That’s what I love about web technologies, the secrecy.
What is meant by Standardized DRM is an oxymoron? I understand this for older technologies, like “shift each line according to this sequence: 1 5 7 42 9 0 2”, but what if your machine is connected to the internet?
Surely one could write “the dvd player has to call this ip, send this UID encrypted with the studio’s public key, and receive that”?
Oh, but then you could send a UID that is always accepted instead of the actual one, or spoof the server’s answer, I guess ^^
Assuming the standards will be shared with Google, Mozilla, Microsoft and Apple, does that mean that others aren’t allowed to write web browsers anymore? I mean, obviously I can code my own browser, but I can’t make it compliant with their standard because I can’t know what it is.
And do they seriously think that if they share the standards with the makers of the most popular web browsers so they can be implemented, that no one is going to leak them to the public? It’s only a matter of time.
Finally, does anyone behind this understand that there is a cable coming out of my computer that goes to a monitor that could instead go to a video recording device? That there are cables that instead of going to speakers could go to an audio recording device? Are they going to put DRM in copper wire? (I’m sure they’re working on it)
They are certainly doing their best:
Wild weird stuff there - especially after the recent post about laws needing to be public.
Secret web standards is just the oddest idea I’ve heard this week. I really see this going badly for everyone - everywhere.
Yeah, I’m sure they are. But I’ve had it explained to me by people who know better that if I have my hands on the hardware then true security is impossible. Intel can do whatever they want inside the cable but every monitor in the world has to be able to take that signal and turn it into video. If I buy any monitor in the world I have purchased a piece of hardware that has what I need to get around their security - that knows how to say, “Sure, you are sending information to a monitor, it’s safe to send me the video!” I mean, I can’t actually do it, but I know people who surely can, and a lot of people who don’t know the first thing about DRM know me.
(And now on to hyperbolic ranting about how the W3C decision can be likened to murder)
This just drives me insane. They try to scare us into not buying pirated DVDs because the money funds terrorist organizations. If that’s true, then somehow they’ve actually turned movies into the war on drugs. Are bodies piling up in a foreign nation because people want to watch North American movies in North America?
And even if terrorist groups were not selling pirated DVDs for cash I’m sure the recording industry gave them the idea by claiming that they were doing it. The world has so many people who would be happy to sell DVDs and drugs and who really don’t want to kill anybody. Somehow governments and standards bodies pass rules that ensure that only those who have an interest in murdering people can make profit off of certain segments of the economy.
“It’s your computer. Whatever steps the browser takes to obscure how it is playing the video back can be unpicked by you, at your leisure, so you can make a tool that gets around it.”
We have ways of solving that problem.
It’s probably more accurate to say that “standardized DRM that doesn’t exert control over implementors is an oxymoron”.
There are some in-house DRM schemes (Apple’s “fairplay” and Amazon’s “I don’t think it actually has a name, so I’ll just call it ‘451’”, kept proprietary largely for ecosystem lock-in); but there are plenty of “standardized” DRM schemes, CSS, AACS, Cablecard/Common Interface conditional access modules, etc.
However, all such schemes employ legal means (so-called “hook IP” which must be licensed, use of DMCA-style law, both, or other) to control who implements the standard, mandate that they include all crippling and control features the standard provides for, and usually have one or more cartel organizations that hand out cryptographic blessings to conforming implementations.
As you say, the seriously retro “DRM through obfuscation” schemes cannot be documented if they are to work; but strong crypto changed all that. You could have an OSS implementation of a crypto scheme if you wanted, so long as the root of control was in who signs the binaries. Sure, anybody could stub out the restrictions and compile a de-crippled version; but they couldn’t get it signed…
People will still be able to record DRM-hobbled video stuff. There’s CamStudio and Jing for starters.
So you return the signature of the original program when asked. IIRC, a similar trick was used on some IM client.
If signatures are needed to run, you just compile that bit out too. There needs to be something non-OSS in the chain for it to work.
The reply from the Netflix dude is reasonable in isolation, in that of course studios will never reveal their private requirements. The EME will have an “open spec”, but it will be open in the same way that Dual_EC_DRBG is an open spec.
And still, no one will explain why this belongs in a W3C spec. Why couldn’t the studios have gone with ECMA? It’s pretty much the entire purpose of that standards body, to standardize what everyone except one or a handful of commercial interests can’t standardize, won’t standardize, or don’t care to standardize. They had to have the imprimatur of the W3C (and in the process utterly discredit an organization which helps bring together the thing that makes their distribution methods obsolete).
The pragmatic (but nasty and underhanded) approach the W3C took was to standardize the interface to the so-called “Content decryption module” (Just don’t call it a plugin! Plugins are filthy and Not HTML5, but CDMs are A-OK!). The interface itself is pretty trivial, and fully open, and doesn’t have any control over the actual DRM process.
So, anyone who wants can add CDM interface support quite easily, no threat to OSS at all! But, if the CDM that a site wants isn’t available? Too bad, so sad. And it says, explicitly, that “CDM may use or defer to platform capabilities” (so “standard” support that only works on browsers running in Windows with WMDRM available, or browsers running on iDevices with fairplay available, or Roku boxes with hardware-locked DRM of some kind, all doable). Further “CDM implementations may return decrypted frames or render them directly”: this means, in practice, that the area in the browser window occupied by a DRMed video may be (and likely will be, since handing unencrypted frames back to an untrusted browser would be idiotic), 100% under the control of the CDM, from decryption to framebuffer to monitor. In principle, one could even abuse this to implement arbitrary plugin-like capabilities within the CDM: you’ve got a bidirectional data-transfer channel, and you’ve got arbitrary control over an area of screen, and you’ve got a binary black-box running whatever code you want, so re-implementing Flash, Java, Emacs Lisp, or anything else as a “CDM” rather than a “plugin” would be 100% doable. Ugly, outside the spirit of the standard; but totally within the letter of the standard.
You could even implement an entire “trusted” web browser (say a basic webkit build) inside the CDM, and wrap your entire website in DRM, finally defeating the wicked “right click” and “view source” menaces once and for all…
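Added example, not part of any comment in this thread: the open half of EME is just a negotiation call, and whether playback works depends entirely on which CDM the platform happens to ship. The probe configuration and the `mockNavigator` stand-in are constructed for illustration; the key-system strings are the publicly documented identifiers.

```javascript
// Added illustration: ask the standardized EME interface which CDMs exist.
// The interface is open; the CDMs behind three of these strings are not.
const KEY_SYSTEMS = [
  'org.w3.clearkey',          // the only key system the EME spec itself defines
  'com.widevine.alpha',
  'com.microsoft.playready',
  'com.apple.fps.1_0',
];

const PROBE_CONFIG = [{       // constructed minimal configuration
  initDataTypes: ['cenc'],
  videoCapabilities: [{ contentType: 'video/mp4; codecs="avc1.42E01E"' }],
}];

// Resolves to { keySystem: true|false } for every candidate.
async function probeKeySystems(nav, candidates = KEY_SYSTEMS) {
  const result = {};
  for (const ks of candidates) {
    if (typeof nav.requestMediaKeySystemAccess !== 'function') {
      result[ks] = false;     // no EME interface at all
      continue;
    }
    try {
      const access = await nav.requestMediaKeySystemAccess(ks, PROBE_CONFIG);
      result[ks] = access.keySystem === ks;
    } catch (err) {
      // Rejected (NotSupportedError) when no matching CDM is installed.
      result[ks] = false;
    }
  }
  return result;
}

// Constructed stand-in for a browser that implements the open interface
// but only has the listed CDMs available on this platform.
function mockNavigator(supported) {
  return {
    requestMediaKeySystemAccess(ks, configs) {
      if (!supported.includes(ks)) {
        const e = new Error('Unsupported keySystem');
        e.name = 'NotSupportedError';
        return Promise.reject(e);
      }
      return Promise.resolve({ keySystem: ks, getConfiguration: () => configs[0] });
    },
  };
}

// In a real browser: probeKeySystems(navigator).then(console.table);
```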
Closed Open Standard… yeah, that’s going to work. This is why the corps can never get their technology right. If they try this crap the standard is going to fail and we, the implementers of internet standards, will have to drag them over to something functional and rational kicking and screaming. The corps gumming up the internet is a non-starter.
This is why I use lynx. You kids and your images.
Because by its nature DRM cannot be standardized, because that would mean giving away the means for anyone to defeat it. At the same time DRM as part of a “standards” specification is also an oxymoron. This is the snake eating its own tail.
I just put a video camera in front of my screen. Beat that!
The worst part is that this was the concern that was voiced 15 years ago when DRM percolated into people’s minds… I remember long rants on Slashdot warning that eventually it would collide with the average joe’s ability to use their computer and subvert not just our freedoms but open standards.
It’s not really a surprise that it happened, but it’s extremely unfortunate that anyone was able to prevent such a predictable outcome.
The W3C has revealed itself to be a limp dicked figurehead who’s no longer relevant.
Yup all bullshit really, at the end of the day unworkable. Kurt Gödel proved that a long time ago, complexity will only help with leverage.
The real issue here is with those parties that are pushing for this “sugar”. Really they aren’t dissimilar from say the NSA and their efforts to undermine. What those that are pushing for this should be doing is to realise that what they produce isn’t actually worth that much, it needs to be cheaper. Funny how those bodies that often view themselves as capitalists and are so quick to protect their business model don’t seem to understand the basics of economies of scale.
Get that right and DRM won’t be needed in the first place, because people will actually tend to pay for your crap.
My feeling is that while the video camera on a box technology is promising, it needs more development effort before it’s ready for prime time.