Sun Spearheads Open DRM
Steve from Hexus writes "If DRM is the future of controlling our media files, then perhaps the open source community can at the very least ensure that the dominant delivery system is an open standard. Hexus.net reports that Sun is spearheading a new open DRM project, which their lab workers and the open source community can contribute to. More information on project DReaM can be found at the Open Media Commons website." Tough call - DRM is coming (or is already here), one way or another, and is it better to work on creating something done right, or to object to it on moral grounds?
Does it work? (Score:3, Interesting)
Flawed prospectus (Score:5, Interesting)
If DRM is the future of controlling our media files
There is no 'our' media.
DRM is coming
Look, all of this is a nonsense. Really the world is splitting into two directions; those who believe passionately in freedom and control over their own lives and those who haven't quite woken up to the value of, or understood what that means.
There is nothing else. DRM is haxx0r bait to be circumvented and stamped on. It's there to protect the traditional structures, the big corporations primarily. Some smaller outlets may find a use for it occasionally, but it's not there for them. There is so much good media out there with no DRM and those outlets manage to survive and thrive so I think that reveals quite a lot.
Forced DRM is not compatible with any concept of normal use or freedom or control over one's own systems and files as far as I can ascertain.
As far as Sun goes, to be honest it's preferable in the sense that an open standard is probably better than a closed one, but all said it's working under the erroneous presumption that some sort of wooly, cowering compliance and affection for DRM is about to take over the world, which it won't.
Embrace, but not for the reason they think (Score:3, Interesting)
Isn't this a contradiction? (Score:1, Interesting)
That's why Linux will never be DRM compliant (which doesn't bode well for the future.. with DRM Bioses and processors on the horizon we may end up having to stockpile old hardware to run it on).
In the 'drm future' there isn't supposed to be any idea of 'open' just dumb devices that are little more than souped up DVD players.
DRM diametrically opposed to Free/Open Software (Score:3, Interesting)
Free Software can never implement any Digital Restrictions Management (DRM) technology. Why? Because, a piece of DRM-compatible software must take an encrypted content file, decrypt it, and pipe the output to a user interface such as a speaker or monitor. At the same time, the software must prevent the user, at any point in the above pipeline, from copying the unencrypted content to a file. This is a fundamental problem which all DRM schemes must solve. With Free Software or Open Source software any user can modify the source code so that the unencrypted content is saved to a file, thus breaking the DRM. Therefore, Free Software can never truly implement DRM. Conversely, any system which correctly implements DRM can never fully be Free Software.
I realize that Sun is talking about open standards, which are very different from Open Source or Free Software. However, their stated aim here is to make open standards which will allegedly be friendly to Open Source. However, I think I have already proven that this is bunk, because the concepts of DRM and Free Software/Open Source software are diametrically opposed.
Therefore, what is Sun's real goal here?
Does it use TPM? (Score:3, Interesting)
Now, I don't think that DRM has much use anyway, but where it does "work", it generally does so through obfuscation. I can't see the content providers springing for this. On the other hand, they've already been sold snake oil by other DRM vendors, so just maybe...
Realistically, though, the only way I can see open source DRM working at all is if it uses TPM in some way.
"Open" DRM (Score:2, Interesting)
Yes, you can distribute the algorithms openly, but in the end every single DRM system is going to be based on secret encryption keys. It is a felony in the United States for you to read/use such encryption keys for most purposes. This is how DRM works; because it cannot work in any other way, it depends on outlawing certain types of computation to undermine the general-purpose nature of computers. This is done via the DMCA in the United States.
Repeat after me: The only reason for DRM is to eliminate general-purpose computers, and to replace them with futuristic televisions. Why are all of the media industries so scared? Because finally, individual human beings all over the world are able to create and distribute information freely. Up until a few years ago, those media industries had a stranglehold on distribution of information. Everything was broadcast-only. Everything came from a few centralized sources.
DRM is their last hope to outlaw a future that's missing all-powerful information distributors. It is their last hope to turn computers into interactive TVs.
Don't be fooled by DRM that pretends to be "open" or "decentralized." By its very definition, DRM is always closed and centralized -- even if on the legislative level rather than the software level.
As for the inevitable cries of, "DRM has positive uses for system administration and security!": There is no good use of DRM which cannot be achieved with equal ease entirely in user-controlled software. So why don't you put your energy into making easy-to-use encryption systems, and enabling them by default in your applications, instead of scheming to make general-purpose computation illegal?
this could be good... (Score:2, Interesting)
Security Model? (Score:3, Interesting)
Re:Oh good grief... (Score:2, Interesting)
The original poster quite reasonably should fear a time when almost all knowledge and media of any sort is locked down and you have the choice between.... oh wait - no you won't have a choice.
Arbitrary limits like "you can copy this music 3 times" are not "fair use". If I'm not doing anything illegal with it, why should there be a limit at all? Why shouldn't I be able to listen to it or copy it to/from any device imaginable? Why shouldn't I be allowed to mix any piece of hardware I want with any software that I legally own?
Imagine if you bought a DRM car that said you are not allowed to have more than two passengers in the car at one time and only 50 different passengers over the life of the car, because every person you drive around in your car reduces the number of cars they sell since it might reduce the demand? What if they limited you in such a way that you could not alter your new Ford car with any custom modifications or improvements? What if you were only allowed to drive their cars on certain roads authorized by the manufacturer?
I actually like this <flame suit> (Score:4, Interesting)
A DRM technique that (a) I can leverage as much as the "big boys" to protect my own content, (b) preserves more of my fair use rights, is better than one that doesn't.
These techniques generally involve encrypted content together with decryption keys possessed, but inaccessible to the end-user ("inaccessible" being a matter of effort, of course). In a flexible system, the user would be able to transfer those keys, or a limited number of copies of them to playback devices, in a secure mechanism -- taking encrypted content to play at a friend's house should not be a hassle, for example.
Of course, given that key possession ultimately means that they can be discovered, to be effective, such a system would require content to be personalized to keys that an end-user already possesses, so cracking one does not crack the system. Given electronic delivery of content, this is not far-fetched.
Where open source DRM shines, though, is the ability to change the access mechanisms that playback or other decrypting devices offer. Fair use is not a static set of rights, but an ever-changing set: VCR-based timeshifting was "new" recognized fair use, for example. When "code is law", and the law is subject to change, it must be possible to change the code as well.
Naturally, changed code to be loaded on a device that handles encrypted content would have to be signed by an authority the device trusts (or only be available to deal with content encrypted by the device owner), but this would open up community development of DRM code that respects new fair use rights (assuming the rest of the hardware supported them) -- I'm thinking of a fair use right to, for example, decrypted 720p analog video output where the previously permitted resolution was 480p), testing thereof, leaving only signing required to allow its widespread adoption.
The big current weakness in all DRM schemes is that while they may allow for preset fair uses, they can not anticipate and allow for future ones. I'd envisioned that the "DRM Carrot" should come with the "Fair Use Stick" -- manufacturers of devices that use DRM should be obliged to modify them to support new fair uses as they are recognised, at their expense, in a timely fashion. Open sourcing the code makes this a lot easier.
Re:Oh good grief... (Score:4, Interesting)
Because without those artificial limits, too many people seem to think that "fair use" is giving a copy to 5,000 of their closest anonymous friends.
So now we have a point between "anyone can copy it as many times as they want and give it to as many people as they want" and "no one can copy it at all". Given the concerns of all the parties involved, creators, publishers, and users, then what is "fair"?
In short, too many abuse the system illegally. And yes, you pay for it, just like you "pay" for the security cameras, sensors, and guards at Best Buy. If no one shoplifted, then those "costs" would not need to be covered by those who did not.
BTW, the key to your "multiple device" problem would seem to involve "ownership" of the material involved. If everything you owned "knew" you owned it, then you could use it on any of "your" devices. Personally, I kind of like the idea of signing/encrypting downloaded digital work with the name and credit card number used to purchase it.
Yes, you can loan it to friends you trust... but they'd better be friends you trust.
Re:Who is the "root authority"? (Score:3, Interesting)
This software / these files only work if you have a Trusted Computing compliant computer. The Trusted Computing Group is the "root authority" for this hardware. It is impossible for ANYONE to create working interoperable hardware without the Trusted Computing group's approval and getting their cryptographic signature to activate your hardware. So this Trusted Computing Group has absolute power and control over the industry.
The Trusted Computing specification is that your computer must have an embedded "Public EK". That PubEK is the unique ID tag for your machine.
The Trusted Computing specification is that your computer must come with an embedded encryption key... the PrivEK.. and that you are forbidden to know your own key. When you first activate the chip it also generates a Root Storage Key, and again you are forbidden to know your own key. In fact the hardware is boobytrapped to self destruct if you even TRY to read out your keys. Perhaps you've seen the IBM Thinkpad Man in Black [ibm.com] TV commercial? The one where they actually advertise the fact that the enforcement chip self destructs if you attempt to extract the chip.
The Trusted Computing specification sets up the Trust chip as a "spy" inside your computer. It is called Remote Attestation. The chip spies on all of the software you run and can then send a spy report to other people over the internet. You are prohibited from controlling or altering the content of this spy report. Your only choice is whether you want to "opt-in" and activate the system or not... to choose whether spy reports are sent or not. Of course if you do not activate the system and do not send the spy reports then the new software doesn't work at all. Not only are DRM files completely unreadable and unusable, but any new software applications that install using a Trusted Activation process will be unusable unless you activate the Trust system and activate the spy reports. Without activating the system and sending the spy report other computers on the internet will simply refuse to talk to you. You are going to see MANY websites demand a spy report before you can view the webpage at all. By checking the spy report the website can ensure that you aren't using any pop-up blocker or any ad-blocker and that you can't save a copy of any pictures and text from the site and they can prevent Deep Linking and they can enforce registration and enforce cookies and track your identity and enforce proper referrer headers and enforce javascript and prevent you from using a false user agent string to mimic a different web browser and to enforce that the site is displayed exactly the way they would like it to appear on your screen (which happens to mean that blind and visually impaired people will be unable to use special accessibility software to read the site and it will be impossible to run the site through translation software / translation website to read a foreign language site). Etc etc etc. There are a million reasons websites will want to use the Trust system... and if you don't send the spy report then you can't view the website at all, you'll just get a helpful error message explaining how to "fix" your computer, an explanation of how to turn on the Trust system. It will be much like many current websites that refuse to display at all without cookies, instead giving helpful error messages explaining how to turn cookies on.
The hardware is designed to keep secrets against the owner and to be secure against the owner. Designed to deny the owner control over his computer once he "opts-in" and turns the system on. And of course if you don't opt-in then nothing works at all. You get locked out of your own files.
If independent producers have the same access/right/privileges as the big players, it makes for a much better solution.
Well, yeah... e
Re:That old (Score:3, Interesting)
That _*IS*_ DRM. In your scenario the Firefox team have implemented DRM, only in a proprietary half-assed easily-busted way. The intruder simply needs to modify the Firefox executable - either on-disk or in-memory - and the DRM implementation you propose is busted.
I would personally love to have DRM in Linux. For example, right now I can install a package on Debian and APT will check the signature of the package before installing it. That neatly solves the problem of installing a compromised package. However, once the package is installed there is no protection. If an intruder modifies a core binary like /usr/sbin/sshd then Linux will happily run the compromised binary. Programs like Tripwire can detect the modification but only after the event. If I run the compromised binary in between tripwire scans I'm screwed.
Now imagine a DRM-aware Linux. Not only is the package signed but so are the binaries. I import the Debian keyring into the kernel at boot time with "gpg --export > /proc/sys/keyring". The kernel loads the keys into the TCPA chip and the chip is then "locked down" so no additional keys can be loaded. Now when binaries are exec'd they are cryptographically verified by the kernel and the TCPA chip. If an intruder tries to run a compromised /usr/sbin/sshd the exec() fails and errors appear on my network management console. That sort of functionality can't be implemented with "md5sums and Selinux" (md5sums stuffed into the kernel is NOT equivalent).
Content restrictions are a small part of DRM, and as far as I'm concerned an utterly irrelevant topic of discussion. I don't pirate content and I have no sympathy for those people who do. From the point of view of creating secure computer networks and systems, I personally can't wait for DRM to be everywhere. Securing computer systems and keeping them secure is simply too expensive. The software should be doing a better job of protecting itself, and DRM is one tool that looks likely to help.
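The contrast drawn in the comment above, between a periodic integrity scan and a check made at the moment a program is launched, can be sketched in user space. This is an added example, not code from the thread or from any project it mentions; the names `sign_manifest`, `verified_run` and `DEMO_KEY` are hypothetical, and an HMAC over a digest manifest stands in for the public-key signature and locked hardware keyring the commenter describes.

```python
import hashlib
import hmac
import json
import subprocess
import sys
import tempfile
from pathlib import Path

# Constructed demo key. In the comment's design this would be a distribution
# public key locked into the chip; HMAC is only a stdlib stand-in for that.
DEMO_KEY = b"constructed-demo-key"


def file_digest(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def sign_manifest(paths, key=DEMO_KEY):
    """Record the SHA-256 of each file and authenticate the whole list."""
    body = json.dumps({str(p): file_digest(p) for p in paths}, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verified_run(path, manifest, key=DEMO_KEY):
    """Run the script at `path` only if the manifest is authentic and lists its digest."""
    expected = hmac.new(key, manifest["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        raise PermissionError("manifest tag invalid")
    recorded = json.loads(manifest["body"]).get(str(path), "")
    if not hmac.compare_digest(recorded, file_digest(path)):
        raise PermissionError(f"{path}: digest mismatch, refusing to run")
    result = subprocess.run([sys.executable, str(path)], capture_output=True, text=True)
    return result.stdout


def demo():
    """Constructed scenario: a script is modified after the manifest was signed."""
    with tempfile.TemporaryDirectory() as d:
        tool = Path(d) / "tool.py"
        tool.write_text("print('ok')\n")
        manifest = sign_manifest([tool])
        before = verified_run(tool, manifest).strip()
        tool.write_text("print('tampered')\n")
        try:
            verified_run(tool, manifest)
        except PermissionError:
            return before, True
        return before, False
```

A user-space wrapper like this still leaves a window between hashing the file and launching it, and nothing forces programs to be started through it; closing both gaps is what placing the check in the kernel's exec path is meant to achieve.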