Digital Rights Management (or restrictions for the cynical) is a mechanism for asserting their traditional control which has been weakened by P2P and parallel importing.
Funny, this is how most of copyright laws have been argued. It was always meant to be this way, but now new technology X forces us to be more explicit. The same quoted reasoning was used to argue against player-piano rolls, radio, jukeboxes, TV, VCRs, and cable television. And each time, what was really going on was a power grab.
Read __Digital Copyrights__ by Jessica Litman for more information on this. For the last 100 years copyright law has essentially been written by the copyright holders, and they have vigorously screwed anyone not at the law writing convention (the movie studios got screwed in the 1914 law, because they were not well established enough to participate).
The truth is that DRM gives copyright holders far more powers than they ever had before, and they have gotten bad laws passed (DMCA) that allow them to circumvent the remaining consumer rights. You mention this being a logical decision, and I guess you are right: pay money for a law, and get new rights under the dual pretenses of it was always supposed to be this way and we need this extra power because of threatening technology.
The ironic fact is that much of the worst law buying was prevented, because of the industries that got screwed. The copyright conventions would write laws, but the wounded parties would hold-up the actual legislation for years. For example the 1976 copyright law was actually based on a copyright convention in 1949! You would have thought the copyright conventions authors would remember this, and try to write more fair and balanced laws. Has not happened yet!
The spate of bad copyright laws in recent years comes from a couple of problems. The first is that some industries are getting better at lobbying congress (the DMCA was being pretty thoroughly reworked as usual, when all of sudden enough juice was applied and it got passed almost as originally written by the copyright convention in 1995). The other is that the public's interest has not really been represented in the copyright laws. The best that happens is that congress gets a bad law, and tries to save it a bit by putting in some exceptions. The DMCA exceptions were very incomplete, and poorly thought out (some might argue this was because the DMCA was so flawed in theory, that the exceptions just could not overcome the flaws).
Yes, we are probably in closer agreement than I first thought. As I look over my examples, a lot of what I was thinking about was at the "design" level, while you were really talking about the "coding" level.
To expand upon your SSL example: It should not take long for a competent programmer to add SSL to an existing program using the OpenSSL library. The protocols and libraries already exist, and there are a lot of existing examples. So long as you can avoid adding any buffer overflows:-( no special programming knowledge is needed.
It is quite another thing to design and implement a new cryptographic protocol (hmm, should I XOR those values together before or after I encrypt them?).
What most fail to realize is that 5 years in a single tech is probably a bad sign. A "better" programmer would probably have gotten bored and moved on, or moved on because it's highly unlikely that a single technology remains the best solution for that long a period of time.
There is probably a bit of truth somewhere in this statement, but there are some real problems with it too. Perhaps this is the view of a system administrator, but it does not match my experience as a developer. I enjoy technology, but at the end of the day I'm being paid to accomplish things. Technology is merely a tool that helps you accomplish your goal. There are a lot of reasons why people can enjoy their job, and why they should seek out new technology. Speaking from experience, boredom is rarely solved by new technology, it usually has it roots elsewhere.
It takes a few days to pick up 98% of any language/tech...
I won't comment on the language part, but from my experience it is wildly over optimistic for a technology field. I'm a generalist by nature, and pride my self on my ability to investigate and use new technology quickly. Over the years I have specialized in a few areas, and most of them can not be mastered in a few days. Perhaps that is because I don't consider any area that can mastered in a few days worthy of being called a specialization. I'm talking about things like embedded system development and developing/analyzing cryptographic protocols, or even managing the software development process.
For example, it takes years to get good at applied cryptography (and this is not based just on my own learning rate:-) The quickest I've seen someone become competent for a reasonable range of tasks was about 2 years (and she was an extremely intelligent cryptography Stanford post-doc). Even for very bright and experienced programmers (10-15 years of experience), it more typically takes 3-5 years to start designing good cryptographic protocols and systems.
I'm sure there are technology fields that are less demanding, but to be frank that is part of the fun of specializing in this field. It does not take much reading (recommend Schneier's Crypto-Gram as a good starting place) to start seeing the flops made by people who thought they could learn cryptography in a few days.
Should've picked a more knowledgable or reputable dealer. The Pioneer DV-AX10 plays both SACD and DVD-A. Even low-end companies like Apex have DVD-A/SACD/MP3/CD players (AD-7701).
Actually, The Audible Difference has a very good rep, and pretty much everything they were quoted in the article seemed correct. You seem to have some confusion about SACD/DVD-A digital outputs (not too surprising, both the RIAA and the equipment manufactures don't really want people to know about it). For example, the APEX you mentioned does not put out the full quality digital stream for DVD-A or SACD, instead it only puts out the lower quality CD stream.
There are a few disc players with full quality SACD/DVD-A digital outputs. These use proprietary content-controlled digital transport mechanisms, and require a same-brand pre-amp to be useful. The only one I've seen reviewed is the Meridian system (very, very expensive - the disc player and the matching pre-amp were well over $10,000). Another/. post mentions that Pioneer has introduced a connection scheme as well.
Despite the existence of these digital links, it does not change the general fact that SACD and DVD-A are designed with features that most audiophiles hate.
These are exactly the people who won't care about copy protection, because they don't want a lossy copy on their computer.
Speaking as one of the audiophiles who helped kill DAT, let me tell you some of the reasons an audiophile wants digital outputs:
1) The quality of digital/analog conversion can vary quite a bit. If you already have an ultra-high D/A converter, you don't want to be stuck with the inferior ones built-in to the SACD/DVD-Audio player.
2) Most current pre-amps perform sound modification (such as bass management, surround-sound effects, etc.) in the digital domain. If you can only get analog inputs, you need to convert the stream back to digital, and than back to analog. Even with the best gear, the extra AD/DA cycle noticeably degrades the quality!
3) Many current pre-amps don't have the six-channel analog inputs that it takes to properly play back the SACD/DVD-Audio material. Trying to get past this is UGLY!
That is three major reasons without even getting into the usual fair-use issues. The funny thing about this, is that they are making the exact same mistake they did with DAT (the most common method of personal copying was tape-to-tape using $50 boom boxes, so they block digital-to-digital?).
As a general rule, the only people who care about digital-to-digital quality are the audiophiles. These are the exact same people who are least likely to pirate music (heck, most audiophiles buy multiple copies of the same recording). The people who do the most piracy are the ones who don't have enough money to buy good systems, and don't care about the reduced quality of sound.
I've sent letters to most labels, and several manufacturers telling them what I think. I'm not surprised to see that other audiophiles agree with me, there is no way I'm supporting SACD or DVD-Audio until they drop the bullshit content-controls.
If you read the article, you will see that CDL had the CDL-82 hardware encryption chip, which was built-in to the unit. I don't know how good the chip is, but it sounds like there is more to their security claims than just the biometric scanner.
The CDL website makes vagues claims that their security chip is FIPS 140 rated, but I have not been able to find it. For that matter, it is not clear that the Paron MPC is actually built using the CDL-82, or some variant of it.
This happened to my parents (using SBC), when all of sudden they started getting long distance changes everytime they called their cell phones from home. While not bankrupting, the cost was closer to $5/month, not just the few pennies that Verizon claims in the article.
There solution was to change the cell phone numbers so that they were local calls instead.
From my experience, the FIPS 140 certificate does a good job of ensuring that products live-up to their formal design specifications. The obvious question is how good were the design specifications? This is where things get interesting. To over generalize, I think FIPS 140 does a good on tamper-resistant (and respondent) hardware design, and a poor job on logical security.
A lot of the FIPS philosophy came out of the military, and the testing labs impressed me with the breadth of their physical attacks. On the other hand, the military usually has very simple logical security requirements for a crypto-box. It should be inert until authorized users properly activate it, and at that point it can perform sensitive actions. Commercial cryptography designs by contrast, usually has a set of functions that needs to be generally available. They also have a much smaller set of functions that need authorized users to control.
When we put our product through the immediate predecessor to FIPS 140-1 certification, we were the first commercial product and ended-up breaking a fair-amount of new ground (somewhat painfully as you might imagine). What we had to show was that the cryptographic commands that were available to non-privileged users were safe - because of the logical security design. Even early FIPS 140-1 processes did not really deal with these "always-on" functions very well.
Although it improved, especially with the 140-2 modifications, logical security is still the real weak point. Michael Bond's well publicized attacks on the FIP 140-1 level 4 certified IBM 4758 security module were all aimed at the "logical security" level. My favorite example of insecure by design is the PKCS #11 security module when it is used for server security.
The Cryptoki (PKCS #11) interface was designed for security tokens, and basically works a lot like the military devices. The token (smartcard, whatever) would be plugged into the client device, where it would remain inert until activated by the user password. Actually a pretty good design when used this way.
The problem is when the same design is used for a server, which is unfortunately common since several PKI vendors standardized on using PKCS #11 security modules. PKCS #11 authorization levels are all messed-up for server use. There is no concept of "always-on" commands, or multiple levels of authorization. That means that any entity (server application) that wants to access the security-subsystem must be an authorized user.
The result is that the clear password that enables the PKCS# 11 modules has to be put into the server application. Because of that clear password an attacker no longer has to break into the PKCS #11 box or steal/forge authorized user's identities. They can gain authorized user privileges merely by monitoring the communication lines between the application and box, or by analyzing the object code of the application!
You will find a number of FIPS 140 certified PKCS #11 modules, which is actually no surprise given how well PKCS #11 matches the military origins of the FIPS 140. This is a classic example of a certified subsystem that is quite secure for some uses (human insertion of a token and entry of password), but it quite insecure for others (server applications storing and using clear passwords). All the FIPS certification does in the case of PKCS #11 is tell you that the vendor has followed their design, and not if it will provide logical security in your system!
I've taken some hardware crypto products most of the way through a FIPS 140-1 level 3+ cycle, but never completed it because our customers were not willing to pay the extra money (my company had certified other products before that, and has certified some since I've left).
I find it interesting that people are starting to specify AND demand FIPS 140. When we certified our first product, using the predecessor of FIPS 140, we only ever had one customer - the US treasury. Perhaps the chicken-and-egg situation is changing, because just enough companies have FIPS 140 certified products that customers might actually be able to buy one.
In reality, most customers will not use the actual certified product, for a couple of reasons. First, it is too expensive (and takes too long) to recertify the product for every minor version change. Second, the FIPS process only allows certain algorithms (FIPS algorithms naturally) and certain cryptographic formats. If your product wants to support the wide-spread PKCS format (RSA pseudo-standard) instead of the government preferred ANSI formats (in cases where there is a difference), those PKCS commands will have to be disabled in the FIPS version of the product.
I agree that digital copies should not be treated any differently. But there is a good reason we don't want to stir up that pot!
Right now digital content and copies are treated differently. There are a lot of additional restrictions on digital copies, thanks to laws like the DMCA. We don't want to even mention analog material, because it would be a step backwards if analog material came under the same rules (even relaxed by Lofgren's bill) as digital material.
Meanwhile, the publishing industry is trying to add restrictions to analog material as well. That is part of the whole "analog hole" that they keep harping about. Ironically, the fact that they complain about the analog hole reveals their first arguments about digital being diferent were lies! What really happened was they used digital issues as a "wedge" to get special privileges, and are now trying to expand those privileges to cover everything.
Nope, the bill adds a provision that allows distrubtion of "cracking programs" if the conditions are met (non-infriging use is blocked by copy protection, and the copyright owner does not provide an alterntaive method of enabling the use). All in all, this is a well written bill.
PS: Except for that "perfect digital copy" part, see my other post.
Here is an excerpt of my letter of support sent to my congressman:
I have one little quibble with the bill as it stands. In section 2. FINDINGS, paragraph (2), it states "Perfect digital copies of songs and movies...". This is an exaggeration that has been used by both the RIAA and MPAA to justify draconian copyright protection measures. They purposely confuse two different concepts: "digital copies" and "digital distribution". The reality is:
(1) Digital copies are far from perfect
(2) The quality of a copy has little impact upon non-commercial copyright infringers
Take an example from ten years ago, the mandating of copy-protection on Digital-Audio-Tape recorders. The only people who cared about quality enough to be effected by the copy-protection measures were audiophiles (who, by the, way effectively killed the format because of the restrictions imposed by congress). The irony is that audiophiles were also the least likely people to make illegal copies; on the contrary, many purchase multiple versions of a single recording. The more typical non-commercial copyright infringement was young teenagers buying $50 boom-boxes with abysmal sounding cassette duplication. The quality of the duplication was of minimal importance (you can't hear the poor quality on a $50 boom-box), as it had minimal impact on their decision to make illegal copies vs. buying legal copies.
I'd recommend striking the word "perfect", and putting to rest the urban legend that digital copies are somehow different from other method of copying. This is not meant to diminish the importance of digital distribution, which obliviously has had an impact on non-commercial copyright infringement. Confusing "digital copies" with "digital distribution" is how we got lousy laws like the DMCA in the first place.
Any security mechanism should be designed in such a way that when it fails, it fails closed.
I agree with that in general, but you always have to take denial-of-service into account too. Can I disable all user accounts just by entering three bad passwords into the system?
The web browser only has to maintain an encrypted connection to the server. The server then can have its own encrypted connection to the DB (eg, via PostgreSQL's hostssl setting.)
Encryption is not a magic wand. Does the web browser need to be able to decrypt traffic from the server? If so, when the web server becomes "owned", than the decryption capabilities get owned as well. What is the benefit, at best a layer of extra knowledge to find the decryption routines (security by obscurity).
Designing a cryptographic system that will help against "owned" servers (or insider fraud, say you can't trust the system administrators) is much harder. You almost always have to go with data oriented encryption, as opposed to channel oriented techniques (such as IPSEC or SSL). Hardware crypto devices are also very useful - the physical layer obviously is primarily designed to counter insider fraud in a server installation. But even more important is the ability of hardware crypto devices to control the type of operations they can perform.
Think of the "PIN" in a banking system. The hardware device does not have the ability to "decrypt a PIN" (at least in most banks, but that's a different story). Compare that with the situation where say a PIN Translate function is put on a software server and that server gets owned. It would be relatively easy to break down the PIN translate function (which consists of a decrypt followed by an encrypt) and examine the internal results to find the clear PIN.
In summary, most uses of channel encryption (clearly that was what was described in the quoted section) will provide little protection against compromised servers. Many types of database encryption have the same problems, if there is some means of the server accessing the clear data.
The DMCA would win, if the current court rulings are continued. A recent California court said the DMCA was legal, because the copyright holder is not under any obligation to make fair-use easy. He used the example of DVD fair-use by taking photos of still frames. Judge Kaplan (in the DeCSS case "MPAA vs. 2600") said DVD copies were not important because you could still make fair-use copies using a VCR (never mind the fact not all DVD material has been put onto VCR tape, and that VCRs have technology that stops fair-use too).
I think both judges may have some technically correct views (having withstood appeal), but are overall incredibly shortsighted. I wonder what those same judges will rule when Hollywood gets congress to fix the "analog hole" and outlaws any camera that would take a picture of a still frame.
Newsline 2007:Judge Kaplin rules fair use has not been abridged by the latest Fritz Chip 3000, since consumers can still exercise fair-use by talking and waving their hands to describe a movie sequence! In other news, the copyright scofflaw firm Crayola has filed for bankruptcy since they can no longer sell their anti-circumvention technology called "crayons", a device that enticed young children into a life of crime making drawings of copyrighted material.
...because most of the theft that happens with credit cards is not breaking into computers, rather it's physical theft of the cards themselves.
Stealing the physical card happens, but it is small potatoes. Fake cards (usually copies of legitimate cards) are a really, really big problem. Credit card companies loose billons of dollars a year due to fake cards.
The biggest issue I had from reading the article, was figuring out how the one-way-function was going to be verified. It's nice that there are a terabit of combinations that could be used, does this mean the issuer is going to have to store a terabit of data for each user?
If they only use a subset, than we no longer have the security range of a terabit of information do we? All an attacker has to do is figure out what the subset that will be used is. Since it is "copy proof", it is not like the host can perform a duplicate one-way-function. I don't think this will become practical unless they can clearly resolve this issue.
... you've never _really_ controlled the media you pay for. Your only control is the very limited ones the media companies afford you under extremely narrow conditions.
Incorrect, but becoming more true as the media companies buy congressional laws. Far from "never", until recently you always controlled the media you paid for. If I buy a book, I can read it, lend it, resell it, or even cross-out phrases that offend me.
These actions have been protected by a set of rules called copyrights. But for the last hundred years, consumers have been getting less and less from the copyright barging. This is because the media companies are the ones who have lawyers who write laws, and congress just rubberstamps them without sticking up for normal citizens.
But the consumers were still in pretty good shape (as opposed to artists and the public domain) until about 10 years ago. The 1992 DHRA mandated copy protection for digital audio recordings and started the latest slide.
The 1998 DMCA went over the top by making it illegal to bypass content control measures. Before that, the companies had to resort to contracts that courts judged to be an illegal attempt to override copyright laws (such as the book publisher who tried to prohibit reselling of it's book by something very much like a shrink-wrap license). Thanks to the DMCA, the media companies can just make a DRM control gizmo do anything they want and your only resort is to not buy that product (the DMCA granted them wide powers, but no restrictions on how they could use it).
The next step on the media company's agenda is well underway. They are attempting to remove any choice you have about not buying DRM systems by making them mandatory. They are using every means at their disposable to do this, including threats (no release for new media, nuisance lawsuits against product companies), congressional bribery (see the clear quid-pro-quo money trail for sponsors of pro-media company laws), and back-room government deals (FCC regulations mandating copy protection for satellite tuners, upcoming FCC copyright flag mandate for HDTV broadcasts, etc.).
They should not have the right to exercise this level of control over their media, but they are getting it. It will be bad for both them and the society in the long run, but they don't care. They have the money and political clout to preserve the gravy train for a little while longer; and care nothing about the negative effects.
Even going to Best Buy (shudder) is a lot cheaper than the mall.
One reasons for that is that Best Buy is not making money selling [at least some] CDs. A couple of years ago several record companies were convicted of price fixing. The basis of the lawsuit was that Best Buy was selling CDs below the "recommended cost", and therefore did not qualify for industry kick-backs.
From articles on the music business, the store that consistently buys CDs with the lowest prices is Walmart. I don't know how there retail prices compare to non-sale CDs elsewhere though...
I've pretty much stopped buying CDs from stores (mostly as a RIAA protest). I buy either directly from the artist or second-hand.
It is called capitalism. Vendors offer up products, I examine them and decide if they are worth the price asked.
Except you forgot several steps before that.
1) Corporations use special government granted-monopoly (copyrights) that are not part of the free market.
2) Corporations lobby for and get laws passed that remove your choices:
* UTICA contract terms that shaft the consumer (only two states so far)
* DMCA mandated copy protection in video recorders
* DHRA mandated copy protection in digital audio recorders
* FCC mandated copy protection in video satellite receivers
* DMCA anti-circumvention laws, etc.
3) Corporations are currently lobbing for, but have not yet received, laws that even further restrict your choices (FCC mandated HDTV copy protection flag, CBDTPA, etc.).
Now we get to the point where vendors offer up products. You call this a free market? If you really believe in the free market, you should be very concerned about these laws and working to get them repealed! Why do you assume that vendors selling these products get to take advantage of government mandates, but the consumers don't!
You got it! The DMCA does exactly this: it is illegal to circumvent the copy protection, even if you just want to exercise your fair-use rights.
This what happens when congress rubber-stamps laws written by the industry. The publishers (including RIAA and MPAA) did not like fair-use, and they used the DMCA as a legal lever to allow them to eliminate them!
The laws are all one sided, they put restrictions on the consumers, but don't put any restrictions on the publishers. That is why Digital Consumer's "Bill of Rights" is so important! (http://www.digitalconsumer.org/)
Mandatory five-minute commercials? You're kidding, right? I watch probably five new DVDs every week (NetFlix [netflix.com] rules), and I've never seen a mandatory commercial.
The Disney animated "Tarzan" DVD is the worst; it disables the "fast-forward" and "menu" features during 5 minutes of previews and commercials. By experimentation, I found the "skip" button still works. More recent Disney DVDs tend to disable "fast-forward" and "skip", but leave the "menu" option accessible ("Toy Story 2", "Tarzan and Jane").
The new method is targeted towards young children, old enough to load movies and do basic DVD operations. Most of this target audience ends-up sitting through the ads unless parents help out. I would call all of these cases of mandatory commercials (even in the technically proficient can find some method of reducing their impact).
Finally, you have probably sat through hundreds of mandatory commercials that disable all controls ("fast-forward", "menu", and "skip"). These are the studio logos and FBI Warnings (granted they are 5 seconds instead of 5 minutes). You may not realize it at first, but studio logos are a commercial! What makes showing the studio's logo so important that you can not skip it? Nothing except the built-in controls that Hollywood put into the DVD format.
Note that Jack Valenti is actually wrong about it being illegal to copy a DVD (what Jack say something incorrect, what a shock!). His reasoning is based on the DMCA, the fact that all DVDs are copy protected, and that all VCRs have federally mandated copy protection. Hence the DMCA anti-circumvention act prohibits you from breaking the copy protection and making a copy.
There are at least two big holes in this theory. The biggest is that VCRs made before 1998 can quite legally not recognize the copy protection signal. It is therefore legal for me to copy a DVD to a VHS tape because I'm not circumventing any copy protection; provided my copying otherwise falls into the fair-use or unregulated provisions of the copyright law.
The second is that not all DVDs have copy protection enabled. Seems like a minor point, but don't overlook it.
As these older VCRs wear out and go away, this statement about it being illegal to copy a DVD are going to become more and more true. Those are your rights that are fading away, sold by congress and delivered by the DMCA!
So again, my question: what is so fundamentally different between DVD's and CD's that I can space-shift one legally, but not the other?
Good question. The difference comes from the RIAA's interpretation of the DMCA. Unfortunately all the lower court decisions to date seem to agree with the RIAA's interpretation. The reasoning goes like this: DVDs are copy protected. It is illegal (with certain very narrow exceptions) to circumvent the copy protection. Thus if you made a copy, you could only have done that by circumventing the copy protection, an illegal activity.
Under this interpretation, it would not be illegal to make a copy of the CD, because the CD is not copy protected. If the CD is copy protected, than it would be illegal to make a copy by circumventing the copy protection (hence the recent stories that black pens are an illegal device under the DMCA, because they can be used to circumvent Sony's CD copy protection scheme).
The reason the RIAA's interpretation of the DMCA is being upheld by the courts is the totally inadequate authorship of the DMCA (some might propose this was on purpose, and I won't disagree with them). There is a clause in the DMCA which is supposed to protect fair-use. In the first DMCA related case, the DeCSS (MPAA vs. 2600) the judge ruled that the fair-use clause did not apply to the copy circumvention sections of the DMCA.
There have since been a number of rulings that manufactures and publishers are not obligated to protect fair-use. Aside: one judge said the DVD did not limit fair-use, because you could still take pictures of each still frame, at least until Fritz chips appear in all the camera and sounds recorders. The copyright rules as written force copy protection down the publics throat, but put no limits on the use of them. So that is why we are in the situation we are now, the DMCA essentially grants the copyright holders the ability to remove any right a citizen would normally have, so long as they can claim the citizen using it had to break copy protection in order to use it.
The consumer has the power to not buy it. Something that you all obviously have forgotten about.
I agree with the general statement, but the comment is somewhat trollish. Here are a couple of important corollaries:
1) The failure of DAT is almost directly tied to the copy protection that was built-in to the format (at the consumer level). The people won, kind-of, and you can bet the industry paid close attention.
2) The lesson the industry learned was "people won't knowingly buy copy protected items". This resulted in great efforts to keep consumers in the dark. How many people knew the DVD was content-controlled up the ying-yang? How many people know those new VCR's they are making have copy protection in them. The manufacturers do not tell you they do, the people selling the products don't tell you, the only way to find out is when it fails to do something you expected.
3) Another lesson learned from the great DAT failure, was that people would use other options in preference to the crippled format. People use a MP3 or a computer CDR instead of DAT or CDR-Audio, because it works better and is not hobbled by features they don't like. This is why the RIAA and MPAA are so hot on getting congress to mandate content control for everything! To eliminate consumer choice.
4) New items are very flexible, think of TIVO for a moment. I liked the way it worked when I bought it, but what happens if they configure it in a way that I don't like tomorrow. At best I could stop the service, unless I had already done the "lifetime" service.
In summary, not buying can work. But it does not solve all problems. Don't forget we have active, rich, and politically-connected monopolies doing everything they can to ensure it that consumer preference won't be taken into account!
How are you going to solve problems 2-4? Even if you are willing to boycott all forms of media (I can respect that), it does not help the damage to society. The public domain is shrinking, the future won't be able to read our DRM protected content, and we have powerful people trying to control information dissemination in our society. This needs more action than a boycott (although a really good boycott might help).
Slashdot Mirror
Digital Rights Management (or restrictions for the cynical) is a mechanism for asserting their traditional control which has been weakened by P2P and parallel importing.
Funny, this is how most of copyright laws have been argued. It was always meant to be this way, but now new technology X forces us to be more explicit. The same quoted reasoning was used to argue against player-piano rolls, radio, jukeboxes, TV, VCRs, and cable television. And each time, what was really going on was a power grab.
Read __Digital Copyrights__ by Jessica Litman for more information on this. For the last 100 years copyright law has essentially been written by the copyright holders, and they have vigorously screwed anyone not at the law writing convention (the movie studios got screwed in the 1914 law, because they were not well established enough to participate).
The truth is that DRM gives copyright holders far more powers than they ever had before, and they have gotten bad laws passed (DMCA) that allow them to circumvent the remaining consumer rights. You mention this being a logical decision, and I guess you are right: pay money for a law, and get new rights under the dual pretenses of it was always supposed to be this way and we need this extra power because of threatening technology.
The ironic fact is that much of the worst law buying was prevented, because of the industries that got screwed. The copyright conventions would write laws, but the wounded parties would hold-up the actual legislation for years. For example the 1976 copyright law was actually based on a copyright convention in 1949! You would have thought the copyright conventions authors would remember this, and try to write more fair and balanced laws. Has not happened yet!
The spate of bad copyright laws in recent years comes from a couple of problems. The first is that some industries are getting better at lobbying congress (the DMCA was being pretty thoroughly reworked as usual, when all of sudden enough juice was applied and it got passed almost as originally written by the copyright convention in 1995). The other is that the public's interest has not really been represented in the copyright laws. The best that happens is that congress gets a bad law, and tries to save it a bit by putting in some exceptions. The DMCA exceptions were very incomplete, and poorly thought out (some might argue this was because the DMCA was so flawed in theory, that the exceptions just could not overcome the flaws).
Yes, we are probably in closer agreement than I first thought. As I look over my examples, a lot of what I was thinking about was at the "design" level, while you were really talking about the "coding" level.
:-( no special programming knowledge is needed.
To expand upon your SSL example: It should not take long for a competent programmer to add SSL to an existing program using the OpenSSL library. The protocols and libraries already exist, and there are a lot of existing examples. So long as you can avoid adding any buffer overflows
It is quite another thing to design and implement a new cryptographic protocol (hmm, should I XOR those values together before or after I encrypt them?).
What most fail to realize is that 5 years in a single tech is probably a bad sign. A "better" programmer would probably have gotten bored and moved on, or moved on because it's highly unlikely that a single technology remains the best solution for that long a period of time.
:-) The quickest I've seen someone become competent for a reasonable range of tasks was about 2 years (and she was an extremely intelligent cryptography Stanford post-doc). Even for very bright and experienced programmers (10-15 years of experience), it more typically takes 3-5 years to start designing good cryptographic protocols and systems.
There is probably a bit of truth somewhere in this statement, but there are some real problems with it too. Perhaps this is the view of a system administrator, but it does not match my experience as a developer. I enjoy technology, but at the end of the day I'm being paid to accomplish things. Technology is merely a tool that helps you accomplish your goal. There are a lot of reasons why people can enjoy their job, and why they should seek out new technology. Speaking from experience, boredom is rarely solved by new technology, it usually has it roots elsewhere.
It takes a few days to pick up 98% of any language/tech...
I won't comment on the language part, but from my experience it is wildly over optimistic for a technology field. I'm a generalist by nature, and pride my self on my ability to investigate and use new technology quickly. Over the years I have specialized in a few areas, and most of them can not be mastered in a few days. Perhaps that is because I don't consider any area that can mastered in a few days worthy of being called a specialization. I'm talking about things like embedded system development and developing/analyzing cryptographic protocols, or even managing the software development process.
For example, it takes years to get good at applied cryptography (and this is not based just on my own learning rate
I'm sure there are technology fields that are less demanding, but to be frank that is part of the fun of specializing in this field. It does not take much reading (recommend Schneier's Crypto-Gram as a good starting place) to start seeing the flops made by people who thought they could learn cryptography in a few days.
Should've picked a more knowledgable or reputable dealer. The Pioneer DV-AX10 plays both SACD and DVD-A. Even low-end companies like Apex have DVD-A/SACD/MP3/CD players (AD-7701).
/. post mentions that Pioneer has introduced a connection scheme as well.
Actually, The Audible Difference has a very good rep, and pretty much everything they were quoted in the article seemed correct. You seem to have some confusion about SACD/DVD-A digital outputs (not too surprising, both the RIAA and the equipment manufactures don't really want people to know about it). For example, the APEX you mentioned does not put out the full quality digital stream for DVD-A or SACD, instead it only puts out the lower quality CD stream.
There are a few disc players with full quality SACD/DVD-A digital outputs. These use proprietary content-controlled digital transport mechanisms, and require a same-brand pre-amp to be useful. The only one I've seen reviewed is the Meridian system (very, very expensive - the disc player and the matching pre-amp were well over $10,000). Another
Despite the existence of these digital links, it does not change the general fact that SACD and DVD-A are designed with features that most audiophiles hate.
These are exactly the people who won't care about copy protection, because they don't want a lossy copy on their computer.
Speaking as one of the audiophiles who helped kill DAT, let me tell you some of the reasons an audiophile wants digital outputs:
1) The quality of digital/analog conversion can vary quite a bit. If you already have an ultra-high D/A converter, you don't want to be stuck with the inferior ones built-in to the SACD/DVD-Audio player.
2) Most current pre-amps perform sound modification (such as bass management, surround-sound effects, etc.) in the digital domain. If you can only get analog inputs, you need to convert the stream back to digital, and than back to analog. Even with the best gear, the extra AD/DA cycle noticeably degrades the quality!
3) Many current pre-amps don't have the six-channel analog inputs that it takes to properly play back the SACD/DVD-Audio material. Trying to get past this is UGLY!
That is three major reasons without even getting into the usual fair-use issues. The funny thing about this, is that they are making the exact same mistake they did with DAT (the most common method of personal copying was tape-to-tape using $50 boom boxes, so they block digital-to-digital?).
As a general rule, the only people who care about digital-to-digital quality are the audiophiles. These are the exact same people who are least likely to pirate music (heck, most audiophiles buy multiple copies of the same recording). The people who do the most piracy are the ones who don't have enough money to buy good systems, and don't care about the reduced quality of sound.
I've sent letters to most labels, and several manufacturers telling them what I think. I'm not surprised to see that other audiophiles agree with me, there is no way I'm supporting SACD or DVD-Audio until they drop the bullshit content-controls.
If you read the article, you will see that CDL had the CDL-82 hardware encryption chip, which was built-in to the unit. I don't know how good the chip is, but it sounds like there is more to their security claims than just the biometric scanner.
The CDL website makes vagues claims that their security chip is FIPS 140 rated, but I have not been able to find it. For that matter, it is not clear that the Paron MPC is actually built using the CDL-82, or some variant of it.
This happened to my parents (using SBC), when all of sudden they started getting long distance changes everytime they called their cell phones from home. While not bankrupting, the cost was closer to $5/month, not just the few pennies that Verizon claims in the article.
There solution was to change the cell phone numbers so that they were local calls instead.
What tests and process do they do? Is this always the same? How do they learn from their mistakes? Is the process upgraded and reviewed regularly.
:-)
Not used to working with the government I see
Actually, I think the FIPS 140 process is actually a very good example of those concepts done right. Review the FIPS site.
The answer to your question about tests will be answered thoroughly, perhaps you will want to start with the derived test requirements section.
From my experience, the FIPS 140 certificate does a good job of ensuring that products live-up to their formal design specifications. The obvious question is how good were the design specifications? This is where things get interesting. To over generalize, I think FIPS 140 does a good on tamper-resistant (and respondent) hardware design, and a poor job on logical security.
A lot of the FIPS philosophy came out of the military, and the testing labs impressed me with the breadth of their physical attacks. On the other hand, the military usually has very simple logical security requirements for a crypto-box. It should be inert until authorized users properly activate it, and at that point it can perform sensitive actions. Commercial cryptography designs by contrast, usually has a set of functions that needs to be generally available. They also have a much smaller set of functions that need authorized users to control.
When we put our product through the immediate predecessor to FIPS 140-1 certification, we were the first commercial product and ended-up breaking a fair-amount of new ground (somewhat painfully as you might imagine). What we had to show was that the cryptographic commands that were available to non-privileged users were safe - because of the logical security design. Even early FIPS 140-1 processes did not really deal with these "always-on" functions very well.
Although it improved, especially with the 140-2 modifications, logical security is still the real weak point. Michael Bond's well publicized attacks on the FIP 140-1 level 4 certified IBM 4758 security module were all aimed at the "logical security" level. My favorite example of insecure by design is the PKCS #11 security module when it is used for server security.
The Cryptoki (PKCS #11) interface was designed for security tokens, and basically works a lot like the military devices. The token (smartcard, whatever) would be plugged into the client device, where it would remain inert until activated by the user password. Actually a pretty good design when used this way.
The problem is when the same design is used for a server, which is unfortunately common since several PKI vendors standardized on using PKCS #11 security modules. PKCS #11 authorization levels are all messed-up for server use. There is no concept of "always-on" commands, or multiple levels of authorization. That means that any entity (server application) that wants to access the security-subsystem must be an authorized user.
The result is that the clear password that enables the PKCS# 11 modules has to be put into the server application. Because of that clear password an attacker no longer has to break into the PKCS #11 box or steal/forge authorized user's identities. They can gain authorized user privileges merely by monitoring the communication lines between the application and box, or by analyzing the object code of the application!
You will find a number of FIPS 140 certified PKCS #11 modules, which is actually no surprise given how well PKCS #11 matches the military origins of the FIPS 140. This is a classic example of a certified subsystem that is quite secure for some uses (human insertion of a token and entry of password), but it quite insecure for others (server applications storing and using clear passwords). All the FIPS certification does in the case of PKCS #11 is tell you that the vendor has followed their design, and not if it will provide logical security in your system!
I've taken some hardware crypto products most of the way through a FIPS 140-1 level 3+ cycle, but never completed it because our customers were not willing to pay the extra money (my company had certified other products before that, and has certified some since I've left).
I find it interesting that people are starting to specify AND demand FIPS 140. When we certified our first product, using the predecessor of FIPS 140, we only ever had one customer - the US treasury. Perhaps the chicken-and-egg situation is changing, because just enough companies have FIPS 140 certified products that customers might actually be able to buy one.
In reality, most customers will not use the actual certified product, for a couple of reasons. First, it is too expensive (and takes too long) to recertify the product for every minor version change. Second, the FIPS process only allows certain algorithms (FIPS algorithms naturally) and certain cryptographic formats. If your product wants to support the wide-spread PKCS format (RSA pseudo-standard) instead of the government preferred ANSI formats (in cases where there is a difference), those PKCS commands will have to be disabled in the FIPS version of the product.
I agree that digital copies should not be treated any differently. But there is a good reason we don't want to stir up that pot!
Right now digital content and copies are treated differently. There are a lot of additional restrictions on digital copies, thanks to laws like the DMCA. We don't want to even mention analog material, because it would be a step backwards if analog material came under the same rules (even relaxed by Lofgren's bill) as digital material.
Meanwhile, the publishing industry is trying to add restrictions to analog material as well. That is part of the whole "analog hole" that they keep harping about. Ironically, the fact that they complain about the analog hole reveals their first arguments about digital being diferent were lies! What really happened was they used digital issues as a "wedge" to get special privileges, and are now trying to expand those privileges to cover everything.
Nope, the bill adds a provision that allows distrubtion of "cracking programs" if the conditions are met (non-infriging use is blocked by copy protection, and the copyright owner does not provide an alterntaive method of enabling the use). All in all, this is a well written bill.
PS: Except for that "perfect digital copy" part, see my other post.
Here is an excerpt of my letter of support sent to my congressman:
I have one little quibble with the bill as it stands. In section 2. FINDINGS, paragraph (2), it states "Perfect digital copies of songs and movies...". This is an exaggeration that has been used by both the RIAA and MPAA to justify draconian copyright protection measures. They purposely confuse two different concepts: "digital copies" and "digital distribution". The reality is:
(1) Digital copies are far from perfect
(2) The quality of a copy has little impact upon non-commercial copyright infringers
Take an example from ten years ago, the mandating of copy-protection on Digital-Audio-Tape recorders. The only people who cared about quality enough to be effected by the copy-protection measures were audiophiles (who, by the, way effectively killed the format because of the restrictions imposed by congress). The irony is that audiophiles were also the least likely people to make illegal copies; on the contrary, many purchase multiple versions of a single recording. The more typical non-commercial copyright infringement was young teenagers buying $50 boom-boxes with abysmal sounding cassette duplication. The quality of the duplication was of minimal importance (you can't hear the poor quality on a $50 boom-box), as it had minimal impact on their decision to make illegal copies vs. buying legal copies.
I'd recommend striking the word "perfect", and putting to rest the urban legend that digital copies are somehow different from other method of copying. This is not meant to diminish the importance of digital distribution, which obliviously has had an impact on non-commercial copyright infringement. Confusing "digital copies" with "digital distribution" is how we got lousy laws like the DMCA in the first place.
I agree with that in general, but you always have to take denial-of-service into account too. Can I disable all user accounts just by entering three bad passwords into the system?
Encryption is not a magic wand. Does the web browser need to be able to decrypt traffic from the server? If so, when the web server becomes "owned", than the decryption capabilities get owned as well. What is the benefit, at best a layer of extra knowledge to find the decryption routines (security by obscurity).
Designing a cryptographic system that will help against "owned" servers (or insider fraud, say you can't trust the system administrators) is much harder. You almost always have to go with data oriented encryption, as opposed to channel oriented techniques (such as IPSEC or SSL). Hardware crypto devices are also very useful - the physical layer obviously is primarily designed to counter insider fraud in a server installation. But even more important is the ability of hardware crypto devices to control the type of operations they can perform.
Think of the "PIN" in a banking system. The hardware device does not have the ability to "decrypt a PIN" (at least in most banks, but that's a different story). Compare that with the situation where say a PIN Translate function is put on a software server and that server gets owned. It would be relatively easy to break down the PIN translate function (which consists of a decrypt followed by an encrypt) and examine the internal results to find the clear PIN.
In summary, most uses of channel encryption (clearly that was what was described in the quoted section) will provide little protection against compromised servers. Many types of database encryption have the same problems, if there is some means of the server accessing the clear data.
I think both judges may have some technically correct views (having withstood appeal), but are overall incredibly shortsighted. I wonder what those same judges will rule when Hollywood gets congress to fix the "analog hole" and outlaws any camera that would take a picture of a still frame.
Newsline 2007:Judge Kaplin rules fair use has not been abridged by the latest Fritz Chip 3000, since consumers can still exercise fair-use by talking and waving their hands to describe a movie sequence! In other news, the copyright scofflaw firm Crayola has filed for bankruptcy since they can no longer sell their anti-circumvention technology called "crayons", a device that enticed young children into a life of crime making drawings of copyrighted material.
Stealing the physical card happens, but it is small potatoes. Fake cards (usually copies of legitimate cards) are a really, really big problem. Credit card companies loose billons of dollars a year due to fake cards.
The biggest issue I had from reading the article, was figuring out how the one-way-function was going to be verified. It's nice that there are a terabit of combinations that could be used, does this mean the issuer is going to have to store a terabit of data for each user?
If they only use a subset, than we no longer have the security range of a terabit of information do we? All an attacker has to do is figure out what the subset that will be used is. Since it is "copy proof", it is not like the host can perform a duplicate one-way-function. I don't think this will become practical unless they can clearly resolve this issue.
Incorrect, but becoming more true as the media companies buy congressional laws. Far from "never", until recently you always controlled the media you paid for. If I buy a book, I can read it, lend it, resell it, or even cross-out phrases that offend me.
These actions have been protected by a set of rules called copyrights. But for the last hundred years, consumers have been getting less and less from the copyright barging. This is because the media companies are the ones who have lawyers who write laws, and congress just rubberstamps them without sticking up for normal citizens.
But the consumers were still in pretty good shape (as opposed to artists and the public domain) until about 10 years ago. The 1992 DHRA mandated copy protection for digital audio recordings and started the latest slide.
The 1998 DMCA went over the top by making it illegal to bypass content control measures. Before that, the companies had to resort to contracts that courts judged to be an illegal attempt to override copyright laws (such as the book publisher who tried to prohibit reselling of it's book by something very much like a shrink-wrap license). Thanks to the DMCA, the media companies can just make a DRM control gizmo do anything they want and your only resort is to not buy that product (the DMCA granted them wide powers, but no restrictions on how they could use it).
The next step on the media company's agenda is well underway. They are attempting to remove any choice you have about not buying DRM systems by making them mandatory. They are using every means at their disposable to do this, including threats (no release for new media, nuisance lawsuits against product companies), congressional bribery (see the clear quid-pro-quo money trail for sponsors of pro-media company laws), and back-room government deals (FCC regulations mandating copy protection for satellite tuners, upcoming FCC copyright flag mandate for HDTV broadcasts, etc.).
They should not have the right to exercise this level of control over their media, but they are getting it. It will be bad for both them and the society in the long run, but they don't care. They have the money and political clout to preserve the gravy train for a little while longer; and care nothing about the negative effects.
One reasons for that is that Best Buy is not making money selling [at least some] CDs. A couple of years ago several record companies were convicted of price fixing. The basis of the lawsuit was that Best Buy was selling CDs below the "recommended cost", and therefore did not qualify for industry kick-backs.
From articles on the music business, the store that consistently buys CDs with the lowest prices is Walmart. I don't know how there retail prices compare to non-sale CDs elsewhere though...
I've pretty much stopped buying CDs from stores (mostly as a RIAA protest). I buy either directly from the artist or second-hand.
Except you forgot several steps before that.
1) Corporations use special government granted-monopoly (copyrights) that are not part of the free market.
2) Corporations lobby for and get laws passed that remove your choices:
* UTICA contract terms that shaft the consumer (only two states so far)
* DMCA mandated copy protection in video recorders
* DHRA mandated copy protection in digital audio recorders
* FCC mandated copy protection in video satellite receivers
* DMCA anti-circumvention laws, etc.
3) Corporations are currently lobbing for, but have not yet received, laws that even further restrict your choices (FCC mandated HDTV copy protection flag, CBDTPA, etc.).
Now we get to the point where vendors offer up products. You call this a free market? If you really believe in the free market, you should be very concerned about these laws and working to get them repealed! Why do you assume that vendors selling these products get to take advantage of government mandates, but the consumers don't!
You got it! The DMCA does exactly this: it is illegal to circumvent the copy protection, even if you just want to exercise your fair-use rights.
This what happens when congress rubber-stamps laws written by the industry. The publishers (including RIAA and MPAA) did not like fair-use, and they used the DMCA as a legal lever to allow them to eliminate them!
The laws are all one sided, they put restrictions on the consumers, but don't put any restrictions on the publishers. That is why Digital Consumer's "Bill of Rights" is so important! (http://www.digitalconsumer.org/)
The Disney animated "Tarzan" DVD is the worst; it disables the "fast-forward" and "menu" features during 5 minutes of previews and commercials. By experimentation, I found the "skip" button still works. More recent Disney DVDs tend to disable "fast-forward" and "skip", but leave the "menu" option accessible ("Toy Story 2", "Tarzan and Jane").
The new method is targeted towards young children, old enough to load movies and do basic DVD operations. Most of this target audience ends-up sitting through the ads unless parents help out. I would call all of these cases of mandatory commercials (even in the technically proficient can find some method of reducing their impact).
Finally, you have probably sat through hundreds of mandatory commercials that disable all controls ("fast-forward", "menu", and "skip"). These are the studio logos and FBI Warnings (granted they are 5 seconds instead of 5 minutes). You may not realize it at first, but studio logos are a commercial! What makes showing the studio's logo so important that you can not skip it? Nothing except the built-in controls that Hollywood put into the DVD format.
There are at least two big holes in this theory. The biggest is that VCRs made before 1998 can quite legally not recognize the copy protection signal. It is therefore legal for me to copy a DVD to a VHS tape because I'm not circumventing any copy protection; provided my copying otherwise falls into the fair-use or unregulated provisions of the copyright law.
The second is that not all DVDs have copy protection enabled. Seems like a minor point, but don't overlook it.
As these older VCRs wear out and go away, this statement about it being illegal to copy a DVD are going to become more and more true. Those are your rights that are fading away, sold by congress and delivered by the DMCA!
Good question. The difference comes from the RIAA's interpretation of the DMCA. Unfortunately all the lower court decisions to date seem to agree with the RIAA's interpretation. The reasoning goes like this: DVDs are copy protected. It is illegal (with certain very narrow exceptions) to circumvent the copy protection. Thus if you made a copy, you could only have done that by circumventing the copy protection, an illegal activity.
Under this interpretation, it would not be illegal to make a copy of the CD, because the CD is not copy protected. If the CD is copy protected, than it would be illegal to make a copy by circumventing the copy protection (hence the recent stories that black pens are an illegal device under the DMCA, because they can be used to circumvent Sony's CD copy protection scheme).
The reason the RIAA's interpretation of the DMCA is being upheld by the courts is the totally inadequate authorship of the DMCA (some might propose this was on purpose, and I won't disagree with them). There is a clause in the DMCA which is supposed to protect fair-use. In the first DMCA related case, the DeCSS (MPAA vs. 2600) the judge ruled that the fair-use clause did not apply to the copy circumvention sections of the DMCA.
There have since been a number of rulings that manufactures and publishers are not obligated to protect fair-use. Aside: one judge said the DVD did not limit fair-use, because you could still take pictures of each still frame, at least until Fritz chips appear in all the camera and sounds recorders. The copyright rules as written force copy protection down the publics throat, but put no limits on the use of them. So that is why we are in the situation we are now, the DMCA essentially grants the copyright holders the ability to remove any right a citizen would normally have, so long as they can claim the citizen using it had to break copy protection in order to use it.
I agree with the general statement, but the comment is somewhat trollish. Here are a couple of important corollaries:
1) The failure of DAT is almost directly tied to the copy protection that was built-in to the format (at the consumer level). The people won, kind-of, and you can bet the industry paid close attention.
2) The lesson the industry learned was "people won't knowingly buy copy protected items". This resulted in great efforts to keep consumers in the dark. How many people knew the DVD was content-controlled up the ying-yang? How many people know those new VCR's they are making have copy protection in them. The manufacturers do not tell you they do, the people selling the products don't tell you, the only way to find out is when it fails to do something you expected.
3) Another lesson learned from the great DAT failure, was that people would use other options in preference to the crippled format. People use a MP3 or a computer CDR instead of DAT or CDR-Audio, because it works better and is not hobbled by features they don't like. This is why the RIAA and MPAA are so hot on getting congress to mandate content control for everything! To eliminate consumer choice.
4) New items are very flexible, think of TIVO for a moment. I liked the way it worked when I bought it, but what happens if they configure it in a way that I don't like tomorrow. At best I could stop the service, unless I had already done the "lifetime" service.
In summary, not buying can work. But it does not solve all problems. Don't forget we have active, rich, and politically-connected monopolies doing everything they can to ensure it that consumer preference won't be taken into account!
How are you going to solve problems 2-4? Even if you are willing to boycott all forms of media (I can respect that), it does not help the damage to society. The public domain is shrinking, the future won't be able to read our DRM protected content, and we have powerful people trying to control information dissemination in our society. This needs more action than a boycott (although a really good boycott might help).