Schneier on Security

Evil inside. What can I say? What more can you expect from a company like Intel?

Once upon a time I have sworn not to give my money to either MS or Intel for a long time to come and until today I have kept my promise. I guess I am going to keep it a little longer.

If I understand correctly, every CPU has had a CPU ID for a long time, but only now are they telling people how to use it.

I wonder if AMD will follow suite - perhaps they'll be forced to for compatibility, if nothing else?

Alex,
In early 1999 Intel introduced the Processors Serial Numbers (PSNs) on the PIII. After public outcry regarding privacy concerns, Intel, to avoid a landslide PR nightmare, "removed" the feature by turning it OFF by default.
This excellent article covers this topic and others privacy related examples:
http://www.autoidlabs.com/whitepapers/MIT-AUTOID-WH-016.pdf

I don't know that Intel's weaseling. Even if there are no processor features designed for DRM, obfuscated code will surely have tough compatibility problems with each processor upgrade. For instance, if you want your code to break under debuggers and emulators, relying on processor bugs or undocumented behavior is an attractive approach.

On the other hand, DRM features are coming eventually -- I wonder how many more times copyright holders will bet their dinero on trivially breakable software-only DRM.

This is a case of people not paying attention. Intel as been developing the technology, codenamed LaGrande, for several years and have not been at all quiet about it. A Google search for LeGrande on the Intel Web sires yields 152 hits ranging from press releases to technical documentation.

When Phil Schiller of Apple said that Mac OS for Intel wouldn't run on any old x86 box, people started speculating on how this might be done and folks finally started paying attention to LaGrande.

This is actually one of those dual-use technologies that Bruce likes to talk about. LeGrande can be used to add hardware secutity to a DRM, It can also be used to provide a hardware hook for a secure computing environment. In itself, it is a tool, neither good nor evil.

Forget the DRM, check out the 'Active Management Technology' features, including the ability to remotely redirect IDE. Some see a wonderful remote maintenance tool, I see a great new way to r00t boxes!

@Steve,

"In itself, it is a tool, neither good nor evil."

It is a tool that puts an enormous amount of power at the disposal of entities whose best interests may not coincide with mine. I don't believe they're malicious, just motivated by profit and "shareholder value".

The speed at which Intel refuted the statement indicates that consumers do not want this technology. Intel has competition from AMD, so consumer choice forced their hand.

I fear other parts of the IT industry are not similarly constrained, so we may end up with this stuff whether we want it or not.

It amuses me how the foes of DRM has portray the fight as a sort of moral crusade. At the end of the day what is the whole fuss about? Movies, songs, and TV shows. Do people have some sort of fundamental rights to unfettered entertainment? I don't think so.

Any technology which results in the general public consuming less Hollywood drivel gets my vote.

@Chung Leong

Unfortunatly it's about a whole lot more than just a bit of "unfettered entertainment" it is just the razor thin edge of a very large and very fat wedge, that coperates what to drive into your private life.

I will try to put it in perspective,

I am assuming that you drive a car, and that you probably belive you have the right to drive it where you see fit (whilst still respecting peoples private property).

That is the "Hollywood" view, ie there film is private property and they can decide how it is to be seen when exceter.

Although I do not have a particular beef with this view point, I am not to keen on the "Pay each time you view" asspect. What I especially don't like is the "view until date" aspect where the file / music/ whatever you have paid for ceses to work after a given date (Imagine all the books in your library sudenly becoming blank overnight).

The thing I very strongly object to is the view that "DRM" is a must and you must pay to use it, and except the judgment of the DRM holder.

Basically at the moment you can make your own film or music without let or hinderance (provided you do not enfringe on others copyright). This is basically like driving your car around as you see fit.

However with DRM you would only be alowed to record your music and play it on your own machine, you would not be able to give a copy to your "auntie Maude" etc.

It's a bit like having a car that you can only drive to your home and on the public roads. The car manufacture decides that you can only drive into a Tac'Omac restaurent not a KingWendy or even your local mom-n-pop Italian that you and your partner had your first romantic meal in.

The real issue with DRM is not actually protecting the artists rights, it's about big business tying you in or locking you down to their view of the world. If MegaMusic_Corp decide to revoke your right to record your own music and listen to it because it sounds fractionally like there latest DogBand their hyping then hard luck it's their DRM system and that's the way it's going to be.

Worse they could also stop you trying to prove to a Judge that infact you recorded your record 5 years ago and in fact the DogBand has infringed your copyright, because the judges DRM controled system cannot play it either.

We have already seen Judges make dessisions about web page content. Once when something was published it stayed published, if you did not like it you got a Judge to give you financial compensation, but the newspaper morges and libaries still held copies of the original artical. Now you get a Court ruling and all of a sudden the web page has to permanently expunge the content as though it never happened.

The level of controvosy this has caused so far is high, imagin what it is going to be like when MegaCorp has the same power without using a legal process.

Microsoft for instance has advertised document control facilities in up and coming versions of office, whereby a company can control it's documents such that they become perminantly "eyes-only" and will effectivly "self-destruct" after a given point in time.

Do you seriously think that MS has not retained some of that ability for it's self, so that it could make all of your private corespondence disappear if you decided to stop paying whatever new licence system they thought up in a few years time?

I could go on at length, but in reality DRM is about the theft of your existing rights, and holding you to ransom by those you have no control over.

Those who would gain most dress DRM up as stopping pirated versions of their IP, and neglect to mention all the benificial (to them only) side effects that will make your wallet scream in pain as they wring every last cent out of it.

If you want to know more about "Trusted Computing" in it's variant forms such as TCB / TCG / TCA / Fritz chip and other DRM related stuff go have a little hunt on Google or look at,

http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html

It might give you something to seriously think about.

I find it ironic how DRM and all the associated crap can make an honest person become dishonest. I can't stand being told how I can use a product I obtained legitimately, and paid good money for.

I hate Intel, and I'm glad I don't use their products. I really hope AMD leaves this one alone, but I doubt they will. I'm sure industry pressure will force them to add the same bullshit to their products.

That whole concept of DRM is silly. It's like buying a house but in order to use it you'd also have to pay rent. As for music, when I buy a CD I'll listen to it whenever I want and wherever I want. And if I wish to lend it to friends who want to have a listen I will. Not only will DRM make you not own the stuff you buy but it also allows your usage of the stuff you bought to be tracked. At the end, it's consumers themselves who decide if they want DRM or not. If you don't like DRM then don't buy anything that has anything to do with it. Otherwise you're funding it and actually making it happen. Vote with your money.

Actually, there's nothing wrong with DRM. It is simply a different business model - you don't buy content, you rent it. DRM per se does not prevent others from sticking to old models. The market (i.e. the will of consumers) will decide which is the best for the consumers. So far consumers rejected DRM by simply not buying it in some market segments (DIVX) and being happy with it in other (Satellite TV & radio).

Now, the combination of DRM _and_ the "intellectual property" concept propped up by the government regulation is evil. It allows few large companies to lock the content nearly indefinitely while precluding others from reinventing or reconstructing the essense of the content.

Because the supposed benefits of copyrights and patents (i.e. government-granted monopolies) were never demonstrated, and in fact may be seriously deleterious (by inhibiting the market-based mechanism for selection of the best ideas and expressions), not to mention the damage to the civil liberties caused by the random attempts to enforce unenforceable, we should be biching not about private parties betting their own funds on particular business models, but about the goverment meddling with our liberties and the market by creating the legal fictions and monopolies (such as "intellectual property") out of thin air.

@Ari Heikkinen

One problem, with your idea,

"If you don't like DRM then don't buy anything that has anything to do with it"

There have been attempts to get legislation to enforce it into every new product. So far the attempts have failed but sooner rather than latter Money will talk and Politicians will vote it in....

Then you have the choice, life on their terms or no life at all.

Unfortunately the choices involved are much smaller than some people think. I have long held that certain technologies and services of many large companies, Microsoft and Intel in particular, should not really be considered private, and should not be so controlled by those companies. Technology has become so deeply embedded in so many areas of life that in my view, some of these services and products have become public services, and are fundamental requirements for daily life at many levels in first world culture. Microsoft has campaigned so hard and so long to get Wintel machines into so many places, it's become nearly impossible for many people to live without. It is no longer a choice for a company of any size, but a cost of doing business.

Computer systems used to be tools for science and research, then they became conveniences and toys. Now, for many people and institutions, computer systems are essential just for daily life.

Just like the phone systems used to be considered private, but reached the point where they were considered an essential element of the infrastructure and a critical part of normal public life, some computer systems have gone this way too. I believe some of these large companies are abusing the public trust by creating so much dependence on their products, and then restricting usage along private, for-profit measures.

I would like to see more anti-trust measures against some of these corporate giants, along the same lines as Ma Bell and utility regulations. I feel that once a technology or service becomes so pervasive and essential in daily public life, it should serve the public good rather than line the owner's pockets.

Mr. Robinson, you are the obfuscating the issue here. Analogies are unnecessary here, for the question is simple: Do owners of intellectual properties have the right to control access to their properties?

In a civil society, the answer is yes. While private property right is not absolute, deference is given to owner over other claimants. What the public desires and who owns the property are besides the point. Unless the public's welfare is at stake, the wish of the owner should be respected.

I do not see how public interest is served when you give a copy of a song to a friend or "auntie Maude." Just because you can do it before doesn't make it a right.

@Clive,

"Then you have the choice, life on their terms or no life at all."

That's always been the choice, conform to your society or leave and find another one.

The only differance now is that increasingly "they" are multinational corporations rather than governments, and that 'leaving' is becoming impossible due to the reach of said corporations.

@Chung,

"Do owners of intellectual properties have the right to control access to their properties?"

Fine, but if their rights under copyright law are going to be protected, then I want my "fair use" rights protected also.

Fair use is not a right. Just because an activity is sanctioned does not mean you have a right to do it. Copyright holders are under no obligation to allow fair use.

Although fair use is not defined as a right in the Constitution, it is firmly established as a right by case law. Therefore, in the courts it is treated the same as any right established by law, unless and until "they" get Congress to pass a law specifically destroying fair use.

Sorry: it's not "fair use" that is the "right" here. It's copyright. (Thus the name.) There is no natural law that says you ought to have control over the use and/or copying of something just because you created it. This is an idea developed by societies, and in Europe relatively recently at that (since about the Middle Ages).

So the question can just as well be viewed as whether we ought to continue to grant this right, whether or not we should extend it beyond what was previously possible given the technology of the day, or whether we should perhaps curtail it somewhat. Certainly technology is allowing us to grant further rights to copyright owners (such as a no-lending right) that were not envisioned by those who originally formed our copyright law.

There's a fascinating article on this here:

http://www.firstmonday.org/issues/issue6_9/scott/

Oh, and perhaps to put it a bit more clearly:

"Fair use" is not a right that we grant to individuals. It is the right to prevent that type of use that we have hitherto *not* granted to copyright owners.

I'm mostly worried that DRM will break my computer. At the moment, I can and do compile and run software on my Intel PC. With some DRM schemes, only "trusted" software can be run, or, if not "trusted" then it can't open certain files.
For example, MS could put DRM into Word such that files created with Word could only be opened with MS Word. But MS has no copyright over what I have written using their word processor. Why should I have to use a 'trusted' word processor to read my own words? The same is true for any other kind of file you might create. If I recorded myself making music with 'trusted' software, I might not be able to give it to someone who didn't own that same software. Why should ANYONE buy into this extreme form of vendor lock-in? The question should be "which program do *I* trust to open a file?" not "which program is the RIAA, MPAA, or MS willing to let me use?"
I run Linux on Intel. Will Intel trust Linux or apps I like to run on Linux? Today I can share files with people who run Wintel. Will that be true when they are all stuck using DRM hardware & software?
It's *not* about copyrights. That's the cover-story. It's about vendor lock-in and I'm not buying it.

@Quadro,

As I as I know, the courts have never established fair use as a right. Fair use is a doctrine for determining whether an action constitutes copyright infringement. Making a backup copy of a CD you already own is fair use--hence, not a copyright infringement. But as I said, because you can do something does not mean you are entitled to do it. If a record company decides to implement anti-piracy method to thwart that, you as the consumer, do not have a counter-claim.

You do not have rights to what does not belong to you, period. While you can argue that a news report, for instance, belongs to some extents to society as a whole, a pop song by Britney Spear or an episode of Desperate Housewives clearly do not.

@Chung Leong

My point (if you read my posts) is not that people do not have rights to their IP, they do, and where possible it should be REASONABLY protected.

What I object to is the use of the legal system to create a mechanisum whereby mine and others existing rights will be nullified. One of those being the right to my own IP, I find that entirely UNREASONABLE.

What has not occured to most people is that DRM is a pay to use service and you have no right to be included in it.

If the DRM owner has their system embeded into things by law then your rights are effectivly curtailed. Your own IP vanishes as you have no right to record it in a meanigfull way or perminance of existance.

From the point of an author this means that they cannot publish their work without the DRM owners permision, for a musician they cannot distribute their work without the DRM owners permision, and as a software developer you cannot develop code without the DRM owners permision.

Worse still even if you are allowed to publish it today by the DRM owner (at a price set by them), they could decide tomorow that it will not be usable (if you cannot continue to pay or you are in dispute with them).

Where is your legal recorse in all of this, well guess what you don't have one, you have been sold lock stock and barrell down the drain by your elected polititions for a barrell of pork....

It was once said "that freedom is seldom lost in one go" and that "the price of freedom is eternal vigulance".

Well perhaps it's about time people opened their eyes a bit and thought a little into the future, and not as they currently do "I didn't vote for it" by then it's to late.

As a Linux user on an AMD, I don't suppose any of this will bother me, neither will it work I presume.

I suppose my terminology was somewhat imprecise. While fiar use is primarily a tool for determining whether infringement has occured, it traditionally also includes certain actions that (I believe) are considered rights. For instance, the right of someone who has purchased copyrighted material to lend or sell his copy. Unfortunately I forget the name of this right, but it exists both in case law and as a matter of statute.

"If a record company decides to implement anti-piracy method to thwart that, you as the consumer, do not have a counter-claim."
With respect to making a backup copy, this is true, but I believe there is a provision which prevents them from stopping purchasers from selling their original (purchased) products, e.g. selling a used CD to a friend. If a CD would only work in one CD player (like product activation) it could cause a problem, although nobody would actually sue over it. This is why software companies (especially MS, to avoid bad publicity) that require activation will listen to, and usually accept, explanations of why a user is activating multiple times.

"You do not have rights to what does not belong to you, period."
Obviously not, although once you have bought a copy of, for example, a song, you have a right to use your copy. That's why I and many others refuse to buy song downloads, because you haven't actually bought anything.

@Kevin,

Wishful thinking I'm afraid.

For one, there is a bill to restrict internet access to "trusted" systems.

Accessing "trusted" documents will require "trusted" systems. Note that these "documents" could be Wordprocessor files, emails, web-pages, songs, movies, backups etc. Your digital camera could use DRM, meaning you can't even access your own pictures without someone elses approval.

Your PC/home entertainment system will check every DVD you play every time you play it to make sure it's not a pirate copy. Your viewing preferances will then be sold to the highest bidder.
Your system will check to see if you're allowed to fast-forward through the boring bits, or pause the movie, or use the DVD players zoom function, or turn on subtitles. And you thought region coding and the FBI warning was annoying.

I support copyright, and I support efforts to enforce it, but that enforcement shouldn't be so blatently one-sided. My fair use rights are just as valuable as the vendors copyright.

Imagine the interoperability problems caused by proprietary formats and software patents multiplied a hundredfold. Imagine all the new and wonderful ways vendors will be able to observe and control your use of their material.

Now tell me DRM won't affect you.

DRM is going to be extreemly expensive to implement. Trust me, those costs will be recovered. DRM isn't about copyright, viruses or company secrets, it's about MONEY!

@Quadro

I don't see any legal basis for prohibiting CDs that only work in one CD player, provided that they're properly labeled as such. The ill-faded DIVX system would seem to contradict your assertion. When you buy something, you have a right to what was sold, which in the case of a DIVX disc, doesn't not include unlimited viewing.

@Chung Leong

I see from the comments of others and your own posts you are avoiding the central (hidden) issue about DRM.

i.e. Not that it protects the rights of the copyright holder, but it can and will be used to deny the same rights to others.

perhaps you would care to address the issue?

But I suspect you will not...

"provided that they're properly labeled as such"
If the product is clearly labeled as working in only one player, it's almost acceptable, but there has to be some provision for changing the registered player. For example, if I buy a new CD player, I should be able to transfer my collection to the new player, disabling the old one, and of course there would have to be limits on how often I could change players to prevent me from simply changing the registration every time I wanted to use a different player.

I'm not too familiar with the specifics of DIVX, but I believe that was more along the lines of pay-per-view (like cable has had for years) but on a disc that you own. You own the disc containing encrypted gibberish, and you buy the ability to turn that into a movie. Also, I believe the discs were not tied to a single player, but rather each watching of a disc was tied to the player.

[quote]
It's like buying a house but in order to use it you'd also have to pay rent.
[/quote]

This is what's called property tax. Don't pay the tax (rent), lose the house.

I remember DivX was the bright idea of Circuit City or The Good Guys, can't remember which since they're all the same. Anyways, the greedy bastards thought that it was somehow a good idea to sell you a product that you had to keep paying to use.

You could Pay-per-View for a few dollars, or buy a code that would unlock the disk permanently. The player had to be plugged into a phone line for verification, and I'd assume the code was not transferable to other machines.

And what happens when a vendor goes out of business? Does your media stop working since it can't verify that it's a 'legal' copy?

"This is what's called property tax. Don't pay the tax (rent), lose the house."

Not the same at all. Tax is imposed by the government, not the seller of the house. The rent analogy is correct, because the rent would go to the people you bought the house from, just like the DRM use fees would go to the people you bought the media from.

"or buy a code that would unlock the disk permanently."

I didn't know that. I'm sure the permanent unlock code would be restricted to one machine, and the code to verify each pay-per-view showing would be as well, but (for just PPV) the disc should be capable of being activated independently for multiple viewings (paying each time) on several players.

"And what happens when a vendor goes out of business? Does your media stop working since it can't verify that it's a 'legal' copy?"
Yes. When Intuit started using activation for TurboTax a couple years ago, part of the backlash against it came from people who were concerned that their tax records would be useless if they were audited and could not reactivate the software.

I agree all of you about DRM, TPM, etc...

I just want to add some experiences that I get from my PCs:
- Silently, they control all of your PC from router, firewalls, and NIC (network interface card). I catch and sniff "em when they trying to shutdown my PC's from remote distance, although I shut off all services in WinXP SP2, even turn off shutdown PC functions in Console Management, but they still can do that due to their DRM, TPM building in their drivers. In new Linksys router, they can turn on again when I turn off remote WAN access. Voilà !!!

- ATI Video Card is nut, because they implaint all of DRM, Macrovision protection inside it drivers. That's why you cannot see the best video capture quality. They conflict with their concurrent Nvidia as well. If you have Nvidia card, and you want to test ATI card, just plugin and run as well, the problem appears only when you uninstall ATI drivers and use back your Nvidia card. Test it, Reverse it, and you will see it.

People please watch back many reviews and movies about invasion privacy on net and computer industry. They can change your life in total. You will be a criminal if they like you to be. You don't steal anything, but they can condemn you if they don't like you at all.

I won't upgrade PC anymore. I keep my PC's as long as people fight back all of these invasive stuffs out of my life, and ofcourse your lives too.

Thanks in reading my infos.

PS: Hope so my comment can remain as long as they will shutdown it. I try to write it as I can in many forums but apparently they delete my comments the day after. Hope so someone can read it. Thanks again!!!