Open Source DRM Solutions? 369
Feint writes "I'm working on an business platform for inter-company collaboration based on an open source software stack. As part of that platform I would like to integrate some sort of digital rights management for the documents in the system. The vast majority of articles about DRM are focused how good or evil it is to apply DRM to digital music or video. I haven't seen many articles address open source solutions for protecting business data like CAD / MS Office / PDF / etc. documents, which is a real need in business today. Can the Slashdot readership suggest some open source DRM offerings other than the Sun DReaM initiative, which hasn't had a release since Jan. 2007?"
Why not simple passwords? (Score:2, Insightful)
It's an oxymoron (Score:5, Insightful)
Talk about a contradiction in terms. (Score:5, Insightful)
DRM is about Alice/Bob/Eve cryptography where Bob and Eve are the same person. All DRM tries to work by hiding the Implementation - Universally, it fails.
Open source is about revealing the implementation.
OpenDRM. Just say Huh?!
open source (Score:1, Insightful)
OSS is about the open minded sharing of ideas, DRM(TM) is(TM) about(TM) the(TM) close(TM) minded(TM) restriction(TM) of(TM) ideas(TM).(TM)
Easy solution (Score:3, Insightful)
Have we not discussed this before? (Score:4, Insightful)
Point. Learn good computer security practices.
I want DRM to dissappear from this world forever/
Re:It's an oxymoron (Score:2, Insightful)
Re:It's an oxymoron (Score:4, Insightful)
You are making the same mistake that people who insist on coming up with DRM schemes make...
A DRM scheme is an attempt at giving someone the encrypted file and the decription key, with the intent of protecting the content against that precise someone. GPG, on the other hand, is a scheme which attempts to protect the encrypted files from those who do not have the decription key.
It is not that difficult, really...
Re:Easy solution (Score:5, Insightful)
Re:It's an oxymoron (Score:3, Insightful)
Re:I'm sure we could (Score:4, Insightful)
Well, that's the rub isn't it, OSS being conceptually antithetical to DRM. Most open source licenses (hi BSD guys) require contributing your own work back to the collective good.
I second the earlier idea that encrypting your data is the best option, and submit for review the existence of libcrypt [gnupg.org] as an efficient means of accomplishing said goal.
Re:It's an oxymoron (Score:5, Insightful)
On a theoretical level, you can't both give an open-source program all of the information required to decrypt a stream, and still prevent it from decryping the stream in ways that you don't approve of. The end user has all of the information required to have full control over the process.
At some point hardware attachments may make open-source DRM possible by hiding some of the required information. Or we may reach some compromise of semi-open DRM. But until then, Open Source DRM appears to violate a fundamental law of information science, much like perpetual motion machines violate thermodynamics.
I understand what he wants.... (Score:3, Insightful)
In business there are things like trade secrets, documents, drawings and the like that you have to distribute to a jobber or some other outside entity to accomplish a task, but you really only want the outside entity to have them for the amount of time that they actually need them to get a task completed.
Typically this has been accomplished via NDA's or other legal agreements. It appears that in some instances they want more then a "promise" to destroy the information when it is no longer useful for the legitimate contracted purpose. Sort of like the old "This tape will self destruct in 10 seconds" gag from mission impossible.
The problem is that it really cannot be accomplished. You can use PGP or IronKey (tm) as others have suggested but that only prevents the material from being easily viewed by 3rd parties and does not address the "self destruct" desire.
I really cannot think of a way to make that happen. Every method that I can think of requires the destruct method to either be built into the data ( as a code block ) but even then something has to execute that code, and that is simply worked around.
It basically has to come down to trust. Either you trust the outside entities that you deal with or you don't. When I was in the military I had access to classified materials, and I was looked over from front to back top to bottom, my friends and neighbors were interviewed as well as my Principal from High School.
Sadly, I think the last 8 years of the current administration have re-enforced the notion of mistrust and it has found its way deep into the culture of corporate America.
Also note: (Score:3, Insightful)
But that is pretty much the only way to give someone the source, but not the content -- assuming you are trying to protect content. If you are trying to prevent people from copying your code, then you completely missed the point of "open source".
I would very much like to see a followup article, or a clarification, or some comment by the guy who made this post, to find out just what the living Hades he was thinking to come up with this idea. This is even worse than the last Ask Slashdot, where the guy was asking how to run a consolidated, distributed network -- also a contradiction in terms, except in a very limited context (something like Coda for a distributed FS, so there's no "servers")...
Maybe we're missing some context here? Because I'm going to have to cry if this is actually, say, an MBA who thinks "Open Source" is a good idea because he gets free labor and "DRM" is good because they need to "protect their rights," and why can't he have both?
Re:We call it... (Score:5, Insightful)
"trusted computing" nonsense won't change anything. It's just another pile of inconvenience for the paying users that will be snipped out entirely for the bittorrent version. Sony and Microsoft have been doing their best to build tamper-proof encryption-based hardware systems (playstation and xbox series), and they're all defeated by a modchip soldered onto the motherboard - you let the tamper-proof hardware do its thing and decrypt the data, then you snoop the data right off the memory bus on its way back from the chip.
Hardware is no harder to attack than software, it just needs different tools. DRM cannot ever work.
You need to define your business need first (Score:3, Insightful)
You should really first see if the disadvantages outweigh the benefits, from what I read you're simply after some method to protect information from disclosure. Well, encrypt it. Just don't use any DRM related solution because you're inflicting a serial chain of single points of failures on your business, and it'll screw any backup and recovery strategy as well. Just don't. You really don't know just how much trouble you're heading for.
Re:We call it... (Score:4, Insightful)
I'm not aware of a mod-chip for the PS3. Your summary of how mod-chips work is incorrect anyway. And there isn't an off-chip bus carrying unencrypted data around on a real TCP. Get a clue.
Sure, maybe a million-dollar lab can open the chip inside a suitable vacuum and snoop the internal busses; for most people that's out of range, and the kind of people who run million-dollar labs don't tend to allow their use just to warez the latest game.
There's a clear economic message here - can you see it yet? When the cost of breaking DRM is higher than the profit to be made, DRM wins. It doesn't have to be perfect.
Now get with the program - DRM is a clear and present danger to our way of life. Don't sleepwalk into it.
Re:We call it... (Score:4, Insightful)
There's a clear economic message here - can you see it yet? When the cost of breaking DRM is higher than the profit to be made, DRM wins. It doesn't have to be perfect.
Well it allows DRM vendors to sell DRM systems. The technical difficulty of breaking DRM has to be higher than the average executive at a record company.
However, there are at least four aspects to the problems for DRM to actually work as you have described, i.e. as 'resistance' that stops the kids from copying enough for them to get on the bus, queue at a checkout and go home again.
1. Politics: The majority of people don't believe in the propaganda of the content industries. Even those that think they do, don't appear able to act on their beliefs.
2. Communication: You only have to break it once, then the means of circumvention can be spread at the speed of Ethernet.
3. Physics: It is harder and slower to build and deploy restrictions than destroy them.
4. Sociology: The productivity of a grown-up working in an office with paperwork, clocking out at 5, family commitments etc, is far lower than some dedicated student working 24 hours per day to get their Blue-ray player to 'work'.
Re:I'm sure we could (Score:4, Insightful)
So when you share your name, address and credit card number (commonly considered 'personal data') with Amazon, under the 'information wants to be free' principle they can share it with whoever they want?
When you share your passport, National Insurance and driver's licence numbers, family details and NHS numbers [bbc.co.uk] with the MoD when you apply to join the armed forces, it's not such a big issue if they then (inadvertently) share it with the public?
The vast majority of your personal data will be shared with some person, company or organisation at some point. That's the whole point of having personal data in the first place. It then stands to reason that the definition of 'privacy' is that it is not then shared any further.
Re:We call it... (Score:3, Insightful)
As soon as your encrypted file is transformed into sound (good old analog sound). I can copy it. The quality loss can become almost insignificant (for most people IMHO) if you have a relative good installation.
kids will soon rediscover what we used to do with K7 and other Analog medium if numeric-to-numeric copy becomes too hard. it will be numeric-analog-numeric.
It does mean that your DRM song shouldn't produce any sound in order to be 100% safe. IMHO
Re:We call it... (Score:5, Insightful)
Encryption is all about securing data so you can send it safely from A to C without B being able to read it. The problem with DRM is that B and C are the same person.
This reality will _never_ change despite what technology is being used. In order for our senses to comprehend the signal or heck even if it were sent as a direct data stream to our brain--the man in the middle is us and we can, if we so choose, mold that stream into whatever we want.
From the trenches (long) (Score:3, Insightful)
I make a living selling copyable software which has no DRM or copy protection, so I'm taking a bunch of time to explain how I'm doing that in the hopes Slashdot minds will find it interesting. This isn't hypothetical, it pays my bills. I'm betting it will continue to do so...
The software is mostly plugins for Logic etc. (Audio Unit format) but I'm also getting some other tools together like an animation program. This isn't free software- I'll talk pretty freely about how I do what I do but I don't distribute the code, and I pick some software products to give away at no cost and other products to sell, never for more than $60 before VAT etc. (lots of my sales are overseas, I'm in the USA)
Almost every (every?) commercial plug-in maker uses DRM, sometimes insanely intrusive stuff. There's stuff that has to dial home in order to be 'authorized' and you only get 3 or 4 goes before it is shut off, there's stuff that uses one of several dongles (iLok is the most common but there are others), etc.
I use NOTHING- once you have the plugin, I expect you to use it, back it up for safe keeping, use it on whichever computers you need it, including the new Logic nodes for DAW clustering that Apple's come up with. There isn't a line of code in there to take the plugin away from you, ever. It's a matter of principle.
At the same time, I expect people not to copy these to their friends, put them on websites, anything like that. You are only supposed to get them from me. It's done through a variation on DRM by Kagi Shareware, who are my store-runners: they have a thing they'd like to see people use more, called Kagi's Digital Download Service. This could be open source if people wanted one like it- how it works is, a purchaser is given a temporary download URL. It's open for X downloads or X days and then it's no longer valid, so if someone posted one of these somewhere it would go dead quickly. The neat thing is, if there's a problem and someone emails me I can check my copies of the Kagi receipts, and see if a sale went through. If it did- the reply email contains a copy of the thing they bought- I don't have to wait for Kagi's systems to be fixed, because the customer only needs the plugin, not access to some authorization server.
This brings me to my point about DRM, one I take very seriously- I've been thinking about this for some time having been a Slashdotter from way back. (that's easily proved, at any rate
There are two ways you can get a person to do something- push them or entice them. DRM is strictly push-ville. The big assumption you make there is that the enticement is basically infinite- the person MUST buy your thing, or steal it, so it's all about getting really tough with them to compel them not to steal it.
I make a different assumption, and it's paying my mortgage. I may not be putting out lots of open source code (though anyone from an OSS project wishing audio tips is welcome to talk with me endlessly) but I assume the person must CHOOSE to buy your thing or steal it.
No matter who it is, they still must choose. It doesn't matter if they're 14, have never bought something before, and have found my stuff on an FTP site somewhere- even if the choice seems compellingly obvious, people CHOOSE to copy stuff that's not intended to be copied. (to use the non-thief terminology)
I get to make choices as well. For instance, current law is very friendly to me talking to such an FTP site and telling them, please remove those files now. It's easy to monitor, they'd have no real leg to stand on, and I'd be entitled to want that done since it's my stuff.
The site itself CHOOSES to include my stuff (if they can get it) or not to bother- or
Re:We call it... (Score:2, Insightful)