Post DRM

content.exe is evil

Thursday, February 16th, 2006

I occasionally run into people who think users should download content (e.g., music or video) packaged in an executable file, usually for the purpose of wrapping the content with where the content format does not directly support DRM (or the proponent’s particular DRM scheme). Never mind the general badness of Digital Restrictions Management; requiring users to run a new executable for each content file is evil.

Most importantly, every executable is a potential vector. There is no good excuse for exposing users to this risk. Even if your executable content contains no malware and your servers are absolutely impenetrable such that your content can never be replaced with malware, you are teaching users to download and run executables. Bad, bad, bad!

Another problem is that executables are usually platform-specific and buggy. Users have enough problems getting the correct codec installed. Why take a chance that they might not run Windows (and the specific versions and configurations you have tested, sure to not exist in a decade or much less)?

I wouldn’t bother to mention this elementary topic at all, but very recently I ran into someone well intentioned who wants users to download content wrapped in , if I understand correctly for the purposes of ensuring users can obtain content metadata (most media players do a poor job of exposing content metadata and some file formats do a poor job of supporting embedded metadata, not that hardly anyone cares — this is tilting at windmills) and so that content publishers can track use (this is highly questionable), all from a pretty cross platform GUI. A jar file is an executable Java package, so the platform downside is different (Windows is not required, but a Java installation, of some range of versions and configurations, is), but it is still an executable that can do whatever it wants with the computer it is running on. Bad, bad, bad!

The proponent of this scheme said that it was ok, the jar file could be . This is no help at all. Anyone can create a certificate and sign jar files. Even if a creator did have to have their certificate signed by an established authority it would be of little help, as malware purveyors have plenty of resources that certificate authorities are happy to take. The downsides are many: users get a security prompt (“this content signed by…”) for content, which is annoying, misleading as described above and conditions the user to not pay attention when they install things that really do need to be executable, and a barrier is raised for small content producers.

If you really want to package arbitrary file formats with metadata, put everything in a zip file and include your UI in the zip as HTML. This is exactly what P2P vendor ‘s Packaged Media File format is. You could also make your program (which users download only once) look for specific files within the zip to build a content-specific (and safe) interface within your program. I believe this describes ‘s Kapsules, though I can’t find any technical information.
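A sketch of the "program looks for specific files within the zip" approach, as an added example rather than code from this post or from any of the formats it mentions. The layout (`metadata.json`, `index.html`, the extension allowlist) and the function names are assumptions made up for illustration.

```python
import io
import json
import zipfile
from pathlib import PurePosixPath

# Assumed layout (hypothetical, not a published format): metadata.json at the
# root, optional index.html, and media files with passive extensions only.
ALLOWED_EXT = {".json", ".html", ".css", ".txt", ".jpg", ".png", ".ogg", ".mp3", ".flac"}
# Leading bytes of PE, ELF, Java class, nested zip/jar, and script files.
EXEC_MAGIC = (b"MZ", b"\x7fELF", b"\xca\xfe\xba\xbe", b"PK\x03\x04", b"#!")
MAX_TOTAL = 500 * 1024 * 1024  # cap on declared uncompressed size


def inspect_package(data: bytes) -> dict:
    """Return {'metadata': dict, 'files': [names]} or raise ValueError.

    Nothing is extracted to disk and nothing in the package is executed.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        if sum(i.file_size for i in infos) > MAX_TOTAL:
            raise ValueError("package too large")
        for info in infos:
            path = PurePosixPath(info.filename.replace("\\", "/"))
            if path.is_absolute() or ".." in path.parts:
                raise ValueError(f"unsafe path: {info.filename}")
            if path.suffix.lower() not in ALLOWED_EXT:
                raise ValueError(f"disallowed file type: {info.filename}")
            with zf.open(info) as fh:
                head = fh.read(4)
            # An allowed extension does not prove passive content: check magic.
            if head.startswith(EXEC_MAGIC):
                raise ValueError(f"executable content: {info.filename}")
        try:
            meta = json.loads(zf.read("metadata.json"))
        except KeyError:
            raise ValueError("missing metadata.json") from None
        return {"metadata": meta, "files": sorted(i.filename for i in infos)}


def build_zip(entries: dict) -> bytes:
    """Build a constructed sample package in memory (for demonstration)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

The player decides what to render from the returned file list and metadata, so the package itself never gets to run code on the user's machine.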

Better yet put your content on the web, where users can find and view it (in the web design of your choice), you get reasonable statistics, and the don’t get fed. You can even push this to 81/19 by including minimal but accurate embedded in your files if they support it — a name users can search for or a URL for your page related to the content.

Most of the pushers of executable content I encounter, when faced with security concerns, say it is an “interesting and hard problem.” No, it is a stupid and impossible problem. In contrast to the web, executable content is a 5/95/-1000 solution — that last number is a .

If you really want an interesting and hard problem, executable content security is the wrong level. Go work on platform security. We can now run sophisticated applications within a web browser with some degree of safety (due to Java applet and Flash sandboxes, JavaScript security). Similar could be pushed down to the desktop, so that executables by default have no more rights to tamper with your system than do web pages. is an aggressive approach to this problem. If that sounds too hard and not interesting enough (you really wanted to distribute “media”), go the web way as above — it is subsuming the desktop anyhow.

Redefining light and dark

Monday, November 28th, 2005

The wily Lucas Gonze is at it again, defining ‘lightnet’ and ‘darknet’ by example, without explanation. The explanation is so simple that it probably only subtracts from Gonze’s [re]definition, but I’ll play the fool anyhow.

Usually darknet refers to (largely unstoppable) friend-to-friend information sharing. As the name implies, a darknet is underground, or at least under the radar of those who want to prohibit certain kinds of information sharing. (A BlackNet doesn’t require friends and the radar doesn’t work, to horribly abuse that analogy.)

Lightnet, as far as I know, is undefined in this context.*

Anyway, Lucas’ definition-by-example lumps prohibited sharing (friend to friend as well as over filesharing networks) and together as Darknet. Such content is dark to the web. It can’t be linked to, or if it can be, the link will be to a name,** not a location, thus you may not be able to obtain the content (filesharing), or you won’t be able to view the content (DRM).

Lightnet content is light to the web. It can be linked to, retrieved, and viewed in the ways you expect (and by extension, searched for in the way you expect), no law breaking or bad law making required.

* Ross Mayfield called iTunes a lightnet back in 2003. Lucas includes iTunes on the dark side. I agree with Lucas’ categorization, though Ross had a good point, and in a slightly different way was contrasting iTunes with both darknets and hidebound content owners.

** Among other things, I like to think of magnet links and as attempting to bridge the gap between the web and otherwise shared content. Obviously that work is unfinished. As is making multimedia work on the web. I think that’s the last time I linked to Lucas Gonze, but he’s had plenty of crafty posts between then and now that I highly recommend following.

Most Rights Denied

Saturday, November 5th, 2005

Ryan King has created a funny spoof of Creative Commons licenses–the Uncreative Uncommons Humor Link Back Don’t Repeat 0.1beta3 license–compare to the Creative Commons Attribution-NonCommercial-ShareAlike 2.5 license. Can you use hu-lb-dr? Nope:

The UU license is itself available under the UU license, which means, no. See stipulation #3: “You may not paraphrase, repurpose or in any way retell the content. It is like “telling someone else’s joke” and that’s not cool.”

Ha ha.

Someone ought to create a CC license deed spoof for EULAs and :

See the EFF’s A User’s Guide to EULAs for more ideas.

Infoanarchy, DRM and Celestial Jukebox

Monday, January 10th, 2005

On the brouhaha over Bill Gates’ interview with CNET at CES. The relevant bit:

[D]o you think intellectual-property laws need to be reformed?

No, I’d say that of the world’s economies, there’s more that believe in intellectual property today than ever. There are fewer communists in the world today than there were. There are some new modern-day sort of communists who want to get rid of the incentive for musicians and moviemakers and software makers under various guises. They don’t think that those incentives should exist.

And this debate will always be there. I’d be the first to say that the patent system can always be tuned–including the U.S. patent system. There are some goals to cap some reform elements. But the idea that the United States has led in creating companies, creating jobs, because we’ve had the best intellectual-property system–there’s no doubt about that in my mind, and when people say they want to be the most competitive economy, they’ve got to have the incentive system. Intellectual property is the incentive system for the products of the future.

The “communists” bit is the part that has gotten so many people worked up.

The Response. I enjoy calling out Gates’ idiocies as much as the next person, though much of the response I’ve seen has been a tad ebullient. Microsoft fans don’t create fascist art knockoffs when that company’s detractors incorrectly call it fascist. Glenn Otis Brown has the best response I’ve seen, posted on the Creative Commons weblog.

What Would Brezhnev Do? In a communist state would there be no financial incentives for artists? No, they’d simply be employed by the state. The Soviet Union took information control to extremes, including prohibiting use of photocopiers by scientists. I suspect that had the USSR survived to this day, the KGB would now be furiously trying to make Digital Restrictions Management work so as to gain access to a few of the wonders of computing without permitting open communication.

Advice to Gates. Call reformers anarchists rather than communists. For most people “anarchist” is derogatory and you wouldn’t be telling quite as much of a bald-faced lie.

The Real Issue. Forget labels. Gates’ substantial claim is that strong intellectual protectionism drives economic growth. Gates believes this. He isn’t simply shilling for MSFT’s latest strategy. It is on this point that Gates must be rebutted.

Apologies to you the reader and to Robert Nozick for this post’s overwrought title.

Individual Rights Management

Wednesday, December 29th, 2004

Cory Doctorow correctly lambastes those soft on DRM for the umpteenth time. The following excerpt sparked a thought:

DRM isn’t protection from piracy. DRM is protection from competition.

Reminds me of airport “security” and similar. In the essay IDs and the illusion of security Bruce Schneier makes a case (not nearly as forcefully as can be done) that

Identification and profiling don’t provide very good security, and they do so at an enormous cost.

I’d argue that most measures justified by “security” actually make us less secure, in part because of their enormous cost. Another time.

Anyway, I think there’s a nice (ugly) symmetry in the arguments of apologists for Digital Restrictions Management and the national security state. Both are really much about restricting competition.

[Schneier link via Anton Sherwood.]

Seybold DRM Roundtable

Tuesday, August 17th, 2004

Tomorrow I’ll be on a DRM panel at the Seybold San Francisco publishing conference. See my Creative Commons weblog post for more info.

No, I will not be talking about porn restriction management.

Porn Restriction Management to the Future

Wednesday, August 11th, 2004

The porn industry and porn consumers are often said to be early adopters of consumer technology, e.g., VCRs and modems. So to what extent is porn delivered with Macrovision, CSS, region codes, and other copy protection methods as relevant to the formats in question?

I searched briefly but didn’t turn up any good answers, just assertions like

We can expect DRM to become commonplace as more porn producers take measures to prevent pirating of their content.

and

I should add that the porn market is also hot for DRM, but not too many vendors want to call attention to that.

and others wondering or speculating that porn site competition will stop DRM:

Some websites have begun to encode pr0n with drm requiring you to download a license every time you want to watch the movie. I’d just stop using those sites. They’ll get the hint when their traffic starts moving to sites with no drm. Hopefully. It doesn’t really make sense to drm a 10 second clip when it takes 20 sec. to dl the license.

I’m looking for data regarding DRM use for pornographic content. Please tell if you have any ideas or know a good place to ask, even if you’re reading this long after the posting date.

Update 20040813: Jake (last cite above) comments below that a company is already selling DRM to the porn market. Actually there are several. I’d be surprised if any DRM concern isn’t making some effort in this regard. My question has to do with whether many in the porn content industry are buying.

Tom W. Bell adds another guess:

My guess: No. Porn consumers seem content with cheaply produced and only modestly original works. Porn producers thus need not recover the sort of fixed up-front costs that plague the traditional film industry.

That’s my guess as well, but I have no evidence. Thus the query.

CC-Austin

Tuesday, March 23rd, 2004

Last week was a busy one for Creative Commons at SXSW, though perhaps not as busy as the week leading up to it.

The CC music panel attracted an if-you-don’t-use-DRM-you-hate-artists troll and hosted at least two interesting announcements: the CC Music Sharing “License” (actually a mere branding-for-music-people of the CC Attribution-NonCommercial-NoDerivs license, not a fragmentation) and physical artifacts from Opsound. Also check out Opsound’s Remix Ready logo/campaign:

Remix Ready
When you see this symbol it means that the artist has offered to provide uncompressed source material for remixing. If the files are available for download on a website, there will be a link you can follow, otherwise contact the artist by email to request the material you’d like to use. Please do be patient and allow the artist some time to respond. Obviously some specific materials may not be available. Have fun.

Great idea, and good segue to the CC film panel, at which the 4th Wall Films project was announced. The idea is to make film “source” — scripts, uncut footage, director’s notes — available for remixing. The panel engendered much excitement, and not just for 4th Wall. Film people seem to have a substantially different attitude than music people.

Heather Ford has a good writeup of both panels.

CC also hosted two parties with Magnatune and EFF-Austin. Jon Lebkowsky has many pictures of the first.