Open Source DRM Solutions?
Feint writes "I'm working on a business platform for inter-company collaboration based on an open source software stack. As part of that platform I would like to integrate some sort of digital rights management for the documents in the system. The vast majority of articles about DRM are focused on how good or evil it is to apply DRM to digital music or video. I haven't seen many articles address open source solutions for protecting business data like CAD / MS Office / PDF / etc. documents, which is a real need in business today. Can the Slashdot readership suggest some open source DRM offerings other than the Sun DReaM initiative, which hasn't had a release since Jan. 2007?"
Public key cryptography. It won't protect work from being copied, but that's an endless battle anyways until the trusted computing platform is mainstream.
I think the systems you're after are called Document Management Systems, like you'd find used for medical records under HIPAA.
The only open source system I am aware of is OpenKM [http://www.openkm.com/].
Most people smart enough to program such a thing are also smart enough to know it can never work. People who do create/sell/push drm solutions are selling snake oil.
Your best bet is to use PGP and simply encrypt your data, and trade public keys with your intended recipients. And plan ahead - once someone can see it, assume they can always see it. The whole "revoking a key" bit is the snake oil part of DRM.
Weaselmancer
Ridiculous.
For all those who are saying "open source DRM" is an oxymoron, they should have a look at OpenIPMP, which is an open-source DRM solution for video formats. So there is a precedent for this kind of thing, although it may not be widely adopted.
Nemilar http://www.techthrob.com - Visit Me!
Public key is the way to go. Place the keys on smart cards or smart USB keys. Encrypt files individually, not just as volumes. OK, it'll be a pain in the ass. Maybe PGP Enterprise will help?
"DRM" is not the search term you want, though, and it is in fact not what you want for business documents. You just want to set up a public-key infrastructure (PKI) and make sure people protect their private keys. This can be done by OpenPGP, GnuPG, etc.
DRM makes it hard for people to leak a file. It does not spend very much effort, if any, on authenticating the initial owner of the file (for example, anyone who picks up a DVD can play it, although they can't copy it to a new DVD). In a business environment, you're usually far more worried about authenticating the file's recipient and making sure the original does not accidentally reach anyone else's computer, than about preventing a cooperative person from intentionally leaking the file. (In most cases, you do want to permit them to print, copy-and-paste, etc. the document. These would all be prevented by DRM because they all make it easy to leak the file.)
The other failing of DRM, as I'm sure you've seen discussed, is that it's crackable by mere cleverness. If you're going to permit someone to view a file on screen (or hear an audio clip over headphones), you can always take a screenshot (or recording) and leak that. HDCP and so forth make the screenshot harder, but nothing prevents you from pointing a camera at the TV. It will be low quality but it will be a leak. PKI, on the other hand, is only crackable by brute-force searches of the key space, or (unlikely though possible) sufficiently smart mathematicians.
There's basically two kinds of DRM in the world: DRM that's been broken and DRM that no one has cared to break.
So, that said, here's some python DRM you can use which I am releasing into the public domain:
(replace _ with spaces)
Repton.
They say that only an experienced wizard can do the tengu shuffle.
What you want is those medical records/taxes/bank records encrypted or otherwise secured. DRM is a very specific thing which is not that.
Cory Doctorow went over this a couple of years ago when Sun came up with the (I'm guessing abandoned) idea of an Open Source DRM. Here, go read why it's oxymoronic: DRM != SSL
Any protection scheme where your customer and your attacker are the same party is doomed to failure, IMO.
Do not buy any DRM-encumbered products. Make a statement about this by not participating.
You should also check out http://www.alfresco.com/. It was started by some of the founders of Documentum and Interwoven. It does some interesting Enterprise Content Management foo, which may be of use to you.
... I suggest you put your wallet back in your pocket, and don't spend any more money on consultants, software, or IT staff hours spent configuring the free and non-free stuff in furtherance of your goals.
Instead you should save your money and hire a lawyer who will draft up NDAs for you to have people sign in order to protect those documents/secrets you want tightly controlled.
Technical solutions will not cut it. They never will. You are throwing your money away.
Hire a lawyer, and only give the documents to people who ABSOLUTELY need them and are worth the time to get contracts involved with.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
The problem is -- with DRM the intended recipient and the potential attacker are THE SAME PERSON. Which is mathematically impossible to solve using crypto.
Crypto works because you give the decryption-key to the intended recipient, but others don't know it, and can't easily guess it since it's a large random string.
But with DRM, you give the recipient the file *AND* the decryption-key, and then say: You may use this key to decrypt the file and display it on your screen; but not to decrypt it and print it on your printer ! (for example)
That is fundamentally impossible to enforce. The decryption-algorithm does not care what happens to the file AFTERWARDS.
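The point made in the comment above, as an added example that is not part of the original thread: a constructed container format in which encryption and a MAC keep outsiders out and detect policy tampering, while the "no print" flag is only honoured by a viewer that chooses to check it. The container layout, function names and the stdlib-only toy cipher are assumptions made for illustration; a real system would use a vetted AEAD.

```python
import hashlib, hmac, json, os

def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keys for encryption and authentication, derived from one secret.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy stream cipher: HMAC-SHA256 in counter mode (illustration only).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _tag(key: bytes, header: bytes, nonce: bytes, body: bytes) -> bytes:
    # Length prefix keeps the header/body boundary unambiguous under the MAC.
    msg = len(header).to_bytes(4, "big") + header + nonce + body
    return hmac.new(_subkey(key, b"mac"), msg, hashlib.sha256).digest()

def seal(key: bytes, plaintext: bytes, policy: dict) -> dict:
    nonce = os.urandom(16)
    body = _xor(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext)))
    header = json.dumps(policy, sort_keys=True).encode()
    return {"policy": header, "nonce": nonce, "body": body,
            "tag": _tag(key, header, nonce, body)}

def open_sealed(key: bytes, box: dict) -> bytes:
    # What crypto does enforce: wrong key or edited policy is rejected.
    expected = _tag(key, box["policy"], box["nonce"], box["body"])
    if not hmac.compare_digest(expected, box["tag"]):
        raise ValueError("wrong key or tampered container")
    ks = _keystream(_subkey(key, b"enc"), box["nonce"], len(box["body"]))
    return _xor(box["body"], ks)

def compliant_print(key: bytes, box: dict) -> bytes:
    # What crypto does not enforce: this check exists only because the
    # viewer's author wrote it. open_sealed() never consults the policy.
    if not json.loads(box["policy"]).get("print", False):
        raise PermissionError("policy forbids printing")
    return open_sealed(key, box)

if __name__ == "__main__":
    k = os.urandom(32)
    box = seal(k, b"constructed sample document", {"print": False})
    print(open_sealed(k, box))  # key holder gets plaintext regardless of policy
```

The design consequence is the one several commenters reach: use the key to decide who may read a document, and treat anything a reader may do afterwards as a matter of trust or contract rather than something the container enforces.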
If you're using systems with TCPA chips, then check out this overview and IBM's examples.
Learning HOW to think is more important than learning WHAT to think.
Beware: In C++, your friends can see your privates!