Computer Internet network security News

Introduction Most people have heard of software licensing and pay per view television, but possibly not connected it with a development in technology called Digital Rights Management (DRM). To understand what DRM is trying to achieve you first of all need to understand intellectual property. Intellectual property To understand digital rights you need to remember that books, plays, pictures, films and so on (including this paper) are subject to copyright or intellectual property rights. By international agreements such as the Berne Convention countries recognize these rights and provide a framework that allows copyright holders to have uniform rights in different countries and to be able to enforce them. Whenever you buy a book, hear a modern recording played on television or see a film a payment is being made to the copyright holders of the work. You will find significantly more detail on intellectual property rights (IPR) on the web site http://www.wipo.int/. The site provides a comprehensive information resource about the work of the World Intellectual Property Organization (WIPO). Now intellectual property rights were important in the book and film trades, but television, DVD, computer software and computer games have had such a significant effect on world trade that the World Trade Organization (WTO) has a special section of its activities devoted to dealing with intellectual property rights called Trade-Related aspects of Intellectual Property Rights (TRIPS) and more information on the world negotiations are at http://www.wto.org/english/tratop_e/trips_e/trips_e.htm. You can gather from this that several industries consider intellectual property to a very big deal indeed. Demand for digital rights management So now when we talk about digital rights management we are talking about works of intellectual property that are processed by digital computers (or even analogue ones). There are many many industries producing copyright works that are held on and processed by computers. That includes anything processing cassette tapes, VCR, CD-ROM, DVD, flash cards and so on. There are even laws that create rights in databases as collections of information. The copyright holders (owners) found that the original computer systems, broadcast television and cassette tapes, records and VCR machines made no attempt to stop people from copying their work and even selling it on with the owner getting paid the royalty that IPR law gave them. This started in the late 1980’s, and grew significantly with the introduction of music standards such as MP3 which did not prevent copying, but did make mass market copying very easy. Other owners selling ‘expensive’ works such as financial analyses of companies or markets found that people would purchase one copy and then make copies of it to pass on to their friends for free. When the reports were printed they were photocopied, but making them digital made the copying easier and faster. The IT industry saw a massive opportunity to be able to make significant amounts of money if they could find one or more ways to control what the person who had licensed a digital work (when you buy a book in theory you license it, and the same goes with a picture or a photograph) did with it.

DRM controls as against IT controls Obviously the things that you would want to control were any form of access and use, and particularly to prevent any attempt to remove the controls. So controls often provided are: – reading the item; – number of times; – start and end dates for reading; – printing the item; – at all; – poor quality printing; – number of copies; – altering the item; – changing information content; – removing copyright marks; – copying the item; – making copies others can use; – copying parts of the work; – taking screen dumps as copies; – running the item as a program; – running the item on one computer; – only allowing one user to run the item; – limiting the number of CPUs the item may use. These controls are a long way from the original IT type controls on files which (for those not instantly familiar with them) still are: – read; – write; – append; – delete; – execute. Now as you can see, it’s quite a different list of controls with quite a significant impact. DRM and charging mechanisms When DRM systems first came out there was a strong move to be able to license significant amounts of the information found on the Internet, and to charge for every conceivable use of an item, as well be able to pass on enforceable rights from one rights holder to another. Original owners were also to be recompensed through micro-payments mechanisms that would transfer their proportion due each time an aspect of their work was sold/licensed. This was proposed so that owners would receive an accurate payment for use. Did that make it work? Well, this is where the detail gets a bit more complicated. The only mechanism that computer systems have for enforcing controls when the computer operating system is not in control (which is almost all the time with the Internet) is encryption. If you don’t encrypt (make secret) the thing you are trying to protect then your (lack of) protection mechanism will soon be detected and either all the works you were trying to protect will suddenly become freely available on the web (as happens more often than you might think) or they will be shared amongst private groups of users freely.

Now encryption requires a number of disciplines if it is going to be successful. It also imposes quite an overhead on a system. For instance, whilst the user would not worry about the time it takes to decrypt a file (say a document, spreadsheet, .pdf file) because the amount of information is in reality quite small, but if they are waiting for the decryption of streaming video or voice the heavy encryption currently used can harm performance. Certainly the average DVD would not perform well using a PC to decrypt all its information using, say triple DES. Encryption also requires the control of cryptographic keys. Some people who have installed or re-installed Microsoft Windows will have typed in a long series of letters and numbers (a.k.a. a cryptographic key). But DRM system often require you to be in contact with a server that is monitoring user requests and comparing them with dynamically imposed controls (such as continuing to subscribe to a service). Cryptography allows strong controls, but it also imposes overheads and technical difficulties. The early DRM systems failed simply because they were too expensive for the amount of money they could reasonably collect. This idea of cost may sound rather strange, but the cost of mounting the servers, the processing overhead and the amount of connectivity required to operate those systems was simply too much compared to the amount of money they could realistically collect. Can you make it work? Cryptography can work effectively in a number of situations. But at the moment, micro-payments simply isn’t one of them. Using cryptography to control the actions of a user who has paid a substantial amount of money for the product will work where micro-payments will not. Cryptography will let you control a number of events. But it depends upon how effective your cryptography is. A number of disasters have already overtaken those who either chose to implement poor algorithms or failed to understand that you have to do something significantly better than password protection if you are going to protect something that has significant value for your business. It is not necessary for this paper to do more than state that many of the ‘industry standard’ solutions failed to recognize the real management issues of cryptography and therefore failed to provide the protection that they seemed to claim. Later solutions to DRM implementation have been more successful. Although it is fair to note that right owners need to think through what it is that they are licensing their customers for. And to make sure that their licensing is consistent with current international agreements. (Issues of international rights are the subject of a separate paper.) Moving forwards Decoupling DRM from micro-payments has enabled a more effective control suite to be provided that on the one hand supports industry objectives and on the other hand is acceptable to users. Users were not willing to work on the basis of micro-payments, but are more willing to buy a service that is delivered over a period of time. It seems, from current market feedback, that whilst users do not like restrictions on their ability to share information with others, and to have it locked down to a specific computer, they will accept those kinds of limitations. What they are not happy about are situations where they have to be online to remote servers before they are able to use information that, as far as they are concerned, they have purchased, and should be able to access at any time, and for all time. These requirements are at odds with the ideas of the ‘pay per view’ community from the record and film industries, who see a massive market opportunity if they can charge for each and every use of an item as against having sold it to a customer for permanent use. (In other words they may prefer the model of the DVD/Video shop to that of the customer buying a the item and being able to use it forever thereafter.)

Conclusion DRM offers industry information providers, which include the financial industries, analysts, consultants, programmers (applications, games) database owners and so on, as well as the record and film industries, with significant potential. DRM significantly extends the old IT controls and provides a much finer grained control over the ability of the user to make use of an item. Attempts to link finer grained control to micro-payments controls has not been successful so far, and may prove to be unattainable in the longer term because the cost of operating the mechanism exceeds the possible income per transaction. Speculation that web costs are zero may be correct for the end user, but studies have demonstrated that information service providers actually pay to have their information made available on the web. The correct mechanism to implement DRM will vary significantly with the delivery requirement. Services that require high speed decryption still need to be implemented in hardware if they are to work in an online situation. Realtime services can only be delivered using dedicated hardware, and owners requiring this service should be aware of this limitation.

Copyright digital right, digital right management, DRM security

PDF Security and DRM Packages in Depth Comparison

Security and Digital Rights Management (DRM) systems try to protect copyrights and digital contents by limiting access by users to contents. They provide facilities for electronic publishers to distribute their precious contents to prevent any illegal distribution and usage.

In this article we\’re about to analyze features, weaknesses and restrictions about variety of DRM, Protection and Security packages for Adobe Portable Document Format (PDF). The comparison is based on system analysis, personal experiences and the provided information and demos in vendors websites.

The comparison is based on several parameters including:

Licensing methods:

Offline Licensing : Licensing without need for License servers and Internet connection which is suitable for offline users.

Standalone Licensing : This licensing method is usually provided as a License Generator application. This method is suitable for small businesses or individual self-publishers.

Standalone Web-Based Licensing : In this method all required licensing and user management components are hosted on Publisher web servers.

Hosted Web-Based Licensing : In this method all required licensing and user management components and pages are hosted on DRM vendor website.

Indirect Licensing : Indirect licensing is usually used to provide reseller mechanisms for protected pdf documents redistribution.

Distribution Controlling Mechanisms:

User-Based Identification: This identification is usually based on user information, and passwords which are provided by DRM users. This method provides a minimum distribution management control but ease of use.

Computer-Based Identification: This authorization system is based on user computer. There are several hardware information which is commonly used by DRM vendors including : Hardware Serial Numbers (Mainboard, CPU, HDD, MAC), Volume Serial Numbers and specific hardware information. This method provides maximum security and distribution management control over the protected pdf documents.

Domain Authorization : Support for domain licensing instead of per user/computer authorization. In this method, licenses are server based using online Licensing server. This method is ideal for internal company document security and local networks.

Protected Document Features:

Protected PDF Changes : User ability to insert comments, notes, attachments or modifications on a protected pdf.

Combined Licenses : Support for Combined licenses which are required to open a protected pdf document. Each license may come from a separate server or publisher.

Offline Viewing : Support for the protected pdf documents to be accessible for offline users.

Support Embedded PDF Contents : Support for embedded contents (flash, video, sound, 3D models and ..), to be used within a protected pdf pages.

Supported User Rights:

Printing Rights : Support for users printing rights.

Page Print Count : Limitations on number of pages user can print from protected pdf documents.

Clipboard Rights : Limitations on accessing the system clipboard when opening a protected pdf document.

Opening Count : Limitations on number of times user allows to open a protected pdf.

Timing:

Expiration Dates : Expiration time controlling system.

Working Times : Support for opening time limitations for protected pdf documents. This method is ideal for implementation of trial based systems for protected pdf documents.

Security Level:

Reversing Protection : Protection against Reverse Engineering methods and tools.

Screen Grabbers Protection : Protection against screen grabber programs and Print Screen.

Virtual Machine Detection : Locking the protected pdfs to Virtual machines (VMware, Virtual PC, Wine and …)), will cause security holes in Computer-Based Identification systems. Locking a protected pdf to a virtual machine is equal to loosing protected pdf distribution control as virtual machine hardware info and serial numbers are not unique.

Virtual Printers Detection : Detecting virtual printers and preventing users from printing to these printers. Virtual printers are usually used to convert printing outputs to standard portable document file formats like PDF, PostScript or … Printing to a virtual printer will completely unprotect the protected pdf document by saving a raw documents as the result of printing outputs.

DRM Removers : Programs which can attack/remove the security/protection systems from protected document.

Integration:

Standalone Programming Interfaces : Standalone Programming Interfaces (APIs) are used by programmers to link and integrate current systems with DRM Security, Protection and Licensing features.

Web-Based Licensing Interfaces : Web-Based Licensing interfaces are placed on DRM vendor website.

Installation: Components, Plug-ins or DRM Managers needed to be installed on user computer in order to access the protected contents.

Supported Operating Systems: Supported operating systems for opening protected documents.

Supported PDF Viewers: Supported operating systems for opening protected documents.

Pricing: Prices for drm package.

FileOpen Publisher

Vendor Description :
FileOpen Systems develops digital rights management software to prevent unauthorized viewing, copying and printing of digital documents. Documents encrypted with FileOpen software are native PDF and will display seamlessly in Adobe Reader–no passwords or external viewers are necessary.

Overview :
FileOpen Publisher is a plug-in based drm and protection system for Adobe PDF documents. The protected PDF documents are standard pdfs and they\’re accessible within Standard Adobe Reader. The licensing systems are based on license servers which can be hosted on your own servers or FileOpen servers.

Website: www.fileopen.com

Licensing methods:

Offline Licensing NN
Standalone Licensing NN
Standalone Web-Based Licensing YY
Hosted Web-Based Licensing YN
Indirect Licensing NN

Distribution Controlling Mechanisms:

User-Based Identification YN
Computer-Based Identification YY
Domain Authorization NN

Protected Document Features:

Offline Viewing YY
Combined Licenses NN
Protected PDF Changes NN
Support Embedded PDF Contents YY

Supported User Rights:

Printing Rights YY
Page Print Count NN
Clipboard Rights YY
Opening Count YY

Timing:

Expiration Dates YY
Working Times NN

Security Level:

Reversing Protection NN
Screen Grabbers Protection NN
Virtual Machine Detection NN
Virtual Printers Detection NN
DRM Removers :

Advanced PDF Password Recovery

http://www.planetpdf.com/mainpage.asp?webpageid=1540

Integration:

Standalone Programming Interfaces YY
Web-Based Licensing Interfaces NN

Installation: Additional DRM Plug-in needs to be installed on Adobe Acrobat/Reader for users.

Supported Operating Systems: Windows , Macintosh

Supported PDF Viewers: Adobe Acrobat/Reader 5.x +

Pricing: Start From $2,995

Lizard Safeguard

Vendor Description :
Lizard Safeguard PDF Security is for publishers of high value or confidential information published in PDF format, whether for sale to the public or internal control and protection, where a higher degree of security and control is required – beyond simple pdf password protection. There are no passwords for you to send, or for users to enter, manage, forget, or pass onto others.

Overview :
Lizard Safeguard is based on a secure viewer “Lizard Safeguard PDF Viewer”. The protected documents (.pdc) are not in standard pdf format and they are not accessible using Adobe Acrobat/Reader. The licensing systems are based on license servers which can be hosted on Locklizard or your own servers.

Website: www.locklizard.com

Licensing methods:

Offline Licensing NN
Standalone Licensing NN
Standalone Web-Based Licensing YY
Hosted Web-Based Licensing YY
Indirect Licensing NN

Distribution Controlling Mechanisms:

User-Based Identification YY
Computer-Based Identification YY
Domain Authorization NN

Protected Document Features:

Offline Viewing YY
Combined Licenses NN
Protected PDF Changes NN
Support Embedded PDF Contents NN

Supported User Rights:

Printing Rights YY
Page Print Count NN
Clipboard Rights YY
Opening Count YY

Timing:

Expiration Dates YY
Working Times NN

Security Level:

Reversing Protection NN
Screen Grabbers Protection YY
Virtual Machine Detection NN
Virtual Printers Detection YY
DRM Removers :

LockLizard PDC Un-Protector

Integration:

Standalone Programming Interfaces YY
Web-Based Licensing Interfaces YY

Installation: Lizard Safeguard PDF Viewer needs to be installed on user system.

Supported Operating Systems: Windows , Macintosh

Supported PDF Viewers: Lizard Safeguard PDF Viewer

Pricing: Start From $2,495

PDF Security OwnerGuard

Vendor Description :
PDF Security OwnerGuard provides Security, DRM, Copy Protection, Licensing and Distribution Management solution for Adobe PDF Documents. This product is made especially for internal company documents security and publishers of high value information published in PDF format.

Overview :
OwnerGuard is not based on plug-in or custom viewers. OwnerGuard DRM implementation seems to be based on external security/drm layers for Foxit and Adobe Reader. The protected pdf documents are not standard pdf files but they\’re accessible using standard Adobe Reader and Foxit Reader. The protection and licensing systems are provided as standalone applications and also as server APIs for integration.

Website: www.armjisoft.com

Licensing methods:

Offline Licensing YY
Standalone Licensing YY
Standalone Web-Based Licensing YY
Hosted Web-Based Licensing NN
Indirect Licensing YY

Distribution Controlling Mechanisms:

User-Based Identification NN
Computer-Based Identification YY
Domain Authorization YY

Protected Document Features:

Offline Viewing YY
Combined Licenses YY
Protected PDF Changes YY
Support Embedded PDF Contents YY

Supported User Rights:

Printing Rights YY
Page Print Count YY
Clipboard Rights YY
Opening Count YY

Timing:

Expiration Dates YY
Working Times YY

Security Level:

Reversing Protection YY
Screen Grabbers Protection YY
Virtual Machine Detection YY
Virtual Printers Detection YY

Integration:

Standalone Programming Interfaces YY
Web-Based Licensing Interfaces NN

Installation: PDF OwnerGuard License Manager needs to be installed on user system.

Supported Operating Systems: Windows

Supported PDF Viewers: Adobe Acrobat/Reader 3.x + , Foxit Reader 2.x +

Pricing: Start From $1,995

Drm-x PDF Packager

Vendor Description :
Haihaisoft DRM-X provides cost-effective and secure on-demand DRM service that you can easily protect, publish, and sell your documents. It gives you total control over who accesses your digital content and under what terms, enabling you to increase revenue, bring products to market faster, and attract new customers.

Overview :
Drm-x PDF Security is based on a secure viewer “Haihaisoft PDF Reader” and “Haihaisoft Multimedia PDF Reader”. Haihaisoft PDF Reader security rate is acceptable but Haihaisoft Multimedia PDF Reader just decrypts the protected pdfs to a temp location and open using Acrobat Reader as Inside OLE application. The protected documents are not in standard pdf format and they are not accessible using Adobe Acrobat/Reader. The licensing system is based on license servers which are hosted on Haihaisoft servers.

Website: www.drm-x.com

Licensing methods:

Offline Licensing NN
Standalone Licensing NN
Standalone Web-Based Licensing NN
Hosted Web-Based Licensing YY
Indirect Licensing NN

Distribution Controlling Mechanisms:

User-Based Identification YY
Computer-Based Identification YY
Domain Authorization NN

Protected Document Features:

Offline Viewing YY
Combined Licenses NN
Protected PDF Changes NN
Support Embedded PDF Contents YY

Supported User Rights:

Printing Rights YY
Page Print Count NN
Clipboard Rights YY
Opening Count YY

Timing:

Expiration Dates YY
Working Times NN

Security Level:

Reversing Protection YY
Screen Grabbers Protection NN
Virtual Machine Detection NN
Virtual Printers Detection NN

Integration:

Standalone Programming Interfaces NN
Web-Based Licensing Interfaces NN

Installation: Haihaisoft PDF Reader needs to be installed on user system.

Supported Operating Systems: Windows

Supported PDF Viewers: Haihaisoft PDF Reader

Pricing: Charges are Per License

Drumlin PDF Security

Vendor Description :
The Drumlin PDF software and DRM service provides a complete and cost-effective PDF security solution. It includes a free PDF reader with built-in military-strength encryption, wide-ranging secure publishing (\’writing\’ a secure PDF file), coupled with a free central Digital Rights Management (DRM) service.

Overview :
Drumlin PDF Security is based on a secure viewer “Drumlin PDF Reader”. The protected documents (.drmx) are not in standard pdf format and they are not accessible using Adobe Acrobat/Reader. The licensing systems are based on license servers which are hosted on Drumlin servers.

Website: www.drumlinsecurity.co.uk

Licensing methods:

Offline Licensing NN
Standalone Licensing NN
Standalone Web-Based Licensing NN
Hosted Web-Based Licensing YY
Indirect Licensing NN

Distribution Controlling Mechanisms:

User-Based Identification YY
Computer-Based Identification YY
Domain Authorization NN

Protected Document Features:

Offline Viewing YY
Combined Licenses NN
Protected PDF Changes NN
Support Embedded PDF Contents NN

Supported User Rights:

Printing Rights YY
Page Print Count NN
Clipboard Rights YY
Opening Count YY

Timing:

Expiration Dates YY
Working Times NN

Security Level:

Reversing Protection YY
Screen Grabbers Protection NN
Virtual Machine Detection NN
Virtual Printers Detection NN

Integration:

Standalone Programming Interfaces NN
Web-Based Licensing Interfaces NN

Installation: Drumlin PDF Reader needs to be installed on user system.

Supported Operating Systems: Windows, Macintosh

Supported PDF Viewers: Drumlin PDF Reader

Pricing: Charges are Per License

Virtium Protectedpdf

Vendor Description :
Protectedpdf provides publishers of e-books, research reports, educational texts and other electronic content with an innovative approach to PDF security. The protectedpdf technology empowers companies to secure their PDF documents against misuse, piracy and unauthorized sharing.

Overview :
Protectepdf security and drm systems are implemented inside protected pdfs using embedded javascript and a drm overlay pdf layer which provides a minimum security but maximum ease of use for users. Protected pdfs are in standard pdf format and they\’re accessible using standard Adobe Acrobat/Reader. There is no additional software installation needed for users. The licensing systems are based on license servers which can be hosted on your own servers or Virtium servers.

Website: www.protectedpdf.com

Licensing methods:

Offline Licensing NN
Standalone Licensing NN
Standalone Web-Based Licensing YY
Hosted Web-Based Licensing YY
Indirect Licensing NN

Distribution Controlling Mechanisms:

User-Based Identification YY
Computer-Based Identification YY
Domain Authorization YY

Protected Document Features:

Offline Viewing YY
Combined Licenses NN
Protected PDF Changes YY
Support Embedded PDF Contents YY

Supported User Rights:

Printing Rights NN
Page Print Count NN
Clipboard Rights NN
Opening Count YY

Timing:

Expiration Dates YY
Working Times NN

Security Level:

Reversing Protection NN
Screen Grabbers Protection NN
Virtual Machine Detection NN
Virtual Printers Detection NN
DRM Removers :

Protectedpdf DRM Overlay PDF Layer can be removed using Adobe Acrobat Full

Integration:

Standalone Programming Interfaces YY
Web-Based Licensing Interfaces YY

Installation: No additional software installation needed.
Supported Operating Systems: Windows , Macintosh
Supported PDF Viewers: Adobe Acrobat/Reader 6.x +
Pricing: On Demand

Computer security analyses DRM security, pdf, pdf security

 Any technology used to protect the interests of owners of content and services (such as copyright owners). Typically, authorized recipients or users must acquire a license in order to consume the protected material—files, music, movies—according to the rights or business rules set by the content owner.

Major entertainment companies are using “digital rights management,” or DRM (aka content or copy protection), to lock up your digital media. These DRM technologies do nothing to stop copyright pirates, but instead end up interfering with fans’ lawful use of music, movies, and other copyrighted works. DRM can prevent you from making back ups of your DVDs and music downloaded from online stores, recording your favorite TV programs, using the portable media player of your choice, remixing clips of movies into your own home movies, and much more.

To the extent DRM interferes with perfectly legal uses of digital media, it’s plenty bad enough. But thanks to the lobbying of the major media companies, DRM is now backed up by the Digital Millennium Copyright Act (DMCA). If you circumvent DRM locks or create the tools to do so, even to enable noninfringing fair uses, you might be on the receiving end of a lawsuit. The DMCA has been a disaster for innovation, free speech, fair use, and competition.

And Congress is now considering new laws that go beyond the DMCA, mandating DRM in a wide array of digital media devices and personal computers, giving entertainment industry lawyers and federal bureaucrats veto power over new gadgets.

Hollywood and the music industry have always attacked new technologies that help you get more from your media—these industries brought lawsuits against the VCR, DAT recorder, the MP3 player, and the PVR. Today, these media giants want to use DRM to take away your legitimate fair use and home recording rights, hoping to sell those rights back to you later. Worse still, recent DRM has invaded users’ privacy and created severe security vulnerabilities in computers.

D, Glossary of computer security D, digital-rights, digital-rights-management, DRM security, Glossary-of-computer-security

The use of debuggers to analyse malicious or otherwise unknown binaries has
become a requirement for reverse engineering executables to help determine
their purpose. While researchers in places such as anti-virus laboratories have
always done this, with the availability of free and easy to use debuggers it has
also become popular with corporate security officers and home users.
One of the main purposes of a debugger is to allow the user to control the
execution of a binary in such a way as to determine what instructions or
commands the binary is executing. During malware analysis the user can modify
what the binary is trying to execute, or prevent it all together.

Computer-security coding, debugger, decocing, Development, DRM security

A court in Finland ruled last week that it is not a violation of that nation’s anticircumvention law to circumvent CSS, the copy protection system in DVDs. Mikko Valimaki, one of the defense lawyers, has the best explanation I’ve seen.
Finnish law bans the circumvention of “effective” DRM (copy protection) technologies. The court ruled that CSS is not effective, because CSS-defeating tools are so widely available to consumers.
The case is an interesting illustration of the importance of word choice and definitions in lawmaking. The WIPO copyright treaty required signatory nations to pass laws providing “effective legal remedies against the circumvention of effective technological measures that are used by authors in connection with the exercise of the rights …” Reading this, one can’t help but notice that the same word “effective” describes both the remedies and the measures. The implication, to me at least, is that the legal remedies only need to be as effective as the technological measures are.
The Finnish law implementing the treaty took the same approach. In language based on an EU Copyright Directive, the Finnish law defined an effective technology as one that “achieves the protection objective” (according to Mr. Valimaki’s translation). The court ruled that that doesn’t require absolute, 100% protection, but it does require some baseline level of effectiveness against casual circumvention by ordinary users. CSS did not meet this standard, the court said, so circumvention of CSS is lawful.
U.S. law took a different approach. The Digital Millennium Copyright Act (DMCA), the U.S. law supposedly implementing the WIPO treaty, bans circumvention of effective technological measures, but defines “effective” as follows:

a technological measure `effectively controls access to a work’ if the measure, in the ordinary course of its operation, requires the application of information, or a process or [...]

Read more at Ed Felten

DMCA DMCA, DRM security

On Saturday I gave a talk (”Rip, Mix, Burn, Sue: Technology, Politics, and the Fight to Control Digital Media”) for a Princeton alumni group in Seattle. The theme of the talk is that the rise of information technology is causing a “great earthquake” in media businesses.
Many people believe that the biggest impact of IT is that it allows easy copying and redistribution of all types of content. To some people, this is the only impact of IT.
But I argue in the talk that the copying issue is only one part of IT’s impact, and not necessarily the biggest part. The main impact of IT, I argue, is that computers are universal devices that can perform any operation on digital data (except those operations that are inherently undoable and therefore can’t be done by any device).
I stress universality over copying in the talk for two reasons. First, it’s a point that most people miss, especially non-techies. Second, it lets me hint at the most important tradeoff in copyright/tech policy, which is how copyright sometimes stands in the way of developing powerful technologies for creating and communicating. Most people are quick to see the advantages of strong copyright in the digital world, but slow to see the price we’re paying for it.
This debate — whether IT is primarily a copying machine, or a creative tool — seems to run deeply throughout the online copyright debate. Those who see copying as the main impact of IT don’t much mind restricting digital technologies to further their copyright aims. But those who see creativity as the main impact of IT aim to protect the vitality of the IT ecosystem.
I come down on the creative side. I think the biggest long-run effect of IT [...]

Read more at Ed Felten

Computer security events, Copyright, DMCA Computer security events, Copyright, DMCA, DRM security

[Other posts in this series]
We predicted in past posts that AACS, the encryption system intended to protect HD-DVD and Blu-ray movies, would suffer a gradual meltdown from its inability to respond quickly enough to attacks. Like most DRM, AACS depends on the secrecy of encryption keys built into hardware and software players. An attacker who discovers a player’s keys can defeat the protection on any disc that works with that player. AACS was designed with a defense against such attacks: after a player has been compromised, producers can alter new discs so that they no longer work with the compromised player’s keys. Whether this defense (which we call “key blacklisting”) will do much to stop copying depends how much time elapses before each leaked key is blacklisted.
Next week marks three months after the first compromised player key appeared on the Internet (and more than five months after cracks for individual discs began to appear). Discs slated for release on Tuesday will be the first to contain an update to AACS that blacklists the leaked keys.
What took so long? One limitation comes from the licensing agreement signed with player manufacturers, which requires that they receive ninety days’ notice before their keys are blacklisted, so that they have enough time to update their products.
Customers who obtained the new discs a few days early confirmed that the previously leaked keys no longer worked. It seemed as if AACS had recovered from the attacks just as its designers intended.
However, a new twist came yesterday, when SlySoft, an Antigua-based company that sells software to defeat various forms of copy protection, updated its AnyDVD product to allow it to copy the new AACS discs. Apparently, SlySoft had extracted a key from a different player and [...]

Read more at J. Alex Halderman

Computer-security DRM security

Four years ago I wrote about a company called Music Public Broadcasting:

In today’s Los Angeles Times, Jon Healey writes about a new DRM proposal from a company called Music Public Broadcasting. The company’s claims, which are not substantiated in the story, give off a distinct aroma of snake oil.

I went on to document the snake oil indicators: (1) the flamboyant, self-promoting entrepreneur, newly arrived from another field; (2) the vaguely articulated theoretical breakthrough, described in mystical terms unintelligible to experts in the field; (3) the evidence that the product hadn’t been demonstrated or explained to its customers; (4) the claims to invalidate an accepted, fundamental principle in the field — but without really explaining how it is done. As one potential customer said, “If it’s not snake oil, it’s pretty awesome.”
Now the same company, having adopted a new name, is floating an equally improbable legal theory: that Microsoft, Apple, Adobe, Real, and anybody else making music download tools is legally required to license the company’s technology. Their theory is that these target companies are “avoiding” the use of their anti-copying technology — avoiding it in the sense of not buying it — and the Digital Millennium Copyright Act prohibits avoidance of copy protection. In other words, the target companies have a legal obligation to buy the company’s technology and, on the same theory, any other technology that claims to stop infringement. Snake oil purchases are now mandatory.
If you believe this company’s legal claim is any more solid than its technical claim, I have a bridge to sell you — and let me assure you that you’re legally compelled to buy it.

Share This

Popularity: 35% [?]

Read more at Ed Felten

DMCA DMCA, DRM security

People have had lots of objections to Digital Rights Management (DRM) technology — centering mainly on its clumsiness and the futility of its anti-infringement rationale — but until recently nobody had complained that the term “Digital Rights Management” was insufficiently Orwellian.
That changed on Tuesday, when HBO’s Chief Technology Officer, Bob Zitter, suggested at an industry conference that DRM needs a name change. Zitter’s suggested name: Digital Consumer Enablement, or DCE.
The irony here is that “rights management” is itself an industry-sponsored euphemism for what would more straightforwardly be
called “restrictions”. But somehow the public got the idea that DRM is restrictive, hence the need for a name change.
Zitter went on to discuss HBO’s strategy. HBO wants to sell shows in HighDef, but the problem is that many consumers are watching HD content using the analog outputs on their set-top boxes — often because their fancy new HD televisions don’t implement HBO’s favorite form of DRM. So what HBO wants is to disable the analog outputs on the set-top box, so consumers have no choice but to adopt HBO’s favored DRM.
Which makes the nature of the “enablement” clear. By enabling your set-top box to be incompatible with your TV, HBO will enable you to buy an expensive new TV. I understand why HBO might want this. But they ought to be honest and admit what they are doing.
I can think of several names for their strategy. “Consumer Enablement” is not one of them.
Share This

Read more at Ed Felten

Computer-security DRM security

Remember last week’s kerfuffle over whether the movie industry could own random 128-bit numbers? (If not, here’s some background: 1, 2, 3)
Now, thanks to our newly developed VirtualLandGrab technology, you can own a 128-bit integer of your very own.
Here’s how we do it. First, we generate a fresh pseudorandom integer, just for you. Then we use your integer to encrypt a copyrighted haiku, thereby transforming your integer into a circumvention device capable of decrypting the haiku without your permission. We then give you all of our rights to decrypt the haiku using your integer. The DMCA does the rest.
The haiku is copyright 2007 by Edward W. Felten:

We own integers,
Says AACS LA.
You can own one too.

Here is your very own 128-bit integer, which we hereby deed to you:
[can’t display integer]
If you’d like another integer, just hit Shift-Reload, and we’ll make a fresh one for you. Make as many as you want! Did we mention that a shiny new integer would make a perfect Mother’s Day gift?
If you like our service, you can upgrade for a low annual fee to VirtualLandGrab Gold — and claim thousands of integers with a single click!
Share This

Popularity: 35% [?]

Read more at Ed Felten

DMCA DMCA, DRM security

The user revolt at Digg and elsewhere, over attempts to take down the now-famous “09 F9 …” number, is now all over the press. (Background: 1, 2) Many non-techies, including some reporters, wonder why users care so much about this. What is it about “09F9…” that makes people willing to defend it by making T-shirts, writing songs, or subjecting their dotcom startup to lawsuit risk?
The answer has several parts. The first answer is that it’s a reaction against censorship. Net users hate censorship and often respond by replicating the threatened content. When Web companies take down user-submitted content at the behest of big media companies, that looks like censorship. But censorship by itself is not the whole story.
The second part of the answer, and the one most often missed by non-techies, is the fact that the content in question is an integer — an ordinary number, in other words. The number is often written in geeky alphanumeric format, but it can be written equivalently in a more user-friendly form like 790,815,794,162,126,871,771,506,399,625. Giving a private party ownership of a number seems deeply wrong to people versed in mathematics and computer science. Letting a private group pick out many millions of numbers (like the AACS secret keys), and then simply declare ownership of them, seems even worse.
While it’s obvious why the creator of a movie or a song might deserve some special claim over the use of their creation, it’s hard to see why anyone should be able to pick a number at random and unilaterally declare ownership of it. There is nothing creative about this number — indeed, it was chosen by a method designed to ensure that the resulting number was in no way special. [...]

Read more at Ed Felten

DMCA DMCA, DRM security

I wrote yesterday about efforts by AACS LA, the entity that controls the AACS copy protection system used in HD-DVD and Blu-ray discs, to stop people from republishing a sixteen-byte cryptographic key that can unlock most existing discs. Much of the action took place at Digg, a site that aggregates Web page recommendations from many people. (At Digg, you can recommend pages on the Web that you find interesting, and Digg will show you the most-recommended pages in various categories.
Digg had received a demand letter from AACS LA, asking Digg to take down links to sites containing the key. After consulting with lawyers, Digg complied, and Digg’s administrators started canceling entries on the site.
Then Digg’s users revolted. As word got around about what Digg was doing, users launched a deluge of submissions to Digg, all mentioning or linking to the key. Digg’s administrators tried to keep up, but submissions showed up faster than the administrators could cancel them. For a while yesterday, the entire front page of Digg — the “hottest” pages according to Digg’s algorithms — consisted of links to the AACS key.
Last night, Digg capitulated to its users. Digg promised to stop removing links to the key, and Digg founder Kevin Rose even posted the key to the site himself. Rose wrote on Digg’s official blog,

In building and shaping the site I’ve always tried to stay as hands on as possible. We’ve always given site moderation (digging/burying) power to the community. Occasionally we step in to remove stories that violate our terms of use (eg. linking to pornography, illegal downloads, racial hate sites, etc.). So today was a difficult day for us. We had to decide whether to remove stories containing a single code based on a cease and desist [...]

Read more at Ed Felten

DMCA DMCA, DRM security