Slashdot Mirror


User: seaan

seaan's activity in the archive.


Comments · 179

  1. Re:Encrypted email alternatives on Phil Zimmerman and PGP at CNN.com · · Score: 3, Informative
    The closest thing to the dream of "just press a button" is the S/MIME in Outlook. That still requires users to get a certificate ("a what?!", they will ask). And S/MIME has drawbacks.

    Working for a security firm, we decided to use Outlook and S/MIME. We had a policy that we would sign all messages by default, and use encryption where possible. After over a year of problems, we have stopped the default signing. We still use encryption, but not as much. The problems included:

    * People not being able to read an S/MIME signed email - includes Hotmail and certain combinations of Outlook/IE (since Outlook gets most of its crypto libraries from IE, the version of IE is important). Sending people messages that can't be read is a serious barrier!

    * Random false-negatives for signed messages. Once in a while, a message would indicate it had an invalid signature, but we could discern no change from the proper message. It does not build confidence to tell people, ignore the error message saying the email has been tampered with!

    * Outlook is really lousy when it comes to acquiring and managing certificates. I'm guessing they designed it with Exchange in mind (assuming some corporation puts certificates in Exchange for a closed system). Initializing and managing certificates was a real pain, even for those who knew precisely what they were doing.

    * Outlook did not have a "use encryption only if person has certificate" option, which meant that you had to manually select encrypted email every time you wanted to use it. Also, there is no good way to send a single message with encryption to people who have the certificate and ability to read it, and no encryption for people who don't.

    * Occasionally we could not read encrypted mail because of a variety of errors. The most common was obscure certificate issues (actually bugs, since most of these errors should not have been transient).

    * The level of S/MIME encryption would vary, according to obscure and undocumented reasons (probably bugs too). I always selected 3DES, but more than half of my messages went out with some other form of encryption. Even worse, Outlook does not give you any warning that your message is going out with weak encryption!

    Not all of these are S/MIME problems, but as you can see, we are still very far from "just press a button".

  2. Re:No idea on our rights!?!?! on Copyright [CBDTPA] Bill Universally Rejected · · Score: 2
    Interestingly enough, Arethan's comments about inalienable rights are often used in the copyright area, but usually by the copyright holders who are trying to gain more benefits from their copyrights (while taking away yours). If Arethan actually knew how copyright laws were passed, he would be a lot more worried!

    For the last 100 years, the copyright law process has worked the same way. During the copyright conventions, the copyright holders make sweeping claims that greatly increase their power. All the participants in the convention don't contest the principle; instead they carve out narrow exemptions for the group they are representing. The "all copies are illegal" principle which was the basis of much of the DMCA is a good example. The copyright holders have been very nervous about digital technology, and use this principle to explain that a computer in its normal operation is making illegal copies because it has to store copies of the protected item in multiple places (main memory, over a computer bus, on a hard drive, etc.). The theory goes that the computer is a natural infringer of copyrights just by the way it operates.

    This concept is a ridiculous expansion of copyright power, and ought to have been rejected outright. Two simple examples of existing technology show how bad of a principle this is. When a person uses glasses to read a book (pretty much everyone over 40), their glasses perform a translation of the book, thus glasses are making an illegal copy. A closer example is playing back a record. The cartridge reads the vibrations and translates them into electricity. That electric signal is amplified, and then modified (RIAA equalization). Then it is amplified again, and presented to a speaker that transforms it back into mechanical vibrations. Each stage of this playback process corresponds to a digital process, but that does not mean the record player is a natural infringer of copyrights.

    I don't believe we can easily change the copyright conventions, so that means we have to do something else to protect the citizen (not just a consumer!). The sad fact is that congress should have been acting to protect the citizen from overbroad claims like this, but the best that normally happens is that congress will occasionally add exemptions. As recent court cases (and threatened legal actions) clearly show, these exemptions are often not worth much.

    That is why things like "The Digital Consumer's Bill of Rights" make sense. They will help ensure that citizens' rights are not traded away by special interests. The Bill of Rights is actually fairly limited, and to some extent it feels strange to even have to argue for them (indicates how weak of a starting point we have). I think Mr. Krauss's legal sense is right on target!

  3. Suggestion for anti-CBDTPA on CBDTPA Finds A Champion In the House · · Score: 2
    As I've explained the problems with the CBDTPA, I've found the best way is to start with digital cameras. Only a few of my friends make music or movies, but they all take pictures. I've found some people have fuzzy support for copy protection of videos, but when you start showing what happens with photos it really drives home the CBDTPA problems. Here is how I explain it:

    The CBDTPA requires that all new devices that produce, modify, copy, or show copyrighted items have to have built-in copy protection. This includes cameras, microphones, computers, PDAs, discman, DVD players, TV, speakers, and computer monitors. In practice, this protection will be remotely administered by industry co-ops like the RIAA and MPAA; which in turn are largely controlled by companies like AOL-Time-Warner and Disney.

    Hollywood and the recording industry believe all their customers are thieves, so they want to take control over the ability to control copyrighted material from all citizens (not just their customers). That means someone at Disney, indirectly controls which pictures you can transfer from your digital camera to your computer. Further, this law means giving some recording studio mogul the ability to decide if a citizen can email copies of their own pictures to their relatives.

    They claim they need this control, because it is the only way to stop illegal copies, and that otherwise they will go out of business. Of course the movie industry made the same claims that TV and the VCR would ruin them. The music industry claimed Juke Boxes and Radio would ruin them. In all of these cases, the new technology turned out to be extremely beneficial despite the claims of disaster, and the industry would have suffered greatly in the long term if they actually got the laws they wanted.

    Now once again, the established industry is afraid of change, and is reacting by trying to use the legal system to ensure they remain in power. There are a few differences this time, congress has already given them sweeping powers through the ill-conceived 1998 Digital-Millennium-Copyright-Act (DMCA), and now the industry is trying to take these principles to the next step. The rights and freedoms of citizens are given away by congress in backroom deals and poorly written laws. When the industry could not directly eliminate some of the citizens' rights they wanted to, they instead wrote the DMCA in such a way that it outlawed perfectly legal actions (legal to copy, but illegal to break the copy protection that keeps you from copying). The CBDTPA is more of the same! Don't let them get away with it, contact your senators and representatives and instruct them to not support the CBDTPA.

    -----------

    If you go back and substitute "music recordings" and "movies" instead of "pictures", the argument does not have as much impact. But the fact that almost everyone makes pictures, really helps show how extensive of a privilege grab the CBDTPA is.

  4. Re:BSA Opposed to it on More Details on the CBDTPA · · Score: 2
    I expect to hear more from Adobe and Microsoft very soon, as both of them are going to take really big, nasty hits! Basically any program that produces, displays, or modifies copyrighted material will have to be formally regulated. We are talking the main cash cows here, Microsoft Office and PhotoShop!

    The programs will have to be rewritten virtually from scratch, so that they interface with hardware Secure-Modules (SM, essentially like smartcards). Most operations on the copyrighted items will have to be performed directly by the SM. It takes a totally different architecture to utilize an SM, so expect big learning curves and lots of hardware integration problems to occur during this process (I've got 14 years experience in seeing software crypto programmers try to convert their programs to use a SM).

    In addition to the massive start-up cost (for learning-curves, re-architecting, redesigning, developing, and testing), there is even worse! My experience with encryption export regulations (the closest equivalent) is that it will increase expenses of supporting and maintaining the products by 10-20% per year. Icing-on-the cake, is that these programs are going to end-up with less functionality. The SM just does not allow the same type of access as normal software (nature of the beast, an unlimited SM is worthless).

    In summary, they will have an incredible upfront cost, an on-going regulation burden, and end-up with dramatically inferior products. This post just mentions my conclusions, but some people may find my analysis framework to be of value. I'm happy to offer free consulting (within limits) to any company that wants to lobby against this bill.

  5. When Copyright Expires on More Details on the CBDTPA · · Score: 5, Insightful
    Although I've seen the issue of "encryption never expiring" mentioned in /. I thought it would be worth looking into a bit more deeply. The failure of DIVX provides a very good example of what can happen to DRM protected material. Everyone who "bought" DIVX media ended up with worthless "coasters" once the centralized DRM controller went out of business. Thus even in the short term, the DIVX example shows that DRM is not consumer friendly.

    As an amateur historian, I realize that in the longer term it is hard enough to find materials after the normal process of time. The digital revolution has made this much worse (for example a recent /. story mentioned that England could not retrieve census information that had been recorded c.1980 from obscure 14" optical storage disks). The use of encryption and DRM is going to make this situation much, much worse.

    The problem is that DRM does not expire when the copyright expires (assuming congress will eventually allow copyrights to expire, and does not keep extending them forever :-) The copyright balance requires that the work goes into the public domain once the copyright has expired. The only way that will happen with a DRM scheme is if the copyright holders are still around, and have some type of motivation to make it public.

    This is a difficult problem, with no easy solution. A minimal solution is to require that all copyright holders make their product available when it enters the public domain, but this won't help if the organization is no longer in business. Given this view, I don't know if DRM should be legal under copyrights. If DRM is legal, the only workable solution is to go back to the old method of copyrights (pre-1976) where you actually have to register for copyright protection. If you want to copyright something that is only "published" with DRM controls, an archival copy of the original unprotected version must be registered with the copyright authority (presumably Library of Congress, who will need new funding for this responsibility). This method has another real advantage, which is that it ensures that the copyright holder can be identified. The restoration industry has a big problem with "abandoned" works that are still technically under copyright, but they have no contactable owners.

    This is a long term problem, and typically people don't worry about the long term (companies have trouble thinking past the end of the quarter!). But the issue of archiving and availability is extremely important. It goes right to the heart of what copyrights are supposed to do: "promote the progress of Science and useful Arts". Widespread use of DRM will make today's tragedies small potatoes (such as movies from the 1910-40's that should be in the public domain, which are instead literally rotting away without any care by the actual copyright holders).

    Feel free to use some of these arguments in the letters to your congressmen!

  6. Re:My contribution to the War on Terrorism on Senate Soliciting Comments on SSSCA · · Score: 2
    This post contains a typical /. mistake -- Microsoft does not own THE patent on DRM. There are hundreds of patents that have some relationship to DRM.

    A better way of phrasing this concern is to note that many DRM technologies have been patented, and the government should be very wary about mandating a scheme which enables one or more patent holders to hold an entire industry for ransom (several different industries actually).

  7. Re:IBM a monopoly in the mainframe market? on Compuware Brings IBM to Antitrust Court · · Score: 2
    It's just good business sense to buy reliability. No one else can offer that yet.

    Sorry, as an ex-Tandem employee I can't let that pass. For companies that are really serious about reliability, they run Compaq NSK (aka. Tandem Guardian). Last I checked the NSK systems were still used by 99% of the stock markets, and most of the ATM banking systems. The mission critical areas of telcos, airlines, trains and 911 services are all markets where NSK has a major advantage over IBM.

    NSK has better TCO, and better uptime. A recent survey of the entire NSK installed customer base showed virtually every customer had an uptime better than 5 nines. I'd like to see the equivalent survey done with IBM's customers, it won't be pretty!

    IBM does have a fault tolerant program, but it is hardly off-the-shelf. First you buy redundant IBM hardware and then sign a very expensive check to IBM Global Services so they can customize all your apps. IBM has name recognition and a strong service organization. That is not the same thing as reliability.

  8. Workable DRM? on SSSCA Editorials · · Score: 5, Informative
    As both a dedicated member of the EFF, and an applied crypto specialist, I've been wondering how and if a DRM/content-control system could be made "reasonable". I even worked on a proposal for the product that became DIVX in a past job. My problem with pretty much every commercial system I've seen so far boils down to the issue: I don't trust the people designing and administering the system.

    For example, I have no conceptual problem with restricting some traditional fair-use rights when it comes to renting movies. I don't think a renter needs the ability to copy the movie for either time-shifting or back-up purposes. Congress started with that basic thought, and ended up with section K of the DMCA that required copy protection on all new VCR's (CopyGuard/MacroVision). The problem is that the movie industry promptly screwed the consumer!

    * They put copy protection on all tapes (and DVDs), not just ones for rental.

    * The copy protection removes fair-use (that I think) should still be available in a rental situation: such as "quoting" a section of a movie for review or analysis.

    * The copy protection does not expire once the movie becomes public domain, an issue that will cause our future historians fits!

    Most of the DRM systems I've seen proposed eliminate most of the rights/benefits consumers (and society) normally have under traditional copyright law. If the DRM clauses were put into a "shrinkwrap" contract, they would be ruled unenforceable (for example the courts quashed the publisher's attempt to enforce a "do not resell" notice in a book). A DRM system combined with the DMCA anti-circumvention measures puts the consumer at the mercy of the system designer. Your only option is to not buy it, which may mean going without since the publishers/recording-industry are going to be loath to make any non-DRM content available.

    Ignoring all the practical issues with the SSSCA for a moment (and there are a bunch!), the only way the bill should proceed is if it guarantees that no DRM will hamper or eliminate rights in the copyright balance. I'm not talking about Disney's definition of fair-use either (which as best I can tell, is something to the effect that Disney can use public-domain material, but does not have to release any of its own work into the public domain). To take my rental example, the DRM would have to find some way to accommodate all three bullets (not an easy thing to do).

    To be fair, another slant on this is the definition of new "relationships". We can now think of two normal methods of obtaining a movie for example: "purchase" and "rental". The DRM proponents are trying to make new workable models. The original idea behind DIVX went something like this: Electricity used to be charged based on capacity. Edison would count the number of lights in your house, and set the monthly charge based on the potential capacity of how much electricity you might use. Once they designed a power meter (a very tricky area, even now), they could dramatically lower the prices and only charge you for the electricity that you used. DIVX would allow a very low charge per use (planned to be lower than a traditional rental charge), instead of a one-size-fits-all purchase price.

    The DIVX problems make a good illustration for almost all the DRM schemes I've seen. I never heard of DIVX being cracked. Secure client software backed up with a centrally managed server can make things pretty bullet proof (up to the point it converts to something outside of the DRM scheme). But security aside, DIVX had a whole host of problems, which frankly I don't know of a way to get past. Aside: I've considered job offers at today's DRM companies, but many of them are just too sleazy. The typical attitude is that public domain and fair-use is unimportant - the copyright holder's content needs to be protected at all costs!

    * The most obvious issue, is that once the central DIVX system died, all the media became useless. This is the single largest issue with DRM.

    * The discs were too machine specific (they did have some theoretical "sharing pool" for people who had multiple DIVX players, which I'm not sure how well it worked). Even if you paid for a life-time access (see above), you could not play the disc on your neighbor's machine.

    * There was a large potential for "marketing abuse", since they had to identify each item played on the machine (they would know who played what media, how many times, etc.). Your only protection was voluntary agreement that the data collected would not be misused.

    * You are at the mercy of the DIVX operations staff. They could change the price or terms-of-use any time they wanted to.

    As to the practicalities of the SSSCA, I think the closest analog the computer industry has experienced is export regulations. I [unfortunately] have lots of experience of just how bad that can be! I worked for a company that used encryption in virtually all of its products. We once estimated that approximately 20% of the company's resources were used to deal-with, design, and follow export regulations. Of a hundred employees, "only" 3-4 actually dealt with the regulations daily, but virtually the entire design team had to take them into account. What should have been a single product would be split into multiple products to fit the ever changing interpretations of the regulations (resulting in a dramatic increase in development, testing, manufacturing, and marketing). Believe me, very few people in or out of the industry have any idea of how bad the SSSCA would clog our technology industry up!

  9. Re:EULA's aren't worth anything on California Court: EULAs are Inapplicable in Some Cases · · Score: 2
    This concept was the basis behind the DMCA "changes" to the copyright laws. The philosophy assumes that any copying is illegal, including the concept of copying a program from a disk to RAM. Anything else requires a specific exemption (like your AHRA example).

    This is a perfect example of how the copyright law has worked over the last century or so. Various stakeholders in the copyright arena periodically get together in a conference. The copyright holders make broad claims (like above). Instead of contesting it, the rest of the people just carve out exceptions for themselves. An example would be Librarians get an exception to make a copy from disk to RAM, if they are making an archive of the program, and so-on.

    The best explanation I've seen is Jessica Litman's "Digital Copyrights", which explains how this "any copy is an illegal copy" doctrine first got introduced and worked its way into the DMCA. This is a great explanation of why bad assumptions and all sorts of exceptions appear in copyright laws (biggest single reason, no one representing the general public takes part in the conferences, and the congress who should be looking out for us just rubber stamp the results).

  10. Re:Sony's counterargument: expiry of warranty on A Closer Look At D-VHS At DVDfile.com · · Score: 2
    Sony will probably use the counterargument that because the warranty on the media has expired

    I agree that Sony would bring the warranty up. Part of what makes this an interesting case, is the mixture of "contract" and "copyright" law. The manufacturer's warranty is part of the contract, but there are a number of other contract considerations that come into play. They range from the "value" of the sale, rights given up or extended, customer expectations, etc.

    I actually think the warranty will end-up being both a strength and weakness for Sony. On their plus side, they will be able to claim that they have shown some responsibility for taking care of VHS defects. On the negative side, they admit that VHS has (or can acquire) defects. The policy of limiting back-ups of a medium that has known defects shows how they can unfairly take advantage of the consumer.

    A discovery order from the court could obtain Sony's internal documents showing the expected rate of deterioration of a VHS tape (they probably have pretty accurate details, since they manufacture tapes and decks). The discovery order could even produce a "smoking gun" memo that shows a x% increase in sales due to customers buying new copies to replace worn-out or damaged copies (now that they have been prevented from making back-up copies).

    Realistically, I don't think small claims court is going to issue any sweeping discovery orders (although wouldn't it be cool). They are going to base the decision primarily on contract law, and although INAL, I believe there is enough substance that this would have a good chance of prevailing.

  11. Re:It's true: 17 USC 1201(k) on A Closer Look At D-VHS At DVDfile.com · · Score: 2
    I've been looking around for a legal case that could be used to challenge this, preferably under the fact that it restricts me from making an otherwise legal media transfer (from DVD to VHS, so I can watch the movie in a location that does not have a DVD player). But I have found what I consider to be a pretty good small claims court about the back-up issue.

    My child has just worn out one of his favorite VHS tapes, which I attempted to make a back-up copy of because I knew it was going to occur. My contention is that Sony (the manufacturer of the Elmo recording) is responsible for replacing my worn out VHS because they chose to apply content protection that stopped me from being able to make a back-up copy.

    My expectation was that I would be able to make a back-up copy because VHS tapes are known to be fragile. Sony's decisions to put content protection on a tape that I personally own clearly kept me from performing a normal operation. Therefore they should be responsible for replacing the tape.

    The ability to make a back-up is important for several reasons. The most obvious reason is to protect the consumer's goods from normal usage and accidents. If the recording industry is allowed to kill off the ability to make back-ups, they could easily abuse the consumer by using cheap recording tapes that require regular replacement. Thus by Sony's actions in preventing the making of back-ups, and for the good of society, Sony should freely replace my worn-out tape.

  12. DVD Purchase vs. Rental on Australia Rules DVD's are Films, Not Software · · Score: 3, Interesting
    I'm a solid opponent of the current tactics used by the recording industry, but let me kinda-of-sorta support what Warner Brothers was trying to do in Australia. I strongly deplore the attacks against fair-use, reverse-engineering, and free speech.

    The reason I could support something similar to what WB was trying to do, is that I could support the concept of limiting some of the traditional rights during a rental "situation". This was what Rep. Boucher was trying to accomplish with his DMCA clause.

    Of course the actual result of that DMCA clause turned out to be another total victory for the recording industry. It was supposed to protect rental movies from being copied, by making it mandatory for all VCR's to recognize MacroVision/CopyGuard. The industry promptly screwed the consumers by using this copy protection in all movies sold, not just the rental versions.

    Still, I could almost support the scheme of two types of movies: bought and rental. The reality is that this probably won't work for a number of reasons, the classic reason cited in the article is that the "rental version" ends-up being more expensive, so rental stores use consumer versions instead.

    Another practical reason why this would probably not work, is that the recording industry has proved time and again that they are totally untrustworthy! I have to stretch to come-up with an example of an industry that is more sleazy (have to drop into organized crime like loan sharking and illegal immigrant smugglers).

  13. Re:Disclaimer? on Cracking Crypto To Get Into College · · Score: 1
    So you're telling me it's illegal to decrypt rot13 messages?

    Oops, forgot one other irony of the DMCA. Under the circumstances described in my last post, you could run into the following situation: It is illegal for you to circumvent the copy protection, even though your intended use of the copy protected item is a legal and non-infringing use.

    A good example of this is the DVD. You have the legal right to make a back-up copy of a DVD you have bought, under the fair-use clause of the copyright laws. But it is also technically illegal to do so because making a back-up requires breaking the copy protection which is against the DMCA (unless you fall into one of those narrow exceptions allowed by the DMCA circumvention clause).

    This is why people complain about the DMCA giving copyright holders the ability to "legally" eliminate fair-use. A good book on this topic is Lawrence Lessig's "Code and other Rules of Cyberspace".

  14. Re:Disclaimer? on Cracking Crypto To Get Into College · · Score: 1
    So you're telling me it's illegal to decrypt rot13 messages?

    Under some circumstances, that is true. If the rot13 method is used to protect a copyrighted work, and you perform an unauthorized rot13 to read that information, you could be prosecuted under the DMCA. There are a number of circumvention exceptions, but so far these have been applied very narrowly (encryption research, library archival purposes, etc.).

    What makes the DMCA really ironic is that you could even be prosecuted if you told someone else "company xx uses rot13 to protect their yyy copyrighted content, and here is how to decrypt using rot13". This is because of the DMCA anti-dissemination clause, and has almost no exceptions (the only one I'm aware of is reverse engineering of software). The quality or frequency of the use of the algorithm does not matter, only the fact that it is used to protect a copyrighted item. This is the method the RIAA used to threaten Prof. Fenton.

  15. Re:Disclaimer? on Cracking Crypto To Get Into College · · Score: 1
    There are some circumstances where it would be legal to crack (circumvent) the Adobe files (DMCA provides exceptions for libraries, encryption research, etc.). But in almost all cases it is illegal to tell anyone how to do it (dissemination, only DMCA exception is for software reverse engineering).

    In general non-monetary circumventions of the DMCA are upheld by civil suits brought by the copyright holder or the producer of the protection method. My understanding of the criminal section is that it only normally applies when monetary gain occurs. INAL, but recommend reading Jessica Litman's "Digital Copyright" for more details.

  16. Re:Stop it! on Cracking Crypto To Get Into College · · Score: 1
    The DMCA is a bad law, but it does NOT prevent anyone from doing cryptography or breaking it. It ONLY applies to circumvention of access control to a COPYRIGHTED WORK. It is copyright law, not encryption law.

    Unfortunately, Tom7's statement is not true. It is true for the actual circumvention provided it is "encryption research" (there is an exception in the DMCA, although "encryption research" is not very well defined). The hitch is dissemination (i.e. publishing), which is the method the RIAA used to threaten Prof. Fenton. So it might be OK for the college students to try and break the code (assuming it was for valid encryption research purposes), but it would be illegal for anyone to say how they broke it (assuming the same scheme was used to protect a copyrighted item). If they make money or might monetarily gain from publishing the break (does karma count) they could be subject to criminal prosecution under the DMCA. I highly recommend reading Jessica Litman's book "Digital Copyright" for more details on this complex subject.

    The DMCA (to the best of my INAL reading) could even be applied retroactively. If I break the scheme before it was used to protect a copyrighted item, I could still be prosecuted under the DMCA. The clause that talks about "dissemination of a circumvention device" provides no protection for already published breaks, hence a magazine that published my break might be liable to criminal prosecution if they sold back copies (the criminal part comes about because they are making money by disseminating a copy protection circumvention device).

    The DMCA even allows the following doomsday scenario (note, I don't think this will actually happen, but the law as written could allow the following): Some party decides it wants to greatly hamper crypto research in the US. They take every bit of encryption technology they can find, and build it into one or more copy protection systems. Once that is done, encryption can still be studied and circumvention methods developed (the encryption research exception), but none of the results could be published (the dissemination hammer).

    The biggest problem with the DMCA is that it is written to be very over-reaching. It is assumed (and hoped) that selective enforcement will make it somewhat acceptable (thereby making my above doomsday scenario unlikely). My personal problem is that it is broad enough to effect me if someone had reason enough. I'm a specialist in logical security involving hardware security devices like smartcards. How do I know that someone won't go after me (perhaps retroactively) for publishing a smartcard vulnerability? After all, hardware security is very important to the future plans of the industry (SDMI, etc.). I truly don't think an anonymous researcher has much to worry about. But what about a person that has decided to become an activist like Prof Fenton? I really don't like the DMCA, or what the recording industry it trying to do, so I am considering becoming more politically active than just being an EFF member. Yet I wonder if my respectable work will provide leverage for civil lawsuits or even criminal prosecution by the DMCA.

    Note: I do occasionally find flaws in this field, so this is not a purely academic worry. For example: I found a flaw in an optional feature of EMV-98 that allowed bank insiders to look at clear PINS; and I have found a number of single-DES attacks against industry standards that were supposedly protected by 3DES.

    So now I have to worry: should I notify people of a security problem, or not. This is a concrete example of the "dampening effect" the DMCA causes, and why it is dangerous and overbroad. I strongly support the Fenton/EFF suit seeking to invalidate the DMCA clause that prohibits publication (dissemination) of encryption research.

  17. Re:A good next step on German Government Introduces Digital Signatures · · Score: 1
    A common quote, and as usual, makes overbroad claims. The three "factors" (have, know, are) are a method of establishing a confidence factor of the identification of a person (or machine actor). They are only a small part of a secure system.

    It is easy to think of other basics needed by a secure system; such as a method to enroll identification information (how does the system know what you are, should have and know); a permissions system (Fred can't withdraw money from Joe's account); and an audit system (how did account "0s|\/|ma" get created and used?).

  18. HP - Tandem + Compaq - HP on HP Buys Compaq · · Score: 2, Interesting
    Here is a bit of history: Tandem Computers was founded by HP employees, after HP refused to build their design. At one point Compaq was in a lot of trouble, and asked Tandem to purchase them. Tandem thought the PC market was not too difficult, and besides they were building their own PC at the time (the Dynamite, an 80% compatible that bombed :-)

    I seem to recall that Tandem did bail Compaq out with a loan though. Flash forward several years to an ousting of the founding CEO, and Tandem being prepped for sale by the new one. Bought by Compaq, who totally destroyed the sales organization (and strangely enough most of Tandem's sales too). Soon after that, they bought DEC, and destroyed its sales organization in almost the exact same way (takes talent!).

    As a Tandem employee at the time of the merger, I found Compaq to not really be a "new wave" company. They talked the talk of employee empowerment, but were more like GE or a telco (aside: Scott Adams of Dilbert fame worked for Pacific Bell), than a typical Silicon Valley company following the true "HP" way. The Compaq CEO and bureaucracy were not used to having a middle class (engineers and professionals); and tried to treat all its employees as a factory worker or an executive. We were not treated as executives, except for international travel!

    The new insider Compaq CEO, after the destroying CEO was ousted, provided some peace in the lands that were formerly Tandem, sounding similar to a manager that valued its employees. Alas there was still much turmoil, and I parted company to the relative stability of a start-up. I wish my former comrades well. I envision their times might be easier, for I judge the HP way is more powerful than the Compaq way; if there is any way left!

  19. Re:Some of this is just stupid.... on Dan Gillmor on WinXP · · Score: 1
    Microsoft have added code-signing (which I thought had been around a while) - which they could use to scare people away? How? I suppose they could do something by only allowing MS code to get signed or something, but that's pretty damn unlikely.

    You miss the point where Microsoft won't sign your code unless you meet their requirements. Some of those requirements are pretty reasonable, but a number of them are almost exploitive (and they are subject to change, depending upon Microsoft's goals). I've already worked in an industry where all my code had to be reviewed by an outside controlling agency (NSA doing encryption export control). I don't have any desire to be contractually obligated to do the same to a ruthless monopoly.

  20. Re:IBM BIOS on Dmitry Protests Running · · Score: 1
    Actually, the DMCA has an exception that allows cracking the protection for the purposes of reverse engineering. Not only is it legal to make these tools, it is even legal to distribute them (this is about the only exception for dissemination).

    Typical of copyright laws, the people at the table get narrow exceptions to the overbroad privileges claimed by the other "players". It looks like the computer industry has more clout than libraries (who can create, but not disseminate), or the average person/consumer (who can not do either legally).

  21. Re:Indoctrination From the womb on UK Schools to Indoctrinate Respect for IP Laws? · · Score: 1
    The laws on copyright are quite clear about the legality of ripping and redistributing MP3s for the use of others who do not own the product - it is illegal !

    This statement is wrong on two counts:

    1) The Digital Home Taping Act passed in 1992 specifically made some types of duplication and sharing legal. It is complicated, and full of exceptions, so read the law. You will need the help of a copyright lawyer if you truly want to understand it, which brings me to point 2...

    2) I am very amused at your belief that copyright law is clear about anything! I highly recommend reading Jessica Litman's book __Digital Copyright__, as well as the laws themselves. That should help clear up any misunderstanding about the clarity of copyright laws :-)

  22. Re:Same old Cut 'n Paste argument. But anyway... on Deciphering Windows Product Activation · · Score: 1
    [windows has] always been sold for one price (~$80)

    The Windows price stability is a myth, instead it has been getting increasingly expensive. Windows does not cost ~$80 unless you already own certain older versions. A new copy of Windows ME will run you ~$180. If you have a PC with Win2K and want to add Windows ME, you don't qualify for an "upgrade" and have to pay full price (happened while I was building a PC for my test lab).

    Not only has the price of Windows increased, but the "privileges" have been limited. There are a number of limitations to the Upgrade Windows version. The OEM Windows version is cheaper and more limited than the Upgrade Windows (supposedly tied to a specific computer). There are a number of /. Threads about Microsoft requiring corporations to get multiple copies of Windows (basically comes down to the OEM version not being licensed for certain uses). Get a different computer, or change your current computer too much and Microsoft expects you to "throw away" the OEM license.

    I think Microsoft expects XP registration to do two things: reduce piracy and help enforce limited versions of XP (a la OEM licenses). They publicly soft-pedal the whole process, but this is a clear step down the DRM road of programmatic restrictions. Microsoft has added increasingly onerous conditions to the Windows licenses during the last few years, and I predict the trend will get even worse. Now XP will give them programmatic enforcement to go along with the legal threats.

    It will be interesting to see when the public backlash will be strong enough to overcome Microsoft's monopoly. Honestly, I did not plan to use Office XP at all, but it came "for free" on my new PC and I have not erased it yet (I even registered it). Windows XP sounds like it might have some desirable improvements (stability of NT but also supports my 9x-only applications). The whole registration process is theoretically enough to make me go to *nix alternatives, but the application swap-out will take a lot of time.

  23. Re:Isn't this asking for a lawsuit? on Deciphering Windows Product Activation · · Score: 1
    One of the ironies of the DMCA is that software reverse engineering tools are one of the few circumvention tools that can actually be legally distributed. The "distribution" section is the most restrictive part of the DMCA (this is the part that the RIAA used for threat letters to Prof Fenton).

    The reason this is ironic is that many software people who are doing reverse engineering will be capable of building their own circumvention tools. By contrast, libraries are allowed to do some types of circumvention of copy protection schemes, but only if they build the circumvention tools internally, it is illegal for these tools to be "distributed".

    I guess this goes to show that the software industry (other than a few industry leaders with code to "protect") got lucky during the convoluted negotiation process that led to the DMCA. I got this information from Jessica Litman's _Digital Copyright_, which is a book well worth reading.

  24. Copy Protection can be strong on Thomson's Vision: Smart Cards For Everything · · Score: 1
    Don't get too complacent! I see a lot of posts saying something to the effect "copy protection is always easily cracked". These are mostly based on past experience, which the recording industry knows about too. There are techniques that can eliminate most of the current cracking methods, and reduce the effect of the remaining ones. That is where the recording industry would like to take us.

    Let's ignore the "last meter" problem for a moment (monitor to the eye, speaker to the ear). Everything else has the potential to have extremely effective copy protection. The two factors that enable this are hardware security and universal connectivity.

    Picture the use of "trusted components" (enabled by things like Thomson's smartcard technology) in every component of a reproduction system. These are difficult to tamper with, and do most of their processing inside (making tapping ineffective). They will always be vulnerable to some types of attacks, but there are techniques to reduce the value of attacking them. For example, I can get a chip lab to modify a smartcard so that it works on my system, but that is not easily replicable.

    By the way, the keys I get from breaking the smartcard are virtually useless. The reason is that I have universal connectivity (perhaps a wireless connection) and the trusted device is in touch with a secure host (eliminates cloning in the medium to long term). Each trusted system has its own unique keys and serial numbers, the host knows these values, and sends all content uniquely encrypted for the target system.

    Breaking copy protected programs is not like this - think instead what you would have to do if every copy protected program was in the "dongle", and only ran on a second smartcard-like computer. Pirating satellite broadcasts is also much simpler - since all content is encrypted the same way and playback does not require host communications (allowing the use of cloning).

    I'll agree that designing a system like this is fairly difficult, but we have the technology to do this today (just not cheaply). That is where the recording companies would like to go, and where groups like the EFF are trying to keep us from.

    By the way, the "last meter" problem is not insoluble against all but the most sophisticated (i.e. money motivated) pirates. The watermarking technology is an attempt to deal with that. There have been some comments to the effect that only obvious watermarks can survive, and that consumers won't accept them. Guess what ... they are already here! Think of the cable channels (like Sci-Fi and Disney) that float a little logo in the corner of the screen. I find it vastly annoying, but I still watch the programs. It would not be too hard to produce a video recorder that checks for the watermark and makes a (recording company dictated) decision based on what it finds.
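The per-device keying described in comment 24, as an added sketch that is not part of the original comment or of any real system: a host derives a unique key per serial number, seals content separately for each device, and can stop serving a serial. The names, serials and master secret are constructed, and the HMAC-SHA256 keystream with encrypt-then-MAC is a standard-library stand-in for a real authenticated cipher.

```python
import hashlib
import hmac
import os

HOST_MASTER = bytes(range(32))  # constructed host secret; never leaves the host

def _prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def device_key(serial: str) -> bytes:
    """Unique key the host derives for, and provisions into, one device."""
    return _prf(HOST_MASTER, b"device|" + serial.encode())

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Keystream of n bytes: HMAC over nonce || counter, one 32-byte block each.
    blocks = (_prf(key, nonce + i.to_bytes(4, "big")) for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, content: bytes) -> bytes:
    """Encrypt-then-MAC under subkeys of one device key: nonce || body || tag."""
    nonce = os.urandom(16)
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    body = bytes(a ^ b for a, b in zip(content, _stream(enc_key, nonce, len(content))))
    return nonce + body + _prf(mac_key, nonce + body)

def unseal(key: bytes, blob: bytes):
    """Return the content, or None when the blob was not sealed for this key."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    if not hmac.compare_digest(tag, _prf(mac_key, nonce + body)):
        return None
    return bytes(a ^ b for a, b in zip(body, _stream(enc_key, nonce, len(body))))

class Host:
    """Knows every enrolled serial and seals each delivery for one device only."""

    def __init__(self, serials):
        self.active = set(serials)

    def revoke(self, serial: str) -> None:
        # E.g. after the same serial shows up from two places (a suspected clone).
        self.active.discard(serial)

    def deliver(self, serial: str, content: bytes):
        """Seal content for one enrolled device; None for unknown or revoked."""
        if serial not in self.active:
            return None
        return seal(device_key(serial), content)
```

A key extracted from one device opens only blobs sealed for that serial, and the host can cut that serial off without touching any other device.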

  25. Re:No sympathy, yet a suggestion. on TiVo Upgrade Isn't · · Score: 1
    Or is it because it allows you to engage in borderline legal activity (time-shifting)

    Time-shifting is explicitly legal, thanks to the DMCA. Take a look at section 1201(k) http://www.eff.org/pub/Intellectual_property/DMCA/hr2281_dmca_law_19981020_pl105-304.html