Slashdot Mirror
DRM and Threat Analysis
miladus writes "A timely and concise intervention by Ed Felten
on the topic of DRM and the models used (or not used) to represent the
threats to defeat. In brief, 2 models, one based on the potential of
large scale redistribution of copyrighted files implying defeat of DRM
if one user succeeds in bringing file inquestion to P2P network; the
other, refers to the majority of users who would casually copy files.
The implications of the schematization are most interesting because
they explain some the logic behind the often confused and confusing
rhetoric of DRM advocates and the necessity for rational grounding for
technologies."
I am okay with DRM as long as I know who holds the keys. With todays Homeland security, I am not sure that I am the only key holder.
I couldn't bother going to the link, I'll just download it off kazaa later ;)
From the article: ..."
"... leads to incoherent rhetoric
The only rhetoric I hear and see all the time are the many euphemisms used by the "DRM industry".
drm - I best manage my rights by deciding freely what to do with the data on my PC
copy *protection* - what does it protect?
piracy - I am not on a ship in the carribean sea.
etc.pp.
From the ref. article:
"Either you choose the Napsterization model, and accept that your technology must be utterly bulletproof; or you choose the casual-copying model, and accept that you will not prevent Napsterization. You can't have it both ways"
If you're a big enough monopoloy, you can PRETEND to have a bulletproof model - sell the model to the copyright holders, and sell (indirectly) a cracking tool to the mass market. Build yet another platform (Palladium) to break the latter tool.
If you keep throwing chairs, one day you'll break windows....
DRM is the digital equivalent of having to keep a drunk, rowdy police officer in your home 24/7 without a warrant. There are constitutional protections against that sort of thing.
Repeal the DMCA!
The DRM advocates must choose the Napsterization Model: It is potentially the most damaging, in terms of profits.
Gosh... Who would've thought? 'Napsterize' has become a verb... Kind've reminds me how William Gibson used the phrase "Watergated" as a verb in Neuromancer.
But enough about that. The article generalizes far too much IMHO; I find it hard to believe that a large percentage of threats can be categorized into either of the two models mentioned. There is a valid point being made, by all means... but someone needs to elaborate a little more on the subject...
I guess that's what Slashdot is for!
But this article was fairly meaningless in its own right. Nothing new if offered just that the current solution doesn't work. Something we already know.
As a fellow security professional I find it puzzling to read this small, content-free, snippets found on the great ether. It helps to re-identify the issues at hand but does little to solve them. DRM is certainly an issue but it is time to stop complaining about it and offer real world solutions.
Me? I believe that copyright infringement is tatmount to terrorism and can only be addressed by regime change. I feel the only workable solution is the total elimination of the MIAA, RPAA and any other group involved in the creation, publication and distribution of copyrighted material. Also mandatory death sentences should be handed out to anyone who provides content.
Right now I have 3 squirrels in my pants.
Thank you for your support.
It would be far better to approach this problem on a social rather than a technical security basis.
I would perhaps like to see a model where you license a song for life. Something along the lines of paying $1.50 for a song and you get a digital certificate that licences you to own the song, no matter where you got it from.
That would mean that I could get the song quickly from my buddy down the road, and while that is downloading via the loacal bandwidth I could log on to BMI, Sony or whoever (The RIAA homepage!?!?), and pay my royalties.
No wait, I could just log on to the artist's homepage and pay the $.50 directly to him/her/them!!!
it would seem to me that copanies whos software checks in with servers (much like the constant updating of firewall software or even MS OSes) could easily track when software has been propogated throught the Napsterization model. When someone downloads the latest update 100 times you can figure that it has been comprimized.
Can someone with more knowledge on the subject please ream my argument. I, unlike some slashdoters, enjoy intelectual discourse.
I just want to make the observation that in real life you don't get to choose your threat, of course; both threat models are present to some extent. You can only talk about which threat model $protection_measure addresses and to what extent.
Another thing is that *AA can hope to bring the Napster model closer to the small-scale copying model by persecuting individual users. Witness:
On most p2p networks there is no anonymity and so there is still a chance of preventing this scenario. But all that changes when freenet comes into the picture. If it gets widely used, an ugly, long-drawn, bloody clash between "content creators" and "pirates" is inevitable. There are two possible outcomes at the end of it: 1) a draconian world ruled by the evil side 2) a severe reevaluation of our current notions on copyright, intellectual property, and revenue models. I dearly hope the clash occurs and the latter outcome results. The sooner we get out of the digital dark age the better.There's another threat model, it's the immortal music. The RIAA is very upset that CD's last so much longer than LPs. They've tried to block the resale of used CDs. With DRM, they can go back to the old mortal music model. P2P is just the scape goat. Funny how much the casual model sounds like fair use.
Without DRM, one person buys TurboTax for $40 and copies it for 5 friends:
revenues: 1 x $40 = $40
losses due to piracy: 5 x $40 = $200
net: $40 - $200 = -$160
With DRM, the same person buys TaxCut and copies it for 5 friends:
revenues: $0
losses due to piracy: $0
net: $0
So by using DRM, Intuit saves $160.
is that at some point the music has to be unencrypted. There is no way to prevent me from intercepting the signal being sent to my speakers, recording it and ripping it to mp3. The quality is not going to be that great, but that's par for the course on Kazaa. The same is true for movies... there will always be cam versions no matter what.
So, if we accept the (logical) "Napsterization" model using any type of encryption/fair use deprivation sceme is going to be pointless when the music/film has to be percieved by the human eyes and ears in the same way it always has been.
These people look deep into my soul and assign me a number based on the order I joined.
...that this is equally relevant to DRM skeptics.
When we argue that DRM has no place in copyright law we need real understanding of its purpose and effect. Otherwise, we're just fighting windmills. Enough people doing that already...
Any sufficiently advanced libertarian utopia is indistinguishable from government.
2) I haven't seen a bulletproof DRM system yet, not even a theoretical one.
but what do i know, i'm just a model.
DRM is impossible partially because protection against only the casual-copying model implies that someone can copy the contents and thereby uploding it onto a P2P network, burn it on a CD for a friend or sell burnt CD's meaning we also get napterization (why did Felton fail to mention this?) Also there's the fact that the antinapsterization bulletproof protection is both digitally impossible (reverse engineering is always possible (although it can be made very hard through hardware)) and analoguosly impossible (there's always hi-fi capture.) I might not be able to copy a file but I can always just re-record it.
The only possible DRM - that I can imagine - is burying storageless chips deep into our brains with builtin credit card reader that streams contents encrypted from a sattelite server on demand. That thought however is awful.
The only thing that might help is: public-education (the copyright owner has rights too you know) and/or buisiniss remodelling. Believe it or not but developing software takes millions of $ (even Windows) and record labels are not pure evil (although sometimes not far from it) and serve for the artist and the public as an important middleman.
Shouldn't software developers and artists get paid like everybody in society, they do produce valuable products (even - to some degree - Windows.)
Look a monkey!
Ed Felten has a valid point about the need to choose a threat model, and to stick to that choice.
However, he has not convinced me that the two threat models that he describes are the only ones, or indeed separate threat models at all.
I would view p2p networks as a means to achieving "widespread, but small-scale and unorganized, copying," and not as a separate threat model at all.
I'm also not clear about whom he's addressing: Most DRM advocates are aware of the fact that today's systems will not stop a determined adversary, and only mildly deter a casual user.
Ubi dubium ibi libertas: Where there is doubt, there is freedom.
The talk of two copying models and the level of protection needed to minimize each is profound. It speaks of a deep wisdom which many have overlooked.
But I want to add something to it. Everyone here knows what a capacitor is, right? It's two metal plates separated by a little insulator. When enough of a charge builds up between those two plates, the current will briefly jump the gap through the insulator.
The same applies to the Napsterizing/Casual-Copying model. Under casual copying, people make copies and distribute them to one or two friends. With Napsterization, one copy is made and broadcast to a great many people who want it.
The two are separated by a small gap. Will someone make one or two copies, or make it available for hundreds to download? That's where the capacitance comes in. If there's enough pressure, sooner or later a piece of media will jump the gap from casual copying and appear somewhere for everyone to grab a copy of.
What affects capacitance between the two? Well, the better the content is, the more people will want to show it to other people. The easier it is to show to other people, the more people will do so. P2P software today has cut the gap considerably. DRM is an attempt to add insulation and keep things from making the jump from casual copying to mass distribution.
It's been demonstrated, preventing any copies from being made is theoretically impossible, but the Content Cartels continue to try to prevent it. Likewise, preventing the jump to from casual copying to underground mass distribution is nearly impossible, but the Content Cartels continue suing every P2P, university, or network service that doesn't outlaw it outright.
It'd be interesting to see statistics on which results in more copies being made: P2P distribution or casual copying. Because it seems that P2P networks do more damage, but are much harder to prevent. And, in fact, if a DRM is put into place which prevents casual copying, I could see MORE people going to P2P systems to get copies from those who CAN break the "anti-fair-use technologies."
Thoughtful as the piece on different types of copying threat is, it becomes moot as the different types come closer together.
You cannot truly appreciate Dilbert until you read it in the original Klingon.
From the viewpoint of someone who created the trust model for the MPEG IPMP framework, Dr. Felten comments are correct though he does not address the fundamental failure of DRM. The *AA of the world are trying to use technology to solve what is fundamentally social and economic failings.
As for DRM technologies, no technology can withstand attack indefinitely, Palladium not withstanding. The question really boils down to who is attacking, how much time are they willing to spend on it and what resources they have access to.
If the answer to the above question is professionals with lots of time and resources, any DRM system will be cracked.
Felten's comments come close to, but do not quite repeat, the twin comments I have been making to friends about Digital Rights Manglement for the past year.
First, Digital Rights Manglement schemes assume that the control over use of media offered to producers due to the virtue of being digital -- controls which they have never before possed in any other medium -- outstrip the value of fair use rights for their entire [potential] audience, despite the twin facts that fair use rights are established in law, and that [some of] the controls suggested violate other legal doctrines such as first sale. This alone is enough to dissuade me from supporting any such schemes.
Secondly, even if you are a prolific creator -- such as Steven King or the Beatles -- you cannot create as much media output as you have input. Even for a creator, the fair use rights lost to DRM will outweigh the additional rights gained. Any way you slice the question, the public rights lost to Manglement will outweigh the private ones gained, because even the few beneficiaries also lose -- on a scale far larger than they gain. (The rest of us just lose.)
Do you like Japanese imports?
They are just interested in having some sort of encription system and then have laws to protect it.
It just doesn't mather if the technical aspects of the encription methods are strong or weak.
They just want to have laws to be able to go after anybody suspect of breaking the encription systems.
My advice to all the people doing research on ecription and security is this: just be very carefull..
DRM is very simple. If there is a file on your machine that others can read and write but you can not, then someone else owns your machine. If all machines are owned in this manner and the law supports it, the law has violated the first amendment gaurntee of free press. If I can't make one of these or an anyonymous handbill equivalent with my own equipment the way I chose, then there is no free press. That is a much greater threat than the colapse of the pulp music sheet industry and it's illegitimate vinyl and radio broadcasting heirs.
DRM is the largest threat to the free flow of information ever. It has the ability to undo not just the digital revolution, but the benifits of mechinized paper publication as well. Once books were chained to their shelves in libraries and only a privaledged few could look at them. DRM chains are stronger than any steel.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
...it reminds me of my younger self as C64 owner and copyright infringer.
Back then, many game producers used DRM in different ways. There was no internet, I had very little money, no access to BBS'es and copying a single game took several minutes swapping disks. Yet I knew a couple of guys who could lend me bunches of new games for copying, DRM cracked and all. Everyone I knew had boxes stuffed with illegal games and perhaps one or two originals tops. Darknet indeed.
If that was the state of things back then, how can we reasonably expect that DRM will really limit copying today? I think we'll fare better informing people about the consequences of copyright infringement - both to themselves, but more importantly to the artists. I'd like an easy technological solution, but we don't have it, and we're not going to.
Any sufficiently advanced libertarian utopia is indistinguishable from government.
I'd like an easy technological solution, but we don't have it, and we're not going to.
In fact, I suspect we do have one now: Easy and cheap online sale.
Smart content providers will beat the pirates on ease-of-use, not to mention good-conscience. It's not perfect, but I'm generally optimistic that it'll be good enough. While waiting for the un-smart content providers to die off we should fight to stop copyright law from becoming too badly "fixed".
Any sufficiently advanced libertarian utopia is indistinguishable from government.
"Justice" Scalia has explained that you are wrong. You see, "Most of the rights that you enjoy go way beyond what the Constitution requires." But don't worry; he promises to protect the constitutional minimum. I feel safer already.
Yes, they killed Napster. They managed to get rid of AudioGalaxy, too. But FreeNet, Kazaa, WinMX, and any P2P systems likely to show up in the future are comparatively unkillable. The killing off of the first few centralized sharing networks accomplished nothing except to make 'the enemy' harder to get next time around. They can't possibly affect them anymore, so instead they announce their uncopyable (and often unplayable) CDs as the solution to all copying problems. Not only is it a bad solution, it's a bad solution being applied to an entirely different problem. Similarly, a hardware/OS-level DRM-ed music file will only work until it is broken once, after which it gets shared as an ordinary unprotected file and the solution is worthless, inconveniencing only the non-sharing customers.
Dyolf Knip
... which was discussed several months ago on /. IIRC, goes into much more detail on the dynamics of the cat-and-mouse game of DRM and copy distribution and is very insightful about the possible outcomes.
You were 80% angel, 10% demon. The rest was hard to explain. - Over The Rhine
"Math in a song is good."-Linford
The point made by the author can be generalized to any form of problem solving. When approaching a situation, you must first understand the problem before you can even begin to formulate an adequate solution. In my experience, this is the #1 thing that people do wrong in engineering (software or otherwise). Why just the other day, I was conversing with a collegue who was trying to decide between two ways of structuring a web application that would affect how the client used it. I asked him how the client currently does their business. He didn't know.
I am NEVER okay with DRM. As long as someone else holds the keys, they can change the rules anytime afterwards.
Consider, you buy DRM protected music this year.
Next year, through spending lots of money in Washington D.C., the industries are are granted the legal right to specify that the music you bought cannot be copied to any other form, and your DRM is automatically updated to enforce that without ever asking your consent.
The year after that they get a law where your purchased music will expire after ten years of use. Just won't play after that.
And the year after that, instead of unlimited plays allowed within your remaining eight years (the ten year limit was made retroactive, of course), you now have to pay a few pennies for each play. And btw, it now expires in seven (for you four) years.
You can't do anything because they own the keys and can change the conditions of their use any time they wish (true of any DRM system, to deal with compromised keys, if nothing else). Your only recourse is to the law -- and they've already preempted that route.
Let's be clear here: DRM IS NEVER OKAY. Got that?
And if you're foolish to think the rules never change on something after you've bought it, look at how copyrights on old music and movies continue to be extended beyond ever expiring? Even now, copyrighted material first published before you were born will never expire in your lifetime.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Considering the complete content of many CD's today, the industry is already 90% there.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."