[personal profile] flewellyn
As my bio says, I am a computer person, in much the same way I am an oxygen-using person. Computers and programming and technology in general fascinate me, so naturally I care a great deal about what goes on in the computer world.

One of the up-and-coming ideas, currently being advanced by the RIAA and MPAA, those same paragons of consumer advocacy that brought us the Digital Millennium Copyright Act, is Digital Rights Management, or DRM. Also known in the free software community as "Digital Restrictions Management", this technology is intended as a set of hardware-based cryptographic tools which will allow the computer to verify that the user is actually authorized to use certain content. In other words, a CD or DVD would be encrypted, and unless your DRM chip could verify that you had a legit copy, you couldn't use it.

Obviously, this has some people rather upset. It's a very domineering tactic, and among other things, makes it so that you no longer own the computer you buy, or the CDs or DVDs. You would use them only in the way that large, monolithic corporate interests want you to, and they could have complete control over what you were allowed to view and listen to on your computer.

At least, that's the idea. There is one teensy little problem with DRM: there is no way it could actually work.

I am not a cryptographic expert (amateur enthusiast at best), but to me the problem boils down to one of key distribution. It's very easy to build cryptographic tools, open source or not, without compromising the security, because knowing the cypher algorithm does not necessarily help you break the encryption by itself; you need the keys, or a means of producing those keys.

Traditional cryptography, also known as symmetric key cryptography, has one key which is used for both encrypting and decrypting messages. That means the key has to be kept secret at both ends. So, if the two ends are far apart, you have the problem of sending the key to the other person; how do you get it there without it being intercepted?

The newer forms of asymmetric cryptography, called "public key" cryptography, were designed to alleviate this problem. This splits the single key into TWO keys: one for encrypting, and one for decrypting. Having the encrypting key does not allow you to decrypt messages that were encrypted with it; only the decrypting key can do that. The idea here is that, basically, you distribute the encrypting "public" key far and wide, while keeping the decrypting "secret" key to yourself. Thus, anybody can encrypt a message to the holder of the secret key, but only the holder of that key can decrypt those messages. This is a very elegant solution to the basic problem of key distribution, assuring that the messages are kept private for the intended recipient.

But here's where the problem comes in. Since it was invented, cryptography has always assumed that, while the message you encrypt may be intercepted by untrusted parties, the person you intend the message for can be trusted. DRM is about locking down content, not about ensuring privacy of messages; it flips around the usual case in cryptography by distrusting the recipients. In order to make sure content is only decryptable by authorized people, you'd have to ensure that only those authorized people had access to the keys needed to decrypt. If it's public key, asymmetric cryptography, you'd have to distribute those keys somehow to the authorized people.

And any way you do that, whether by embedding them in the content or by separately enabling them, nothing prevents those authorized people from redistributing the keys to other people! Since, in DRM, the recipient is not trusted, this means that key distribution becomes a catch-22: if you don't distribute keys, then nobody can read your content, and they have no reason to buy it; but if you do distribute keys to purchasers, then they can redistribute them, everyone can read your content, and they have no reason to buy it.

Locking down the spec for DRM, requiring it in ROM, building it into the operating system... none of these things will help. The core issue is, the keys have to exist on the recipient's machine in order to read the content, and once there, they can be discovered and put to "unauthorized" use. Granted, 9 out of 10 computer users may not have the know-how to do this, but it only takes one or two to discover the method and propagate it. DRM as a content restriction method is doomed to fail.

The technology could be put to legitimate, useful purposes, mind you, as a way for the owner of the machine to secure it against running untrusted binaries; this would allow you to, for instance, "sign" all the programs you want to be runnable with a little authorization key, and then the computer would simply refuse to run any unsigned program. This would be a huge boon for securing a system...but for the system's owner, not some third party. That, I think, would be a very good use of built-in cryptography in a computer, and should be encouraged.
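
A sketch of that owner-controlled gate, as an added example rather than code from this post: the `OwnerGate` class and the sample program images are hypothetical, and an HMAC stands in for a digital signature, which is sound here only because the owner is both the signer and the verifier.

```python
import hashlib
import hmac
import secrets
from typing import Optional


class OwnerGate:
    """Allow a program to run only if it carries a tag made with the
    machine owner's key (hypothetical class, not a real OS interface)."""

    def __init__(self, owner_key: bytes):
        # The key must live where the programs being gated cannot read it.
        self._key = owner_key

    def sign(self, name: str, program: bytes) -> bytes:
        # Bind the tag to the name and the exact bytes, so a tag cannot be
        # moved to another program or survive a modification.
        digest = hashlib.sha256(program).digest()
        msg = len(name).to_bytes(4, "big") + name.encode() + digest
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def may_run(self, name: str, program: bytes, tag: Optional[bytes]) -> bool:
        if tag is None:  # unsigned program: refuse outright
            return False
        # Constant-time comparison of the expected and presented tags.
        return hmac.compare_digest(self.sign(name, program), tag)


def demo() -> dict:
    owner = OwnerGate(secrets.token_bytes(32))
    third_party = OwnerGate(secrets.token_bytes(32))  # someone else's key
    editor = b"\x7fELF constructed editor image"      # constructed sample
    tag = owner.sign("editor", editor)
    return {
        "signed": owner.may_run("editor", editor, tag),
        "unsigned": owner.may_run("game", b"constructed image", None),
        "tampered": owner.may_run("editor", editor + b"\x90", tag),
        "renamed": owner.may_run("sudo", editor, tag),
        "third_party_tag": owner.may_run(
            "editor", editor, third_party.sign("editor", editor)),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:16} -> {'run' if allowed else 'refuse'}")
```

Only the program signed with the owner's key runs; a tag produced with any other party's key is refused, which is the difference between this use and DRM.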

But the stone cold fact is, if you have physical access to a computer, that computer cannot be secured against you. And frankly, if you're the one who bought it, I think that's a good thing.

Date: 2006-03-23 05:14 am (UTC)
From: [identity profile] xuincherguixe.livejournal.com
Ah yes, gotta love computer laws. You give money to some people, and they get to decide how you use the product.

It's like if you were given a screwdriver, but you could only use it on one particular brand of screw. And if you do, then you'll be breaking the law.

If they install a thing so that it can only be used on that one particular kind of screw, and you find a way to tamper with that, you are again breaking the law.


They give the argument that it's really expensive to make these screw drivers and screws, and that they have to protect themselves from dirty stinking evil communist hippies that hate everything good and wholesome. And yet it's still just a fucking screwdriver.

Instead of jamming the justice system already unable to cope with stuff that isn't even that important, how about these people find some relatively effective ways of 'protecting' their media. And when people break it, not throw a big fucking hissy fit.


Stuff like this is just going to push free software more, and these guys are going to make even less money.

Date: 2006-03-23 11:06 am (UTC)
From: [identity profile] iagor.livejournal.com
Awesome post! Memo to self: when writing cyberpunk, consult flewellyn.

You know what bugs me? The anti-piracy software on some PC games that have to periodically access the PC during play, (and crash it) forcing the slow-down of sloth proportions. Or the type of anti-piracy software which prevents your CD drive from actually accessing the disk. I remember one of the games I bought recently would only run in the cd-burner. When I contacted the customer rep, he stated it is due to antipiracy software installed on the disk. Fine, protect against the antipiracy. But if you make your product unusable by implementing it, then you have done the job a bit too well.

Date: 2006-03-23 02:43 pm (UTC)
From: [identity profile] flewellyn.livejournal.com
Reason #247 why Flew does not use proprietary software.

Date: 2006-03-23 01:08 pm (UTC)
From: [identity profile] parrhesia.livejournal.com
Very well put, Flew!

I'd always thought of it - I'm obviously not on the same level of technical knowledge that you are, but it's basically the same idea - as a simple problem of viewability. Once you can hear or see their product, you can always use some sort of means to copy that output. Of course, they're trying to 'fix' that by making 'secure' connections to your monitor and other such convoluted solutions...but if they could just get around the fact that no one would buy it if they couldn't see it or hear it at all, then they'd be totally safe and happy! :p

rent-a-society

Date: 2006-03-23 03:33 pm (UTC)
From: [identity profile] lucretiasheart.livejournal.com
I'm gravely disturbed by how our culture is becoming more and more dominated by vast McSuperCorporations whose sole purpose is to amass more and more of the culture under their gathering skirts! They fight to reduce ownership of ANYTHING (except the worth of the shares of their McSuperCorp) and create endless cycles of RENTAL AGREEMENTS. It's getting ridiculous when they try to make people rent the right to listen to a song, or watch a movie-- to assure that the money owed them is never "done."

The way things are going, I can easily imagine a world where we'll be renting everything: clothes, houses, cars, dental work... The point being of course, that if you don't OWN something, it can be taken away from you by the few or one who does own it, and that threat over one's head is supposed to induce complicity.

Instead, the harder they squeeze, the more they directly encourage consumer rebellion-- piracy, smuggling, and freeware black markets. They seem incapable of grasping that their greed is what fuels the problem. (Beginning with CDs that take $2 or less to produce with songs, including packaging!-- and charging $11-$23 for them! And they wonder why people download music for free!??)

Re: rent-a-society

Date: 2006-03-23 06:47 pm (UTC)
From: [identity profile] flewellyn.livejournal.com
I share your disgust for the corporatists. I think Abraham Lincoln was right when he foresaw corporations as the greatest threat to democracy the world would ever know.

Date: 2006-03-23 03:35 pm (UTC)
From: [identity profile] kimberly-t.livejournal.com
Very geeky indeed, but you made the subject perfectly understandable to this not-quite-computer-illiterate person! Well done.

Date: 2006-03-23 06:48 pm (UTC)
From: [identity profile] flewellyn.livejournal.com
Thank you! That's gratifying to know. I enjoy describing things like this to people in ways they understand...it's no FUN knowing something if you can't explain it to anyone.

Date: 2006-03-23 06:11 pm (UTC)
From: [identity profile] cherrypep.livejournal.com
While I agree with the core point, I think I would just like to add that there really are methods for keeping the key on a recipient's machine that make it really, really tough to haul the key itself out again, replicate it for the use of others, etc. This is in a way fortunate, because it is the same sort of tech that makes the 'good' side of crypto tech, eg security as in banks, workable. I'd talk more about this and its limitations but I have to bugger off to my Russian class, so instead I will post later.

Anyway it is an absolutely nutso idea to assume that, once unlocked, you can secure a stream from being redirected in unexpected ways; the term 'dream on' definitely comes to mind at this point, as it should have done to the collective bonce of the entertainment industry.

Date: 2006-03-23 06:47 pm (UTC)
From: [identity profile] flewellyn.livejournal.com
Quite true, quite true.

Although, even if they put the key on a chip, a hardware hacker could use a logic probe and soldering iron to get around this issue. Wire the outputs so that they always send the "accept" signal, for instance.

The real problem, of course, is that the entertainment industry wants complete control of the market. It's not about "piracy", it's about preventing competition.

Date: 2006-03-24 10:39 am (UTC)
From: [identity profile] cherrypep.livejournal.com
If it is expecting an 'accept' signal you could do that... it gets a bit trickier if it is actually expecting some intermediate product of cryptographic significance.

So for example if you add a layer to it such that the accept signal that it is expecting also has to be digitally signed (and is unique in each instance) then the ability to intercept/reproduce that signal won't be too much help. (This is all assuming that one can build chips that cannot be reverse-engineered. This is probably impossible - but I think one can build chips that cannot be reverse-engineered without some *very* surprising hardware.) You could do worse than watch the XBox DRM fun; www.xbox-linux.org. (Good article to start: 17 mistakes Microsoft made in the Xbox security system.)

Previous generations of hardware could mostly be reverse-engineered because they were designed to do a job in a straightforward and efficient manner. It is only recently that we have got the idea that we would be better off creating sneaky hardware, and for my money the only sensible reaction to it is simply to refuse to buy any such shitboxes.

If enough of us refuse to buy in, some Chinese company will come up with a pre-hacked version. This already happened with DVDs, region encoding, macrovision; around here you can walk into Tescos supermarket and buy a noname DVD player costing probably less than 40 quid that will ignore region encoding like it never happened.

Apropos of little enough, I met a guy from Plextor a while ago who was boasting about how the super-high density CD burning functionality, crypto functions, etc, on their drives would never be supported using Linux; the reason why as I recall was because the hardware in question simply won't answer the metaphorical telephone until you hail it the right way... so you are stuck with a black box that does nothing until you give the magic word. I doubt that he is right, since someone could surely reverse-engineer the Plextor drivers if they were really feeling up for a laugh, but then that would be totally illegal in the US if not in Europe. Either way, I told him that I'd be advising my office to avoid their proprietary features like the plague...
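
The signed, unique-per-instance accept signal described in the comment above, as an added example that is not part of the original thread: `AuthChip`, `Player` and the disc identifier are hypothetical, and an HMAC over a fresh nonce stands in for the digital signature. It shows why a recorded or hard-wired "accept" stops being enough; the key still sits inside both devices.

```python
import hashlib
import hmac
import secrets


class AuthChip:
    """Hypothetical authorizing chip holding a key shared with the player."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, nonce: bytes, content_id: bytes) -> bytes:
        # The nonce has a fixed 16-byte length, so nonce + content_id
        # cannot be split ambiguously.
        return hmac.new(self._key, nonce + content_id, hashlib.sha256).digest()


class Player:
    """Hypothetical player that proceeds only on a fresh, valid response."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = {}  # content_id -> outstanding nonce

    def challenge(self, content_id: bytes) -> bytes:
        nonce = secrets.token_bytes(16)  # unique in each instance
        self._pending[content_id] = nonce
        return nonce

    def accept(self, content_id: bytes, response: bytes) -> bool:
        nonce = self._pending.pop(content_id, None)  # each nonce is single-use
        if nonce is None:
            return False
        expected = hmac.new(self._key, nonce + content_id,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    key = secrets.token_bytes(32)
    chip, player = AuthChip(key), Player(key)
    disc = b"constructed-disc-0001"  # constructed sample identifier

    first = chip.respond(player.challenge(disc), disc)
    genuine = player.accept(disc, first)

    player.challenge(disc)                     # new session, new nonce
    replayed = player.accept(disc, first)      # answer recorded in session 1

    player.challenge(disc)
    hardwired = player.accept(disc, b"\x01")   # output tied to "accept"

    unsolicited = player.accept(disc, first)   # no challenge outstanding
    return {"genuine": genuine, "replayed": replayed,
            "hardwired": hardwired, "unsolicited": unsolicited}


if __name__ == "__main__":
    print(demo())
```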

Date: 2006-03-24 12:26 pm (UTC)
From: [identity profile] flewellyn.livejournal.com
Reverse engineering to get something to work that you purchased is not illegal in the US. At least, not right now. But yeah, that kind of sneaky nonsense...well, it's a good reason to boycott a manufacturer.

Even if you have some very sneaky hardware, though, you can probably figure out a lot with a logic probe and some testing.

posting as me this time :-)

Date: 2006-03-24 01:00 pm (UTC)
From: [identity profile] cherrypep.livejournal.com
Uh... it depends how you interpret the DMCA. It's all a matter of what that something is.

Basically, under the DMCA you can reverse engineer only where and when it is necessary to achieve interoperability and when there are no other ways provided to achieve said interoperability; you have to ask first of course. And when you have reverse engineered, then be very careful to ensure that the results of that do not break any copyright law before distributing them (argh; if you remember, the argument regarding CSS was 'trade secret', and MS cut off the guy who uploaded the XBox firmware pretty quickly on copyright grounds).

Furthermore, the DMCA only permits reverse engineering for program to program interoperability. Reverse engineering for program to data interoperability, or indeed any other reason whatsoever, is not covered; since last time I looked, DVDs and the like were 'data' not 'program', then I would be very surprised if it would be legal to reverse engineer to get it to work.

See Universal Studios vs Corley...

Date: 2006-03-23 08:55 pm (UTC)
From: [identity profile] densaer.livejournal.com
DRM will always, always be foiled because the cryptostream, as you mentioned, assumes that Alice and Bob are both trusted parties. All DRM assumes that "Bob" (the consumer) is the adversary, and so if Bob needs to have access to the protected content, there's gotta be a point where that content isn't protected anymore, and can be captured in an unprotected form.

There's also the scenario where Alice attacks Bob. The Sony DRM debacle showed that not only was Alice (err, Sony) trying to protect its content, it really didn't care what happened to Bob in the course of doing so. DRM uber alles.

DRM is ultimately just going to keep honest people honest. I use iTunes to purchase DRM'd protected music, and there are ways around the DRM should I ever want to do so. But this brings up the other point... DRM cannot be so over-the top as to prevent consumer adoption. The really draconian DRM schemes out there have failed because consumers don't want to deal with it (remember DIVX discs?)

Date: 2006-03-24 01:02 am (UTC)
From: [identity profile] spooke.livejournal.com
Very interesting and very easy to follow. Well done, koi!

One thing in particular that troubles me about the increasing paranoia of media distributers is the concept of people no longer owning what they buy, or having the freedom to do what they like with it. I can see how it might be inconvenient for the distributers, but... seriously, buying DVDs that can only be viewed a certain number of times before becoming unreadable? Making it illegal to watch a video with more than 20 other people, or at a school, without a special license? Only being allowed to install software you've bought on one of your computers?

Along with their policy of heavy-handed lawsuits and tech support/customer service being outsourced to other countries or entirely nonexistent, it seems like they want to drive everyone into wholesale piracy. I feel that if you buy something, you own it, and they have no further say on what you do with it. You can set it on fire and eat it, use it as a urinal cake or

Fortunately the Danes tend to agree, so most CDs, DVDs and software can be borrowed at the library and legally copied. The copyright lawyers jumped like they'd been goosed and were shocked, shocked, when the government made the creation and possession of mp3s legal... as well as the copying of any digital media in the library.

Buahahahah.

Date: 2006-03-24 01:04 am (UTC)
From: [identity profile] spooke.livejournal.com
Er, that should have been use it as a urinal cake or play it to an audience without it being their business.

Date: 2006-03-24 01:09 am (UTC)
From: [identity profile] flewellyn.livejournal.com
Yes, but you live in a civilized country.
From: [identity profile] kytsune.livejournal.com
Let's have it out, shall we? Elementally, allowing a third-party to control thy access to media, programs, or whatever without being able to have any influence or even a say in that control is universally a bad thing.

I believe that this video, which I think is absolutely lovely, makes an excellent point to this fact, and I always include it whenever I bring up the concepts of DRM and "Trusted Computing."

http://video.google.com/videoplay?docid=-5115609628556940516&q=trusted+computing

(Tis thee that I love, Google.)
From: [identity profile] flewellyn.livejournal.com
ELF! You live!

It's the Elfa! *squeezle*

And that's a wonderful video link. Thanks for showing me!

When might I talk to you more?

Page generated Jul. 23rd, 2017 12:54 pm