The Choice Between DRM and Security
gormanly writes "Victor Yodaiken has an article up on Groklaw in which he discusses how DRM may decrease security and reliability. He raises several questions that the developers of DRM technologies ought to answer - because not all computers are merely personal entertainment systems for 'content' consumers." From the article: "Sony BMG put DRM software onto CDs that broke the basic system security and made the entire system slower and less reliable. Imagine that your children put such a CD on your computer and opened an avenue for hackers to make copies of your business memos and personal email ... We are entering the era of ubiquitous and safety critical computing, but the developers of DRM technologies seem to believe that computers are nothing more than personal entertainment systems for consumers. This belief is convenient, because creating DRM mechanisms that respect security, safety, and reliability concerns is going to be an expensive and complex engineering task."
Replace 'DRM' with 'liberty' throughout that paper for an interesting take on things...
Here are some issues:
1. One goal of DRM developers is to prevent "digitization".
That first point sums it up. How do you stop something in its raw digital format from being copied?
You can't, David Bowie is correct in his assumption about music flowing freely like electricity or water.
Maybe one possible scenario is that a digital tax will be added to all machines that can play digitized music/games/etc. in order to make up for the lost revenue.
Another idea is to package the music/software/game with something that is above and beyond what you would normally get from just a plain disc. Add something to the packaging that makes people want to buy the product and not just download it. You could add writing, pictures or objects that people could enjoy that can't be easily reproduced with a copy program.
He who knows best knows how little he knows. - Thomas Jefferson
PC owners need to take control of their PC to secure the machine. If content owners can control what content buyers do with their data, then perhaps PC owners should exert similar control. Perhaps not every application on a PC should have the right to send any bit of data over a network. Preventing keyboard loggers, file snoopers, IM buddy list readers, etc. is effectively a type of DRM -- "sorry MalWare.exe, but only one copy of that SSN is allowed". As with P2P applications, DRM is just a tool that can be used for "evil" or "good". Perhaps PC owners can use that tool to secure their data and their machines.
Two wrongs don't make a right, but three lefts do.
When I buy DRMed music by downloading it to my own PC, then (some implementations of) DRM will bind the downloaded music to a licencing key on my machine. So if the bought and downloaded music is intended as a birthday gift for someone else, how will he/she be able to play it on his/her PC? Or how will I be able to play it on my laptop, if I downloaded it on my desktop?
While DRM is intended to increase music sales, the implementation of DRM technologies that binds a DRMed track to a license key on the downloading PC will prevent this track from playing on other (people's) machines. So buying DRMed music as a gift for someone else won't be an option if DRM prevents playback on other PCs - which isn't very good for music sales.
Rootkits and security holes are just one kind of pain that comes with DRM. The inability to playback bought tracks on the OS of your choice (say Linux), or a different PC than the one used for the download, is another pain.
I can't believe this. I never thought I'd see the day. Someone using the fact that Micros~1 writes a terribly insecure operating system to argue that DRM and IP is a bad idea.
I'm not saying that enforcing IP rights on media files via proprietary software is a good idea.
The fact that Windows' terrible security model makes it a trivial task for user-space programs to compromise the security of a computer, doesn't mean DRM-enforcing techniques are a TERRIBLE IDEA.
What a HORRIBLE, AWFUL scar on the front page of Slashdot. Shame on Slashdot (again)
Remember that the DRM software on the Sony (and other) CDs installed itself *silently* - there was no "do you want to install this evil software?" prompt.
"If you think the problem is bad now, just wait until we've solved it." --- Arthur Kasspe
I don't think it's impossible to create DRM that won't undermine your system; DRM achieved with encryption can effectively limit the reading of a file to one computer or to that computer and a handful of devices. The DRM would enable the computer to read the file, not prevent it from doing anything. It would "work" (in the sense of preventing unauthorized listening) on any computer, music player or toaster, but only "work" (in the sense of allowing authorized listening) on supported systems.
The real problem with, say, the Sony/Sunncomm DRM is that it's trying to prevent you from copying files that are written in an open format. Doing this means removing functionality from a system. Therefore the DRM must damage your system, but fortunately can only work on specific systems.
The type of DRM I described in the first paragraph is what the record companies really want. And if there must be a DRM system, I'd really rather it be one that wasn't going to try to harm my computer.
I guess the problem is that as long as the model persists in which albums are sold in physical form in stores and have to play on a variety of "consumer electronic" devices without hassle they will always have to be protected by the harmful type of DRM if they are to be protected. And yet this type of DRM is also doomed to failure (anything released on a CD that can be read in anything resembling a CD player will be on the Internet within a few days of its release, regardless of the DRM attached to it). It appears that DRM that degrades a CD's quality has been rejected, and we seem to be in the process of loudly rejecting DRM that tries to modify users' computers. I don't know if there are any more steps beyond creating a new encrypted music format and protecting the secret better than they did with DVDs.
Back in the days of Shakespeare, when copyright didn't really exist, there were people with trained memories who would go to the first night of one of his plays, make notes, and then later recreate the entire play largely from memory. A rival theatre would then put on a production of Shakespeare's new (and extremely popular) play.
Music, being more patterned and generally shorter, should be even easier to recreate from memory.
Next came 78's. These were cast in a mold and made of the miracle plastic bakelite. Since the recording machinery was expensive and complex, as was the disk manufacturing process, the door was opened to both rights management and mass production. Improvements in technology led to the 45 and the 33 1/3 LP & EP albums.
While the technologies which used mechanical force were dominating the marketplace, a competing technology, based on magnetic recording also existed. Magnetic recording was less expensive, and much harder to mass-produce, but it was capable of making copies fairly easily. The new difficulty was that a small portion of the magnetic image was erased every time it was played.
Finally the digital technology emerged as the primary vehicle for copyrighted audio materials. At first it was not a problem, because individual users were unable to afford the technology to duplicate and/or create recordings which were theoretically perfect copies. But today it's hard to get a computer that can't accomplish this feat. So the audio industry turned to the promise of DRM. Unfortunately, though it will take many more incidents like Sony's debacle, we will reach a level of understanding where we realize that as long as the technology is in the hands of everyone that can duplicate these forms of media, that they will be copied.
The only way that we will see any form of successful rights management will be for the audio industry to develop a technology which is as popular and as acceptable as the LP. It may take the form of a holographic crystal or some other 'futuristic' media. But as long as the ability to manipulate the bits is available to end users, DRM will continue to fail. IMHO it is an unrealistic expectation on the part of the audio industry to believe that there will ever be a digital solution to a digital problem. In the meantime I believe that any damage to computers and infrastructure brought on by companies who cannot accept the fact that DRM will never work should be punished to the full extent of the law.
"Can there be a Klein bottle that is an efficient and effective beer pitcher?"
Currently there is no "CONTENT PROTECTED" designation on iTunes, since all content is protected by default. But I hope that eventually artists, presumably independent ones at first, will start to release DRM-free works on iTunes. When a critical mass is reached, this could become an important selling point, encouraging other artists/companies to do the same. I believe people will still buy the works because of the low price, convenience, and guaranteed quality. Most of their DRM-protected songs are available on P2P for anyone who puts in the effort, yet iTunes is still successful. DRM has nothing to do with it, other than possibly making it less successful than it could be. For example, I am not a customer because of their DRM but would be for DRM-free works. As people become more savvy, and as more choices are offered (initially by independent artists), I think more people will become like me.
All I hope is that Congress stays out of it and lets the free market do its thing.
There has never been a functional DRM system, and there never will be, because it is impossible to create one.
I agree with your position but I disagree with your reasoning. The failure of DRM is in that you have to give the consumer both the lock and the key. If you don't give them the key then they can't use it...ever!
Plug the analog hole. Make circumvention illegal. Etc. Etc. All it is is restraining how the user can use the key. There's no way, in this case, to have your cake and eat it too.
This game was lost before it ever started and it's a game that can never be technologically won. Only politics can make it winnable, and that only creates a black market and an underground so you never really win.
Once you have a digital copy of something, there's no scarcity on copies; once you have an idea, there's no scarcity on spreading it. DRM is like any IP protection (copyrights, patents, trade marks, service marks): it's an artificial restraint on non-scarce resources.
:wq
"the developers of DRM technologies seem to believe that computers are nothing more than personal entertainment systems for consumers"
Worse than that, they seem to have this impression that it's okay to modify my computer to work how they think it should. This isn't even just DRM, I'm getting incredibly fed up with programs which automatically install themselves on the desktop/quick launch bar (the Quicktime player, as an easy example, which I almost solely want to launch by double clicking on a file), and/or auto-run at startup (Creative used to be terrible for this - install soundcard drivers, and suddenly it plays an intro movie on the desktop at login, and you have an application launcher stuck to the top of your screen).
</rant>
I have to disagree here. It's not your music, it's (in effect) his. There's no law by which you can demand that he allow you to listen to that music on any arbitrary device; you have to negotiate that privilege with him, and pay the price he demands. If he sells you a disk with the understanding that you are not to play it on a Mac (or to cover it with cheese sauce) and you choose to do so anyway, you're breaking your end of the agreement.
Most publishers don't (or can't) do that. They might say it's not supported on Mac or Linux and leave it up to you to try to figure out how to do it, but they don't make you agree not to play it on a Mac. Or if they do, at least their lawyers make them be up-front about it.
I agree with you that if you don't like their product you shouldn't have to give them any money. I disagree that this is how it is. In the U.S., compulsory license laws (whereby a tax is added onto the cost of blank media and paid to the music publishers to cover the cost of copying you might do) force you to give money to the music publishers even if you don't like their product, or are incapable of using it. (Deaf people pay this compulsory license tax on CD-R media and audio tapes used for data storage only.)
The model we are moving toward (and can't get there fast enough, if you ask me) is for a world where in order to play an MPAA movie or listen to an RIAA CD, you will need a special-purpose hardware device (think: E-book reader or DVD player) which specifically serves the needs of a specific publisher.
Unfortunately, their efforts, if successful, will result in no 'open' or 'general purpose' devices able to read the media (which, many argue for many reasons can never happen), no general purpose communication platforms (kiss the Internet bye-bye) and ultimately the death of media companies in the market place due to competition from other media companies (each with their own proprietary media and devices) and publishers who do not attempt to restrict access using DRM.
The threat here is that their efforts will result in a 'music tax' anyway. Think about this: If you publish (and own the copyrights to) a song, and choose to give it away (for reasons that make sense to you) and I choose to 'buy' (er. download for free) it for reasons that make sense to me, I still have to pay the compulsory music tax, that tax gets paid to the RIAA-affiliated publishers (who I'm trying to boycott), and you don't see a penny of it.
The thing about things we don't know is we often don't know we don't know them.
1. People can gather, record, produce, and distribute their music anywhere in the world from a single computer.
2. Everyone inherently seems to feel that music has been overpriced and overmanaged for a long time.
3. People don't mind paying to download.
4. p2p downloaders statistically (RIAA numbers!) are the biggest customers of pay per download.
5. Inevitability of open formats which are cross-platform for distributing all sorts of music and video type files.
With business cycles there tend to be shifts in certain industries. For example sometimes an industry will be in a shift of Centralization (Big Labels for distribution of millions of CD's/Vinyl/Tapes), future market conditions can cause this shift to head in the other direction (Indie Labels, Web Distribution) which is Decentralization. The music industry is decentralizing and with more and more artists forming their own labels the Big Labels become useless empty shells with only their intellectual property left to earn them money. The death of the CD will be the death of the Big Labels for this will remove the last reason for their existence.
IMHO, this article, while well written doesn't really paint an accurate picture of the way DRM will likely be implemented on the PC, and how that will affect security. But before I go any further, let me state for the record, I am opposed to the concept of DRM in every way, and every time I think about how bad the issue can get, I feel sick in my stomach.
About the only good line in the article is "DRM technology is sometimes described as security technology when it is really licensing technology -- something very different.". This is of course marketing at work, people rename things to make them less ugly sounding, just like Microsoft's "Genuine Advantage Validation Tool" could far more easily have been called something along the lines of "Windows Anti-Piracy Validator", however the latter just has such bad implications, even though that is exactly what it is. So the author demonstrates in the second sentence of the article exactly what it is he is trying to say, but then proceeds to use IMO very bad examples of what he means.
I have been diligently reading all DRM mentioned articles on /. over the last few years, and I feel I have a fair idea of what the industry envisages happening. Let's look at Microsoft's software activation technology, which is there primarily to prevent piracy of their intellectual property, I believe its consequences are similar to what we can expect from DRM, a pain in the ass, but the majority of people accept it, and more importantly, it works pretty well, without creating security problems.
What I personally hate about software activation is that Microsoft made a far more secure way of protecting their software from casual piracy, but did not take the time to make it easier for their customers to keep track of their paid for software. Our company often has the task of fixing computers, which occasionally involves reloading Windows and or Office, and if the client doesn't know where their Office Product key happens to be (Windows key is normally stuck on the box), we end up "legally" having to tell the client we are unable to reload Microsoft Office onto their machine until such time as we have a valid CD-KEY. What I would like from Microsoft Activation is something similar to the way the WoW (the US release is the same or similar I would think) authorisation key system works. When one buys a copy of the game, they get an authorisation key with it, they then logon to their respective regional website, and create a new account, during the account creation they are required to input their authorisation key, once the account creation is complete they will NEVER require the authorisation key ever again. If their house burnt down, they could copy their friend's WoW CD, use it to install the game on their new PC, and carry on playing. Obviously, Microsoft Activation has to work a little differently, seeing as we don't have to pay a monthly subscription to use it (yet). But it should work the same, the customer should create an "account" with Microsoft, once done they can authorise copies of Office or Windows or whatever onto it, if the computer needs to be reloaded, they will always have access to their paid for software.
Right, now onto DRM, to get back to the attached article's point about security, I believe that when and if Microsoft's codename "Palladium" technology is released, if done right, will not negatively impact the integrity of the host computer's security, all that Palladium will do is prevent other programs of that computer from accessing the memory of that program, which is why DRM advocates like the idea of Palladium, it should be practically impossible for hackers to reverse engineer software which utilizes Palladium, as they have no way of seeing the memory of that active program. Assuming Palladium works as intended, everything is protected with the help of encryption, so it is still *possible* for the hacker to work out the private key, but unlikely, and the only other wa
> You can't use DRM for security, because the whole system is designed around the premise that you are the threat.
Bingo. You've gone straight to the heart of the issue.
For security today, on most desktop machines, that premise matches reality. Most desktop machines are compromised Windows boxen. Most are run by people who will download and install hostile software. The problem of DRM is a lot like the problem of keeping transactions secure on a compromised box, and not just because both are impossible.
Traditionally, security and crypto people have designed with the idea that two trustable endpoints communicate over an unsafe channel. In the military, that made sense. It's a seductive model because it matches our hard-wired belief that our own cave is a safe place and that dangers come from the outside. SSL was a good solution for that kind of environment. But today the people studying online payment security are coming around to the idea that the client PC has to be considered hostile.
Right now I'm looking at a problem in payment software distribution and it looks like the device's DRM capabilities may actually help.
Well, herein lies the rub.
DRM is not designed to increase music sales. And it never was. It is designed to let the copyright holder control how and where you access the content. Increasing or maintaining sales levels is secondary in their mind. It's all about control. They had it, and they're not giving it up without a fight.
The big media producers are scared right now. They are scared out of their wits, because things are changing, and the old comfortable system is getting obsolete. So they design half-assed measures to maintain their control of the content, which only serves to infuriate legitimate customers because they are being treated as criminals.
I can only laugh when I am forced to watch an anti-copying commercial at the start of my DVD disk (which I paid for), and think that the people that just fetch a torrent of the movie are not subjugated to this.
So it's all about control. They have no idea how to increase the sales, or if they do, they are so afraid of taking the plunge into a new media paradigm that any effort made by them is destined to fail. So they crack their buggywhips, and shout "legislate!"
No obvious path? Do you not know a single person that is in a local band? My friends would be ecstatic if you just listened to their music. Not all artists sold out to the RIAA, and they seem to be able to make money. Granted, this money is not as much as they'd be making as a pop band, but that's never stopped the _good_ musicians. It's odd now anyway, the shitty ones get paid top dollar (I'm sorry if I offend any early teens reading).
But I do agree with your first statement, I just hope the RIAA's main source of income does not become court settlements.
They call me the wookie man, I guess that's what I am