Posts tagged ‘vista’

Some of my thoughts on DRM…

An excellent paper on the cost of DRM in Windows Vista has been making the rounds on the internet for a few weeks now. The topic’s been picked up by Security Now (episode 73 and episode 74). The former gives a nice background to the technical side and the latter has Peter Gutmann, the author of the paper, as a guest.

This has triggered my writing something about my thoughts on the topic of DRM. Now, I don’t consider myself an expert on this topic. I’ve formed most of my opinions on DRM by reading things like Cory Doctorow’s excellent talk at Microsoft Research and the Darknet paper from Microsoft. I’ve also worked for a large consumer electronics company for almost 5 years, of which the last 18 months to 2 years were on security-related issues in consumer devices.

Why do the consumer electronics companies do DRM?

For the last 50 years consumers have bought new devices for the simple reason that the newer devices had more features, were faster, had better resolution, better audio… in short this year’s models were better than last year’s models. So, why on earth would these companies be interested in bringing out models that are fundamentally flawed through DRM? The easy answer is Hollywood… but as a professor of mine used to say, “Every difficult problem has an easy answer… which is wrong”. Hollywood isn’t the answer in my opinion. Hollywood is only a convenient scapegoat. The real answer is format control.

A company that controls a format makes money even when a competitor sells a device. Just think of the patent Philips and Sony had on CDs. That patent pulled in money on every CD sold, worldwide. Talk about a gravy train. Nowadays content formats involve a lot of companies and I guess it’s less lucrative because license money will have to be shared between more companies (just think of the MPEG group). DRM is still a fairly new area of standardisation and there’s a good chance of cashing in even more than on the format itself, especially if DRM is written into law[1].

Consumer electronics companies and the broadcast flag

A while back the broadcast flag was beaten in the US. A court found that the FCC didn’t have the authority to introduce such a flag and the US was saved. At least for now. What wasn’t so widely reported was the fact that when the broadcast flag was put on the table there was an outcry among the consumer electronics companies (a few other companies joined in as well). No, don’t be fooled, they weren’t considering the consumer, they weren’t interested in keeping TV the way it was. No, they were outraged because the suggested broadcast flag allowed only one DRM system. A system controlled by 5C (if I remember correctly). Companies not in the core group were facing extortionate licenses (basically giving up all IP to the core companies). No wonder they were outraged. Intense lobbying of the FCC followed and the outcome was that a set of DRM technologies would be “legal” in the US. That’s where the consumer electronics industry spent their time and money. They were fighting the possibility of 5C gaining a strangling grip in the market rather than standing up and trying to do the right thing, which would have been to work to make it possible to bring to market the best possible devices.

Consumer electronics companies and security

When working on security at the research branch of a consumer electronics company I quickly found myself “attached” to DRM-related projects. That was the only place where they were interested in security at all. Of course they weren’t interested in keeping consumers safe in a future where tellys have internet connections. No, the interest was solely in keeping customers out of the telly, preventing them from doing interesting things with the boxes they bought. So, who paid for this sort of research project? The IP/standardisation department, that’s who. They practically poured money into DRM projects while the parts of the company that actually made devices showed little interest. (On a personal note I have to admit that this aspect of security was one of the reasons why I left the company.)

End note

Well, I hope I’ve made some sense and that I’ve added something to the discussion about DRM that currently is taking place. Peter Gutmann has done a great job in making people aware of it and I’m looking forward to seeing what happens once Vista really hits the homes. I’m of course hoping that there is broad disapproval and that Vista does appallingly based solely on its DRM.

  1. This brings me to a rather paranoid theory of mine, involving the “unholy trinity” of software patents, DMCA-like laws and DRM that can be used to explain some companies’ behaviour. That would probably have to be the topic of another post though.

Interesting stuff

Am I the only one who finds this absolutely terrifying?

If you haven’t seen DCLugi’s Snakes On A Plane auditions on YouTube you need to!

Bruce Schneier reported on this a while ago, I need to keep the link around. What to do when your neighbour is using your internet.

Our “honourable” EU politicians are finally worrying about the right things when it comes to Microsoft. Microsoft is all about lock-in, they’ll use security to achieve it if they can. Microsoft is of course responding. I wonder if they’re ever going to inhabit the same world as I am? Vista creating 100000 new jobs? Only if changing the title of a position from “Windows XP Developer/Administrator/Shithead” to “Windows Vista Developer/Administrator/Shithead” counts as “creating a new job”. I think Linux Journal is too kind when they call it Microsoft’s Masterpiece FUD. I think it only shows just how desperate Microsoft is to get Vista out the door.

Digital Rights Ireland are challenging the Data Retention Directive. I hope they are successful, I don’t think there are many citizens in Europe who would be sad to see that invasive directive go away.

A good article on “open vs. closed” from the Financial Times—A closed mind about an open world. FT is increasingly “getting it”.

I couldn’t help but laugh out loud when reading this article on trusted computing—Trusted computing a shield against worst attacks?. Let me see if I got it right. Phoenix Technologies, who happen to make a TPM module, pays analyst firm Trusted Strategies to have a report on digital attacks done. Then, surprisingly, the analysts come back and say that a TPM would have stopped most of those attacks. Who would ever read and put any faith in a report like this? Besides other analysts of course. I can’t help but think that the computer analyst firms are locked in a circle-jerk that’s paid for by computer companies. It is a very strange world we live in.

Thinking of writing a media app in Python? This seems like a good place to start.

Misguided politicians…

Now, why are politicians repeating what the unrivaled masters of FUD say?

I thought our elected politicians were supposed to look out for our best interest, not suck up to foreign multi-nationals who have been found to indulge in anti-competitive behaviour.

It seems Microsoft is having problems getting the next version of their flagship product into a state where it can be released and they’re grabbing for straws in order to pass blame. The business world seems fully capable of running on XP/2000—it has been for quite a while now—waiting a few extra months for Vista won’t hurt anyone but Microsoft.