Archive for October, 2000

Copyprotection doesn’t work

Tuesday, October 17th, 2000

Yes, copyprotection-schemes, be it for software, be it for content does not work — ever. And here’s why.

Encryption doesn’t work this way

Encryption may be looked at as a solution to the problem, but really isn’t. You could theoretically use public-key cryptography to encrypt your data, with a public-key only known to your program or hardware. This is what CSS is in DVD. However, due to the nature of cryptography something has to know the key on the client side. And if your software knows it, somebody might reverse-engineer it.

Encryption allows essentially two (!) modes:

    client		transfer	server
    cleartext		cleartext	encrypted
    cleartext		encrypted	encrypted

The first case is like telnet — you connect, send your password in cleartext, it is encrypted on the server and compared to a already encrypted password. The second being the case with Secure-Shell (ssh). In this case the cleartext-password is key for a challenge which is exchanged through the network. The password is not sent through the network in this case, and thus relatively secure. The idea of having everything everywhere encrypted doesn’t work — you’d need some further
method of encrypting the cleartext on the client-side (this is what some people do who encrypt password-lists in order just to remember one password). Somewhere something has to know a cleartext-password. Hiding this password is what the DVD-industry was trying to do, and the Music-industry is trying to enforce on MP3, and the Electronic-book-industry is trying to achieve.

To explain a bit further: You’ve got the encryption key, the media is encrypted. The user obviously needs a decryption-key in order to use the media. You can of course, hide this key somewhere, but at least the software or hardware needs to have the cleartext-key somewhere some time — and if something on a system you don’t control has your key, the owner of that system might get it.

You don’t control the user’s computer

That means, the user is free to run whichever software he wants — and he has the ability to change everyting on it. This goes even further, hardware isn’t safe either. Suppose your hardware knows your key, the media can only be decrypted with that hardware — but there’s nothing to insure the already decrypted data flowing into the system is not intercepted and saved to disk. So you’d need not only to control the application which interprets the data, but the control the whole operating system which the data passes. This might be indeed seem possible with dedicated hardware (like an e-book), but even this can be circumvented, at least by hardware-engineering — and since you
need to put new data into your hardware, at least a one-way street of communicating to that device already exists, opening possibilities of bugs which could be exploited, for instance to modify the firmware.

Techs can do it

No matter how good you are, how sophisticated your copyprotection- measures are. Somewhere out there is someone who is better and who will break it. It may take minutes, or it may take a year or two, but it will be broken. And if you make the mistake of not treating people which do not belong to the 99 percent of your intended consumers equally, this percent will be the one to break it, “because it wouldn’t run on hem pet-operating system of choice”. If you open a technology,
all you probably need is to supply software for one system. People will automatically want it on their system and produce programs for it. If you “close” the technology, you will have to provide software for probably 20 operating systems, since some Amiga-(or whatever-)hacker will break it in order to be able to use it as well. Furthermore, the free-software community won’t like it anyway and probably crack it because
of the sole fact that it’s closed, in order to write free software which accesses your data. And history tells you quite clearly that absolutely all copyprotection-measures have been broken so far. Software-copyprotection, dongles, DVD, Microsofts “secure” sound format, CD-copyprotections and so on. Everything.

Copyprotections is costly

So why even develop copyprotection if it only costs money and will be broken anyway? And besides of every copyprotection-measure being broken, things get sold anyway. Take CD’s: Everyone can copy them, convert its content to MP3 or whatever; but they’re being sold quite nicely. Of course, you probably loose 20 percent of your “possible” sales, but hey, you still got 80 percent — and you don’t even need to worry about copyprotection and such. And possibly, due to the higher acceptance, you might even sell more than if it were copy-protected…

Proprietary things won’t sell

This is actually quite a heavy argument: What if your consumers won’t buy your hardware/software because it doesn’t work like they’re expect it to do? If they can’t load your MP3-player with the sounds they want, they probably won’t buy it. Today, every hardware-MP3-player can download music from a PC. Nobody will buy one if it can’t. The same will apply to e-books. So you need to comply to the users wishes in order to make your technology widespread. Going even further: Videotext (VTX/BTX) never took off — because it was proprietary and nobody except the various telcos were allowed to change something. On the other hand, the internet just stormed everything, because of open technology. Everyone can do what he wants with the underlying technology, because its open. And the same applies to any technology developed. Everyone can read and write a CD. If you can’t do this with DVD, people won’t use it on a broad base. DVD actually now has chances of becoming the next standard because its encryption was broken.

Choice: Niche-Technology or Killer-Application

It sums up to this. Keep it private and it gets its niche, or open it and make it the next killer-app. MP3 already is, DVD could be next, e-books won’t until their encryption is broken.

Update: DVD Companies don’t get it

Although this hasn’t really to do with copyprotection (DVDs may be copied 1:1 without touching the content scrambling system), css is used to make it impossible to use a DVD-player which has not agreed to the terms of the DVD-CA, and it makes it impossible to copy the movie (or parts thereof) onto other media than DVD. The issue is about the same as with copyprotection, as it denies you certain use of the data. The companies behind DVD, Columbia Pictures Industries, Inc., Disney Enterprises, Inc., Metro-Goldwyn-Mayer Studios Inc., Paramount Pictures Corporation, TriStar Pictures, Inc., Twentieth Century Fox Film Corporation, United Artists Pictures, Inc., United Artists Corporation, Universal City Studios, Inc., Warner Bros., a Division of Time Warner Entertainment Company, L.P. and their respective lawyers, Sargoy, Stein, Rosen & Shapiro still don’t get it and try to get every site to remove the css-decoder. The least thing we can probably do is to put it on a page and wait until they write us. If they need to write to 10’000 of people, they probably realize that this makes just no sense. Oh, and I’ll remove above link as soon as someone writes me — on paper.

Peter Keel, 13.11.1999

Addendum: MPAA tries to intimidate ISPs?

Indeed, the MPAA wrote, probably. Not on Paper, but an email,
from mpaa23@pacbell.net. And not to me but to my provider. Since I know my provider pretty well, I got it forwarded right away, here’s the Mail from mpaa23@pacbell.net, where mpaa23@pacbell.net allegedly speaks on behalf of the MPAA. Shift-click on the link to get the whole mail, including headers. A bad joke? Why would the MPAA not use its own domain (mpaa.org)? Why would it send an anonymous email? There is no name at the bottom of the message. How do they get the idea that killer.discordia.ch somehow should have the IP-Address of 193.246.253.10 (which is the DNS-server of my provider, and in no way home of my webpages)? Aren’t they capable of even doing a simple whois-query?

This leaves me with two possibilities: Either somebody is playing a stupid joke, or the MPAA is a completely clueless bunch of morons who aren’t even capable of doing a whois-query, who cannot maintain (or or aren’t even capable of letting it maintain) a mailserver on their own, and worst of all, don’t send their mails to the person who allegedly infringed their rights, but sneakily send it to its provider, in the hope to intimidate it, so he would pull the plug.

I’m currently researching which laws their css (not DeCSS!) violates, and it seems clear that the “fair use” right is completely violated, though the implications with the (probably unconstitutional, even according to US-law) US-DMCA (Digital Millenium Copyright Act) are not clear. Here in switzerland there is no DMCA, but there is a “fair use” right, and there is a right to reverse-engineer…

Peter Keel, 26.9.2000

Addendum: I got a letter on Paper!

Due to a misconfiguration of my snailmail-accounts, I only got the letter (on paper) from the MPAA today. As pormised, I removed the CSS-Decoder from my page. The link above goes now to a general Site about CSS/DeCSS. Of course, you can get DeCSS there. At least the MPAA hat something to do and to spend the money they’ve garnered. Here’s the Mail I sent to mpaa23@pacbell.net.

A note to the MPAA: I removed DeCSS because I promised to do if you write me on paper. You did, so I removed it. And no, the Link to the foreign site won’t magically disappear if you write me again, we’ve had that, try something else. Like a) bribing me, b) bribing swiss politicians into accepting your DMCA c) any other measure you think is adequate to censor free speech, kill privacy, violate the constitution and destroy democracy. Your greed and lack of scruple is just unbelievable, read my (earlier) essay on YOU: Conquistadores on the Internet, but maybe the title is a bit misleading, since you’re really a predator in the real world too, ripping apart human rights for financial gain.

Peter Keel,

2000-10-17