
What is DRM doing in my garage? - kmod
http://arstechnica.com/tech-policy/news/2009/12/what-is-drm-doing-in-my-garage.ars
======
ryanwaggoner
This article is really interesting. It made me think about something I was
reading yesterday and how these legal principles might apply.

Emotiv is about to release their epoc brain-computer interface headset that
uses EEG technology to attempt to divine intentions and emotions from thought
alone. It has 14 electrodes and costs $299. You can read more about it at
<http://emotiv.com>.

Anyway, the concept seems very interesting to me, and I was thinking it would
be cool to use it for research or to play around with the SDK that it comes
with. However, it turns out that the SDK only includes "interpreted" data from
Emotiv's software, not the raw EEG data. For that, you have to pay $7500 for a
license (or $2500 if you're a research institution), even though it sounds
like it's the exact same device.

IANAL, but this article makes it sound like it would not be illegal to buy one
and then circumvent whatever DRM scheme they've likely implemented to capture
the raw data and use it however you want. In particular, these two lines about
Lexmark's attempt to restrict 3rd party cartridges:

 _Because Lexmark's DRM only blocked access to the functions of the printer,
not access to any copyrightable code, the court was unwilling to give its
lockout behavior DMCA protection._

 _The judge concluded that "patent holders may not invoke patent law to
enforce restrictions on the post-sale use of their patented product. After the
first authorized sale to a purchaser who buys for use in the ordinary pursuits
of life, a patent holder's patent rights have been exhausted... Because
Lexmark's patent rights in its toner cartridges were exhausted by the
authorized, unconditional sales of the cartridges to end users, Lexmark's
attempt to impose single-use restrictions on the cartridges fails._

I'd love to hear what others think about the subject.

~~~
sireat
A friend of mine bought Emotiv SDK(the one with 16 electrodes) and mentioned
that they are being extremely protective/restrictive on what you can do with
the device (he also said it is very promising but the technology still needs a
lot of work).

What I suspect is that the device, if it could reach real mass-production,
would be very inexpensive to make, thus they are putting in all kind of
pitfalls to prospective competitors.

Not that one can blame them for being so protective, but it could backfire in
the long run, if a nimble competitor open sources most of the software and
focuses on hardware or at the very least, makes developers job easier.

------
jrockway
I think the article misses a critical point; to make a universal remote, no
copying of any copyrighted material takes place. To activate a garage door
opener, no copying of any copyrighted material takes place. So... copyright
law simply does not apply; no copying is happening!

(The reason that software EULAs are theoretically valid is because you are
making a copy of the computer program when you click the icon; from disk into
memory. Since this copying is theoretically illegal the EULA allows it if you
agree to certain conditions. I say "theoretically" because the law does not
say this anywhere, and no US federal court has ever upheld this. But when you
use a remote control to activate your garage door, there is no copying
happening, so this is completely irrelevant.)

So anyway, non-issue. You can say whatever you want in an instruction manual
-- but that doesn't mean it wouldn't be laughed out of court in 30 seconds if
you tried to enforce it. My advice is to not do businesses with slimy vendors
like this, however.

It is also worth noting that anyone who has ever been near a math textbook can
design an algorithm to make it impossible for burglars to execute replay
attacks on the garage door. The manyfacturer is trying to solve a math problem
with copyright law, which is dumb, plain and simple.

~~~
ryanwaggoner
I thought that was the exact point the article was making. For example:

 _In addition, Skylink argued that the rolling code was not DRM, since it did
not protect access to some copyrighted computer code but to "an
uncopyrightable process" (the opening of a garage door)._

and:

 _By way of example, DVDs marked 'for home use' or 'non-commercial private use
only' are not legally restricted as such. Unless there is a contract, those
representations are not true. A given use, e.g., classroom showing, is
permitted or infringing depending on copyright law, not what is printed on the
packaging—unless there is a contract including that restriction. Rightsholders
still print such claims on the packaging, however. They might as well print
that infringers are obligated to forfeit their first-born child."_

~~~
jrockway
Hmm, must have skimmed past that...

------
stcredzero
The garage door opener in question is _weak_. It has rolling codes to deter
replay attack, but its behavior in "resynch" mode is a classic example of
security by obscurity: "Send two incorrect codes, then another off by three."

If you're going to have a protection against replay attacks, why are you going
to have a resynch scheme so vulnerable? This may or may not not be vulnerable
to replay attacks, but it sounds like something kids would use to authenticate
entry to a treehouse!

This is especially sad, since freely available block ciphers could do a fine
job with a challenge-response protocol, and wouldn't require a resynch
function. One could assume that both the opener and the remote are securely in
the hands of the owner, so both could be programmed with the same secret key.

Even without challenge-response, a more robust protocol should be possible
with a little memory and a time stamp. Just keep a list of last few day's
successful attempts, and don't accept any already sent. The encrypted hourly
time stamp would be incorporated into the encoded passphrase, and a passphrase
from the hour before or hour after would be accepted. A passphrase might
consist of a number appended to it's inverse, appended to the timestamp.

The attacker cannot overrun the successful attempt record, because she cannot
produce a new successful attempt without the symmetric key, and replaying the
old one doesn't do anything.

To make this proof against losing the time synch, just do two things: 1) have
the opener adopt the timestamp of the last successful attempt and 2) provide a
time-resynch passphrase, which is activated by a different button, and which
also results in a "already used" record in the case of a successful attempt.

EDIT: It's gotten to the point that I can imagine the lack of an idiotic law
like the DMCA could be a _strategic advantage_ for some other country, which
will result in far greater technical innovation. (China, perhaps?)

