Slashdot Mirror
CPRM Smokescreen
John Gilmore separates the chaff from the wheat with his look at the new copy-control proposal. See our previous story if you missed the bait-and-switch, as drive manufacturers attempt to include copy controls in all hard drives.
I think, most of people didn't exactly "get it", why adding a "standard" for unknown "generic" function can be a significant step to organization of CPRM schemes behind the scenes, so I will try to explain it. The "real" standards usually are pretty restrictive about what can be added to the protocol while it's still considered to be compliant. Say, if something claims that it talks SMTP, it can't demand that before "HELO" a client must send a credit card number, or the system won't work -- even if someone will make such a thing, no other SMTP client will work with that, and that system will be declared to be just as nonstandard as if it talked, say, one of internal Microsoft Exchange protocols. In some situations protocols allow extensions to be made in some backward-compatible way -- depending on the purpose of the protocol they may be allowed or not allowed, and if they are allowed, usually there is a requirement that all systems that support extensions MUST ("MUST" in capitals because it's used in the meaning, the word has in the standards texts) support the original protocol to avoid any kind of incompatibility. That was usually the rule when/where ptotocol standards were created to facilitate communication (say, first thousand-something RFCs) and not to be the base for "compatibility wars" (say, what ITU does).
Then large number of extremely vague and easily extensible "umbrella" standards appeared -- they usually involved some "wrapper" that can be easily pulled over anything, no matter how undocumented, proprietary or simply convoluted. Bright example is XML. The standard itself is very simple -- it defines how one can format the data, and, if the need will arise, how to make something that will allow to verify if there is a formatting error. What data is there, how it should be processed, what standards handle that, and who control those standards, is left to the "user". In some places it was justified -- one may want to use some standardized parser to save the trouble of using lex and yacc, so yes, there is a reason for this "umbrella" (I should add, weak reason because standard is awfully inefficient, and "poisoned" by overbroad requirements where they don't belong). But look, how it is used. Someone needs a "standard" for his data. He makes XML schema or DTD (and maybe publishes it), and some internal description, what the data means (and usually doesn't disclose it completely, leaves himself a "freedom" to change the semantics of the data, or simply writes that part in some ambiguous, illiterate way). Now he claims that he is using "open", "standardized" XML -- and indeed, with all its shortcomings, XML standard is defined in a very strict manner. More, DTD or schema very strictly defines, how to "verify" the format (but not the semantics of the data). But since XML is a "wrapper", and true format that he uses is defined in his internal or incomplete document about his internal semantics, all kinds of dirty tricks are possible. Developer can at will add, remove and change various rules and functionality that applies to semantics of the data (and more likely it will just happens because of his implementation's bugs -- there is no way to formally verify it), and different implementations, made by people who read XML standard, DTD or schema, and incomplete/confusing published part of semantics description, won't interoperate with "the original". Or different versions of implementation can appear, and while old and new versions all satisfy the standard, new version will stop interoperate with others' implementations, or will secretly get some new, harmful functionality. All that will be hidden from others because they know how wrapper works, but don't know, what mechanism is actually handling the data, and what is the true, complete definition of the semantics of the data.
This is the example how usually good feature of the standard -- extensibility -- can be counterproductive or even serve some sinister purpose. ATA standard is very strict. One can't easily add some completely unrelated functionality and claim that he is still compliant. So if someone will try to add a command for keys handling, he will make something other than ATA device, and no one in his right mind will place that thing where ATA hard drive is supposed to be. If the standard body will just extend the standard openly and say "This is a new command for copy protection, and now this is the new standard that includes it", it will be obvious that standard body is performing a sabotage of the standard that it is supposed to improve, and a lot of people will just vote against it. So the next best (or worst -- depending from the point of view) thing is to add the ability to extend the standard behind the scenes. Someone uses a "generic" command to control the disk rotation speed for power-saving reasons? Fine! Someone uses the command to erase all the data using some special eraser coil, to make it impossible to recover a disk that contained very sensitive data? Fine! Someone uses it to implement copy protection? Fine, too -- the standard says that the purpose and functionality is completely under vendor's control, and standard body isn't handling this.
Of course, the next step will be the creation of another "standard body" -- with closed membership, with only "interested parties" involved. And that body won't be responsible to anyone, it won't have to publish anything, and there will be nothing to prevent that body from issuing another standard -- how "generic" interface should be used for, you guessed, copy protection. Because whatever they will do, will be still compliant with the standard, accepted by the "public" standard body. Then they can publish copy-protection standard openly or keep it closed, patent it or keep it dangling in the air "trade secret", tie themselves by contracts or expect each other to support it willingly -- the end result will be that the next generation of ATA devices made by large companies will have copy protection implemented. And "public" standard body will have a heck of a problem reversing the loophole, once companies tasted the blood of imprisoned data.
Contrary to the popular belief, there indeed is no God.
Maybe they are afraid of some day being sued for contributory copyright infringement.
The 9th Circuit Napster ruling has changed the law. It used to be (Betamax case) that if your product had substantial non-infringing use, you were safe. The Napster decision now makes it so that if you have some infringing use, and you know that your product may be used to infringe, and you fail to do something about it, you are liable.
Thus, in the new legal climate, if they can do anything to cut back on infringement by 1%, then they must (or else they'll have a billion dollar judgement against them in the 2004 case of RIAA vs Seagate).
Just an idea. I'm probably wrong, but isn't a good conspiracy theory?
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Much has been said about consumers losing in the past and present congressional debates due to lack of organization, entertainment industry lobbying spending, etc. But I think there's another "follow-the-money" trail we should be prepared to understand and figure out how to route around:
The U.S. runs almost a trillion dollar trade deficit every year. Money is flowing out of the U.S. fast. For now, who cares? But longer-term it's a problem. To reduce this trade deficit, the U.S. needs to increase its exports. There are really only 3-4 big industries where the U.S. is competitive enough that they export much more than they import. One is the software (and to a lesser degree hardware) industry. A second is agriculture. A third is aerospace/military equipment. And the fourth big one is the entertainment industry. At the end of the day, the U.S. Congress is going to do what most seems to help American economic competitiveness, and at the moment, that means giving the entertainment industry whatever protection they need.
Is the DMCA really a hidden trade barrier then? Good question...
--LP
Disclaimer: I am not an economist. The argument above lacks obvious caveats in an attempt to retain simplicity and clarity. Harder statistics on exports by industry might confirm or refute the above analysis.
The people driving these changes are not naive, and they are not going to promote a 'secure architecture' which can be defeated by flashing the BIOS. From the TCPA FAQ:
The FAQ is pretty mealy-mouthed about what they're really up to. The least useless document I found on the site was TCPS05 - Integrity Metrics & Authenticated Boot (pdf) - a bloated, powerpoint-derived pdf that could be summed up in 4k of text.
Anyhow, you ask for evidence that the 'Generic' ATA proposal is CPRM in sheep's clothing. I think that the big piece of circumstantial evidence is the fact that the proposal surfaced so recently after CPRM was killed. Maybe T13 is a dynamic, fast-moving group that fields a major technical proposal every day, but I somehow got the impression that they're a slow-moving tortoise which cranked out CPRM over an extended period.
If that impression is correct, then the timing is suspicious.
Dear manufacturer, all I want is a device with the following interface: WRITEBLOCK, READBLOCK. I know this is deceptively simple, and your qualified engineers would like something more challenging to implement, but I have no need for extra features and options. Please stick with the following simple goals: large storage space, reliability, and low price. Thank you.
If you're looking for a good introduction to the whole CRPM issue, check out this FAQ from TheRegister.
Best part:
Q: So why is Microsoft against this, if it prevents wholesale "piracy" of its software in developing nations?
A: Um, can you ask us another...?
--Shoeboy
In recent months, Slashdot has been flooded with stories of anti-freedom initiatives like CPRM. Various people leap into action and try to beat these monstrosities back. Sometimes they win; sometimes they lose. Increasingly, when the battlefield is a court, the good guys lose.
The obvious pattern is that these aggressors are never at risk while they attack us. They don't risk their freedom or property or prosperity while they fight to censor and ultimately to jail the free citizens. Therefore they become bolder with each attempt. At this rate, it doesn't matter if they win or lose a particular battle, because even when they lose they don't really lose anything.
How can we fight back in a way that really hurts them? How can we hit them so hard that they become reluctant to pursue this war?
Boycotting is useless. Even if we caused a 10% dip in sales, which would be phenomenally hard, I don't think we'd weaken their fanatical commitment to protect their privileged state.
Complaining to the aggressors is also useless. We are not going to open their eyes to anything - they understand the nature of this war quite clearly. So don't bother sending that carefully crafted email to the RIAA.
So what can we do? One thing that occurs to me is to bring this war home to the aggressors who are fighting it. We are being attacked by individual human beings, like Jack Valenti, Hilary Rosen, Leonard Chariglione, and an anonymous band of mercenaries who help them. And this might be the key. What if we strip away that anonymity, study the individuals behind these attacks, and do everything legally allowed to place unpleasant pressure on them?
An engineer who helps develop CPRM ought to be as much of an internet celebrity as Cantor and Siegel.
I think that the IP cartel relies on the services of many intelligent individuals who do not want to be famous on the internet for their participation in such a scheme.
This just scratches the surface. If we want to win this war, we must do something more than wait for the next assault.
Funny thing is, that even though this was published, the corporations will still claim plausible deniability, and that this will still go thru.
(appologies in advance for the sentence structure/grammar, but I've been up for 32 hrs and am going for a well needed rest)
Lets all write our congress person! And then, we'll show them by boycotting the product - that'll show them!!
oh... that didn't work in the past.
I mean, we all bitched when
- we found out that DVD players had region codes
- the DMCA was being passed
- the us government said that linking was illegal,
- decss was declared illegal
- our right to fair use was rendered void, but our rights remained (i.e. copy protection on digital TV's and fair use)
- we found out that ms word docs had a UID
and so on...
A shitload of people refused to buy DVD players in order to "boycott" the industry - which is doing quite well without them (well those who haven't given in yet...)
Honestly, get real, this is america and you have no voice here (I smell flame, bring it on), unless you pay for the congress person's / president's election, or for the industry parties.)
This standard will be passed - money was put into developing this and it will not be wasted - how much $ do you think the "RIAA" un officially gave the companies to develop this. (ironically, its probably not much, just paid for a party, booze, cuban cigars and hookers, but I digress)
These companies are not stupid - they realize that consumers are not going to stick with "small" 60 gig HDD's, but instead buy the 200 or 300 gig HDD when comes out. I wonder - if they are the same price, and the 300 gig runs faster etc... which one will you choose?
Even if you choose the fomer (un"protected"), the majority of the consumers will buy the larger/faster model.
95% of americans are sheep and will buy shit they don't even need. Anything that is marketed properly sells - _ANY_thing.
These 95% will create a market for the protected HDD's, which will be marketed under the premise of "protecting your data from hackers", "letting you listen to music on your pc" or some other stupid bullshit.
The 5% who want unprotected HDD's will whine, then realize that no one (or some super expensive / custom comapny) produces the unprotected hard drives. Finally they will buy the protected versions because they "need" to, or because a need will be created (want legal music? buy a new hard drive)
We are a consumer society, many of us will devour what is new - i.e. new dvds, music etc...
Those who want to "keep in touch with society" will do so - however it will be through sacrificing their ideals (i.e. giving out and buying a new protected hdd) or by commiting illegal acts (watching a divx encoded movie or downloading illegal mp3's)
Finally I say this;
The 95% will gladly exchange their rights for some security (someone has the sig that says they deserve neither)
Finding people who are willing to do this creates absolutism - and despotism. i.e. shit like this helped hitler, mussolini and the european absolutionist rulers in the 1700-1800's gain __absolute__ power - all these rulers also abused that power.
Oh... and the industry will NEVER say "whoops, lets take that back" once it has been introduced into the market.
Ironically North America is the best place to live in the world right, and is "leading" in civil rights et cetera.
Dunno what I'm suprised at, my confidence in humans has dropped quite a bit this week.
Fucking greedy lot we are, it's pretty disgusting.
A friend just returned from Indonesia, the police and army are shooting at each other because they both want to collect money from the refugees that are fleeing the massacres in their villages.
Beautiful ain't it? You should see some pictures of decapitated bodies, et cetera.
(sig doesn't really fit with this post)
I have a shotgun, a shovel and 30 acres behind the barn.
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf