
How four Microsoft engineers proved that the “darknet” would defeat DRM - th0ma5
http://arstechnica.com/tech-policy/2012/11/how-four-microsoft-engineers-proved-copy-protection-would-fail/
======
SkyAtWork
(I ran engineering for a DRM firm for several years about the same time as
Peter put this out.)

It was pretty stunningly apparent at the time that the Internet was very good
for information sharing, that crushing Napster hadn't exactly stopped people
from sharing digital media, and that trying to make media exceedingly secure
and hard to use was not a winning strategy.

If you want a customer to pay for your product, you have to offer value - if
it's both more expensive and harder to use, you've made adoption pretty
unlikely. In '03, MP3 players were entirely prevalent, mostly didn't support
useful DRM, and the music industry mostly sold little silver discs which came
with no restrictions.

So it wasn't that the threat model to make music readily redistributable for
free was "the smartest black hats out there figure out how to crack your
crypto and DRM", it was "an average user rips a CD into MP3s and shares it".

As you might expect, it was frustrating to try to deal with the competing
demands from Hollywood at the time. People mostly didn't bother attacking the
DRM - they just went and created or file-shared to get the more usable files
without the protection layer. But there was still a great deal of insistence
that whatever content protection layer was put in could be a vault to keep
media safe forever, rather than a speedbump to piracy. (Meanwhile, of course,
CDs were raw bitstreams of high fidelity audio data...)

~~~
TheAmazingIdiot
I used to pay for content: movies, games, and some music. I didn't spend all
that much, but I did buy them.

Then, corrupted audio CDs were sold. My sister got bit by one. So we
downloaded it where it wasn't sold as damaged: Suprnova.

During that time, stupidity was occurring with DVDs with rotating CSS keys and
'bad block filled with data'. I was downloading films I wanted to archive, but
couldn't easily rip.

Games were not that bad, but soon became horrendous in terms of screw-user
checks, up to the point of driver breaking installs of trash-ware and other
nefarious garbage. I trusted the pirates more than the companies.

I've been burned enough times. Why pay for crap quality when free is better?

~~~
tptacek
Because the people that sweated and risked their livelihoods to produce these
titles didn't actually offer them to you for free; instead, they were coerced
into accepting free distribution when their work was illegally copied by
companies that fund themselves by viagra and Adult Friend Finder ads.

Meanwhile, almost universally, the offerings nerds entitle themselves to are
luxury goods that no person can claim an inherent right to access, so, not
only are content producers and financiers coerced into having their return on
investment redirected to porn ads and porn ad brokers, but that's happening
solely to provide nerds with access to luxuries. Most of which they could
trivially have afforded anyways.

But keep telling yourself piracy strikes some blow for justice. I don't know
the statistics but I'd have to guess at least 80% of nerds like us pirate
content every single week, and nobody wants to think of themselves as an
asshole. Rationalize however you need to.

~~~
illuminate
You can rant about "entitlement" all you wish, but the way to getting people
to stop pirating content is to provide an alternative method of distribution
than the one currently in place.

Steam, iTunes, Netflix, and perhaps one day HBO branching off into their own
content publishing business.

A season's worth Game of Thrones Blu-Rays costs what, $50?

To access a year's worth of premium cable content would cost ~$1000 to ~$1500.

"I don't know the statistics but I'd have to guess at least 80% of nerds like
us pirate content every single week, and nobody wants to think of themselves
as an asshole. Rationalize however you need to."

This is pretty much the antithesis of rationalizing. You're fine with the
system in place. Others are dissatisfied with piracy and want to support the
creators without the "luxury" of dropping more than a thousand bucks a year
for the one or two great shows worth watching on television.

~~~
tptacek
A season's worth of GoT Blu-Rays costs $50 1-2 years after the series has been
released on HBO. Content is much more lucrative during its initial release
window; it has a very definite time-value.

People aren't complaining and breaking the law to get access to GoT Blu-Rays
(well, actually, yeah some of them are). They're doing it to get access to GoT
episodes that aren't available anywhere but on pay TV, because HBO uses them
as an incentive to get people to subscribe to pay TV, which, when you think
about it, is the only way pay TV could possibly ever work.

~~~
bediger4000
You know, I made some socks for you to buy, to subsidize the production and
distribution of my artisan bleu cheese. My cheese startup failed, you filthy
pagan pirates, because you failed to buy my socks!

Come on. We're supposed to just suck it up when someone offers us something
for sale? You're kidding, that's not how markets work. If HBO does something
stupid, they get penalized for it in the market.

Beyond that, the debate here is about DRM. Institutionalizing DRM (legal
mandates, DMCA style legal penalties for "reverse engineering") probably
causes more damage to society as a whole than allowing some smaller monetary
amount of piracy. Clamping down on the civil rights of the populace as a whole
in order to prevent a tiny fraction of the populace from violating already
outrageous laws on "intellectual property" really isn't a good idea. Stupid
laws and stupid enforcement of stupid laws make people disrespect the law and
law enforcement.

~~~
tptacek
The DMCA does not criminalize reverse engineering; my field is based in large
part on routine reverse engineering of all sorts of software. While there is
some grey area and certainly some overreach in the DMCA anti-circumvention
mechanism, what it essentially criminalizes is an attempt to build a business
on devices that circumvent content protection.

As a sometimes-reverser, I'm ambivalent about this. I wouldn't howl if anti-
circumvention was eliminated (it won't be, but still). I'll howl with all the
other security researchers when it's abused to stifle research and disclosure
of security flaws (for the overwhelming most part, it isn't, but still).

I don't understand your sock/cheese metaphor at all. People can in fact bundle
socks and cheese. Nobody would in reality stick up for you if you stole the
socks to avoid the cheese. But nobody does bundle socks and cheese, because
that's moronic. It is manifestly not moronic to bundle Game Of Thrones with
ESPN.

~~~
TheAmazingIdiot
(I posted this a month ago)

How do you know, if you are that you are indeed breaking DRM vs just doing
complicated stuff with a firmware?

It seems obvious if there's PKI in there somewhere. But aside that, how do you
tell the difference?

Might I add that the old proposed "Broadcast Flag" would have been a bit in
the HDTV stream to signal no_copy. Changing that bit would have broken the
DMCA.

~~~
Natsu
BnetD managed to violate the DMCA merely by being unable to emulate the
authorization layer.

<https://www.eff.org/cases/blizzard-v-bnetd>

------
groby_b
I'm amazed this entire discussion here focuses on "DRM good" vs. "DRM bad".

The point is, it does not matter. We have entered a world where for pretty
much the first time, the marginal cost of creating a copy of something is
zero, for all intents and purposes. We don't have any economic theories (or
business models) that can deal with that yet.

DRM is simply a symptom of that. The question is not "can (and should) people
be prevented from resharing content", the question is, "what does content
creation look like in a world where everything is shared"

~~~
cynicalkane
Microeconomic models deal with negligible marginal cost products as a matter
of routine. I don't mean to be rude, but you've been taking the wrong
economics courses.

Another poster identified the issue: decentralized distribution, not low cost
of copy, is the sea change. In past times governments responded to low cost of
copy by legislating copyright. Now there's no practical way to centralize
distribution of _convenient_ copies of data.

Honestly, nerds fantasize about a world where all data is free, but
information creators just respond by making their data inconvenient to obtain.
Institutions of content creation have a high demand product; economically
there's no reason to expect them to roll over and give up on making money.

~~~
groby_b
That might well be - thankfully, nobody pays me for my economics expertise :)

What I meant by my statement is that the marginal cost is near-zero for
_everybody_. I've just learned that a better way to say that is "decentralized
distribution". I do appreciate you clarifying this. (I really do. It's rather
hard to say "thank you" over the Internet without coming across as the most
sarcastic person in existence)

And I don't expect content creators to roll over, but I _do_ expect to see a
significant shift in the industry. Because no matter how inconvenient the
access to the first copy is, the second one is free. At some point, that'll
need to be factored in, because it can't be prevented.

------
marshray
I just noticed that Microsoft has an opening for a "Privacy Strategist, Senior
- Trustworthy Computing"

[https://careers.microsoft.com/jobdetails.aspx?ss=&pg=0&#...</a> <a
href="https://twitter.com/adamshostack/status/274589817776525312"
rel="nofollow">https://twitter.com/adamshostack/status/274589817776525312</a><p>I
accepted a position at Microsoft a few months ago, and I'm feeling pretty
happy about it. I've been a merciless critic of MS in the past, but it appears
to me now that MS is one of the few large tech companies in a position to make
the consumer's privacy interests a competitive advantage in their
products.<p>One of my long-standing criticisms of the whole Trustworthy
computing initiative matched what was described in the article: that all this
research in computer security and TPM hardware on the motherboard was not
being used well in the interest of the consumer. With the very notable
exception of Bitlocker, "trustworthy" tended to mean that 3rd party interests
could expect the computer to act on their behalf and against the demands of
the system's actual owner.<p>If you are or know someone who can articulate
good arguments on behalf of the user and privacy, please show them this job
posting.<p>Thanks :-)

~~~
yuhong
"Trustworthy" and "Trusted" Computing are different.

~~~
wmf
Specifically, in MS-speak "trustworthy computing" means having fewer security
holes and "trusted computing" is basically DRM.

~~~
marshray
Yes, it's probably not directly related to TPM DRM per se. But this position
reads like it would involve privacy advocacy and strategy in general.

------
ChuckMcM
From the article:

 _"I'm now finding that for some kinds of content, the illegal is clearly
outperforming legal," Biddle said. "That blows me away. I pay for premium
cable. It's easier to use BitTorrent to watch Game of Thrones. HBO Go is
trying very hard to do a good job," he said, but the user experience just
isn't as good. Because HBO Go is a streaming service, he said, it's more
vulnerable to network congestion than simply downloading the entire episode
from the darknet."_

Fix this and you 'fix' piracy. Oh, and the fix isn't "shut down the darknet"
it is provide a better service.

~~~
tptacek
Piracy costs HBO less than "fixing HBO Go" would, since HBO is cross-
subsidized by subscriptions to cable.

The fix for piracy is to create compelling content under the "superior"
business models piracy advocates have so much faith in. Netflix is starting to
do this; over the next 10 years, lots of media/creative/production people are
going to get very rich figuring out how to produce and sell content online. In
the meantime, people should stop bitching about how hard it is to get Game of
Thrones; they sound ridiculous. Why on earth should anyone care how hard it is
to see a swords-and-sorcery soap opera?

~~~
illuminate
People aren't bitching about "how hard it is to get Game of Thrones", people
are bitching because they'd love to pay for it, legitimately, but without
subsidizing all the bundled crap .

I have zero interest in ESPN, Disney and "reality" television. I understand
fully why HBO is making more money than ever out of the bundlers' desperation,
and don't complain that they're "losing" money (which isn't the case) but I
would certainly prefer to be given the option to buy the content alone.

"In the meantime, people should stop bitching about how hard it is to get Game
of Thrones; they sound ridiculous. Why on earth should anyone care how hard it
is to see a swords-and-sorcery soap opera?"

The exact content is as irrelevant as your dislike of it. Dislike for Cable
television providers didn't originate with GoT.

~~~
tptacek
In other words, people are bitching because they'd love to pay what _they_
think GoT is worth, and not what GoT is demonstrably _actually_ worth to HBO.

Pay TV will eventually lose in the market as people (again, like Netflix)
figure out how to have compelling content created for the direct online
audience. But it won't lose until that happens.

Incidentally: I'm not the one who keeps bringing up Game Of Thrones.

~~~
pyre

      > I'm not the one who keeps bringing up Game Of Thrones
    

People aren't necessarily bringing it up because of the content. More because
the logistics of how it's distributed have been talked about before. By
bringing up Game of Thrones, the point is to discuss the issues around it, not
start a thread on the merits of the content itself.

------
Natsu
> Once a popular piece of information—say, a movie, a song, or a software
> title—"leaks" into the darknet, stopping its spread becomes practically
> impossible. This, the engineers realized, had an important implication: to
> prevent piracy, digital rights management had to work not just against
> average users, but against the most tech-savvy users on the planet. It only
> takes a single user to find a vulnerability in a DRM scheme, strip the
> protection from the content, and release the unencrypted version to the
> darknet. Then millions of other users merely need to know how to use
> ordinary tools such as BitTorrent to get their own copies.

There are quite a few people out there who _still_ don't understand this, who
believe that a "speedbump" will work. They see things like SatTV protection
schemes that are intact because people want content and they're not going to
take the hard way out until they have to. Like how the PS3 got hacked once
there was an incentive to.

I even remember one specific conversation with a security expert here on HN
telling me about how good the PS3's security was DRM working. I predicted it
would get hacked when necessary. This was not long before the hack. But it's a
fundamentally biased prediction: I only needed on lucky break in the security
to be right while they had to be perfect for me to be wrong.

That fundamental asymmetry, however, is exactly what makes the part I quoted
work.

------
negativity
Loathe as I am to thank Microsoft (as a company) for much of anything, I'm
glad to see that rational people actually work for them.

It's awesome to see sane-minded people shed light on the realities of what
information ultimately is, and how and why we share it.

You can't keep clamping down on people for whispering secrets in each other's
ears. To do so is to deny an individual of their own humanity. This is
especially true, with regard to trivial pastimes, like reading works of
fiction and experiencing the recording of music, sounds and abstract noise
that we create with the hopes that people will actually listen to them.

Hopefully, these aspects of human behavior will be embraced as normal facts of
life, rather than rejected as malicious and criminal. People who create
content, after all, are really paid thinkers in the Greek sense, and that
should be a truth that's understood by all these stubborn rights holders.

I hope the reaction to investigations like this will encourage tolerance of
file sharing, rather than harden the resolve to purge it from whatever society
we find ourselves living in decades from now.

Thank you, Peter Biddle, Bryan Willman, Paul England and Marcus Peinado!

------
jrochkind1
> Outside Microsoft, critics charged that Biddle's project represented the
> beginning of the end for the PC as an open platform. They feared that
> Microsoft would use the technology to exert control over which software
> could be executed on Windows PCs, freezing out open source operating systems
> and reducing users' freedom to run the software of their choice.

Nope, it's Apple that got there first with iOS.

I think the thesis on how the darknet would defeat DRM was correct... but only
assuming OS's and hardware that actually gave owners control of what software
they ran on the devices they own.

In a world where you void your warranty and possibly make it impossible to
upgrade your OS (_and_ possibly break the law in the US!), by 'jailbreaking'
your device so that you can install software on it without that software
having been given a stamp of approval by the device vendor... I'm not so sure.
And I suspect DRM was the real motivation for setting up the ecology this way
on iOS -- where Apple managed to succeed, both technologically and in the
court of public opinion, where Microsoft had previously failed, in doing
exactly what people were scared Microsoft was doing -- reducing users' freedom
to run the software of their choice.

And that's what looks like the future of consumer computing now, no? The idea
that a device owner should have the right to install whatever software they
want on their device... is going to seem a quaint relic of a bygone age in 10
years, and not just for 'mobile'.

~~~
__alexs
I thought jailbreaking was legal now? [1] It seems to me that both
jailbreaking and pirating iOS apps is a pretty common activity even among non-
technical people.

Obviously OS level DRM like iOS makes it harder for people but people still
seem very keen on doing it and the incentive to do so isn't going away.
Piracy, just like Shrinkage [2] is a fact of doing business.

[1] [http://www.wired.com/threatlevel/2010/07/feds-ok-iphone-
jail...](http://www.wired.com/threatlevel/2010/07/feds-ok-iphone-
jailbreaking/) [2] <http://en.wikipedia.org/wiki/Shrinkage_(accounting)>

~~~
jrochkind1
jailbreaking _phones_ is _possibly temporarily_ legal, as an exception to DMCA
by the Librarian of Congress which has to be explicitly renewed every few
years.

Jailbreaking tablets is not legal.

Providing or distributing software intended to help you jailbreak is also
illegal, even though jailbreaking may be legal.

See the EFF on this (and donate some money to them!):
[https://www.eff.org/deeplinks/2012/11/2012-dmca-
rulemaking-w...](https://www.eff.org/deeplinks/2012/11/2012-dmca-rulemaking-
what-we-got-what-we-didnt-and-how-to-improve)

------
rplst8
Yet we are moving towards an industry where "the fully re-programmable
computer" no longer exists.

~~~
chadgeidel
I don't see that. Sure - popular "computers" are not fully re-programmable,
but to say they will go away entirely is probably not true. There will always
need to be someone that "makes the magic" and, IMHO, this cannot be done on a
locked down device (nevermind the fact that developers wouldn't put up with a
computer they couldn't debug).

As long as there are folks like you and I that wish to have a computer (as
traditionally known) there will be vendors catering to our wishes.

~~~
bediger4000
I agree: someone "makes the magic". But what if it's like hydroponics and gro-
lights were during the worst Federal excesses of the "Drug War"? Anyone buying
a real computer (not an appliance) needs some kind of licensing and/or
certification. Manufacturing real computers requires certified and licensed
manufacturing and a different certification/licensing for design? The pace of
progress would slow dramatically. Since fewer and fewer people get into
programming, we won't have wild and crazy folks who try new and interesting
things all the time. No Moxie Marlinspike. No Jeff Bezos. No Marc Andreesen.
IT would become like making airplanes, hidebound, rigorously engineered by
crank turning second-raters. It would never ever change, except in terms of
marketing, like cigarettes.

This would be ideal for the status quo, and maybe even for a lot of consumers.
It would certainly be ideal for the corporate interests, the few that survive.

~~~
smacktoward
And yet the airlines move a huge volume of people from point A to point B
safely, reliably and inexpensively every day, at speeds and scale which would
stagger the airline moguls of the 1930s.

Does that make airplane nerds like me who think the DC-3 is a good
approximation of The Perfect Airplane (rugged, reliable, beautiful) sad? Sure
it does. But all those passengers aren't sad. A DC-3 trip from New York to
California was a bumpy, sixteen-hour flight with multiple stops for refueling.
The same trip on a 757 is a smooth ride above the weather that only takes a
few hours and has no stops. And it's cheaper too -- that 1930s trip would have
cost more than $4,000 in today's dollars. The 757 ride costs around $550.

This is what happens when industries mature: they become safer, cheaper, and
boring.

~~~
bediger4000
You say "mature", I say "reached the limits of efficient flight in 1963"
([http://www.empiricalzeal.com/2012/10/12/can-we-build-a-
more-...](http://www.empiricalzeal.com/2012/10/12/can-we-build-a-more-
efficient-airplane-not-really-says-physics/)). We're nowhere near what we can
do with computing, but we are with airplanes.

Safe, cheaper and boring may be an artifact of the physics of flight in
Earth's atmosphere, combined with an intertwined US defense and aerospace
industry. Why should we let corporate and government interests "unring" the
general computing bell? Why should we let corporate and government interests
stuff the genie of democratic publishing back in the lamp?

General purpose computing hardware got super cheap by way of the mass market,
and mass production. General purpose programming got cheap and universally
available by way of mass communication. In 1983 a C compiler on VMS cost some
thousands of dollars. Today, GCC and Clang and Pcc are free, and they do
optimizations that Tartan Labs could only dream about.

That's a hugely different path than the carefully-cultivated air travel
industry took. I think you're underestimating the effects of the FAA and the
DoD on how air travel looks today.

------
Create
<http://craphound.com/msftdrm.txt>

------
mtgx
Palladium - I remember that name. I only had my first computer for a year or
two, but I remember how it freaked everyone out. I'm glad it died.

And isn't ARM's "TrustZone" pretty much the same thing, or does it have a more
niche and different purpose?

~~~
Spearchucker
Palladium didn't die. It's the granddaddy of UEFI/SecureBoot.

~~~
pacaro
I worked on the Palladium/NGSCB team from 2002 to 2005 - ultimately the team
shipped BitLocker in Vista, but approx half of the team were siphoned off in
(IIRC) 2004 to work on Hypervisor so the engineering effort ended up
contributing to two pretty important OS features.

------
lectrick
I thought this was an amazing paper when it came out, especially considering
its source. And it's still amazing.

------
shmerl
It's time for industries to wake up and to ditch all kind of content DRM
altogether.

