Slashdot Mirror
Open Source DRM
Clyde writes "The different worlds of DRM and Open Source have come together under OGG-S, a project that just recently went to beta with their Open Source DRM toolkit. The project license in GPL and uses OpenSSL for its encryption engine. It will be interesting to see if this project helps to spread the acceptance of Ogg Vorbis."
I can already see thousands of rabid open source fanatics imitating Gollum over this...
"It isss OGG, so it isss good! Yes!"
"Nooo! DRM! Hateful it is!"
etc.
From the FAQ:
"If OGG-S is open source, how can the encryption be secure?
If a company wishes to use OGG-S to protect their content, SideSpace Solutions highly recommends purchasing a binary distribution license. Under this license, any modifications to OGG-S (such as a change of encryption engine or private keys) do not have to be released."
OK....
Under GNU, do you have to release any private encryption keys you may have used with the code?
Encryption keys would seem to fall under content/data and not code. It is my understanding of the GNU license that you must redistribute the source code, not any data that your created and feed into the application. As long as you provide sample data (in this case another encryption key) to allow the application to run properly when compiled.
I don't see how they can force people, under the GNU, to release any private keys.
Someone please explain.
I don't see how they can
DRM isn't bad. Big Media/MS is bad. If DRM becomes mandated, it will be better to have an open-source implementation than not. This will reduce the plausibility of the likely MS argument that since there is no DRM on linux or mac, these systems should be excluded outright from certification.
It's like an arms race. If everyone's got it, nobody is at a disadvantage. "Keep your friends close, but keep your enemies closer." The same is true of TIA, btw.
I worked for a startup that was researching DRM heavily (I was doing streaming-media stuff, others were doing DRM, and the company rightly failed promptly), and have done a lot of thinking about the issues.
Basically, OSS and DRM are mathematically incompatible. The purpose of DRM is to keep the user from being able to make a copy of the media in question. In order to do that, it must use encryption keys to hide the 'plaintext', and carefully control those keys. This is the core of what DRM is.
In order to plug the equivalent of the 'analog hole', all existing DRM implementations are binary-only, and carefully control and conceal the data path between the encrypted data and the finaly output hardware, so that it's 'impossible' for the user to get the plaintext.
As soon as you go Open Source, *anyone* can take the code appart, take the decryption routine, and get the plaintext right out of that. There is nothing 'forcing' the data directly into the hardware. At that point, the plaintext can be distributed, and the DRM has failed.
More important than that even is the fact that open-source licenses guarantee that you can redistribute your modifications. It will be a grand total of about 2.37 hours between initial release of the software and someone releasing a version that will export the plaintext. Guess how popular the original release will be?
No, I think the results of this little experiment will be mixed good and bad:
Good: it will prove that DRM is mathematically impossible
Bad: it will 'prove' that the industry *must* use binary-only distributions of such software in order to make it work
It remains to be seen which of these will take effect first.
GStreamer - The only way to stream!
Its good.
Why? Because it would be implemented in, obviously, an open manner with publically defined protocols and specifications. Therefore, anybody who wanted to build an infrastructure to support DRM could do so without locking people into a single vendor or implementation.
Somebody asked why couldn't you just change the libraries to let you bypass it? Well sure, if you can change the code on the machine, you *may* be able to bypass protections, depending on what they are. For example, if the file (text, sound, media, etc.) is encrypted and requires a decrypt key, mucking around in the code isn't going to help it decrypt itself.
Now.. what about extracting the protected media after the decrypt step? Well, thats a bit harder. In fact, that was how people broke Microsoft's first WMP protection.. they wrote a null sound driver that just dumped the output to a file. Works pretty well. Don't think that they didn't notice, when all of their drivers need to be signed these days..
Anyway.. there are different parts to Digital Rights Management. Step 1 is access.. can you access a file or not. Crypto protects that, and no open or closed source will change that. Step 2 is decrypted control. Who can manipulate the decrypted bytes of the media? That is up to people to implement and protect as they see fit.
Remember that an OSS DRM solution could provide an open source platform for building closed source clients and devices.. You have the advantge of an open standard combined with actual devices using it.
Emmett,
I agree that 10% of our proceeds should go to Xiph.org; tonight I will update the web page so that 10% of a purchase will go to Xiph.org as well as the EFF. The reason this change was not done sooner was because at the time OGG-S started, Xiph was not a non-profit organization (charging for the fixed point decoder).
Also, if you believe the name of OGG-S could cause any consumer confusion please feel free to email me at rsage@sidespace.com and I will work on changing our site accordingly. Since OGG-S has been mentioned on the Vorbis mailing lists in the past, I had assumed this name would not cause any confusion.
Sincerely,
Ryan @ SideSpace