Slashdot Mirror
The DRM Scorecard
An anonymous reader writes "InfoWeek blogger Alex Wolfe put together a scorecard which makes the obvious but interesting point that, when you list every major DRM technology implemented to "protect" music and video, they've all been cracked. This includes Apple's FairPlay, Microsoft's Windows Media DRM, the old-style Content Scrambling System (CSS) used on early DVDs and the new AACS for high-definition DVDs. And of course there was the Sony Rootkit disaster of 2005. Can anyone think of a DRM technology which hasn't been cracked, and of course this begs the obvious question: Why doesn't the industry just give up and go DRM-free?"
Just because the ability exists to crack it, doesn't mean that the average Joe on the street can do so.
It discourages casual copying, nothing more, but I can't imagine it was intended to do any more. Nobody's that stupid.
"It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
Frivolous lawsuits. Until the RIAA finally realizes that its lawsuit tactic isn't working it's the only attempt at DRM that hasn't been made completely useless yet. Unfortunately I don't see that happening unless/until they lose bigtime in multiple court cases.
I have this massive pile of digital rights that I really need to manage. Yet every fucking piece of management software I download has been hacked. There's not even any patches for this shit. How the fuck am I, as a concerned citizen, supposed to manage my rights?
Is Blueray. That's going to last another decade.
Your ad here. Ask me how!
The same effect has been observed in software for years, Windows XP had an activation thing built in, anyone who knew what they were doing would bypass it, anyone who didn't (and didn't know anyone who did) would eventually go and buy superfluous copies of software they already owned.
Okay, let's try Alex Wolfe's argument in a different context:
"When you list every major law implemented to "protect" life and property, they've all been broken. Can anyone think of a law which hasn't been broken, and of course this begs the obvious question: Why doesn't society just give up and go law-free?"
DRM doesn't have to be perfect to do its job, anymore than law enforcement has to be "perfect". It just has to be effective enough to keep Joe Average from copying the file. Whether or not DRM is actually "good" or "bad" for media producers is a completely different argument, but Wolfe's sophomoric reasoning does nothing to address it.
but as far as this goes: "However, like true Brits, they're soldiering on and releasing it, possibly convinced that it's not much use worry about what those stupid Americans are up to with their software schemes, anyway." I think they got it pretty bang on.
No one ever expected DRM to stop all copying. That was never it's purpose. The purpose of DRM was to curb copying, which it has done. Everyone realizes there will always be a way to get around DRM (or anything else really) if you really want to. But if you can implement DRM and stop 50% or 75% of copying, that is a big improvement. That is exactly what they did. They implemented a solution that will reduce copying by the average person, which means more money in their pockets since less people are copying CDs and giving them to friends (and no, I'm not claiming every person who copied a CD would go and buy it, but certainly some of them will).
DRM works under the same concept as locking your car. IF someone really wants in, they will get in. But it certainly cuts down on the casual person who will take an easy opportunity, but doesn't care enough to put in the effort to get around the measures you put in place.
"Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
Last I looked Cable HDTV DRM still hasn't been cracked which sucks if you want to use a myth box. You can only get an HDMI with HDCP signal out which I also don't think has been cracked. I really hope they do crack it so I can watch the HDTV that I pay for on my computer whenever I want. As a side note I once talked to my friend(who works for comcast) about driving a GNU/Linux driver for the CableCard. He told me it would be hard and was 100% sure we would be taken to court. The CableCard apparently looks to make sure the hardware using it is certified. Cracking that shouldn't be to hard but apparently the deal that at least comcast has with the content providers is that if there DRM is cracked they have 30days to fix it otherwise they have to recall all devices with the DRM capability and destroy them. Then they can issue new ones with newer DRM, otherwise they risk losing that content.
DRM is just "an electronic lock".
There's a well known saying "Locks secure you against honest people" (or words to that effect).
The hard-core/organized/professional criminals have the skills, technology and motivation to bypass these "security measures".
Remember people, locks aren't about making you secure, they're about making you FEEL secure.
s/locks/airport security screening procedures/
s/locks/the department of homeland security/ (well, that and political empire-building and creating a police-state by stealth)
Smokey The Bear Says: Only YOU can prevent the violation of your civil rights "in the interest of National Security".
Visit CryptoGnome in his home.
A mechanism that is difficult to crack (whether that is a physical lock or DRM or password) makes it harder for the cracker and reduces the likelihood of someone actually doing the cracking. That removes casual crackers from the equation.
It also makes the cracking act more deliberate and makes it far harder for someone to claim: "That diamond got in my pocket.... I just found it on the sidewalk and thought it had been thrown out." or "Oh that music on my MP2 player... I thought it was free!"
Engineering is the art of compromise.
Perhaps this has already been mentioned, but the dongle systems that protect many Mac music applications and plugins seem to have held up so far, as in either iLok
or some of the Synchrosoft dongles. Logic Pro 7 is not really something that has been cracked yet either, to my (admitedly limited) knowledge.
From what I recall reading, when H2O did manage to [k] Nuendo, it took them so long that I think they said
they were not going to bother doing it more, as the process was just too annoyingly time-consuming.
Theoretically, these systems could probably be made to protect anything which is a software-based application. Not sure if this qualifies as DRM, rather than just some 'copy-protection'
technique but certainly it has helped ensure that many small developers of quality audio plug-ins survive because their creations cannot be cracked.
Z.
There's only one copy protection system I know of that hasn't been (meaningfully) cracked, and that's MediaCipher, created by Motorola for the cable TV crowd. Ironically, it was one of the first ones ever created. (Of course, it helps that the boxes implementing MediaCipher are only rented -- never sold -- to end-users.)
Copy protection next showed up in a major way for computer games, most notably for the Apple ][ computer. This fetish briefly spread into applications software as well as games, until the users thundered, "No Fscking Way." It took about four to six years for this to shake out.
Despite the fact that there is no conclusive evidence that copy protection has any meaningful impact on sales, anti-copying measures are still used extensively, but by no means universally, throughout the games industry. In particular, Unreal Tournament's initial anti-copying measures are little more than perfunctory, and are later dropped entirely.
Near as I can determine, copy protection advocates claim as axiomatic that unsanctioned copying will depress sales to livlihood-threatening levels. They cleave to this axiom with a fervor usually associated with religious fundamentalists. However, every time this axiom is honestly examined, mitigating or even entirely contradictory evidence is discovered. Yet the myth persists.
It's not the technology we need to combat (since Turing proved it can never work). It's the defective thinking.
Schwab
Editor, A1-AAA AmeriCaptions
Was someone a little strapped for cash?
"Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
Unfortunately, the analogy doesn't quite hold. Breaking into bank vaults is more like performing a brute force attack on a DRM scheme, every time you wanted to break it. DRM schemes don't work like that. Typically once a scheme is compromised, it becomes possible for anyone subject to it to break it almost instantly. All it takes is for someone to write a quick tool that automates the cracking process and all the barriers presented by the DRM scheme pretty much fall away.
I'd say that DRM schemes are like having one giant bank vault. Yes, it will eventually get compromised, and once it is, everything inside is trivial to take.
Last time I checked, you can strip the FairPlay DRM from iTunes music files pretty easily, but nobody has released a tool that does the same for video files purchased from iTunes.
So ya can't yet burn that episode of "Lost" you bought on iTunes to a DVD.
I stole this sig from someone cleverer than me.
If a job's not worth doing, it's not worth doing right.
one definition of insane is doing the exact same thing over and over and expecting different results.
From Wikipedia:
"Cryptanalysis researchers demonstrated fatal flaws in HDCP for the first time in 2001, prior to its adoption in any commercial product. Scott Crosby of Carnegie Mellon University authored a paper with Ian Goldberg, Robert Johnson, Dawn Song, and David Wagner called "A Cryptanalysis of the High-bandwidth Digital Content Protection System". This paper was presented at ACM-CCS8 DRM Workshop on November 5, 2001.[1]
The authors conclude:
"HDCP's linear key exchange is a fundamental weakness. We can:
* Eavesdrop on any data
* Clone any device with only their public key
* Avoid any blacklist on devices
* Create new device keyvectors.
* In aggregate, we can usurp the authority completely."
It must be noticed, however, that for this attack you first have to break Blom's scheme (the linear algebra based key exchange system). In the case of HDCP you need a minimum of 39 device keys in order to reconstruct the secret symmetrical master matrix that has been used to compute all device keys.
Around the same time that Scott Crosby and co-authors were writing this paper, noted cryptographer Niels Ferguson independently claimed to have broken the HDCP scheme, but he did not publish his research, citing legal concerns arising from the controversial Digital Millennium Copyright Act [1].
The most well-known attack on HDCP is the conspiracy attack, where a number of devices are compromised and the information gathered is used to reproduce the private key of the central authority.
To read my post please enter the first word from pages 6, 27, and 32 from the manual.
Fundamentally, you're spot on. It is a hell of a lot worse than bank vault security. You can't have the party it's secured against also the one it decrypts for. It just makes no sense! All DRM is crackable by definition, they know this, they just want to make it as much of a hassle as possible.
No, it's flawed because it CAN be cracked easily: The decrypting key is in the firmware contained in your DVD player.
In cryptography, we have an explanation using Alice and Bob. Alice is communicating with Bob, while Eve (eavesdropper) tries to decrypt the message. Alice and Bob have the key to decipher the message, but Eve doesn't. She wants to decrypt the communication *without* the key.
A --- E --- B
Alice in this case, is the Digital Media producer (or encrypter), and B is your DVD. You're Eve. The problem with DRM is that Eve *HAS* the key. By cracking the DVD software (some disassembly, debugging and you're done), Eve can obtain the key from Bob.
A --------- B E
This is the problem with DRM. It's flawed by design. The DMCA is a legal "patch" to this algorithm, punishing Eve if she gets the key from Bob. The problem with DMCA is that the punishment doesn't apply to all countries, and trying to enforce it results in attacking freedom of speech.
"this begs the obvious question: Why doesn't the industry just give up and go DRM-free?"
The entire entertainment industry is so consumed with greed that they are no longer able to think clearly. The failure of DRM is so painfully obvious, but the MPAA, RIAA, BSA, etc. are so blinded by greed that they can't see it. To them, the failure of DRM is proof that they need bigger badder DRM along with bigger badder laws to punish people. This is what greed does to you.
The secret to success is simple: make a good product and sell it at a fair price. But when you are bkinded by greed and convinced that you're losing billions of dollars to "piracy", you think that the secret to success is to control your precious "intellectual property" with the most draconian iron-fisted methods possible.
I dont like the analogy of a bank vault at all. Its not like people are breaking into a video store and stealing videos. These are usually people who have lawfully purchased a video and want to use it for their own private purposes but this has been restricted by DRM. DRM circumvention is often an attempt for a consumer to simply use something they legally purchased for their own private use, such as making back up copies or playing it on their computer, or copying to their ipod. I dont see any problem with that unless they are distributing it to others, Once a person has legally obtained some work, it should be theirs to do as they please with it for their own private use.
We already have copyrights to protect the producers of works. DRM is going too far as it restricts the users rights to use something for their own private use, for which they have legally purchased.
"They give people who know what is right permission to do the right thing."
George Orwell just called and said he owns the IP to "newspeak", and he's giving you permission to do the right thing and stop stealing it.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
It is all about enforcing a monopolistic distribution channel, a walled garden. They are trying to get all of the pie, not just a chunk. I went into more detail here:
http://www.theinquirer.net/?article=29161
-Charlie
You're right in that what's currently used for digital cable and satellite TV feeds hasn't been cracked. But this has a history, at least in Europe, of being cracked, holes found in the algorithms and all sorts of fun, then 6 months after it gets public known they change encryption system, and the TV pirates can start over. The encryption systems have in that way gotten so tough to crack that the pirates have found other ways, the most common way to get around the encryption today, is to get a receiver of which you can replace the firmware, and in that way get the receivers to share the smartcards with each others over the internet, for the time being the TV providers knows it's happening, but they fail to figure out how to prevent it, so instead they spread rumours that their encryption providers in Israel are able to detect when cardsharing occurs, but I have yet to hear about them catching anyone in that way.
If I was as pragmatic and objective as I claim to be, would I be commenting?
Sure there is. A correctly employed OTP is completely, mathemathically proven, uncrackable.
But there is no uncrackable DRM-technology. There can't be. By nessecity the users machine MUST contain all the information needed to decode the media. If it didn't, it couldn't display it. If it can display it, it fundamentally CAN also save it in an unrestricted format.
Yes, it may be more or less tricky to get at the keys. But it'll always be *possible*.
Locks are a good way to keep honest people honest, but they should be simple and unobtrusive. The reason why we have key locks on our front doors instead of complicated biometric systems (this may be the wrong audience for this comment) is that they are simple, cheap and less prone to failure.
Remember the front door is public, the lock is public but only the owners have the key. The front door system works because not everyone who can get to the door has the key. DRM simply doesn't work because you have the content, the lock and the key.If this were really happening, what would you think?
Not trying to be a troll. But I strongly disagree with the hive-mind about DRM being as hopeless as the comments proclaim.
Frist off, digital piracy isn't that different from brick-and-mortar piracy -- sellers will always try to find ways to prevent theft, and those who want to pirate stuff will always find ways to circumvent the checks. This is human nature and the it'll probably never change.
Second, while we (rightly) think that the RIAA could save itself a lot of effort by revamping its model, that argument doesn't scale to other media. For example, movies. Movies are expensive to make, and don't sell in the same volumes as songs. The RIAA might easily solve its problems by moving to an AllOfMp3-like model, and pricing structure. But the MPAA won't be able to do the same -- charging 10 cents a movie will mean that they need to sell about 150 times the volume to make similar profits. Charging even $4 a movie will be enough incentive for people to go back to bittorrent. So clearly, its a never-ending tug of war, and while we think the RIAA/MPAA should in good faith adjust it's pricing model etc. the MPAA (at least) can't rely on the same good faith from its customers.
But of course, the RIAA and MPAA are not blameless. And neither are Apple and MS and anyone else creating DRM schemes for multimedia formats (in fact, perhaps the Apple and MS folk are more guily than the RIAA/MPAA. Thier real sin is, they are trying to exploit a side-effect of DRM by not openly licensing thier DRM schemes and not making them interoperable/platform-agnostic. They have seen the side-effect of locking in customers by not licensing thier DRM schemes and by using proprietary formats, and they're frothing at the mouth with the possibilities of locking in customers, and getting duplicate revenues from those that do defect.
At one point, I was actually willing to give MS some props for trying to rally the industry around a single DRM scheme (PlaysForSure) and keeping the API for it open. The lack of PlaysForSure on Macs and Linux is a big problem, and using WMA is a bigger problem, but the real sin was when they came out with yet another DRM system for the Zune. (Unless their PlaysForSure contracts made it a necessity by stipulating that MS will never come out with a PlaysForSure device or something like that - I wonder).
And Apples fault is in how they choose to license FairPlay. They seem to have some arbitrary 'coolness factor' that needs to be met before they license FairPlay (which they do license out). For example, it's clear that the Xbox ppl have given iPod integration a lot of importance, and they must surely have approached Apple to license Fairplay so that even protected songs could be streamed to the 360 from a PC/Mac or iPod. The fact that this doesn't work today can only be because Apple did not license FairPlay. A terrible sin, for what would have been a very cool and easy to use feature. They did not think about the benefit to their users first -- they thought about lock-in instead.
This is really what's wrong with DRM today. Companies are having a field day with trying to lock in consumers, and not giving any thought to enabling them to use thier property in as many fair ways as possible. The focus is completely on lock-in, and disabling, rather than enabling, and maintianing an audit trail without hindering.
The solution might come from the market, in time. But for that people need to be very vigilant about shunning DRM schemes until these companies learn thier lesson and start inter-oprating with each other. That doesn't look like its happening anytime soon -- what with iTunes downloads crossing the 3 billion mark the other day. Consumers only have themselves to blame if they endorse DRM in this manner.
The solution might come faster through litigation. Either through class action lawsuits (iTunes customers who want to migrate so a non-apple mp3 player, who get pissed because thier collections are now worthless), or Congress (ve
Good luck trying to get this information past any tie.
I've been in the computer security biz for a long while now. You'd be amazed how many suits think of security as a product to buy, to install and then never think of it again. When you tell them that it should be audited and reviewed every now an then at least (personally my suggestion is every month or at least every two months), they look at me bewildered and reply with something akin to "but we just bought the security you mentioned. What gives, is it not secure?" (implying "Are you selling snakeoil?")
You have no idea how hard it is to get it past an exec's skull that security is an ongoing process and evolving, not something static that you set in stone for now and forever.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
But some people enjoy working on their homes, and like the satisfaction of getting done and knowing that they did it. And I know that if my choices were either:
A. work overtime so that I can pay someone to do it, or
B. not work overtime and do it myself
I'd choose B. Working on a house is more interesting than sitting at a desk driving Catia all day, and (usually) the frustration level isn't any higher. It may take me longer overall, but I'd be at home with my family instead of at work.
The meek may inherit the earth, but the strong shall take the stars.