Open Source DRM Solutions?

Feint writes "I'm working on an business platform for inter-company collaboration based on an open source software stack. As part of that platform I would like to integrate some sort of digital rights management for the documents in the system. The vast majority of articles about DRM are focused how good or evil it is to apply DRM to digital music or video. I haven't seen many articles address open source solutions for protecting business data like CAD / MS Office / PDF / etc. documents, which is a real need in business today. Can the Slashdot readership suggest some open source DRM offerings other than the Sun DReaM initiative, which hasn't had a release since Jan. 2007?"

We call it...

Public key cryptography. It won't protect work from being copied, but that's an endless battle anyways until the trusted computing platform is mainstream.

This coward is correct!

Public key is the way to go. Place the keys on smart cards or smart USB keys. Encrypt files individually, not just as volumes. OK, it'll be a pain in the ass. Maybe PGP Enterprise will help?

Re:We call it...

but that's an endless battle anyways until the trusted computing platform is mainstream

"trusted computing" nonsense won't change anything. It's just another pile of inconvenience for the paying users that will be snipped out entirely for the bittorrent version. Sony and Microsoft have been doing their best to build tamper-proof encryption-based hardware systems (playstation and xbox series), and they're all defeated by a modchip soldered onto the motherboard - you let the tamper-proof hardware do its thing and decrypt the data, then you snoop the data right off the memory bus on its way back from the chip.

Hardware is no harder to attack than software, it just needs different tools. DRM cannot ever work.

Re:We call it...

You're being highly inaccurate. Your definition of "work" is "work perfectly". This is not the aim of DRM. DRM aims to make it difficult to copy stuff around.

I'm not aware of a mod-chip for the PS3. Your summary of how mod-chips work is incorrect anyway. And there isn't an off-chip bus carrying unencrypted data around on a real TCP. Get a clue.

Sure, maybe a million-dollar lab can open the chip inside a suitable vacuum and snoop the internal busses; for most people that's out of range, and the kind of people who run million-dollar labs don't tend to allow their use just to warez the latest game.

There's a clear economic message here - can you see it yet? When the cost of breaking DRM is higher than the profit to be made, DRM wins. It doesn't have to be perfect.

Now get with the program - DRM is a clear and present danger to our way of life. Don't sleepwalk into it.

Re:We call it...

The problem with DRM is that it is a narrow technical solution to an wide ranging, largely non-technical, problem.

There's a clear economic message here - can you see it yet? When the cost of breaking DRM is higher than the profit to be made, DRM wins. It doesn't have to be perfect.

Well it allows DRM vendors to sell DRM systems. The technical difficulty of breaking DRM has to be higher than the average executive at a record company.

However, there are at least four aspects to the problems for DRM to actually work as you have described, i.e. as 'resistance' that stops the kids from copying enough for them to get on the bus, queue at a checkout and go home again.
1. Politics: The majority of people don't believe in the propaganda of the content industries. Even those that think they do, don't appear able to act on their beliefs.
2. Communication: You only have to break it once, then the means of circumvention can be spread at the speed of Ethernet.
3. Physics: It is harder and slower to build and deploy restrictions than destroy them.
4. Sociology: The productivity of a grown-up working in an office with paperwork, clocking out at 5, family commitments etc, is far lower than some dedicated student working 24 hours per day to get their Blue-ray player to 'work'.

Re:

Well it allows DRM vendors to sell DRM systems. The technical difficulty of breaking DRM has to be higher than the average executive at a record company.

As soon as your encrypted file is transformed into sound (good old analog sound). I can copy it. The qu

Re:We call it...

There is a fundamental technical problem with DRM which can't be solved that others have said before in various forms, so I can't claim this as my own:

Encryption is all about securing data so you can send it safely from A to C without B being able to read it. The problem with DRM is that B and C are the same person.

This reality will _never_ change despite what technology is being used. In order for our senses to comprehend the signal or heck even if it were sent as a direct data stream to our brain--the man in the middle is us and we can, if we so choose, mold that stream into whatever we want.

Re:We call it...

Aditionally, at some point, people will just not put up with that nonsense anymore - with HDDVD players refusing to work with projectors or whatever because one little detail in the HDCP chain isn't exactly right, and other horror stories like this.

The alternative is easier nowadays: Piracy - It Just Works. With sites like ThePirateBay and easy to use Bittorrent clients like uTorrent and the likes, and with fast net connections, pirating HD content is seriously becoming easier for average users than getting it in a legit way.

Open Source DRM?

No.

I'm sure we could

I'm sure some of us could, but why would we want to? Design our own prison? Encumber data? Stop whistleblowers?

Re:I'm sure we could

Well, that's the rub isn't it, OSS being conceptually antithetical to DRM. Most open source licenses (hi BSD guys) require contributing your own work back to the collective good.

I second the earlier idea that encrypting your data is the best option, and submit for review the existence of libcrypt [gnupg.org] as an efficient means of accomplishing said goal.

Real World Scenarios

Make absolutely certain the drawings being used on the production floor are the correct revision. I mean on terminals on the line. And make sure no one printed a copy for "convenience".

I.E. - Engineers and CAD designers are the only ones that can see pre-production drawings. Pre-production drawings are not accessible from line terminals, only engineering or conference room workstations. Line terminals can not print drawings, though they can print some other things. Line terminals and assembly people can't even open non-production documents.

Considering many electronics assembly shops have people on staff that used to (like, last week) work for a competitor the possibility of moles in real. So, prevent documents from being opened by non-authorized personnel. Prevent drawings from being printed, copied to removable media, etc.

I've had to deal with all of that in a manufacturing environment.

Re:I'm sure we could

The whole DRM-idea is about "sharing" data (documents, music, video, ...), but with the sharer imposing usage restrictions on the shared data. That's where "information wants to be free".

So when you share your name, address and credit card number (commonly considered 'personal data') with Amazon, under the 'information wants to be free' principle they can share it with whoever they want?

When you share your passport, National Insurance and driver's licence numbers, family details and NHS numbers [bbc.co.uk] with the MoD when you apply to join the armed forces, it's not such a big issue if they then (inadvertently) share it with the public?

The vast majority of your personal data will be shared with some person, company or organisation at some point. That's the whole point of having personal data in the first place. It then stands to reason that the definition of 'privacy' is that it is not then shared any further.

Unclear On The Concept of "Open?"

Hey, Guys! I want some help too!

Do we have open-source Tasers? I'm also after open-source software to rig voting machines.

I look in freshmeat and SourceForge - but they mostly seem to be oriented to freeing people, not locking 'em up.

Too busy

Why would anyone want to defer from working on their open source poison that causes slow-and-painful death for cute puppies?

Re:Too busy

What? The tazers or the voting machines?

Re:Unclear On The Concept of "Open?"

Too bad for you I've *patented* the idea of open sourcing tasers a long time ago.

Don't sue me, bro!

It's an oxymoron

If it's open source, you can change it thus disabling any protection it might offer unless it's some hardware-backed signing. The system isn't designed for it either, just removing all the ways you could dump the information anyway would be big job. Just get Vista if you want an end-to-end DRM stack. In short, you want to give someone the DRM'd file, the instrcutions on how the DRM works and still want them to be unable to decode it on their own, bypassing any DRM? Not going to happen.

Also note:

If the hardware signing is not controlled by the user, it's generally not considered Free Software, although it may well be open source.

But that is pretty much the only way to give someone the source, but not the content -- assuming you are trying to prote

Re:It's an oxymoron

You are making the same mistake that people who insist on coming up with DRM schemes make...

A DRM scheme is an attempt at giving someone the encrypted file and the decription key, with the intent of protecting the content against that precise someone. GPG, on the other hand, is a scheme which attempts to protect the encrypted files from those who do not have the decription key.

It is not that difficult, really...

Re:

you assume I was ignorant of this, I was merely pointing out that there exists a system to keep those who don't have the key from decrypting the data. I didn't say *anything* about DRM being an option because as you said, DRM is the combination of encrypt

Re:It's an oxymoron

DRM is a twisted variant of crypto. If Alice sends a message to Bob using GPG, Eve can't read it because she doesn't have the key. In this case, Bob is the intended recipient, and Eve is the unintended recipient. In the case of DRM, Alice encrypts software and gives it to Bob. So, if Alice doesn't give Bob the key, Bob can't use the software. If Alice does, then Bob can break the DRM, having both the key and the code.

So, in DRM, Bob and Eve are the same person. DRM is not only socially undesirable, it's sexually perverse.

Re:It's an oxymoron

So, in DRM, Bob and Eve are the same person. DRM is not only socially undesirable, it's sexually perverse.

hey now, keep your Judeo-Christian mores to yourself. Some /. folk like the idea of Bob and Eve being the same person.

Re:It's an oxymoron

The problem is -- with DRM the intended recipient and the potential attacker is THE SAME PERSON. Which is mathemathically impossible to solve using crypto.

Crypto works because you give the decryption-key to the intended recipient, but others don't know it, and can't easily guess it since it's a large random string.

But with DRM, you give the recipient the file *AND* the decryption-key, and then say: You may use this key to decrypt the file and display it on your screen; but not to decrypt it and print it on your printer ! (for example)

That is fundamentally impossible to enforce. The decryption-algorithm does not care what happens to the file AFTERWARDS.

Re:It's an oxymoron

Gnu privacy guard and truecrypt both work on a fundamental level because there is an asymmetrical informational pathway. A key piece of information is missing, which keeps the information locked away. Similarly, the person who has all of the information to decrypt the information is completely trusted.

On a theoretical level, you can't both give an open-source program all of the information required to decrypt a stream, and still prevent it from decryping the stream in ways that you don't approve of. The end user has all of the information required to have full control over the process.

At some point hardware attachments may make open-source DRM possible by hiding some of the required information. Or we may reach some compromise of semi-open DRM. But until then, Open Source DRM appears to violate a fundamental law of information science, much like perpetual motion machines violate thermodynamics.

Talk about a contradiction in terms.

You need to go find out what DRM is.

DRM is about Alice/Bob/Eve cryptography where Bob and Eve are the same person. All DRM tries to work by hiding the Implementation - Universally, it fails.
Open source is about revealing the implementation.

OpenDRM. Just say Huh?!

Re:

OpenDRM. Just say Huh?!

OpenIPMP (it's even on SourceForge!) or PachyDRM?

Isn't that an oxymoron?

DRM is security through obscurity. If you have the code, you can break any DRM, so there's no point in developing open source DRM. It's also why all DRM eventually fails.

Use encryption if you want safety. But you still can't prevent the people who have legitimate access from doing whatever they want to the documents.

Re:Isn't that an oxymoron?

Use encryption if you want safety. But you still can't prevent the people who have legitimate access from doing whatever they want to the documents.

Unless, and I think this is what he is after, you hire a group of armed commandos/Stallman look-a-likes (to keep it open source) to detail every end user of your media. With a gun to the head... making decisions about media becomes much more serious business.

Open Source Stallman Commando: Don't even think about putting that in your shared folder! If this ends up on bittorrent, it's a 7.62mm round right to the groin!!!
User: Oh my god... please don't kill me... (gets hit with the butt of the commando's rifle)
Commando: One more word and I swear I pull the trigger!

I'm not sure, but that may be the most workable DRM solution anyone has ever come up with.

RE

I think the systems you're after are called Document Management Systems, like you'd find used for medical records under HIPAA.
The only open source system I am aware is OpenKM[http://www.openkm.com/].

Open Source ECM

You should also check out http://www.alfresco.com/ [alfresco.com]. It was started by some of the founders of Documentum and Interwoven. It does some interesting Enterprise Content Management foo, which may be of use to you.

You're probably in for a disappointing search

Most people smart enough to program such a thing are also smart enough to know it can never work. People who do create/sell/push drm solutions are selling snake oil.

Your best bet is to use PGP and simply encrypt your data, and trade public keys with your intended recipients. And plan ahead - once someone can see it, assume they can always see it. The whole "revoking a key" bit is the snake oil part of DRM.

There is a precedent for open source DRM..

For all those who are saying "open source DRM" is an oxymoron, they should have a look at OpenIPMP [mutableinc.com], which is an open-source DRM solution for video formats. So there is a precedent for this kind of thing, although it may not be widely adopted.

Re:

For all those who are saying "open source DRM" is an oxymoron, they should have a look at OpenIPMP, which is an open-source DRM solution for video formats.

It is still an oxymoron.

If you see my comment [slashdot.org] posted shortly after yours, I mention OGG-S/Media-S. T

Easy solution

How about trusting the people you give documents to?

Re:Easy solution

You work by yourself, don't you? :-)

Yes, this exists

"DRM" is not the search term you want, though, and it is in fact not what you want for business documents. You just want to set up a public-key infrastructure (PKI) and make sure people protect their private keys. This can be done by OpenPGP, GnuPG, etc.

DRM makes it hard for people to leak a file. It does not spend very much effort, if any, on authenticating the initial owner of the file (for example, anyone who picks up a DVD can play it, although they can't copy it to a new DVD). In a business environment, you're usually far more worried about authenticating the file's recipient and making sure the original does not accidentally reach anyone else's computer, than about preventing a cooperative person from intentionally leaking the file. (In most cases, you do want to permit them to print, copy-and-paste, etc. the document. These would all be prevented by DRM because they all make it easy to leak the file.)

The other failing of DRM, as I'm sure you've seen discussed, is that it's crackable by mere cleverness. If you're going to permit someone to view a file on screen (or hear an audio clip over headphones), you can always take a screenshot (or recording) and leak that. HDCP and so forth make the screenshot harder, but nothing prevents you from pointing a camera at the TV. It will be low quality but it will be a leak. PKI, on the other hand, is only crackable by brute-force searches of the key space, or (unlikely though possible) sufficiently smart mathematicians.

DRM in a nutshell...

DRM depends on proprietary software. You are encrypting a file, then giving the user the key to decode it, while telling the program in question to decode the file, but only allow it to be used in one of a few ways (eg. display PDF, but don't print).

Such a system is untenable with proprietary software (just need to find the right memory address), and absolutely impossible with open source software, as you can simply remove the line in the program that tells it what actions not to allow. (See xpdf). With proprietary DRM systems, the companies just hope it's difficult enough to decipher the compiled code of the proprietary programs, that it takes a while before someone finds the right spots in memory to probe/change, and publishes the details... Then, they make trivial changes to the DRM system, and call it a new, "fixed" version that everyone should start using quickly (before someone figures it out).

The only thing DRM can do effectively, is to prevent the first opening of the file. After you send that first key (eg. via server), no matter what the DRM involved, the user can (trivially) strip the DRM off, and do whatever they want with the unencrypted file.

If that is what you want... I would suggest using public-key encryption to protect the file instead of a commercial "DRM" system. Either PGP or SSL (keys in combination with a password) can make absolutely sure only the intended recipient can make use of the file, even if others obtain copies of it. If you are expecting any more control over what others do with the file, you are simply denying reality.

All that said, here is one open source DRM system: http://www.sidespace.com/products/oggs/ [sidespace.com]

And if you WANT more...

... I suggest you put your wallet back in your pocket, and don't spend any more money on consultants, software, or IT staff hours spent configuring the free and non-free stuff in furtherance of your goals.

Instead you should save your money and hire a lawyer instead who will draft up NDAs for you to have people sign in order to protect those documents/secrets you want tightly controlled.

Technical solutions will not cut it. They never will. You are throwing your money away.

Hire a lawyer, and only give the documents to people who ABSOLUTELY need it and is worth the time to get contracts involved with.

Have we not discussed this before?

We have had this discussion. There is no legitimate use for DRM. It has no right to exist. I have told people this before. DRM does not improve the security of corporate networks. Thats not what it is meant to do. DRM has just one purpose. to deprive people of the right to use the computers they own as they see fit. Securing documents and sensitive company data is to use good security practices. IPSec, Kerberos, PKI, that kind of thing.

Point. Learn good computer security practices.

I want DRM to dissappear from this world forever/

Re:

What you want is those medical records/taxes/bank records encrypted or otherwise secured. DRM is a very specific thing which is not that.

Convince your business not to waste the money.

Here's what's become my business-side take on DRM: don't bother.

DRM systems set the bar too high for honest users who just need to get some work done, and too low for malicious users.

Corporate espionage in mind? Just make screen-captures. That won't work? Digital camera, anyone?

You can't make it work, principally because there's no way to both show and not show the same document to an end user. The security is only as good as your trusted users are.

You can also appeal to reason on financial grounds: the Hollywood studios are extremely motivated to make DRM work, have pored in millions and haven't hit on anything at all that prevents piracy.

If they can't do it, you probably can't either, and should probably focus on differentiating your content by making it sticky and extremely easy to use.

Re:

Sticky as in "get the eyeballs stuck firmly to the content". That could mean a lot of different things depending upon the content that someone's trying to protect.

In the case of a web site, it could mean going from a login business model to an ad-supported

Minimal DRM

There's basically two kinds of DRM in the world: DRM that's been broken and DRM that no one has cared to break.

So, that said, here's some python DRM you can use which I am releasing into the public domain:

def issue_licence(filename, from_date, to_date):
_f = open("%s.key" % filename, 'wb')
_pickle.dump((from_date, to_date), f)
_f.close()

def check_licence(filename):
_try:
__(from_date, to_date) = pickle.load(open("%s.key" % filename))
_except IOError:
__return False
_return from_date <= datetime.date.today() <= to_date

(replace _ with spaces)

That is not logical.

can we produce a black whiteness?
can we produce a filled emptyness?
can we produce a hard softness?
can we produce a rich poverty?
can we produce an Open DRM?

err... not really?

I understand what he wants....

In business there are things like trade secrets, documents, drawings and the like that you have to distribute to a jobber or some other outside entity to accomplish a task, but you really only want the outside entity to have them for the amount of time that they actually need them to get a task completed.

Typically this has been accomplished via NDA's or other legal agreements. It appears that in some instances they want more then a "promise" to destroy the information when it is no longer useful for the legitimate contracted purpose. Sort of like the old "This tape will self destruct in 10 seconds" gag from mission impossible.

The problem is that it really cannot be accomplished. You can use PGP or IronKey (tm) as others have suggested but that only prevents the material from being easily viewed by 3rd parties and does not address the "self destruct" desire.

I really cannot think of a way to make that happen. Every method that I can think of requires the destruct method to either be built into the data ( as a code block ) but even then something has to execute that code, and that is simply worked around.

It basically has to come down to trust. Either you trust the outside entities that you deal with or you don't. When I was in the military I had access to classified materials, and I was looked over from front to back top to bottom, my friends and neighbors were interviewed as well as my Principal from High School.

Sadly, I think the last 8 years of the current administration have re-enforced the notion of mistrust and it has found its way deep into the culture of corporate America.

IBM TCPA

If you're using systems with TCPA chips, then check out this overview [linuxjournal.com] and IBM's examples [ibm.com].

You need to define your business need first

Look, get DRM out of your head - I have yet to find a place for it, and I've only been in IT for 25 years, of which 15 in security. I have seen dongles (still in use in the CAD industry), I have seen floppy disks with laser holes (bypassed by TSRs), I have seen media with altered parameters (which neededs special drives: say hello to hardware maintenance hell), I have seen registration schemes..

You should really first see if the disadvantages outweigh the benefits, from what I read you're simply after some method to protect information from disclosure. Well, encrypt it. Just don't use any DRM related solution because you're inflicting a serial chain of single points of failures on your business, and it'll screw any backup and recovery strategy as well. Just don't. You really don't know just how much trouble you're heading for.

From the trenches (long)

OK, I think I need to toss a post out (to the wolves!) because the way I make my living is deeply enmeshed in the whole DRM chaos. I've got an unusual approach (well- for the business I'm in) and it's worth explaining how it specifically works because it violates some assumptions and makes others.

I make a living selling copyable software which has no DRM or copy protection, so I'm taking a bunch of time to explain how I'm doing that in the hopes Slashdot minds will find it interesting. This isn't hypothetical, it pays my bills. I'm betting it will continue to do so...

The software is mostly plugins for Logic etc. (Audio Unit format) but I'm also getting some other tools together like an animation program. This isn't free software- I'll talk pretty freely about how I do what I do but I don't distribute the code, and I pick some software products to give away at no cost and other products to sell, never for more than $60 before VAT etc. (lots of my sales are overseas, I'm in the USA)

Almost every (every?) commercial plug-in maker uses DRM, sometimes insanely intrusive stuff. There's stuff that has to dial home in order to be 'authorized' and you only get 3 or 4 goes before it is shut off, there's stuff that uses one of several dongles (iLok is the most common but there are others), etc.

I use NOTHING- once you have the plugin, I expect you to use it, back it up for safe keeping, use it on whichever computers you need it, including the new Logic nodes for DAW clustering that Apple's come up with. There isn't a line of code in there to take the plugin away from you, ever. It's a matter of principle.

At the same time, I expect people not to copy these to their friends, put them on websites, anything like that. You are only supposed to get them from me. It's done through a variation on DRM by Kagi Shareware, who are my store-runners: they have a thing they'd like to see people use more, called Kagi's Digital Download Service. This could be open source if people wanted one like it- how it works is, a purchaser is given a temporary download URL. It's open for X downloads or X days and then it's no longer valid, so if someone posted one of these somewhere it would go dead quickly. The neat thing is, if there's a problem and someone emails me I can check my copies of the Kagi receipts, and see if a sale went through. If it did- the reply email contains a copy of the thing they bought- I don't have to wait for Kagi's systems to be fixed, because the customer only needs the plugin, not access to some authorization server.

This brings me to my point about DRM, one I take very seriously- I've been thinking about this for some time having been a Slashdotter from way back. (that's easily proved, at any rate ;) )

There are two ways you can get a person to do something- push them or entice them. DRM is strictly push-ville. The big assumption you make there is that the enticement is basically infinite- the person MUST buy your thing, or steal it, so it's all about getting really tough with them to compel them not to steal it.

I make a different assumption, and it's paying my mortgage. I may not be putting out lots of open source code (though anyone from an OSS project wishing audio tips is welcome to talk with me endlessly) but I assume the person must CHOOSE to buy your thing or steal it.

No matter who it is, they still must choose. It doesn't matter if they're 14, have never bought something before, and have found my stuff on an FTP site somewhere- even if the choice seems compellingly obvious, people CHOOSE to copy stuff that's not intended to be copied. (to use the non-thief terminology)

I get to make choices as well. For instance, current law is very friendly to me talking to such an FTP site and telling them, please remove those files now. It's easy to monitor, they'd have no real leg to stand on, and I'd be entitled to want that done since it's my stuff.

The site itself CHOOSES to include my stuff (if they can get it) or not to bother- or even to give me an exemption, more about that later.

I CHOOSE to concern myself entirely with this 'access control' and not at all with policing actual USERS and punishing anybody who received 'stolen goods', because I expect all my users to CHOOSE to trundle off to the website and buy whatever it is they need. This is such an unusual expectation that it's worth explaining why I'd say such a crazy thing.

Have you ever heard of a stompbox maker named Zachary Vex? He builds guitar effect circuits and puts them in handpainted boxes, to sell at boutique prices. Some of the circuits (like Super Hard On) are very, very simple. People have been known to ask his users to open the boxes and reveal the schematics. I've never seen this ploy work- Vex's users get mad at the person asking and refuse. They are protective, because Vex does such great things and is basically an artisan- despite using mass-produced electronic parts. He earned people's respect rather than demanding it. I know copies of his boxes exist- forgeries, in fact- but I don't believe these are seen as desirable in any sense, even if they were good copies (which they're generally not).

In digital land, all copies are perfect, so you can't really snark about pirate copies not having as good a sound ;) but some of the OTHER factors at play are possible for the software author. You have to try to do stuff that's really good, or better than that, has a personality that can be expressed and described. Ideally some of your techniques should really be hot stuff- I do a type of interpolation on effects like flanges and moving delay lines which does actually sound better than the typical nearest-neighbor interpolation. You have to be very responsive to customers and be willing to work directly for them, and ideally you make some form of commitment to them- for instance I give all customers lifetime free upgrades for anytime a new version of that product comes out. I can't guarantee I'll always be able to stay on top of plugin API developments 20 years from now but if I can it's free forever. Considering how broad my product line is, that is a commitment. Most companies SELL upgrades and some even force you to pay basically lease fees to have them available. Free forever is a hell of a commitment- what's in it for me?

It's the price I pay to have a userbase that doesn't WANT to 'steal from me'. That's where choice comes in, instead of force. Since I don't want to use DRM (apart from the simple 'access control' that stops me being shareware) it becomes my problem to create that enticement to pay me money for my work. If the world today includes the possibility that people might find my stuff somewhere for nothing, how do you make the enticement? By creating the proposition that I _deserve_ to be paid for the work, that it supports my doing other work, supporting the existing products... the idea is that if someone has my stuff they should think, "Gee, I SHOULD go and pay for some of these that I use a lot. Maybe not all, but I don't use all of them. But he's a good guy, he should get something. Maybe I'll get one of the $30 ones and keep using this $60 one... maybe I'll get the new $60 one that nobody has yet."

Who says people are totally virtuous? But if the guy thought that and did it, I'd be getting $60 from a guy who doesn't actually do business with the usual suspects. Big hostile DRM-happy companies are never, never sympathetic. The one thing I never want to see happen is for copying my stuff to seem more MORALLY proper to ANYBODY, even warez puppies. I want the warez puppies to be saying "cool guy- yeah, if you want to throw a few bucks his way that would be cool" even if they're not doing it themselves.

Because the final thing is, I only care about download links. I don't believe software really exists if it's not being used... if you are a collector copying software and you've got say Maya, that's a prize because it's valuable but if you can't use it and you're not distributing it further, isn't that kind of pointless? Software is like a verb. It exists to act. I will never bug warez puppies if they see fit to accumulate software of mine and just HAVE it- if they are cool enough to actually know how to use it, I'll maybe scold them, if they are setting out to redistribute it I'll get legalistic and make them stop, but to me software that's not used doesn't exist. DRM concepts have to take this into account. It's not patterns of data sitting there, it's whether they're being played, copied etc. that matters. You can get a lot of mileage out of simply managing the means by which the data gets out there.

Once people have it, you get coolness points for letting them do all they want with it, short of setting up a storefront- and for that, you try to sue the STOREFRONT, you don't try and make the data refuse to be in a store. The data is the commodity and should flow freely. It's the SOURCES of data that need to be 'managed' where necessary. It should always be easier and vaguely nicer to do the right thing.

If using a pirate product is actually more convenient to get than the real one, works better than the real one, is less interfering to workflow than the real one- that's a problem, and it sucks because it's poisoning the well for those of us who are trying to EARN respect. Though it also creates a rebellion factor, you might call it the Radiohead factor- "DUDE! I paid $50 for the Radiohead album! Take that, RIAA!"

Don't count on that- I don't get it, but I do have a bunch of users who don't feel ripped off. That will do :)