Forgot your password?
typodupeerror
Security

Open Source DRM Solutions? 369

Posted by kdawson
from the using-the-force-for-good dept.
Feint writes "I'm working on an business platform for inter-company collaboration based on an open source software stack. As part of that platform I would like to integrate some sort of digital rights management for the documents in the system. The vast majority of articles about DRM are focused how good or evil it is to apply DRM to digital music or video. I haven't seen many articles address open source solutions for protecting business data like CAD / MS Office / PDF / etc. documents, which is a real need in business today. Can the Slashdot readership suggest some open source DRM offerings other than the Sun DReaM initiative, which hasn't had a release since Jan. 2007?"
This discussion has been archived. No new comments can be posted.

Open Source DRM Solutions?

Comments Filter:
  • We call it... (Score:5, Informative)

    by Anonymous Coward on Tuesday January 22, 2008 @12:32AM (#22134074)
    Public key cryptography. It won't protect work from being copied, but that's an endless battle anyways until the trusted computing platform is mainstream.
    • Public key is the way to go. Place the keys on smart cards or smart USB keys. Encrypt files individually, not just as volumes. OK, it'll be a pain in the ass. Maybe PGP Enterprise will help?
    • Re:We call it... (Score:5, Insightful)

      by asuffield (111848) <asuffield@suffields.me.uk> on Tuesday January 22, 2008 @04:54AM (#22135560)

      but that's an endless battle anyways until the trusted computing platform is mainstream


      "trusted computing" nonsense won't change anything. It's just another pile of inconvenience for the paying users that will be snipped out entirely for the bittorrent version. Sony and Microsoft have been doing their best to build tamper-proof encryption-based hardware systems (playstation and xbox series), and they're all defeated by a modchip soldered onto the motherboard - you let the tamper-proof hardware do its thing and decrypt the data, then you snoop the data right off the memory bus on its way back from the chip.

      Hardware is no harder to attack than software, it just needs different tools. DRM cannot ever work.
      • Re:We call it... (Score:4, Insightful)

        by Anonymous Coward on Tuesday January 22, 2008 @05:40AM (#22135800)
        You're being highly inaccurate. Your definition of "work" is "work perfectly". This is not the aim of DRM. DRM aims to make it difficult to copy stuff around.

        I'm not aware of a mod-chip for the PS3. Your summary of how mod-chips work is incorrect anyway. And there isn't an off-chip bus carrying unencrypted data around on a real TCP. Get a clue.

        Sure, maybe a million-dollar lab can open the chip inside a suitable vacuum and snoop the internal busses; for most people that's out of range, and the kind of people who run million-dollar labs don't tend to allow their use just to warez the latest game.

        There's a clear economic message here - can you see it yet? When the cost of breaking DRM is higher than the profit to be made, DRM wins. It doesn't have to be perfect.

        Now get with the program - DRM is a clear and present danger to our way of life. Don't sleepwalk into it.

        • Re:We call it... (Score:4, Insightful)

          by Marcion (876801) on Tuesday January 22, 2008 @06:30AM (#22136072) Homepage Journal
          The problem with DRM is that it is a narrow technical solution to an wide ranging, largely non-technical, problem.

          There's a clear economic message here - can you see it yet? When the cost of breaking DRM is higher than the profit to be made, DRM wins. It doesn't have to be perfect.

          Well it allows DRM vendors to sell DRM systems. The technical difficulty of breaking DRM has to be higher than the average executive at a record company.

          However, there are at least four aspects to the problems for DRM to actually work as you have described, i.e. as 'resistance' that stops the kids from copying enough for them to get on the bus, queue at a checkout and go home again.
          1. Politics: The majority of people don't believe in the propaganda of the content industries. Even those that think they do, don't appear able to act on their beliefs.
          2. Communication: You only have to break it once, then the means of circumvention can be spread at the speed of Ethernet.
          3. Physics: It is harder and slower to build and deploy restrictions than destroy them.
          4. Sociology: The productivity of a grown-up working in an office with paperwork, clocking out at 5, family commitments etc, is far lower than some dedicated student working 24 hours per day to get their Blue-ray player to 'work'.
          • Re: (Score:3, Insightful)

            by oliderid (710055)
            Well it allows DRM vendors to sell DRM systems. The technical difficulty of breaking DRM has to be higher than the average executive at a record company.

            As soon as your encrypted file is transformed into sound (good old analog sound). I can copy it. The quality loss can become almost insignificant (for most people IMHO) if you have a relative good installation.
            kids will soon rediscover what we used to do with K7 and other Analog medium if numeric-to-numeric copy becomes too hard. it will be numeric-analog-n
          • Re:We call it... (Score:5, Insightful)

            by div_2n (525075) on Tuesday January 22, 2008 @10:16AM (#22137264)
            There is a fundamental technical problem with DRM which can't be solved that others have said before in various forms, so I can't claim this as my own:

            Encryption is all about securing data so you can send it safely from A to C without B being able to read it. The problem with DRM is that B and C are the same person.

            This reality will _never_ change despite what technology is being used. In order for our senses to comprehend the signal or heck even if it were sent as a direct data stream to our brain--the man in the middle is us and we can, if we so choose, mold that stream into whatever we want.
      • Re:We call it... (Score:5, Interesting)

        by DHalcyon (804389) <lorenzd AT gmail DOT com> on Tuesday January 22, 2008 @07:25AM (#22136294)
        Aditionally, at some point, people will just not put up with that nonsense anymore - with HDDVD players refusing to work with projectors or whatever because one little detail in the HDCP chain isn't exactly right, and other horror stories like this.

        The alternative is easier nowadays: Piracy - It Just Works. With sites like ThePirateBay and easy to use Bittorrent clients like uTorrent and the likes, and with fast net connections, pirating HD content is seriously becoming easier for average users than getting it in a legit way.
  • by Anonymous Coward on Tuesday January 22, 2008 @12:33AM (#22134076)
    No.
  • I'm sure we could (Score:5, Interesting)

    by Improv (2467) <pgunn@dachte.org> on Tuesday January 22, 2008 @12:33AM (#22134084) Homepage Journal
    I'm sure some of us could, but why would we want to? Design our own prison? Encumber data? Stop whistleblowers?
    • by s4m7 (519684) on Tuesday January 22, 2008 @01:40AM (#22134514) Homepage

      Well, that's the rub isn't it, OSS being conceptually antithetical to DRM. Most open source licenses (hi BSD guys) require contributing your own work back to the collective good.

      I second the earlier idea that encrypting your data is the best option, and submit for review the existence of libcrypt [gnupg.org] as an efficient means of accomplishing said goal.

    • Real World Scenarios (Score:5, Interesting)

      by chill (34294) on Tuesday January 22, 2008 @03:02AM (#22135032) Journal
      Make absolutely certain the drawings being used on the production floor are the correct revision. I mean on terminals on the line. And make sure no one printed a copy for "convenience".

      I.E. - Engineers and CAD designers are the only ones that can see pre-production drawings. Pre-production drawings are not accessible from line terminals, only engineering or conference room workstations. Line terminals can not print drawings, though they can print some other things. Line terminals and assembly people can't even open non-production documents.

      Considering many electronics assembly shops have people on staff that used to (like, last week) work for a competitor the possibility of moles in real. So, prevent documents from being opened by non-authorized personnel. Prevent drawings from being printed, copied to removable media, etc.

      I've had to deal with all of that in a manufacturing environment.
    • what about your own personal data ? is the "information wants to be free" movement at odds with people that want privacy and security (see other active topic) ?
    • why would we want to?

      In order to build secure systems for our own reasonable purposes. It would be really nice if I could have a system which is not hackable except by me, but is truly hackable by me. And you could have yours.

      • "Not hackable" is not reasonable, and has never worked well. Verifiable to match a public signature, and encrypted against people without private keys, is fairly doable with PGP and other public key encryption techniques. But it's been very awkward to build them into public components, partly due to old patent issues with RSA, and partly due to direct harassment by US government and others against any encryption techniques they cannot easily break or hold the private keys to.

        Take a good look at the history
  • by Jeremiah Cornelius (137) on Tuesday January 22, 2008 @12:34AM (#22134090) Homepage Journal
    Hey, Guys! I want some help too!

    Do we have open-source Tasers? I'm also after open-source software to rig voting machines.

    I look in freshmeat and SourceForge - but they mostly seem to be oriented to freeing people, not locking 'em up.
  • Passwords can be applied in any number of ways. You can base it on pgp keys, if you want to limit the specific people who have access to the documents; or, you can do a one-size-fits-all solution, just applying a password to a file, and giving that password to those who need access.
    • by donaldm (919619)
      Shared passwords are a great way to loose information since eventually they are going to end up in the hands of an unauthorised person. Even with passwords and a special browser that is configured not to print it is always possible to save and print the information. Basically if you can see it, hear it or even touch it you can copy it, all you can really do is to trust the user to be ethical.

      If you want to limit documents or files to specific users why not use ACL's then you never have to worry about pass
    • Re: (Score:3, Interesting)

      by cp.tar (871488)

      Passwords can be applied in any number of ways. You can base it on pgp keys, if you want to limit the specific people who have access to the documents; or, you can do a one-size-fits-all solution, just applying a password to a file, and giving that password to those who need access.

      Recently I was considering a solution to a professional problem that included some sort of DRM[1], albeit of a temporary sort.

      As a part-time translator, I have in several occasions worked for people who got their translations, but failed to pay up. Some of my colleagues have had even worse problems of that sort.

      The idea was, if they don't pay, have the file self-encrypt or self-destruct. Of course, since they could easily just copy and paste the contents in a new document, all this is really moot. Actua

  • It's an oxymoron (Score:5, Insightful)

    by Kjella (173770) on Tuesday January 22, 2008 @12:35AM (#22134096) Homepage
    If it's open source, you can change it thus disabling any protection it might offer unless it's some hardware-backed signing. The system isn't designed for it either, just removing all the ways you could dump the information anyway would be big job. Just get Vista if you want an end-to-end DRM stack. In short, you want to give someone the DRM'd file, the instrcutions on how the DRM works and still want them to be unable to decode it on their own, bypassing any DRM? Not going to happen.
    • Re: (Score:2, Insightful)

      by wizardforce (1005805)

      If it's open source, you can change it thus disabling any protection it might offer unless it's some hardware-backed signing.
      then I guess we don't have anything like an encryption program of some sort like say gnu privacy guard or maybe truecrypt.
      • by msuarezalvarez (667058) on Tuesday January 22, 2008 @01:22AM (#22134402)

        You are making the same mistake that people who insist on coming up with DRM schemes make...

        A DRM scheme is an attempt at giving someone the encrypted file and the decription key, with the intent of protecting the content against that precise someone. GPG, on the other hand, is a scheme which attempts to protect the encrypted files from those who do not have the decription key.

        It is not that difficult, really...

        • Re: (Score:3, Insightful)

          by wizardforce (1005805)
          you assume I was ignorant of this, I was merely pointing out that there exists a system to keep those who don't have the key from decrypting the data. I didn't say *anything* about DRM being an option because as you said, DRM is the combination of encryption and the hiding of the key which is stupid on many levels. What I suggest is that if you want data to be unreadable by people who shouldn't have access then you must encrypt the data and keep the decryption key available to only the people you want to
      • Re:It's an oxymoron (Score:5, Interesting)

        by david_thornley (598059) on Tuesday January 22, 2008 @01:26AM (#22134432)

        DRM is a twisted variant of crypto. If Alice sends a message to Bob using GPG, Eve can't read it because she doesn't have the key. In this case, Bob is the intended recipient, and Eve is the unintended recipient. In the case of DRM, Alice encrypts software and gives it to Bob. So, if Alice doesn't give Bob the key, Bob can't use the software. If Alice does, then Bob can break the DRM, having both the key and the code.

        So, in DRM, Bob and Eve are the same person. DRM is not only socially undesirable, it's sexually perverse.

        • by s4m7 (519684) on Tuesday January 22, 2008 @01:33AM (#22134468) Homepage

          So, in DRM, Bob and Eve are the same person. DRM is not only socially undesirable, it's sexually perverse.

          hey now, keep your Judeo-Christian mores to yourself. Some /. folk like the idea of Bob and Eve being the same person.

        • I wasn't suggesting the use of DRM I was suggesting that they encrypt their data and only give the key on a need to know basis. that's responsible, DRM on the other hand is stupid.
      • Re:It's an oxymoron (Score:4, Informative)

        by Eivind (15695) <eivindorama@gmail.com> on Tuesday January 22, 2008 @01:57AM (#22134604) Homepage
        The problem is -- with DRM the intended recipient and the potential attacker is THE SAME PERSON. Which is mathemathically impossible to solve using crypto.

        Crypto works because you give the decryption-key to the intended recipient, but others don't know it, and can't easily guess it since it's a large random string.

        But with DRM, you give the recipient the file *AND* the decryption-key, and then say: You may use this key to decrypt the file and display it on your screen; but not to decrypt it and print it on your printer ! (for example)

        That is fundamentally impossible to enforce. The decryption-algorithm does not care what happens to the file AFTERWARDS.
        • That is fundamentally impossible to enforce. The decryption-algorithm does not care what happens to the file AFTERWARDS.

          No, not really. It's just fundamentally impossible to enforce in the wild.

          In a controlled business environment, this can be setup so that any attempt to break the DRM sends a clear signal to the company of an employee's activities. And if you can't think of reasons where a business wouldn't want DRM, I say you're just limiting your ideal of what kind of company would use Open Source Software if they could.

      • by cgenman (325138) on Tuesday January 22, 2008 @02:07AM (#22134652) Homepage
        Gnu privacy guard and truecrypt both work on a fundamental level because there is an asymmetrical informational pathway. A key piece of information is missing, which keeps the information locked away. Similarly, the person who has all of the information to decrypt the information is completely trusted.

        On a theoretical level, you can't both give an open-source program all of the information required to decrypt a stream, and still prevent it from decryping the stream in ways that you don't approve of. The end user has all of the information required to have full control over the process.

        At some point hardware attachments may make open-source DRM possible by hiding some of the required information. Or we may reach some compromise of semi-open DRM. But until then, Open Source DRM appears to violate a fundamental law of information science, much like perpetual motion machines violate thermodynamics.

      • by Alsee (515537)
        gnu privacy guard or maybe truecrypt

        The article asked for DRM.
        Neither of the packages you mentioned involve or support DRM.

        -
    • Also note: (Score:3, Insightful)

      If the hardware signing is not controlled by the user, it's generally not considered Free Software, although it may well be open source.

      But that is pretty much the only way to give someone the source, but not the content -- assuming you are trying to protect content. If you are trying to prevent people from copying your code, then you completely missed the point of "open source".

      I would very much like to see a followup article, or a clarification, or some comment by the guy who made this post, to find out j
  • by robbak (775424) on Tuesday January 22, 2008 @12:35AM (#22134102) Homepage
    You need to go find out what DRM is.

    DRM is about Alice/Bob/Eve cryptography where Bob and Eve are the same person. All DRM tries to work by hiding the Implementation - Universally, it fails.
    Open source is about revealing the implementation.

    OpenDRM. Just say Huh?!
    • Re: (Score:2, Funny)

      Tell him he's DReaMing.
    • Re: (Score:3, Informative)

      by Jugalator (259273)

      OpenDRM. Just say Huh?!
      OpenIPMP (it's even on SourceForge!) or PachyDRM?
    • Re: (Score:2, Interesting)

      by dhavleak (912889)

      All DRM tries to work by hiding the Implementation - Universally, it fails.

      That's not true. Obfuscation is just one of the layers in any DRM system (and also in security in general). Relying on obfuscation alone is what's bad practice -- not the presence of obfuscation itself.

      DRM technologies work on essentially the same principles as PGP. The content being protected will usually be encrypted/decrypted using a symmetric key. This key is then protected using PKI (i.e. the content key is encrypted using each user's private key) -- that's the key management part of it.

      I do agree tha

  • by something_wicked_thi (918168) on Tuesday January 22, 2008 @12:35AM (#22134106)
    DRM is security through obscurity. If you have the code, you can break any DRM, so there's no point in developing open source DRM. It's also why all DRM eventually fails.

    Use encryption if you want safety. But you still can't prevent the people who have legitimate access from doing whatever they want to the documents.
    • by explosivejared (1186049) <(moc.liamg) (ta) (deraj.nagah)> on Tuesday January 22, 2008 @12:50AM (#22134226)
      Use encryption if you want safety. But you still can't prevent the people who have legitimate access from doing whatever they want to the documents.

      Unless, and I think this is what he is after, you hire a group of armed commandos/Stallman look-a-likes (to keep it open source) to detail every end user of your media. With a gun to the head... making decisions about media becomes much more serious business.

      Open Source Stallman Commando: Don't even think about putting that in your shared folder! If this ends up on bittorrent, it's a 7.62mm round right to the groin!!!
      User: Oh my god... please don't kill me... (gets hit with the butt of the commando's rifle)
      Commando: One more word and I swear I pull the trigger!

      I'm not sure, but that may be the most workable DRM solution anyone has ever come up with.
    • DRM is security through obscurity. If you have the code, you can break any DRM

      What do you need the DRM scheme's source code for? Most major algorithms are loosely guarded if not totally open secrets.

      DRM schemes rely on playback software and devices managing to keep their decryption keys hidden from their users... and so far, breaking them (finding a way to bypass safeguards and traps to locate plain-text keys) has always been a matter of days or weeks. Since OSS DRM would have no way of hiding the keys from

      • I should know better than to oversimplify on Slashdot.

        Yes, you need both the code and the keys to break DRM*. At least one of the two must be hidden. The point is that, with open source, both must be given in plain view, so it doesn't work.

        * Sometimes, you can even break it without the keys if the algorithm itself can be attacked.
    • by chill (34294)
      If you have the code, you can break any DRM, so there's no point in developing open source DRM. It's also why all DRM eventually fails.

      That is so wrong it isn't even funny. Hell, that is Microsoft's main argument about Closed Source vs Open Source. "If you could see the code, you could hack anything! Nothing would be safe!"

      You have (or can have) the code for GnuPG, but does that mean you can break the data encrypted with it. And no, DRM isn't special in that way.

      I have terminals at work on a production
  • RE (Score:5, Informative)

    by Anonymous Coward on Tuesday January 22, 2008 @12:36AM (#22134116)
    I think the systems you're after are called Document Management Systems, like you'd find used for medical records under HIPAA.
    The only open source system I am aware is OpenKM[http://www.openkm.com/].
  • There is a reason that DReaM hasn't had a release since January 2007.
  • by Weaselmancer (533834) on Tuesday January 22, 2008 @12:36AM (#22134120)

    Most people smart enough to program such a thing are also smart enough to know it can never work. People who do create/sell/push drm solutions are selling snake oil.

    Your best bet is to use PGP and simply encrypt your data, and trade public keys with your intended recipients. And plan ahead - once someone can see it, assume they can always see it. The whole "revoking a key" bit is the snake oil part of DRM.

    • by RobBebop (947356)

      My recommendation would be PGP, too. That would be the way to go. As long as the members of your company can secure their private/public keys, you can keep good control over who will have access to what.

      If the members of your company fail to secure their keys? Well...

      Responsible Behavior [xkcd.com]: "I got too drunk. I screwed up, bad".

    • I revoked your rights! Now go hide your eyes when you open that document.
  • by Nemilar (173603) on Tuesday January 22, 2008 @12:37AM (#22134122) Homepage
    For all those who are saying "open source DRM" is an oxymoron, they should have a look at OpenIPMP [mutableinc.com], which is an open-source DRM solution for video formats. So there is a precedent for this kind of thing, although it may not be widely adopted.
    • Re: (Score:3, Informative)

      by evilviper (135110)

      For all those who are saying "open source DRM" is an oxymoron, they should have a look at OpenIPMP, which is an open-source DRM solution for video formats.

      It is still an oxymoron.

      If you see my comment [slashdot.org] posted shortly after yours, I mention OGG-S/Media-S. They are, at least, honest about their "open source" DRM system. In their FAQ they explain while it is GPL'd, you can buy a (closed-source) license so that it's anything other than a public-key encryption system. ergo: Open source DRM is an oxymoron.

  • Easy solution (Score:3, Insightful)

    by Anonymous Coward on Tuesday January 22, 2008 @12:39AM (#22134144)
    How about trusting the people you give documents to?
  • Yes, this exists (Score:5, Informative)

    by Geoffreyerffoeg (729040) on Tuesday January 22, 2008 @12:46AM (#22134184)
    "DRM" is not the search term you want, though, and it is in fact not what you want for business documents. You just want to set up a public-key infrastructure (PKI) and make sure people protect their private keys. This can be done by OpenPGP, GnuPG, etc.

    DRM makes it hard for people to leak a file. It does not spend very much effort, if any, on authenticating the initial owner of the file (for example, anyone who picks up a DVD can play it, although they can't copy it to a new DVD). In a business environment, you're usually far more worried about authenticating the file's recipient and making sure the original does not accidentally reach anyone else's computer, than about preventing a cooperative person from intentionally leaking the file. (In most cases, you do want to permit them to print, copy-and-paste, etc. the document. These would all be prevented by DRM because they all make it easy to leak the file.)

    The other failing of DRM, as I'm sure you've seen discussed, is that it's crackable by mere cleverness. If you're going to permit someone to view a file on screen (or hear an audio clip over headphones), you can always take a screenshot (or recording) and leak that. HDCP and so forth make the screenshot harder, but nothing prevents you from pointing a camera at the TV. It will be low quality but it will be a leak. PKI, on the other hand, is only crackable by brute-force searches of the key space, or (unlikely though possible) sufficiently smart mathematicians.
  • Implementing something like this, you need to understand why it needs to be implemented.
    Most of what you want can be implemented by encrypting/decrypting on the fly as files are opened by signed in users. That is how most programs work. If that won't work for you then you need to organize how the program/files will be accessed in order to establish what control is needed.
  • DRM in a nutshell... (Score:5, Interesting)

    by evilviper (135110) on Tuesday January 22, 2008 @12:52AM (#22134234) Journal
    DRM depends on proprietary software. You are encrypting a file, then giving the user the key to decode it, while telling the program in question to decode the file, but only allow it to be used in one of a few ways (eg. display PDF, but don't print).

    Such a system is untenable with proprietary software (just need to find the right memory address), and absolutely impossible with open source software, as you can simply remove the line in the program that tells it what actions not to allow. (See xpdf). With proprietary DRM systems, the companies just hope it's difficult enough to decipher the compiled code of the proprietary programs, that it takes a while before someone finds the right spots in memory to probe/change, and publishes the details... Then, they make trivial changes to the DRM system, and call it a new, "fixed" version that everyone should start using quickly (before someone figures it out).

    The only thing DRM can do effectively, is to prevent the first opening of the file. After you send that first key (eg. via server), no matter what the DRM involved, the user can (trivially) strip the DRM off, and do whatever they want with the unencrypted file.

    If that is what you want... I would suggest using public-key encryption to protect the file instead of a commercial "DRM" system. Either PGP or SSL (keys in combination with a password) can make absolutely sure only the intended recipient can make use of the file, even if others obtain copies of it. If you are expecting any more control over what others do with the file, you are simply denying reality.

    All that said, here is one open source DRM system: http://www.sidespace.com/products/oggs/ [sidespace.com]
    • by Ayanami Rei (621112) * <rayanami@gmai[ ]om ['l.c' in gap]> on Tuesday January 22, 2008 @01:50AM (#22134568) Journal
      ... I suggest you put your wallet back in your pocket, and don't spend any more money on consultants, software, or IT staff hours spent configuring the free and non-free stuff in furtherance of your goals.

      Instead you should save your money and hire a lawyer instead who will draft up NDAs for you to have people sign in order to protect those documents/secrets you want tightly controlled.

      Technical solutions will not cut it. They never will. You are throwing your money away.

      Hire a lawyer, and only give the documents to people who ABSOLUTELY need it and is worth the time to get contracts involved with.
  • by Zombie Ryushu (803103) on Tuesday January 22, 2008 @12:58AM (#22134264)
    We have had this discussion. There is no legitimate use for DRM. It has no right to exist. I have told people this before. DRM does not improve the security of corporate networks. Thats not what it is meant to do. DRM has just one purpose. to deprive people of the right to use the computers they own as they see fit. Securing documents and sensitive company data is to use good security practices. IPSec, Kerberos, PKI, that kind of thing.

    Point. Learn good computer security practices.

    I want DRM to dissappear from this world forever/
    • by EXMSFT (935404)
      The three technologies you mentioned don't protect a document independent of location. The first two can protect it over the wire. Yes, PKI can conceivably be used to encrypt and decrypt the document as well. But the problem is if Alice gives it to Bob, and Alice doesn't want Carol to see it - because it's company confidential information. But Bob is a gossip, especially when he's flirting with Carol at the watercooler, so he saves it and emails it to Carol. Who promptly emails it to her actual boyfriend, w
      • by setagllib (753300)
        Now imagine that somewhere in Microsoft Research, somebody is working out how to make sure you can't even speak the document's contents out loud, let alone transcribe it into another document for non-DRM stoarge.
    • by chill (34294)
      ...to deprive people of the right to use the computers they own as they see fit.

      What about computers you don't own? For example, the ones people use at the office. The PC, and all the data on it, belong to the COMPANY, and not you.

      To do your job, you need to see data. You have no legitimate business need to print, copy or otherwise transfer that data anywhere. Other people have different needs with the same data.

      DRM assures the rights that each group needs are all that they get. Least privilege is what
      • by bit01 (644603)

        DRM assures the rights that each group needs are all that they get. Least privilege is what they call it.

        You're talking about normal operating system security. This has nothing to do with DRM. DRM is all about using technology to control an otherwise free agent when something is "sold".

        ---

        DRM'ed content breaks the copyright bargain, the first sale doctrine and fair use provisions. It should not be possible to copyright DRM'ed content.

  • by jddj (1085169) on Tuesday January 22, 2008 @01:01AM (#22134290) Journal

    Here's what's become my business-side take on DRM: don't bother.

    DRM systems set the bar too high for honest users who just need to get some work done, and too low for malicious users.

    Corporate espionage in mind? Just make screen-captures. That won't work? Digital camera, anyone?

    You can't make it work, principally because there's no way to both show and not show the same document to an end user. The security is only as good as your trusted users are.

    You can also appeal to reason on financial grounds: the Hollywood studios are extremely motivated to make DRM work, have pored in millions and haven't hit on anything at all that prevents piracy.

    If they can't do it, you probably can't either, and should probably focus on differentiating your content by making it sticky and extremely easy to use.

  • Do you want to control the copyrights
    or do you want to control the access rights?

    It would seem to be 2 different issues.
    Do you really want to send this data out in to the wilderness to lots of people you don't trust on the hope they might pay you?

    Or are you more looking for a system where trusted colaberators can freely share information in a more flowing fashion.

     
    • by ardiri (245358)
      Do you want to control the copyrights
      or do you want to control the access rights?

      This is really the issue at hand here. DRM that prevents people from copying software is protection via obscurity. open sourcing this means nothing and is a complete waste of time. DRM to control access rights can simply use configuration files and digital signatures - these algorithms can be public. if a user changes the configuration file (access rights), they are blocked from using the material because the signature will fai

      • Exactly if someone can read/see/hear a document when they copy it, in some way shape or form.
        What is really important in these sorts of situations is stopping an altered version of that document getting mixed in the official stream and causing confusion.
        If as a bonus you can have a document that self destructs (so to speak) when it goes out or date or can't be varified that would be a major plus.

        I know working on $xxx million construction projects big issues crop up with if people don't use the current info
  • Minimal DRM (Score:3, Informative)

    by Repton (60818) on Tuesday January 22, 2008 @01:15AM (#22134358) Homepage

    There's basically two kinds of DRM in the world: DRM that's been broken and DRM that no one has cared to break.

    So, that said, here's some python DRM you can use which I am releasing into the public domain:

    def issue_licence(filename, from_date, to_date):
    _f = open("%s.key" % filename, 'wb')
    _pickle.dump((from_date, to_date), f)
    _f.close()

    def check_licence(filename):
    _try:
    __(from_date, to_date) = pickle.load(open("%s.key" % filename))
    _except IOError:
    __return False
    _return from_date <= datetime.date.today() <= to_date

    (replace _ with spaces)

  • After someone has seen the restricted document, inflict severe head trauma, wiping it from their memory. If you're not willing to go that far, DRM is pretty pointless.
  • The main purpose of Free and Open Source software licensing is to insure that all of a device's native capabilities are always available to the user.

    The main purpose of DRM is to insure that some of a device's native capabilities (eg, the ability to copy bits) are //not// available to the user in specific circumstances.

    THAT is why FOSS DRM does not really exist (and why nobody uses Sun's DReaM). It's not about software quality control - it's a flaw in the designed intent of these systems that you can point
  • Cory Doctorow was been over this a couple of years ago when Sun came up with the (I'm guessing abandoned) idea of an Open Source DRM. Here, go read why it's oxymoronic: DRM != SSL [boingboing.net]

    Any protection scheme where your customer and your attacker are the same party, doomed to failure, IMO.

    Do not buy any DRM-encumbered products. Make a statement about this by not participating.

  • That is not logical. (Score:4, Interesting)

    by Quebec (35169) * on Tuesday January 22, 2008 @01:57AM (#22134600) Homepage
    can we produce a black whiteness?
    can we produce a filled emptyness?
    can we produce a hard softness?
    can we produce a rich poverty?
    can we produce an Open DRM?

    err... not really?
    • by EnsilZah (575600)
      So what you're saying is that the only way to achieve open DRM is by practicing zen buddhism?
  • The only real answer to protecting business data is not to give it away. Give people a demo version of software and not a full version that's enabled with a key for instance if you don't want them to use the full version.

    Licence limiting software is a real pain and time sink. I've been halted in the last couple of weeks by one with a Y2K bug of all things, have others limited to dongles on real parallel ports (USB converters have a different memory address to a parallel port in MS Windows) and have to kee

  • by FlyingGuy (989135) <flyingguy AT gmail DOT com> on Tuesday January 22, 2008 @02:11AM (#22134682)

    In business there are things like trade secrets, documents, drawings and the like that you have to distribute to a jobber or some other outside entity to accomplish a task, but you really only want the outside entity to have them for the amount of time that they actually need them to get a task completed.

    Typically this has been accomplished via NDA's or other legal agreements. It appears that in some instances they want more then a "promise" to destroy the information when it is no longer useful for the legitimate contracted purpose. Sort of like the old "This tape will self destruct in 10 seconds" gag from mission impossible.

    The problem is that it really cannot be accomplished. You can use PGP or IronKey (tm) as others have suggested but that only prevents the material from being easily viewed by 3rd parties and does not address the "self destruct" desire.

    I really cannot think of a way to make that happen. Every method that I can think of requires the destruct method to either be built into the data ( as a code block ) but even then something has to execute that code, and that is simply worked around.

    It basically has to come down to trust. Either you trust the outside entities that you deal with or you don't. When I was in the military I had access to classified materials, and I was looked over from front to back top to bottom, my friends and neighbors were interviewed as well as my Principal from High School.

    Sadly, I think the last 8 years of the current administration have re-enforced the notion of mistrust and it has found its way deep into the culture of corporate America.

    • by SeaFox (739806)

      In business there are things like trade secrets, documents, drawings and the like that you have to distribute to a jobber or some other outside entity to accomplish a task, but you really only want the outside entity to have them for the amount of time that they actually need them to get a task completed.

      Typically this has been accomplished via NDA's or other legal agreements. It appears that in some instances they want more then a "promise" to destroy the information when it is no longer useful for the leg

  • Just trying to use a DRMed file is useless

    Just try using adobe ebooks, (not the protected pdfs) but the actual ebooks being sold. EBX_HANDLER errors and no real way to remove that crap

    A publisher should not have the power to say you cannot print a file, but sadly they do.
  • For company documents, this problem has already been solved, just any of the many encryption solutions available ... I don't think there is any major need in normal business use that DRM fulfills that regular encryption based solutions do not. (Actually your request just sounds like a FUD-style attempt to 'legimitise' DRM, good luck with that around here.)
  • Either trust the people you show the documents, or don't show them to them. That's all you can do, realistically.

    Paranoia is contagious... if you show people you suspect that they're devious bastards, they'll arrange to be devious bastards. If you trust people for the most part, they'll be trustworthy. I'm not saying put everything on a publicly available website, but show your employees a little faith and they'll believe in you, and just keep a little eye out for things that aren't right. You don't nee
  • The ultimate user for DRM would be DoD. They don't use it. Maybe that should tell you something.
  • IBM TCPA (Score:3, Informative)

    by chill (34294) on Tuesday January 22, 2008 @03:31AM (#22135180) Journal
    If you're using systems with TCPA chips, then check out this overview [linuxjournal.com] and IBM's examples [ibm.com].
  • They're mutually exclusive. The only way to enforce DRM is to encrypt the contents and only permit decryption when authorized. But, to decrypt the content you have to have the decryption key present. If the software is open-source, anyone can simply change the code to dump out the decryption key. Once they have the key, they can decrypt the content exactly as if they were authorized to do so. Or, they can simply change the code so the enforcing application always gets back "Yes." as the answer to "Is this o

  • From wikipedia

    The earliest known invention of a phonographic recording device was the phonautograph, invented by Frenchman Édouard-Léon Scott de Martinville and patented on March 25, 1857.

    All it takes is for ONE dedicated geek to build a phonograph, the copy then hits the internet and it's game over. Not even locking down the hardware will help because a single output wire operating at 50khz or above will be able to reproduce the sound. You would have to sniff every single port on the computer for

  • One of the big problems with DRM is that it's a sexy technology.

    Technologists and businessmen just love the idea of being able to control other people in ways that were not possible before and that's why DRM keeps resurfacing. I know, I used to like DRM myself until I grew up and realized that it was simply not in my interest to live in a supposedly free society when DRM does end-runs around everything from first sale doctrine to fair use provisions to the copyright bargain to free enterprise. This is bec

  • by cheros (223479) on Tuesday January 22, 2008 @04:54AM (#22135566)
    Look, get DRM out of your head - I have yet to find a place for it, and I've only been in IT for 25 years, of which 15 in security. I have seen dongles (still in use in the CAD industry), I have seen floppy disks with laser holes (bypassed by TSRs), I have seen media with altered parameters (which neededs special drives: say hello to hardware maintenance hell), I have seen registration schemes..

    You should really first see if the disadvantages outweigh the benefits, from what I read you're simply after some method to protect information from disclosure. Well, encrypt it. Just don't use any DRM related solution because you're inflicting a serial chain of single points of failures on your business, and it'll screw any backup and recovery strategy as well. Just don't. You really don't know just how much trouble you're heading for.

  • by Chris Johnson (580) on Tuesday January 22, 2008 @01:48PM (#22140066) Homepage Journal
    OK, I think I need to toss a post out (to the wolves!) because the way I make my living is deeply enmeshed in the whole DRM chaos. I've got an unusual approach (well- for the business I'm in) and it's worth explaining how it specifically works because it violates some assumptions and makes others.

    I make a living selling copyable software which has no DRM or copy protection, so I'm taking a bunch of time to explain how I'm doing that in the hopes Slashdot minds will find it interesting. This isn't hypothetical, it pays my bills. I'm betting it will continue to do so...

    The software is mostly plugins for Logic etc. (Audio Unit format) but I'm also getting some other tools together like an animation program. This isn't free software- I'll talk pretty freely about how I do what I do but I don't distribute the code, and I pick some software products to give away at no cost and other products to sell, never for more than $60 before VAT etc. (lots of my sales are overseas, I'm in the USA)

    Almost every (every?) commercial plug-in maker uses DRM, sometimes insanely intrusive stuff. There's stuff that has to dial home in order to be 'authorized' and you only get 3 or 4 goes before it is shut off, there's stuff that uses one of several dongles (iLok is the most common but there are others), etc.

    I use NOTHING- once you have the plugin, I expect you to use it, back it up for safe keeping, use it on whichever computers you need it, including the new Logic nodes for DAW clustering that Apple's come up with. There isn't a line of code in there to take the plugin away from you, ever. It's a matter of principle.

    At the same time, I expect people not to copy these to their friends, put them on websites, anything like that. You are only supposed to get them from me. It's done through a variation on DRM by Kagi Shareware, who are my store-runners: they have a thing they'd like to see people use more, called Kagi's Digital Download Service. This could be open source if people wanted one like it- how it works is, a purchaser is given a temporary download URL. It's open for X downloads or X days and then it's no longer valid, so if someone posted one of these somewhere it would go dead quickly. The neat thing is, if there's a problem and someone emails me I can check my copies of the Kagi receipts, and see if a sale went through. If it did- the reply email contains a copy of the thing they bought- I don't have to wait for Kagi's systems to be fixed, because the customer only needs the plugin, not access to some authorization server.

    This brings me to my point about DRM, one I take very seriously- I've been thinking about this for some time having been a Slashdotter from way back. (that's easily proved, at any rate ;) )

    There are two ways you can get a person to do something- push them or entice them. DRM is strictly push-ville. The big assumption you make there is that the enticement is basically infinite- the person MUST buy your thing, or steal it, so it's all about getting really tough with them to compel them not to steal it.

    I make a different assumption, and it's paying my mortgage. I may not be putting out lots of open source code (though anyone from an OSS project wishing audio tips is welcome to talk with me endlessly) but I assume the person must CHOOSE to buy your thing or steal it.

    No matter who it is, they still must choose. It doesn't matter if they're 14, have never bought something before, and have found my stuff on an FTP site somewhere- even if the choice seems compellingly obvious, people CHOOSE to copy stuff that's not intended to be copied. (to use the non-thief terminology)

    I get to make choices as well. For instance, current law is very friendly to me talking to such an FTP site and telling them, please remove those files now. It's easy to monitor, they'd have no real leg to stand on, and I'd be entitled to want that done since it's my stuff.

    The site itself CHOOSES to include my stuff (if they can get it) or not to bother- or

He keeps differentiating, flying off on a tangent.

Working...