DRM Speech given to MS

  • 18-06-2004 2:17pm
    #1
    Moderators, Sports Moderators Posts: 8,679 Mod ✭✭✭✭


    Well worth the read even if it is 15 pages long.

    I'll post the first page or so.

    http://craphound.com/msftdrm.txt

    Greetings fellow pirates! Arrrrr!

    I'm here today to talk to you about copyright, technology and
    DRM, I work for the Electronic Frontier Foundation on copyright
    stuff (mostly), and I live in London. I'm not a lawyer -- I'm a
    kind of mouthpiece/activist type, though occasionally they shave
    me and stuff me into my Bar Mitzvah suit and send me to a
    standards body or the UN to stir up trouble. I spend about three
    weeks a month on the road doing completely weird stuff like going
    to Microsoft to talk about DRM.

    I lead a double life: I'm also a science fiction writer. That
    means I've got a dog in this fight, because I've been dreaming of
    making my living from writing since I was 12 years old.
    Admittedly, my IP-based biz isn't as big as yours, but I
    guarantee you that it's every bit as important to me as yours is
    to you.

    Here's what I'm here to convince you of:

    1. That DRM systems don't work

    2. That DRM systems are bad for society

    3. That DRM systems are bad for business

    4. That DRM systems are bad for artists

    5. That DRM is a bad business-move for MSFT

    It's a big brief, this talk. Microsoft has sunk a lot of capital
    into DRM systems, and spent a lot of time sending folks like
    Martha and Brian and Peter around to various smoke-filled rooms
    to make sure that Microsoft DRM finds a hospitable home in the
    future world. Companies like Microsoft steer like old Buicks, and
    this issue has a lot of forward momentum that will be hard to
    soak up without driving the engine block back into the driver's
    compartment. At best I think that Microsoft might convert some of
    that momentum on DRM into angular momentum, and in so doing, save
    all our asses.

    Let's dive into it.

    --

    1. DRM systems don't work

    This bit breaks down into two parts:

    1. A quick refresher course in crypto theory

    2. Applying that to DRM

    Cryptography -- secret writing -- is the practice of keeping
    secrets. It involves three parties: a sender, a receiver and an
    attacker (actually, there can be more attackers, senders and
    recipients, but let's keep this simple). We usually call these
    people Alice, Bob and Carol.

    Let's say we're in the days of the Caesar, the Gallic
    War. You need to send messages back and forth to your generals,
    and you'd prefer that the enemy doesn't get hold of them. You can
    rely on the idea that anyone who intercepts your message is
    probably illiterate, but that's a tough bet to stake your empire
    on. You can put your messages into the hands of reliable
    messengers who'll chew them up and swallow them if captured --
    but that doesn't help you if Brad Pitt and his men in skirts
    skewer him with an arrow before he knows what's hit him.

    So you encipher your message with something like ROT-13, where
    every character is rotated halfway through the alphabet. They
    used to do this with non-worksafe material on Usenet, back when
    anyone on Usenet cared about work-safe-ness -- A would become N,
    B is O, C is P, and so forth. To decipher, you just add 13 more,
    so N goes to A, O to B yadda yadda.

    Well, this is pretty lame: as soon as anyone figures out your
    algorithm, your secret is g0nez0red.

    So if you're Caesar, you spend a lot of time worrying about
    keeping the existence of your messengers and their payloads
    secret. Get that? You're Augustus and you need to send a message
    to Brad without Caceous (a word I'm reliably informed means
    "cheese-like, or pertaining to cheese") getting his hands on it.
    You give the message to Diatomaceous, the fleetest runner in the
    empire, and you encipher it with ROT-13 and send him out of the
    garrison in the pitchest hour of the night, making sure no one
    knows that you've sent it out. Caceous has spies everywhere, in
    the garrison and staked out on the road, and if one of them puts
    an arrow through Diatomaceous, they'll have their hands on the
    message, and then if they figure out the cipher, you're b0rked.
    So the existence of the message is a secret. The cipher is a
    secret. The ciphertext is a secret. That's a lot of secrets, and
    the more secrets you've got, the less secure you are, especially
    if any of those secrets are shared. Shared secrets aren't really
    all that secret any longer.

    Time passes, stuff happens, and then Tesla invents the radio and
    Marconi takes credit for it. This is both good news and bad news
    for crypto: on the one hand, your messages can get to anywhere
    with a receiver and an antenna, which is great for the brave
    fifth columnists working behind the enemy lines. On the other
    hand, anyone with an antenna can listen in on the message, which
    means that it's no longer practical to keep the existence of the
    message a secret. Any time Adolf sends a message to Berlin, he
    can assume Churchill overhears it.

    Which is OK, because now we have computers -- big, bulky
    primitive mechanical computers, but computers still. Computers
    are machines for rearranging numbers, and so scientists on both
    sides engage in a fiendish competition to invent the most
    cleverest method they can for rearranging numerically represented
    text so that the other side can't unscramble it. The existence of
    the message isn't a secret anymore, but the cipher is.

    But this is still too many secrets. If Bobby intercepts one of
    Adolf's Enigma machines, he can give Churchill all kinds of
    intelligence. I mean, this was good news for Churchill and us,
    but bad news for Adolf. And at the end of the day, it's bad news
    for anyone who wants to keep a secret.

    Enter keys: a cipher that uses a key is still more secure. Even
    if the cipher is disclosed, even if the ciphertext is
    intercepted, without the key (or a break), the message is secret.
    Post-war, this is doubly important as we begin to realize what I
    think of as Schneier's Law: "any person can invent a security
    system so clever that she or he can't think of how to break it."
    This means that the only experimental methodology for discovering
    if you've made mistakes in your cipher is to tell all the smart
    people you can about it and ask them to think of ways to break
    it. Without this critical step, you'll eventually end up living
    in a fool's paradise, where your attacker has broken your cipher
    ages ago and is quietly decrypting all her intercepts of your
    messages, snickering at you.

    Best of all, there's only one secret: the key. And with dual-key
    crypto it becomes a lot easier for Alice and Bob to keep their
    keys secret from Carol, even if they've never met. So long as
    Alice and Bob can keep their keys secret, they can assume that
    Carol won't gain access to their cleartext messages, even though
    she has access to the cipher and the ciphertext. Conveniently
    enough, the keys are the shortest and simplest of the secrets,
    too: hence even easier to keep away from Carol. Hooray for Bob
    and Alice.

    Now, let's apply this to DRM.

    In DRM, the attacker is *also the recipient*. It's not Alice and
    Bob and Carol, it's just Alice and Bob. Alice sells Bob a DVD.
    She sells Bob a DVD player. The DVD has a movie on it -- say,
    Pirates of the Caribbean -- and it's enciphered with an algorithm
    called CSS -- Content Scrambling System. The DVD player has a CSS
    un-scrambler.

    Now, let's take stock of what's a secret here: the cipher is
    well-known. The ciphertext is most assuredly in enemy hands, arrr.
    So what? As long as the key is secret from the attacker, we're
    golden.

    But there's the rub. Alice wants Bob to buy Pirates of the
    Caribbean from her. Bob will only buy Pirates of the Caribbean if
    he can descramble the CSS-encrypted VOB -- video object -- on his
    DVD player. Otherwise, the disc is only useful to Bob as a
    drinks-coaster. So Alice has to provide Bob -- the attacker --
    with the key, the cipher and the ciphertext.

    Hilarity ensues.

    DRM systems are broken in minutes, sometimes days. Rarely,
    months. It's not because the people who think them up are stupid.
    It's not because the people who break them are smart. It's not
    because there's a flaw in the algorithms. At the end of the day,
    all DRM systems share a common vulnerability: they provide their
    attackers with ciphertext, the cipher and the key. At this point,
    the secret isn't a secret anymore.

    --
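
The progression the quoted talk walks through (a secret algorithm, then a secret key, then DRM handing the key to the recipient), as an added Python example that is not part of the original post or the talk. The message, the key, the word list and the SHA-256 keystream construction are assumptions made for illustration; the keystream cipher is a toy, not a vetted design.

```python
import hashlib
import string

ALPHA = string.ascii_uppercase
# Constructed sample message; not taken from the talk.
MESSAGE = "SEND THE LEGION TO THE RIVER AT DAWN AND HOLD THE BRIDGE"
COMMON = ("THE", "AND", "TO", "AT", "OF")  # tiny word list used for scoring


def shift(text: str, k: int) -> str:
    """Caesar shift by k places; ROT-13 is k=13. Non-letters pass through."""
    return "".join(
        ALPHA[(ALPHA.index(c) + k) % 26] if c in ALPHA else c for c in text
    )


def break_shift(ciphertext: str) -> tuple[int, str]:
    """Knowing only the algorithm, try all 26 shifts and keep the most English one."""
    def score(k: int) -> int:
        words = shift(ciphertext, -k).split()
        return sum(words.count(w) for w in COMMON)
    best = max(range(26), key=score)
    return best, shift(ciphertext, -best)


def keyed_xor(key: bytes, data: bytes) -> bytes:
    """Toy keyed stream cipher (SHA-256 over key || counter), illustration only.
    Encrypts and decrypts; the algorithm is public, only `key` is secret."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def demo() -> dict:
    # 1. Secret algorithm, no key: the eavesdropper recovers everything.
    found_shift, recovered = break_shift(shift(MESSAGE, 13))
    # 2. Public algorithm, secret key: ciphertext alone is useless.
    key = bytes(range(16))  # constructed 128-bit key
    ciphertext = keyed_xor(key, MESSAGE.encode())
    guess = keyed_xor(bytes(16), ciphertext)  # attacker's wrong key
    # 3. The DRM case: the recipient's player must hold `key` to play the
    #    disc, so the party being defended against has all three pieces.
    played = keyed_xor(key, ciphertext)
    return {
        "rot13_broken": (found_shift, recovered == MESSAGE),
        "wrong_key_reads_message": guess == MESSAGE.encode(),
        "player_reads_message": played == MESSAGE.encode(),
    }


if __name__ == "__main__":
    print(demo())
```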


Comments

  • Registered Users, Registered Users 2 Posts: 8,718 ✭✭✭Matt Simis


    Hard to know what to think of this... it switches from insightful and interesting to factually wrong.

    "You guys sold them software that produced smaller, better-sounding rips that the MP3 rippers, but you also fixed it so that the songs you ripped were device-locked to their PCs."

    He's claiming his friends ripped their CDs and enabled DRM protection... why would an end user enable DRM.. who were they protecting it from? Regardless, WMP warns you to back up licences and even provides an automated tool for doing so. They reformatted their PCs (or lost them to a virus), tough luck, I'm sure they lost other valuable content too.


    "DRM systems are broken in minutes, sometimes days. Rarely, months."

    I'm not aware of any chink in DRM9/10's armour? It's been out nearly a year..


    "Neither should you. Go build the record player that can play everyone's records."

    MSFT don't make players... they merely provided one of several competing codecs and DRM solutions, intended to push the Music and Movie industries to loosen their iron grips. Other companies make "players", that play multiple codecs, whatever consumers want. If it's referring to SW players, then WMP already plays anything and everything once you install the codec. Out of the box it plays both unprotected MP3 and WMA.

    I still don't buy the idea of comparing present day piracy to VHS.. VHS made lousy copies, there was no equivalent of the Internet for mass sharing VHS cassettes and VHS copying cost more in both time and equipment (presuming you have a PC already) than digital copying. Not really all that convincing a presentation.



    Matt


  • Registered Users, Registered Users 2 Posts: 3,739 ✭✭✭BigEejit


    Interesting points he makes, some more so than others .... I doubt if Micro$oft execs would buy it though ... they have their business plan and they're not going to change now because some tree hugger says they should


  • Closed Accounts Posts: 4,943 ✭✭✭Mutant_Fruit


    As inspiring as it is, I doubt it will have one bit of an effect. Microsoft have invested too much money to turn back without losing at least a few million.


  • Moderators, Sports Moderators Posts: 8,679 Mod ✭✭✭✭Rew


    It was given to MS Research not MS Corporate so the techies not the business plebs.

    MS have all the money in the world to back track on anything they like.

    DRM will always fail in some way, shape or form I think. Palladium may change that but I personally will never buy any Palladium or similar hardware and there hasn't been any mention of Palladium in a while now.

    I don't think that things can keep going the way they are now. Non techies look for region free DVD players and are buying in other region DVDs off the net. Digital music sites are becoming more and more popular. Piracy is becoming more popular and accessible to Joe Bloggs (eg: I was walking out of the cinema a few weeks ago and a traveler ahead of me looked at the Shrek 2 poster and said "Saw that weeks ago" as had I at the time).


  • Registered Users, Registered Users 2 Posts: 8,718 ✭✭✭Matt Simis


    Originally posted by Rew
    It was given to MS Research not MS Corporate so the techies not the business plebs.

    MS have all the money in the world to back track on anything they like.

    DRM will always fail in some way, shape or form I think. Palladium may change that but I personally will never buy any Palladium or similar hardware and there hasn't been any mention of Palladium in a while now.

    I don't think that things can keep going the way they are now. Non techies look for region free DVD players and are buying in other region DVDs off the net. Digital music sites are becoming more and more popular. Piracy is becoming more popular and accessible to Joe Bloggs (eg: I was walking out of the cinema a few weeks ago and a traveler ahead of me looked at the Shrek 2 poster and said "Saw that weeks ago" as had I at the time).


    How do you know the person in front wasn't a "nurd" also? ;) Besides, movie piracy is restricted to those with BB at the moment, then of those it's the people without stringent caps, and then of those people, it's the clever folk that use P2P/Torrent systems. Non-techies do not represent a significant demographic (region-free players etc).

    Also, afaik Palladium is being toned down and or canned.



    Matt


  • Moderators, Sports Moderators Posts: 8,679 Mod ✭✭✭✭Rew


    Originally posted by Matt Simis
    How do you know the person in front wasn't a "nurd" also? ;) Besides, movie piracy is restricted to those with BB at the moment, then of those it's the people without stringent caps, and then of those people, it's the clever folk that use P2P/Torrent systems. Non-techies do not represent a significant demographic (region-free players etc).

    The person in front was very very obviously what I said they were and I can't imagine they install broadband to caravans.... ;)

    Saying that piracy is limited to techies with decent net access is pretty naive. There is a huge trade in physical media that circumvents bandwidth and download limits. Only one person has to download something once then it spreads by hand. There are sites springing up selling pirates to the less techie, posting 'em out. (no downloads ;) )

    Go down to local markets and you will see them on sale there. I walked down Canal St in New York and I could have bought (on DVD with proper covers) any movie that was in the cinema at the time. Broadband there was so cheap and fast that people share it out on unsecured WiFi letting their neighbours sponge off it. In the apartment we stayed in there were 9 available networks, each 1~ mbit cable or equivalent.

    There are FAR more reliable ways to download than P2P which more and more people are figuring out every day...


  • Registered Users, Registered Users 2 Posts: 8,718 ✭✭✭Matt Simis


    Well, I was really referring to online piracy, the only type DRM tackles. TPMs handle offline piracy. I've never seen movies for sale here on street corners, prolly are if you know where to look. However, seeking out dark alleys and paying cash is far beyond casual, "everyday" piracy then.

    I would imagine such sales will be stamped out in Western countries in the near future, real world pirates are easier to prosecute and catch than those online.



    Matt


  • Registered Users, Registered Users 2 Posts: 17,441 ✭✭✭✭jesus_thats_gre


    Originally posted by Matt Simis
    Well, I was really referring to online piracy, the only type DRM tackles. TPMs handle offline piracy. I've never seen movies for sale here on street corners, prolly are if you know where to look. However, seeking out dark alleys and paying cash is far beyond casual, "everyday" piracy then.


    Matt

    Go to any Car Boot Sale or Sunday Market and you will find pirate DVDs, CDs and games. This has been the case for years.


  • Moderators, Sports Moderators Posts: 8,679 Mod ✭✭✭✭Rew


    There were 2 guys arrested in Dundalk over the weekend at a car boot sale with something like €30,000 worth of copies (only just caught it on the radio)

    Far from being stamped out it's spreading like wildfire...

    I will say that I don't agree with somebody making a profit from piracy, they deserve what they get but these days I think I'd prefer to get caught for drug dealing than large scale piracy. Big business is making sure that the penalties are very very heavy...


  • Registered Users, Registered Users 2 Posts: 3,312 ✭✭✭mr_angry


    It only struck me how far things had gone when I found out my mates' Dad was downloading classical music off Napster in the late 90's. Pirates these days aren't Eastern European mafia-types in warehouses. They are young, middle-aged, and even old people in their homes doing this.

    Frankly, I agree with the author that DRM is doomed to fail because you're giving the attacker everything they need to crack it. Add to that the fact that small-scale, personal-use piracy has become socially acceptable in the eyes of the general public, and that leaves a large problem for the relevant industries and the authorities to deal with.

    Palladium has been ditched by M$ as far as Longhorn is concerned, but it may still make its way into Blackcomb. However, given the acceptability of personal-use piracy, and the expense of upgrading to these systems, I foresee non-DRM software being infinitely more popular than the planned DRM packages, and hence the problem only spiraling further out of control.


  • Registered Users, Registered Users 2 Posts: 8,718 ✭✭✭Matt Simis


    Originally posted by Rew
    There were 2 guys arrested in Dundalk over the weekend at a car boot sale with something like €30,000 worth of copies (only just caught it on the radio)

    Far from being stamped out it's spreading like wildfire...

    I will say that I don't agree with somebody making a profit from piracy, they deserve what they get but these days I think I'd prefer to get caught for drug dealing than large scale piracy. Big business is making sure that the penalties are very very heavy...


    Yes, but the comparative ease of stopping real world piracy vs digital piracy means with a push from the local enforcement types it could be easily stopped. I don't think Ireland is a good example of this, figures from the bigger European countries would be more interesting.

    This is getting well off the point of DRM, but imagine if anyone who reported incidents of "car boot" sale piracy that led to an arrest was awarded a bounty, even a small one like EUR100? Every kid that saw a schoolmate or illegal street sale would be all over it till it became impossible to set up shop. Have the people fight crime, not just the lawmakers.

    I think DRM should be given a chance, even if it is a chance to fail. It's the best solution at the moment, in the sense it's the only one the music industry will accept. If people want to whinge, go whinge at them, not at the people working to solve a problem.

    Personally I think ultra cheap, legal services like Allofmp3.com are the best option for the consumer and music industry alike. Even if they only offered DRM protected content, it's the price that is the killer (FYI, AllofMP3 is *not* considered cheap in its native Russia).


    Matt

