Slashdot Mirror
CPRM Smokescreen
John Gilmore separates the chaff from the wheat with his look at the new copy-control proposal. See our previous story if you missed the bait-and-switch, as drive manufacturers attempt to include copy controls in all hard drives.
Looking briefly over this I see references to ATA-based drives. Would this copy protection mechanism be applied to future SCSI drives as well?
-- Making computers see, hear, and think... http://www.componica.com/
I think, most of people didn't exactly "get it", why adding a "standard" for unknown "generic" function can be a significant step to organization of CPRM schemes behind the scenes, so I will try to explain it. The "real" standards usually are pretty restrictive about what can be added to the protocol while it's still considered to be compliant. Say, if something claims that it talks SMTP, it can't demand that before "HELO" a client must send a credit card number, or the system won't work -- even if someone will make such a thing, no other SMTP client will work with that, and that system will be declared to be just as nonstandard as if it talked, say, one of internal Microsoft Exchange protocols. In some situations protocols allow extensions to be made in some backward-compatible way -- depending on the purpose of the protocol they may be allowed or not allowed, and if they are allowed, usually there is a requirement that all systems that support extensions MUST ("MUST" in capitals because it's used in the meaning, the word has in the standards texts) support the original protocol to avoid any kind of incompatibility. That was usually the rule when/where ptotocol standards were created to facilitate communication (say, first thousand-something RFCs) and not to be the base for "compatibility wars" (say, what ITU does).
Then large number of extremely vague and easily extensible "umbrella" standards appeared -- they usually involved some "wrapper" that can be easily pulled over anything, no matter how undocumented, proprietary or simply convoluted. Bright example is XML. The standard itself is very simple -- it defines how one can format the data, and, if the need will arise, how to make something that will allow to verify if there is a formatting error. What data is there, how it should be processed, what standards handle that, and who control those standards, is left to the "user". In some places it was justified -- one may want to use some standardized parser to save the trouble of using lex and yacc, so yes, there is a reason for this "umbrella" (I should add, weak reason because standard is awfully inefficient, and "poisoned" by overbroad requirements where they don't belong). But look, how it is used. Someone needs a "standard" for his data. He makes XML schema or DTD (and maybe publishes it), and some internal description, what the data means (and usually doesn't disclose it completely, leaves himself a "freedom" to change the semantics of the data, or simply writes that part in some ambiguous, illiterate way). Now he claims that he is using "open", "standardized" XML -- and indeed, with all its shortcomings, XML standard is defined in a very strict manner. More, DTD or schema very strictly defines, how to "verify" the format (but not the semantics of the data). But since XML is a "wrapper", and true format that he uses is defined in his internal or incomplete document about his internal semantics, all kinds of dirty tricks are possible. Developer can at will add, remove and change various rules and functionality that applies to semantics of the data (and more likely it will just happens because of his implementation's bugs -- there is no way to formally verify it), and different implementations, made by people who read XML standard, DTD or schema, and incomplete/confusing published part of semantics description, won't interoperate with "the original". Or different versions of implementation can appear, and while old and new versions all satisfy the standard, new version will stop interoperate with others' implementations, or will secretly get some new, harmful functionality. All that will be hidden from others because they know how wrapper works, but don't know, what mechanism is actually handling the data, and what is the true, complete definition of the semantics of the data.
This is the example how usually good feature of the standard -- extensibility -- can be counterproductive or even serve some sinister purpose. ATA standard is very strict. One can't easily add some completely unrelated functionality and claim that he is still compliant. So if someone will try to add a command for keys handling, he will make something other than ATA device, and no one in his right mind will place that thing where ATA hard drive is supposed to be. If the standard body will just extend the standard openly and say "This is a new command for copy protection, and now this is the new standard that includes it", it will be obvious that standard body is performing a sabotage of the standard that it is supposed to improve, and a lot of people will just vote against it. So the next best (or worst -- depending from the point of view) thing is to add the ability to extend the standard behind the scenes. Someone uses a "generic" command to control the disk rotation speed for power-saving reasons? Fine! Someone uses the command to erase all the data using some special eraser coil, to make it impossible to recover a disk that contained very sensitive data? Fine! Someone uses it to implement copy protection? Fine, too -- the standard says that the purpose and functionality is completely under vendor's control, and standard body isn't handling this.
Of course, the next step will be the creation of another "standard body" -- with closed membership, with only "interested parties" involved. And that body won't be responsible to anyone, it won't have to publish anything, and there will be nothing to prevent that body from issuing another standard -- how "generic" interface should be used for, you guessed, copy protection. Because whatever they will do, will be still compliant with the standard, accepted by the "public" standard body. Then they can publish copy-protection standard openly or keep it closed, patent it or keep it dangling in the air "trade secret", tie themselves by contracts or expect each other to support it willingly -- the end result will be that the next generation of ATA devices made by large companies will have copy protection implemented. And "public" standard body will have a heck of a problem reversing the loophole, once companies tasted the blood of imprisoned data.
Contrary to the popular belief, there indeed is no God.
Maybe they are afraid of some day being sued for contributory copyright infringement.
The 9th Circuit Napster ruling has changed the law. It used to be (Betamax case) that if your product had substantial non-infringing use, you were safe. The Napster decision now makes it so that if you have some infringing use, and you know that your product may be used to infringe, and you fail to do something about it, you are liable.
Thus, in the new legal climate, if they can do anything to cut back on infringement by 1%, then they must (or else they'll have a billion dollar judgement against them in the 2004 case of RIAA vs Seagate).
Just an idea. I'm probably wrong, but isn't a good conspiracy theory?
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
What do the storage device manufacturers get out of this CPRM effort? Why are they willing to play along?
With past ``usage-prevention'' efforts, such as the DAT initiative, ultimately legislation required storage device manufacturers to build compliant devices. It seems to me that CPRM will only make it harder and more expensive for drive manufacturers to build and support their product, in exchange for functionality which is not obviously useful and is obviously harmful to their customers, both retail and wholesale, at present.
What am I missing here?
While it is fair to say that creators of IP deserve to be rewarded for their efforts if that is what motivates them, hard drive protection is not the answer. Where property rights and individual rights conflict, individual rights must be protected. Copyright controls on hard drives are a gateway for other infringements of privacy despite their original intention. Your hard drive can be likened to a room in your house. Your personal, private belongings occupy the room. You arrange the room as you see fit(and people dont patent arrangements of furniture). Whether corporate or government, no one has a right to monitor what goes into or comes out of your room. Even if this means that crime might be more prevelant. It is obvious that all crime could be prevented if everyone was under constant surveilence, but it is not right. We are closer than most people think to being watched all the time. In my own town we have cameras to monitor traffic offenses on at least one major road. It is the responsibility of everyone who wishes to retain some form of privacy to fight these infringements at every step of the way. Privacy extends to your desktop.
My Blog
Because it makes copying inconvenient, without doing anything to protect copyright.
Nothing, but that's not what copy protection accomplishes. Look at the DVD CSS situation: it doesn't give the originator any influence over how their product is distributed (as the MPAA themselves attempted to show in court, with all their "demonstration" of how to pirate a movie), but it does have a severe effect on the market for players, so that there is a chokepoint (DVD CCA) to create a player monopoly.
If CPRM ever gets off the ground, it's not hard to guess how things will work out. Products that rely on it for copy protection will still be widely available among pirates. And programs that regular everyday users use to backup, scan for viruses, upgrade hard disks, etc., will only be available from deep-pocket developers that can purchase some kind of license from a central authority.
And it will cost everyone money, without getting them anything useful in return.
Have you ever seen any form of copy protection that protected copyright, and that didn't inconvenience users?
It controls distribution, not copying (regardless of the erroneous conclusion you might get from the filename).
That's right, they do. None of the anti-copy protection sentiment (except from the commies) is intended to remove anyone's right to sue pirates for copyright violations.Copying is usually not a copyright violation, though.
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Much has been said about consumers losing in the past and present congressional debates due to lack of organization, entertainment industry lobbying spending, etc. But I think there's another "follow-the-money" trail we should be prepared to understand and figure out how to route around:
The U.S. runs almost a trillion dollar trade deficit every year. Money is flowing out of the U.S. fast. For now, who cares? But longer-term it's a problem. To reduce this trade deficit, the U.S. needs to increase its exports. There are really only 3-4 big industries where the U.S. is competitive enough that they export much more than they import. One is the software (and to a lesser degree hardware) industry. A second is agriculture. A third is aerospace/military equipment. And the fourth big one is the entertainment industry. At the end of the day, the U.S. Congress is going to do what most seems to help American economic competitiveness, and at the moment, that means giving the entertainment industry whatever protection they need.
Is the DMCA really a hidden trade barrier then? Good question...
--LP
Disclaimer: I am not an economist. The argument above lacks obvious caveats in an attempt to retain simplicity and clarity. Harder statistics on exports by industry might confirm or refute the above analysis.
The people driving these changes are not naive, and they are not going to promote a 'secure architecture' which can be defeated by flashing the BIOS. From the TCPA FAQ:
The FAQ is pretty mealy-mouthed about what they're really up to. The least useless document I found on the site was TCPS05 - Integrity Metrics & Authenticated Boot (pdf) - a bloated, powerpoint-derived pdf that could be summed up in 4k of text.
Anyhow, you ask for evidence that the 'Generic' ATA proposal is CPRM in sheep's clothing. I think that the big piece of circumstantial evidence is the fact that the proposal surfaced so recently after CPRM was killed. Maybe T13 is a dynamic, fast-moving group that fields a major technical proposal every day, but I somehow got the impression that they're a slow-moving tortoise which cranked out CPRM over an extended period.
If that impression is correct, then the timing is suspicious.
Dear manufacturer, all I want is a device with the following interface: WRITEBLOCK, READBLOCK. I know this is deceptively simple, and your qualified engineers would like something more challenging to implement, but I have no need for extra features and options. Please stick with the following simple goals: large storage space, reliability, and low price. Thank you.
I could see some other possibilties here. Imagine this technology extending into all out trade war territory. You'd have HDs that would only allow certain kinds of data on your system (ie Microsquish) and block out non-sanctioned competitors (ie Linux).
You start allowing this kind of control, and it seems like they could eventually start running your life in an indirect manner.
What if they got these things to "tattle" on you as well, if you tried to circumvent it?
Just a few random thoughts to chew on...
Fuzzy Knights: New RPG Strips Tuesday and Friday!:
http://www.fuzzyknights.com
If you're looking for a good introduction to the whole CRPM issue, check out this FAQ from TheRegister.
Best part:
Q: So why is Microsoft against this, if it prevents wholesale "piracy" of its software in developing nations?
A: Um, can you ask us another...?
--Shoeboy
The message is a bit sensational, but I just don't understand where he gets the "single custom function", when in fact the proposal sets aside 8 of the 1-byte command codes, and whatever functionality the manufacturer would introduce under a particular code could easily access many custom functions, along the lines of the "Set Features" command (code 0xEF in my copy of ATA-3).
Intuitively it does seem like a bad idea to set aside a block of 8 command codes (of the 256 possible) and a group of 8 bytes from the 512 byte device ID data, with no functionality specified.
Besides, there's already plenty of "vendor specific" appearing in the ATA spec. For example, the "Download Microcode" (code 0x92) is a blank slate. So is "Format Track" (code 0x50). The device ID has several "vendor specific" bytes, but they're mostly obsolete data.
It would be tricky and a bit risky to build copy protection (or some other vendor's feature) on top of these things, some existing (perhaps old) applications use those ID bytes. Some software may generate those requests (eg Format Track), so the drive would need to be "smart" and not actually format tracks when the parameters (all vendor specific, not defined by the ATA spec) indicate a copy control operation. Of course, the software would also need to be "smart" and check the device ID data to make sure the drive really has the copy control features built onto a command like Format Track, as legacy drives might actually do something a little less desirable with that command (the RIAA would probably be pleased, as a pirate would lose his copy, and a legit consumer would have to pay again!)
I'm sure this slashdot story will get a lot of folks rilled up... but before you go leaping to conclusions, ask yourself what evidence is actually presented to establish that this is really a conspiracy? Not much... the only words I could find were that this proposal was ill-conceived to provide generic functionality (the "single custom function" comment), when in fact it appears to be a very reasonable way for a vendor to implement lots of custom functions, up to eight if each command is assigned a single function.
I'll agree that the generic custom functionality concept is a flawed idea, but this proposal is a reasonably well thought-out way to do it. Perhaps there is/was a conspiracy brewing, but it'd be nice to have some actual evidence of that before jumping to the conclusing and passing (mental) judgement on whoever made the proposal.
Indeed that's what standards are all about, discussing and accepting or rejecting proposals based on the combined wisdom of the participants in the process. That looks like what happened here.
PJRC: Electronic Projects, 8051 Microcontroller Tools
Here is a link to John Gilmore's Most Excellent Essay addressing your very question.
Schwab
Editor, A1-AAA AmeriCaptions
For every copy-protection scheme, there are n anti-protection schemes, where n>=1 (and usually n >> 1). What do they hope to gain with this? A little time?
Too bad these idiots weren't around in the time Guttenburg.
Them: "Hi, we'd like to put this device on your new printing press that chucks out the lead after every printing, just in case you try to print protected material."
Guttenburg: "Fuck off."
Microsoft is to software what Budweiser is to beer.
From the article:
ANY function stuffed into a disk drive would be compatible with this
spec, which means it doesn't define a standard at all. How exactly
would this promote interoperability among manufacturers? Or as the
committee chair asked, before voting against it, preventing it from
immediately becoming part of the standard, "Why are we doing this?"
Exactly. That dude realized that people are going to vote with their wallets on this one. Given the choice between a brand name, copy-protected drive or an unknown manufacturer's "open" drive, people will choose the more non-intrusive option.
This is one instance where consumers CAN make a difference, by electing not to go along with this strangely Orwellian notion of CPRM.
props to all dead homiez
In recent months, Slashdot has been flooded with stories of anti-freedom initiatives like CPRM. Various people leap into action and try to beat these monstrosities back. Sometimes they win; sometimes they lose. Increasingly, when the battlefield is a court, the good guys lose.
The obvious pattern is that these aggressors are never at risk while they attack us. They don't risk their freedom or property or prosperity while they fight to censor and ultimately to jail the free citizens. Therefore they become bolder with each attempt. At this rate, it doesn't matter if they win or lose a particular battle, because even when they lose they don't really lose anything.
How can we fight back in a way that really hurts them? How can we hit them so hard that they become reluctant to pursue this war?
Boycotting is useless. Even if we caused a 10% dip in sales, which would be phenomenally hard, I don't think we'd weaken their fanatical commitment to protect their privileged state.
Complaining to the aggressors is also useless. We are not going to open their eyes to anything - they understand the nature of this war quite clearly. So don't bother sending that carefully crafted email to the RIAA.
So what can we do? One thing that occurs to me is to bring this war home to the aggressors who are fighting it. We are being attacked by individual human beings, like Jack Valenti, Hilary Rosen, Leonard Chariglione, and an anonymous band of mercenaries who help them. And this might be the key. What if we strip away that anonymity, study the individuals behind these attacks, and do everything legally allowed to place unpleasant pressure on them?
An engineer who helps develop CPRM ought to be as much of an internet celebrity as Cantor and Siegel.
I think that the IP cartel relies on the services of many intelligent individuals who do not want to be famous on the internet for their participation in such a scheme.
This just scratches the surface. If we want to win this war, we must do something more than wait for the next assault.
Funny thing is, that even though this was published, the corporations will still claim plausible deniability, and that this will still go thru.
(appologies in advance for the sentence structure/grammar, but I've been up for 32 hrs and am going for a well needed rest)
Lets all write our congress person! And then, we'll show them by boycotting the product - that'll show them!!
oh... that didn't work in the past.
I mean, we all bitched when
- we found out that DVD players had region codes
- the DMCA was being passed
- the us government said that linking was illegal,
- decss was declared illegal
- our right to fair use was rendered void, but our rights remained (i.e. copy protection on digital TV's and fair use)
- we found out that ms word docs had a UID
and so on...
A shitload of people refused to buy DVD players in order to "boycott" the industry - which is doing quite well without them (well those who haven't given in yet...)
Honestly, get real, this is america and you have no voice here (I smell flame, bring it on), unless you pay for the congress person's / president's election, or for the industry parties.)
This standard will be passed - money was put into developing this and it will not be wasted - how much $ do you think the "RIAA" un officially gave the companies to develop this. (ironically, its probably not much, just paid for a party, booze, cuban cigars and hookers, but I digress)
These companies are not stupid - they realize that consumers are not going to stick with "small" 60 gig HDD's, but instead buy the 200 or 300 gig HDD when comes out. I wonder - if they are the same price, and the 300 gig runs faster etc... which one will you choose?
Even if you choose the fomer (un"protected"), the majority of the consumers will buy the larger/faster model.
95% of americans are sheep and will buy shit they don't even need. Anything that is marketed properly sells - _ANY_thing.
These 95% will create a market for the protected HDD's, which will be marketed under the premise of "protecting your data from hackers", "letting you listen to music on your pc" or some other stupid bullshit.
The 5% who want unprotected HDD's will whine, then realize that no one (or some super expensive / custom comapny) produces the unprotected hard drives. Finally they will buy the protected versions because they "need" to, or because a need will be created (want legal music? buy a new hard drive)
We are a consumer society, many of us will devour what is new - i.e. new dvds, music etc...
Those who want to "keep in touch with society" will do so - however it will be through sacrificing their ideals (i.e. giving out and buying a new protected hdd) or by commiting illegal acts (watching a divx encoded movie or downloading illegal mp3's)
Finally I say this;
The 95% will gladly exchange their rights for some security (someone has the sig that says they deserve neither)
Finding people who are willing to do this creates absolutism - and despotism. i.e. shit like this helped hitler, mussolini and the european absolutionist rulers in the 1700-1800's gain __absolute__ power - all these rulers also abused that power.
Oh... and the industry will NEVER say "whoops, lets take that back" once it has been introduced into the market.
Ironically North America is the best place to live in the world right, and is "leading" in civil rights et cetera.
Dunno what I'm suprised at, my confidence in humans has dropped quite a bit this week.
Fucking greedy lot we are, it's pretty disgusting.
A friend just returned from Indonesia, the police and army are shooting at each other because they both want to collect money from the refugees that are fleeing the massacres in their villages.
Beautiful ain't it? You should see some pictures of decapitated bodies, et cetera.
(sig doesn't really fit with this post)
I have a shotgun, a shovel and 30 acres behind the barn.
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf