iBooks DRM has been cracked. (the-digital-reader.com)
173 points by AndrewDucker on Feb 25, 2012 | hide | past | favorite | 56 comments



I’ve always thought that DRM only remained unbroken so long as no hacker was interested in breaking it.

This has always been true; why break the weak DRM on a low-quality 'Netflix' stream when you can do an HDTV rip or even a Blu-ray rip?

But the instant you create exclusive content that everyone wants on such a service, the DRM will be broken faster than you can say "DMCA".

The downside of this is it lets companies delude themselves (and others) into thinking that their DRM is "secure", when in reality it is simply that nobody cares about them.


This hasn't been the case with Blu-Ray, right? We've gone weeks and weeks without breaks in whatever the most recent updates to BD+ are.


Blu-ray is an interesting case; the 'pirates' seem to have gotten quite lazy because SlySoft has been doing all their work for them.


There's also the odd case where BD was never properly broken, because it's never been needed. People have just depended on broken players, which has worked remarkably well so far.


I think this is what shows that DRM really is hopeless. For DRM to work, it has to work every time. For DRM to be broken, it only needs to fail once. After one guy has extracted the media, it can then be distributed to the world even if nobody else can break the DRM.


Not really. The content providers only have to hold the line (a) on high-quality and (b) during the new-release window. It's true that eventual failure is inevitable, but the economic case for DRM doesn't rely on permanent protection.


Considering it rarely takes a week for a popular game's DRM to be broken, the window between copy protection and the lack thereof does not necessarily mean much. What many people forget is that there will always be leechers out there, but there are also people who will make the moral choice and buy the content.

PS: I will torrent a show if my DVR fills up or something. But I don't cancel cable and download everything, and I still pay to see movies in the theater. Why? Because there is no penalty for downloading, it just becomes a moral choice, and that's where I draw the line.


> Considering it rarely takes a week for a popular game's DRM to be broken, the window between copy protection and the lack thereof does not necessarily mean much.

It means a lot because the majority of a game's total sales will be in the first 3 weeks. After one month, you're more or less done. Very few games have any sort of tail, let alone a long one. [EDIT: I'm speaking in general for high-profile retail games]

Assuming that even a small percentage (say 1%) of pirates will try piracy first but will resort to paying if the piracy option fails, then having DRM that is unbroken for the first week could mean the difference of $millions in revenue.


Based on my understanding of the market from friends who work in this space, this is exactly correct.


I can point to games that I did not buy specifically because they had horrible DRM. Most notably Crysis 2 and Spore, which I had preordered and then canceled after I read how bad the DRM was. Granted, the fact they both got many poor reviews also helped that decision. But DRM costs companies significant amounts of money to deploy and also costs them sales.

Now, done well or even just unobtrusively, DRM clearly can work, most notably with consoles, phones, and Steam. My point is simply that buying 48 hours, which is considered a success in many DRM circles, does not mean you actually benefit monetarily; you need to look beyond time-to-crack, expect that it will be cracked, and consider how enticing you can make the gilded cage. It's possible to make always-on DRM orders of magnitude harder to crack, but doing so will cost you many upfront sales, some of whom will wait for that first crack, unless being online is already inherent to gameplay.


> But DRM costs companies significant amounts of money to deploy and also costs them sales.

Not necessarily true on either count.


Equating the downloading of a file with "morals" is silly.


Morals aren’t just for when you decide that killing people is a bad idea.

I think it’s morally right to not jaywalk when there are children around. That’s even less harmful than downloading files, but it’s still a moral question.


Maybe my statement needs to be modified a bit, but the general idea still holds. DRM needs to work to prevent (a) and (b) for everybody, whereas if just one person can break the DRM with high-quality results during the new-release window, they lose.


That's true, of course, but modern DRM schemes anticipate exactly that, and so they put lots of effort into making it cost-prohibitive to break the scheme in under 2 weeks.

Maybe it's the case that everyone has backed off Blu-Ray because of Slysoft, but either way: BD+ has protected the new-release window for Blu-Ray disks in several instances (you can check out the Slysoft message boards to see when that's happening).

If you want to see an example of an (as far as I know) unbroken DRM scheme, look at the modern crypto cards in satellite TV systems.


You totally hit the nail on the head: DRM 'works' if it makes it difficult to get access to content, not impossible. And of course, I say that having spent the majority of my teenage years reversing DRM. Nobody believes that DRM will hold up forever, but there's a huuuuge imbalance here that favors the DRM creators, which is that it's really, really easy to put together modifications on a DRM system that make a reverser's life hell. For a while, iTunes was rolling out a new version of their store page crypto with every release (and deprecating the old one) so I'd have to go and reverse it to keep my iTMS client working; I may have kept up for a while, but eventually I stopped because it simply took too much damn time, and they won in the end with a fairly small amount of work from their side.

That imbalance means that DRM will always work, even if it doesn't 'work'.


While I'm pretty sure you already know this, I doubt many people on this thread do:

The BD+ scheme that protects Blu-Ray disks was designed by very, very smart people (outside the content industry) to make it maximally easy to update the protection scheme, potentially on a title-by-title basis, without ever having to ship new players (and ideally never having to update player firmware).


I read the Wikipedia entry on BD+ to see what made it special. Sounds like it's essentially a way to implement DRM on the disc rather than in the player by having the player provide a virtual machine which executes arbitrary DRM code on the disc. However, it seems like this would be defeated permanently by simply implementing the virtual machine in the hypothetical DRM unlocker. Has it simply been too difficult to fully reverse engineer, or is there some other hurdle in the way beyond that?


I can't comment in any detail here, but the problem of implementing the particular VM that BD+ programs are written to is not a trivial one, more akin to implementing a simulator for an entire X86 execution stack including the chipset, microarchitecture, and all the MSRs than it is to writing a JVM. Get anything wrong and you fail to derive keys.


This actually seems to paint a nice picture where everybody wins. Content producers win because DRM only needs to work for a short time. Everybody else wins because it can still be cracked in relatively short order.


If you merge these 2 aspects: DRM first, free(er) one later, you could get most of the money, and the PR bonus of being DRM free, which, as more people get annoyed by cumbersome DRM, could even give you a 2nd sales bump.

The problem would be to avoid the situation where it's released, and nobody buys it for the first week/month/whatever, and then it's immediately distributable.

The answer might lie in the 'ransom model', which is a bit like kickstarter, except "Once we've made $n million or sold 5M copies, we'll open it up"

You then get that money almost guaranteed (avoiding the simple delayed purchase option), and if done carefully, you might even hit your targets before it's cracked, which if you can do that with any regularity, crackers may just stop bothering (Or they'll take it as even more of a challenge - hard to say)


The crypto cards in modern satellite TV systems haven't remained unbroken. I know of several people personally that are pirating satellite TV right now. It just required a lot more work and physical access to hardware and not just a simple software hack.

The other thing about satellite TV is that once broken for one person the knowledge has to be given to many other people for them to gain anything from it. With breaking Blu-Ray one person has to rip it to 1080p video and the rest can download it...


This isn't so much a refutation of my comment as it is a quibble about what it means to be "broken". A little over a decade ago, any moron could visit one of several web sites, pay around $100, and have shipped to them everything they needed to watch DirecTV for free.

Today, you apocryphally know of several people who are pirating satellite TV.

I'm going to go ahead and call this one for DirecTV.


Sure, it is a lot more limited to just certain people (mostly hardware hackers) but that doesn't mean it isn't broken.

Sure, call it for DirecTV/Dish; I would definitely agree that they have raised the bar significantly. I know several of the people working at Dish who are working to make it even harder (and they do toy with the hackers :P).

We still consider MD5 broken, even though finding collisions that make a real-world difference is still considered difficult and isn't done by the layman.


This attitude is one reason nerds have such a hard time reasoning about software protection.

The fact is, DRM isn't an academic exercise. It's software written in order to make content producers money by (for the most part) protecting the new-release window of new titles (or, in DTV's case, by making it riotously expensive to pirate satellite TV).

Nerds look at the graph of facts around any given DRM scheme, create the all-pairs shortest path of conclusions in their head, discover one or more cases in which the DRM scheme isn't perfect, and declare it "broken". But business owners couldn't care less: as long as the title is making more money, DRM was a win for them.

Somewhat tangentially: MD5 is still unbroken in some constructions.


DRM is broken as a theoretical construct.

MD5 is broken, but the concept of cryptographic hashes is solid. There's no theoretical problem with the idea of a function where f(a) != f(b) implies a != b to an extremely high probability. The only trick is coming up with real-world systems which approach the theoretical ideal.

DRM, on the other hand, is a theoretical impossibility. It aims to show content without allowing it to be copied, which is a concept that makes no sense. In practice it can work to an extent, but this is only done by coming up with real-world systems which run in the opposite direction from the theoretical ideal.

I'm not at all convinced that business owners couldn't care less. They keep raising the bar, both technologically and legally. Breaking DRM, even for purposes that would otherwise be legitimate, has been illegal in the US for over a decade now. And this is ultimately the crux of the problem, and what causes people to frustratedly declare that DRM is a broken concept. It is a crime to express certain mathematical concepts, and the only reason that's the case is because businesses make up for the lack of theoretical rigor in DRM by bringing in the power of the law.

Imagine if the cryptographic community's response to the break of MD5 was to lobby for a law that made it illegal to generate hash collisions or create or distribute code that could do that, because theory prohibited anything substantially better than MD5 from being produced. MD5 is still a useful hash through the present day and well into the future, but in that hypothetical and counter-factual situation, I think it would be reasonable to call the concept of cryptographic hashing broken.


We're talking past each other. I'm stipulating that DRM is "broken theoretically" and arguing that it doesn't matter.

I'm also pointing out that MD5, though "broken", is actually cryptographically viable in some constructions --- in other words, there are cryptographic applications of MD5 that have no known viable attacks, even though MD5 is itself a weak hash. It's a tangent, but I thought a telling one: even though the nerdy vantage point is "MD5 is broken, avoid at all costs!", the reality is that it still works in some settings. Just like DRM.

Finally, if you want to reason through the legalities of DRM laws, start thinking in terms of contract law instead of technology. The reason content owners would like it to be unlawful to break DRM is that they shouldn't need to incur an arms race merely to enforce otherwise binding contracts. The fact is that it is entirely lawful to make access to an entertainment title conditioned on acceptance of a contract not to distribute the title. Violating that contract is unlawful. DRM exists in order to make it harder to violate binding contracts. In fact, the laws regarding DRM even anticipate the hardships DRM creates for normal users, and creates exceptions for breaking DRM in cases of interoperability and security research.

It is in no case a "crime" to express mathematical concepts, except under exceedingly silly definitions of the term "mathematical concept" (any piece of content can of course be described mathematically; that doesn't make it lawful for me to steal and publish your credit card number).


The illegality of distributing a title without permission has nothing to do with contract law. It's a basic principle of copyright. No contract needs to be in place, explicit or implicit, to prevent that.

DRM does not solely exist to make it harder to violate that law. DRM also exists to prevent use of the buyer's own rights. DRM prevents fair use as well as infringement, and I'm pretty sure the media companies consider this to be a feature, not a bug.

When I say "mathematical concepts", I'm talking about algorithms, not content. I think that e.g. the core of DeCSS qualifies as a mathematical concept, and it's illegal to express it under current US law, although that law is widely ignored.


In other words, they only have to fool themselves into thinking it's doing them any good?


I'm not sure what this comment is supposed to mean. Maybe if you rephrased it?


I don't believe it actually helps them economically, though Hollywood has a pretty funky take on accounting so you never know. I can't imagine a sane business being glad that they were able to successfully delay selling things for X months.

I understand the rational explanations for that, but I'm just as sure that people aren't that rational. Essentially, they're trying to be too good at the negotiating game. Ever been too good at a game? Nobody wants to play with you any more.


Piracy is not the reason there's a new-release window in which most titles make a plurality of the total return for the title.


I don't believe I said otherwise?

EDIT: I was referring to the DRM part of it. The fact that people are impatient (and that this drives piracy) is kind of my point.


"When StarForce 3.0 was released, it initially provided extremely strong protection - the StarForce 3.0-protected game Splinter Cell: Chaos Theory was uncracked for 424 days. It also marked a significant step up in the effort required to reverse engineer it."

http://en.wikipedia.org/wiki/StarForce


Starforce, for those here not familiar with it, is essentially a very competently designed kernel rootkit: it installs a VM in kernel mode triggered by interrupt handlers, hooks nt!SwapContext to track every execution context on the system, and basically runs as a resident service to decrypt functions in game titles on demand.


Now that Netflix has original exclusive content, can we look forward to someone hacking the Netflix stream?


Since the pirates are going to re-encode anyway, there is no reason they have to do that -- Netflix is software, and they can just grab the image and sound data after the program has decoded them.


I've been told there are torrents of exclusive Netflix content.


Are they decrypted from the stream or screencapped and transcoded? If it's the latter, then that's trivial and doesn't require breaking anything, it just causes a good bit of degradation.


It'll have to wait for something better than Lilyhammer to come along...


Hey it was a pretty decent show! Did you watch them all?


Official site (requires Tor to be installed): http://tag3ulp55xczs3pn.onion/cgi-bin/ssi/index.shtml

Webified link (doesn't require Tor): http://tag3ulp55xczs3pn.onion.to/cgi-bin/ssi/index.shtml


Holy crap! I thought Requiem hadn't been updated in years!

Thanks for the links.

*edit

The onion site seems to have a heck of a time serving files. I've been trying for an hour and have yet to get a valid zip. Some kind soul is seeding out a torrent of all three archives (windows, mac, and source)

Try this:

magnet:?xt=urn:btih:a8f71c6c1b773a2f43850e4dae9189165a7ba0aa&dn=requiem-3.3.4&tr=udp%3A%2F%2Ftracker.openbittorrent.com%3A80%2Fannounce&tr=http%3A%2F%2Ftracker.istole.it%2Fannounce


There's one thing about cracking DRM that has me puzzled. Consider DRM on music, for instance. Suppose we have a 4 minute song, stored as an MP3 with DRM.

The ideal crack results in a 4 minute audio file, without DRM, that is the same audio quality as the input MP3, and is about the same size.

If we didn't care about size, there would be an easy way to crack the DRM. Just play back the music and capture the digital audio stream, and store that as a WAV file, or compress it with a lossless compressor. That preserves the audio quality, but the file is bigger.

If we are willing to give up some audio quality, we can do the above, but use an MP3 encoder. That should get us back down to near the original size, but the decoding and re-encoding as MP3 will cause some audio degradation.

Let's think about the MP3 format in an abstract way for a moment. Consider the set of all possible 4 minute audio streams. Define a given stream as being "perfectly representable" as an MP3 of bit rate B if there exists an MP3 encoding at a rate of B that decodes perfectly to that stream.

A general purpose MP3 encoder takes an input stream, and produces an MP3 file that decodes to a perfectly representable stream that is close to the input stream--ideally only differing in ways that people can't hear.

So here's the question--if the input stream to an MP3 encoder is perfectly representable, why is the output usually a file that decodes to a different perfectly representable stream?

It seems to me it should be possible to design an MP3 encoder with the property that under the operation of encoding followed by decoding, the perfectly representable streams are fixed points. I'll call such an encoder "representation preserving".

With such an encoder, removing DRM from an MP3 file consists simply of playing it back using whatever is normally used to play files with that DRM system, capturing the digital output stream, and then re-encoding with a representation preserving MP3 encoder. The result will be a DRM-free MP3 with exactly the same quality as the MP3 you started with, and compressed to about the same file size.


The mathematical term you're looking for is Idempotence [1].

I'm speculating that the difficulty of such a feat depends on how many free variables an encoder has to choose from.

For example, in the case of a compressor, there are probably quite a few arbitrary choices that can be made at the compressor side that make little difference to compression quality in general -- but may make reproducing the exact same result difficult. The search-space might be very large.

I'll also speculate, though, that even if perfect reproduction is not possible, a compressor that's designed to work on the digital output of a decompressor of the same algorithm can probably be designed to do a better job on that particular example.

[1] http://en.wikipedia.org/wiki/Idempotence
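A worked illustration, added for this page and not code from either commenter, of the "representation preserving" encoder proposed above and the idempotence / free-variable point made in this reply. Everything in it is constructed: a single uniform quantiser with step `STEP` stands in for "an MP3 encoding at bit rate B", the input track is a synthetic tone, and TPDF dither is used as the example of an arbitrary choice an encoder is free to make. None of this models the real MP3 format; it only shows why a deterministic quantiser has decoded streams as fixed points while one with a random free variable does not.

```python
import math
import random
from typing import Callable, List

# Constructed toy codec: a uniform quantiser with step STEP stands in for
# "an MP3 encoding at bit rate B". Code words and PCM samples are ints.
STEP = 64


def decode(codes: List[int], step: int = STEP) -> List[int]:
    """Toy decoder: expand code words back to PCM samples."""
    return [c * step for c in codes]


def is_representable(samples: List[int], step: int = STEP) -> bool:
    """True if the stream is an exact decoder output ('perfectly representable')."""
    return all(s % step == 0 for s in samples)


def encode_preserving(samples: List[int], step: int = STEP) -> List[int]:
    """Deterministic round-to-nearest quantiser.

    A perfectly representable stream (every sample a multiple of step) maps
    to the unique code words that decode to it, so decode -> encode leaves
    the code words unchanged: representable streams are fixed points.
    """
    return [round(s / step) for s in samples]


def encode_dithered(samples: List[int], rng: random.Random,
                    step: int = STEP) -> List[int]:
    """Quantiser that adds triangular (TPDF) dither before rounding.

    Dither is a legitimate encoder choice (it decorrelates quantisation error
    from the signal), but it is exactly the kind of free variable mentioned
    above: re-encoding a decoded stream can land on a neighbouring code word,
    so decoded streams are no longer fixed points.
    """
    out = []
    for s in samples:
        d = rng.uniform(-step / 2, step / 2) + rng.uniform(-step / 2, step / 2)
        out.append(round((s + d) / step))
    return out


def is_fixed_point(encoder: Callable[[List[int]], List[int]],
                   codes: List[int]) -> bool:
    """Does one decode -> encode generation reproduce the code words exactly?"""
    return encoder(decode(codes)) == codes


def max_generation_error(encoder: Callable[[List[int]], List[int]],
                         codes: List[int], generations: int = 5) -> int:
    """Largest per-sample PCM deviation from the original decoded stream after
    decoding and re-encoding `generations` times (generation loss)."""
    reference = decode(codes)
    cur = list(codes)
    for _ in range(generations):
        cur = encoder(decode(cur))
    return max(abs(a - b) for a, b in zip(decode(cur), reference))


def constructed_track(n_samples: int = 4000) -> List[int]:
    """Constructed 'purchased file': code words from a first encode of a synthetic tone."""
    pcm = [int(20000 * math.sin(i / 7.0)) for i in range(n_samples)]
    return encode_preserving(pcm)


def compare(seed: int = 1) -> dict:
    """Run both encoders over the constructed track and report the contrast."""
    original = constructed_track()
    rng = random.Random(seed)
    dithered = lambda pcm: encode_dithered(pcm, rng)
    return {
        "decoded_is_representable": is_representable(decode(original)),
        "preserving_fixed_point": is_fixed_point(encode_preserving, original),
        "dithered_fixed_point": is_fixed_point(dithered, original),
        "preserving_error_after_5_gens": max_generation_error(encode_preserving, original),
        "dithered_error_after_5_gens": max_generation_error(dithered, original),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The deterministic quantiser reproduces its own output exactly across any number of generations, while the dithered one drifts by up to one step per generation. A real MP3 encoder has many more free variables than a dither choice (its psychoacoustic model, bit reservoir and block-switching decisions), so whether it behaves like the first case or the second is the empirical question the thread is circling.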


Actually, MP3 should in fact do that. Assuming you added no noise, re-encoding an MP3 should give you the identical stream.

Of course "should" doesn't equal "does", but I believe that MP3s do re-encode pretty well.


I can confirm that yes, it has been cracked. Happily it is (as far as I know) not yet illegal for me to remove DRM protection from books I've purchased, although I'm sure that will change soon.


I think in the USA, the DMCA has made it illegal to break the copy protection on copyrighted work?

It may or may not be against the iBooks EULA, which might put you in breach of contract, or make you guilty of using a computer system without agreement.


I am not in the USA, but yes, I think you are correct about the DMCA.

Unfortunately, after looking into things it seems that the law in Sweden also prohibits breaking DRM. There is a provision that if I am unable to otherwise use the content, I am allowed to break the copy protection. However, the law also prohibits making and spreading software that is capable of breaking copy protection, so that sort of contradicts that escape route (since they can just say that the illegal act was figuring out how to break the copy protection, not the actual breakage).

In Swedish, from the Swedish government: http://www.sweden.gov.se/content/1/c6/05/07/29/96c6bfb1.pdf

It's a sad state of affairs. :(


I am not a lawyer, but the DMCA makes an exception for compatibility. So I believe you have the right to break the DRM on a Kindle book so that you can read it on Linux.


I'm with you. I purchase my books but I'm not too fond of Apple's ebook reader. I'll finally be able to get those books into other apps. And, maybe I'll start buying more -- novel concept. :)


Great, now I honestly feel safe about buying from the iBookstore!

This can only lead to an increase in sales.

Did they not learn anything from the music industry? Sales have only gone up since they scrapped DRM! (citation needed)


I'm interested to see if this will be true for books as well. Taken in a continuum of attention required, you start with music, then go to movies, and finally to books. As a result, my ability to consume books is one to two orders of magnitude lower than music. That seems like it could impact the economics of discover-then-purchase that music "piracy"/"free marketing" has wrought.

Regardless, I think it will always be good for the long tail authors.


According to best-selling author Paulo Coelho, piracy's free marketing has increased his sales: http://thenextweb.com/2008/12/09/author-paulo-coelho-support...


Surprised that websites are barely picking up on this, since the solution has been out for roughly two weeks now. Requiem works great and it takes a matter of seconds to complete, regardless of whether you're removing DRM from a book or TV show.

Glad to see Brahms finally getting some much-deserved recognition.


Nice. My hope is that the market for eBooks (and video) ends up going the way of digitally distributed music and ends up DRM-free.



