Slashdot Mirror
Would You Secure Personal Data With DRM Tools?
museumpeace writes "From its own EmTech conference, Technology Review reports on a privacy strategy from Microsoft's Craig Mundie: When sharing music online took off in the 1990s, many companies turned to digital rights management (DRM) software as a way to restrict what could be done with MP3s and other music files — only to give up after the approach proved ineffective and widely unpopular. Today Craig Mundie, senior advisor to the CEO at Microsoft, resurrected the idea, proposing that a form of DRM could be used to prevent personal data from being misused."
Mundie also thinks it should be a felony to misuse that data. He thinks larger penalties would help deter shady organizations from harvesting data the user isn't even aware of. "More and more, the data that you should be worried about, you don’t even know about."
Record personal info in songs and sue any companies that sell them as copy infringement. Also use DMCA to force website to take down your info - they copied my lyric!
You know, because it works so well, it has completely wiped out the drug trade, and there's no more murders now with our fancy death penalty. Prison for all! Lock 'em up before they commit the crime. That's even better. When you're born, it's straight to jail, until you have rehabilitated yourself.
“He’s not deformed, he’s just drunk!”
Besides, isn't most of the misuse being done by companies like Microsoft? Companies whose Agree button we already click to give permission to do whatever they want with our secret datums in order to use their soivices (especially the free ones). Well, them and all the trackers but they're unscrupulous anyway.
I wouldn't secure my personal data with the same thing that's apparently keeping me from downloading a car
He thinks larger penalties would help deter shady organizations from harvesting data the user isn't even aware of.
The NSA is still going to harvest your data, laws clearly don't stop them. This will only be use as another point to increase the penalties for kids caught file-sharing, and they are already pretty extreme. $675,000 for 30 songs, might as well be a drug dealer.
A technical solution to a moral/ethical problem is doomed to failure, as someone will always be able to work around the technical "solution". Stiff penalties for abusing personal information is actually a good idea, however.
Microsoft? Trying to push DRM? Well, I never.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
This sounds like a company dying of a sucking chest wound. Any way to leverage a hated technology and force it onto people while collecting money from the RIAA/MPAA for it's implementation.
Join the Slashcott! Feb 10 thru Feb 17!
Even if you thought that this was a good idea, how would you?
The foundation of DRM is building computers whose primary allegiance is to some entity other than their owners, with this allegiance enforced by technical means (and, in the most pure form, building computers that 'default-deny' all non-DRMed content in order to make cracked cleartext copies from subverted systems useless: the iDevice 'app' situation or the contemporary console space is probably the best example of this: both realize that the cat is out of the bag for music, and most of the way for movies; but unblessed application binaries are simply refused; so, while doing so is easy, obtaining 'cracked' apps is useless without a blessed signing key).
If the intended victim is end users, this works; because the root-of-control entity simply has to have financial and/or legal ties with the 'content owners' that are closer than its ties to end users.
If actually-powerful-and-influential data brokers/advertisers/spooks/etc. are the target, though, who, pray tell, is going to be the cryptographic root of control? Google? Uncle Sam? Microsoft? Don't be absurd.
In this case, the "DRM" in question a tiny bit of metadata saying "please don't do X with this".
Sure, your data is encrypted, but as with all DRM, you're giving out the decryption key along with it. It was always a stupid idea that can NEVER work.
If you want to see the end result of well-implemented DRM, see Blu-rays... Everybody can play and copy any Blu-ray disc they want, but somebody has to go through the small hassle to do so. If the official player programs weren't closed-source and heavily obfuscated, it wouldn't even take any effort at all. That is really why Microsoft likes to push DRM... It's a back-door way to eliminate open source software from consideration.
So the crux of his point is: âoeYou want to say that there are substantial legal penalties for anyone that defies the rules in the metadata. I would make it a felony to subvert those mechanisms.â
Without the laws in place to enforce that, DRM doesn't help you AT ALL. With the laws in place to restrict what can be done with your private information, YOU DON'T NEED THE DRM.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
There may be some specific instance where I would consider using DRM, but mostly DRM stupidly prevents valid usage while failing to stop a persistent attacker. It's the nature of such things.
That is unless, of course, you're counting all encryption as "DRM". Encryption is useful. But the main reason Microsoft wants to push DRM for personal/business documents is that, by having their own proprietary DRM scheme, they create a stronger form of vendor lock-in. They can make it so that, if you want to read a standard text file, you *need* to be running Windows because the DRM is only supported on Windows. They might even be able to push you to the newest version of Windows/Office because you'll need Windows 10 and Office 2017 to open a generic text file encrypted with Microsoft DRM v3.
...if you'd use an armored division of WW2 era tanks to defend your home.
DRM doesn't work very well...in those few situations where it does work, it's an enclosed environment with a massive investment in identity management. The real key to making DRM work is being able to assert who people are...otherwise you can't tell people apart, and thus can't differentiate between who should and should not be allowed to see the content. So it's infeasible for "personal" use, off the bat; if you don't control the environment pretty much entirely (like a company with heavy IP content...one situation where DRM does work, for internal use only) then it's a losing proposition. But at the same time, using DRM to try and foil surveillance? Really? That's idiotic. DRM is not much else more than encryption with a front-end for selective decryption based on identity. It's clear enough that trying to beat the NSA at the crypto game is a tall, tall order, and probably not something which gets any easier if you make it more complex by doing it under the guise of DRM.
For your security, this post has been encrypted with ROT-13, twice.
Now all I need is a team of lawyers!
Nope. I can honestly say I don't. Not a single word.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
When Microsoft suggests anything to "protect" the user, I immediately look for the trap. In this case it's easy to find. When DRM violations are made a felony, it won't be a felony only when the violated party is the user. This is a back door way to make DRM violations against big corporations a felony. This has nothing to do with protecting users and everything to do with helping corporations.
"He took a duck in the face at 250 knots." -- William Gibson, Pattern Recognition
It sounds more like, for lack of a better term, "reverse" DRM.
Alice is trying to give data to Bob, but not give it to Chuck. Problem is, Bob and Chuck are the same person.
In "normal" DRM, Alice is a big corporation, and I am Bob/Chuck.
In "reverse" DRM, I am Alice, and the big corporation is Bob/Chuck.
Though all that said, yes, it does sound like a step towards getting people to accept "normal" DRM.
"I'm not sure I like the fugnutish tone you used in your post!" -RogL (608926)-
See subject...
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
I think this is a great place to discuss how wonderful Steam is, and how it never causes anyone any problems ever.
Cloudiot: A person who does not see offsite storage as a way to lose control over access to his or her own data.
I'm sure it will prove equally so for three-letter-agencies and other government entities.
Mundie also thinks it should be a felony to misuse that data. He thinks larger penalties would help deter shady organizations from harvesting data the user isn't even aware of.
Curious how the data collectors and abusers that we're so concerned about lately are parts of the government, thus mostly immune to their nefarious work being controlled or prosecuted. As the saying goes, "it's okay if I do it but not if YOU do it."
Laughter is the Spackle of the Soul.
the slash means everything
Laughter is the Spackle of the Soul.
Felony used to be limited to the most serious of crimes. Now we permanently cripple their ability to survive over such petty issues as copyright infringement.
DRM only works when you provide the data, and that data is difficult to reproduce. There's always the "analog hole", and the data you give a company that could potentially be protected by DRM would be transcribed in just a few minutes by some lowly data entry employee. That data is miniscule compared to the volumes of data on behavioral patterns that are collected completely outside your control.
The false sense of security is only one reason why this is dangerous as hell
(seriously, *any* form of DRM can eventually be cracked. It's just a question of motivation and resources.)
The biggest problem is that once implemented... ... it'd likely be used as some form of identification (as opposed to ordinary recognition/paper IDs)and, ... the data becomes irretrievable (to the average individual) by anything other than the tools used to build it.
This means that in total, for all practical/commercial intents and purposes, you're stuck with lock-in on one hell of a scale. I bet that Microsoft would be more than happy to be the company that gets to make those locks, no?
Quo usque tandem abutere, Nimbus, patientia nostra?
Well you remembered the dot, so I'll let it slide this time.
#1) "felony" is US-centric. The MS guy obviously ( still ) thinks the entire internet is governed by US laws. Prolly a balding 60-year old who has lost touch with reality, and especially with where, nowadays, innovation is coming from. #2) I can not recall having ever seen a good idea originating within Microsoft. Nor can I recall having seen any good idea that took the internet by storm fathered or mothered by Microsoft.
Religous speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
Besides, isn't most of the misuse being done by companies like Microsoft?
Well, not directly... but yeah.
Quo usque tandem abutere, Nimbus, patientia nostra?
Exactly. If you want to know if the data has been modified, digitally sign it, but don't rely on DRM to keep people from modifying the data, just check to see if it was modified.
What bugs the shit out of me is that people who should know better act as though DRM isn't impossible. Quick, describe a system to me in which I can give you my data but you can only process it in ways I approve of. That means that you can't copy-and-paste it, or even just take a film photo of the screen and scan that in. Seriously. Working copy protection cannot be implemented in this universe, perhaps short of every participating computer having a quantum component that stops working as soon as you observe it.
No, I wouldn't secure my personal data with Digital Restrictions Management. That's insane and can't possibly work. I'd secure my personal data with contracts that say "this is what you can do with it, and I'm going to sue you into oblivion if I find it on the Internet". That's the only known way of restricting how another party uses your information.
Dewey, what part of this looks like authorities should be involved?
Encryption sounds like what he wants, most likely the public-private key type. It has the flaw of being uncontrollable once it's reached the recipient, and his solution proposes to solve it, but that's not how data works, so they are going to be equally efficient.
This is my signature. There are many like it, but this one is mine.
"Locks keep people out of my house". They don't keep bad guys out. Anyone can kick the door in. I can pick the lock, as can many other people. A lock is a REQUEST. a "do not disturb" sign.
How about much bigger locks, like a bank vault? Have you ever noticed that most banks keep their vault door a) open and b) well polished? Does that look like security, or security theatre? Notice that next to the thick steel door is a plaster wall.
It's fairly rare that you can increase security enough that something is more expensive to steal than it's worth. Sometimes, but rarely. What you CAN do is avoid being low-hanging fruit. If only I use encryption while everyone else uses plain text, I'm safer. I don't have to outrun the bear, so to speak. If everyone encrypts their data , the bag actors will download the hack tool to decrypt it.
Whoever that guy is, he should be laughed down by the serious IT and security world for his stupid "input".
If your security solution requires that you pass a law making it illegal to break your security, then it's not a solution.
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
except with the record companies.
The true history is that the labels forced DRM on Apple and over time, Apple's DRM along with the popularity of iPods and iTunes gave Apple negotiating leverage over the record companies since it sold 70% + of the digital music and no one else could sell DRM protected music for the iPod.
When they asked Apple to license their DRM, Steve Jobs said no and told them if they wanted interoperability with iTunes and iPods with other vendors let everyone sell DRM free music,
http://www.apple.com/ca/hotnews/thoughtsonmusic/
Most people back then didn't care about DRM as long as they could play their music on iPods and burn their music to CDs,
Would You Secure Personal Data With DRM Tools?
Well, sort of, I guess. But it's called ENCRYPTION. And the only one with the rights to that material is me.
DRM traditionally let's other people sorta kinda maybe see the material. And is bound to fail.
When Microsoft and other companies try to fight copyright infringement, they essentially made the law that "making the product available" constitutes the infringement. It doesn't matter if anyone has actually downloaded the copyrighted material or used it in any way that might be illegal, the fact that the product was "made available" is a violation of the law and implies under hefty statutory damages without the owner needing to prove any damages. The corporations were successful at crafting the law that punishes such the behavior of sharing and essentially makes an individual who shares go bankrupt.
How would the same principle of overzealous punishing for "making available" work in the proposed case of personal data and DRM? Actually very simply. Only in this case the health care provider is the one who potentially "makes available" the personal data. Just as it doesn't matter whether the downloaded copyrighted material has ever been played/installed/used, the fact that it was made available is punishable. With personal data, once anyone's data is "made available" it would be irrelevant if it was used or misused, the mere fact of making it available should be punishable. And I don't mean a small fine. I mean jail time for those who approved the decision, the architecture, or made errors in code. As it is difficult to impose the same severity punishment that individuals face for sharing onto a corporation, it should be either a corporation to go bankrupt or responsible people going to jail. What will happen if such law gets passed? Since many executives will not like to end up in jail for proposing a stupid solution, the silly ideas will die out. So, if some provider decides to implement Microsoft's solution with DRM and an error in Microsoft DRM causes the data to be leaked, the Microsoft executives would face felony charges for not providing the appropriate safeguards and making the data available. Yes, I mean, you, Craig Mundie would become a felon! I completely support such a reciprocal implementation of the law.
There's no such thing as "illegal download"
http://www.pdfernhout.net/microslaw.html
This was originally posted to Slashdot on May 25 2002: :-) My comments to the Department of Justice request for comments were in the form of this satire:
http://slashdot.org/comments.pl?sid=33107&cid=3582999
It was in relation to an article: "MPAA to Senate: Plug the Analog Hole!"
about the MPAA wanting copyright protection built into all computer hardware. I sent a copy to Richard Stallman back then and he said it made him laugh.
Transcript of April 1, 2016 MicroSlaw Presidential Speech (Before final editing prior to release under standard U.S. Government for-fee licensing under 2011 Fee Requirements Law)
My fellow Americans. There has been some recent talk of free law by the General Public Lawyers (the GPL) who we all know hold un-American views. I speak to you today from the Oval Office in the White House to assure you how much better off you are now that all law is proprietary. The value of proprietary law should be obvious. Software is essentially just a form of law governing how computers operate, and all software and media content has long been privatized to great economic success. Economic analysts have proven conclusively that if we hadn't passed laws banning all free software like GNU/Linux and OpenOffice after our economy began its current recession, which started, how many times must I remind everyone, only coincidentally with the shutdown of Napster, that we would be in far worse shape then we are today. RIAA has confidently assured me that if independent artists were allowed to release works without using their compensation system and royalty rates, music CD sales would be even lower than their recent inexplicably low levels. The MPAA has also detailed how historically the movie industry was nearly destroyed in the 1980s by the VCR until that too was banned and all so called fair use exemptions eliminated. So clearly, these successes with software, content, and hardware indicate the value of a similar approach to law.
There are many reasons for the value of proprietary law. You all know them since you have been taught them in school since kindergarten as part of your standardized education. They are reflected in our most fundamental beliefs, such as sharing denies the delight of payment and cookies can only be brought into the classroom if you bring enough to sell to everyone. But you are always free to eat them all yourself of course! [audience chuckles knowingly]. But I think it important to repeat such fundamental truths now as they form the core of all we hold dear in this great land.
First off, we all know our current set of laws requires a micropayment each time a U.S. law is discussed, referenced, or applied by any person anywhere in the world. This financial incentive has produced a large amount of new law over the last decade. This body of law is all based on a core legal code owned by that fine example of American corporate capitalism at its best, the MicroSlaw Corporation.
MicroSlaw's core code defines a legal operating standard or OS we can all rely on. While I know some GPL supporters may be painting a rosy view of free law to the general public, it is obvious that any so called free alternative to MicroSlaw's legal code fails at the start because it would require great costs for learning about new so-called free laws, plus additional costs to switch all legal forms and court procedures to the new so called free standard. So free laws are really more expensive, especially as we are talking here about free as in cost, not free as in freedom.
In any case, why would you want to pay public servants like those old time -- what were they called? -- Senators? Representatives? -- around $145K a year out of public funds just to make free laws? Laws are made far more efficiently, inexpensively and, I assure you, justly, by large corpora
A 21st century issue: the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.
We don't need DRM to protect personal data. All we need is for companies to be fined for $millions every time they let 15 parts of our personal information file get passed on to a 3rd party.
The problem would solve itself fairly quickly that way. It may not have worked for them but there's a key difference. I am one of billions being chased by a few. They are few being chased by millions.
Shame the end result currently is a class action, a rich lawyer, and a voucher for a 10% discount next time we hand our personal info over.
Let's not forget what DRM actually is. DRM-encrypted files are encrypted so that, at least in theory, only one program can read it. That program can arbitrarily impose restrictions on the user. How does that protect the user at all? From themselves and from their friends?
Encryption is a good way of protecting your privacy. Encrypting for Microsoft is a good way of losing control of your data.
I'd bet $100 I could simply kick in your door and walk out with your stuff.
You COULD spend $10,000 on a security system to protect your $10,000 worth of stuff. That would be stupid, though, wouldn't it.
Let's say you did spend $10,000 on security. In that case , a burglar would want to spend $4 on a ski mask and maybe $13 on a post driver to knock the door in. Then smash the door in an QUICKLY grab $3,000 worth of electronics etc. You spent $10,000, the bad guy spent $17 to defeat it (and didn't wait around for the security company to first call you, then call the cops.)
I used to work as a locksmith. Now I secure computer systems for a living. I've yet to see one I couldn't break with ease. There ARE some strong security measures you can take with a computer, just like there are quality locks. Quality locks won't stop a large crowbar and no amount of computer security will stop a root kit.
We defeated DRM for years, and we would want to protect us? That is nonsense.
And legal DRM protections will not help. NSA will find a way around it, and megacorporations will rely on offshore societies subjected to different juridiction to do the dirty job.
I watched a thief check door handles once, looking for low hanging fruit. As I said, as long as he found plenty unlocked, the locked ones were safer. When four in a row were locked, he smashed a window. Locks didn't keep him out, not when either a lots of people used them or he saw something he wanted.
That thief is currently serving time for murder for hire.
BTW, you can hook and book a Ferrari with an alarm. It's worth more than it takes to steal, so by your definition. it's. low hanging fruit. I don't think that. means what you think it means.
I think low hanging fruit is comparative - the bad Guy won't. break into my house of my neighbor leaves his door wide open. If we ALL lock our doors, the thief will get a crow bar.
Posted via crappy old phone that inserts extra periods.
You said it's easy to secure your house such that it costs more than $10,000 to break in. I pointed out that no, it wouldn't cost more than $17 to break in. I can see why you might want to change your argument.
Can you? You could cover your $10,000 house with $100,000 of concrete. It'd no longer be your house, though, since you couldn't get inside. Not a bad way to handle high level nuclear waste, though.
You could set up a shotgun booby trap and you'd probably end up in prison or dead.
Armed guards 24 / 7? Two guards at $20 / hour is $50,000 / year to protect $10,000 of property, and STILL it only costs the bad guy a few bucks to shoot them.
It's normally going to cost the owner more to completely protect the property than it costs to break that protection, simply because it's easier to break things to build things. There's a law to that effect in quantum physics or something. It doesn't make sense to spend more protecting it than it's worth, therefore the cost to steal it won't be more than it's worth.
However, you CAN make it harder to steal your stuff than to steal the neighbor's stuff. You're not preventing the theft, just persuading the bad guy to steal from your neighbor.
I suppose in the naive view you could say that the death penalty for petty theft would make it more costly than it's worth. However, that's a naive calculation because it would have huge costs to the defender. When your son steals a candy bar he's dead, so that's not really an option.
Lastly, one could twist the question and bring in SPIRITUAL costs, saying that stealing, and getting away with it, costs the bad guy's soul. That might even be true, but it doesn't solve the question asked because you proposed that YOU can DO something to protect your house, not that spiritual laws already make it costly.
While it's true that (poor) encryption is often used in DRM schemes, they aren't really the same thing. Encryption is designed to prevent third parties from observing your data without access to the decryption keys. This is an effective method of keeping secrets from adversaries even on systems that you don't know about and don't control. Contrast this with DRM which has the neigh impossible task of preventing devices, not in the custody or control of these "rights holders", from making copies of or format shifting data while still showing it to the end users in unencrypted form and keeping the decryption keys secret. Nobody who understands these matters believes that DRM is effective or can be made so, the very idea is asinine, but that doesn't seem to stop ignorant business people from trying.
The foundation of DRM is building computers whose primary allegiance is to some entity other than their owners, with this allegiance enforced by technical means (and, in the most pure form, building computers that 'default-deny' all non-DRMed content in order to make cracked cleartext copies from subverted systems useless: the iDevice 'app' situation or the contemporary console space is probably the best example of this
In 1985, legit consumers saw this default-deny policy as a feature. They had been burned by a flood of poor quality releases on the Atari 2600, and not having to take a chance on a game that turns out to be absolute crap was a selling point for the then-new Nintendo Entertainment System. A gamer back then didn't want the hardware's allegiance to be to him because he lacked the time and money ($60 or more after adjusting for inflation) to buy each new game and vet it himself.
or even just take a film photo of the screen
So long as drugstore photo departments continue to process film.
and scan that in
Scanning software and image editing software already have measures against use with images of currency.
I'd secure my personal data with contracts that say "this is what you can do with it, and I'm going to sue you into oblivion if I find it on the Internet".
Such a contract would apply only to parties to the contract, under the "privity of contract" doctrine. DRM lets a copyright owner use 17 USC 1201 and foreign counterparts to apply terms like these even to people who haven't signed the contract.
I suppose it depends on which ones you define as shady.
Along with most of the planet, I would describe every huge US, pseudo international, corporation as something that may well be shady. Every US TLA spook name I have ever heard of has shown itself to be shady at times. They all have what is called an "excessive sense of entitlement".
These groups will see it as their entitlement and their duty to ignore and breach any DRM used in this way. Using DRM like this would, however, rehabilitate it in the minds of a great many people.
I'm just not sure that it would even be allowed by those who feel they are our masters.
I'll see your Constitution and raise you a Queen.
"some entity other than their owners" but what if YOU own and enforce it.
"Publish" all of your data to a backup drive, apply DRM to "secure it*" and issue take downs to any intruder (like the NSA) to force them to remove it or face litigation and hassles from the sheriff.
All you need to do is have a warning page/file at the lowest lever on the backup drive and then encrypt your backup.
*) "Secure it" can be as flimsy as the original DVD DRM. The point is to insure the protection of the law, however unwilling the law might be to provide it.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
So in other words, no you have no reasonable way to prevent someone from breaking into your house, or even making it difficult to do so. You could just admit you were wrong instead of acting more and more of an asshole with each post.
Your interesting signature references beautiful open source code. Do you know how we get beautiful open source code? I post something on my github, Tim points out how it could be improved. I make those improvements, "admittingx" that my original code had flaws. Then Mary comes along and points out more imperfections. I admit it still wasn't perfect and make the changes. Then it goes to the integrators for a repeat. That's how we end up with beautiful code, by admitting that our first thought wasn't quite right. Hell even Microsoft admits they were wrong with Windows 8. Are you as intellectually honest as Microsoft?
I am curious about your sig. What do you have going there? Tim Hunt produces some code that's beautiful in it's perfection, but you may be looking for beauty in terms of being concise and as simple as possible. There's an implementation of strcpy that's beautiful in that way, something along the lines of:
while (dest++ = src++);
So in other words, no you have no reasonable way to prevent someone from breaking into your house, or even making it difficult to do so. You could just admit you were wrong instead of acting more and more of an asshole with each post.
A lock on the front door works well enough for my own purposes. What I have seen in a case where a church kept having their televisions stolen by gang members, they got a steal door for the storage room and lined the entire inside of the room with a cage made of rebar. BTW I didn't say the security measures had to cost less than $10k, that's probably where you got confused.
Your interesting signature references beautiful open source code. Do you know how we get beautiful open source code? I post something on my github, Tim points out how it could be improved. I make those improvements, "admittingx" that my original code had flaws. Then Mary comes along and points out more imperfections. I admit it still wasn't perfect and make the changes. Then it goes to the integrators for a repeat. That's how we end up with beautiful code, by admitting that our first thought wasn't quite right. Hell even Microsoft admits they were wrong with Windows 8. Are you as intellectually honest as Microsoft?
Go ahead, check it out
I am curious about your sig. What do you have going there? Tim Hunt produces some code that's beautiful in it's perfection, but you may be looking for beauty in terms of being concise and as simple as possible. There's an implementation of strcpy that's beautiful in that way, something along the lines of:
Generally looking for beauty in any way.....some code can be visually attractive but a nightmare to work on (like stuff at the IOCC), other code is not pretty to look at but incredibly flexible and easy to work with.......both are beautiful.
"First they came for the slanderers and i said nothing."