Slashdot Mirror


European DRM News

burgburgburg writes "Two new fronts opening in the battles over digital rights management. First: news.com is reporting how French authorities are investigating EMI France and music retailer Fnac over anticopying technology included on CDs that allegedly renders them unplayable on some systems. The investigation began after the Bureau of Competition's antifraud unit (DDCCRF) received complaints from a consumer group known as UFC-Que Choisir. Second: BusinessWeek reports that the EC is investigating Microsoft to make sure that they don't illegally dominate the field of digital rights management. Regulators have told Microsoft and its partner Time Warner that they are looking into their plan to acquire the company ContentGuard, which makes DRM software, because of concerns that it will create or strengthen Microsoft dominance of the field."

143 comments

  1. Kudos to Europe by ahsile · · Score: 3, Informative

    For having the balls to stand up to the industry bigwigs.

    1. Re:Kudos to Europe by gmanic · · Score: 3, Insightful

      And that's what I like about the "old world" and I'm glad to be back here - even if some other things go terribly wrong - still better than fully-openly-industry-funded-government

      Although, might not be that much better...

    2. Re:Kudos to Europe by Ignignot · · Score: 4, Insightful

      If you think that European governments are any less influenced by corporations than the American government you are mistaken. They're just funded by different corporations. Also, Europe's monopoly laws are slightly different, so you will have companies prosecuted in the United States that are doing perfectly legal things in Europe, and vice versa. This doesn't mean that one is less influenced by industries. It just means that they're different environments for companies.

      --
      I submitted this story last night, and it didn't get posted.
    3. Re:Kudos to Europe by Anonymous Coward · · Score: 2, Insightful

      but on this side of the ocean (in the USA er UCA) we find a monopoly doing illegal things, we just let them off the hook.

      has any corp in europe been found to be a monopoly and then let off the hook?

      welcome to the United Corporations of America, did you get the memo, and have you been a productive worker today?

    4. Re:Kudos to Europe by Blue+Stone · · Score: 5, Insightful

      Stand up to industry bigwigs?

      In case you've forgotten, we have the EUCD over here just as you have the DMCA over there - the effective privatisation of copyright law (Corps now write their own rules - trying to circumvent those rules brings in the law).

      Our governments are just as 0wnz0red by media corporations as America's, I'm afraid.

      --
      Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
    5. Re:Kudos to Europe by William+Baric · · Score: 3, Informative

      Of course, European governments are influenced by corporations but the difference is most European people think the real enemy is not their government but big corporations. So when their governments side too much with corporations they tend to vote the other way.

      Also, if you take France for example, democracy is not a two-party system. Which means a government is in fact a coalition and that is far more difficult to buy.

    6. Re:Kudos to Europe by Aldoo · · Score: 1

      Well, that's not that clear.

      French democracy is not a two-party system, but almost: small parties have a very small place in the system (a very few parliament members or not at all, and never presidents and - almost never - government members).

      But it's true that it is illegal for corporations to finance parties. However if that's how it works in France, in Germany and some other countries corporations have this right.

  2. Well.... by thewldisntenuff · · Score: 4, Insightful


    Article 2 is interesting....Here's a quote -

    "Regulators put Microsoft and partner Time Warner on notice that it intends to investigate their plans to jointly acquire Bethesda (Md.)-based ContentGuard, which makes digital-rights-management (DRM) software to prevent music and movie piracy."

    Call me crazy, but wouldn't each content company want their own DRM software? I mean, if you've got one lock, and a whole hell of a lot of people trying to open it, once it is open, you're screwed. Furthermore, content companies wouldn't want to pay a MS tax on each piece of content that is protected with MS-DRM. They'd be better off with their own DRM scheme......A monopoly in the DRM arena seems stupid at best - but am I wrong?

    -thewldisntenuff

    1. Re:Well.... by Otter · · Score: 2, Informative
      They'd be better off with their own DRM scheme......A monopoly in the DRM arena seems stupid at best - but am I wrong?

      The whole thing is completely speculative, anyway. There is no significant DRM market, no dominant player and at the moment, Microsoft doesn't even own anything. I'm inclined to agree with you that the content providers would be better off with a standard than with giving Microsoft control over them but, at the moment, this is just EU regulators grandstanding.

    2. Re:Well.... by Bob(TM) · · Score: 1

      Probably. But business is business. The only successful way to dodge problems (certain incompatibilities with OS and hardware, yada-yada) and development costs with rolling out DRM is to make sure the technology for doing it is ubiquitous. This pushes toward cooperation (like the DVD consortium that administers licensing CSS).

      As far as the tax, Microsoft is more likely to pass the costs off in the other direction. The content providers won't pay because they've agreed to adopt it. Rather, they will pass the tax off to the players (like DVD).

      --

      The little guy just ain't getting it, is he?
    3. Re:Well.... by Gooba42 · · Score: 4, Insightful

      Keep in mind that with DMCA-like legislation in place it's illegal to even tamper with the lock, not to mention if you break open the lock *and* steal the goodies inside.

      Just fidgeting with the DRM stuff is a crime even if you're just curious and even if you're not successful.

      --
      I just found out there's no such thing as the real world. It's just a lie you've got to rise above. - John Mayer
    4. Re:Well.... by SpecBear · · Score: 5, Insightful

      The "one lock" method has been used repeatedly by the content industry. Think Macrovision and CSS. It has the disadvantage you stated (crack one, crack 'em all) but has the advantage of providing consistency and influence over people who make content players.

      If there are six big content providers each with their own system, and one of their DRM systems screws up on one of the players, the manufacturer of the player will say "The DRM is screwy and we don't support it. Bitch at the content provider." If there are six big providers who all use the same system, and it doesn't work on one player, then the player is broken and it will be "fixed" to work with the DRM.

      Remember, DRM isn't about stopping piracy. It's about controlling how the everyday user consumes content and allowing the content providers to build a revenue structure as they see fit without having to worry about users circumventing it through things like (time|space|format) shifting.

    5. Re:Well.... by st1d · · Score: 5, Interesting

      Very true, but there's a gamble there as well. For instance, if MS and T-W were to come up with one system, and other groups came up with their own, there would be the temptation to break the other guy's system, to drive artists to your "better" DRM system (DMCA items aside). Especially if MS has desktop dominance and an interest in promoting one system over another, seeing as they're the only folks that know how their OS interacts with the software.

      DRM is actually a beautiful catch-22 for MS. They can cash out any way you build it, because all they need to do is break/leak competing software, and competitors are screwed. (And as history shows, MS has no problem doing this when the situation calls.) So, MS builds a system, IP's it to death, and gets to call the shots on who gets to do what. Even if someone were to do the same for another OS (not that OSS folks are real big on the DRM idea), they're risking MS's ire.

      So, in one smooth "righteous" move, MS automatically sweeps up the competition. Thanks to the DMCA and other fine laws, reverse engineering and so on means that no other OS users will be able to listen to music on their PCs. Then, while sales fall, those laws will get tightened even more, until using another OS is all but illegal.

      It kind of reminds me of school. Someone would screw things up for everybody else, because the boneheads in charge (in this case, congress), can't see that they need to deal with the real problem (putzes that load 500 CDs onto the internet). Instead, they want to "protect" everybody, so we all have to sit back and allow our computers to be loaded down with stuff to protect us from what we MIGHT be tempted to do.

      Meanwhile, the majority of people respond with, "Baaa. I just want to listen to music. Baaa!" People often can't believe that the Inquisition happened without more people standing up against it, yet we're watching it unfold right in front of our eyes. Gotta love how history repeats itself.

      --
      Microsoft has just released their much anticipated hands-free cordless mouse. Warning, it may hurt a little at first.
    6. Re:Well.... by Anonymous Coward · · Score: 0

      ... they will pass the tax off to the players (like DVD).
      You mean like:
      "If you put another DRM technology in your player, we will charge you $10 per device to license our technology but if you only use ours then we will license our technology to you for $1 per device. It's your choice."

    7. Re:Well.... by Anonymous Coward · · Score: 0

      DMCA fixes any holes that may be found in a bad DRM software, and it seems each government is coming up with their own version of DMCA.

      it will be a lot like the war on drugs.
      compare drug crime punishments to violent crime punishments.

    8. Re:Well.... by TyrranzzX · · Score: 1

      First, they've got money and if they're going to do something they might as well acquire something that's been successful.

      Second, they're going to push this via the OS no doubt, and Joe 6 pack is going to be screwed out of making copies of his CD's. This won't, of course, stop pirates and IT people, much less those who want their systems hacked up so they're usable. I know if DRM comes out in the next version of longhorn there won't be a single computer in my house that'll run the DRM part.

      Frankly, I don't buy nor listen to any RIAA affiliated music. Smaller bands using the internet as a distribution channel are thankful for the money and I don't have to deal with the CD not working, or being sued for giving a friend a few songs.

    9. Re:Well.... by Anonymous Coward · · Score: 0


      This really needs to change. Write your congressman! Protest!

    10. Re:Well.... by Fred_A · · Score: 1

      I don't know exactly what kind of "DRM-software" this is, but it makes sense that there should be an industry standard for their scheme to succeed. If everyone were to deploy his own thing, players (on desktops and embedded) would have to support a dozen schemes, paying rights to use all of them, possibly with new ones popping up all the time.

      Currently, several companies seem to be eager to gain access to Apple's DRM scheme so their content can be played on the iPod. I suppose they don't want a repeat of this. In this context, teaming with Microsoft seems like the sensible thing to do.

      And at the same time, it means there will be just one DRM thingie to crack instead of dozens for those so inclined ;)

      --

      May contain traces of nut.
      Made from the freshest electrons.
  3. Region coding.. by t_allardyce · · Score: 5, Interesting

    When is someone going to investigate region coding? It's anti-competitive and has absolutely nothing to do with copy protection.

    --
    This comment does not represent the views or opinions of the user.
    1. Re:Region coding.. by Anonymous Coward · · Score: 0

      Isn't Vanunu lucky he didn't get the standard traitor treatment? He knew what he was doing, and it's my understanding Israel wasn't breaking any laws.

    2. Re:Region coding.. by ahsile · · Score: 0

      This is true in its entirety. Mod it waaaaay up.

    3. Re:Region coding.. by N3koFever · · Score: 1

      They still make players with region coding in Europe? I can't remember the last time I saw a DVD player in a shop that wasn't being advertised as "multiregion", "region free", "region 0", etc.

    4. Re:Region coding.. by lfourrier · · Score: 4, Interesting

      http://europa.eu.int/rapid/pressReleasesAction.do?reference=SPEECH/01/275&format=HTML&aged=1&language=EN&guiLanguage=en
      too lazy to put the correct link...

      important facts:
      date: 11/06/2001 (not iso, so don't know if june or november)

      subject: speech from Mario Monti, European Commissioner for Competition Policy

      extract: Another area where the Commission is giving direct follow-up to the concerns of individual consumers is that of Digital Video Disc pricing. We have received a significant number of complaints from private citizens on this matter. In each case, the complaint is virtually the same namely, that DVD prices are significantly higher in the EU than in the USA.

      Whilst the prices of many products are higher in the EU than in the US, the major film production companies in agreement with the major equipment manufacturers have introduced a worldwide regional coding system for DVDs. Under this system, a DVD sold in one of the world's six regions cannot be played on a DVD player sold in another region. The thrust of the complaints that we have been receiving is that such a system allows the film production companies to charge higher DVD prices in the EU because EU consumers are artificially prevented from purchasing DVDs from overseas.

      As a direct result of these complaints, we have initiated contacts with the major film production companies. We will examine closely what they have to say. Whilst I naturally recognise the legitimate protection which is conferred by intellectual property rights, it is important that, if the complaints are confirmed on the facts, we do not permit a system which provides greater protection than the intellectual property rights themselves, where such a system could be used as a smoke-screen to allow firms to maintain artificially high prices or to deny choice to consumers.

      My services have had contacts on this issue with the Australian Competition and Consumer Commission, which has also sought clarifications from the major film production companies. I have noted with great interest the Australian Competition and Consumer Commission's conclusion that the regional coding system imposes a 'severe restriction of choice' on consumers. The Commission will need to determine whether there are similarly negative effects in the EU which could fall within the scope of the competition rules.

      concrete actions : none to my knowledge as of 3 years later

    5. Re:Region coding.. by fullmetal55 · · Score: 1

      You're right, region coding is nothing to do with copy protection, nor has it ever been claimed as such. It has to do with worldwide releases and marketing. And marketing to different countries at different times isn't illegal. They don't want a movie to be released on DVD in Australia when the movie is released in theatres just a week before, but was released 2 months earlier in the US. While I agree it's unnecessary, it had its purpose, but with most new releases being worldwide release within a week or two, all it seems to do now is delay the DVD release unnecessarily. And how is it anti-competitive? I'm just curious about that comment. Seeing as only the movie studios are allowed to sell it, they have the right to sell it in whichever countries they want. It's their product, they sell it to resellers who then sell it. Only thing I can see that's anticompetitive is the fact that they have exclusive rights to marketing their product. Which isn't anti-competitive, that's capitalism. You want to compete with them, produce your own movie. I find region coding more frustrating than anything when I want to purchase a DVD that's only available in Europe or the UK, and not available in Canada or the US yet. But that's not anti-competitive... it's similar to them not producing a French language version of a movie. Is that anti-competitive? No, it's just disallowing French only speaking people from enjoying the movie, and it ends up hurting them in the long run. Region coding is merely a control method for the big movie studios to control where the DVDs get released. Small movie studios release region free DVDs because when they produce DVDs they don't have big marketing plans to roll it out in one area of the world and then another etc. Also their releases aren't as anticipated as say Lord of the Rings. I mean the following of the movie "The Gamers" by Dead Gentlemen Productions, is minuscule compared to the following of "50 first dates".

    6. Re:Region coding.. by t_allardyce · · Score: 0, Offtopic

      Yeah, if he was actually in Israel, he had fled the country and was kidnapped from Rome. Now he's out they are further restricting his freedom which is basically punishing him after he has served a full sentence.

      --
      This comment does not represent the views or opinions of the user.
    7. Re:Region coding.. by Anonymous Coward · · Score: 0

      he had fled the country and was kidnapped from rome. [...] basically punishing him after he has served a full sentence.

      Hudson Hawk?

    8. Re:Region coding.. by Anonymous Coward · · Score: 2, Funny

      Yeah man! This region coding thing is ridiculous! Imagine requiring hardware companies to put region coding on PCs so that software written in India doesn't execute here. Because otherwise it would be much cheaper to buy software from India.

      Oh...wait a minute!...

    9. Re:Region coding.. by Anonymous Coward · · Score: 0

      What they are saying is that the movie studios can sell their movies in the EU for more than they sell them for in the US (even after factoring in shipping, currency ratios and such) because people can't buy them from the US and ship them to the EU themselves because of the region coding. The EU doesn't allow companies to have protection mechanics in place that give them more protection than IP law itself allows, and this prevents some resellers from being able to sell their products in certain areas of the world (most of it actually since there are several region codes) and therefore allows a certain kind of monopoly (almost.) I understand the almighty dollar (or euro) concept but there has to be some kind of control put in place, I just wish the market itself could do it (if we all boycotted things like big studio movies for long enough, things would change as revenue is king to these guys. They will do anything for money.) But good luck getting that done.

    10. Re:Region coding.. by fullmetal55 · · Score: 1

      I wasn't replying to anything about how much they charge. That wasn't the post I was replying to. They have a monopoly on their product anyway. Of course it's not a true monopoly because you can produce another movie and compete. It's not giving them more protection than IP law, it's giving them more control over distribution. Tough distribution licenses would do the same thing. All region coding does is give the tough distribution licenses teeth. I disagree that there should be control, revenue is king, and as long as the majority of people accept a policy that policy will continue. Region coding to me is merely an inconvenience. So this is capitalism, and capitalism's undesirable traits. But it's obviously being accepted by the market.

  4. It's just a fund raiser by nurb432 · · Score: 3, Insightful

    They will threaten to investigate, and the companies will pony up with protection money.. then all will be back to normal in the pursuit in the reduction of the citizens freedoms..

    It's the way of the government...

    --
    ---- Booth was a patriot ----
    1. Re:It's just a fund raiser by freedom_india · · Score: 3, Interesting

      Nope. Not EU. They ACTUALLY investigate and FINE them. The company is prohibited from repeating the same mistake on penalty of criminal action against its management. Take SCO in Germany for example.

      --
      "Doing what i can, with what i have." ~ Burt Gummer
  5. Re:Don't get your hopes too high by eLamer · · Score: 1

    that joke is tired

  6. DRM by danknight · · Score: 5, Insightful

    If they ever perfect DRM people will just make an analog copy and take the one time (small) quality hit. I'm not even going to talk about bit-for-bit copies that the real pirates use. It's really just a way to lock in the consumer.

    --
    wanted: one clever sig,apply within
    1. Re:DRM by ahsile · · Score: 4, Insightful

      I'm not sure it ever will be perfected. As quick as the publishers put copy-protection on, people are breaking through it. And, there are a lot more of us out there trying to break the lock, than are trying to keep it closed.

    2. Re:DRM by nkh · · Score: 1

      people will just make an analog copy

      Or people will stop buying CDs like I did two years ago. Computer-illiterate people accept a lot of things until something fucks with their own life. What will happen when they have no more consumers to lock? I hope it happens sooner than I think.

    3. Re:DRM by Audacious · · Score: 2, Interesting

      The truth about copy protection is that there IS no copy protection.

      The first rule of computer programming states:

      1. You must start somewhere.

      The first rule of computer hacking is:

      1. Since you have to start somewhere, then that "somewhere" is where you start hacking.

      To put that in English: In order for your program/music/movie/whatever to be readable you have to provide some mechanism so the information becomes usable by the computer. Wherever that location is - that is where you start from to pick apart what they are doing and how they are doing it. Thus:

      A. If you encode the information into a machine's prom you just desolder the prom and dump the code (or use hooks to latch onto each of the pin's legs and watch what it does as it does it).

      B. If you release software to be able to read a disk (CD/DVD/Floppy/etc...) then you just get a disassembler to regenerate the original code.

      So no matter what you do - so long as you have to let the user have the hardware/software, then you've just made it available to a hacker who will break the code.

      SO! Knowing this, what are the companies really doing? If only a tiny fraction of the entire population of the earth (8 Billion people) are working against you why are the rest of us being discriminated against? Wouldn't it be better to just not do any kind of protection at all and put your money towards finding those who are doing this and prosecuting them?

      Seems to me that these idiots are doing both. Which is why I have stopped having anything to do with movies and music. Let them keep their movies and music. I'll just read books instead, play the games I've written (or that are given away for free) and have a great time without them! :-)

      --
      Someone put a black hole in my pocket and now I'm broke. :-)
    4. Re:DRM by Alsee · · Score: 1

      Good post, but you need to take a closer look at Trusted Computing. It's not "just another" DRM system. It is seriously nasty.

      In order for your program/music/movie/whatever to be readable you have to provide some mechanism so the information becomes usable by the computer. Wherever that location is - that is where you start from to pick apart what they are doing and how they are doing it.

      In Trusted Computing the data will only be readable inside the CPU itself. And as if ripping a CPU open isn't hard enough already, the new CPUs will be "tamper resistant" and self-destruct their unique key if they lose power or they detect you trying to access the chip.

      Data can even be encrypted before leaving the CPU and sent to RAM, and decrypted within the CPU when reading RAM. Even the final audio and video can be sent encrypted to chips within the monitor or speakers for final decryption.

      Every chip has a unique key, and all data and keys get encryption-bound to an individual chip.

      Even if you do manage to read out a chip key, you always risk that fact being detected and that key being revoked. If you ever try to use a single key in two or more machines it is almost guaranteed to be detected and revoked.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    5. Re:DRM by Audacious · · Score: 2, Insightful

      Ok, so let me get this straight:

      1. If I ever have a power failure in my house or the battery dies in the computer the encryption key will explode. So I sue Intel over this in a class action suit and they have to fix everyone's cpu chip. Massive recalls, etc.... I can't see Intel doing that.

      1a. Besides which - you can buy CPU chips by themselves and they don't have any power being applied to them. You think Intel would develop something that you can only plug in once? Not likely. Man! Would Tom's Hardware have a fit!

      2. If I install a watchdog on my computer, install a program which has this technology on it and it shows me how to access the information on the chip my CPU will somehow know and blow itself up. I don't think so. You give too much credit to the PR guys. Either the information can be accessed or it can't. If it can't - then no one else can either. Which makes this technology moot. Use common sense and logic. It is either:

      A. You can access this information (albeit in a specific manner).

      B. Or you can not access this information.

      A program which watches what another program does (Anti-Virus Software anyone?) interrupts whatever the other program is doing to check it. A watchdog program is just doing the same thing. It intercepts whatever the other program is going to do BEFORE it does it, checks it out, and can send that information to a file or the screen. Thus, BEFORE any request goes to the CPU for whatever reason, those commands are intercepted and stored so someone could hack (fairly easily) the command used to access the key information. Once you can do that - the key becomes meaningless because you can then forge the key (captured on output from the CPU by the same program) and make a new disk with this.

      Further, what a lot of hackers used to do (and probably still do) is just to find the JSR to the function which does the check and negate it by either putting in their own routine at the end of the program and JSR'ing to it so it can return the key or just NOP'ing it so it is never called. If the function is supposed to return TRUE or FALSE depending upon whether or not the key passed verification, then you just JSR to a function which pushes a TRUE value onto the stack and return.

      JSR myFunction
      .
      .
      .
      myFunction:
      lda a1,1;
      push;
      return;

      What's so hard about that? Then you just load the program in, disassemble it, and do a global replace on that JSR CheckKey function.

      After all, why try to disable something when you can just go around it? This is a lot like those dongle things. The people who sold the dongles would also include a set of functions which would check the dongle and the dongle would send back the "special" id. (Sound familiar?) The problem is the same with this Trusted Computing PR BS. Remember that rule #1 says:

      "You have to start somewhere."

      It is no different with them. Somewhere, somehow, you have to be able to access the key. You find that and the rest is as easy as eating a donut.

      --
      Someone put a black hole in my pocket and now I'm broke. :-)
    6. Re:DRM by Alsee · · Score: 2, Informative

      I was half-asleep when I wrote this, so forgive me if I'm unclear or repeat stuff. I think I botched the order of some things, there are crucial facts/explanations towards the end that justify earlier parts. Mainly that the Trust chip tracks the program's "identity". Bear with me till the end if some things seem wrong or unsupported.

      power failure in my house or the battery dies in the computer the encryption key will explode

      I've read detailed specs on the external Trusted Platform Modules, not embedded in the CPU. Blackouts are not a problem because of the built in battery. It only takes a trickle of power to maintain that RAM when there's no external power and nothing is running, so the battery is expected to last a couple of years.

      Unfortunately there's *very* little information available of the CPU-embedded Trust chips. Micrographs of the new Intel Prescott CPU show about 20% of the chip used for a second internal Trust CPU, but they are not releasing any data. I guess I assumed they would have the battery deal too, but packaging a battery on a CPU does seem awkward. I can't say for sure how they plan to handle this.

      install a program which has this technology on it and it shows me how to access the information on the chip my CPU will somehow know and blow itself up.

      Such a program is not possible.
      The chip is physically incapable of revealing the master encryption keys no matter what software you run. They are locked inside dedicated circuits with no instructions or physical wiring to access, read, or directly use the master keys. For the most part the master keys are only used to encrypt/decrypt lower-level encryption keys and a handful of other operations. You send an instruction to the Trust circuitry to encrypt/decrypt something and *it* uses the master keys without revealing them to you or to the rest of the CPU.

      As for encrypted music and other files, you can't read them either because you can never get at the lower level keys except with the original program. The Trust circuitry watches the identity of the program that is allowed to read those DRM'd music files and it will only properly decrypt the music's encryption key for that *exact* program. If you run a different program or try to alter the approved DRM music player, the Trust circuitry will see that is not the same software. The Trust circuitry then returns a *different* key, and obviously you can't decrypt the music file with the wrong key.

      Either the information can be accessed or it can't.

      You cannot access the master key, you can only tell the Trust system to use it in certain restricted ways. The file encryption key can only be accessed *within* the CPU, and only by the approved and unmodified DRM program. The file itself can only be accessed using that key, and therefore only by that approved DRM program.

      That program may then re-encrypt the video/sound inside the CPU and send it to the sound card/monitor. The sound card and monitor have their own chips and their own key, so you can't even access the data when it leaves the CPU. Only the sound card and monitor can decrypt it, and those keys never leave the sound card/monitor.

      A program which watches what another program does (Anti-Virus Software anyone?) interrupts whatever the other program is doing to check it.

      New hardware. When there's an interrupt the new program (the watchdog in this case) gets its own key. The first program's data and CPU register values are unreadable under the new key. If the watchdog looks at RAM it sees encrypted garbage. If the watchdog looks at the cache, that's encrypted. If the watchdog tries to look at the old register values, they are either not available or encrypted. And the first program's identity, its key, is hidden in inaccessible circuitry. There is no instruction for the watchdog to read or copy the first program's identity value/key. When the interrupt returns the old program's identity is restored. Note that since

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
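A simplified model of the behaviour described in the comment above, as an added example that is not part of the thread: the storage key is derived from a hidden device secret and the hash of the program image, so a modified player is handed a different key. The HMAC derivation, the function names and all sample data are assumptions of this example, not a description of any real Trust module.

```javascript
const crypto = require('node:crypto');

// Model of the Trust circuitry. The master secret lives only inside this
// closure: callers can ask for operations that use it but cannot read it.
function makeTrustModule() {
  const masterSecret = crypto.randomBytes(32); // constructed device secret
  return {
    // Key handed to a program = HMAC(masterSecret, SHA-256(program image)).
    // Assumption of this example: derivation by HMAC, truncated to 128 bits.
    storageKeyFor(programImage) {
      const measurement = crypto.createHash('sha256').update(programImage).digest();
      return crypto.createHmac('sha256', masterSecret)
        .update(measurement).digest().subarray(0, 16);
    },
  };
}

// Encrypt data under a 128-bit key with AES-GCM (authenticated encryption).
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-128-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ciphertext, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or null when the key does not match the sealed blob.
function unseal(key, blob) {
  const decipher = crypto.createDecipheriv('aes-128-gcm', key, blob.iv);
  decipher.setAuthTag(blob.tag);
  try {
    return Buffer.concat([decipher.update(blob.ciphertext), decipher.final()]);
  } catch (err) {
    return null; // authentication tag check failed: wrong key
  }
}

function demo() {
  const trustModule = makeTrustModule();
  // Constructed stand-ins for the approved player binary and an altered copy.
  const approvedPlayer = Buffer.from('approved player image (constructed)');
  const patchedPlayer = Buffer.from('approved player image (constructed) + one patched byte');
  const track = Buffer.from('constructed audio samples');

  const blob = seal(trustModule.storageKeyFor(approvedPlayer), track);
  const openedByApproved = unseal(trustModule.storageKeyFor(approvedPlayer), blob);
  const openedByPatched = unseal(trustModule.storageKeyFor(patchedPlayer), blob);

  return {
    approvedReadsTrack: openedByApproved !== null && openedByApproved.equals(track),
    patchedReadsTrack: openedByPatched !== null,
    keysDiffer: !trustModule.storageKeyFor(approvedPlayer)
      .equals(trustModule.storageKeyFor(patchedPlayer)),
  };
}

console.log(demo());
```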
    7. Re:DRM by Audacious · · Score: 1

      I felt I had to make two responses. Mainly to try to show you where your logic is off (if possible). I'm going to include tag lines from your message and show you why it will not work like you think it is going to work (or they say it is going to work).

      Blackouts are not a problem because of the built in battery. and I guess I assumed they would have the battery deal too, but packaging a battery on a CPU does seem awkward. I can't say for sure how they plan to handle this.

      Answer: Batteries generate magnetic fields which would make a CPU useless or the CPU so clunky that it is highly unlikely that they will even bother with this. Further, if they build something in which destroys the DRM stuff there is always the chance that it might kill someone or harm them. One multi-million dollar lawsuit and Intel would abandon DRM.

      Such a program is not possible.

      Answer: Debuggers do this so why would it suddenly become impossible?

      The chip is physically incapable of revealing the master encryption keys no matter what software you run.

      Answer: I do not need to know the master keys in order to just get around them.

      They are locked inside dedicated circuits with no instructions or physical wiring to access, read, or directly use the master keys.

      Answer: It is possible to not be able to get to the master keys directly. But they still have to be accessible. So if you wanted to know what the master keys were all you have to do is to figure out how to make the CPU give you the same answer over and over. Then you build up an array of what you get when you send just "A", "B", "C", and so on.

      For the most part the master keys are only used to encrypt/decrypt lower-level encryption keys and a handful of other operations.

      Answer: Ok. So you can interoperate with the master keys - only in a second hand way. No problem so far. This "handful of other operations" wouldn't happen to include such things as sending the encrypter a code and being able to read what that value was are they? If so you've just opened the door for the hacker to get in and figure out the master key.

      You send an instruction to the Trust circuitry to encrypt/decrypt something and *it* uses the master keys without revealing them to you or to the rest of the CPU.

      Answer: Don't need to know the master keys. Just how to access them.

      That program may then re-encrypt the video/sound inside the CPU and send it to the sound card/monitor. The sound card and monitor have their own chips and their own key, so you can't even access the data when it leaves the CPU. Only the sound card and monitor can decrypt it, and those keys never leave the sound card/monitor.

      Answer: Ah! This is getting to the good stuff. Ok, somehow the sound card (which has its own, special master key) can understand what the master key encoded on the CPU has given it. (Even though the CPU's encryption is supposed to be secure and unreadable. Which is where the ambiguities begin. After all if the CPU encrypted something and the encryption is unbreakable then how is the sound card/monitor going to break it to know what it says? Don't tell me - let me guess. It's got some kind of hardwired thing that makes it impossible to otherwise break the code. Right? Wrong. Hardware is just software given form when you are talking about computers. So if they can do it in hardware you can do it in software.) Ok, so forging ahead - they must have some way to communicate this information. But more importantly, the OS probably talks to the sound card/monitor, then to the CPU, and then back to the sound card/monitor. This gives us our opening to begin seeing how this is done. Which means our watchdog can gather up all of this code and give it to us. This is because the information doesn't just magically fly from one place to the other it has to follow a given route. Since there are no wires directly connecting

      --
      Someone put a black hole in my pocket and now I'm broke. :-)
    8. Re:DRM by Alsee · · Score: 1

      Yes I am a programmer and yes I've programmed in assembly and yes I've used debuggers. I have been reading the Trusted Computing Group's technical specifications, documentation and research papers from IBM and HP and Intel and numerous companies, as well as research from universities.

      The fact that you are familiar with assembly language and CPUs will be a big help - usually I need to avoid getting technical. However you do not appear to be adequately familiar with asymmetric public key cryptography (PKI) and signatures and what they allow. If you are familiar with PKI, well, you clearly overlooked it in several places in your post. If you're not well familiar with PKI then you need to Google and read up on it.

      Ah! This is getting to the good stuff. Ok, somehow the sound card (which has its own, special master key) can understand what the master key encoded on the CPU has given it.

      Yes, using public key encryption (PKI). Snoop all you like, you can't decrypt the video data. I'll walk you through it;

      The CPU has a private key which never leaves the chip, and a public key you can see. The soundcard has a private key which never leaves the chip, and a public key you can see. The CPU's public key is signed by the manufacturer. You cannot fake that signature. The sound card's public key is signed by the manufacturer. You cannot fake that signature. The manufacturer's signatures are both signed by the Trusted Computing Group's private key, you cannot fake that signature. So:
      (1) The sound card and CPU exchange public keys and signatures. You are free to watch this and record the data.
      (2) The sound card and CPU each look at the data they received and validate the Trusted Computing Group's signature, they now know the manufacturer public key they got was valid.
      (3) They then use the manufacturer public key to validate the signature on the chip public key. They now know they were given a valid chip public key.
      (4) One of them (let's say the CPU) then generates a 128 bit symmetric key for encrypting data. This is the session key. This is inside the CPU, you can't see it.
      (5) The CPU encrypts the session key using the sound card's public key and sends it out. You are free to watch this and record the data.
      (6) The sound card then decrypts the session key using its private key. Both chips know the secret session key for all future data.

      You got to watch all of the data fly back and forth, but all you saw was public data and an encrypted session key. You can't read that session key without the secret PRIVATE key. Without the session key you cannot decrypt any of the video data.

      PKI magic, you get to see everything but you can read nothing.

      Debuggers do this so why would it suddenly become impossible?

      As I said, NEW HARDWARE.
      I am quite aware that on current hardware a debugger can access anything and everything. However on the new hardware there is no CPU instruction for reading certain keys. There are no instructions for assuming another program's identity.

      One of the ADVERTIZED features of Microsoft's Next Generation Secure Computing Base (Palladium) is "strong process isolation". This means that when a program requests a secure "memory compartment" that no other program can read that compartment, not a debugger, not even the operating system itself. The memory is reserved for that program and that program alone. The most the operating system can do is wipe and free that memory.

      This process isolation can be achieved in different ways. The "lesser" way is for the hardware to simply grant/deny access to certain segments of RAM based on a process ID. And remember there are no CPU instructions for directly manipulating this ID value - the value is generated by hardware when the process is spawned, the current ID is changed by hardware when an interrupt occurs, and the old ID is restored by hardware when the interrupt retur

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    9. Re:DRM by Anonymous Coward · · Score: 0

      TCPA's TPM implementation has already been cracked. The crack requires physical access, but is economical, non-destructive, and repeatable for both internal and external modules. The crack will, sooner or later, be commercially available, although possibly illegal in your jurisdiction. I am contractually obliged not to give further details at this time.

    10. Re:DRM by Audacious · · Score: 1

      Ok. I'm going to start an outline so we can go through this together. This is just an outline we can expand upon. :-)

      1. I put a CD into my CD reader
      2. The OS detects the CD
      3. The OS starts the CD reader
      4. The CD reader talks to the CD Drive and gets the key.
      5. The CD reader talks to the CPU and gets that key and does whatever it wants to with it.
      6. The CD reader talks to the speaker and gets that key and does whatever it wants to with it.
      7. The CD reader verifies everything and begins sucking in the file/music to play.
      8. The music plays on the speakers

      Can you agree that this is how the key system is going to work in this case? Or if you want to do music downloading make up a list like the above and then we can talk about each step.

      Also, One of the ADVERTIZED features of Microsoft's Next Generation Secure Computing Base (Palladium) is "strong process isolation". Microsoft says a lot of things which aren't true. I'd take this with a large grain of salt. After all, the OS has to know where this is otherwise it would just reuse the memory and thus wipe it out.

      And when you say The system is *INSANE*. - you are right. The blather they put out is just that - blather, PR, spin. Something meant to fool everyone into believing the system is impregnable so their sales go up. But it can never be. They can make it harder to break the system - but it is never going to be unbreakable. Ever. They are, basically, fighting against themselves. Because when they make the machine faster they try to make the codes harder which usually involves just making the codes bigger (as in going to a 2048 byte length) which slows everything down again.

      Anyway, check out the list above and let me know.

      Later! :-)

      --
      Someone put a black hole in my pocket and now I'm broke. :-)
    11. Re:DRM by Alsee · · Score: 1

      repeatable for both internal and external modules

      When you say "internal", would that include a TPM embedded within the CPU itself? My huge worry is that Intel is ALREADY shipping chips with at least a preliminary version of an embedded Trust processor, as seen in Prescott micrographs. Would it still work with the initial Trust Measurement code within the CPU itself? Would it still work if code and data were to be encrypted (and secured by encrypted hash) before leaving internal cache and sent to external RAM? I don't know if the Trusted Computing Group has considered this secured RAM step, but I did read a detailed research paper on it.

      As far as I can see the available avenues of attack rely on getting at that initial Measurement code, falsifying data flow between the CPU and TPM, being able to modify (or at least read) RAM, connecting a cooperative CPU to the TPM, or physically digging keys out of TPMs one by one.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    12. Re:DRM by Alsee · · Score: 1

      when they make the machine faster they try to make the codes harder which usually involves just making the codes bigger (as in going to a 2048 byte length)

      Public key cryptography (asymmetric keys) inherently requires much bigger keys. A 2048 asymmetric key is about the same strength as a 128 bit normal symmetric key.

      which slows everything down again

      Yes, 2048 bit asymmetric keys are very very slow. This is why they don't try to encrypt actual data under them. They are only used to encrypt the 128 bit normal keys.

      the OS has to know where this is otherwise it would just reuse the memory and thus wipe it out.

      Yes, the OS knows "where" the memory compartments are and can allocate/deallocate them. It is just physically incapable of reading or altering the contents of the compartment. Think of it like existing memory no-execute flags or existing memory banking techniques. The difference is that access is restricted by program ID, and there is no direct software control of that ID value. Only instructions to spawn an ID'd process, interrupt/pause such a process, return/restore such a process, or to terminate that process and free the compartment.

      It needs new hardware, but it really isn't that different than existing techniques and hardware.

      Actually I'm speculating a bit on the method. They have documented that they *will* be using some sort of memory compartments, but have not released details on the implementation. The method I described I read in a research paper, but it clearly is at least one way to effectively implement such compartments.

      music downloading make up a list like the above

      Yes, downloading is much more the intended purpose. There's actually a huge number of low level steps, just ask and I can give a more detailed breakdown.

      (1) You contact an RIAA music sales server and provide your system credentials. These credentials include secure signatures chaining back to the Trusted Computing Group's root key, and a public key. They also contain a signed hash bound to and identifying the currently running program.
      (2) RIAA server verifies the chain of Trust for those keys. That chain effectively indicates that the public key you sent was generated inside a genuine Trust Module and that the matching private key is secure inside that module and bound to the hash bound to the DRM program they wrote.
      (3) The RIAA generates a random 128 bit session key (different for every sale) and encrypts the music using that key.
      (4) The RIAA encrypts the session key using the public key you sent (the one bound to the hash of the currently running program they wrote).
      (5) RIAA sends the encrypted music and the encrypted session key.
      (6) Only the program with the EXACT hash can use the private key inside your Trust Module to decrypt the session key, so their DRM program decrypts the session key.
      (7) That DRM program decrypts the music using that session key, then immediately re-encrypts it with its own storage key (this storage key was generated during installation and is bound to its own hash).
      (8) You want to play music. That DRM program talks to the sound card and exchanges a session key with the sound card chip, much like the above process and just like I said last post.
      (9) That DRM program loads the encrypted music from disk and decrypts it with its storage key, it then reencrypts it with the soundcard session key.
      (10) Encrypted music is sent to the sound card and decrypted there.

      Only public keys and authentication signatures are ever exchanged in the clear. Everything else is encrypted with session keys that only exist in the clear inside a Trusted chip.

      There just aren't any software attacks. You either need to crack "military grade" encryption, or you need to do a hardware hack. Hardware attacks are fairly easy if Trusted Platform Modules are simply attached to the motherboard and external to the CPU. Once the Trust Module is moved inside the CPU itself even physical at

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    13. Re:DRM by Audacious · · Score: 1

      Ok. Finished reading everything. Here goes:

      I am inserting the following:

      0. I boot up my computer.
      0a. I load in my OS.
      0b. I load in my watchdog program.
      0c. I log on to the network.

      (1) You contact an RIAA music sales server and provide your system credentials. These credentials include secure signatures chaining back to the Trusted Computing Group's root key, and a public key. They also contain a signed hash bound to and identifying the currently running program.

      1a. I do not use my system's credentials. I use my forged system credentials I got from my other system via my watchdog program. I do this by capturing all i/o over the network on another machine. Since cpus are fairly cheap - I will probably be able to buy one or two of them for this project. My system is never known to the RIAA. Please note: I am not trying to crack/decode the keys
      1b. Please note also that there is at least one piece of hardware you can buy, right now, off the shelf, which will monitor all traffic on your network and store it for later processing. (So this isn't being made up. It is for real.) Also note that at least one of these devices has the capability to allow a person to modify incoming/outgoing messages.
      1c. I am spoofing the RIAA's website with another computer's id as well as hash. I can do this because I've already captured what needs to be sent back over the internet. My computer's DRM hardware is never notified about anything. That is because I intercept any/all requests to the DRM via my watchdog program. I specify that if command X is ever attempted that my watchdog program instead issues an interrupt and passes command back to me. Since the command was never executed the DRM can not be activated and instead, I can then tell the watchdog to send a different set of commands instead (ie: the previously captured information).

      (2) RIAA server verifies the chain of Trust for those keys. That chain effectively indicates that the public key you sent was generated inside a genuine Trust Module and that the matching private key is secure inside that module and bound to the hash bound to the DRM program they wrote.

      2a. Actually, they THINK I am a trusted computer. Sadly, I'm not. :-(

      (3) The RIAA generates a random 128 bit session key (different for every sale) and encrypts the music using that key.

      3a. Ok. First, it can't be VERY random because the chips on my system have to be able to decrypt the thing. If it were totally random garbage no one would be able to decrypt it. Which would make it totally useless. So let's throw out the word "random" and instead stick in "algorithmically created". Ok - now an algorithm might be really hard to decipher - but it can be done. Just like the Beale Codes.

      (4) The RIAA encrypts the session key using the public key you sent (the one bound to the hash of the currently running program they wrote).

      4a. Actually, they encrypt the session key using the public key I wanted to send. Making my job of breaking their encryption easier.

      (5) RIAA sends the encrypted music and the encrypted session key.

      5a. Great! Thanks for both of those! :-)

      (6) Only the program with the EXACT hash can use the private key inside your Trust Module to decrypt the session key, so their DRM program decrypts the session key.

      6a. Actually, no. Any program which does not even use the DRM calls can use the data. But you feel that someone would not be able to decode the DRM'd data. This just isn't true. The initial time to decode the music may take longer but it still can be done. And whoever said hackers wouldn't take the time to do the decoding? After all, didn't they just recently show that even using nobrainer techniques to just crunch the possibilities of a 128 bit encrypted message only took them three days to circumven

      --
      Someone put a black hole in my pocket and now I'm broke. :-)
    14. Re:DRM by Alsee · · Score: 1

      Ok, I see where you're getting lost. You don't know what public key cryptography is and what it does. I mentioned before that you need to know about it, but I wasn't clear. To talk about the Trust system at all you NEED to understand public key cryptography. It is the entire foundation of the Trust system. It does things that normal cryptography can't do. That's why my post seems to fall apart to you, you are completely missing all of the public key / private key steps and connections.

      Normal cryptography uses symmetric keys - the same key to encrypt and to decrypt. I encrypt a file with the password FOO, I send you the file, and you use the password FOO to decrypt it. Anyone who learns the password FOO can read the file. However that is *not* what happens in Trusted Computing, at least not at the top level.

      Public key cryptography uses a PAIR of keys - one key to encrypt and a different key to decrypt. Asymmetric, different in each direction. A key pair consists of a public key and a private key. Lets say the public key is BAR and the private key is BAZ. Everyone gets to know the public key, BAR. You only need to keep BAZ, the private key, a secret. Using some fancy math you can generate BAR and BAZ at the same time, as a pair. However someone who only knows the public key (BAR) has no way to figure out the other half (BAZ). Anyone who knows the public key can encrypt messages, but those messages cannot be decrypted without the secret private key BAZ.

      Let me take a side trip for a second:

      3a ...let's throw out the word "random" and instead stick in "algorithmically created".

      No, random means random. Not an algorithm. Not a software pseudo-random number generator. I'm talking HARDCORE random. They are insanely paranoid about security. When they generate a random 128 bit session key they use an on chip source of physical quantum mechanical noise. As random as random gets.

      Ok, let's review the numbered steps but I'll condense it to focus on the public key aspect:

      (1)(2) You send credentials and a PUBLIC key. The credentials certify that the PUBLIC key is paired with a PRIVATE key inside a genuine Trust Module.
      (3) They generate a random session key...
      (4) ...and encrypt it using the PUBLIC key you gave them.
      (5) They send you the encrypted session key.
      (6) The Trust Module decrypts the session key using its secret PRIVATE key - inside the chip.

      You got to watch this entire exchange, but you can't decrypt the session key because you don't know the required PRIVATE key. Now the RIAA and your chip share a secret session key. Now they can talk to each other locked under the session key and you can't read anything else they say.

      The music is locked under a session key which is locked under a PRIVATE key which is locked inside a genuine Trust chip.

      4a. Actually, they encrypt the session key using the public key I wanted to send. Making my job of breaking their encryption easier.

      It's no help. You can't forge credentials, and if you copy credentials from another chip it just means they encrypt the session key using that chip's PUBLIC key. You'd still need that chip's PRIVATE key to decrypt the session key. You've gained nothing.

      6a. Actually, no. Any program which does not even use the DRM calls can use the data.

      The chip will only perform the session key decryption for the software with that exact hash. The chip is the only one with the PRIVATE key required to do it at all.

      didn't they just recently show that even using nobrainer techniques to just crunch the possibilities of a 128 bit encrypted message only took them three days to circumvent?

      Based on a Google search: key crack "three days" I'd wager you're thinking of the 56 bit DES crack. I can guarantee that no one has crunched a 128 bit key.

      A 56 bit key has 72

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
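The signed-key chain and session-key wrap that Alsee walks through in comments 8, 12 and 14, including the copied-credentials case from comment 14, as an added example that is not part of the thread. Node's built-in crypto stands in for the chips and the server; every key pair, function name and the "certificate" layout are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const newKeyPair = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// A "certificate" here is just a public key plus the issuer's signature over it.
function issue(issuerPrivateKey, subjectPublicKey) {
  const subjectPem = subjectPublicKey.export({ type: 'spki', format: 'pem' });
  const signature = crypto.sign('sha256', Buffer.from(subjectPem), issuerPrivateKey);
  return { subjectPem, signature };
}

function signedBy(issuerPublicKey, cert) {
  return crypto.verify('sha256', Buffer.from(cert.subjectPem), issuerPublicKey, cert.signature);
}

// Validate root -> manufacturer -> chip; return the chip public key or null.
function validateChain(rootPublicKey, credentials) {
  if (!signedBy(rootPublicKey, credentials.manufacturer)) return null;
  const manufacturerKey = crypto.createPublicKey(credentials.manufacturer.subjectPem);
  if (!signedBy(manufacturerKey, credentials.chip)) return null;
  return crypto.createPublicKey(credentials.chip.subjectPem);
}

// Fresh random 128-bit session key, wrapped under the validated chip public key.
function wrapSessionKey(chipPublicKey) {
  const sessionKey = crypto.randomBytes(16);
  const wrapped = crypto.publicEncrypt({ key: chipPublicKey, ...OAEP }, sessionKey);
  return { sessionKey, wrapped };
}

// Only the holder of the matching private key gets the session key back.
function unwrapSessionKey(privateKey, wrapped) {
  try {
    return crypto.privateDecrypt({ key: privateKey, ...OAEP }, wrapped);
  } catch (err) {
    return null; // wrong private key: OAEP decoding fails
  }
}

function runScenario() {
  const root = newKeyPair();         // stands in for the root signing key
  const manufacturer = newKeyPair();
  const chip = newKeyPair();         // private half stays "inside the chip"
  const observer = newKeyPair();     // a key pair held outside the chip

  const genuine = {
    manufacturer: issue(root.privateKey, manufacturer.publicKey),
    chip: issue(manufacturer.privateKey, chip.publicKey),
  };
  // Credentials for the observer's own key, signed without the manufacturer key.
  const selfSigned = {
    manufacturer: genuine.manufacturer,
    chip: issue(observer.privateKey, observer.publicKey),
  };

  const server = (creds) => {
    const chipKey = validateChain(root.publicKey, creds);
    return chipKey ? wrapSessionKey(chipKey) : null;
  };

  const honest = server(genuine);
  const replayed = server(genuine);  // captured credentials presented again
  return {
    chipRecoversKey: unwrapSessionKey(chip.privateKey, honest.wrapped).equals(honest.sessionKey),
    selfSignedAccepted: server(selfSigned) !== null,
    replayAccepted: replayed !== null,
    observerRecoversKey: unwrapSessionKey(observer.privateKey, replayed.wrapped) !== null,
    freshKeyPerSession: !honest.sessionKey.equals(replayed.sessionKey),
  };
}

console.log(runScenario());
```

The replayed credentials pass validation, but the session key comes back wrapped for the original chip's public key, so the party replaying them still cannot unwrap it.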
    15. Re:DRM by Audacious · · Score: 1

      Actually - no. I know about public/private key encryption. But you do seem to ignore my saying I only need to figure out how to replicate what the DRM is doing on my system and then I stop using it.

      The idea is not to go through the DRM, but around it.

      Random: Nonsense. Nothing in the universe is random. It may seem random to you but it is not random. Even using Quantum Physics - it isn't random. It is though, algorithmic. Again, meaningless garbage is just that - meaningless. Both to DRM as well as to anyone else. And any algorithm they come up with can be broken. The question in security is not IF something can be broken but HOW LONG it takes to break it.

      2048! This is the number of combinations/permutations available if you did 2048*2047*2046.... For each machine added, you can divide up the number. So if there are 2048*10^22 for one machine, it would be 1024*10^22 for two machines and so forth. Also, the machines used at the time of the test were (I believe) 800mhz systems and not the 3GHz or better systems used today. So 100 3GHz systems are (somewhat) equivalent to 400 1GHz systems. So yes - it would take a while but no - it isn't impossible to do. Also, there are short cuts you can take that can help to decode something. I'm not saying it will take five minutes - but you can reduce the number of permutations needed to be tried. The test used brute force methods. That is why the recommendation was to go to 256 or 512 bit encryptions because the people felt that 128 bit encryption would soon be broken as well.

      I believe the biggest problem we have (presently) is agreeing on random versus algorithm. Here is my argument:

      Totally random would equate to not being able to use the information because each time it changes and you would have no basis to determine what the information was that was coming over to you. Thus, the information would be meaningless.

      Algorithms can cause information to look as if it were random garbage but it isn't. By increasing the overall size of a key you can introduce more garbage to throw off someone but it is still an algorithm. Such examples are PGP, image information encoding, and the make believe DRM. All of these use algorithms to encrypt or encode important information (such as a public key). Public keys can be given out because, for the most part, the private key is needed in order to decrypt or decode the incoming message. Still, in order for the whole thing to work - there has to be an algorithmic method behind it. Whether that method has been embedded into a silicon wafer using electronic voltages or whether they are using Quantum Mechanics makes no difference. There has to be a way (ie:algorithm) to read this information so sense can be made of what the other person is trying to do.

      Until we can get past this point there is no reason to continue the rest of the conversation.

      --
      Someone put a black hole in my pocket and now I'm broke. :-)
    16. Re:DRM by danknight · · Score: 1

      Well I agree but (and I didn't think of this before) AFAIK VCII has not been cracked, and DirecTV's new access card has yet to have a publicly announced crack and there is a lot of money riding on that one.

      --
      wanted: one clever sig,apply within
    17. Re:DRM by Alsee · · Score: 1

      Random: Nonsense. [] Even using Quantum Physics - it isn't random.

      This is a totally irrelevant tangent, but essentially every physicist on earth says you're wrong. Quantum mechanics *DOES* inherently involve unpredictable and non-algorithmic randomness. This is exactly what prompted Einstein's famous objection that "God does not play dice with the universe".

      But as I said, it is irrelevant. For our purposes merely tossing a coin is "random" in that no one can predict or use results unless I somehow tell them the results. Keys can be generated randomly. Both the session key and private key are random.

      -------

      you do seem to ignore my saying I only need to figure out how to replicate what the DRM is doing on my system

      I have not ignored your statements. I have repeatedly explained that you CANNOT replicate what the DRM is doing unless you know the key it is using. You either need to (a)copy the key or (b)"crack" the key.

      (a) Copying the key requires digging it out of a self-destructing microchip. I acknowledge this route exists. You have not pursued this avenue, thus I presume you acknowledge the difficulty involved.

      (b) As you said, cracking a key is not a question of "IF something can be broken but HOW LONG it takes to break it". You just don't have any grasp of the math involved. It would require millions of years EVEN IF YOU USED EVERY COMPUTER ON EARTH, as I will detail below.

      I'd rather not attempt to explain the math behind complex 2048 bit keys when you don't even get the math involved in the normal 128 bit keys, so let's stick with the small 128 bit keys.

      What would it take to crack a normal 128 bit key?

      (1) It took 3 days to crack a 56 bit key using $50,000 worth of custom hardware (it cost them $220,000 to build, but you could copy it for $50,000).
      (2) You want to "divide up the number" across multiple computers. Let's assume you use 16 million times as much hardware. I'm GIVING you 838 BILLION DOLLARS worth of hardware, a free gift. Divided 16 million ways gets you another 24 bits, good for cracking an 80 bit key in three days.
      (3) You want to use faster machines. Ok, let's assume I GIVE you magic computers that are 16 MILLION times faster. Another free gift. 16 million times faster gets you another 24 bits, good for cracking a 104 bit key in three days.
      (4) Obviously you can spend more than three days on the project. Let's assume you work 16 million times as long. That gets you another 24 bits, finally enough to crack a 128 bit key.

      So even with a free gift of almost a trillion dollars in hardware and a free gift of magically fast hardware, you still need to spend 137 thousand years of time to crack a 128 bit key!

      You're actually going to want to go after the 2048 bit key, but it is comparably as difficult as cracking the 128 bit key.

      There has to be a way (ie:algorithm) to read this information so sense can be made of what the other person is trying to do.

      Yes, if you already know the private key or manage to calculate the private key then everything falls into place. You can then algorithmically read the encrypted random session key and use that to algorithmically read the encrypted music.

      There *is* an "algorithmic" link between the public key and private key pair. Creating a public key using the private key is fast and easy. Barring an earth-shattering mathematical breakthrough, it simply isn't realistically possible to do the reverse - to calculate the private key based on the public key. It would require insane timescales EVEN USING EVERY COMPUTER ON EARTH.

      You cannot realistically calculate the private key, thus you cannot read the session key. You cannot realistically calculate the session key, thus you cannot read the music.

      There are some very smart people working on Trusted Computing. People who know cryptography FAR better than you do. There are some very rich companies spending a fortune to roll out Trusted Computing exactly because it is not attackable in the way you want to attack it. The only real attack is a hardware attack, and if they put the Trust Chip inside the CPU then it is extraordinarily difficult to make a physical attack.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
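The scaling argument in the comment above (a 56 bit key in three days, each factor of 16 million buying 24 more bits), as an added example that is not part of the original thread. It runs a real exhaustive search over small constructed key spaces to show the work doubling per key bit, then applies the comment's figures; the function names, the SHA-256 check value and the sample message are assumptions made for the illustration, and "16 million" is taken as 2^24.

```python
import hashlib
import math

# Figures quoted in the comment above.
BASELINE_BITS = 56           # key size that was searched
BASELINE_DAYS = 3.0          # time that search took
BASELINE_COST_USD = 50_000   # cost to copy the custom hardware
FACTOR = 2 ** 24             # the comment's "16 million" (16,777,216)

# Constructed sample data for the small search below.
SAMPLE_MESSAGE = b"constructed sample block"


def check_value(key: int, bits: int, msg: bytes) -> bytes:
    """Toy keyed check (SHA-256 of key || msg); stands in for 'decrypt and test'."""
    width = (bits + 7) // 8
    return hashlib.sha256(key.to_bytes(width, "big") + msg).digest()


def exhaustive_search(target: bytes, bits: int, msg: bytes):
    """Try every key of the given size in order; return (key, trials used)."""
    for key in range(1 << bits):
        if check_value(key, bits, msg) == target:
            return key, key + 1
    return None, 1 << bits


def worst_case_trials(bits: int) -> int:
    """Run a real search in which the secret is the last key tried."""
    secret = (1 << bits) - 1
    target = check_value(secret, bits, SAMPLE_MESSAGE)
    found, trials = exhaustive_search(target, bits, SAMPLE_MESSAGE)
    if found != secret:
        raise RuntimeError("search did not recover the constructed key")
    return trials


def bits_gained(factor: float) -> float:
    """Extra key bits covered by multiplying total work by `factor`."""
    return math.log2(factor)


def days_to_search(key_bits: int, hardware_factor: int = 1,
                   speed_factor: int = 1) -> float:
    """Scale the comment's baseline: the key space grows by 2 per bit,
    while hardware count and speed divide the time linearly."""
    ratio = 2 ** (key_bits - BASELINE_BITS)
    return BASELINE_DAYS * ratio / (hardware_factor * speed_factor)


def hardware_cost_usd(hardware_factor: int) -> int:
    """Cost of `hardware_factor` copies of the baseline machine."""
    return BASELINE_COST_USD * hardware_factor


if __name__ == "__main__":
    # Measured: each added key bit doubles the trials a full sweep needs.
    for bits in (8, 12, 16):
        print(f"{bits:2d}-bit key: {worst_case_trials(bits):6d} trials")

    # Modelled: the comment's four steps.
    print(f"bits per factor of 2^24: {bits_gained(FACTOR):.0f}")
    print(f"hardware gift: ${hardware_cost_usd(FACTOR):,}")
    print(f" 80-bit, 2^24x hardware: {days_to_search(80, FACTOR):.1f} days")
    print(f"104-bit, plus 2^24x speed: "
          f"{days_to_search(104, FACTOR, FACTOR):.1f} days")
    years = days_to_search(128, FACTOR, FACTOR) / 365.25
    print(f"128-bit, same gifts: {years:,.0f} years")
```
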
    18. Re:DRM by Audacious · · Score: 1

      Ok. I give up! :-)

      I know that (from the calculations) a 2048 key making 128 bit encryptions is 1.36054607784341261505197379778e+5472 (courtesy of MS's sci-calc). But that is the number of permutations and not the number of combinations which, when groups of these are put to one machine, begins to drop to the possible well below 16 million machines.

      So I do believe it will be cracked and most probably before six months are up. But let's wait and see. If you are completely correct and no one can get around it I will be more than happy to say so to whomever you wish me to do so. But if they do - then we will have to find out how they went about doing it. I believe they will use an algorithm to do so without the need for new hardware. But that remains to be seen.

      In any event - that is it for me on this subject. Later!

      --
      Someone put a black hole in my pocket and now I'm broke. :-)
  7. Re:If people would just stop stealing... by Dutchmaan · · Score: 3, Insightful

    ...and if corporations would sell things for their real value people wouldn't feel compelled to steal because we would have pretty much everything we could ever want...

  8. I agree with Phillips... by Glock27 · · Score: 5, Insightful

    Any CD that's copy protected shouldn't be called a CD. Simple enough...

    --
    Galileo: "The Earth revolves around the Sun!"
    Score: -1 100% Flamebait
    1. Re:I agree with Phillips... by Anonymous Coward · · Score: 5, Informative

      The ones that break the redbook standard aren't called CDs (except by retailers). Look on the case, you won't find the Compact Disc logo on it.

    2. Re:I agree with Phillips... by McDutchie · · Score: 1

      FYI, that's Philips with one "l". The two-l'ed one is a different beast altogether.

    3. Re:I agree with Phillips... by Glock27 · · Score: 1

      Thanks for the correction...I posted without checking. :-)

      --
      Galileo: "The Earth revolves around the Sun!"
      Score: -1 100% Flamebait
  9. Direct Matches schizophrenic behaviour by tglx · · Score: 1

    The regulators fight against market domination and the politicians influenced by those dominant companies want to legalize software patents. tglx

  10. If we chose not to buy it.... by Anonymous+Luddite · · Score: 5, Insightful

    this wouldn't be around for very long. I doubt that's how it will work out, though. :-(

    ..."Contraband" by Velvet Revolver, a band newly formed by ex-members of Guns N' Roses and the former frontman of the Stone Temple Pilots, became a best seller in June despite heavy copy protection and a warning on the packaging.

    (above excerpt from the USA today article.)

  11. We need balance back in the system by speedfreak_5 · · Score: 5, Insightful

    How about this?

    Set the copyright system back to the default 14+14 years. If the record companies decide to use DRM on their stuff, make it illegal for them to apply for the 2nd 14 years. That way people can make backups of their stuff unhindered by sh*tty copy protection, and they get to make a little more money.

    -=OR=-

    Let them keep their Life+70 terms and DRM. In turn file sharing must be legalized and royalty-free sampling and public performance made legal for everyone who buys a CD.

    --
    Why yes I am paranoid! Thanks for asking!
    1. Re:We need balance back in the system by spuzzzzzzz · · Score: 1

      And what are the chances of that ever happening? In order to change laws, you need money for big campaign contributions. Who's going to donate to reduce IP rights? Certainly not any big corporations.

      --

      Don't you hate meta-sigs?
  12. That may be the point by Anonymous Coward · · Score: 0

    It may be the point.

    Tech industry hates DRM.
    Microsoft has monopoly in DRM.
    One crack, and everyone can copy music.
    P2P creators love it.
    !! profit !!

  13. Oh...then its a good thing by helmespc · · Score: 3, Funny

    I ripped a copy to my hard drive before it rendered itself unplayable.

  14. Previous judgement by dago · · Score: 3, Informative

    I don't have time to search, but the consumer union UFC/Que Choisir previously won against record companies selling copy-protected CDs...

    I guess this is some followup to this judgment

    --
    #include "coucou.h"
    1. Re:Previous judgement by Anonymous Coward · · Score: 2, Informative

      The judgement you are mentioning was about the fact that a "copy-protected" CD did not mention in any way this protection.

      The judgement was not at all about the fact that this "protection" took away the possibility for the user to make legitimate copies for his own (family) usage (which, in France, is accepted by the law even if it's not considered a right in the strictest sense).

      This investigation is all about fair use, and if it is won by the consumers (through UFC/Que Choisir) this may be a great victory :o)

  15. Analog copying by cbr2702 · · Score: 1

    An analog signal is necessary only for the step directly between the machine and us. Everything prior to that step, extending even to the speakers can be made digital and DRM'd. The increased quality of digital signals will push analog devices out of the market, and if MS, the *AA, etc. have their way, digital devices will be locked down with strong encryption-based DRM. So perfect DRM is possible, and by the time it comes analog copying will no longer be possible.

    </paranoia>

    --


    This post written under Gentoo-linux with an SCO IP license.
    1. Re:Analog copying by Anonymous Coward · · Score: 0

      When analog devices are outlawed, only outlaws will have analog devices.

      semi-serious

    2. Re:Analog copying by dgatwood · · Score: 4, Insightful
      Never going to happen, for two reasons:

      1. We will never see audiophiles agreeing to replace their multi-thousand dollar speakers.
      2. There's no such thing as a digital speaker. They are, by their very nature, an analog device. An analog waveform causes the cone to move. Therefore, at the point where the signal enters the speaker's voice coil, it must, by necessity, be an analog signal. It takes a dollar's worth of hardware to adapt an 8 ohm impedance speaker signal into a line level input.
      If you can change the laws of physics to make a digital speaker possible, you -still- haven't solved the problem. Buy a good microphone, put it in front of a good (hypothetical) digital speaker. Record. What? You've made microphones illegal somehow? Well, I guess the recording industry won't be making any more recordings, either....

      The only way it would be possible to remove the analog hole would be to remove the human being from the mix---hardwire it into your brain somehow. I know I won't be the first to sign up if they try that.... Maybe it's just me....

      (Mutters something about always mounting a scratch monkey.)

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    3. Re:Analog copying by st1d · · Score: 1

      We will never see audiophiles agreeing to replace their multi-thousand dollar speakers.

      Nope, but these people aren't the targets, either. Real audiophiles (the psychotic ones, not the ones that are wannabes) buy masters, not CDs.

      There's no such thing as a digital speaker. They are, by their very nature, an analog device. An analog waveform causes the cone to move. Therefore, at the point where the signal enters the speaker's voice coil, it must, by necessity, be an analog signal. It takes a dollar's worth of hardware to adapt an 8 ohm impedance speaker signal into a line level input.

      Sure, now, but there are most certainly digital speakers and microphones, and you can bet your tail Sony and so on aren't going to leave a loophole like this open for too long. Once people adapt to DRM, analog speakers and mics will start to disappear from the market, as they'll simply remove the analog jacks from equipment (in the name of "quality"). Before long, it will be too much of a hassle to try and go around it, so either the encryption needs to be broken (illegal under DMCA-type laws), or people just need to accept it.

      --
      Microsoft has just released their much anticipated hands-free cordless mouse. Warning, it may hurt a little at first.
  16. Experience with Fnac by spaceyhackerlady · · Score: 5, Informative

    I recently bought a CD from Fnac - "Face A/Face B" by Axelle Red. It says right on it that it incorporates copy-protection technology, though it also carries the official CD logo.

    The results:

    Linux: plays.

    Windows: loads their CD player without asking, crashes system.

    Car CD player: plays.

    Portable Discman-style CD player: doesn't play. Each track plays about 9 seconds in then gets stuck in a loop skipping back a couple of seconds.

    "My name is L...Laura..."

    Sorry. Friday afternoon. A bit punchy.

    ...laura

    1. Re:Experience with Fnac by houghi · · Score: 1

      I recently bought a CD from Fnac - "Face A/Face B" by Axelle Red. It says right on it that it incorporates copy-protection technology, though it also carries the official CD logo.

      I just bought the CD from Anastesia that has some Windows software on it and a sticker that it is 'pre ripped for the PC' whatever that means.

      No problem whatsoever to make mp3 files under Linux. The poor Windows user has to use the shift key to not launch software. Official Software CD's have been known to hit the stores with a virus on it. It is only a matter of time that a music CD will have a virus on it.

      Who will I then be calling for claims of data loss, because I was under the impression to be putting in a music CD and not a data CD?

      --
      Don't fight for your country, if your country does not fight for you.
    2. Re:Experience with Fnac by ejaw5 · · Score: 2, Informative

      Windows: loads their CD player without asking, crashes system.

      try holding shift before loading CD and hold until CD stops spinning in drive.

      --

      $cat /dev/random > Sig
  17. People will buy anyways by lothar97 · · Score: 4, Insightful
    We've seen over the years that people will pay for any kind of crap, from pet rocks, to "Catwoman" movie, to the next manufactured boy band. If it's the "cool thing," people will jump over cliffs like lemmings to obtain it.

    It would need to be a massively coordinated effort to get a huge band's copy protected CD boycotted. You'd need mass targeted media, such as MTV or P. Diddy, to lead the charge. I figured it would be bad for them to lead the fight, and I doubt most people would care.

    --

    1. Re:People will buy anyways by nkh · · Score: 1

      It would need to be a massively coordinated effort to get a huge band's copy protected CD boycotted.

      That's exactly what I'm trying to do with Prodigy's last album. Spread the word and explain what's happening.

  18. Re:If people would just stop stealing... by Anonymous Coward · · Score: 1, Insightful

    Your ethics of convenience stems from a world view built upon a foundation of sinking sand. What exactly is this "real" value you suggest? Whatever you decide is "fair," right? What makes you think that your idea of fair is better than someone else's idea of fair? Quit rationalizing theft and just accept the fact that in a free-market system the price of something is set by the level of demand for that thing.

  19. Re:The Rights of Us vs. the rights of Soviet Russi by boisepunk · · Score: 0, Flamebait

    What are you talking about? It's the same here in the good ol' U S of A!

    --
    main(0)
  20. Re:If people would just stop stealing... by Dutchmaan · · Score: 1

    So shoplifting at the store is okay?

    Did I say that?

  21. What are we worried about? by Fortran+IV · · Score: 5, Funny

    Let Microsoft get the monopoly! If MS is controlling DRM technology, then it's sure to be completely insecure and easily hacked.

    Still, I'm glad I've hung onto all my old LP's.

    --
    I figure by 2030 or so my 6-digit UID will be something to brag about.
  22. Re:If people would just stop stealing... by Dutchmaan · · Score: 1

    FYI... the "value" I was talking about would be the cost of producing the item... period.

    sans, profit.

    After all if the parent poster wants to make a broad unrealistic statement about DRM and people stealing then isn't it only fair that I can reply with the same kind of broad unrealistic statement?

  23. Already Covered by Anonymous Coward · · Score: 0

    Both of these stories have already been covered by DRMBlog.
    The EMI DRM story.
    The Microsoft DRM story.

  24. DDCCRF ? by kakod · · Score: 1

    It's DGCCRF not DDCCRF

  25. Palladium by Steve+Cowan · · Score: 4, Interesting

    I may be missing something here, but is there anything new on the evil Microsoft master plan known as 'Palladium'? Is this ultimately what's under investigation?

    Seems to me that Palladium is the uber-DRM trump card that Microsoft has up its sleeve - just far enough off that it doesn't warrant "investigation" (yet), but still close enough that it makes me worry for the future of personal computing.

  26. ...and about time too by Kerre · · Score: 1

    I'll never set a foot inside one of the FNAC stores anyway. Two years ago I was a long-time fnac customer. About a year ago I bought a 'protected' CD - Buscemi's 'Camino Real'. At that time I wasn't aware of the fact you shouldn't buy any audio CD without an official Philips logo on it. My problem was the CD refused to play on the Denon DVD-100 (part of my Denon mini hifi/home cinema set I bought ... at the very same FNAC). FNAC did not want to take the CD back, as they do not take back any opened CD or software package, claiming this is to 'deter copying copyrighted material'. This is common practice at large retailers where I live. The Carrefour retail chain does it as well: they refuse to take back any CD or software. Carrefour even refuses to take back any PC you bought since these have a pre-loaded OS. So much even for the 'if you don't agree to this license return the software and return it to get a refund' click-through agreement I guess. But what can you do against this as a consumer? Go to small claims court and lose a lot of money over a CD? I have some confidence in Europe still.

    1. Re:...and about time too by nkh · · Score: 1

      IIRC the copy protection is considered a hidden defect and you can return them all your protected CDs. If they still refuse, demand an explanation with the loudest voice possible, they won't last more than 2 minutes. Remember that these employees do not have high pay every month and want to keep their jobs, they will do everything you ask as long as you keep quiet.

    2. Re:...and about time too by Kerre · · Score: 1

      I was quite vocal about it. I spent half an hour arguing with two persons of the CD department. They kept on repeating it was company policy and that they could not make exceptions. I'm not starting a lawsuit because of this - I cannot afford that. But since then I've never set a foot inside a FNAC. I also recommended against FNAC whenever possible, and I explained the danger of copy-protected CD's to friends and relatives. I think bad publicity is the only thing the labels and large retail chains fear. Consumer organisations have the power to get things like this into mass media. These problems have been known to FNAC for more than a year. They did not care. They only offer to repay the price now because of the bad publicity.

    3. Re:...and about time too by Fred_A · · Score: 1

      You can get an injunction at the court since it's clearly a hidden defect. It's free. Justice is still mostly inexpensive for consumer cases in France (although not speedy).

      Browse the archives of news:fr.misc.droit for numerous similar stories.

      FWIW I still buy at FNAC store or at whatever store (including small ones when I find some).
      And if the huge corporations won't take something back when they obviously should, well... Let's say that I find it cheaper than the movies and a lot more entertaining :)

      --

      May contain traces of nut.
      Made from the freshest electrons.
  27. Re:If people would just stop stealing... by Dutchmaan · · Score: 4, Insightful

    Quit rationalizing theft and just accept the fact that in a free-market system the price of something is set by the level of demand for that thing.

    I think that was in relation to supply if I'm not mistaken...

    What is the fair value when the supply is for all practical purpose instantaneous and infinitely repeatable?

  28. Re:If people would just stop stealing... by st1d · · Score: 1

    I certainly don't rationalize theft, but I agree to a point. A good example would be companies that slap their label on an otherwise cheaply available product, then charge a premium for it. While demand may be there, it's an artificial demand created under false assumptions and lack of knowledge. Hopefully we'll outgrow that kind of ignorance some day, at least until people can learn to balance their wants and their income.

    I do remember all the talk about how we all needed to ditch our tape players, because CDs lasted longer, and would eventually become far cheaper than tapes. Now they cost twice as much, and if you do buy one, it won't play in a player a couple years from now. Beautiful.

    --
    Microsoft has just released their much anticipated hands-free cordless mouse. Warning, it may hurt a little at first.
  29. Gov't's motivation ... ? by H_Fisher · · Score: 3, Informative
    I haven't met anyone who bought a new DRM'd album (read: Velvet Revolver) and then couldn't play it in his/her home or car equipment. I've known several who tried to listen on the computer; as most of them have Autoplay turned off on principle they didn't have problems either. My only experience with an allegedly DRM'd album was Steely Dan's Everything Must Go which ripped without a hitch and made me think the whole thing was just hype.

    So how big a problem is this at this moment? On most supposedly-DRM'd albums the protection doesn't work most of the time; most of the people who want to play the CD are able to do so. Not to be a tinfoil-hat theorist, but why should the government step in now unless it's to set a precedent of some sort? i.e. "Software DRM is obviously not working, so we need hardwired anti-copying chips mandatory in all systems by 2010..."

    1. Re:Gov't's motivation ... ? by user32.ExitWindowsEx · · Score: 1
      sounds likely. here in the us, I'd say it'll be somehow state based...california will fall first, but once it goes, we're all SOL.

      I say 2007, not 2010.

      p.s. someone help me, please! I've chipped in to the community. You should too. Besides, if I do get a free iPod, it could help me get laid.

      --
      "Evil will always triumph because good is dumb." -- Dark Helmet
    2. Re:Gov't's motivation ... ? by Anonymous Coward · · Score: 0
      I haven't met anyone who bought a new DRM'd album (read: Velvet Revolver) and then couldn't play it in his/her home or car equipment. I've known several who tried to listen on the computer; as most of them have Autoplay turned off on principle they didn't have problems either. My only experience with an allegedly DRM'd album was Steely Dan's Everything Must Go which ripped without a hitch and made me think the whole thing was just hype.

      So how big a problem is this at this moment? On most supposedly-DRM'd albums the protection doesn't work most of the time; most of the people who want to play the CD are able to do so. Not to be a tinfoil-hat theorist, but why should the government step in now unless it's to set a precedent of some sort? i.e. "Software DRM is obviously not working, so we need hardwired anti-copying chips mandatory in all systems by 2010..."

      There's a slight flaw in what you say: AFAIK there are no "albums" with DRM, just CD's.

    3. Re:Gov't's motivation ... ? by Anonymous Coward · · Score: 0

      I was reading a local (swedish) magazine for musicians and what do i see on one of the first pages? A rant by the magazine's editor about how he's getting tired of cds that won't play in his stereo or car because some silly copy protection.

    4. Re:Gov't's motivation ... ? by Fancia · · Score: 1

      My experience with that CD has been different. I have a friend who bought it, not knowing about the protection, and wanted to rip it. After trying for hours over the course of many days, he finally gave up and was unable to make a backup of the CD he legally bought; he's been unable to remove the DRM driver from the hard drive, no matter what he's tried. He's extremely irritated and is boycotting the label's albums now.

      --

      Bít, zabít, jen proto, ze su liska!
    5. Re:Gov't's motivation ... ? by JaredOfEuropa · · Score: 1
      why should the government step in now unless it's to set a precedent of some sort?
      It appears that the French courts recognise the right to make copies for personal use as a right, i.e. something that you are entitled to, rather than something that is allowed on sufferance. Most other countries allow you to make personal copies, but if DRM, Macrovision or whatever gets in the way, it's tough luck.

      The motivation for this ruling is that this particular DRM interfered with the right to copy, and as such it was ruled illegal. This wasn't just about problems playing CDs in cars or on computers.
      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  30. Re:If people would just stop stealing... by Wile_E_Peyote · · Score: 2, Insightful

    I think that was in relation to supply if I'm not mistaken... What is the fair value when the supply is for all practical purpose instantaneous and infinitely repeatable?

    Only problem with that is...people still need to get paid. What you pay for a CD or Movie, doesn't just go to the artists. There are millions of workers living off of the money. Studio techs, salesmen, marketers(shudder), attorneys, IT workers, secretaries/clerks, warehouse workers, PHBs, etc... etc... etc...

    If a company decides to sell something for a low price or starts losing tons of money to piracy, that lost revenue needs to be made up somewhere. It's not going to be the president of the company or the artist taking the paycut or losing their job. It's going to be Joe and his buddies, who drive forklifts and barely make enough to stay above the poverty line.

    W.E.P.
  31. Only in the EU! by Anonymous Coward · · Score: 3, Interesting

    Please, oh please, I wish a US legislator would say this someday:

    we do not permit a system which provides greater protection than the intellectual property rights themselves

    followed by, "... and we've given you enough protection. In fact, we're thinking of repealing some if you don't go out and do what you said you would!"

    Does anyone remember the legislative reason for the DMCA? The reason was to encourage copyright holders to increase the availability of music and video online to accelerate the transition to broadband lines. What happened? The entertainment companies got their law, and then started hunting down copyright infringers on websites, while meanwhile Napster arose, and then decentralized P2P, and then, yes, broadband adoption did begin to accelerate - the predicted effects did occur, but not because the media companies advantaged themselves of the protection the new law offered, but conversely, because citizens saw fit to break the law to achieve the ends the media companies promised in hearings publicly and in closed sessions supposedly that they would implement.

    With the same tongue-embedded-firmly-in-cheek tone one asks "How many mice does it take to screw in a lightbulb?" I ask, "How many times can the media industry lie to a Congresscritter before Congress screams, 'NO!'?"

    I say to the hell with the lot of them! Nuke 'em all; and let god sort them out.

  32. Not quite true by Anonymous Coward · · Score: 1, Insightful

    While I agree in theory that Sony would love to do as you describe, this sentence is simply impossible:

    analog speakers and mics will start to disappear from the market

    There is no such thing as a "digital speaker" to be in opposition to an analog speaker. There are digital-grade speakers, which are constructed and optimized to play the frequency range of a CD, but they are no more digital than the speaker in your 1930's vintage RCA Victor. There are PCM-based speakers, but their utter output is still the same: air vibrates. Speakers are, and ever will be, an electromagnet attached to a material cone. Changes in the current loop of the magnet vibrate the cone and voilà: sound! There's simply no other known way to produce sound mechanically from electricity.

    Want to capture the sound? A 2 dollar inductor around the electromagnet will do the trick. Amplify, convert, record.

    Then again, in 20 years people won't know how to build an amplifier. So I guess the media companies will become safer as time wears on.

    1. Re:Not quite true by iabervon · · Score: 1

      Actually, there's also piezoelectrics. You could have a speaker which connected the membrane to a stack of 16 piezos which get zero or power-of-two voltages across them depending on input bits. Sure, it would be nuts, but it would be all digital (except for the air, of course) and not magnetic...

    2. Re:Not quite true by dgatwood · · Score: 1
      True. That's insane, but true. You could probably do the same thing with ions and an electric field as well, though I'm not 100% certain how you'd do it just yet.

      That said, those bits would not be encrypted at the final step, making that even -worse- for the industry as far as making it easy to copy the signal. With such a design, you could then get a bit-for-bit perfect copy by merely attaching a parallel-to-serial converter off the piezos (and figuring out how the heck to clock it....) :-)

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    3. Re:Not quite true by Anonymous Coward · · Score: 0

      You're correct. That would be insane. The solution though was posted by the other poster.

      Yes, I'm the original AC replying.

  33. Re:what? by Anonymous Coward · · Score: 0

    France is just one member of the EU, you're forgetting about the other 24 members:

    Austria, Belgium, Denmark, Finland, Germany, Greece, Ireland, Italy, Luxembourg, The Netherlands, Portugal, Spain, Sweden, United Kingdom,
    Cyprus, Czech Republic, Estonia, Hungary, Latvia, Lithuania, Malta, Poland, Slovakia, Slovenia

  34. Back story of ContentGuard by dfl · · Score: 1

    Wendy Grossman has a short article on the back story of Microsoft and ContentGuard. The patent portfolio comes from Mark Stefik at Xerox PARC. http://www.theinquirer.net/?article=18130

  35. The reason for DRM in Europe by El+Cabri · · Score: 4, Insightful

    Copy-protected audio CDs are much more present in Europe mostly because it is made of small, insulated markets where people are culturally much less litigious, and where the legal system often does not offer the possibility of class-action lawsuits.

    Imagine launching a copy-protected CD on the US market and ending up with a 1 or 2 million people demanding damages.

    This just shows how judicially insecure media companies feel on that subject.

    1. Re:The reason for DRM in Europe by Anonymous Coward · · Score: 0

      That's exactly why the shift-key is a "feature" of the SunnComm discs. They are the only copy protected audio CDs in the US currently. The labels don't want the lawsuits.

      Macrovision does a lot of stuff overseas, but they also rely on making crap discs. They break spec on purpose for their copy protection. Some drives simply won't read them. If you do that here, you get sued. Just ask Charley Pride...

      -- anon sunncomm developer

    2. Re:The reason for DRM in Europe by Anonymous Coward · · Score: 0

      Actually, it's because the U.S. has "fair use" laws, whilst the various European legal systems don't have clear positions on this. 100% working copy protection may even be illegal in the U.S., though probably not for much longer.
      IANAL

    3. Re:The reason for DRM in Europe by Abel29A · · Score: 1

      All the nordic countries (I'm from Norway myself) have similar fair use laws. But that doesn't stop the record companies selling this crap. Things are happening though, as more and more people are boycotting DRM "cd's". I believe that the record companies will experience a backlash as more and more people get their musical experience lessened, and their players damaged...

      --
      "If Pac-Man affected us as kids, we'd be running around in dark rooms, munching pills and listening to electronic music"
  36. Re:If people would just stop stealing... by Frogbert · · Score: 1

    When will people learn... Downloading music is NOT stealing, if it was they wouldn't have a copyright infringement law. They are two different things!

  37. Integer Rights Management by Anonymous Coward · · Score: 0

    I'm waiting for someone to come up with a system for Integer Rights Management, where you can encode any integer (say, 3) in a way so that when decoded, the recipient will only be able to enjoy the integer, but not remember it or pass it on to others.

    After that, I wonder how long it will take someone else to crack this system and write down the decoded integer for, say, time-shifting purposes.

    Let's hope there are at least as many integers as there are works of art.

  38. Tamper-evident speakers by tepples · · Score: 1

    Want to capture the sound? A 2 dollar inductor around the electromagnet will do the trick. Amplify, convert, record.

    Won't help much if the PCM loudspeaker's construction is tamper-evident, and the speaker feeds such evidence back to the DRM module on the player.

    1. Re:Tamper-evident speakers by mpe · · Score: 1

      Won't help much if the PCM loudspeaker's construction is tamper-evident,

      Unless the enclosure was 100% effective magnetic shielding (whilst still letting the sound out) then you wouldn't even need to open it.

      and the speaker feeds such evidence back to the DRM module on the player.

      This would make the speaker considerably more complex and expensive. Especially since it would need to proof against a small hole drilled anywhere in the case.
      All of this complex engineering still being trivial to defeat with a microphone.

    2. Re:Tamper-evident speakers by tepples · · Score: 1

      Unless the enclosure was 100% effective magnetic shielding (whilst still letting the sound out) then you wouldn't even need to open it.

      The shielding only has to be effective enough that a microphone would produce less noisy results.

      Especially since it would need to proof against a small hole drilled anywhere in the case.

      Air would leak through that hole and be detected.

      All of this complex engineering still being trivial to defeat with a microphone.

      Not if a major government, such as that of the United States of America or the European Union, begins to regulate DACs. Fast forward to the SSSCA, CBDTPA, or other proposals to require all computers to have DRM chips (akin to U.S. federal regulation of assault rifles, with "pre-ban" computers grandfathered in) or to have microphones registered in a similar way as handguns. But still, I have faith that that's not going to happen before Christ comes back.

  39. Copyright windfalls are irreversible by tepples · · Score: 1

    Set the copyright system back to the default 14+14 years.

    How is the United States going to get out of the Berne Convention in order for that to happen? In addition, doesn't the Fifth Amendment prohibit Congress from taking private property such as so-called "intellectual property" for public use?

    1. Re:Copyright windfalls are irreversible by mpe · · Score: 1

      How is the United States going to get out of the Berne Convention in order for that to happen?

      The US manages to ignore all sorts of treaties anyway. What's one more...

      In addition, doesn't the Fifth Amendment prohibit Congress from taking private property such as so-called "intellectual property" for public use?

      AFAIK the US Constitution never makes use of the term "intellectual property" in the first place.

    2. Re:Copyright windfalls are irreversible by Ben+Hutchings · · Score: 1

      The Berne Conventions don't specify consistent copyright periods. The most important things they specify are (a) copyright is automatic upon creation (contrary to old US copyright law) and (b) signatories will recognise and give equal protection to copyrights held by persons from other signatory countries as to copyrights held by their own people and corporations.

  40. Re:If people would just stop stealing... by Generalisimo+Zang · · Score: 1

    Hold on a second... a minute ago you were talking about supply-and-demand, and as soon as someone called you on that, then suddenly your argument morphs into a "but won't someone please think of the forklift operators!" argument.

    So, which is it? Are you gonna talk about supply-and-demand, and take your lumps when the obvious fact that supply of electronic data is infinite and inexhaustible is mentioned?

    (Let's see... demand is fixed, and supply is infinite. What happens to price in this situation? This is Econ 101 stuff.)

    Or are you gonna use a "Oh please thiiiink about the pooooor workers" argument... and take your lumps when we look into the treatment of non-MBAs and non-management workers by large corporations.

    The bottom line is that only a very tiny percentage of what people pay for a CD is actually reflected in costs.

    The artists who created the music get next-to-nothing, and the workers who manufacture and distribute the CDs get next to nothing... the bulk of the $17.99 cost of a CD is simply profit for people who contributed nothing.

    Protecting the obscene amounts of UNEARNED profits by middlemen who never created anything in their lives, but who simply leech off of both artists and the public is not really something the public cares much about.

    You can throw words like "theft" and "piracy" around all you like, but those words actually have specific dictionary meanings that in no way apply to the current situation.

    No company ever LOST money because of song downloads... they simply didn't earn as much profit as they thought they would. If you view their projections of future income as somehow something that company executives have a RIGHT to expect to receive... then how about extending that same courtesy to the lowly workers in that same company?

    Ah.. no, but then, your argument will probably quickly morph back into the "free market" argument from before.

    Gee, funny how the basic principles of economics only apply to arguments when they'd support the actions of our corporate overlords.... but as soon as free-market arguments would go against them, then suddenly logic and economic theory get thrown aside and we're back to the shrill shrieks of "THEFT!!" and "Pirate!!" and "Won't someone please think of the poor forklift operators!!" :)

  41. Re:If people would just stop stealing... by Rolo+Tomasi · · Score: 1

    The same could be said for drugs. What you pay for your coke doesn't just go to the dealer. There are millions of workers living off of the money. Distributors, poor Coca farmers, the average dealer on the street, cartel bosses, etc... etc... etc...

    So why is manufacturing and selling drugs illegal, if there is so much money to be made and a lot of people could live off it? The answer is simple: because drugs are detrimental to a society.

    The same goes for monopolies, media cartels, price fixing and copyright laws that unfairly favor big corporations.

    The problem in a lot of South American countries is that drug cartels are hugely profitable, and they just buy off the governments, so no real action will be taken against them.

    A similar thing is happening in the US regarding media corporations.

    --
    Did you know you can fertilize your lawn with used motor oil?

  42. Re:If people would just stop stealing... by Richard_at_work · · Score: 1

    That doesn't work, taking a car without the owner's permission is theft, but you also have separate laws to cover it - Grand Theft Auto.

  43. Having the balls? by mikelang · · Score: 1

    I think, the matter is to get industry to pay EC in a try to settle.

    Past investigation of Microsoft finished with exactly such a settlement.

  44. I just found a way out of Berne by tepples · · Score: 1

    The Berne Conventions don't specify consistent copyright periods.

    It's not consistent across classes of works, but for "literary and artistic works," such as musical compositions, Berne specifies at least life plus 50.

    However, after having read the Berne Convention again, I did just find a way out of Berne that the government could use to punish major players in the U.S. entertainment industry should they go too far.

  45. MOD THE PARENT UP! by latroM · · Score: 1

    He has a clue.

  46. Re:If people would just stop stealing... by Wile_E_Peyote · · Score: 1

    Hold on a second... a minute ago you were talking about supply-and-demand, and as soon as someone called you on that, then suddenly your argument morphs into a "but won't someone please think of the forklift operators!" argument.

    You sure that was me? Check again.

    The artists who created the music get next-to-nothing, and the workers who manufacture and distribute the CDs get next to nothing... the bulk of the $17.99 cost of a CD is simply profit for people who contributed nothing.

    I don't disagree, but that doesn't change the fact that when a company starts losing money, it isn't the guys up top that suffer. That isn't fair, I agree, but it is reality. The system must be changed.

    Protecting the obscene amounts of UNEARNED profits by middlemen who never created anything in their lives, but who simply leech off of both artists and the public is not really something the public cares much about.

    So only people who create should make money? Only software developers should get paid, not the people who support software or ship software or sell software?

    You can throw words like "theft" and "piracy" around all you like, but those words actually have specific dictionary meanings that in no way apply to the current situation.

    Dictionary? Who cares? This is as ludicrous as Bill Clinton's definition of Oral Sex. Let's say we make it okay tomorrow to copy anything you want from whoever you like. Who do you think will be the first to start making money off of it? I imagine it would be Corporations...

    W.E.P.

  47. Re:If people would just stop stealing... by Wile_E_Peyote · · Score: 1

    The same could be said for drugs. What you pay for your coke doesn't just go to the dealer. There are millions of workers living off of the money. Distributors, poor Coca farmers, the average dealer on the street, cartel bosses, etc... etc... etc... So why is manufacturing and selling drugs illegal, if there is so much money to be made and a lot of people could live off it? The answer is simple: because drugs are detrimental to a society.

    Actually this is a wholly different question. The legality of drugs is a little arbitrary in my opinion and we could go on for quite a while on its "effect" on society. Given that, I wasn't talking about potential jobs, I was talking about jobs that are currently being held.

    The same goes for monopolies, media cartels, price fixing and copyright laws that unfairly favor big corporations. The problem in a lot of South American countries is that drug cartels are hugely profitable, and they just buy off the governments, so no real action will be taken against them. A similar thing is happening in the US regarding media corporations.

    I totally agree, but simply stealing a small percentage of their profits isn't going to change anything, it is just a convenient argument for people who want something for nothing. The enemy here really isn't them, it is the lawmakers who are supposed to protect this country from this type of thing.

    W.E.P.

  48. Re:If people would just stop stealing... by zbik · · Score: 1

    What is the fair value when the supply is for all practical purposes instantaneous and infinitely repeatable?

    Don't forget, the total cost of supply includes the time invested by those who make the album, in addition to the per-item cost of album distribution (which we agree is effectively zero). That time must be paid for by somebody.

    Some feel that the artist should just pay for the time out of his own opportunity cost -- on the assumption that the creative work will be a "loss leader" by means of selling other services. Or that the artist receives other indirect benefits that are sufficient incentive. This sometimes works, but I believe not generally enough; to encourage content development we should have a way to fund content development per se.

    I don't care for the current idea of selling individual CDs either, because it unnecessarily retards consumption (by financially penalizing music ownership), and because it introduces an onerous regime of control for enforcement. I expect we are left with the need for a kind of tax or "rent", whereby consumers collectively pay into an agency which funds recording. I'd like to see how such an agency could be structured to promote more and better music development than the record labels we have today (and how the public could be convinced to pay into it).

  49. Flogging a dead horse by Audacious · · Score: 2, Informative

    Ok. I've read your entire post and here is what I have to say in response: I am not sure, if you have never done assembly language programming, systems programming, and worked on trying to implement security measures before that I can explain to you why DRM will never work no matter how hard they try to make it work.

    I am not trying to talk down to you. This is not to say I am better than you or greater than you or god-like in my knowledge. Nor am I trying to make you mad/glad/happy/sad or anything else. I'm just trying to say that DRM will never work. Oh - it may work for a while. Maybe a few months - but then there will come workarounds and such at the least. And I've read up on DRM also and find it to be an interesting twist on older technology. But I will stand by my saying it won't keep the hackers out. I do not care how much they tout it to be impregnable, super colossus, made of Kryptonite, or whatever - it won't do it.

    Now, by your very post you show that you do not get how a computer basically works. Sort of like how I understand how a car works but if my car breaks down I'd probably have to call a tow truck because I really don't want to actually DO the work (if you know what I mean) and probably do not have the right tools anyway. So I have some knowledge of cars (enough to be dangerous) but not a deep down knowledge of cars like a mechanic has.

    Having said that, let me lay out some ground rules to go by and then look back at what you posted. You will (hopefully) see what I mean.

    1. All computers run machine language. Zeros and ones.
    2. All computers perform basically the same operations.
    3. All compilers reduce instructions given to them to machine language eventually (either directly or through a linker or whatever).
    4. On machines which have multitasking abilities, the CPU could care less what is going on. It is told to do X, then Y, then Z. It just executes the instructions given to it. (ie: It does not think per se and only does what it is told to do. Hardwired or otherwise.) If two programs are running it is the OS and not the CPU which makes the decisions on who gets to run when.
    5. In order for there to be any semblance of normalcy between computers - all programs execute the same code. That is to say that the reason a JPEG image doesn't execute a program is only because as a program it contains meaningless garbage. Real programs, in order for them to run on your computer, must contain similar code which the CPU can recognize and execute.
    5a. Thus, and therefore, you are doomed. Because you can not run an encrypted program unless the CPU recognizes this blob of meaningless garbage to actually be executable code. (Which is an oxymoronic statement because if the CPU recognizes encrypted programs as executable then people would only run encrypted programs which would make the encryption useless since everyone would know it.) Ever tried running a ZIP file without a ZIP decoder installed and without the auto-execute program as part of the ZIP file? It won't. The CPU goes "I don't know what kind of garbage you are trying to feed me, but I can't run it," and you get an error message from the OS (not the CPU). Thus, and therefore, all programs must follow a given path in order to be recognized as executable.
    6. A debugger is a program which monitors all traffic from another program. The CPU could care less what the debugger is doing. The debugger catches all input and output as well as all other executions a program may perform. A watchdog is nothing more than a debugger with a different function. This means that a watchdog can, and will, catch all I/O that a program generates as well as all executions.

    Ok - hopefully you have gotten this far. Now we just need to go one step further.

    IF - we can run a watchdog program and capture the i/o and commands executed (Which: Why would Intel, the CPU, the OS, or anyone else care if we are running a program which acts like a debugger but really is catching all

    --
    Someone put a black hole in my pocket and now I'm broke. :-)

  50. How do you prevent key leakage by farnz · · Score: 1

    As far as I can see, the weak point in this scenario is that there is one trusted root key (the Trusted Computing Group key); as soon as that key is leaked (both private and public halves), it is possible to generate fake data that I can use to intercept the media.

    Am I missing something important?

    1. Re:How do you prevent key leakage by Alsee · · Score: 1

      as soon as that key [trust root] is leaked (both private and public halves)

      Chuckle. The public half will be, well, public. Kinda funny to talk about it leaking :)

      Anyway, you're right. If the root private key were to leak it would be a mess. Hmmmm..... thinking... thinking....

      Ah, I just thought of a way they could mitigate the damage and "reboot" the system. They make a new root key, revoke the old root key, and "grandfather in" explicit trust for the list of authentic existing manufacturer keys. They'd have to push down global software updates, but it could probably do a fairly credible job at cleaning up the mess. Much less damaging than I would have expected. It definitely would have hit Slashdot.

      However I don't think it will really be possible for the key to leak. Once you get into the Trusted Computing mindset there are obvious ways for handling this key. No human will ever see the key. There will be no copyable version of the key anywhere. Using Trusted Computing you can generate a random key and just leave it locked inside one of their Trust chips. Or, with some fairly easy programming, they can easily have that key securely copied into a small number of Trust chips. They can impose pretty much any sorts of restrictions on using/copying the key they like.

      If they did that there'd be no way to "leak" the key short of physically stealing an entire computer.

      It's pretty much a non-issue. Keys like this simply don't leak. Microsoft already has certain root keys sort of like this, VeriSign has root keys sort of like this, pretty much any significant group using public key cryptography and signatures has a root key like this. I have never heard of such a key leaking.

      The question that hits my fancy is what happens if a private key from a major manufacturer were to leak. With many many manufacturers of all kinds such a scenario becomes much more likely. If they do nothing the system is blown wide open. If they revoke that key then ALL of the existing hardware using that key instantly drops dead, a worthless lump of slag. Can you imagine the outrage when millions of ordinary innocent people wake up to find their computers "revoked" and dead? You'd have mobs taking to the streets with torches and pitchforks, screaming for blood! :)

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.

    2. Re:How do you prevent key leakage by farnz · · Score: 1

      In other words, as with all PKI systems, TCPA boils down to whether the private keys can be kept secret. If just one gets stolen, you've got trouble.

      Although DVD-CSS wasn't PKI-based, it was broken initially in exactly that fashion; Xing failed to keep their player key secret, and the knowledge gained by using Xing's key showed that the system was weak. Xing's key was promptly revoked, and as a minor player, this caused no major hassle for anyone, but since the system was weak, DVD-CSS was dead.

      In this system, the danger point is someone leaking a major manufacturer's key; killing a small player like Xing over poor security didn't upset many people. If Sony used one key in all their devices, from cheap portables to expensive HiFi players, and I obtained it, I can put the industry in a nasty situation. Do you stop all the millions of Sony players from working, and upset consumers, or do you just release stuff that you know is hacked?

      Based on past evidence (DVD-CSS), I suspect that sooner or later, TCPA will hit that dilemma.

      BTW, I am aware that the public key is guaranteed to leak; however, not everyone in this thread acts like they have a basic understanding of PKI, and I was attempting to make it clear that the public key alone isn't enough.

    3. Re:How do you prevent key leakage by Alsee · · Score: 1

      DVD-CSS is a total NON-comparison. DVD keys were not "leaked", they were PUBLISHED. Had Xing "succeeded" in keeping key secret and private then their player would not have worked at all.

      With PKI the manufacturer private keys can be issued only within a tamper resistant self-destructing chip. No one will be able to see this key. No one will be able to copy this key. All they need to do is mount this chip inside a 12-ton block of concrete (overkill, but quite doable) in their manufacturing plant and use it to generate signatures.

      The only way to leak the key is for the chip to be physically stolen. For starters it would be immediately revealed because the manufacturer loses the ability to use their key and make any more hardware. Even if the chip is stolen the breach is significantly limited in that the key itself will almost certainly still not leak. You'd need to manage to rip open a chip and scan it with pretty much an electron microscope, all without triggering the key self-destruct. The breach is quite bad in that someone can use the chip to generate signatures, but not nearly as bad as having the key itself being copied over the internet. Actually now that I think of it, there can be further security. They can quite easily require the chip to constantly "phone home" to the Trusted Computing group to be able to continue generating signatures. You steal the chip, generate maybe a thousand signatures, then the chip locks out until it can phone home for reactivation. Poof! Dead chip unless you manage to physically read out the key.

      Personally I'd LOVE to see these master private keys leaking, but it's seriously unlikely. A government agency like the NSA might be able to pull off a Mission Impossible stunt like stealing a chip, extracting the key (destroying the chip), manufacturing a replacement chip with a copy of that key, and returning that replacement chip back in the plant they stole it from, all without being detected. Chuckle.

      No, the main attack is to buy genuine hardware and physically mod it. And even that gets seriously hard if they move the Trust system inside the CPU itself.

      The best hope is massive public backlash, like the one that killed the Pentium CPU-ID serial numbers.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
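
The sub-thread above turns on two revocation cases: revoking a manufacturer key disables every device under it, and a root rollover that "grandfathers in" the known manufacturer keys keeps existing devices working. The sketch below is an added example, not part of any comment and not TCPA code. The names (`root-v1`, `MfrA`, `MfrForged`), the certificate layout, and the toy textbook RSA over Mersenne primes (a stand-in for real signatures) are all assumptions.

```python
import hashlib

E = 65537  # RSA public exponent

def make_key(a, b):
    """Toy RSA key from Mersenne primes 2**a-1 and 2**b-1 (illustrative, NOT secure)."""
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def _h(msg, n):
    return int.from_bytes(hashlib.sha256(msg.encode()).digest(), "big") % n

def sign(key, msg):
    return pow(_h(msg, key["n"]), key["d"], key["n"])

def verify(pub_n, msg, sig):
    return pow(sig, E, pub_n) == _h(msg, pub_n)

def issue(issuer, issuer_key, subject, subject_pub):
    """Certificate: `issuer` vouches that `subject` holds `subject_pub`."""
    return {"subject": subject, "pub": subject_pub, "issuer": issuer,
            "sig": sign(issuer_key, f"{subject}|{subject_pub}")}

def validate(chain, anchors, revoked):
    """Walk a leaf-first chain until a cert is signed by an explicitly trusted key.
    anchors: {name: public modulus}; revoked: set of revoked public keys."""
    for i, cert in enumerate(chain):
        if cert["pub"] in revoked:
            return False
        body = f"{cert['subject']}|{cert['pub']}"
        if cert["issuer"] in anchors:
            pub = anchors[cert["issuer"]]
            return pub not in revoked and verify(pub, body, cert["sig"])
        nxt = chain[i + 1] if i + 1 < len(chain) else None
        if nxt is None or nxt["subject"] != cert["issuer"]:
            return False
        if not verify(nxt["pub"], body, cert["sig"]):
            return False
    return False

def scenario():
    root1, root2 = make_key(61, 89), make_key(107, 127)
    mfr_a, mfr_b = make_key(521, 607), make_key(1279, 2203)
    forged = make_key(2281, 3217)  # manufacturer cert minted with a leaked root-v1 key
    chains = {}
    for name, key in {"MfrA": mfr_a, "MfrB": mfr_b, "MfrForged": forged}.items():
        mfr_cert = issue("root-v1", root1, name, key["n"])
        dev = "dev-" + name  # constructed device id and placeholder public key
        chains[dev] = [issue(name, key, dev, dev + "-pubkey"), mfr_cert]
    old_only = {"root-v1": root1["n"]}
    both = {**old_only, "root-v2": root2["n"]}
    # Rollover: known-good manufacturer keys become explicit trust anchors.
    grandfathered = {**both, "MfrA": mfr_a["n"], "MfrB": mfr_b["n"]}

    def run(anchors, revoked):
        return {d: validate(c, anchors, revoked) for d, c in chains.items()}

    return {
        "before_revocation": run(old_only, set()),
        "mfr_a_revoked": run(old_only, {mfr_a["n"]}),
        "root_revoked": run(both, {root1["n"]}),
        "root_rollover": run(grandfathered, {root1["n"]}),
    }

if __name__ == "__main__":
    for case, result in scenario().items():
        print(case, result)
```

The rollover case accepts existing devices only because their manufacturer key is on the explicit list; a manufacturer certificate that is merely signed by the revoked root is rejected, which is what separates grandfathering from continuing to trust the old root.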
  51. Whoops.... by Alsee · · Score: 1

    Whoops, "It definitely would have hit Slashdot" got stuck onto the wrong paragraph. It was supposed to be about private keys leaking.

    -

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.