DRM – Tales from the Crypto


DRM should always be a choice

Jesper’s recent frustration with a bug in the DRM support on his Windows Media Center Edition (MCE) system demonstrates a couple of basic truths in system reliability:

  1. Complexity negatively impacts reliability.
  2. DRM contributes to complexity.

Clearly, this means that DRM makes systems less reliable than they would be without DRM.

So, why can’t Jesper simply kill the DRM component in his MCE system and have a more reliable system, without the worry of DRM? Because there are two kinds of DRM, and this is the bad kind.

First of all, let’s review a basic tenet of client-server security. If the server is owned by someone who wants to secure data, all security decisions must be made at the server – client-side security is no security for the server’s owner, unless the server can guarantee that the client is owned by the same individual.

So, with DRM, the content provider wishes to protect his material, and make it available to content consumers – this means that either the content provider needs to not rely on the client for security, or must expect that his security will be broken.

As I’ve mentioned time and again before, this means that DRM is broken in the consumer marketplace – although it works very well for business, because there is an ownership of the client environment. To those willing to break contract with the content provider, or to alter the client or the content, DRM is a barrier to overcome.

Now to the two kinds of DRM.

I haven’t found any documentation that talks about the two kinds of DRM, so I’ll give them names here – Passive DRM and Active DRM. Please accept my apologies if there are other terms for these that I should be using – and correct me, if you can.

Passive DRM protects its content from onlookers who do not have a DRM-enabled client. Encryption is generally used for Passive DRM, so that the content is meaningless garbage unless you have the right bits in your client. I consider this "passive" protection, because the data is inaccessible by default, and only becomes accessible if you have the right kind of client, with the right key.

Active DRM, then, would be a scheme where protection is only provided if the client in use is one that is correctly coded to block access where it has not been specifically granted. This is a scheme in which the data is readily accessible to most normal viewers / players, but has a special code that tells a DRM-enabled viewer/player to hide the content from people who haven’t been approved.

Passive DRM offers a choice to consumers between these two options:

  1. Drop all DRM features and support, so that you can’t view the protected content, but you also don’t have the added complexity.
  2. Include DRM features and support, so that you can view the protected content, at the cost of increased complexity.

An example of Passive DRM is that of a DVD’s protection, where the content is encrypted, and can be decrypted by any device that has an appropriate CSS key.

Active DRM, by comparison, offers the following non-choice:

  1. Install the DRM client, adding to complexity, and be blocked from seeing some ‘protected’ content.
  2. Don’t install the DRM client, keeping complexity low, and allowing you to see all content, including that which is protected.
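
The two option lists above, modelled as an added example that is not part of the original post: a toy encrypted format stands in for Passive DRM and a cleartext format with a restriction marker stands in for Active DRM, each played by a client with and without DRM support. The class names, the marker field and the hash-based toy cipher are assumptions made for illustration, and the viewer in the Active DRM case is assumed not to have been approved.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 over key + block offset); illustration only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


@dataclass
class Media:
    payload: bytes            # bytes exactly as delivered to the client
    encrypted: bool = False   # Passive DRM: payload is ciphertext
    restricted: bool = False  # Active DRM: cleartext plus a "restrict" marker


@dataclass
class Client:
    key: Optional[bytes] = None   # content key, present only with DRM support
    honours_marker: bool = False  # enforces the marker only with DRM support

    def play(self, media: Media) -> Optional[bytes]:
        """Return the cleartext this client can show, or None."""
        if media.restricted and self.honours_marker:
            return None                      # compliant client blocks itself
        if media.encrypted:
            if self.key is None:
                return None                  # nothing but ciphertext to show
            return keystream_xor(self.key, media.payload)
        return media.payload                 # cleartext; marker is ignored


CONTENT = b"constructed sample programme"    # constructed sample data
KEY = b"constructed-demo-key"                # constructed sample key

SCHEMES = {
    "passive": Media(keystream_xor(KEY, CONTENT), encrypted=True),
    "active": Media(CONTENT, restricted=True),
}
CLIENTS = {
    "drm_installed": Client(key=KEY, honours_marker=True),
    "drm_removed": Client(),
}


def outcome_matrix() -> dict:
    """Map (scheme, client) to whether the viewer sees the content."""
    return {
        (s, c): client.play(media) == CONTENT
        for s, media in SCHEMES.items()
        for c, client in CLIENTS.items()
    }


def survives_client_removal(scheme: str) -> bool:
    """True if content stays protected once the DRM component is removed."""
    return CLIENTS["drm_removed"].play(SCHEMES[scheme]) is None
```

Only the passive scheme keeps its protection when the DRM component is removed, which is why the active scheme depends on every client being made compliant.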

Sony’s DRM for CDs is an example of Active DRM, and a great example of why Active DRM is bad. Put the CD in an ordinary player, and there’s no DRM, because the CD player can’t load the attached software. Put the CD into a PC, and you’re blocked from making copies of the CD, plus you’ve installed an extra root-kit that makes your computer more vulnerable to attack.

Both of these DRM examples have, of course, been cracked. In the first case, that of DVDs, the CSS keys are provided on DVDs, and can be decrypted if you can get just one key by attacking a DVD player. In the second case, of course, you simply play dumb and say "I don’t run non-music content from music CDs" (or you disable AutoPlay).

But there’s a difference to the consumer. Because Active DRM requires all clients to be made compliant, or its ‘protected’ content has no protection, there is an imperative on the content providers to force compliance from all clients.

You see this in Jesper’s MCE example, in that he is unable to use his MCE system to view content that he could happily have viewed with a cheap TV. That’s right – a high-priced personal video recorder is beaten in capabilities by a cheap TV. All because his MCE system was forced to have the Active DRM client software installed – and cannot have it uninstalled even when it is shown to be the cause of a catastrophic failure in the system.

If Passive DRM had been in place – if the output of the Comcast OnDemand signal had been encrypted, then it would not have displayed on an ordinary TV, and maybe Jesper’s MCE would still have crashed when it tried to display it, but Jesper could have removed the DRM component, abandoned his ability to watch Comcast OnDemand, but gained a reliable system from his MCE box by doing so.

For a system like MCE, that’s marketed as an appliance, reliability is of paramount importance.

Only Passive DRM gives the consumer the choice to improve their own reliability. Only Passive DRM is appropriate and ethical; Active DRM requires that content producers assert that they have some form of ownership or control over devices that, by rights, belong entirely to the content consumers.

To paraphrase an old sore, if you think that DRM will solve your problem, you now have two problems. If you think that Active DRM is the solution, you have three.

Steve Jobs on DRM: "You go first"

I’ve read a lot in the press about how “Apple’s Jobs calls on music industry to drop DRM”:

“Steve Jobs on Tuesday called on the four major record companies to start selling songs online without copy protection software to thwart piracy known as digital rights management (DRM).”

Okay, so for a man whose main recent claim to fame is that he’s made the population switch from wearing black earbuds to white, to be calling for an end to DRM strikes me as a little odd – after all, iTunes doesn’t sell any songs without DRM [I’ll revisit this point in a moment].

So, I go and read his actual words (warning for those of you on a slow link – for a site that displays only text, it loads a lot of graphics – even the three title words are a graphic) – it takes me a long time to reach something that can actually be interpreted as “DRM is bad” – Steve asks us to “Imagine a world where every online store sells DRM-free music”, and says “This is clearly the best alternative for consumers, and Apple would embrace it in a heartbeat.”

He goes on to note that, as I’ve mentioned a number of times (but I don’t think he got the idea from me necessarily), “DRMs haven’t worked, and may never work, to halt music piracy”. I’ll be charitable, and assume that his use of “may” there is an expression of what DRM is able to do, and not the often-used synonym for “might” (go re-read the sentence, substituting either “can” or “might”, to see the difference it makes to the meaning).

Jobs’ final paragraph, quoted below, is going to be the message we take from this posting:

“Much of the concern over DRM systems has arisen in European countries.  Perhaps those unhappy with the current situation should redirect their energies towards persuading the music companies to sell their music DRM-free.  For Europeans, two and a half of the big four music companies are located right in their backyard.  The largest, Universal, is 100% owned by Vivendi, a French company.  EMI is a British company, and Sony BMG is 50% owned by Bertelsmann, a German company.  Convincing them to license their music to Apple and others DRM-free will create a truly interoperable music marketplace.  Apple will embrace this wholeheartedly.”

So the messages from Steve Jobs are:

  • Four companies “made him do it”, but his store adds DRM to all music, whether from those four companies or not.

  • Apple plans to lead in the removal of DRM by following on after everyone else removes DRM. If Microsoft is criticised for “embrace and extend”, I think Apple should be criticised here for “you extend, then we’ll embrace” (presumably as quickly as they “embraced” the new version of Windows that landed as a surprise on them last week, despite being available to all other Windows software vendors since early last year?)

  • Europe owns the world’s ability to hear music. Only Europeans can usher in an age of audio freedom.

  • Apple doesn’t have the power, or the spine, to tell music producers “okay, you’ve had a taster of the online distribution format, now we’re going to phase out DRM over the next three years, and you can either deal with a lack of DRM, or yank your music off the store, and deal with the fact that your artists aren’t being listened to on iPods any more.”

This isn’t a call to arms, it’s a position paper – it’s a statement that Apple is subservient to the content producers, rather than the content consumers. The “customers” in iTunes are the music producers, the “products” are the consumers.

It’s a reminder that Apple has turned from a company that leads the world by making bold changes, into a company that wants to follow where others lead – if that’s alright with you.

Rights Management Services in Windows Vista

In December 4’s edition of eWeek, Jim Rapoza writes a piece titled “Mine! All mine!”, in which he decries the inclusion of Rights Management Services (RMS) in Windows Vista, comparing it to the rather unsuccessful launch of Circuit City’s DivX DVD player (not to be confused with the subsequent codec, DivX, that has been put into DVD players now on the market).

DivX was a protection measure that allowed Circuit City to “rent” a movie to you for watching over a couple of days, after which time the player would no longer play the disk that you had in your possession. Pretty much nobody bought a player, and Circuit City gave up on the idea – so much so that a group of openness advocates took the name and used it to make a codec for compressing movies, which is now used in more pirated movies than I care to mention.

Jim ends his article “As the history of the now-dead DivX player shows, people don’t like systems that tell them how and when they can use content.” – this would be appropriate commentary if, like the dead DivX player and disk format, the new system provided no extra features outside of RMS that made it worthwhile.

Windows Vista, with added RMS, plays existing – and new – DVDs with the same quality that you ever got before, and RMS features only come into play if the following conditions are met:

  1. You use an application that uses RMS features.

  2. The application is asked to open a piece of content that has been protected by RMS.

If the content could previously have been opened without requiring RMS, it can still be opened without activating RMS – RMS is not forced on you by the operating system, nor even by the application – it is forced on you by the provider of the content. Unlike Circuit City’s defunct DivX, this is not intended for commercial use, but for corporate use – where the purpose is to remind your honest employees that they shouldn’t be printing or forwarding sensitive email without permission, and to remind your dishonest employees that they’re about to do something that will get them fired.

Like all DRM, it can’t be made perfect – you can always take a photo of the screen, or stick a tape recorder’s microphone close to the speaker – but by having to go these more extreme routes, rather than simply printing the message, or copying the audio file, you demonstrate that you’re willing to ignore the wishes and rights of the content provider, and will happily pay the consequences.

RMS will not be the death of Vista, and its inclusion by default may even improve its adoption in corporate circles, where such protection is appropriate. RMS can be downloaded and installed on other platforms, too, should you wish to protect your documents from users of current operating systems.

If you find that content is unnecessarily protected with some form of DRM – whether it’s RMS, or some other standard – take it up with the content provider. Microsoft is in the business of making and selling technology that its customers want to buy. In this case, the customer is the content producer, and they want to buy a copy of Outlook that they can use to send their employees proprietary and confidential information with something significantly more intrusive than a “please don’t copy or print this message”.

Clay Aiken wants my PC for Christmas

So my wife bought a Christmas CD – she likes Clay Aiken.

Aw heck, I should admit I like Clay Aiken. The “geek turned good” from American Idol, poster-boy for special-education causes, and, well, the boy can sing.

But this time, he’s gone too far – he wants to own my PC.

Say wha?

Yes, you heard me, he wants my PC for Christmas. Apparently, it’s not good enough that I buy his music and play it, he wants to make sure that I run some piece of software designed to prevent me from playing his CD in any normal media player.

Here’s the proof:

Oh, my word – an “appropriately configured computer”? What they mean is “a computer set to auto-run anything you slam in the drive, and with you logged on as administrator, so that it’ll run our software and take over your machine before you get a chance to listen to the golden-throated, tousle-haired nerd-boy whom you paid ten good bucks to listen to”.

But these guys can be trusted, right? How about I follow the link and see what they have to tell me to reassure me that they are acceptable custodians of my computer. What do I see?

“It has come to our attention that a security vulnerability may exist with regard to Version 5 of SunnComm’s MediaMax content protection software.”

Later, these hypocrites even have the nerve to tell me how bad it is that Apple won’t make it easy to move their tunes from their copyright protected CDs to the iPod.

So, as you guys know by now, if you’ve been reading my blog, I really dislike DRM for home use – so I’m returning Clay’s CD.

Clay doesn’t need to own another PC, and he certainly isn’t getting mine – has he got yours?

No, I don’t want your -bleep- software

Freeware and shareware seem to come laden with 'extras' these days.

The DivX video player comes with Firefox and the Google Toolbar.

QuickTime (another movie player, graphic viewer and patch inducer) comes with iTunes.

Nero comes with the Yahoo! toolbar.

Can we please come up with a standard registry entry that I can set, which says "I download exactly those tools which I need – don't install any optional tools which are not intrinsically a part of the software which I am currently installing"?

I'm really sick and tired that I have to be awake and alert for every software installation, just in case someone manages to sneak a piece of software onto my system that I don't want.

I don't want Firefox; I don't want any extra toolbars; I don't want iTunes (because I like my music "unprotected" from my apparent inclination to thieve by choosing when and where I play music I've bought); I don't want anything but the software I downloaded.

Is that really too much to ask?

When the inevitable happens, is it really news?

The BBC has an article about the cracking of Microsoft’s DRM protections for Windows Media format files.

As I’ve mentioned before, “DRM works in exactly one scenario: when the owner of the rights also controls the behaviour of those subject to DRM”.

Because the music producers have no effective recourse to punish music purchasers for software they might install on their systems, or changes they might make to data, there is effectively no barrier to the purchasers’ ability to circumvent DRM – it may be merely a matter of intercepting the DRM software at a point after it has accepted the licence, and saving that state.

Personally, I believe that this is a good thing – when you sell me software or music, I should be able to move that software or music from one medium to another, so that I don’t end up with the situation I complained about last month, of having to find a way to get a duplicate of something that the manufacturer no longer wishes to sell me (but which I still have rights to possess).

DRM for the home is doomed to failure – over and over again.

I’ll predict it now – whatever change Microsoft makes to their DRM to overcome this, it will either be hopelessly intolerable to use, or it will be broken inside of a year – and there will be a new news item on the topic.

Kurzweil’s DRM killer

Okay, so it's really a device for allowing blind people to read signs, menus, receipts, etc, without having to drag the print to a scanner.

But consider that this will effectively scan and read any print that is visible anywhere, and you realise that this device is a handy little DRM beater.

Mind you, so is a digital camera with good resolution – or a non-digital camera, for that matter.

Or a person with a notepad and pen.

Once again, this just underlines that DRM is workable only in the situation where you have extra, non-technological controls over the people with whom you share the DRM-protected material.

DRM is nothing more than a reminder to honest participants that they should not be passing copies around.

It is sad that many in the publishing industry are convinced that it is a panacea, and will prevent copyright infringement. The pirates simply continue to copy the bits (DVDs have DRM, but if you simply copy the bits exactly, the DVD created plays without complaint), and it's only those people that want to move content to different devices (i.e. non-DVD storage, such as a laptop hard-drive, for power-friendly viewing) that are prevented from doing so.

What do you call a "security measure" that has no effect on security, but substantially reduces usefulness for people who are legitimate users?


DRM – safe for work, but please not at home.

Here’s a theme you’ll have heard from me a dozen times if you’ve been following my Usenet traffic:

“When I buy software, or music, or videos, I want to buy the content, not just the plastic it comes on.”

What do I mean by this?

Simply that I don’t want to find myself restricted as to what I can do with the software, music, videos, etc.  If I buy a DVD, I want to be able to watch it on my choice of device, in my choice of country, and (if necessary) in my choice of format.

With the recent news of Sony’s unpleasant intrusion into home computers (or this link for an American version), it’s a reminder for me to say this again – my computer is my computer, and I’ll thank you – any of you – to leave me to decide and actively accept what software to install on it.

Yes, Sony may include a licence on their CDs – but who reads them?  Who even expects that an audio CD (not a software title) will install software on their machine?

The key point to my mind is that I, the system administrator on my home computer, cannot hope to maintain the security and reliability of my system if I cannot know when software is installed, and be able to remove what software I choose to no longer be there.  If Mark Russinovich, a hugely capable developer, cannot remove the software from his system without losing access to parts of his system, what hope do the rest of us have?

Digital Rights Management, or DRM, is frequently put forward by music companies as the next best thing since sliced bread.  It’s not, and it’s not even remotely appropriate for home use, or for preventing piracy.

DRM works in exactly one scenario: when the owner of the rights also controls the behaviour of those subject to DRM.  That almost always means “work”, where the rights owner can discipline, and eventually terminate, those that refuse to respect the DRM restrictions on content.  To attempt to apply it to home use, where there is no such control, is to ignore that basic limitation of DRM.

And, quite frankly, it’s insulting.  I don’t feel like pulling out the “innocent until proven guilty” argument in its entirety, but as a legal and honest purchaser of all manner of electronic content, I feel insulted that I am then limited as to my use – not merely limited as to illegal copying and distribution, but limited as to what should be legal – copying for my own use in different devices.

I believe in this so strongly that I have made sure that the software I sell is controlled by those who pay for it.  You can move our software from one machine to another, and we ask only that you use no more copies than you have paid for.  We assume that we can trust our legitimate customers.  We put a few limits into the freely-distributed version, only because if we don’t, nobody buys (trust us, we’ve tried).  Even the honest need a few reminders sometimes.