Slashdot Mirror


User: tambo

tambo's activity in the archive.

Comments · 591

  1. Re:Regardless of the implications... on Taiwan Under Cyber Attack from China · · Score: 1

    Wow, it looks like you're right. I'm usually on top of the whole urban-myth thing (I'm a regular visitor of snopes2.com), and in fact I did a few quick net searches to refresh my memory of this event for a law school class about four years ago. But my searches now reveal this to be a myth - you are correct.

    Thanks for the info. :)

    - David Stein

  2. Regardless of the implications... on Taiwan Under Cyber Attack from China · · Score: 3, Interesting

    Regardless of the implications of this:

    1) This is, to put it concisely, goddamn cool. We've been hearing for years about how countries might wage some kind of hax0r-cyber-warfare on each other, but aside from a few isolated instances (e.g., the U.S. disabling Iraqi computers in 1992 by introducing a hardcore virus via, of all things, printer driver software), we've dismissed it as futurist hogwash. But it may be happening now. If so, it's an historic moment in computer science.

    2) This is better for people than having any country invade or bomb another. This type of invasion may be a precursor to that one - but if, in the future, a country can be brought to its knees with minimal loss of life by just wrecking its computer infrastructure, then that is a good development of history.

    - David Stein

  3. Re:LOL on Phoenix Bios to Incorporate DRM · · Score: 1

    Yeah, even I don't consider it a troll post - and I wrote the post that generated his response. :)

    - David Stein

  4. Re:DRM in hardware on Phoenix Bios to Incorporate DRM · · Score: 1

    If the BIOS can be flash-updated, how does the system know whether a valid DRM-approved upload just occurred?

    Nah, that part is easy. You can just cryptographically sign every BIOS release. Every valid BIOS release, including the one that comes with the device, will accept a flash ROM update only if the new ROM can be decrypted with the manufacturer's 65,536-bit public RSA key.

    Windows XP has featured this for a while. Ever try to update a device driver and have Windows present you with: "This device driver is not signed and may be unsafe"? In Windows, it's just a warning; in DRM hardware, it will be a strict bar to accepting the flash update.

    - David Stein
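The acceptance check described in the comment above, as an added example that is not part of the original comment or any vendor's code: the running firmware accepts a new image only if its RSA signature verifies under the manufacturer's public key. The key is a constructed toy key (two Mersenne primes, trivially factorable), and `vendor_sign` / `accept_flash_update` are hypothetical names.

```python
import hashlib
import hmac

# CONSTRUCTED toy key so the example runs offline with the standard library only.
# Mersenne primes make the modulus trivially factorable: never use such a key for real.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                          # public modulus, baked into every shipped BIOS
E = 65537                          # public exponent, baked into every shipped BIOS
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the vendor (Python 3.8+)
K = (N.bit_length() + 7) // 8      # signature length in bytes

# ASN.1 DigestInfo prefix for SHA-256 (PKCS#1 v1.5 signatures, RFC 8017)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _encode(image: bytes) -> bytes:
    """Build the padded block 00 01 FF..FF 00 || DigestInfo || SHA-256(image)."""
    t = SHA256_DIGESTINFO + hashlib.sha256(image).digest()
    padding = b"\xff" * (K - len(t) - 3)
    return b"\x00\x01" + padding + b"\x00" + t


def vendor_sign(image: bytes, d: int = D, n: int = N) -> bytes:
    """Vendor side: sign a release image with the private exponent."""
    m = int.from_bytes(_encode(image), "big")
    return pow(m, d, n).to_bytes(K, "big")


def accept_flash_update(image: bytes, signature: bytes,
                        n: int = N, e: int = E) -> bool:
    """Device side: allow the flash only if the signature verifies.

    The expected padded block is rebuilt from the candidate image and compared
    in full, rather than parsing the recovered block, so a signature with
    malformed padding cannot slip through a lenient parser.
    """
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(K, "big")
    return hmac.compare_digest(recovered, _encode(image))


if __name__ == "__main__":
    release = b"constructed BIOS image, version 2"   # constructed sample input
    sig = vendor_sign(release)
    print("genuine release accepted:", accept_flash_update(release, sig))
    print("patched image accepted:  ", accept_flash_update(release + b"\x90", sig))
```

The device stores only `N` and `E`; anyone who modifies the image without the private exponent cannot produce a signature the check accepts.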

  5. Re:That's fine by me... on Phoenix Bios to Incorporate DRM · · Score: 2, Informative

    I still don't understand the point. After all the effort, money, and inconvenience it can be heard (audio) or seen (video). In either case, people can and will convert that to non-DRM formats such as MP3 or Mpeg. Then it's business as usual. So what's the point?

    You're misunderstanding this whole conflict.

    We've had videocameras and audio recorders for decades. Why did media producers only go ape-sh*t over media protection about five years ago? Aside from the occasional stupid quote ("the VCR is to TV production as the Boston Strangler is to the woman alone" is a gem) or a crackdown on pirates somewhere in Asia, the *AAs were perfectly content to sell tape-dubbable CDs at exorbitant prices.

    Here's the difference. Given the choice between a shaky-video, scratchy-audio VHS tape of a movie captured by handheld videocamera and a DVD, the average Joe will buy the DVD. But given the choice between an audio CD and a ripped MP3 that sounds the same, the average Joe will download the MP3.

    Reason: Digital media can make an identical-quality copy with almost no effort. DRM is designed to stop that. So even if the video can be captured or the audio recorded, the quality will be terrible, and the annoying effort required to capture the media will limit the amount of it that's available.

    - David Stein

  6. Re:Why? on Phoenix Bios to Incorporate DRM · · Score: 1

    Legislate it.

    The following observation is off-topic (feel free to mod it as such), but I've been wanting to mention it on /. for a while, and we haven't had an article relevant to the issue in some time.

    My mind boggles at the amount of attention that our governmental officials are spending legislating copyright issues. All of the time that the Fritz Hollingses have spent legislating in favor of media producers could have been spent, y'know, fixing the more important parts of our legal system.

    America has terrifically important issues with current laws. With smart, well-thought laws, we can get some movement on reform of corporations, accountants, and stock traders - which is the primary reason that our economy still sucks. We could make some attempt at proportionality in punishment and fairness in the use of the death penalty. We could review our understanding of the First Amendment and reach a more consistent, fair, agreeable approach to the myriad issues therein. We could balance the budget and figure out how to pay off the debt; we could address unemployment and homelessness. We could fix Medicare, the tax system, social security, and our power grid.

    Instead, our government is hell-bent on making sure that music doesn't get copied illegally.

    Does this make any sense? How is this consistent with the government's stated purpose of being "of the people, by the people, and for the people?" Is the government accomplishing anything besides diverting time from more worthy goals in order to cater to business interests?

    I find it repulsive that our government can find time to weigh in - heavily - on copyright issues while Kenneth Lay walks the streets unchallenged.

    - David Stein

  7. Re:That's fine by me... on Phoenix Bios to Incorporate DRM · · Score: 5, Insightful

    But that's not going to happen. There is no government agency that can legislate "only signed OS's can use the internet". There are no hardware manufacturers willing to piss away billions of dollars in revenue so the entertainment industry can make a paltry couple of extra million.

    You're vastly underestimating the momentum behind this thing.

    You know the *AAs' current actions? Suing Napster, cracking down on Kazaa users, non-rippable audio CDs? Why do we think they're foolish? That's right, because they're a whole lot of effort for not much copyright enforcement.

    The *AAs know this, too. These are really just treading-water exercises - making an attempt to squelch the big offenders, and plant the idea in peoples' minds that piracy = theft. It's all they can do, and everyone knows it.

    Their long-term strategy has to focus on making media completely non-rippable. Digital encryption will be how digital media is distributed in the future. By digital media, I mean all digital media that big corporations want to protect - music, movies, streamed video (i.e., all TV shows), electronic texts, you name it. It's the big gun that media producers intend to wield in the future.

    This isn't conspiracy-theory stuff. It's sound business sense. Just look at the trends and listen to the *AAs talk about the future of distribution - it's obvious.

    - David Stein

  8. DRM in hardware on Phoenix Bios to Incorporate DRM · · Score: 4, Insightful

    Embedding DRM in hardware is great news - it ensures that DRM will die a huge, flaming death.

    Any protection mechanism of this scope - designed to work on many kinds of media, on all kinds of hardware, and on a host of operating systems - is bound to be full of holes when it's first released. Even Microsoft's audio-processing filters can be used to strip out DRM (i.e., to transform a locked sound file into an unprotected stream.)

    Since this is known, the only really sensible way to implement an encryption method like this is to engage in an arms race with hackers. Release a first version, let hackers rip it to shreds, then release DRM v2.0 with those holes patched. Lather, rinse, repeat. If your encryption system has a sound basis and you're patching it in a smart, sensible way, the hacks will have to get more and more creative. Soon users will have to go to great lengths to defeat the scheme - mod chips, soldering connections onto circuit boards - so you've essentially made it tight enough that casual users won't bother. You can then crack down on the big sources of hacked media (e.g., large file-sharers on Kazaa), and voila, your scheme is fine.

    But here's the key: Inherent in this arms race is the ability of the protection scheme to evolve in a robust way to patch holes. You can't do that if you create a hardware platform. Every new generation of DRM will (a) have to be backwards-compatible, in which case it can be broken on hardware running the older (unsecured) version; or (b) not be backwards-compatible, in which case you're breaking all of the old hardware.

    Practical example: Look at today's media players - Quicktime Player, WMP, RealPlayer, DivX player. When new encoding mechanisms are invented for them, users have to grab a new version of the player, or at least download new codecs, to interpret files encoded under the new scheme. The new media won't play on the new players. This is greatly annoying, but users put up with it because it's software and it's easy to update.

    Hardware is no such thing. Every time you release DRM version x+1, users have to download new drivers for their video card, sound card, hard drive, and bus and flash-update the ROMs on each device. Forget it. Users aren't going to put up with having to update their hardware devices every six weeks.

    So, be happy: embedding DRM in hardware ensures the grand defeat of the whole thing.

    - David Stein

  9. Re:That's fine by me... on Phoenix Bios to Incorporate DRM · · Score: 4, Insightful

    The best opposition to this would be an Open Source BIOS. I've no idea if this is possible, likely, or already being done. It simply seems like the best response to DRM enabled BIOS.

    Well, DRM and open-source technology aren't mutually exclusive. Indeed, any protection of this scope (e.g., relying on a flawless interaction between the CPU, the hardware devices and drivers, and the OS) really should be so securely implemented that publishing the details doesn't weaken it - i.e., "obscurity isn't security."

    (Whether or not this level of coordination is achievable is an interesting point to consider. The fact that Microsoft's implementation of DRM is breakable by a routine, authorized use of their DirectX processing-filter functions is striking.)

    - David Stein

  10. Re:I don't see the problem here. on Microsoft Prepares Office Lock-in · · Score: 1

    You mean, voluntarily? As in: Not just because they couldn't figure out how to turn them off? :)

    - David Stein

  11. Re:The Caching Issue on Microsoft Prepares Office Lock-in · · Score: 2, Insightful

    The only thing this "DRM" provides is the ability to mass-distribute a document within a company without worrying that someone might be on a mailing list that they're not supposed to be on... since everyone has to authenticate to read the attached document, they'd have to use an authenticated account to read it.

    Yeah, that worked really well for the Germans in WWII, didn't it? ;)

    Seriously: As a general security concept, it's a bad idea to put information into the hands of everyone and rely on an encryption scheme to ensure that only authorized individuals can decrypt it. Encryption schemes get broken; even the guys who created RSA encryption have suggested methods of weakening it (e.g., quick analysis that narrows the brute-force search space for the key.) It's infinitely safer to control who has it in the first place.

    - David Stein

  12. Re:I don't see the problem here. on Microsoft Prepares Office Lock-in · · Score: 3, Insightful

    This is going to happen, too many people at the selling end like it.

    To a limited extent, I agree with you.

    In general, corporate secrecy is a good thing - companies aren't going to invest billions in R&D unless they know that they can protect their trade secrets. It's not a good thing when it comes to protecting fraud or spoliating evidence, but that's different.

    So, I'm also in favor of allowing companies to secure their electronic documents - just as they lock up their paper documents and are careful about giving out the keys.

    But in a technical sense, the mechanisms of doing this should be in the file store, not in the application. Either someone can access the information, or they can't.

    Enforcing security on a per-application basis is needlessly complex, and as a result, is hopelessly, hopelessly error-prone. Meanwhile, it imposes grievous inconveniences on the users. And (not coincidentally), it breaks all of the old hardware and software with which the files were used, requiring everyone to upgrade everything. That is a terrific waste of resources.

    - David Stein

  13. Re:I don't see the problem here. on Microsoft Prepares Office Lock-in · · Score: 2, Insightful

    Great - so you can disable the feature that's not practical.

    So many of Microsoft's technologies fit that description:
    • System Restore
    • Indexing Service
    • Office Binder
    • Office Fast Find
    • !@#$ing office assistant (now assaulting you both in Office and in your Windows XP file searches!)
    • the much-vaunted voice-command feature in XP
    • the software firewall in XP
    • fixed-disk compression (does anyone use this?)
    • Office document properties
    • HTML content in Outlook (does this actually benefit anyone except spammers?)
    • Active Desktop (a/k/a "the ability to animate your desktop"... ugh, just what I need)

    You know, it's a miracle that Microsoft sells any software at all, when 80% of its features turn out to be nonfunctional or pointless. If they dumped all of their resources into just increasing stability and security, and implementing a few features that users actually request, their business would skyrocket.

    - David Stein

  14. Re:I don't see the problem here. on Microsoft Prepares Office Lock-in · · Score: 1

    Like I wrote in follow-up to a similar comment, unless they DRM-protect users' eyeballs and find a way to DRM-protect every type of camera on the market, this is pointless.

    Hell, if you're trying to steal corporate secrets, it's probably easier to take a photo of each screenful of information than to print every page, since there's less chance of discovery.

    That said (written) - I do remember once hearing a half-baked scheme by the RIAA to embed a watermark into every music file, such that just playing the music would shut down the recording feature of any DRM-respecting audio recorder within earshot. But even the RIAA is not that stupid - they're awfully stupid, but even they recognized this as a no-fly idea.

    - David Stein

  15. Re:I don't see the problem here. on Microsoft Prepares Office Lock-in · · Score: 1

    Actually, I did read the article, but it has little detail. On the points that I mentioned, the article goes no further than just reading, "The corporation can block printing."

    Plus - you're kidding, right? A word processing program that requires network authentication before you can print anything? My god, this is Microsoft - after almost a decade, they still can't get normal workgroup-computer-discovery file-sharing-permissions functionality working reliably.

    Fine - disable my ability to print. If things are that touchy, we'll also have to stop people from taking digital camera photos of computer screens. And from copying the file to any kind of removable media. And from contacting competitors in any way just to describe the contents of the document to competitors.

    - David Stein

  16. Re:Mostly FUD on Microsoft Prepares Office Lock-in · · Score: 4, Interesting

    Permission caching? Isn't that self-defeating?

    Most corporate-secret theft or destruction cases are an inside job. Competent IT staff (such as the kind that companies large enough to have valuable secrets can afford... not that they do, but they *can*) can, reasonably well, lock down a network from intrusion.

    The much harder, and more common, problem is with ex-employees or unfaithful employees sending documents and secrets to competitors. Any scheme intended to squelch this is entirely defeated if permissions are cached.

    - David Stein

  17. Re:I don't see the problem here. on Microsoft Prepares Office Lock-in · · Score: 3, Interesting

    No, it really won't.

    Think of the ways that you can defeat this scheme:

    * Print out the document and send it however you like.

    * Take screenshots and send the images as JPEGs.

    * Use the built-in fax modem to fax it somewhere.

    * Copy the text into the clipboard and paste it into another app.

    The exploits are endless. You'd have to cripple the entire operating system while the document is open.

    I needn't contemplate the absurdity of Microsoft trying to get into the information-security business. Obviously, that's not their goal. Even if it were, it will frequently be at odds with their function of providing a usable operating system.

    - David Stein

  18. In other news... on Microsoft Prepares Office Lock-in · · Score: 1

    In other news... demand on eBay for installation discs for Office 2000 skyrocketed...

    You know, I find it stunning that anyone upgraded at all to Office XP. It's understandable for those who bought (read: were coerced into buying) it with a new desktop system, but upgrading? Why bother? Office 2000 was fairly stable (as stable as MS products get, anyway) and offered basically the same functionality. Anything beyond that is just bloatware.

    - David Stein

  19. Re:Really? on The End of Physical Media · · Score: 3, Insightful

    Ah, but you misjudge the *AA mindset.

    DVD is great for consumers - for a (quite reasonable) one-time fee, we get permanent ownership of media. We get to watch it infinitely; we get to show it to others; we get to sell the DVD if we don't want it.

    That's great for us, but the MPAA hates that part. They're all about limiting our uses of their media for their advantage. Even DVD has media controls - they can explain away Macrovision as preventing VHS copying, but what about region coding? They really wanted DIVX to succeed, but consumers balked and the technology wasn't there. They would have loved a DRM-based mechanism, where the DVD only plays in one player.

    Why is the MPAA so crazy about controlling its media? Easy - profit maximization. C'mon, they're the kings of repeatedly profiting from the same medium! How many versions of Star Wars were released? Like, 20? We even had three separate VHS releases. DVD is even worse: first the DVD, then the SE/LE/Superbit/Director's Cut, then the Limited Edition with the funky packaging...

    Take this to its next logical step. In the broadband/Palladium era, instead of selling you the DVD for $15, the MPAA will have the option of charging you:
    (a) a $20 annual subscription fee;
    (b) a $20 fee for an ad-free media player on your computer, or a $100 fee for a set-top (pirate-proof) device for your TV; and
    (c) a $5 fee for each viewing of the movie, plus
    (d) a $2 fee for accessing the special features for a 24-hour period.

    Meanwhile, you can't publicly criticize the films or take screen captures without jeopardizing your subscription license ("The MPAA hereby exercises its option under the contract, part XXIV(c)(iii)(a)(2), to withdraw your license to its copyrighted material...")

    End result: The movie industry doesn't sell you content and move on. They nickel and dime you for the privilege of viewing their entire library at rental fees. Even Gigli breaks even. They'd be suckers not to do it.

    Why hasn't this happened so far, you ask? The MPAA hasn't had the technology available to offer such an option.

    Why would we accept this option, you ask? Same reason you rolled over and accepted a $4 charge for Caller ID. They'll raise the prices on DVDs to something absurd, or they'll stop selling them altogether. So, you can take the option they give you, or you can choose never to see a movie at home again.

    - David Stein

  20. Re:People will adapt on Distribution of Wealth in a Robot-Driven World · · Score: 1

    Now we come to the real crux of the problem. You are a Jew.

    Ah, the folly of assumptions.

    I'm not Jewish. My stepfather is Jewish, and I inherited his name, but that's about it. I was raised Catholic, and promptly broke with that tradition when I started thinking for myself.

    My ancestry is mostly German and British, and I'm now an atheist. This is probably a far cry from what you imagined, and I'm pleased to disappoint you.

    - David Stein

  21. Re:People will adapt on Distribution of Wealth in a Robot-Driven World · · Score: 4, Insightful

    Quit your whining. This is a good thing people and it's an example of what makes capitalism great.

    Sure... if you subscribe to the theory that a class-based culture is a healthy thing.

    If you've read this gentleman's writings, you'll glean that this isn't just another routine shift in employment - we're heading toward a watershed event, a singularity. In the past, as old industries became obsolete, the work force laid off from one profession got dumped into the "generic labor" pool... y'know, the Walmart greeter, etc. What Marshall Brain is arguing - quite insightfully - is that the "generic labor" pool itself will be obsolesced, which has never happened before. What happens when the only jobs are those that you need serious skill and training to perform? What happens to the 90% of the population who has no such skills and can't develop them?

    Moreover, and even worse: People claim all the time that the economy has survived everything before it, and will adapt. But some trends, promoted by such shifts, have just continued to go in an unhealthy direction. One of them is the concentration of wealth: the increasing percentage of resources owned by a tiny fraction of society. Another is the shift in wealth from individuals to corporations - never before has the economy dealt with gargantuan bodies like AOL-Time-Warner.

    The impact of these trends is unknown, and ominous.

    I suspect that we're heading toward a two-class society, comprised of the working skilled and the unemployed masses. Already, these two groups exist and rarely interact, but the differences are growing more visibly stark by the day.

    - David Stein

  22. Re:The other side on Software Customer Bill of Rights · · Score: 1

    Ah, but you misinterpret. I didn't argue that we should put up with software licenses tied to individuals. I argued that we should put up with software licenses tied to specific computers - but not for only one computer.

    - David Stein

  23. Re:What about when Linux fails? on Software Customer Bill of Rights · · Score: 1, Informative

    Microsoft touts its market dominance at every opportunity - to support its FUD ("don't use Linux, go with the market leader!") and to control software and hardware developers relying on this computer-technology bottleneck ("either it runs according to our spec or it doesn't run.")

    Hell - they even use it in this exact same context: "If Linux breaks, you can't call anyone. You can try getting some help from the Linux weirdos on some IRC channel, but good luck to you. Now in the unlikely event [ha!] that Microsoft software breaks, you have one source of qualified assistance [at $1.99 per minute, no doubt.]"

    So it's disingenuous, at best, for Bill to now claim that his self-proclaimed role as figurehead is being unfairly used against him by suing Microsoft for its defective products. It's not unfair - it's the down side of positioning yourself as the standalone market leader. It's blatant doublespeak for Bill to destroy all the competition (illegally) and then claim that he's being singled out.

    - David Stein

  24. Re:It's about time.. on Software Customer Bill of Rights · · Score: 1

    If this law were to be put into use, we would have more of a problem with people stealing credit cards. I agree with what they are trying to do, but this looks like (to me) as if it's going to promote exploits.

    Look at the flip side. This would be a nice analogue to other credit-reporting laws. If you pull your credit report, you'll see a nice list of every other person who's accessed it. (Well, except the federal government, under some Patriot-act shenanigans; but that's an exception.) Having a record of every application that's sent my credit card number out, and the recipients of this very private info, would be very useful.

    - David Stein

  25. Awesome, but they missed a big one. on Software Customer Bill of Rights · · Score: 4, Interesting

    Y'know, I was just thinking this exact same thing on Friday - that the software industry is having a serious identity crisis at present. They can't figure out what products they're selling, and how they're doing it. They're mostly driven by the profit motive: How can we generate more profit? Which is great if the answer is, "build a better product" - but crap if the answer is compulsory upgrades, limited-time licenses, or license audits.

    But there's a big one missing, particularly important in light of Symantec's foolhardy announcement:

    The software can be installed on multiple machines.

    I own a notebook and a desktop home server. I use both of them basically as a unit - sometimes literally, via Terminal Services or Synergy. They achieve different purposes - the server provides infrastructure (holding data, managing requests from other users [e.g., web pages], network security, MP3s), while I run actual applications on my notebook.

    With this setup, it only makes sense to have a roughly identical set of software on each. I don't want my word processing solely on my notebook, and I don't want all of my security apps solely on my server.

    So it's exactly that reason why this product-activation crap is odious. If I want two functionally-identical machines, I have to buy two operating systems, two word-processing packages, two versions of TurboTax and Symantec. Similarly, with DRM, I'll have to buy two licenses for every piece of media I want to play. Others will follow down this path to the seedy underworld of profit-driven software.

    It only seems fair that I expect to pay only once per software package. After all, I'm one guy; I'm never typing on both machines at the same time. Now, I understand why software companies are reluctant to release software that can be installed a trillion times, because it tends to get purchased, like, eight times, and then widely distributed on IRC. But at the same time, they're smacking down guys like me.

    So with that in mind, I propose: Let software be installed on multiple machines. That number can be limited, and it can be small. Ten is fine - if I install software on more than ten machines, I should probably be purchasing a site license. But one is insufficient, in this day of frequent multiple-computer ownership.

    - David Stein