybe the parallels are unsurprising.

  68. there's a weird basis to the 4C's thinking by jdbo · · Score: 1
    I believe that there is a fundamental misconception in the committee's thinking about the issue of user identification, which may be summarized as follows: "The user of a computer may be considered to _be_ the computer."

    As insane as this sounds on its face, consider the recent history of "universal identification" technologies which we've had inflicted upon us:

    • the PIII unique identifier - one identifier per CPU; i.e. every person who uses a given machine (either by sitting in front of it or logging in remotely) is considered to be "the same person". Furthermore, this "identity" is non-transferrable between machines.

    • cookies - not quite as bad as the PIII uid (as it isn't built in at such a low level), and can be made specific to different users (who have separate log-in accounts)... but forget library-style usage by multiple casual users; plus, cookies are still non-transferrable between machines (for the average/majority user).

    It appears to me that the disk copy control technology takes a PIII-like low-level approach of user-identification. In this case, it identifies the user with a single disk (removable or fixed), while further assuming that the user/disk will never run out of room/need to be re-organized/or break (please note the combination of human-level issues as well as technological-level issues).

    A less hysterical(?) sounding statement of this misconception might be that the disk copy control technique requires us to consider the _storage mechanism_ and the _data stored on it_ to be identical; this basic assumption is also insane, probably on the logical level (I'll leave a proof to those with spare time), and definitely from a marketplace viewpoint (I doubt Maxtor's legal department would appreciate Microsoft claiming ownership of their under-warranty hard drive which I just installed MS-Office on).

    Perhaps I am mistaken in seeing these person/data/computer/storage method conflations as being part of the committee's thought process, but I was wondering if you could comment on whether the committee considers "user identification" to be an appreciable aspect of what they are working on.

  69. Is IBM aware that they harm their Linux investment by Sara+Chan · · Score: 2
    IBM recently announced that they plan to spend a billion dollars supporting Linux. As I understand things, if CPRM becomes common, then Linux will be very severely harmed. Thus CPRM will severely harm IBM's billion-dollar investment. Yet IBM is supporting CPRM. This support is bad for IBM.

    Is IBM aware of this?--or is it that IBM is so big, the part dealing with CPRM is unaware of the implications for Linux? If the latter, then maybe just making IBM aware of things will help to kill off CPRM, or at least IBM's support for it.

  70. data recovery by greysky · · Score: 2

    I've been in a situation before (and known others who have had similar situations) where important data for a project was physically located on a specific machine, and that machine's drive crashed. I've known several instances where the drive no longer worked, but the data was recovered (for a hefty fee). If a drive is equipped according to this copy protection standard, would data on a crashed drive be recoverable?

  71. What about CPRM's sister technologies? by ZigZak · · Score: 4

    OK, here's my question:

    CPRM is obviously just ONE of several technologies designed to build the CPSA (Content Protection System Architecture) framework, as described in the CPSA whitepaper published by the 4C Entity.

    Reportedly you're trying to convince the T.13 committee of introducing a possibility to opt-out of CPRM support for Linux.

    What are your views on CPRM's sister technologies like CPPM (Content Protection for Prerecorded Media), DTCP (Digital Transmission Copy Protection), HDCP (High-bandwidth Digital Content Protection) etc. and their possible inclusion in upcoming devices such as DVD-RW recorders, Firewire and USB devices, DVI displays, etc.? Will Linux just not support these devices?

  72. How does the CPRM relate to the SDMI? by DreamingReal · · Score: 1
    I've been wondering how the CPRM is going to relate to the SDMI. The SDMI will work on watermarking/encrypting music files themselves. Is it even necessary given that CPRM will give content providers control over replication no matter what the media is?


    -------

    --
    We want some answers and all that we get
    Some kind of shit about a terrorist threat

    - Ministry
  73. Is there a valid free software use? by dentin · · Score: 1

    All I hear is people saying this is bad; however, is there any possibility that the addition of strong cryptography to hardware might be a good thing?

    Suppose someone wanted to make use of hardware disk encryption for personal security?

    Perhaps enhancements to tools like tripwire or sshd which could use some secure hardware storage of data?

    In other words, would it be possible to convert the spec into something positive, that could be used by free software to its benefit?

    -dentin

    --
    Alter Aeon Multiclass MUD - http://www.alteraeon.com
    1. Re:Is there a valid free software use? by no2cp · · Score: 1

      This is a valid point. I didn't get to read the spec yet but from what I've gathered going from the previous discussions there are several reasons why this will probably not work out: 1. The key space on the device, whether it's a couple of tracks of disk or a flash in a secure microcontroller will probably be limited in most cases. This means that this space will most likely be rented out to entities with a valid reason of using the scheme. Entities with a valid reason to use do not include people like you and me because we're only consumers. Even if they did rent it out to everyone it would probably be very expensive. 2. Who says the device itself is secure. Since we do not have (convenient) access to the firmware or microcode of the devices this will be implemented on who's to say there isn't a way for example to access & decrypt the contents with a special "law enforcement" key? 3. Letting 3rd parties (us) in onto the system beyond the spec, meaning letting us choose keys to operate the system with might be the first step towards a deCSS style hack. NO 2 CP

  74. What Are The Hard Drive Manufacturers Thinking? by sigwinch · · Score: 3

    Hi Andre.

    What the content providers really want is to impose their controls on the data they provide. E.g., they want to be able to impose policies like "single use", "pay-per-use", "time-limited", "give up to 4 copies to your friends", and so forth. They want to impose these policies using technology. That's fine by me: if customers find value in it, the content providers will get rich; if customers find insufficient value, content provider CEOs and VPs will find their bonuses shrinking when the stockholders hear they flushed millions of $$$ down the toilet.

    To control content, the PC needs a tamper-resistant crypto module under the content provider's control. It could be a PCI card, a smart card, a parallel port dongle, a FireWire box, integrated with the motherboard chipset, yadda yadda yadda. There are only three requirements: 1) high bandwidth, and 2) tamper-resistance, and 3) easy access to a power supply. As long as these criteria are met, it really doesn't matter what location or form the cryptographic module takes.

    It looks to me like the content control people listed every PC subsystem, and wrote off the ones that couldn't work. "RS-232 is too slow." "Smartcard reader is too expensive." "Video card OEMs would laugh at us." "Sound card OEMs would laugh at us." What they were left with was IDE/ATA: it has plenty of volume, power, and bandwidth, and hard drive OEMs might buy their stories.

    This begs a question: why will the hard drive OEMs design, manufacture, and distribute their crypto module for free? What is in it for them? Designing custom, tamper-resistant silicon and firmware is expensive, and superfluous for data storage. Manufacturing the custom chips is expensive. (If a hard drive engineer told his boss he'd just added $2 to the manufacturing cost, he'd be picking his teeth up off the floor.) Supporting it will be tremendously expensive, requiring cooperation with OS vendors. Data loss and guilt-by-association could besmirch the OEM's reputation.

    So here's my question(s): Have the hard drive pointy-haired bosses been sold swampland by the content providers? Will the crypto survive the merciless budget slashing manufacturing engineers at Seagate, IBM, Maxtor, and friends? Do the content providers really believe hard drives need crypto, or are they just looking for a free ride from the OEMs?

    --

    --
    Kuro5hin.org: where the good times never end. ;-)

    1. Re:What Are The Hard Drive Manufacturers Thinking? by Technician · · Score: 1
      This begs a question: why will the hard drive OEMs design, manufacture, and distribute their crypto module for free?

      I think the bill of goods was sold to the likes of TVIO and they are asking the HD manufacturers to provide the hardware so TVIO can cut deals with content providers. Without content deals, they can't sell their products. Content providers will not promise releases without concessions to protect content. After the content is pay per view, you will need an enabled hard drive (read better does more feature rich) as it is compatible with the new content. Sheeple will need to get the latest and greatest. Who wants a machine incapable of doing something? It's all in the marketing!

      P. T. Barnum was right! There is a sucker born every minute.

      --
      The truth shall set you free!
  75. RAID, Defragging, Backups by alteran · · Score: 3
    I'm having a lot of trouble sorting the paranoia from the reality here regarding RAID, Defragging, and Backups. I have seen the following questions answered and debated, but it'd be nice to have more knowledgeable answers.

    Specifically, with RAID5, for example, which could very likely want to spread CPRM data across a number of disks, will CPRM muck up this process? Will the new spec allow me to swap disks if one is defective and retain my data? What are realistic problems with various RAID implementations?

    Regarding backups, will restoring CPRM data to replacement disks abort a restore, either in part or in total? Will it limit itself to blocking just the CPRM data restoration or could it block the whole process?

    Can I defrag a CPRM file?

    --
    Who is RTFM and when will he help me with Unix?
  76. What is the plan for Mac OS? by Hodag · · Score: 1

    Since the kernel of Mac OS X is open source, what are the plans for keeping Mac hackers from defeating the copy hindrance hardware? Or are the media moguls giving up on the Mac market?

  77. OOPS by RareHeintz · · Score: 1
    Pardon me, "DPMI" should read "SDMI". I'm having a brain-cramp kinda day.

    OK,
    - B
    --

  78. Opting out by erotus · · Score: 2

    I remember reading somewhere that one could opt out of this hard drive copy protection. If this is the case, what incentive do programmers have to write CPRM compliant software?

    Also, since most CPRM compliant software would be windows based, would this not make Linux even more attractive as an alternative?

  79. Circumventing by N4N0 · · Score: 1

    If 4C got what they wanted, wouldn't it be likely that people all around the internet would come up with quick and easy ways to circumvent the copy protection? Even if the hard drives blocked against special software that hackers develop to circumvent it, the programs could just be made to look like something different (or distributed as source code). Have you considered pointing out to 4C that it would be theoretically unenforceable?

  80. hard drive performance by greysky · · Score: 1

    If media rich content on these drives would have to be encrypted/decrypted any time it is written to/read from your hard drive, doesn't this impact the performance of your drive negatively? I would think that this would be trivial for text and audio files, but what about full-screen video files where data access time is critical?

  81. The Effect on External Devices by Intrinsic · · Score: 1

    I for one would like to know how this spec would affect the portable devices. Will mp3 devices be incapable of transferring any music from the device to your computer? Or will the spec just limit copying of music downloaded from RIA compatible web sites?

  82. Forcing vendor protection on you? Legal basis? by justin+sane · · Score: 1

    I understand EULA provisions, many of which are objectionable and often skirt the laws of property rights. However in the EULA case, it is simple: you don't like the protection or terms required of you, you don't purchase, install or use the product and it costs you nothing in effect. The acceptability of a property protection scheme and its overhead is subject to market acceptance. A good example of the effect of the lack of acceptance was the decline of many early game copy protection schemes--the market rejected them. In this case the protection is there whether you want it or not--you pay for protection that benefits the vendor and not you and, further, the scheme not only costs you but inconveniences you as well and will undoubtedly cause crashes, block legal use, etc. as all such schemes invariably do. Yet if the scheme becomes ubiquitous, market acceptance forces will be circumvented. I believe this is autocratic and improper. Is there a legal strategy available to prevent a scheme being forced upon you BEFORE you buy the software or other content--i.e. before you have a chance to accept/reject individual licenses?

  83. How did it get this far? by kettch · · Score: 1

    What I would like to know, is how do these sort of ideas even get published,
    with all sorts of ways that they can be implemented without any
    consideration of the consequences?

    This idea was published, and immediately there was a lot of noise about the
    problem that this would cause throughout the entire computing industry, and
    beyond. Why are people who are motivated only by greed, and not the good of
    the industry, even allowed to even open their mouths?

    Do they not have any methods for actually thinking before they speak?

    --
    Opportunities multiply as they are seized. --Sun-Tzu
  84. Article about it in Windows Magazine... by subsolar2 · · Score: 1
    Found this article at windows magazine http://www.winmag.com/columns/powerw2k/2001/01.htm

    - subsolar

  85. Enough by Sc00ter · · Score: 1
    This stuff is all bogus!

    They're not putting copy protection on hard drives

    See here for more info
    --

    1. Re:Enough by phulshof · · Score: 1

      Hmm, if so (as noted by the Register): Why is CPRM written for ATA? Which devices should this work on that are going to be ATA based?

  86. How long will it take? by Bender+Unit+22 · · Score: 1

    How long will it take before you can find a program on astalavista, that replaces the code partition on the harddrive with a text of your own choice. Or maybe rotates it every time you boot?
    --------

  87. Technical weaknesses -- CSS round 2? by Roundeye · · Score: 2
    I requested (and received) the official specifications for CPRM from 4C last week, as the CTO of a company producing content management solutions.

    After digging through the specs I noticed that the encryption components appear to be based on 56-bit keyed C2 ciphers. The cipher appears to be a modified version of C2, the specs for which they had to send by regular mail.

    The authentication phase (where the host software authenticates the drive) uses a 39-bit nonce (random number), which they claim doesn't have to be unpredictable. There is also, as you have noticed, an unused bit, always set to zero -- this makes me think that there's a back-door in the authentication system, perhaps to allow changing keys when they are inevitably cracked.

    Security through obscurity, short key lengths, guessable random nonces for authentication, likely back-doors, an overly complex chain of security -- this sounds to me like another poorly designed protection scheme like CSS.

    Do you feel that the 4C bunch hasn't learned much from the DeCSS debacle? How strong do you feel the actual security component of this system is (regardless of how notoriously bad an idea it is)? If the DMCA gets thrown out as unConstitutional as some think might happen, how high and dry will 4C be left when CPRM is open to reverse-engineering?

    --
    "Cause there's 40 different shades of black, so many fortresses and ways to attack, so why you complainin'?"
  88. some questions by Astralmind · · Score: 1

    Will we know what exactly is being "encrypted" by CPRM? What recourse will an end user have in the event of a device failure where the device needs to be replaced? How can we be certain that our own material is not being encrypted?

  89. CPRM and Open Source by Old+time+hacker · · Score: 1
    It seems that CPRM and Open Source are completely at odds with each other. The only way that CPRM can achieve its goals is by having *all* the software between the content player and the hardware under license.

    This means that it will not be possible to have a (closed source) player that runs on an open source operating system.

    Note that it would be possible to implement the CPRM hooks (for non-removable drives) in the linux kernel *entirely in software*. Of course, the drive ID might be hardwired to a known value, and the hidden area might not be very well hidden.

    The problem that they are trying to solve cannot be solved by technical means without having a secure cryptographic processor as part of the system. This processor has to be physically secure and well integrated. Just recall how much effort has gone into making secure smartcards, and how difficult it has been.

    In short, this scheme will probably hit the shelves, but provided that the open source community builds the CPRM emulators *before* the media recorders/players arrive, I think that will make for more interesting court cases under the DMCA -- imagine telling a judge that the player was produced *after* the circumvention device was distributed world-wide.

  90. yet again, a doomed to fail idea... by geoff+lane · · Score: 1
    If you intend to make use of the information on a storage device (music, video etc) there has to be a point where it's presented in the clear. At this point all the copy protection in the world on the hardware has done you no good whatsoever.

    Copy protection DOES NOT PREVENT LARGE SCALE PIRACY.

  91. Everyone is so fixed on harddrives by Steeltoe · · Score: 1

    To my understanding, CPRM is going to be implemented mainly on removable media, namely flash memory. Are there plans in the workings for other types of removable media and why doesn't anybody protest against this? (I do! ;-)

    - Steeltoe

  92. "Voluntary switch" by Steeltoe · · Score: 1

    If I have understood correctly, the customer is allowed to turn the CPRM-feature on and off. However, is this something that can be done software-wise like the Pentium III ID? Exploitable by a trojan program perhaps?

    - Steeltoe

  93. Getting people involved by ishark · · Score: 1

    How could we get the general public involved and fighting on the anti-CPRM side? DVD is encrypted, (was) not copiable, but still a lot of people buy it because "it's better", what could be a "user-level" example of why CPRM is bad?

  94. Quantum IDE drives and Andre's IDE patches by cymen · · Score: 1
    Andre,

    For a long while I followed the reports on the linux kernel mailing list that detailed the problems with the Quantum IDE drives. Finally I caved in and got an IBM drive that was supported. I realize that the problem with the Quantums was that they didn't follow the IDE spec on reporting the proper drive size. Is that true? Is Quantum not working with you on this? Personally I am disgusted at Quantum and will now only buy IBM drives...

    I realize this is off topic but as you are a busy man I hoped to get a final answer to this question. Boycott Quantum?

  95. Can we twist IBM's arm? by Simon+Brooke · · Score: 2
    Preamble

    I don't listen to MP3s; I rarely watch movies and don't expect to do so on my computer. All the closed source software I have (very little) is properly licensed and paid for. I am not a criminal. Having hardware copy protection on my computer does not benefit me at all, and it doesn't benefit the media industry at all (because I'm not stealing from them and I don't intend to).

    If I have hardware copy protection in my computer, and it works perfectly always, I'm still paying for extra complexity that I don't want and don't need. If it fails, then I lose my valuable work. I don't like:

    • The assumption that I am a criminal;
    • The assumption that it's reasonable to require me to pay for protection for someone else against my presumed criminality;
    • The fact that if their protection misfunctions or fails I get to lose my data.

    The Question

    As I understand it, IBM is a big player in this game. IBM is genuinely putting a lot of effort into making relationships with the Open Source community. This move is (in my opinion) going to badly hurt the Open Source community. Can we put effective pressure on IBM to publicly renounce it?

    --
    I'm old enough to remember when discussions on Slashdot were well informed.
  96. Re:Is IBM aware that they harm their Linux investm by phulshof · · Score: 1

    Although I'm highly opposed to the CPRM proposals, I wonder if it has more influence on Linux than on other operating systems. The only problem I can see is the license needed for the CPRM compliant drivers, but I wonder if IBM (considering their interest in Linux) will have any problems spending the money on such a license so they can provide the drivers needed to protect their investment.

  97. Optional implementation? by crusher-1 · · Score: 1

    Of the 3 options that might be taken by manufacturers, a) T.x bounces the proposal, b) manufacturers use an incomplete standard (unlikely), c) implement it but leave it inactive - of the latter. Say it's left inactive. And then some creative hack figures out the activation key/process. Would it be possible for someone to essentially hold the data hostage by locking down the HDD and then ransoming the key? I realize that the security issue has been addressed, somewhat relating to securing the data for the entitled user. My concern is there is always a way around things and this may lead to new avenues of extortion by locking out the entitled user by certain nefarious individuals.

  98. Encrypted filesystem by sulli · · Score: 2

    Makes sense. Would you devise a filesystem that would simply encrypt everything before it gets written on the HD? That would certainly confuse the copy-protection-watching code in the hardware. I'm wondering also if there are other ways to do this that don't involve replacing your whole filesystem.

    --

    sulli
    RTFJ.
  99. Right... by Danse · · Score: 2

    Very true. We should not be negotiating on this issue. We should be telling them where they can stick their copy-protected devices.

    --
    It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
    1. Re:Right... by MaximDiscord · · Score: 1

      Unfortunately the mainstream consumers are using their PCs for everyday mundane things such as email and surfing the net... they probably don't know or care whether their hard drives are copy protected, which means that it will be hard to boycott these things.

      --
      Seems like I am slipping into a dream within a dream.
  100. Would you support alternatives? by meldroc · · Score: 1

    I would like to know if you support alternatives to copy protection, such as copyright protection (holograms, watermarks, digital signatures & such.) If so, which methods you would support, and how would you like to see them used?

    For example, one alternative could be the use of watermarks to track pirated music back to the purchaser and slap him with a small fine, as I suggested in this post. I wanted a scheme that does not obstruct fair use, helps to catch those responsible for pirating, gives a moderate punishment (multi-million dollar judgements and 20 year prison sentences are not moderate), and gets rid of some of the legal baggage. This would be preferable to treating honest customers like criminals.

    Anyways, what do you think about these kinds of alternatives?

    --

    Meldroc, Waster of Electrons
  101. Re:Can They name a single advantage to the consume by no2cp · · Score: 1

    There is incidentally one big advantage to the consumer... They can use CPRM enabled software to use, view or listen to music/video/software/whatever encrypted for CPRM.

  102. A slightly different angle by sorak · · Score: 1

    I'm sure all of you have tried to install one product and had another placed on your system without your permission. Examples are Real-Player, Winamp, and AOL instant messenger (all of which are included with Netscape), MSIE (included with Windows), and Gator (included with several internet programs).

    And more companies are doing more annoying things every day just to push their product on you. Since the protection requires you to have a "key" before a protected file can be moved, copied or deleted, does that mean it would be possible for companies to install programs on your system and make it impossible (or at least extremely difficult) to remove them from your hard drive?