Archive for the ‘DRM’ Category

Do You Feel Chilled? W3C and DRM

Monday, February 13th, 2017

Indefensible: the W3C says companies should get to decide when and how security researchers reveal defects in browsers by Cory Doctorow.

From the post:

The World Wide Web Consortium has just signaled its intention to deliberately create legal jeopardy for security researchers who reveal defects in its members’ products, unless the security researchers get the approval of its members prior to revealing the embarrassing mistakes those members have made in creating their products. It’s a move that will put literally billions of people at risk as researchers are chilled from investigating and publishing on browsers that follow W3C standards.

It is indefensible.

I enjoy Cory’s postings and fiction but I had to read this one more than once to capture the nature of Cory’s complaint.

As I understand it the argument runs something like this:

1. The W3C is creating a “…standardized DRM system for video on the World Wide Web….”

2. Participants in the W3C process must “…surrender the right to invoke their patents in lawsuits as a condition of participating in the W3C process….” (The keyword here is participants. No non-participant waives their patent rights as a result of W3C policy.)

3. The W3C isn’t requiring waiver of DMCA 1201 rights as a condition for participating in the video DRM work.

All true, but I don’t see how Cory gets to the conclusion:

…deliberately create legal jeopardy for security researchers who reveal defects in its members’ products, unless the security researchers get the approval of its members prior to revealing the embarrassing mistakes those members have made in creating their products.

Whether the W3C requires participants in the DRM system for video to waive DMCA 1201 rights or not, the W3C process has no impact on non-participants in that process.

Secondly, security researchers are in jeopardy if and only if they incriminate themselves when publishing defects in DRM products. As security researchers, they are capable of anonymously publishing any security defects they find.

Third, legal liability flows from statutory law and not the presence or absence of consensual agreement among a group of vendors. Private agreements can only protect you from those agreeing.

I don’t support DRM and never have. Personally I think it is a scam and tax on content creators. It’s unfortunate that fear that someone, somewhere might not be paying full rate, is enough for content creators to tax themselves with DRM schemes and software. None of which is free.

Rather than arguing about W3C policy, why not point to the years of wasted effort and expense by content creators on DRM? With no measurable return. That’s a plain ROI question.

DRM software vendors know the pot of gold content creators are chasing is at the end of an ever receding rainbow. In fact, they’re counting on it.

Speaking of Wasted Money on DRM / WWW EME Minus 2 Billion Devices

Friday, June 24th, 2016

Just earlier today I was scribbling about wasting money on DRM saying:


I feel sorry for content owners. Their greed makes them easy prey for people selling patented DRM medicine for the delivery of their content. In the long run it only hurts themselves (the DRM tax) and users. In fact, the only people making money off of DRM are the people who deliver content.

This evening I ran across: Chrome Bug Makes It Easy to Download Movies From Netflix and Amazon Prime by Michael Nunez.

Nunez points out that an exploit in the open source Chrome browser enables users to save movies from Netflix and Amazon Prime.

Even once a patch appears, others can compile the code without the patch, to continue downloading, illegally, movies from Netflix and Amazon Prime.

Even more amusing:


Widevine is currently used in more than 2 billion devices worldwide and is the same digital rights management technology used in Firefox and Opera browsers. Safari and Internet Explorer, however, use different DRM technology.

Widevine plus properly configured device = broken DRM.

When Sony and others calculate their ROI from DRM, be sure to subtract 2 billion+ devices that probably won’t honor the no-record DRM setting.

Pride Goeth Before A Fall – DMCA & Security Researchers

Friday, June 24th, 2016

Cory Doctorow has written extensively on the problems with present plans to incorporate DRM in HTML5:

W3C DRM working group chairman vetoes work on protecting security researchers and competition – June 18, 2016.

An Open Letter to Members of the W3C Advisory Committee – May 12, 2016.

Save Firefox: The W3C’s plan for worldwide DRM would have killed Mozilla before it could start – May 11, 2016.

Interoperability and the W3C: Defending the Future from the Present – March 29, 2016.

among others.

In general I agree with Cory’s reasoning but I don’t see:

…Once DRM is part of a full implementation of HTML5, there’s a real risk to security researchers who discover defects in browsers and want to warn users about them…. (from Cory’s latest post)

Do you remember the Sony “copy-proof” CDs? (See: Sony “copy-proof” CDs cracked with a marker pen.) Then, just as now, Sony is about to hand over bushels of cash to the content delivery crowd.

When security researchers discover flaws in the browser DRM, what prevents them from advising users?

Cory says the anti-circumvention provisions of the DMCA prevent security researchers from discovering and disclosing such flaws.

That’s no doubt true, if you want to commit a crime (violate the DMCA) and publish evidence of that crime with your name attached to it on the WWW.

Isn’t that a case of pride goeth before a fall?

If I want to alert other users to security defects in their browsers, possibly equivalent to the marker pen for Sony CDs, I post that to the WWW anonymously.

Or publish code to make that defect apparent to even a casual user.

What I should not do is put my name on either a circumvention bug report or code to demonstrate it. Yes?

That doesn’t answer Cory’s points about impairing innovation, etc. but once Sony realizes it has been had, again, by the content delivery crowd, what’s the point of more self-inflicted damage?

I feel sorry for content owners. Their greed makes them easy prey for people selling patented DRM medicine for the delivery of their content. In the long run it only hurts themselves (the DRM tax) and users. In fact, the only people making money off of DRM are the people who deliver content.

Should DRM appear as proposed in HTML5, any suggestions for a “marker pen” logo to be used by hackers of a Content Decryption Module?

PS: Another approach to opposing DRM would be to inform shareholders of Sony and other content owners they are about to be raped by content delivery systems.

PPS: In private email Cory advised me to consider the AACS encryption key controversy, where public posting of an encryption key was challenged with take down requests. However, in the long run, such efforts only spread the key more widely, not the effect intended by those attempting to limit its spread.

And there is the Dark Web, ahem, where it is my understanding that non-legal content and other material can be found.

Flashback: Breaking Coffee DRM in 2014

Friday, December 11th, 2015

Cory Doctorow tweeted a post from 2014: Defeat Keurig’s K-Cup DRM with a single piece of tape.

It’s difficult to imagine a more environmentally unfriendly coffee maker than those by Keurig.

For every cup of coffee it brews, it adds to landfill waste. Yeah, for every cup, the environment is incrementally diminished. Not by much for any one cup but imagine the thousands of cups per day that pour (sorry) from Keurig machines.

Normally I enjoy stories of breaking DRM efforts but in this particular case, it only encourages more environmentally unfriendly companies to spring up manufacturing the same wasteful products as Keurig.

The best way to deal with a Keurig machine is to superglue or weld the damned thing shut. That will decrease the demand for more outlets selling environmentally unfriendly forms of coffee. Well, not just one machine, there needs to be an epidemic of people sealing off their own machines.

Working from home I do quite well with a late 1950’s/mid-1960’s drip pot that requires only hot water and coffee. Nothing disposable except for coffee grounds and they go in the compost heap. Well, and the coffee bag that goes into recycling.

Make 2016 the year when the conspicuous consumption and waste of Keurig coffee machines ends.

PS: A common pot of coffee also saves time by narrowing the range of choices: the coffee is hot and black or the pot is empty. Fewer choices, quicker turn around at the coffee machine. 😉

Defeating DRM in HTML5

Saturday, May 11th, 2013

You may have heard that the W3C is giving the WWW label to DRM-based content vendors in HTML5: W3C presses ahead with DRM interface in HTML5.

From the post:

On Friday, the World Wide Web Consortium (W3C) published the first public draft of Encrypted Media Extensions (EME). EME enables content providers to integrate digital rights management (DRM) interfaces into HTML5-based media players. Encrypted Media Extensions is being developed jointly by Google, Microsoft and online streaming-service Netflix. No actual encryption algorithm is part of the draft; that element is designed to be contained in a CDM (Content Decryption Module) that works with EME to decode the content. CDMs may be plugins or built into browsers.

The publication of the new draft is a blow for critics of the extensions, led by the Free Software Foundation (FSF). Under the slogan, “We don’t want the Hollyweb”, FSF’s anti-DRM campaign Defective by Design has started a petition against the “disastrous proposal”, though FSF and allied organisations have so far only succeeded in mobilising half of their target of 50,000 supporters.

I could understand this better if the W3C was getting paid by the DRM-based content vendors for the WWW label. Giving it away to commercial profiteers seems like poor business judgement.

On the order of the U.S. government developing the public internet and then giving it away as it became commercially viable. As one of the involuntary investors in the U.S. government, I would have liked a better return on that investment.

There is one fairly easy way to defeat DRM in HTML5.

Don’t use it. Don’t view/purchase products that use it, don’t produce products or services that use it.

The people who produce and sell DRM-based products will find other ways to occupy themselves should DRM-based products fail.

Unlike the FSF, they are not producing products for obscure motives. They are looking to make a profit. No profit, no DRM-vendors.

You may say that “other people” will purchase those products and services, encouraging DRM vendors. They very well may but that’s their choice.

It is unconvincing to argue for a universe of free choice when some people get to choose on behalf of others, like the public.

DRM/WWW, Wealth/Salvation: Theological Parallels

Thursday, March 14th, 2013

Cory Doctorow misses a teaching moment in his: What I wish Tim Berners-Lee understood about DRM.

Cory says:

Whenever Berners-Lee tells the story of the Web’s inception, he stresses that he was able to invent the Web without getting any permission. He uses this as a parable to explain the importance of an open and neutral Internet.

The “…without getting any permission” was a principle for Tim Berners-Lee when he was inventing the Web.

A principle then, not now.

Evidence? The fundamentals of RDF have been mired in the same model for fourteen (14) years. Impeding the evolution of the “Semantic” Web. Whatever its merits.

Another example? HTML5 violates prior definitions of URL in order to widen the reach of HTML5. (URL Homonym Problem: A Topic Map Solution)

Same “principle” as DRM support, expanding the label of “WWW” beyond what early supporters would recognize as the WWW.

HTML5 rewriting of URL and DRM support are membership building exercises.

The teaching moment comes from early Christian history.

You may (or may not) recall the parable of the rich young ruler (Matthew 19:16-30), where a rich young man asks Jesus what he must do to be saved.

Jesus replies:

One thing you still lack. Sell all that you have and distribute to the poor, and you will have treasure in heaven; and come, follow me.

And for the first hundred or more years of Christianity, so far as can be known, that rule, divesting yourself of property, was followed.

Until Clement of Alexandria. Clement took the position that indeed the rich could retain their goods, so long as they used them charitably. (Now there’s a loophole!)

That created two paths to salvation, one for anyone foolish enough to take the Bible at its word and another for anyone who wanted to call themselves Christians, without any inconvenience or discomfort.

Following Clement of Alexandria, Tim Berners-Lee is creating two paths to the WWW.

One for people who are foolish enough to innovate and share information, the innovation model of the WWW that Cory speaks so highly of.

Another path for people (DRM crowd) who neither spin nor toil but who want to burden everyone who does.

Membership as a principle isn’t surprising considering how TBL sees himself in the mirror:

TBL as WWW Pope