Adobe's ADEPT DRM Broken
An anonymous reader writes "I love cabbages has reverse-engineered Adobe's ADEPT DRM (e-book protection). On February 18, I love cabbages released code that decrypts EPUB e-books protected with ADEPT and followed that up on February 25, with code that decrypts PDF e-books protected with ADEPT. On March 4, I love cabbages was given a DMCA take down notice. And there's plenty of evidence he got it right. DS:TNG (Dmitry Sklyarov: The Next Generation)?"
and... (Score:5, Insightful)
Re:Hey, why not just steal GPL code? (Score:5, Insightful)
Non-sequitur
Opening up DRM'd media so that it can legally be used in more situations by someone with a valid license is not the same as rampant piracy. Removing DRM so that consumers have a choice over how and when to use content they have paid for is a great thing.
It is regrettable that these developments are also massive boosts for piracy, but without this sort of action there would be no DVD playback on Linux.
Re:Hey, why not just steal GPL code? (Score:5, Insightful)
Because sometimes (read: very often) the DRM will prevent the end-user from exercising rights he would have under standard Fair Use doctrines.
Re:and... (Score:5, Insightful)
Re:Hey, why not just steal GPL code? (Score:5, Insightful)
Re:Not really a new Sklyarov (Score:2, Insightful)
Since when was the definition of copyright infringement extended, so any tool that got past ineffective access controls, could automatically be configured infringement?
The DMCA takedown rules should require a work to actually be infringing...
Perhaps they should start sending takedown notices to people finding and posting security exploits, that allow hackers to remotely execute code in their software.
Because you know, it's cheaper to silence people who have found flaws in your software than to properly design your software in the first place, or actually make an effort to fix the bug.
Re:and... (Score:1, Insightful)
DRM works about as well as gun control laws. It keeps honest people honest, and... well actually it doesn't even do that, since even honest people break or have an interest in breaking DRM now.
Re:Hey, why not just steal GPL code? (Score:3, Insightful)
True, that is copyright law for you. But the issue is whether the copyright holder can artificially expand his own rights or arbitrarily restrict the end user's rights.
E.g. I recently encountered a company that sold pdf(?) documents you can only read with an active internet connection. Reading on the train/plane is impossible or very expensive.
Also true, but this part is about enforcing the law. You could substitute 'taking GPL code and subverting it' with 'throwing bombs', 'murdering innocent children' as well. Of course, that's insinuating copying is a very bad crime. Which it is not. It's mildly naughty.
Re:Not really a new Sklyarov (Score:4, Insightful)
Since when was the definition of copyright infringement extended, so any tool that got past ineffective access controls, could automatically be configured infringement?
The DMCA takedown rules should require a work to actually be infringing...
Nope - DMCA defines extra crimes involving copyrighted works, but the crimes defined needn't be copyright infringement themselves. Namely, any program that facilitates the disabling of any copy protection device violates the DMCA. Doesn't matter how it does it or the technical details. I don't think there's any question that this program was breaking the letter (and hell, the spirit) of the law when it comes to the DMCA.
The problem is that the DMCA itself is a bad and unfair law. Bad and unfair laws result in bad and unfair application. You can either live with it, ignore it, or try to change it. Geeks don't have the lobbying power to change it, nor the will power to just live with it, so for the most part we just ignore that law, only complying as a token gesture as needed. I mean really - this guy has now complied with Adobe's takedown notice, but the code was released into the wild. At this point the cat is out of the bag.
Though really - why don't we start posting these things on foreign servers to begin with? Put it up on The Pirate Bay or something for goodness sakes. DMCA takedown notices mean little in areas where the DMCA doesn't apply.
GPL vs. DRM: DRM goes against the copyright spirit (Score:4, Insightful)
The thing is, the legal framework, the right of the copyright holder to issue a license, is the same for software with DRM as it is without.
As I understand it, the purpose of copyright is to secure for creators a limited time monopoly on the rights necessary for selling the creation, in return for them eventually enriching the cultural (and, in the case of software, technological) commons.
Some kinds of DRM prevent or obstruct use of the work in such a way that when the work enters the public domain, it doesn't enrich the commons in practice. It's like being given a car wreck that's in really bad shape: sure you can sell it as scrap metal, but it's worth so little that you're better off ignoring it.
For this reason, I think one can argue that DRM (with certain properties) goes against the spirit and purpose of copyright law, and the argument doesn't apply to GPL'ed software.
Re:and... (Score:5, Insightful)
That's not quite right.
To use Bruce Schneier's analogy, it's more like trying to make a safe secure.
There's no such thing as a secure safe. Ultimately, it is not the locks and thick walls of a safe that protect the safe's contents. It is what economists would call "opportunity costs". Why am I wasting my time praying I can cut through this damn thing with a thermal lance before people return for work on Monday morning when I could make easier money doing something else, like panhandling or flipping burgers?
Safes only need to be sufficiently secure that their contents aren't worth stealing; they needn't be any more secure than that. You don't buy a million dollar safe to keep your petty cash in, or for holding cheap costume jewelry. Likewise, DRM only needs to be sufficiently secure that people don't bother getting around it. What the recording industry provides is not infinitely valuable, so DRM needn't be infinitely strong.
The obsession of the recording industry with unbreakable DRM isn't rational. It probably reflects a guilty conscience.
If I were creating a DRM scheme, for my content, I'd release the scheme with an exploit. An exploit that anybody could use, but which was a certifiable pain in the ass. It's going to be broken sooner or later, so why not remove the incentive to make a convenient exploit? Anybody who is chary of losing access to their DRM purchases is reassured that they will always have access to it, but the vast majority won't ever bother. Of course that means the content would appear on illegal sharing sites, but that was going to happen anyway.
In a sense, that's where Apple is with Fairplay. It's been cracked for ages, but at $0.99/track, almost nobody bothers.
Re:Hey, why not just steal GPL code? (Score:4, Insightful)
Re:Hey, why not just steal GPL code? (Score:5, Insightful)
Opening up DRM'd media so that it can legally be used in more situations by someone with a valid license is not the same as rampant piracy.
As a rights-holder? Bull. Shit. "You have the right to use content provided you do so in a manner consistent with the license provided with it." That's the same basic principle protected in the GPL, as well as in DRM-licensing terms.
You fail (again). The GPL does not, in any way, restrict your use of the licensed code. It only restricts the way you redistribute that code (if you should choose to do so). And, newsflash, even if the GPL wanted to restrict your use, it couldn't, because the GPL is based on copyright law. A license can only grant you MORE freedom than is already allowed to you by copyright law. And copyright law regulates distribution, not private usage.
Re:Hey, why not just steal GPL code? (Score:3, Insightful)
It's rather comical that so many people out there are trying to break DRM and band themselves as allies of the open source movement in some way. The thing is, the legal framework, the right of the copyright holder to issue a license, is the same for software with DRM as it is without. If we have a legal system where copying images, songs and books is tolerated, then we also have a legal system where taking GPL code and subverting it will be tolerated as well.
The GPL is a license that dictates how a work can be copied and distributed - which was the intent of copyrights originally. To control who can copy and/or distribute a work, to make sure that the author actually gets something for their effort.
DRM, on the other hand, restricts how someone who already has a copy of the work is able to use it. DRM keeps me from reading my ebook on the device of my choice. DRM keeps me from listening to my music on the device of my choice. DRM keeps me from re-installing the software that I purchased because it has been activated too many times.
Most folks on here, and in the open source community at large, don't really have a huge problem with copyright. They may have issues with various current implementations or protection periods... But most folks are ok with the idea of an author/creator getting paid for their work in some way.
DRM though... DRM isn't about keeping people from making unauthorized copies. DRM is about selling people one copy of a movie for their DVD player, and a second copy for their PC, and a third copy for their iPod. DRM is about the middle-men (not the content creators) dictating how you use the content.
Mirrors (Score:2, Insightful)
One German mirror and one extra American mirror
PDF decryption tool: http://pastebin.com/f1cb3663c [pastebin.com]
http://nopaste.info/8ad6b71874.html [nopaste.info]
http://paste2.org/p/161270 [paste2.org]
key-retrieval tool: http://pastebin.com/f26972321 [pastebin.com]
http://nopaste.info/8b62e63436.html [nopaste.info]
http://paste2.org/p/161271 [paste2.org]
If you know of any other foreign pastebins,
mirror and post in this thread.
Fiduciary duty: includes a healthy business model (Score:3, Insightful)
They have a responsibility to their shareholders to do everything they can to protect a) their investment in creating the DRM in the first place, and b) the value of their licensed software and agreements with publishers.
Well, they have a responsibility to their shareholders to deliver a good return on investment.
You can try doing that in multiple ways. One of them is fighting a losing battle tooth and nail, another is coming up with a business model that works well in the environment it'll execute in.
I'm not saying Adobe is at one extreme and should move to the other. But you have to wonder whether fighting the DRM war is ultimately good or bad for business. If it's bad, not fighting it is their shareholder responsibility.
Re:Hey, why not just steal GPL code? (Score:5, Insightful)
Copyright law allows the rights-holder to determine the conditions upon which they are willing to give you rights to use the content.
Wow. You failed twice in a row, and some idiot mod still modded you up.
Copyright. Read it carefully. Say it out loud. It is literally the right to copy. Copyright only deals with redistribution, whether in original or modified form. It does not deal with usage. Get it into your thick skull already; copyright cannot stop you from using what you bought the way you want it. It only stops you from copying what you bought and giving it to others. (Fair use covers the part where you copy something for backup purposes.)
Sheesh. Get it right, or go troll somewhere else.
Re:Hey, why not just steal GPL code? (Score:2, Insightful)
For instance, perhaps you're a rights-holder who wants to say "you cannot use this content to help kill people" to prevent the military from using it, or whatever).
Contract law isn't a candy store. I may want to stipulate that one sign over his arm, leg, and first born child but very few courts on this planet will enforce it. And there HAVE been licenses that forbid military use or government use but those are institutions that at least under some circumstances CAN disregard contract, copyright, or even patent law. This disregard is either extended by legislative fiat or they just do it and dare you to come enforce it.
So yes, there are wishes a rights holder may have that he can't enforce with either contract or copyright law. And in keeping with DRM, there are wishes a rights holder may have that won't be enforced by the laws of physics and mathematics either.
Re:Hey, why not just steal GPL code? (Score:4, Insightful)
So the manufacturer gets to decide how we use their product after we purchase it? Kellogg's can prevent me from using their product to make Rice Krispie squares? You don't believe in private property?
I think you need to think this through a little.
Uhhh (Score:3, Insightful)
Copyrights are like patents in software/hardware. They prevent you from improving upon a certain work and they effectively lock the competition
Actually that's completely upside down.
Patents, in theory, are a deal between an inventor and society. For a limited, government enforced monopoly the inventor must document and register his invention with the patent office. Others can look at those patents and build upon them as long as they either license the patent, wait until it's expired or build upon it in a way that the patent is not violated.
Now, this is the theory of course which doesn't seem to be very much related to nowadays reality.
However, patents were certainly not invented to hinder innovation, actually - due to its documentation requirements - quite the opposite.
Re:Took down the links, not the content.. (Score:5, Insightful)
Or on Freenet [freenetproject.org], where it is impossible for anyone to remove,
CHK@Lxdd7kNnDxsKDbJvN954w8VVTkyeXriXBc~CZQi7yh0,CpQsd8KQkbzeRnfpY4tprGAlt2LYjIKtwVdDYXWY~nE,AAIC--8/ineptpdf.pyw
CHK@0sthR-c3bxeDPtyRP4vLst4MKLAYunyPgL3DFgijAR4,GLU99yTKNtuIx9A54tvh20XisaAPwCcul58wTmTKjRE,AAIC--8/ineptkey.pyw
Re:Hey, why not just steal GPL code? (Score:3, Insightful)
Yeah, cause no one ever created anything before copyright law came along 300 years ago. Yeah.
Re:Hey, why not just steal GPL code? (Score:5, Insightful)
At this point this discussion should probably be modded Flamewar, but from the biased opinion of a self-publisher and a GPL content consumer, I think both arguments are correct. GPL advocates need to differentiate why they should be able to disable the rights claimed by DRM content or else it comes off as "we want freedom to do what we want (in the interests of consumers) AND to prevent you from doing what you want (in the interests of producers)".
Not respecting the rights that DRM imposes isn't too far off from not respecting the right that GPL imposes. Either copyright is valuable, or it isn't. Pick a side.... and know that you can't have your cake and eat it too. There are benevolent and greedy consequences on each side of the copyright argument.
Re:and... (Score:4, Insightful)
To extend this analogy, a PC is like a safe to which you have to hide the key in the same room. Because in order to allow legitimate users access, the decryption mechanism including key must be in a piece of software on the PC.
AFAIK all purely software based DRM schemes have been cracked within a few months so far (systems which hide the key in special hardware do better, see game consoles). And some people do it for the challenge, so the argument with opportunity costs does not work.
Now you have created an incentive to create a user-friendly wrapper for the pain in the ass exploit. Which probably requires less hacking skill.
re: DRM and the recording industry (Score:3, Insightful)
I completely agree with what you said, except as much as I dislike the recording industry and their tactics? I think their quest to find "unbreakable DRM" has more rationality behind it than you give them credit for.
The problem in their scenario is, they count on making their money via a high volume of music sales. (So to use one of your analogies, it's as though their business is costume jewelry sales. No individual piece would seem to be worth spending much money to protect, from a customer's perspective. Yet from their point of view, anything less than "unbreakable DRM" is like leaving their entire inventory sitting out on a table where anyone can walk by and help themselves to as many free pieces as they'd like to take.) DRM that's easily defeated by some free utility or music player plug-in is about as useful to the music industry as taping those pieces of costume jewelry down to the table with scotch tape.....
And really, that's why DRM is a hopeless endeavor. People implementing it WANT it to be like a safe, with thick walls that take hours to cut open, and a combination lock you'll stand no chance of randomly guessing the combination to. Yet it's not, because unlike a safe, once the first person goes through the effort to crack it open, they can transfer that ability to everyone else with VERY little effort. (Imagine a situation where magically, a cutting torch that cut through the wall of one safe could cut through ALL future safes instantly, after the effort was made on the first one. That's what DRM is like.)
Re:Hey, why not just steal GPL code? (Score:1, Insightful)
(mainly responding to GP post)
"The rights-holder is the sole arbiter of the "conditions of the distribution of their content"."
That is not true - I can't believe this gets modded "insightful". Copyright law does _not_ grant the authors unrestricted authority over what others do with their works - it only governs copying.
The immediate parent post explains it pretty well.
The only thing I would add is the issue of EULAs being binding licenses, which I think is how you would argue that the publisher acquires this extraordinary power to (your example) stop you from using the content in certain months. Doesn't it seem pretty strange to you that this "binding contract" is executed without any signatures, witnesses, notarization, or any of the other measures normally taken to ensure that a contract is enforceable?
And suppose someone just declines the EULA but figures out a way to use the product anyway? What legal basis does the author have to keep someone from just using the product? As long as you don't re-publish it, you aren't violating copyright law, and there isn't any "contract" the author can claim you have violated. "Because I said so" doesn't cut it as a legal argument, but that's basically what software makers are saying when they demand that their EULA be honored.
This is why software and media publishers seek to use the DMCA - to criminalize activity that would otherwise be perfectly legal so as to enable themselves to dictate arbitrary terms on their customers. Let's ignore for the moment that the DMCA was pushed through as something that applies to *copy protection*, not EULA enforcement.
So, using the example above, the author might reason:
1. "OK, you aren't violating traditional copyright law in anything you are doing"
2. "No, you didn't agree to my EULA, so I can't hold you to that".
3. "AHA - thanks to the wonderful DMCA, I can sue you because your use of my product without the EULA constitutes illegal 'circumvention'."
But this only ought to apply if said technological circumvention is done to enable illegal copying. It *shouldn't* apply if you're doing something otherwise perfectly legal, like watching a movie (your own legally purchased copy, that is) in Linux. The DMCA is a bad law because it (arguably) criminalizes the technological circumvention methods themselves, not the actual illegal behavior.
So, the argument that rights-holders have unlimited authority to dictate terms falls down flat unless you rely on the DMCA, IMHO.
Stepping back a level, I would ask what you think we as a society should do?
You said:
"If they want to distribute content to you which you are forbidden to use in months which end in "Y" that is their right."
If that is the case, do you think that is a good thing? Do you want to be bound by arbitrary terms like that? Or should we have laws that guarantee that the purchaser can decide what uses are appropriate? If so, then we need to try to get the DMCA and similar laws repealed.
Re:Hey, why not just steal GPL code? (Score:4, Insightful)
Where did I agree to those terms and conditions when purchasing a DVD or CD @ Best Buy?
Re:and... (Score:4, Insightful)
DRM: the arctic for content. (Additional costs may apply. Subject to climatic variation.)
Re:Hey, why not just steal GPL code? (Score:3, Insightful)
You're looking at this entirely wrong. Rejection of the GPL and rejection of DRM are two entirely separate things.
DRM isn't a license, it's a mechanism to restrict the use of the copyrighted work. From a moral perspective, it's improper for consumers to be forced to purchase the same work for their Zune, iPod, generic MP3 player, car, computer and CD player. If, through DRM, music publishers thought they could get away with that they would. DRM is their weak attempt at this, with the false presumption that consumers won't fight back.
Again, from a moral perspective, bypassing DRM to use a legally purchased copyrighted work such as an audio recording or a movie on the device of your choice is not wrong - it is a prerogative. From a legal perspective, well obviously the current state of laws are out of touch with reality, as is the mindset of content producers (see Authors Guild recent statements regarding Kindle). In fact, on that note, I would love to see the Authors Guild representative tell a blind man face to face that he has to pay extra because of text to speech capability. Good fucking luck.
GPL is a license. The license doesn't restrict your use of the software and thus does not impose morally unfair conditions upon users of GPL software. If you downloaded the next Linux kernel and it had an addendum on the license that said "This software can only be used while wearing pink fuzzy slippers", I would wholeheartedly agree that users should ignore that portion of the license.
In many ways, the laws on the books are out of touch with common morality and consumer expectations of fairness. They will catch up eventually, I hope.
Re:Hey, why not just steal GPL code? (Score:3, Insightful)
Nonsense.
Sometimes I buy a DVD and it says "This DVD was sold subject to the condition that...." (usually something about playing in schools and prisons) and I think: "No it wasn't" - and it wasn't.
Just because it is written down doesn't mean it is true.
Sam
Re:and... (Score:5, Insightful)
Your attempts to make it a "certifiable pain in the ass" will be rendered as useless as the attempts to make DRM "uncrackable" will be. Instead of having to find a way to crack the DRM, they will start with one. Their only job will be to make it quick and easy. And if the "pain in the ass" method is too ugly to automate, they will properly crack your DRM and make it even easier. Since an exploit is already known, a "proper" crack might even be easier to create.
And Fairplay has been cracked for ages, but Apple keeps changing it to make it a PITA to always have access to the latest crack. That's where the future of DRM lies: change the codes every week and have devices that can download the latest codes. Pretty soon it just sucks to be an uncertified client. Sure, you can always find a way around it if you really need to (say you need to move your entire iTunes library to another computer because your old computer is being upgraded), but for casual piracy, not worth it.
-Dan