Slashdot Mirror
Open Source DRM Solutions?
Feint writes "I'm working on an business platform for inter-company collaboration based on an open source software stack. As part of that platform I would like to integrate some sort of digital rights management for the documents in the system. The vast majority of articles about DRM are focused how good or evil it is to apply DRM to digital music or video. I haven't seen many articles address open source solutions for protecting business data like CAD / MS Office / PDF / etc. documents, which is a real need in business today. Can the Slashdot readership suggest some open source DRM offerings other than the Sun DReaM initiative, which hasn't had a release since Jan. 2007?"
I'm sure some of us could, but why would we want to? Design our own prison? Encumber data? Stop whistleblowers?
For every problem, there is at least one solution that is simple, neat, and wrong.
DRM is security through obscurity. If you have the code, you can break any DRM, so there's no point in developing open source DRM. It's also why all DRM eventually fails.
Use encryption if you want safety. But you still can't prevent the people who have legitimate access from doing whatever they want to the documents.
DRM depends on proprietary software. You are encrypting a file, then giving the user the key to decode it, while telling the program in question to decode the file, but only allow it to be used in one of a few ways (eg. display PDF, but don't print).
Such a system is untenable with proprietary software (just need to find the right memory address), and absolutely impossible with open source software, as you can simply remove the line in the program that tells it what actions not to allow. (See xpdf). With proprietary DRM systems, the companies just hope it's difficult enough to decipher the compiled code of the proprietary programs, that it takes a while before someone finds the right spots in memory to probe/change, and publishes the details... Then, they make trivial changes to the DRM system, and call it a new, "fixed" version that everyone should start using quickly (before someone figures it out).
The only thing DRM can do effectively, is to prevent the first opening of the file. After you send that first key (eg. via server), no matter what the DRM involved, the user can (trivially) strip the DRM off, and do whatever they want with the unencrypted file.
If that is what you want... I would suggest using public-key encryption to protect the file instead of a commercial "DRM" system. Either PGP or SSL (keys in combination with a password) can make absolutely sure only the intended recipient can make use of the file, even if others obtain copies of it. If you are expecting any more control over what others do with the file, you are simply denying reality.
All that said, here is one open source DRM system: http://www.sidespace.com/products/oggs/
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
Here's what's become my business-side take on DRM: don't bother.
DRM systems set the bar too high for honest users who just need to get some work done, and too low for malicious users.
Corporate espionage in mind? Just make screen-captures. That won't work? Digital camera, anyone?
You can't make it work, principally because there's no way to both show and not show the same document to an end user. The security is only as good as your trusted users are.
You can also appeal to reason on financial grounds: the Hollywood studios are extremely motivated to make DRM work, have pored in millions and haven't hit on anything at all that prevents piracy.
If they can't do it, you probably can't either, and should probably focus on differentiating your content by making it sticky and extremely easy to use.
DRM is a twisted variant of crypto. If Alice sends a message to Bob using GPG, Eve can't read it because she doesn't have the key. In this case, Bob is the intended recipient, and Eve is the unintended recipient. In the case of DRM, Alice encrypts software and gives it to Bob. So, if Alice doesn't give Bob the key, Bob can't use the software. If Alice does, then Bob can break the DRM, having both the key and the code.
So, in DRM, Bob and Eve are the same person. DRM is not only socially undesirable, it's sexually perverse.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Make absolutely certain the drawings being used on the production floor are the correct revision. I mean on terminals on the line. And make sure no one printed a copy for "convenience".
I.E. - Engineers and CAD designers are the only ones that can see pre-production drawings. Pre-production drawings are not accessible from line terminals, only engineering or conference room workstations. Line terminals can not print drawings, though they can print some other things. Line terminals and assembly people can't even open non-production documents.
Considering many electronics assembly shops have people on staff that used to (like, last week) work for a competitor the possibility of moles in real. So, prevent documents from being opened by non-authorized personnel. Prevent drawings from being printed, copied to removable media, etc.
I've had to deal with all of that in a manufacturing environment.
Learning HOW to think is more important than learning WHAT to think.
Aditionally, at some point, people will just not put up with that nonsense anymore - with HDDVD players refusing to work with projectors or whatever because one little detail in the HDCP chain isn't exactly right, and other horror stories like this.
The alternative is easier nowadays: Piracy - It Just Works. With sites like ThePirateBay and easy to use Bittorrent clients like uTorrent and the likes, and with fast net connections, pirating HD content is seriously becoming easier for average users than getting it in a legit way.