Slashdot Mirror
Virtualization May Break Vista DRM
Nom du Keyboard writes "An article in Computerworld posits that the reason Microsoft has flip-flopped on allowing all versions of Vista to be run in virtual machines, is that it breaks the Vista DRM beyond detection, or repair. So is every future advance in computer security and/or usability going to be held hostage to the gods of Hollywood and Digital Restrictions Management? 'Will encouraging consumer virtualization result in a major uptick in piracy? Not anytime soon, say analysts. One of the main obstacles is the massive size of VMs. Because they include the operating system, the simulated hardware, as well as the software and/or multimedia files, VMs can easily run in the tens of gigabytes, making them hard to exchange over the Internet. But DeGroot says that problem can be partly overcome with .zip and compression tools -- some, ironically, even supplied by Microsoft itself.'"
It would be possible for Vista's DRM to be (relatively) secure if the virtualization software also supported DRM; this potentially opens the way for Microsoft to specify some virtual environments as "acceptable" for use with the Vista home versions.
Encryption allows Alice to send a message to Bob that can't be viewed by Jack. The problem with DRM is it uses encryption such that Bob and Jack are the same person.
Think about it.
Alice (the publisher of the song) is using encryption to ensure that you and only you (Bob) can recieve the message. But Jack (also you) is being prevented from viewing the message.
The only reason that DRM is making any kind of headway is because of the hand-waving around terms like "dual key cryptography" and "license management". When you get right down to it, the content producers exist to deliver content to me. Once I get it, the only thing limiting my distribution of that content is legal in nature - I'm afraid of getting sued or prosecuted, so I don't.
Speakers can be recorded, screens can be videotaped. DRM can make it more difficult to copy content, but it will NEVER make it impossible. And the sad part is, DRM frequently makes it more difficult to VIEW content legitimately.
As a good example, I just set up a Windows XP laptop for one of my sales associates. I spent an ungodly amount of time going thru "Genuine Advantage" this and "Genuine" that, along with some dozen or more reboots. It's riduculously annoying, especially when updating a new CentOS system takes a single line:
yum -y update; shutdown -r now;
Microsoft has it wrong, and it may well be their undoing to find this out.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Why would the file have to be so large? There's no need to exchange the entire VM file... just swap the key file which is produced after authentication. To explain, if two VMs are set up as identical (e.g. same HDD size, same virtual processor, same virtual RAM, same video card, etc.) they will produce the same hardware "hash". Once an authentic software ID has been used to unlock the first file, a file will be written to disk which contains an encrypted signature which authenticates the software and thus "unlocks" it. That same key, copied elsewhere to an otherwise identical environment, will also authenticate the other environment. Put another way, one key will unlock them both.
I'm sure there's a legal use for this. I just can't think of one...
Will encouraging consumer virtualization result in a major uptick in piracy?
No way. I told my mom and my aunt not to trade those VMs and they listen to me.
I don't want to see them in jail.
Operator, give me the number for 911!
I believe that there's more to Microsoft's dislike of VM than simply DRM, and I think that they're hoping to be shielded by a bit of DRM FUD.
Last year I was in Taiwan running WinXP under VirtualPC - with the appropriate upgrades after Microsoft had bought the product from its creators - and I had zero trouble.
This year, I'm in Taiwan again, but this time I'm running WinXP under Parallels. Shortly after my use of the machine here on the internet, I got this message telling me that my hardware had significantly changed since the original installation and that I needed to re-validate - I don't recall the rest of the message, but it involved Genuine Advantage and suggestions of unusability. So, even though I'm not carrying my original box around with the keycode (would you??), I decided to be brave and tapped on the warning from the tray as instructed. Took me right to an MS page at what appeared to be Microsoft-Taiwan, and it was quite persistent that I should continue to be routed to some Chinese language page. Long story short, I got some embedded wizard launched, got the MS phone number for the USA (Bangalore notwithstanding), called in, got re-validated and woot, woot, woot.
It seems - very strongly to me - that the only thing that Microsoft could have detected was my location in a way that didn't make sense to them, and I think I triggered something that decided I had a pirated copy. I really haven't had any use of my machine or anything change in any other way to cause me to suspect anything else.
So, how long before business travellers - and we fill a lot of 747s, virtually all running Windows - picking up VM for one reason or another start pitching fits when they discover that they can go into a full-screen presentation and be tagged publicly as potential software pirates?
I couldn't understand why MS had a real problem with Vista under VM, but if the cause I posited is in fact true, then the problem Microsoft is worried about goes back to the XP codebase. Say anything about Vista's new codebase, but it's all from the same company..... so, I think DRM is a specious explanation but it allows them to hide behind something where they can try to claim some innocence regarding VM - when in fact the OS may be more seriously broken w.r.t. VM than they're admitting.
Pathological kinda promises Path + Logical - but instead, you get stuck with pathetic.
These jerks think they define popular culture. They don't.
DRM doesn't work. People steal the stuff before it's encoded with the DRM. The key is always distributed with the content or recoverable.
DRM can't work. Their attempts are hilarious. In order to be perceived by a human it has to be rendered in analog format, at which point capturing and encoding it in an open format is trivial in all cases.
DRM shouldn't work. If they won't sell me the content for the device I want to play it on when I want to play it where I want to play it, I'll convert it and to hell with what they think I should be allowed to do. Fair use.
DRM is a security risk. I will not surrender control of my PC to render your content.
The more they annoy people, the more visibility worthy indie acts get. People will listen to their popmart derivative garbage less.
I am personally opposed to straight pirating the stuff but I have to admit my conviction on the subject is wavering at this point.
Help stamp out iliturcy.
I use "Microsoft Plus! Analog Recorder" to record albums from Yahoo! Unlimited with the cable from line-out to line-in trick, effectively ignoring Microsoft DRM with their own software.
What's purple and commutes? An Abelian grape.
> So is every future advance in computer security and/or usability going to be held hostage to the gods of Hollywood
> and Digital Restrictions Management?
Microsoft has nothing to do with Hollywood. There are waiters in Hollywood who have forgotten more about movies than anyone at Microsoft will ever know. Even the accountants use Macs here in California.
Microsoft does not even make a movie player that plays the standard format. Calling Windows Media Player or Zune a movie player is like saying Microsoft Word is a Web browser because it can also display text and images. That is a very unsophisticated view that you can't sell to someone who actually knows how the Web works. Well, in Hollywood, they know how movies work. MPEG-4 was coming for many years, then it was standardized, then it became the format in iTunes+iPod, then the iPod took off. MPEG-4 is also HD DVD and Blu-Ray and AppleTV and iPhone and PSP. MPEG-4 is also the standardization of the QuickTime format which all the content creation tools are built around, even those like Avid that compete with Apple, so it arrived already having mature development tools. One day there was a QuickTime update and all of my tools could now generate MPEG-4 H.264 as if they had always known what it was. Further there is a free open source MPEG-4 streaming server that runs on every Unix and also Windows, it also has no streaming tax. Finally, most of all, MPEG-4 has no "content tax" while Microsoft's Windows Media business model depends on a content tax and everybody in both music and movie industry already knows better than that. All this happened already with sheet music and player pianos 100 years ago. Nobody is going to use an encoder that spits out a file which you can't copy or share without paying a tax to Microsoft, because everybody wants their movie or album to sell 100 million copies (even if it actually has no chance) so when Microsoft says aw it's only a penny per copy, people do the math and say no you are raping me with that, I can buy an MPEG-4 encoder for $20 and use it to make all the copies I want and not owe anybody anything why don't I just do that? And MPEG-4 just happens to already be integrated into all my tools and integrated into the hardware of consumer video playback so there was never any there there with Microsoft and movies. Even if they built a technically sound system or one that had a cost advantage, they would have to overcome the fact that nobody wants to work with the evil typewriter company.
All you are seeing here is another way that Windows sucks. Core computing functionality that customers use and want and even need to stabilize their Windows software on a real operating system is falling victim to Microsoft's lack of focus and hopeless star fucking. Why isn't Windows ready to be a good typewriter today? Because of its magic DRM.
Until about 2096, at least according to Richard Stallman. Eerily similar to what you just suggested.
Saying it's because of what the MAFIAA will say is a fucking cop-out. Why would you want anyone to virtualize your $100 - $400 operating system when they can just buy a new one? Especially with their Draconian licensing agreements. They want to pass the buck, plain and simple, and the MPAA/RIAA are more than willing to take that buck and run with it.
"Content provider revolt" is a pitiful excuse that no one with a brain really buys.
Let's stop dilly-dallying and just change "-1: Overrated" to "-1: Disagree" or "-1: Doesn't Subscribe to Groupthink".
JVC hdtv, name and shame.
If you mod me down, I will become more powerful than you can imagine....
I was originally floored by the amount of hardware required to run Vista. So now with all the eye candy brought on in Vista, I was wondering...
"What could MSFT do next to require me to once again throw out my computer and buy the latest and greatest hardware in 2008 or 2009?"
Virtualization. MSFT Vista 4.0 or 3.51 or 95/98 or 2009... Would require:
Min of 1GB of RAM.
1TB HD (supplied by FibreChannel disk).
Quad Core CPU
Dual Core GPU.
All I wanted was to be able to surf the web and play Civ. I now require the computational power of an IBM p590.
Being a generous IT worker, when an employee's machine goes bad I'll sometimes give them my own machine if they need something fast. Last time I did this, a copy of Vista which I purchased directly from Microsoft's website suddenly became "not genuine". Not wanting to fuss with it, hoping I'd be able to get my machine back and make my copy of Vista genuine again, I ended up passing the time frame (30 days?) allotted for using the OS, then was locked out with a red screen saying "this copy of Microsoft Windows Vista Business is not genuine". This statement was clearly a lie if taken literally, but discussing vocabulary destruction through marketing would be quite a digression.
So, I went back to using my dual-boot linux partition and another spare PC for my day-to-day work.
Fast forward a few weeks...
Last Friday I got my laptop back, put the hard disk back in, and what's this? Vista still said it was not genuine. I tried to re-activate online but it said I couldn't do that because that key had already been activated. (Gee, you think? Maybe when I bought it?) So, taking the only course left, I called Microsoft on the phone and entered a series of numbers about 30 digits long. When the computer couldn't validate my install it forwarded me to some Indian call center, a place I'm familiar with because I've had to do this process more than a few times.
But this time was different... (Don't get your hopes up, it wasn't different in a good way. I was on the phone with a Microsoft offshore call center, remember?) Not only was my personal system down, but apparently their whole call center system was down. They were unable to validate my install and told me I'd need to call back later after they got their system back up and running. Apparently there was no other backup call center online, I simply had to hang up and call back another time when their system was back up.
Back to my trusty dual-boot Linux partition with its `sudo bash -c 'apt-get update && apt-get upgrade && reboot'`, or my Mac with its `sudo bash -c 'softwareupdate -i -a && reboot'`
Oh, and Jim Allchin can kiss my ass. "It's rock solid and we're ready to ship." Rock solid as in paper weight. What good is a stable OS that won't let you use it?
Ok, you've got many PCs most of which run Windows XP. They've been crashing every Exploit Wednesday since October. Every one has a license that was paid for three times (six times under Software Assurance). You have seventeen core apps. Some of them are paid for several times. Some have a licensing server so that some people can use them when other people aren't, and come with a utility so that priority users can kick off nonpriority users. A couple of them are free. Four of them are nagware that came with your PCs or that you thought were a good idea at the time. One is an in-house app that only runs in a DOS box and accesses dBase files stored on your server. Every month a couple get pwned for no detectable reason.
Even if they don't run Windows you've paid over and over. You have to because they've made it happen what "enforcement" will happen if you don't.
Every software vendor you buy from makes it clear the software you bought is being split into "basic" versions that include most of the features you use, and an "Enterprise" version that includes must have features you can't live without. Both new versions will be annual subscriptions instead of purchases. Naturally, the Premium version you require will cost many times what you already paid and the cost will be annual rather than once each. Of course they're entitled to this conversion of your purchase into a "revenue stream" because they've upgraded their product from an application to a "platform framework" that "optimizes" your "TCO".
You're thinking about investigating this multicore thing that people are talking about, but it seems impossible to reconcile the software licenses with multiple "cores" on one or more CPUs. You want to do server consolidation, but every server app has to be evaluated both by a professional enginner and by a hideously expensive team of lawyers who also want to audit every piece of software you've purchased since 1974. Your CPA wants to know why you licensed the same software 3-6 times for each PC, and why you're buying licenses for software that won't run on the PCs they're purchased for. And what's this entry for "SCO Linux licenses"? You live in dread of being audited by jack-booted thugs, not because you're pirating but because the danger of a paperwork snafu that destroys your budget is nearly certain and the slightest discrepancy is going to get you canned.
I have one question: What the hell are you thinking? Get off the train to crazy town. The free stuff isn't just good, it's better. So much better that you're not going to believe you put up with this crap. If it's truly free you don't have to account for each copy/user/use/year/processor/incidence. It's not free because it's less worthy: it's free because you're not the first person to be disgusted by the experience you're having. Pay for support. Nobody ever got sued for terminating their support contract. Figure it out. The world has changed. The future is open.
Help stamp out iliturcy.
http://imgs.xkcd.com/comics/alice_and_bob.png
455fe10422ca29c4933f95052b792ab2
The police analogy is more apt than I think you realize. Like all victimless crimes, it's nearly impossible to enforce, because there's no one to complain to police.
It sounds like there is a lot of confusion, and admittedly, I'm not going to read the article, because it seems to come from there.
Vista apparently requires an authenticated path from the digital media all the way through the audio and video output devices to play a DRM data file. The kernel and system drivers are configured so as to prevent hooks form intercepting the data once it has been decrypted, making it difficult to get around the DRM on a Vista-installed system, short of a brute-force key cracking (all of this is theoretical, of course -- knowing MS the system is probably filled with more holes than swiss cheese, but I'll ignore that for a moment).
In a VM environment, however, the OS doesn't have direct access to the hardware -- th software VM environment emulates all of the hardware including the display and audio hardware. If you run Vista inside a VM on an OS that doesn't restrict digital data capturing (like say Linux or Mac OS X), you can easily capture the data Vista is decoding within th host OS layer.
I'll give you an example. On my MacBook I'm running VMware Fusion beta 4.1, with a 64-bit Windows Vista Business Edition virtual machine (an an Ubuntu, Debian, and Solaris VMs -- I'm a bit of a VM junkie). Under Vista, I can play Microsoft DRM'ed audio files without an problems -- they go through MS's protected media player and the protected Vista kernel, through the properly signed audio driver, to VMware's virtualized audio device (I believe it emulates one of the Sound Blaster series cards), which simply outputs the audio through Mac OS X's audio subsystem.
OS X's audio subsystem can be easily hijacked using third-party tools, which simply grab the digital audio stream from the specified application, optionally cruns it through a user-specified codec, and writes it to disk. Presto -- I can take MS DRM'd audio files and strip them of their DRM quickly and painlessly, in full digital quality.
The same can conceptually be done for video, although with certain added complexity (as I'd need to capture just a region of the display, and not the entire display itself. I'm not sure if the hardware could handle both decoding and re-encoding a digital video stream simultaneously in real-time, along with the audio that accompanies it -- but that's something easily solved by either storing everything temporarily in uncompressed form (if the HDD can keep up), or by waiting a few years for faster/more parallelized hardware which can do these task simultaneously).
Of course, if MS had any backbone they'd stand up for their end-users and say no to the media conglomerates, and remove DRM limitations from their products, but the likelihood of that happening appears to be virtually zilch. But that's no skin off my nose, and just gives Linux yet another way to gain a foothold into the enterprise.
Yaz.
This is incorrect. The HDCP spec DOES NOT include the capability to permanently disable a device, period.
It is possible that content providers can blacklist/revoke the encryption key for a HD-DVD or Bluray player, but this would only brick the disc player, not a TV.
In short, no signal - either junk or deliberate - can permanently disable the hdmi port on a tv unless there is something wrong/faulty with the tv design itself.
You don't need a 5GB VM for every song (hell, the 5GB number is twink anyways, but whatever) you need ONE VM for your whole library, to run the OS that'll let you play the video while the OS that's actually on the bottom REALLY running the show does all those dirty things the boys at the RIAA and MPAA have nightmares about.
DRM is really one of the core components of Vista. It makes virtualization easier to defeat than you may realize. Go look up Palladium, renamed "Trusted Computing". It's hardware level authentication and software access control, and it's specifically designed to weld host authentication to file access. Those keys are hardware stored, on the motherboard, not software stored. And the encryption chips or CPU based encryption is not directly accessible to emulation, not without paying a genuinely unacceptable performance penalty in use.
Gah.
Is stupidity abound or something? The comment from the article about copying multi gigabyte images is ludicrous and makes one ask if the guy has ever used a VM let alone knows anything about the basics of DRM.
First things firsts. Virtualization means that the physical hardware and virtual hardware are not linked. That means, in no simpler language, if you want to use a TV, monitor recording device or whatnot to view your VM: you can, and the VM doesn't know. This is a technological threat to DRM implementations inside a VM, because they cant guarentee the path outside the VM.
Why you would copy potentially dangerous VM images from one PC to another when you could simple capture the output, i don't know.
Once upon a time NES ROM carts implemented their own I/O multiplexing - the vast majority still aren't emulated today because it's tedious work. Guest OSes inside VMs will continue to find ways of obfuscating their data (after all the guest inside a VM doesn't even have to be the same architecture as the host!)... its anybody's game once you're outside of the Guest.
MS don't want people to virtualize their software for the same reason DRM is a CEOs best friend: they can charge more for less restrictions.
If you have to pay $100 extra for the Ultimate or Pro versions of Vista to get virtualization, and people want virtualization, it can be seen as a valuable extra. Extras, not to be confused with added value, increase price premiums through added cost to the purchasing party.
However, the meat of the issue is not that people spoke out about DRM in such obvious and clear cut language, touting the anti-competitive stance MS has taken, but bloggers and writers are steering the focus to Linux which is offering a mirad of virtualizations for free. The only sensible stance is to do the same - just like MS did with VirtualPC... MS can't afford to be completely leapfrogged in any area.
The thing the irks me is that people are constantly barking up the wrong tree with regards to industry ties with companies and DRM. The "MAFIAA" (as it's been put) is convincing companies to make DRM provisions, but they can't force the implementation on to end users if companies can't/don't want to/disagree. MS allowing virtualization is nothing more than a technology response to Linux. No one is warming to DRM, DRM is not dying any time soon. This is market forces at work. Granted market forces are slow, and cause no end of problems for us now...
The advantage of digital for piracy is not that you can get a perfect copy. Perfection is not the goal in piracy. In many cases a camcorder shooting a screen is fine. Instead, the advantage of digital is that the quality is not degraded further as an infinite number of generations are made. Traditional pirates were limited to making 2 to 5 generations of VHS tapes because after that, almost nothing was left of the original movie. But an analog ripped (not cracked) MPEG file can be traded all over the world without any further single bit errors (although some of that will happen at times). The internet scares the content industry because of the speed (the latest release can be in the hands of millions before the big opening). Digital scares them because it enables the multi generational sharing as we already see in P2P. The problem is, they are fixated on encryption, which is at best going to prevent the average Joe from making a perfect copy and sharing with his neighbor across the street. When Joe finally figures out how to make an analog rip or just shoots it off his screen with a camcorder, his neighbor might reject it because it's not perfect, but you can bet the world will eat it up via the internet.
now we need to go OSS in diesel cars
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Virtualizing Palladium is non-trivial. Like most encryption technologies, it's designed to be computationally expensive, which makes emulation awkward for file-based decryptions, and will make doing it in emulation painful indeed. Also, numerous of its technologies are patented: this makes it very difficult indeed to get it built into licensed software form the US, or to import commercial software that supports it.
Second, Palladium is based on phoning back to the mother ship. *Every single Palladium key* is revocable, and replaceable by the registered key owners or their upstream signatories, including Microsoft itself. The upgrade and shift to new keys is designed to be vendor controllable. This makes a single signed key of limited usefulness and limited lifespan.
Want to reply? Try my a little reading comprehension first.
Point 1: I didn't say I'm upset with Vista. What I did say is that I don't like the Widows Platform. As such, moving from running my embedded dev tools on XP instead of Vista really makes no difference to me -- I don't like either one, have a free license for 64-bit Vista Business Edition, and so use it in those few instances where I have to.
Secondly, I was defending Vista as actually running quite well under VM. So where do you get the idea that I'm upset with Vista? I dislike Windows because the entire line has been poorly designed, I don't like the UI at all, and MS routinely over-promises and under-delivers (how is WinFS, which was most recently supposed to ship in Vista and was yanked roughly a year ago "10+ years ago"?), but I don't have any particular hatred for Vista beyond it being another flavour of Windows crap.
As for your accusation of hypocrisy, Mac OS X doesn't have anywhere near the level of RM Vista has, and OS X's DRM is pretty easy to avoid: just don't buy songs from the iTunes Music Store. It doesn't have secured pathways that require handshaking with your video display just to play encoded videos, and it doesn't have a kernel you can only plug signed, vendor-validated extensions/drivers into (and which refuses to ply such content if you don't). It simply has a DRM decryption module built into a codec. That's it. It's easy to void and remove, and doesn't impinge developers abilities to develop applications or drivers for the system. Don't like DRM on the Mac? Drag and Drop iTunes to the trash and it's effectively gone. Then go and play your media in VLC.
So, before you post, at least use some reading comprehension first before you go foaming at the mouth?
Yaz.