The DRM Scorecard

An anonymous reader writes "InfoWeek blogger Alex Wolfe put together a scorecard which makes the obvious but interesting point that, when you list every major DRM technology implemented to "protect" music and video, they've all been cracked. This includes Apple's FairPlay, Microsoft's Windows Media DRM, the old-style Content Scrambling System (CSS) used on early DVDs and the new AACS for high-definition DVDs. And of course there was the Sony Rootkit disaster of 2005. Can anyone think of a DRM technology which hasn't been cracked, and of course this begs the obvious question: Why doesn't the industry just give up and go DRM-free?"

Geeks do- everyone else doesn't.

[Atlantis-Rising (857278)]

Just because the ability exists to crack it, doesn't mean that the average Joe on the street can do so.

It discourages casual copying, nothing more, but I can't imagine it was intended to do any more. Nobody's that stupid.

Re:Geeks do- everyone else doesn't.

[QuantumG (50515)]

Music execs are.

Re:Geeks do- everyone else doesn't.

[Atlantis-Rising (857278)]

Never assume stupidity for what can be explained as malice.

To do otherwise is naive at best.

Re:Geeks do- everyone else doesn't.

[QuantumG (50515)]

No, they really are dumb.

"You mean you can supply me with uncrackable protection from unauthorized copying?"

"That's right!"

"Wow, and I don't really understand all this stuff, but when it gets cracked later this month I'll keep sending you your checks."

Re:Geeks do- everyone else doesn't.

[Atlantis-Rising (857278)]

That's a naive view. Even if they believed that the first time, (which anyone with a little common sense would not have), it's even less likely they believed it the second, or the third, or the fourth time.

Given that assuming everyone in the entire media industry has the combined intelligence of a bowl of fruit is irrational and unreasonable, malice (although not exactly the "Buwahahaha evil" type of malice) is the most reasonable explanation.

Re:Geeks do- everyone else doesn't.

[bersl2 (689221)]

No, I think that the reason they keep doing this is economic.

If they determine that the cost of adding DRM (licensing fees, lost sales, etc.) is less than the benefit (more legal purchases in place of casual copying), then they can say that DRM helps them (in the short term). I think that they have believed this to be the case.

Re:Geeks do- everyone else doesn't.

[bendodge (998616)]

Someone older and wiser once told me that, "Locks keep honest people honest."

Re:Geeks do- everyone else doesn't.

[someone1234 (830754)]

DRM keeps honest people frustrated, pirates rich (those who sell cracked stuff to Average Joe), and the RIAA look stupid.

Keys work locks

[Don_dumb (927108)]

Locks are a good way to keep honest people honest, but they should be simple and unobtrusive. The reason why we have key locks on our front doors instead of complicated biometric systems (this may be the wrong audience for this comment) is that they are simple, cheap and less prone to failure.

Remember the front door is public, the lock is public but only the owners have the key. The front door system works because not everyone who can get to the door has the key. DRM simply doesn't work because you have the content, the lock and the key.

Re:Geeks do- everyone else doesn't.

[Opportunist (166417)]

I don't think it's stupid as in having the intelligence of a slightly age slice of toast. It's more allowing themselves to be BS'ed.

Here's music exec Joe Shmoe. He's fairly intelligent when it comes to business related topics. He has a masters in BA. He doesn't understand jack about all that computer stuff, but that's not his biz. His biz is music.

Then here's Alex. He may or may not have a degree, but he sells Joe the DRM tools for his music. He knows both, commerce and computers.

Joe realized that Alex' DRM tools were cracked. Alex knows that too, and he knows well that the spin of "we make it uncrackable" doesn't hold water. But he also knows how Joe thinks. His selling strategy thus is:

1. Cracking DRM is another burden, which keeps a few more people from copying.
2. Cracking DRM has been made illegal, which keeps another few more from copying.
3. Our DRM solution costs less than the losses due to illegal copying.

Joe understands that. And thus Joe buys.

Re:Geeks do- everyone else doesn't.

[shark72 (702619)]

That's an interesting viewpoint.

Are you also of the opinion that auto industry executives hold the naive view that auto theft-deterrent systems are infallible?

When I first got into the Apple warez scene in the early 80s, I asked somebody older and wiser why, say, they bothered to put copy protection on Wizardry when clever guys like me could easily crack it.

"Because," he pointed out, "if the copy protection prevents just one person from copying it, it's done its job."

And that's why copy protection on CDs and DVDs exists today: to deter casual copying. Much to their disadvantage, most people out there just aren't as technically adept as Slashdot readers.

Can you clarify why you believe that folks who use DRM don't understand this? It requires quite a stretch, but if you think you have solid evidence, I'd like to hear it.

Re:Geeks do- everyone else doesn't.

[QuantumG (50515)]

I'm a reverse engineering guy. I can and have cracked programs. Do I still do this? No. Because there are people out there who have a whole lot more fun doing it than I would.. so I just use their stuff. Same with DVD copying. You don't have to be "skilled" to use DVD Shrink.. in fact, it's trivial, and millions of people do.

So take this "deter casual copying" crap and smoke it. If the residents of MySpace can work out how to copy and trade DRM'd stuff then anyone can.

Re:Geeks do- everyone else doesn't.

[ubermiester (883599)]

The question is not whether people can do it, its a matter of whether they actually will.

To get DRM-less content, they need to:

• know that a crack exits
• know how to get it
• khow how to use it
• AND...feel as though it was really worth it to go through all that trouble so they can avoid paying for someone else's work.

Each step filters people, and those people pay. Simple as that.

The real question is how long the RIAA will take to realize that there are alternatives to this model.

Re:Geeks do- everyone else doesn't.

[QuantumG (50515)]

You're assigning your motives to others. The majority of people don't copy to avoid cost. They copy because of the social good it does. Your friend likes a song/movie/game, you offer "I'll make you copy", now both you and your friend can enjoy the song/movie/game.

Re:Geeks do- everyone else doesn't.

[FooAtWFU (699187)]

Are you also of the opinion that auto industry executives hold the naive view that auto theft-deterrent systems are infallible?

Some car insurance companies hold this viewpoint, officially. It lets them get away with paying fewer claims one way or another. "But your car couldn't have been stolen, you must have been negligent and left the keys in." Or something to that effect.

Re:Geeks do- everyone else doesn't.

[Fordiman (689627)]

""Because," he pointed out, "if the copy protection prevents just one person from copying it, it's done its job."

And that's why copy protection on CDs and DVDs exists today: to deter casual copying. Much to their disadvantage, most people out there just aren't as technically adept as Slashdot readers."

'Cept most are adept enough to just download a copy from someone whose already cracked and transcoded it.

Re:Geeks do- everyone else doesn't.

[by Anonymous Coward]

"Just because the ability exists to crack it, doesn't mean that the average Joe on the street can do so."

Ummmm, lets think about that:
1) It only takes ONE person to "crack" and copy music, a movie, etc. and make it available to all the average Joes.
2) It only takes ONE person to create a patch or an app and every average Joe can use it.

Where do these newbies come from on here? Sheeez.

Re:Geeks do- everyone else doesn't.

[Atlantis-Rising (857278)]

I realize that. That was not the point.

The point was that the RIAA/MPAA is taking a dual-pronged approach, as is visibly obvious- they are targeting torrent sites with an offensive barrage of lawsuits to prevent downloading and they are targeting the media with an offensive barrage of DRM to prevent casual copying which is decentralized and untraceable.

Is this approach effective? To some degree, yes, it is. Will it ever be 100% effective? No, it will not.

Re:Geeks do- everyone else doesn't.

[QuantumG (50515)]

Maybe you haven't been paying attention, but the RIAA/MPAA are losing.

Re:Geeks do- everyone else doesn't.

[imtheguru (625011)]

Mod parent up.

This is indeed the root of any high-distribution system and is applicable to several domains--piracy, drugs, airborne diseases. It only takes one copy on a viable transmission medium to start the ball rolling.

All bank vaults and locks have also been cracked

[EmbeddedJanitor (597831)]

There is no uncrackable security technology. This does not make them worthless.

A mechanism that is difficult to crack (whether that is a physical lock or DRM or password) makes it harder for the cracker and reduces the likelihood of someone actually doing the cracking. That removes casual crackers from the equation.

It also makes the cracking act more deliberate and makes it far harder for someone to claim: "That diamond got in my pocket.... I just found it on the sidewalk and thought it had been thrown out." or "Oh that music on my MP2 player... I thought it was free!"

Re:All bank vaults and locks have also been cracke

[langelgjm (860756)]

Oh that music on my MP2 player.

Was someone a little strapped for cash?

Re:All bank vaults and locks have also been cracke

[danpat (119101)]

Unfortunately, the analogy doesn't quite hold. Breaking into bank vaults is more like performing a brute force attack on a DRM scheme, every time you wanted to break it. DRM schemes don't work like that. Typically once a scheme is compromised, it becomes possible for anyone subject to it to break it almost instantly. All it takes is for someone to write a quick tool that automates the cracking process and all the barriers presented by the DRM scheme pretty much fall away.

I'd say that DRM schemes are like having one giant bank vault. Yes, it will eventually get compromised, and once it is, everything inside is trivial to take.

This is called "the Smart Cow problem"

[Spy der Mann (805235)]

From Wikipedia [wikipedia.org]:

The Smart Cow Problem describes the method by which a group of individuals, faced with a technically difficult task, only requires one of their number to solve the problem. Having been solved once, an easily repeatable method may be developed, allowing non-technically proficient entities to accomplish the task. The term Smart Cow Problem is thought to be derived from the expression: "It only takes one smart cow to open the latch of the gate, and then all the other cows follow." [1]

This has recently been applied to Digital Rights Management (DRM), where, due to the rapid spread of information on the internet, it only takes one individual to defeat a DRM scheme to render the method obsolete. [2]

      1. ^ http://www.wired.com/news/business/1,60901-0.html [wired.com] Buck a Song, or Buccaneer? , retrieved 2007-02-13
      2. ^ http://www.wired.com/news/digiwood/0,1412,67556,00 .html [wired.com] Give Your DVD Player the Finger, retrieved 2007-02-13

Re:All bank vaults and locks have also been cracke

[Nazlfrag (1035012)]

Even given the proper tools, it's a major pain in the arse for Joe Blow to decrypt CSS for example. The average consumer has trouble burning a data CD, let alone decrypting and copying DRMd content. It doesn't stop him downloading the divx torrent though, so I guess the bank vault is open even if just a fraction actually do the crack.

Fundamentally, you're spot on. It is a hell of a lot worse than bank vault security. You can't have the party it's secured against also the one it decrypts for. It just makes no sense! All DRM is crackable by definition, they know this, they just want to make it as much of a hassle as possible.

Re:All bank vaults and locks have also been cracke

[Eravnrekaree (467752)]

I dont like the analogy of a bank vault at all. Its not like people are breaking into a video store and stealing videos. These are usually people who have lawfully purchased a video and want to use it for their own private purposes but this has been restricted by DRM. DRM circumvention is often an attempt for a consumer to simply use something they legally purchased for their own private use, such as making back up copies or playing it on their computer, or copying to their ipod. I dont see any problem with that unless they are distributing it to others, Once a person has legally obtained some work, it should be theirs to do as they please with it for their own private use.

We already have copyrights to protect the producers of works. DRM is going too far as it restricts the users rights to use something for their own private use, for which they have legally purchased.

Re:Geeks do- everyone else doesn't.

[mark-t (151149)]

And the irony of all this is that the industry isn't even hurt by typical casual copying, which is often be done for the private use of the copier anyways.

Re:Geeks do- everyone else doesn't.

[langelgjm (860756)]

It discourages casual copying, nothing more, but I can't imagine it was intended to do any more. Nobody's that stupid.

Of course not. That's why the MAFIAA and similar parties use the legal system to fill the holes that technology can't. If you can't actually stop everyone from doing it, simply make it illegal, and sue anyone who gets past the initial hurdles.

DRM and IP law, the technological and the legal - the two work in tandem, but I would say that the end goal is perfect control over content. Anything less than perfect control is, after all, simply an unexploited opportunity for profit.

The only thing not cracked yet...

[Iphtashu Fitz (263795)]

Frivolous lawsuits. Until the RIAA finally realizes that its lawsuit tactic isn't working it's the only attempt at DRM that hasn't been made completely useless yet. Unfortunately I don't see that happening unless/until they lose bigtime in multiple court cases.

You mother fuckers are pissing me off

[by Anonymous Coward]

I have this massive pile of digital rights that I really need to manage. Yet every fucking piece of management software I download has been hacked. There's not even any patches for this shit. How the fuck am I, as a concerned citizen, supposed to manage my rights?

Re:You mother fuckers are pissing me off

[v1 (525388)]

you're trolling, but with a valid point. The bottom line is that the idea itself is fundamentally flawed. You cannot give the public limited access to information that requires their full access (however carefully managed you make it) without making it vulnerable to defeat. The only true three purposes at this point are (1) to make casual infringement difficult enough to be inconvenient, (2) to prevent use of IP in a way that you really don't feel like letting them use it, and (3) to give them a legal defense. (if you fail to defend your IP you tend to lose it in court)

They know how evolution works. The most draconian systems they come up with today will be childs play eight years from now. So in reality, for as nasty as they look now, they will be almost pointless 10 yrs from now. (look at CSS...) So what they're doing now really this isn't any worse than CSS was when it was made, relatively speaking. Six years from now we will look at this and yawn, as we feed a spindle of old blue rays into a reader (at 25 seconds each) and download our entire collection to our data cube.

The only thing really not broken... yet

[Actually, I do RTFA (1058596)]

Is Blueray. That's going to last another decade.

DRM isn't supposed to be foolproof

[cavetroll (602361)]

The point of DRM isn't to hinder in any noticeable way the large groups that are responsible for most of the copyright infringement that takes place, rather the aim is to annoy and infuriate the average 'consumer' to the point where needlessly buying extra copies of $ITEM is the path of least resistance.

The same effect has been observed in software for years, Windows XP had an activation thing built in, anyone who knew what they were doing would bypass it, anyone who didn't (and didn't know anyone who did) would eventually go and buy superfluous copies of software they already owned.

Bad arguments and bad reasoning

[timholman (71886)]

Okay, let's try Alex Wolfe's argument in a different context:

"When you list every major law implemented to "protect" life and property, they've all been broken. Can anyone think of a law which hasn't been broken, and of course this begs the obvious question: Why doesn't society just give up and go law-free?"

DRM doesn't have to be perfect to do its job, anymore than law enforcement has to be "perfect". It just has to be effective enough to keep Joe Average from copying the file. Whether or not DRM is actually "good" or "bad" for media producers is a completely different argument, but Wolfe's sophomoric reasoning does nothing to address it.

Re:Bad arguments and bad reasoning

[Braino420 (896819)]

"When you list every major law implemented to "protect" life and property, they've all been broken. Can anyone think of a law which hasn't been broken, and of course this begs the obvious question: Why doesn't society just give up and go law-free?"

Oh what is this, a law analogy? What are you new here? Nerds don't understand laws, they understand cars. Watch and learn:

When you list every major car safety feature implemented to "protect" life and limb, they have all failed. Can anyone think of a car safety feature which hasn't failed, and of course this begs the obvious question: Why doesn't society just give up and go seatbelt-free?

DRM is doing it's job

[dirk (87083)]

No one ever expected DRM to stop all copying. That was never it's purpose. The purpose of DRM was to curb copying, which it has done. Everyone realizes there will always be a way to get around DRM (or anything else really) if you really want to. But if you can implement DRM and stop 50% or 75% of copying, that is a big improvement. That is exactly what they did. They implemented a solution that will reduce copying by the average person, which means more money in their pockets since less people are copying CDs and giving them to friends (and no, I'm not claiming every person who copied a CD would go and buy it, but certainly some of them will).

DRM works under the same concept as locking your car. IF someone really wants in, they will get in. But it certainly cuts down on the casual person who will take an easy opportunity, but doesn't care enough to put in the effort to get around the measures you put in place.

Cable HDTV DRM

[nukem996 (624036)]

Last I looked Cable HDTV DRM still hasn't been cracked which sucks if you want to use a myth box. You can only get an HDMI with HDCP signal out which I also don't think has been cracked. I really hope they do crack it so I can watch the HDTV that I pay for on my computer whenever I want. As a side note I once talked to my friend(who works for comcast) about driving a GNU/Linux driver for the CableCard. He told me it would be hard and was 100% sure we would be taken to court. The CableCard apparently looks to make sure the hardware using it is certified. Cracking that shouldn't be to hard but apparently the deal that at least comcast has with the content providers is that if there DRM is cracked they have 30days to fix it otherwise they have to recall all devices with the DRM capability and destroy them. Then they can issue new ones with newer DRM, otherwise they risk losing that content.

Re:Cable HDTV DRM

[afidel (530433)]

HDCP has been cracked but unless you have a display with DVI and no HDCP support it does you very little good. The problem is the HDCP protected signal is a full bandwidth signal, not the compressed OTA or disk steam, and there is currently no system available that can really deal with capturing that much data in real time that is in the consumer price range.

Why DRM?

[Crypto Gnome (651401)]

DRM is just "an electronic lock".

There's a well known saying "Locks secure you against honest people" (or words to that effect).

The hard-core/organized/professional criminals have the skills, technology and motivation to bypass these "security measures".

Remember people, locks aren't about making you secure, they're about making you FEEL secure.

s/locks/airport security screening procedures/
s/locks/the department of homeland security/ (well, that and political empire-building and creating a police-state by stealth)

Smokey The Bear Says: Only YOU can prevent the violation of your civil rights "in the interest of National Security".

Certainly there are some things which come to mind

[zuki (845560)]

Perhaps this has already been mentioned, but the dongle systems that protect many Mac music applications and plugins seem to have held up so far, as in either iLok [ilok.com]
or some of the Synchrosoft dongles. Logic Pro 7 is not really something that has been cracked yet either, to my (admitedly limited) knowledge.

From what I recall reading, when H2O did manage to [k] Nuendo, it took them so long that I think they said
they were not going to bother doing it more, as the process was just too annoyingly time-consuming.

Theoretically, these systems could probably be made to protect anything which is a software-based application. Not sure if this qualifies as DRM, rather than just some 'copy-protection'
technique but certainly it has helped ensure that many small developers of quality audio plug-ins survive because their creations cannot be cracked.

Z.

A Long-Standing Illusion

[ewhac (5844)]

Copy protection systems have been around a lot longer than the recent crop of Defective Recorded Media would suggest.

There's only one copy protection system I know of that hasn't been (meaningfully) cracked, and that's MediaCipher, created by Motorola for the cable TV crowd. Ironically, it was one of the first ones ever created. (Of course, it helps that the boxes implementing MediaCipher are only rented -- never sold -- to end-users.)

Copy protection next showed up in a major way for computer games, most notably for the Apple ][ computer. This fetish briefly spread into applications software as well as games, until the users thundered, "No Fscking Way." It took about four to six years for this to shake out.

Despite the fact that there is no conclusive evidence that copy protection has any meaningful impact on sales, anti-copying measures are still used extensively, but by no means universally, throughout the games industry. In particular, Unreal Tournament's initial anti-copying measures are little more than perfunctory, and are later dropped entirely.

Near as I can determine, copy protection advocates claim as axiomatic that unsanctioned copying will depress sales to livlihood-threatening levels. They cleave to this axiom with a fervor usually associated with religious fundamentalists. However, every time this axiom is honestly examined, mitigating or even entirely contradictory evidence is discovered. Yet the myth persists.

It's not the technology we need to combat (since Turing proved it can never work). It's the defective thinking.

Schwab

Apple iTunes Video

[IdahoEv (195056)]

Last time I checked, you can strip the FairPlay DRM from iTunes music files pretty easily, but nobody has released a tool that does the same for video files purchased from iTunes.

So ya can't yet burn that episode of "Lost" you bought on iTunes to a DVD.

You know

[SoulRider (148285)]

one definition of insane is doing the exact same thing over and over and expecting different results.

To read my post

[Geekbot (641878)]

To read my post please enter the first word from pages 6, 27, and 32 from the manual.

The Answer: Greed Makes You Stupid

[rudy_wayne (414635)]

"this begs the obvious question: Why doesn't the industry just give up and go DRM-free?"

The entire entertainment industry is so consumed with greed that they are no longer able to think clearly. The failure of DRM is so painfully obvious, but the MPAA, RIAA, BSA, etc. are so blinded by greed that they can't see it. To them, the failure of DRM is proof that they need bigger badder DRM along with bigger badder laws to punish people. This is what greed does to you.

The secret to success is simple: make a good product and sell it at a fair price. But when you are bkinded by greed and convinced that you're losing billions of dollars to "piracy", you think that the secret to success is to control your precious "intellectual property" with the most draconian iron-fisted methods possible.

It has nothing to do with content protection

[Groo Wanderer (180806)]

It is all about enforcing a monopolistic distribution channel, a walled garden. They are trying to get all of the pie, not just a chunk. I went into more detail here:
http://www.theinquirer.net/?article=29161 [theinquirer.net]

              -Charlie

Re:DirecTV

[Dun Malg (230075)]

I don't think DirecTV's DRM has been cracked since they replaced it a few years ago.

DirecTV encryption isn't classical "DRM". It's a live, encrypted delivery system rather than a chunk of data in a fixed medium, which makes it a moving target. It would be quite possible (though not exactly trivial) to record a given segment of the data stream and hack the particular key used to encrypt it, thus "breaking the DRM" on that particular block of content. This could not be done in a timely enough manner (i.e. in real time) to make it worthwhile, though, which is why no one does it.

Re:HDMI

[sssssss27 (1117705)]

From Wikipedia:
"Cryptanalysis researchers demonstrated fatal flaws in HDCP for the first time in 2001, prior to its adoption in any commercial product. Scott Crosby of Carnegie Mellon University authored a paper with Ian Goldberg, Robert Johnson, Dawn Song, and David Wagner called "A Cryptanalysis of the High-bandwidth Digital Content Protection System". This paper was presented at ACM-CCS8 DRM Workshop on November 5, 2001.[1]

The authors conclude:

"HDCP's linear key exchange is a fundamental weakness. We can:

* Eavesdrop on any data
* Clone any device with only their public key
* Avoid any blacklist on devices
* Create new device keyvectors.
* In aggregate, we can usurp the authority completely."

It must be noticed, however, that for this attack you first have to break Blom's scheme (the linear algebra based key exchange system). In the case of HDCP you need a minimum of 39 device keys in order to reconstruct the secret symmetrical master matrix that has been used to compute all device keys.

Around the same time that Scott Crosby and co-authors were writing this paper, noted cryptographer Niels Ferguson independently claimed to have broken the HDCP scheme, but he did not publish his research, citing legal concerns arising from the controversial Digital Millennium Copyright Act [1].

The most well-known attack on HDCP is the conspiracy attack, where a number of devices are compromised and the information gathered is used to reproduce the private key of the central authority.

The Alice and Bob analogy

[Spy der Mann (805235)]

No, it's flawed because it CAN be cracked easily: The decrypting key is in the firmware contained in your DVD player.

In cryptography, we have an explanation using Alice and Bob [wikipedia.org]. Alice is communicating with Bob, while Eve (eavesdropper) tries to decrypt the message. Alice and Bob have the key to decipher the message, but Eve doesn't. She wants to decrypt the communication *without* the key.

A --- E --- B

Alice in this case, is the Digital Media producer (or encrypter), and B is your DVD. You're Eve. The problem with DRM is that Eve *HAS* the key. By cracking the DVD software (some disassembly, debugging and you're done), Eve can obtain the key from Bob.

A --------- B E

This is the problem with DRM. It's flawed by design. The DMCA is a legal "patch" to this algorithm, punishing Eve if she gets the key from Bob. The problem with DMCA is that the punishment doesn't apply to all countries, and trying to enforce it results in attacking freedom of speech.

Re:Locks are for Honest People

[tkrotchko (124118)]

"They give people who know what is right permission to do the right thing."

George Orwell just called and said he owns the IP to "newspeak", and he's giving you permission to do the right thing and stop stealing it.