consulting question....

[Ray Dillinger]

At a dinner party recently, I found myself discussing the difficulties 
of DRM (and software that is intended to implement it) with a rather 
intense and inquisitive woman who was very knowledgeable about what 
such software is supposed to do, but simultaneously very innocent of 
the broad experience of such things that security people have had.  
She was eager to learn, and asked me to summarize what I said to her 
in an email. So I did 

And it turns out that she is an executive in a small company which is 
now considering the development of a DRM product.  I just got email
from her boss (the CEO) offering to hire me, for a day or two 
anyway, as a consultant.  If I understand correctly, my job as
consultant will be to make a case to their board about what hurdles 
of technology and credibility that small company will find in its 
path if it pursues this course.

So now I need to go from Dinner party conversation mode to
consultant mode and that means I need to be able to cite specific
examples and if possible, research for the generalities I explained 
over dinner.  I'll be combing Schneier's blog and using Google to 
fill in details of examples I've already cited to get ready for 
this, but any help that folks could throw me to help illustrate 
and demonstrate my points (the paragraphs below) will be much
appreciated.

I explained to her that the typical experience of monitored or
protected software (software modified for DRM enforcement) is that
some guy in a randomly selected nation far outside the jurisdiction 
of your laws, using widely available tools like debuggers and hex 
editors, makes a cracked copy and distributes it widely, and 
that current efforts in the field seem more focused on legislation 
and international prosecutions than on software technology.  Software-
only solutions, aside from those involving a Trusted Computing Module
(which their proposed project does not - She seemed unaware of both 
the Trusted Computing Platform and the controversy over it) are no
longer considered credible.  I cited the example of DeCSS, whose 
crack of players for DRM'd movies used techniques generally 
applicable to any form of DRM'd software. 

I explained that in the worst case, such software works by making 
unacceptable compromises of security or autonomy on the machines where
it is installed, citing the infamous and widespread Sony Rootkit, (and 
IMO also the TCM system, but I didn't go into that messa worms at
dinner) and that these compromises usually become public and do 
serious damage to both the credibility of DRM systems generally and
the cash flow of the companies that perpetrate them (ISTR Sony wound
up losing something over 6 million in the US judgement alone on that 
one, and spent considerably more than that on legal fees in the US 
and several other nations). 

Finally, I explained the cheap attacks available to a sysadmin who 
does not want his DRM'd software reporting its usage statistics; for 
example having a firewall that filters outgoing packets. 

Does anyone feel that I have said anything untrue?

Can anyone point me at good information uses I can use to help prove 
the case to a bunch of skeptics who are considering throwing away 
their hard-earned money on a scheme that, in light of security
experience, seems foolish?

Ray Dillinger


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com

Re: consulting question.... (DRM)

[John Gilmore]

It's a little hard to help without knowing more about the situation.
I.e. is this a software company?  Hardware?  Music?  Movies?
Documents?  E-Books?  Is it trying to prevent access to something, or
the copying of something?  What's the something?  What's the threat
model?  Why is the company trying to do that?  Trying to restrain
customers?  Competitors?  Trying to build a cartel?  Being forced to
do it by a cartel?  Is their product embedded?  Online?  Hardware?
Software?  Battery powered?  Is it on a phone network?  On the
Internet?  On no network?  What country or countries does the company
operate in?  What jurisdictions hold its main customer bases?  How
much hassle will its customers take before they switch suppliers?
What kind of industry standards must the company adhere to?  What
other equipment or data formats do they have/want to interoperate
with?

Most DRM is probably never cracked, because the product it's in
never gets popular enough that anyone talented wants to crack it.
If they only sell a thousand units, will they be happy?  Or do they
hope/plan/need to sell millions of units?

Most DRM exists to build a cartel -- to make an artificial monopoly --
not to prevent *customers* from copying things, but to prevent
*competitors* from being able to build compatible or interoperable
equipment.  This is largely because US reverse-engineering law makes
such a cartel unenforceable in court, unless you use DRM to make it.

 Can anyone point me at good information uses I can use to help prove 
 the case to a bunch of skeptics who are considering throwing away 
 their hard-earned money on a scheme that, in light of security
 experience, seems foolish?

Why should we bother?  Isn't it a great idea for DRM fanatics to
throw away their money?  More, more, please!  Bankrupt yourselves
and drive your customers away.  Please!

It's only the DRM fanatics whose installed bases of customers
are mentally locked-in despite the crappy user experience (like
the brainwashed hordes of Apple users, or the Microsoft victims)
who are troublesome.  In such cases, the community should
intervene on behalf of the users -- not to prevent the company
from wasting its time and money.

John

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com