Slashdot Mirror
DRM and Threat Analysis
miladus writes "A timely and concise intervention by Ed Felten
on the topic of DRM and the models used (or not used) to represent the
threats to defeat. In brief, 2 models, one based on the potential of
large scale redistribution of copyrighted files implying defeat of DRM
if one user succeeds in bringing file inquestion to P2P network; the
other, refers to the majority of users who would casually copy files.
The implications of the schematization are most interesting because
they explain some the logic behind the often confused and confusing
rhetoric of DRM advocates and the necessity for rational grounding for
technologies."
I am okay with DRM as long as I know who holds the keys. With todays Homeland security, I am not sure that I am the only key holder.
I couldn't bother going to the link, I'll just download it off kazaa later ;)
From the article: ..."
"... leads to incoherent rhetoric
The only rhetoric I hear and see all the time are the many euphemisms used by the "DRM industry".
drm - I best manage my rights by deciding freely what to do with the data on my PC
copy *protection* - what does it protect?
piracy - I am not on a ship in the carribean sea.
etc.pp.
From the ref. article:
"Either you choose the Napsterization model, and accept that your technology must be utterly bulletproof; or you choose the casual-copying model, and accept that you will not prevent Napsterization. You can't have it both ways"
If you're a big enough monopoloy, you can PRETEND to have a bulletproof model - sell the model to the copyright holders, and sell (indirectly) a cracking tool to the mass market. Build yet another platform (Palladium) to break the latter tool.
If you keep throwing chairs, one day you'll break windows....
DRM is the digital equivalent of having to keep a drunk, rowdy police officer in your home 24/7 without a warrant. There are constitutional protections against that sort of thing.
Repeal the DMCA!
The DRM advocates must choose the Napsterization Model: It is potentially the most damaging, in terms of profits.
Gosh... Who would've thought? 'Napsterize' has become a verb... Kind've reminds me how William Gibson used the phrase "Watergated" as a verb in Neuromancer.
But enough about that. The article generalizes far too much IMHO; I find it hard to believe that a large percentage of threats can be categorized into either of the two models mentioned. There is a valid point being made, by all means... but someone needs to elaborate a little more on the subject...
I guess that's what Slashdot is for!
But this article was fairly meaningless in its own right. Nothing new if offered just that the current solution doesn't work. Something we already know.
As a fellow security professional I find it puzzling to read this small, content-free, snippets found on the great ether. It helps to re-identify the issues at hand but does little to solve them. DRM is certainly an issue but it is time to stop complaining about it and offer real world solutions.
Me? I believe that copyright infringement is tatmount to terrorism and can only be addressed by regime change. I feel the only workable solution is the total elimination of the MIAA, RPAA and any other group involved in the creation, publication and distribution of copyrighted material. Also mandatory death sentences should be handed out to anyone who provides content.
Right now I have 3 squirrels in my pants.
Thank you for your support.
It would be far better to approach this problem on a social rather than a technical security basis.
I would perhaps like to see a model where you license a song for life. Something along the lines of paying $1.50 for a song and you get a digital certificate that licences you to own the song, no matter where you got it from.
That would mean that I could get the song quickly from my buddy down the road, and while that is downloading via the loacal bandwidth I could log on to BMI, Sony or whoever (The RIAA homepage!?!?), and pay my royalties.
No wait, I could just log on to the artist's homepage and pay the $.50 directly to him/her/them!!!
I just want to make the observation that in real life you don't get to choose your threat, of course; both threat models are present to some extent. You can only talk about which threat model $protection_measure addresses and to what extent.
Another thing is that *AA can hope to bring the Napster model closer to the small-scale copying model by persecuting individual users. Witness:
On most p2p networks there is no anonymity and so there is still a chance of preventing this scenario. But all that changes when freenet comes into the picture. If it gets widely used, an ugly, long-drawn, bloody clash between "content creators" and "pirates" is inevitable. There are two possible outcomes at the end of it: 1) a draconian world ruled by the evil side 2) a severe reevaluation of our current notions on copyright, intellectual property, and revenue models. I dearly hope the clash occurs and the latter outcome results. The sooner we get out of the digital dark age the better.There's another threat model, it's the immortal music. The RIAA is very upset that CD's last so much longer than LPs. They've tried to block the resale of used CDs. With DRM, they can go back to the old mortal music model. P2P is just the scape goat. Funny how much the casual model sounds like fair use.
Without DRM, one person buys TurboTax for $40 and copies it for 5 friends:
revenues: 1 x $40 = $40
losses due to piracy: 5 x $40 = $200
net: $40 - $200 = -$160
With DRM, the same person buys TaxCut and copies it for 5 friends:
revenues: $0
losses due to piracy: $0
net: $0
So by using DRM, Intuit saves $160.
is that at some point the music has to be unencrypted. There is no way to prevent me from intercepting the signal being sent to my speakers, recording it and ripping it to mp3. The quality is not going to be that great, but that's par for the course on Kazaa. The same is true for movies... there will always be cam versions no matter what.
So, if we accept the (logical) "Napsterization" model using any type of encryption/fair use deprivation sceme is going to be pointless when the music/film has to be percieved by the human eyes and ears in the same way it always has been.
These people look deep into my soul and assign me a number based on the order I joined.
2) I haven't seen a bulletproof DRM system yet, not even a theoretical one.
but what do i know, i'm just a model.
Ed Felten has a valid point about the need to choose a threat model, and to stick to that choice.
However, he has not convinced me that the two threat models that he describes are the only ones, or indeed separate threat models at all.
I would view p2p networks as a means to achieving "widespread, but small-scale and unorganized, copying," and not as a separate threat model at all.
I'm also not clear about whom he's addressing: Most DRM advocates are aware of the fact that today's systems will not stop a determined adversary, and only mildly deter a casual user.
Ubi dubium ibi libertas: Where there is doubt, there is freedom.
The talk of two copying models and the level of protection needed to minimize each is profound. It speaks of a deep wisdom which many have overlooked.
But I want to add something to it. Everyone here knows what a capacitor is, right? It's two metal plates separated by a little insulator. When enough of a charge builds up between those two plates, the current will briefly jump the gap through the insulator.
The same applies to the Napsterizing/Casual-Copying model. Under casual copying, people make copies and distribute them to one or two friends. With Napsterization, one copy is made and broadcast to a great many people who want it.
The two are separated by a small gap. Will someone make one or two copies, or make it available for hundreds to download? That's where the capacitance comes in. If there's enough pressure, sooner or later a piece of media will jump the gap from casual copying and appear somewhere for everyone to grab a copy of.
What affects capacitance between the two? Well, the better the content is, the more people will want to show it to other people. The easier it is to show to other people, the more people will do so. P2P software today has cut the gap considerably. DRM is an attempt to add insulation and keep things from making the jump from casual copying to mass distribution.
It's been demonstrated, preventing any copies from being made is theoretically impossible, but the Content Cartels continue to try to prevent it. Likewise, preventing the jump to from casual copying to underground mass distribution is nearly impossible, but the Content Cartels continue suing every P2P, university, or network service that doesn't outlaw it outright.
It'd be interesting to see statistics on which results in more copies being made: P2P distribution or casual copying. Because it seems that P2P networks do more damage, but are much harder to prevent. And, in fact, if a DRM is put into place which prevents casual copying, I could see MORE people going to P2P systems to get copies from those who CAN break the "anti-fair-use technologies."
Thoughtful as the piece on different types of copying threat is, it becomes moot as the different types come closer together.
You cannot truly appreciate Dilbert until you read it in the original Klingon.
Felten's comments come close to, but do not quite repeat, the twin comments I have been making to friends about Digital Rights Manglement for the past year.
First, Digital Rights Manglement schemes assume that the control over use of media offered to producers due to the virtue of being digital -- controls which they have never before possed in any other medium -- outstrip the value of fair use rights for their entire [potential] audience, despite the twin facts that fair use rights are established in law, and that [some of] the controls suggested violate other legal doctrines such as first sale. This alone is enough to dissuade me from supporting any such schemes.
Secondly, even if you are a prolific creator -- such as Steven King or the Beatles -- you cannot create as much media output as you have input. Even for a creator, the fair use rights lost to DRM will outweigh the additional rights gained. Any way you slice the question, the public rights lost to Manglement will outweigh the private ones gained, because even the few beneficiaries also lose -- on a scale far larger than they gain. (The rest of us just lose.)
Do you like Japanese imports?
They are just interested in having some sort of encription system and then have laws to protect it.
It just doesn't mather if the technical aspects of the encription methods are strong or weak.
They just want to have laws to be able to go after anybody suspect of breaking the encription systems.
My advice to all the people doing research on ecription and security is this: just be very carefull..
The point made by the author can be generalized to any form of problem solving. When approaching a situation, you must first understand the problem before you can even begin to formulate an adequate solution. In my experience, this is the #1 thing that people do wrong in engineering (software or otherwise). Why just the other day, I was conversing with a collegue who was trying to decide between two ways of structuring a web application that would affect how the client used it. I asked him how the client currently does their business. He didn't know.
I am NEVER okay with DRM. As long as someone else holds the keys, they can change the rules anytime afterwards.
Consider, you buy DRM protected music this year.
Next year, through spending lots of money in Washington D.C., the industries are are granted the legal right to specify that the music you bought cannot be copied to any other form, and your DRM is automatically updated to enforce that without ever asking your consent.
The year after that they get a law where your purchased music will expire after ten years of use. Just won't play after that.
And the year after that, instead of unlimited plays allowed within your remaining eight years (the ten year limit was made retroactive, of course), you now have to pay a few pennies for each play. And btw, it now expires in seven (for you four) years.
You can't do anything because they own the keys and can change the conditions of their use any time they wish (true of any DRM system, to deal with compromised keys, if nothing else). Your only recourse is to the law -- and they've already preempted that route.
Let's be clear here: DRM IS NEVER OKAY. Got that?
And if you're foolish to think the rules never change on something after you've bought it, look at how copyrights on old music and movies continue to be extended beyond ever expiring? Even now, copyrighted material first published before you were born will never expire in your lifetime.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."