Open Source DRM Solutions?

Posted by kdawson on Tue Jan 22, 2008 12:28 AM
from the using-the-force-for-good dept.
Feint writes "I'm working on a business platform for inter-company collaboration based on an open source software stack. As part of that platform I would like to integrate some sort of digital rights management for the documents in the system. The vast majority of articles about DRM are focused on how good or evil it is to apply DRM to digital music or video. I haven't seen many articles address open source solutions for protecting business data like CAD / MS Office / PDF / etc. documents, which is a real need in business today. Can the Slashdot readership suggest some open source DRM offerings other than the Sun DReaM initiative, which hasn't had a release since Jan. 2007?"
  • We call it... (Score:5, Informative)

    by Anonymous Coward on Tuesday January 22 2008, @12:32AM (#22134074)
    Public key cryptography. It won't protect work from being copied, but that's an endless battle anyways until the trusted computing platform is mainstream.
    • Re:We call it... (Score:5, Insightful)

      by asuffield (111848) <asuffield@suffields.me.uk> on Tuesday January 22 2008, @04:54AM (#22135560)

      but that's an endless battle anyways until the trusted computing platform is mainstream


      "trusted computing" nonsense won't change anything. It's just another pile of inconvenience for the paying users that will be snipped out entirely for the bittorrent version. Sony and Microsoft have been doing their best to build tamper-proof encryption-based hardware systems (playstation and xbox series), and they're all defeated by a modchip soldered onto the motherboard - you let the tamper-proof hardware do its thing and decrypt the data, then you snoop the data right off the memory bus on its way back from the chip.

      Hardware is no harder to attack than software, it just needs different tools. DRM cannot ever work.
      • Re:We call it... (Score:5, Interesting)

        by DHalcyon (804389) <lorenzd AT gmail DOT com> on Tuesday January 22 2008, @07:25AM (#22136294)
        Additionally, at some point, people will just not put up with that nonsense anymore - with HDDVD players refusing to work with projectors or whatever because one little detail in the HDCP chain isn't exactly right, and other horror stories like this.

        The alternative is easier nowadays: Piracy - It Just Works. With sites like ThePirateBay and easy to use Bittorrent clients like uTorrent and the likes, and with fast net connections, pirating HD content is seriously becoming easier for average users than getting it in a legit way.
          • Re:We call it... (Score:5, Insightful)

            by div_2n (525075) on Tuesday January 22 2008, @10:16AM (#22137264)
            There is a fundamental technical problem with DRM which can't be solved that others have said before in various forms, so I can't claim this as my own:

            Encryption is all about securing data so you can send it safely from A to C without B being able to read it. The problem with DRM is that B and C are the same person.

            This reality will _never_ change despite what technology is being used. In order for our senses to comprehend the signal or heck even if it were sent as a direct data stream to our brain--the man in the middle is us and we can, if we so choose, mold that stream into whatever we want.
  • by Anonymous Coward on Tuesday January 22 2008, @12:33AM (#22134076)
    No.
  • I'm sure we could (Score:5, Interesting)

    by Improv (2467) <pgunn@dachte.org> on Tuesday January 22 2008, @12:33AM (#22134084) Homepage Journal
    I'm sure some of us could, but why would we want to? Design our own prison? Encumber data? Stop whistleblowers?
    • Real World Scenarios (Score:5, Interesting)

      by chill (34294) on Tuesday January 22 2008, @03:02AM (#22135032) Homepage Journal
      Make absolutely certain the drawings being used on the production floor are the correct revision. I mean on terminals on the line. And make sure no one printed a copy for "convenience".

      I.E. - Engineers and CAD designers are the only ones that can see pre-production drawings. Pre-production drawings are not accessible from line terminals, only engineering or conference room workstations. Line terminals can not print drawings, though they can print some other things. Line terminals and assembly people can't even open non-production documents.

      Considering many electronics assembly shops have people on staff that used to (like, last week) work for a competitor, the possibility of moles is real. So, prevent documents from being opened by non-authorized personnel. Prevent drawings from being printed, copied to removable media, etc.

      I've had to deal with all of that in a manufacturing environment.
  • Hey, Guys! I want some help too!

    Do we have open-source Tasers? I'm also after open-source software to rig voting machines.

    I look in freshmeat and SourceForge - but they mostly seem to be oriented to freeing people, not locking 'em up.
  • It's an oxymoron (Score:5, Insightful)

    by Kjella (173770) on Tuesday January 22 2008, @12:35AM (#22134096) Homepage
    If it's open source, you can change it thus disabling any protection it might offer unless it's some hardware-backed signing. The system isn't designed for it either, just removing all the ways you could dump the information anyway would be a big job. Just get Vista if you want an end-to-end DRM stack. In short, you want to give someone the DRM'd file, the instructions on how the DRM works and still want them to be unable to decode it on their own, bypassing any DRM? Not going to happen.
      • by msuarezalvarez (667058) on Tuesday January 22 2008, @01:22AM (#22134402)

        You are making the same mistake that people who insist on coming up with DRM schemes make...

        A DRM scheme is an attempt at giving someone the encrypted file and the decryption key, with the intent of protecting the content against that precise someone. GPG, on the other hand, is a scheme which attempts to protect the encrypted files from those who do not have the decryption key.

        It is not that difficult, really...

      • Re:It's an oxymoron (Score:5, Interesting)

        by david_thornley (598059) on Tuesday January 22 2008, @01:26AM (#22134432)

        DRM is a twisted variant of crypto. If Alice sends a message to Bob using GPG, Eve can't read it because she doesn't have the key. In this case, Bob is the intended recipient, and Eve is the unintended recipient. In the case of DRM, Alice encrypts software and gives it to Bob. So, if Alice doesn't give Bob the key, Bob can't use the software. If Alice does, then Bob can break the DRM, having both the key and the code.

        So, in DRM, Bob and Eve are the same person. DRM is not only socially undesirable, it's sexually perverse.

      • by cgenman (325138) on Tuesday January 22 2008, @02:07AM (#22134652) Homepage
        GNU Privacy Guard and TrueCrypt both work on a fundamental level because there is an asymmetrical informational pathway. A key piece of information is missing, which keeps the information locked away. Similarly, the person who has all of the information to decrypt the information is completely trusted.

        On a theoretical level, you can't both give an open-source program all of the information required to decrypt a stream, and still prevent it from decrypting the stream in ways that you don't approve of. The end user has all of the information required to have full control over the process.

        At some point hardware attachments may make open-source DRM possible by hiding some of the required information. Or we may reach some compromise of semi-open DRM. But until then, Open Source DRM appears to violate a fundamental law of information science, much like perpetual motion machines violate thermodynamics.

  • by robbak (775424) on Tuesday January 22 2008, @12:35AM (#22134102) Homepage
    You need to go find out what DRM is.

    DRM is about Alice/Bob/Eve cryptography where Bob and Eve are the same person. All DRM tries to work by hiding the Implementation - Universally, it fails.
    Open source is about revealing the implementation.

    OpenDRM. Just say Huh?!
  • by something_wicked_thi (918168) on Tuesday January 22 2008, @12:35AM (#22134106)
    DRM is security through obscurity. If you have the code, you can break any DRM, so there's no point in developing open source DRM. It's also why all DRM eventually fails.

    Use encryption if you want safety. But you still can't prevent the people who have legitimate access from doing whatever they want to the documents.
    • Use encryption if you want safety. But you still can't prevent the people who have legitimate access from doing whatever they want to the documents.

      Unless, and I think this is what he is after, you hire a group of armed commandos/Stallman look-a-likes (to keep it open source) to detail every end user of your media. With a gun to the head... making decisions about media becomes much more serious business.

      Open Source Stallman Commando: Don't even think about putting that in your shared folder! If this ends up on bittorrent, it's a 7.62mm round right to the groin!!!
      User: Oh my god... please don't kill me... (gets hit with the butt of the commando's rifle)
      Commando: One more word and I swear I pull the trigger!

      I'm not sure, but that may be the most workable DRM solution anyone has ever come up with.
  • RE (Score:5, Informative)

    by Anonymous Coward on Tuesday January 22 2008, @12:36AM (#22134116)
    I think the systems you're after are called Document Management Systems, like you'd find used for medical records under HIPAA.
    The only open source system I am aware of is OpenKM [http://www.openkm.com/].
  • by Weaselmancer (533834) on Tuesday January 22 2008, @12:36AM (#22134120)

    Most people smart enough to program such a thing are also smart enough to know it can never work. People who do create/sell/push drm solutions are selling snake oil.

    Your best bet is to use PGP and simply encrypt your data, and trade public keys with your intended recipients. And plan ahead - once someone can see it, assume they can always see it. The whole "revoking a key" bit is the snake oil part of DRM.

  • by Nemilar (173603) on Tuesday January 22 2008, @12:37AM (#22134122) Homepage
    For all those who are saying "open source DRM" is an oxymoron, they should have a look at OpenIPMP [mutableinc.com], which is an open-source DRM solution for video formats. So there is a precedent for this kind of thing, although it may not be widely adopted.
  • Yes, this exists (Score:5, Informative)

    by Geoffreyerffoeg (729040) on Tuesday January 22 2008, @12:46AM (#22134184)
    "DRM" is not the search term you want, though, and it is in fact not what you want for business documents. You just want to set up a public-key infrastructure (PKI) and make sure people protect their private keys. This can be done by OpenPGP, GnuPG, etc.

    DRM makes it hard for people to leak a file. It does not spend very much effort, if any, on authenticating the initial owner of the file (for example, anyone who picks up a DVD can play it, although they can't copy it to a new DVD). In a business environment, you're usually far more worried about authenticating the file's recipient and making sure the original does not accidentally reach anyone else's computer, than about preventing a cooperative person from intentionally leaking the file. (In most cases, you do want to permit them to print, copy-and-paste, etc. the document. These would all be prevented by DRM because they all make it easy to leak the file.)

    The other failing of DRM, as I'm sure you've seen discussed, is that it's crackable by mere cleverness. If you're going to permit someone to view a file on screen (or hear an audio clip over headphones), you can always take a screenshot (or recording) and leak that. HDCP and so forth make the screenshot harder, but nothing prevents you from pointing a camera at the TV. It will be low quality but it will be a leak. PKI, on the other hand, is only crackable by brute-force searches of the key space, or (unlikely though possible) sufficiently smart mathematicians.
  • DRM in a nutshell... (Score:5, Interesting)

    by evilviper (135110) on Tuesday January 22 2008, @12:52AM (#22134234) Journal
    DRM depends on proprietary software. You are encrypting a file, then giving the user the key to decode it, while telling the program in question to decode the file, but only allow it to be used in one of a few ways (eg. display PDF, but don't print).

    Such a system is untenable with proprietary software (just need to find the right memory address), and absolutely impossible with open source software, as you can simply remove the line in the program that tells it what actions not to allow. (See xpdf). With proprietary DRM systems, the companies just hope it's difficult enough to decipher the compiled code of the proprietary programs, that it takes a while before someone finds the right spots in memory to probe/change, and publishes the details... Then, they make trivial changes to the DRM system, and call it a new, "fixed" version that everyone should start using quickly (before someone figures it out).

    The only thing DRM can do effectively, is to prevent the first opening of the file. After you send that first key (eg. via server), no matter what the DRM involved, the user can (trivially) strip the DRM off, and do whatever they want with the unencrypted file.

    If that is what you want... I would suggest using public-key encryption to protect the file instead of a commercial "DRM" system. Either PGP or SSL (keys in combination with a password) can make absolutely sure only the intended recipient can make use of the file, even if others obtain copies of it. If you are expecting any more control over what others do with the file, you are simply denying reality.

    All that said, here is one open source DRM system: http://www.sidespace.com/products/oggs/ [sidespace.com]
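The scheme described in the comment above (encrypt the file, hand over the key, let the program restrict use), as an added example that is not code from the thread or from any DRM product. It is a toy container in Python with a stand-in cipher built from HMAC-SHA256; the names `seal`, `decrypt` and `viewer_print` are hypothetical, and the sample document and keys are constructed.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    # Toy keystream (HMAC-SHA256 in counter mode): a stand-in for a real cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"ks" + nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _tag(key, box):
    # The MAC binds the policy to the ciphertext, so only a key holder can alter it.
    msg = json.dumps(box["policy"], sort_keys=True).encode() + box["nonce"] + box["ct"]
    return hmac.new(key, b"tag" + msg, hashlib.sha256).digest()

def seal(key, document, policy):
    """Publisher: encrypt the document and attach the usage policy."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(document, _stream(key, nonce, len(document))))
    box = {"policy": policy, "nonce": nonce, "ct": ct}
    box["tag"] = _tag(key, box)
    return box

def decrypt(key, box):
    """The cryptographic boundary: succeeds for any key holder, fails for everyone else."""
    if not hmac.compare_digest(_tag(key, box), box["tag"]):
        raise ValueError("wrong key or modified container")
    return bytes(a ^ b for a, b in zip(box["ct"], _stream(key, box["nonce"], len(box["ct"]))))

def viewer_print(key, box):
    """A cooperating viewer: 'no print' is a branch in the client, not cryptography."""
    if not box["policy"].get("allow_print", False):
        raise PermissionError("printing disabled by policy")
    return decrypt(key, box)

def _attempt(fn, *args):
    try:
        fn(*args)
        return "ok"
    except (ValueError, PermissionError) as exc:
        return type(exc).__name__

def demo():
    recipient_key, outsider_key = os.urandom(32), os.urandom(32)  # constructed keys
    box = seal(recipient_key, b"Drawing rev C (constructed sample)", {"allow_print": False})
    return {"outsider": _attempt(decrypt, outsider_key, box),
            "viewer_print": _attempt(viewer_print, recipient_key, box),
            "key_holder_plaintext": decrypt(recipient_key, box)}
```

`demo()` reports the outsider rejected by the key check, the cooperating viewer refusing to print, and the key holder's plaintext returned without the policy being consulted. When planning document access control, only the first of these is a guarantee.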
    • by Ayanami Rei (621112) * <rayanami.gmail@com> on Tuesday January 22 2008, @01:50AM (#22134568) Homepage Journal
      ... I suggest you put your wallet back in your pocket, and don't spend any more money on consultants, software, or IT staff hours spent configuring the free and non-free stuff in furtherance of your goals.

      Instead you should save your money and hire a lawyer instead who will draft up NDAs for you to have people sign in order to protect those documents/secrets you want tightly controlled.

      Technical solutions will not cut it. They never will. You are throwing your money away.

      Hire a lawyer, and only give the documents to people who ABSOLUTELY need it and is worth the time to get contracts involved with.
  • by Zombie Ryushu (803103) on Tuesday January 22 2008, @12:58AM (#22134264)
    We have had this discussion. There is no legitimate use for DRM. It has no right to exist. I have told people this before. DRM does not improve the security of corporate networks. That's not what it is meant to do. DRM has just one purpose: to deprive people of the right to use the computers they own as they see fit. Securing documents and sensitive company data is to use good security practices. IPSec, Kerberos, PKI, that kind of thing.

    Point. Learn good computer security practices.

    I want DRM to disappear from this world forever.
  • by jddj (1085169) on Tuesday January 22 2008, @01:01AM (#22134290)

    Here's what's become my business-side take on DRM: don't bother.

    DRM systems set the bar too high for honest users who just need to get some work done, and too low for malicious users.

    Corporate espionage in mind? Just make screen-captures. That won't work? Digital camera, anyone?

    You can't make it work, principally because there's no way to both show and not show the same document to an end user. The security is only as good as your trusted users are.

    You can also appeal to reason on financial grounds: the Hollywood studios are extremely motivated to make DRM work, have poured in millions and haven't hit on anything at all that prevents piracy.

    If they can't do it, you probably can't either, and should probably focus on differentiating your content by making it sticky and extremely easy to use.