Adobe Spyware Reveals Again the Price of DRM: Your Privacy and Security (eff.org)
504 points by sinak on Oct 8, 2014 | 166 comments


> As our friend Cory Doctorow has been explaining for years, DRM for books is dangerous for readers, authors and publishers alike.

Richard Stallman explained it a decade earlier in a piece worth reviewing now and then -- https://www.gnu.org/philosophy/right-to-read.html.


Some of Stallman's predictions were spot on.

> In his software class, Dan had learned that each book had a copyright monitor that reported when and where it was read, and by whom, to Central Licensing. (They used this information to catch reading pirates, but also to sell personal interest profiles to retailers.)


> It was also possible to bypass the copyright monitors by installing a modified system kernel. Dan would eventually find out about the free kernels, even entire free operating systems, that had existed around the turn of the century. But not only were they illegal, like debuggers—you could not install one if you had one, without knowing your computer's root password. And neither the FBI nor Microsoft Support would tell you that.

Not quite there, but almost (wrt PCs).

https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_In...

https://en.wikipedia.org/wiki/Trusted_Platform_Module#Critic...

http://rt.com/news/windows-8-nsa-germany-862/


Let's not forget the widening gap between "advanced user" and "developer", created by schemes like code signing, forced app-store distribution models, and the gradual removal of "only developers will need them" features from software. While there are arguably security benefits to such closed ecosystems, it also makes it much harder for users to be in control of their computers - which includes modifying and writing new software for them.

Compared to a PC today, the original IBM PC/XT/AT was amazingly open. All versions of DOS came with a basic debugger, which could also be used to write short Asm programs. I remember these being popularly published in the computing magazines of the time, and there was a general attitude of openness around that.

Perhaps the average user today doesn't care, but what astounds me is how much freedom we've given up in pursuit of security and safety. We seem to have gone down a path (or the corporations have led us down one) in which we're led to believe that having responsibility and freedom is a bad thing, and that we'd be happier - blissfully ignorant - if we let these corporations (and governments) take over for us.


We've gone in a security model that Bruce Schneier calls Digital Feudalism. We give up rights to have large centralized organizations take care of our security for us. In exchange we give them data that they are allowed to sell. This is both for devices and for services (notably Web 2.0).

There are arguably benefits to this arrangement. Prostitutes have pimps, even though they cut into profits without taking much personal risk or providing much labor, because pimps do provide a safety mechanism. Likewise, vassals gave up large portions of what they produced for security from their lords and kings.

We've returned to this arrangement because:

1.) Paying is painful and copying software is easy. Instead of making money from you, Web 2.0 have monetized you as a target for advertisers. Web services are 'in' because that's the only way software can't be pirated. Much of our software today displays GUIs on a screen but runs on other computers because of this reason. The new Office products all run in the cloud, MMOs offer the same deal, and games like Diablo III can only run when in constant connection to the internet, even though there's no technical reason why that should be the case. Xbox One tried to (and backpedaled from) making the Xbox always on, always connected. Other streaming video game and content services try the same. Essentially, the internet has become glorified TV (minimally interactive), with more channels.

2.) The internet is the Wild Wild West. Security professionals have been yelling for ages that the rush to release and the need to compete together with closed source development was making the world an insecure place. Essentially every layer of our computing stack is insecure. Attestation of computer intrusion is ridiculously hard. And there's money (and geopolitical power) to be had. We designed things insecure from the start, and continue to do so. Individuals can't stay secure on their own. It's not possible. So up with the lords and vassals - we know it sort of works from history.

I do think the average user cares. I don't think the average user is informed.


> Web services are 'in' because that's the only way software can't be pirated.

That is cognitive dissonance. If your revenue is derived from advertising then users installing ad blocking software is revenue-equivalent to users pirating your software. The fact that it's legal for users to do when piracy is not provides no support for the argument that ad-supported services are on stronger financial footing.

The reason ad-supported services are winning is much simpler. Users prefer them to paying. So if one competitor is "free" (with ads) while another is charging money, the market picks the free one. But ad-supported services don't inherently require centralization or feudalism anyway.

> The internet is the Wild Wild West.

The internet has never been the wild west. Modern computing devices are dramatically more secure than physical things like your house or your car. The internet is so far away from the wild west that we consider even the possibility of a security breach under rare circumstances to be a serious vulnerability and work quickly to close it. And the feudal lords are the ones making it worse -- is it even possible to patch a vulnerability on an un-rooted iPhone which is too old for Apple to patch it officially?

Having said that, I don't disagree that the reasons you're listing are the ones used to justify feudalism, they just happen to be factually incorrect.


> Modern computing devices are dramatically more secure than physical things like your house or your car.

Er, no. You can't break into my house from another country. Moreover, my computer is also a physical thing in my house, so it cannot easily be more secure than the house itself.

The patching of possible security breaches has become a weekly ritual. And there are hundreds of thousands of unpatched compromised computers sloshing around in botnets.


> You can't break into my house from another country.

An attacker could certainly pay someone to break into your house from another country in much the same way as they pay their ISP to deliver malicious packets to your computer.

> Moreover, my computer is also a physical thing in my house, so it cannot easily be more secure than the house itself.

That isn't strictly true. If your device has full disk encryption using a strong password, physical access doesn't get you much in the way of accessing the data.

It's easy to confuse this with the explanation of why DRM can't work, but they aren't the same thing. To access data you need either the plaintext, or the ciphertext and the key. DRM fails because you need one or the other in order to watch the content, which means an attacker inherently has in his possession what is necessary to get the data. But a locked or turned off device with disk encryption only gives the attacker the ciphertext without the key, which is an entirely different situation.

> The patching of possible security breaches has become a weekly ritual.

That's kind of my point. Nobody recalls your car windows when they're discovered to be vulnerable to the "blunt force with heavy object" attack.

> And there are hundreds of thousands of unpatched compromised computers sloshing around in botnets.

Hundreds of thousands out of billions is what, 0.01%?


> If your device has full disk encryption using a strong password, physical access doesn't get you much in the way of accessing the data.

Well, even if assuming that all your software is bug free, someone with physical access can either replace the unencrypted boot image with a compromised one which gives him remote access or install a hardware keylogger and come back later for the disk and password.

In the hypothetical situation of a targeted attack and attacker with physical access, FDE only protects you if you never turn on your computer.


There are plenty of effective ways to detect physical intrusion into a premises.


I'd be shocked and amazed if someone broke into my locked computer. Someone could break into my house with something as simple as a rock, though.


If an adversary has physical access to a computer, they can get basically anything. In unencrypted scenarios they can pull out drives and mount them in their own run time (OS). If the device is also running then coldboot attacks can allow the encryption to be attacked.

Finally, there is the eventual cracking of many encryption algorithms via cryptanalysis and Moore's law.

[1]: Answer about Moore's law effects on bits of security http://crypto.stackexchange.com/a/1828

[2]: http://en.wikipedia.org/wiki/Cold_boot_attack


My computer is encrypted. It's far more complicated to break into my computer than to use a rock against a window.


Cold Boot is hard to implement, and can be mitigated by putting the 16kb of key memory on the L2/L3 cache or some other piece of memory that instantly clears on power off.

With FDE and memory encryption, how else can you get past this?


Thing is, you would know if someone broke into your house with a rock through the window. Breaking into your computer, or breaking the encryption of your data on some server, can be done without anybody noticing for years.

Securing your data is a completely different problem, and a much more difficult one, than securing your house.


Chances are your computer has already been compromised. Your house? Probably not.


If it was compromised already it's because it's safer for the hacker to do so than to break my window and go in my house. Safer does not equal easier.


The amount of knowledge, skill, and effort to gain access to your computer from another country vastly outweighs the amount of skill and effort required to break your window and carry it out the front door.


> > Web services are 'in' because that's the only way software can't be pirated.

> That is cognitive dissonance. If your revenue is derived from advertising then users installing ad blocking software is revenue-equivalent to users pirating your software. The fact that it's legal for users to do when piracy is not provides no support for argument that ad-supported services are on stronger financial footing.

It is not difficult to foresee a world in which "forging the appearance of a website" is illegal and userscripts and userstyles are forbidden as well. How many sites try very hard to block right click to hide their code?

There are five actors that can modify the appearance of a website:

* the author,

* the server,

* the network,

* the browser,

* the user (instructing a browser's add on).

By definition the author can do whatever they want.

But what if the server started serving slightly different pages, maybe with advertisements? This is happening now with hosted blogs and publishing platforms; it is frowned upon but accepted.

If the network changes the content of a page, for example adding advertisements, the network will have to face a lot of bad reactions, so very few networks are doing it now. (see http://justinsomnia.org/2012/04/hotel-wifi-javascript-inject... )

The browser is in a similar situation. When Internet Explorer wanted to modify the received HTML to "enrich it", there was a big backlash from authors: «Microsoft thinks they can improve my writing. This makes me want to get a gun and go to war.» «With smart tags, Microsoft is able to insert their ads right into competitors’ sites.» (http://alistapart.com/article/smarttags )

So the authors are against modifications to the way their sites appear. Their remaining problem is _the user_. Authors cannot force the user to see what they produced: users have the freedom to install an ad-blocker or strip the CSS away. But we have to realize that this may be only a temporary situation. With the app-ification of the web, userscripts and userstyles are gone. And the content producers are happy about this.


> It is not difficult to foresee a world in which "forging the appearance of a website" is illegal and userscripts and userstyles are forbidden as well. How many sites try very hard to block right click to hide their code?

Not illegal, but made technically impossible. That will be the logical result of the EME standard, combined with WebCrypto, where the website owner, not the user, controls the browser.

All of these users chanting about how great Netflix "HTML5" is do not understand the long-term game that is being played for control over the web browser.


Interesting perspectives, so here's another volley.

I think "users prefer ads to paying" is not a full explanation: I did include "paying is painful". If that's all there were - just upfront cost, how do we deal with the trend of connected software (Diablo III, etc) and devices whose primary developer feature is DRM?

The internet totally is the WWW. Well, it's an analogy. So no, it's not. But the analogy is useful in its most spirited form. There is no truly enforceable law and criminal and conspiratorial enterprises run abound. It's questionable whether the Feudal lords are making it better or worse. (One way they make it better is by having direct accountability.)


> I think "users prefer ads to paying" is not a full explanation: I did include "paying is painful". If that's all there were - just upfront cost, how do we deal with the trend of connected software (Diablo III, etc) and devices whose primary developer feature is DRM?

Connected software is a different business model. It has certain advantages for the developer (like collecting a monthly fee rather than a one time payment), but how is that supposed to be providing any security or other benefit to the user?

> There is no truly enforceable law and criminal and conspiratorial enterprises run abound.

There are lots of enforceable laws -- probably too many. And the threat is vastly overhyped. Actual criminals and criminal organizations are the likes of Ted Bundy and the Zetas Cartel. The internet version of that is supposed to be weev and Anonymous? They're not even on the same planet.

Moreover, what is the feudal lord supposed to do any better than anyone else to prevent some jerk from cracking into a webserver and stealing private data? If anything the centralization makes it worse by creating juicier targets. If the bad guys compromise Apple or Google you're roasted, toasted and burnt to a crisp.

> It's questionable whether the Feudal lords are making it better or worse.

I have a hard time thinking of any way they could legitimately make it better that wouldn't work just as well without a locked boot loader.

> (One way they make it better is by having direct accountability.)

The fact that they aren't accountable is half the problem. At best the user can throw away their device and buy one from a different vendor, but that's hardly much consolation when you can't get your money back. And the app developers have even less leverage. The only way to opt out is to abandon hundreds of millions of prospective customers.


If the Internet is the Wild Wild West, are we (the early adopters, the knowledgeable users) the Native Americans? New businesses are coming, destroying our way of life? Ruining our lands, exterminating certain breeds, making our traditional ways forever extinct?

I guess it is an apt analogy.


Glad to hear someone air these thoughts out loud. I vastly preferred back when I could simply trade money for software. I don't like this new world in which I have to enter into a vaguely abusive intimate relationship with Google or whoever to pay for their product.


I find that my stance on this topic has changed as I have more money to pay for services. I used to vastly prefer free services. Now I would happily pay a few dollars. Unfortunately, a large portion of my privacy and anonymity has already been given up from past use of these free services, and I most likely will never be able to reclaim that. I can at any point choose to use a less invasive service, but the choice is not the same now that I view much of my anonymity already gone.


Piracy is a really huge part of it. Nothing is free. Pay for it or it finds someone who will pay for you.

... And if neither occurs, you won't get it at all. I've started to become increasingly convinced that huge scale piracy really did harm the quality of popular music. You can find some good obscure music today, but the average quality seems to have hugely declined in some objective way. Art is no more free than code, and good art really does cost more than bad art for all kinds of reasons... Fewer can make it, and quality takes time and sustained focus. Having some talentless tart squall into an auto tuner to a cliched catchy melody is cheap. Finding an Elizabeth Fraser and paying them to practice for 40 hours a week under the supervision of a professional choral voice instructor while you coach the band on composition in a recording studio is not. Why invest in a product nobody will pay for?

Funny how when I bring up the issue in the context of software everyone agrees. Of course people have to get paid somehow and of course polished products cost money. But on every forum including this one, nobody gets how there could be any relationship whatsoever between the quality of art and its ability to be financed. I think this comes down to one of the greatest myths about art: that it comes from some automatic and magical place and people either have it or they don't, and that artists make art solely out of duty to the muse. Like anything else art is a skill and doing it well requires practice, research, focus, coaching, even peer review, and all of that takes time during which many people including the artist must be supported. There is a component of inspiration but raw inspiration without the rest of it results in rough draft quality work that is only of value to the artist themselves.

Piracy undermines the ability to finance art just like it does in software. What's one of the first questions a VC asks about? Defensibility. In other words how will you protect your ability to monetize the value you create. You think investors only ask that question in software?


Art is subjective, code is not. Good code is testable. Good art is not testable.

Top40 music is palatable to many and is the exact result of what you describe: practice, research, focus, coaching, and peer review on a massive financed scale that "startup" bands could never afford.

Yet despite that, the indie music scene has never been more vibrant and alive than it is today. Instead of a small number of bands/groups producing music that all indie fans like, there's a huge pool of artists each producing their unique sound based on their own personal values of how music should be produced (including things like practice, focus, peer review, and other things not mentioned like experience, personality, and culture). That, to me, is art -- not a rehearsed manufactured production but an embedded experience unique to the artist you are listening to. That's what you heard in popular music until the mid nineties. The lack of quality popular music is not due to lack of craftsmanship.


The financial costs a young artist or group incurs to bring one or a few albums into the world are slim, but the cost in time is great, especially if they're also trying to keep food in their bellies by touring. But here's the thing - who can afford to do that for their whole careers? I think part of the costs parent is describing have to do with making art as a viable lifetime career, meaning, providing for healthcare and retirement. Sure, it's easier than ever for college-age people to put out some records, but if anyone is to make art a viable profession, money has to come from somewhere, and enough of it to make it viable as a living.


That's exactly what I meant: a viable profession.

I also disagree with the OP about cost vs. quality. The key difference comes later when you're managing the artist. If the artist has talent then they also have a certain amount of leverage in the relationship. If you make them feel like a slave then they have an ultimate trump card: turning off the juice. (The "Atlas Shrugged" maneuver?) A talentless piece of meat plus auto tune gives you total leverage, which means risk mitigation and a more controllable product.

Right now the environment in the music industry is one of extreme risk aversion, which is something you see when the bottom falls out of an industry. You've arguably seen a much more risk-averse tech industry since the 2001 crash.

I think my points about piracy fit into a broader critique of the concept of "free" that I've been thinking about and that I've heard others talking about. Unlike previous critiques it's more of a liberal/progressive critique.


I don't know about the music, but Avatar, one of the most pirated movies of all times, was also one of the most financially successful. It seems like making quality movies still pays off.


Citing a single example isn't evidence. Also movies have been less affected than music, which got the brunt of it due to Napster's VC-funded normalization of bulk music piracy. Movies have their theater runs, while musicians can only get live revenue by touring (which is hard work).


Computing isn't a hobby anymore. Everything changes when big money is on the table. Back then the virus said "your PC is now stoned" and everyone just laughed. Now if your computer isn't totally locked down it's root level malware produced by professional career criminals that steals your financial data and conscripts your computer into a botnet to extort money from web sites.

I share these concerns but coming up with a way to be both open and secure is deeply hard. Companies like Apple have decided to just punt on the problem, especially in the mobile space. Not only does it save money on R&D while delivering a product that isn't instantly malware ridden, but it also gives them App Store revenue.

My point though is that it's not just them ramming these models down our throats. Other factors are in play helping to seal the deal.


"in pursuit of security and safety"

pursuit is the critical word. Of course you don't get either, often enough the opposite.


And of course it's illegal to install other operating systems on smartphones and other devices.

Citation required?


Most modern smartphones are bootloader locked. Circumventing those locks is arguably violating the anti-circumvention bits of the DMCA. Therefore, to install another OS, you have to break the law.

Worth mentioning is that it's illegal in the same way breaking the speed limit by 1MPH is illegal, i.e. technically against the law, but your chances for ending up in trouble for doing it are nil.


That's actually not worth mentioning.

Speeding by 1mph isn't a practical or useful law to enforce. Creating a new OS and breaking the boot loader would require a group of people working together in some organized form, which would make it practical to target, and it'd probably be financially threatening to a larger company, which would make it useful to enforce.

In 2014, companies are the political and cultural entities in our society, and a law like this kills off a class of entity.


It might be illegal in _your_ country. But AFAIK reverse engineering or installing custom software on a device I bought is not illegal in Germany. Probably in most countries.


It's not reverse engineering that is illegal but "circumventing a digital protection device" (modulo translation issues). What does Germany's implementation of the EUCD say?

The EUCD was the DMCA pushed through the EU by trade agreements. In some ways it's worse, since it lacks the safe harbor provision.

The end user situation isn't as bad though because there are other laws that protect you. In Sweden there is a provision that specifically allows it for interoperability reasons, for example.

Funny you mention Germany though. It is one of the few countries that tried to outlaw "hacking tools", broadly defined as including a lot of reverse engineering tools you would use for the purpose you mentioned. I don't know what happened with that, perhaps the situation has improved?


> Funny you mention Germany though. It is one of the few countries that tried to outlaw "hacking tools", broadly defined as including a lot of reverse engineering tools you would use for the purpose you mentioned. I don't know what happened with that, perhaps the situation has improved?

No.


As I understand it, EUCD is about copyright protection. Unlocking my bootloader is not a violation of this. So EUCD does not apply here.


Motorola tried to tell me my phone warranty was off because I requested the bootloader unlock code from their site. Well, they're wrong. They cannot do that. It's illegal. I have every right to unlock my phone. Europe really is different from the USA.


Something voiding the warranty or being illegal is quite different matter though. I'm pretty sure that disassembling your phone voids your warranty but I would be surprised if it was illegal.


Disassembling your phone only voids the warranty on the overall device, not on the individual parts. Also changing the software does not void the warranty of the hardware.

Also if a contract contains a clause forbidding you to disassemble, decompile, or debug something, then the clause is automatically void.

Yay for EU rights.


Exactly. Doesn't matter what Motorola says. The Terms they made me "read" and "agree" upon are void because they go against the law. I'm free to get rid of the Motorola software on my phone and replace it without voiding the 24 months warranty on my phone.


Warranties can be tied to limitations and restrictions the manufacturers make up. (There probably are some limitations to that to do with contract law. It surely is quite complicated, but voiding your warranty by unlocking your device doesn’t seem unreasonable to me.)

Warranties are voluntary and distinct from seller liability for defects in the product. That liability is legally required in the EU. The details of the implementation are different in different countries.

In Germany it’s like this: The seller (and only the seller) is liable and you have to go to the seller to make a liability claim. So if you bought your phone from Amazon you have to write Amazon, not Motorola. If you bought it from a carrier you have to go to the carrier. If you didn’t buy the phone directly from the manufacturer that manufacturer doesn’t have to do anything when you come to them with a defective phone. It’s the seller’s problem. (This is mostly to prevent a runaround, where seller and manufacturer both tell you each other is responsible for fixing the problem. This creates one entity that is clearly and obviously responsible and has to handle the problem.)

It’s for defects present when the device was sold and that’s it. (However, subsequent defects of some component because the device was delivered with some faulty or not up to spec components count, too.)

In the first six months the seller has to prove the defect wasn’t present when the device was delivered to not be liable. You, the buyer, don’t have to prove anything. That burden of proof, however, reverses after six months and up to 24 months (then there is no more liability), making it very hard in practice for buyers to prove after those six months that the defect was there when the device was sold. (However, courts have relaxed the requirements for that. Buyers usually don’t need to get some expensive expert opinion or something like that. If you can make a very good and informed argument for your case you should usually be covered.)

The seller can repair or replace the device. Buyers don’t have the right to get their device replaced when it’s possible to repair it. If repairing and replacing fails a number of times (I think three) the buyer can demand their money back.

That’s the liability. A legal requirement and very complicated – and also wholly distinct from warranties.

By unlocking your phone you may have voided your warranty, but you certainly didn’t void the legal liability of the seller.


They're still called warranties in many EU countries, and simply saying it'll "void your warranty" is incorrect, and possibly illegal.

Oh, and in some countries the law has more teeth: here in Portugal the burden of proof never shifts during the 24 months :)


Yeah looks like that was the argument that held up until just a few years ago. I remember it being 'illegal' (like breaking the speed limit) at that time. As of 2010 it appears to have changed. Note that it IS illegal to modify a phone so that it connects to a carrier it wasn't 'intended' to connect to.


That is only for smartphones specifically though, as I understand it.


There was an exception against that until about a year ago. Then this year that exception was added back in.

http://www.theverge.com/2014/8/1/5959915/president-barack-ob...


I looked it up and am wrong as of 2010 when the Registrar of Copyright of the Library of Congress ruled that, in fact, it was legal to jailbreak iPhones and other smartphones. Apologies, I will remove the comment above.


That was a prediction, not a statement - it's from Stallman's 1997 'right to read' cited above.


Except, even if Stallman didn't realize this, the story is mostly about state violence ("you could go to prison for many years for letting someone else read your books", "free operating systems ... were they illegal") where DRM is used as a tool to control and monitor people.

DRM itself is not good or bad. As everything else, it can be abused, as Sony and Adobe showed us, or can be used for good (or neutral), for example, to allow indie shareware developers to let us try their software before purchasing a little registration code (I know, not free software, but let's not start this debate for now).

It's a logical error to say that DRM itself is evil when some of the instances of it are evil.

DRM is a "smart contract", a protocol for enforcing a contract without laws or violence. When you read that a person goes to prison for breaking DRM, realize that it has nothing to do with DRM, it's about state using violence to protect a failed smart contract, which is the opposite of the purpose of such smart contract.


> DRM itself is not good or bad. As everything else, it can be abused

We're going to have to disagree on this. DRM, any DRM, no matter how benign, places the computer in an adversarial role against its user and owner. There is no circumstance in which this is a healthy relationship, and there is further no circumstance in which DRM is added to something that DRM couldn't be removed entirely and therefore enhance the value of whatever it's attached to.

This is one of the things I fully agree with RMS on. DRMing something means it's broken by design.


"DRM is a "smart contract", a protocol for enforcing a contract without laws or violence."

No it isn't, because DRM fundamentally cannot enforce the contract it is supposed to; you can't allow people to view something while preventing them from copying it. DRM only "works" if circumventing DRM is made illegal; DRM is an attempt by copyright holders to introduce legal restrictions on fair-use copying and on copying devices with substantial non-infringing use. DRM is entirely legal and political, not technical.


That's a good argument, thank you! I'd argue that for DRM to work reasonably well (without coercion), it doesn't need to be perfect, it can work in the same way password stretching works: you don't get the absolute protection, but influence the cost (value). For example, when applied to software, DRM can be stripped, but then you'll be receiving the executable from a possibly untrusted source. However you are spot on that currently DRM is mostly legal and political, but I don't think that's the inherent property of it.

* * *

Unfortunately, seeing my comments downvoted makes me uncomfortable to continue discussion here on HN, as (when applied to reasonable comments) it provides instant feedback that you're going against the popular opinion, and I'd rather avoid such feedback, so I'll go think about it more and then write a blog post or something.


DRM doesn't work nearly as well as password stretching. I can sit down for a few hours with IDA and crack nearly any DRM scheme.

With password stretching, the result of how long attacks will take is predictable and they can actually be made difficult or require more hardware (and at larger expense) rather than simply requiring a more skilled attacker.


It's not a good argument. DRM is an executable contract. Contracts cannot enforce themselves. That is why we have police, courts, etc. The fact that it is an executable contract makes it more difficult to circumvent than a paper one, but circumvention is still circumvention.


> It's a logical error to say that DRM itself is evil when some of the instances of it are evil.

All of the instances of DRM are evil, because all of the instances of DRM'ed stuff prevent practical and unlimited sharing.

In the digital world, any limitations on copying bits are akin to virtual restraints and locking information away. It prevents you from doing anything else than what the golden prison allows.


> In the digital world, any limitations on copying bits are akin to virtual restraints and locking information away.

Jennifer Lawrence might disagree with your laissez faire attitude.


I'd argue that Jennifer Lawrence's sensitive bits shouldn't have been given to someone else (Apple) in the first place.


I assume you store all your money under the mattress? We all store "sensitive bits" (information) with others.


Well, to get his money from under his mattress would require you to break into his home. That's different from him storing his money under your mattress.


Well, yes, that was my point, since chances are (s)he doesn't actually keep money under the mattress, but in some bank.


Right, I see that now. I misread you earlier.


Sure. But there's not much to complain about when those 3rd parties f* up, if you used them voluntarily...


I think you've just invalidated contract law wholesale.


Is that even valid when the contract is nothing more than a ToS that everybody agrees on without reading and most probably not enforceable in court?


I side with icebraining here.

The statement "there's not much to complain about when those 3rd parties f* up, if you used them voluntarily." taken in general can refer to pretty much everything we encounter in everyday life. There are a lot of implicit contracts made, and breaking some of them could be recognized in court (there's the concept of acting in bad faith).

In this particular case, JenLaw et al. have all the rights to be mad at Apple because of the broken ToS/implicit contract that said "this is my data, it's only backed up and will not be shown to third parties". Whether or not they have shown practical wisdom by using the service is a whole another matter.

That's basically the crux of disagreements around the "victim blaming" concept. People confuse two different things here - morality of whether something should be done, and the probability it will happen in practice. If I get mugged under the bridge in the middle of the night, I'm not morally at fault for being mugged (it's something that shouldn't be done), but I also haven't shown practical wisdom by going alone at night under the bridge in a dangerous area (by doing so I increased the probability it will happen to me).


As far as I remember though, the "breach" was not on Apple's part but on the victims who chose weak passwords; can we blame Apple for this? Except maybe for a lack of forceful education?

The original sentence becomes "Jennifer Lawrence shouldn't have stored sensitive information externally without using a minimum of good security measures" in this vision.


> As far as I remember though, the "breach" was not on Apple's part but on the victims who chose weak passwords; can we blame Apple for this? Except maybe for a lack of forceful education?

In this case I guess we can blame Apple only for the "lack of forceful education"/crappy security ideas (security questions in the 21st century, really?).

There is one funny thing about the Fappening - there was this movie[0] released a few months ago, that featured a couple making a sex tape that ends up accidentally distributed to their extended families and friends thanks to iPads and cloud backup. The best line from the trailer:

    - It went up! It went up to the cloud!
    - And you can't get it down from the cloud?
    - NOBODY UNDERSTANDS THE CLOUD! It's a fucking mystery!

Call it a prophecy.

[0] - http://www.imdb.com/title/tt1956620/


Hah. You say that now. And then the bank messes up, and your savings account is empty. You're not going to complain? I think not. I think you're going to be screaming at the top of your lungs, calling lawyers, and so on.


I use Bitcoin. Don't have a bank account.


Your argument that bits should be copyable without restrictions is independent from the fact that these bits were not on her local hard drive.


Indeed, if you come from the assumption that it's evil to limit the sharing of information/software, then DRM is evil, because that's the exact purpose of it. However, in this case, login systems, encryption, etc. are also evil because they prevent the sharing of information. Speaking of which, why do you lock information away from Adobe? Also, pass me your HN password, please :-)

But even if DRM's purpose is evil, it still doesn't invalidate my argument: that it's a tool for peaceful enforcement of contracts (something you might not like), the exact opposite of the state's violent enforcement of contracts. The latter is the problem in Stallman's story, not the former.


Hmm, I was talking about DRM in the context of published information.

Obviously, in the case of private and/or sensitive information, you don't release anything to the public, so I'm not sure the protections (login system, etc...) can still fit in the definition of DRM.

https://en.wikipedia.org/wiki/Digital_rights_management:

    Digital Rights Management (DRM) is a class of technologies that are used by
    hardware manufacturers, publishers, copyright holders, and individuals with
    the intent to control the use of digital content and devices after sale.

With publications, you give access to other people (a restricted one if DRM is involved). It's not the same as not giving access to anyone but yourself.


The argument of copyright is that 'published' information is not public. It is still owned by its creator (or more often by one of the corporations that employ them), you just get a very limited license to do certain things with it, like reading it and maybe creating personal backups, but not other things, such as sharing it with others, either for free or as part of a commercial venture.

This distinction between owning and licensing information didn't use to be necessary in the publisher's business model for popular culture, because the cost (and, equally importantly, the profit margin) of distribution was significant: authors made and continue to make far less than their publishers, with rare exceptions.

The cost of distribution of digital information is so low that consumers will do it for free (BitTorrent). And since the power of publishers primarily derives from their ability to distribute copies, that is what they attempt to preserve, even though they do a lot of other things that continue to be valuable in today's digital world, like financing and advertising. This (not entirely irrational) attempt to preserve a dated business model is in turn perceived by consumers as a clampdown on their rights, leading to a backlash to the established publishing industry and enabling the (so far limited) success of new services like Spotify and Netflix, which don't have to take into account any preconceived notions of what their business is. People associate licensing an ebook with buying a treebook, but they tend to associate streaming with borrowing a book in the library.


>People associate licensing an ebook with buying a treebook //

People don't just associate it. Companies offer e-books for sale. Amazon says "Kindle Purchase" and gives a price for the e-book: that's a subtle sort of fraud if they really mean you can "Kindle license" and to offer a "licensing fee" rather than a price.

Companies want people to think they are purchasing stuff because otherwise people would be reluctant to "buy". Unfortunately the largest companies have been able to play this fraud long enough to establish the system; only now are people realising that what they thought they had bought doesn't technically belong to them and the rights they thought they had are not in place. Like I said, it's a subtle fraud.

What's more egregious is that the copyright deal has been corrupted. With DRM companies are saying their work will not enter the public domain eventually - that means they've failed to uphold their end of the copyright deal ... why then are the demos upholding their end, there is no compulsion to if the contract has already been broken.

There is no protection for works which have been crippled so they can not enter the public domain; the contract has gone. It would be good if the legal system could come in line with the reality of this situation.


Yes, locking private information is not DRM. But if you separate "private" information from "published" information, then for DRM to become [logically] evil, you should restate your claim about why is it evil to prevent unlimited sharing, because the generic "virtual restraints" on bits no longer works.


So, some files on your system likely have read rights but no write rights were I to log in. Is that evil?


God love the EFF, but they're using this as a platform to talk about one of their favorite hobby horses, and that's kind of obscuring the problem. Read the original article in which this was discovered -- this has nothing to do with DRM.

http://the-digital-reader.com/2014/10/06/adobe-spying-users-...

Adobe is collecting data about every ebook on your system, regardless of whether it's using DRM and even regardless of whether it's even being managed by the Adobe Digital Edition reader. (And for an added security bonus, they're sending it in plain text.) If you install and launch the new version of ADE, it's going to do this whether or not every single ebook you have on your system is DRM-free.

This is certainly an electronic privacy issue, but it's not a DRM issue just because Adobe Digital Editions supports Adobe DRM, and the EFF's headline is a little disingenuous. Adobe's rationale for this collection is indeed claimed to be related to licensing, but the biggest problem is how wide a net they're casting and how intrusive this information is -- ironically enough, if it was only sending this information about DRM-encumbered books, it'd arguably be much less of a scandal. (Although the fifty-eight people in the world using Adobe DRM would still have every right to be pissed.)


Since Adobe is not selling books, how do they benefit from parsing this data? If not for DRM-style tactics?

Are they selling it to third parties? Unless this is the case, then I'd say their obsession with DRM and rights management is the primary issue. Without of course discrediting that digital surveillance is the new standard.


As I said (well, quoted), it is for licensing -- Adobe is apparently trying to support some kind of "metered licensing," in which you might pay by how long you keep a book out or even by how far you read in it. Is that the same as DRM? In practice, mostly, since it's hard to see how that particular scheme would work without DRM. (But licensing is not the same as DRM, right? I buy a lot of DRM-free tech books, but that doesn't give me license to put those books up for free on my web site.)

But I'd nonetheless argue that the primary issue is not that Adobe is implementing new licensing schemes of dubious value. It's that Adobe implemented them in an exceedingly invasive way. I don't use Adobe Digital Editions unless I absolutely have to, but until now that's been because the software is awful, not because it's philosophically objectionable.

I'd also argue that it may not be entirely fair to describe Adobe as "obsessed with rights management"; they're providing a platform for publishers, and using DRM -- or not -- is the publishers' choice. The chances are high that the "metered licensing" concept was born of publisher request, not an Adobe plan to make everyone's life difficult. Making everyone's life difficult is just Adobe's standard execution plan.


I think the reasonable link to DRM is that the only reason you would ever consider Adobe Digital Edition reader is if it is forced upon you by DRM requirements.

If not for DRM you could choose a different not-crappy platform.


It's a DRM issue because their spyware is required software for their products.


One can only hope this blows up for Adobe the same way that Sony's music rootkit did. The sooner companies understand that DRM is a universally hated technology, the sooner we can all move on.


Sony's response to their rootkit fiasco ... specifically Thomas Hesse's statement that: "Most people, I think, don't even know what a rootkit is, so why should they care about it?" changed my buying behavior in a major way. I absolutely avoided spending money on Sony products and services wherever possible. It's a small way of showing disapproval, but it was one that worked for me, and took a little less revenue away from Sony.


It changed my behaviour, too. Between the rootkit, what they did to Lik Sang and the Other OS issue with PS3... I have boycotted Sony and will not reconsider after the third strike.

It also made me question what I bought from other people. Instead of generally accepting some limitations, I now will not buy anything that does not allow me to use what I purchased however I see fit. That now includes software. Fortunately Humble Bundle and GOG stepped up to be suitable alternate sources of gaming entertainment.

I find I don't even miss the more restrictive services anymore. Most of the spending there ended up being habit rather than desire.


That's an unusually direct move, as usually companies won't be so upfront about essentially saying "we want to keep you uninformed about our technology, so we can leverage it to control you better." The more common approach is to make a doublespeak-laden statement about "better experience", "convenience", and "security".


Don't you think they already know that?

Abolishing DRM will require a new breed of company. Only a few can still be profitable without it (Mozilla, anyone?). Those who can't should also be abolished together with DRM as outdated and obsolete (especially the worst offenders like Amazon or Adobe).


The publisher chooses to add DRM on Kindle books. Amazon doesn't require it; it's a checkbox in the publishing portal.

There are plenty of Kindle books that have no DRM.


Amazon chooses to offer that option. They're big enough now that they could get away with, for instance, charging a larger fee to publishers who apply DRM, or reducing their fee iff you don't apply DRM.


Amazon has no reason to do that. Their mission there is to serve their publishers, and if the publishers want to DRM it up, that's on them.


Amazon has the same reason to do that that Apple did when dropping DRM from the iTunes music store.

And no, Amazon's mission is not to serve their publishers, because their publishers aren't the ones giving them giant piles of money. Their publishers give them products to sell; their customers give them money for those products. Amazon's mission is to get as much from their customers as possible. Whether they can get more from their customers with or without DRM is a reasonable question, but the publishers only come into it if there's a belief that a significant number of publishers would leave.


That's not really true.

Apple faced two pressures which forced them to drop DRM from their music store: (1) Amazon MP3 who used lack of DRM as a point of differentiation over Apple and (2) the threat of regulatory action in Europe due to lack of interoperability.

Amazon today is in the same position in terms of ebooks as Apple was with music at the time - it uses DRM to lock customers into its hardware product, in turn driving further purchases towards its own store. This may or may not be a revenue-maximising strategy for them but it certainly looks like a market share-maximising strategy. Apple is also in a similar position again trying to drive purchases to its own store.

At the same time, regulatory action on competition has been more focused on contractual terms and price collusion/fixing than on interoperability; regulators will probably want to wait a while after sorting that mess out to observe whether they see competition acting effectively or not before addressing interoperability in ebooks.

For the same pressures and reasons to cause DRM to be dropped from ebooks, I think it will take an outside competitor (probably a new entrant) without a significant stake in hardware AND with substantial buying power to break this cycle. I can't think of an obvious candidate to do this today but perhaps I'm missing one.


No, their mission is to serve their customers, even at the expense of their publishers.


In a perfect world, that would be true. But this isn't a perfect world, and Amazon is a publicly traded company, so their mission is to make money for their shareholders. That _may_ mean doing what is best for the people buying goods & services from them, but if serving the publishers over the readers benefits shareholders of AMZN more than the other way round, then they are obligated to do that.


Do we know that they don't?


Is there any way to tell when buying on Amazon.com?


Yep. The ones that don't will have "Unlimited" under "Simultaneous Device Usage" in the Product Details section.

Edit: you can't explicitly search for them using Amazon's own search engine, but here's a Google hack that will turn them up:

https://www.google.com/?q=site%3awww.amazon.com%20-forum%20%...

(courtesy Hazzit at ebooks.stackexchange.com)


Google hack? What? That's no hack, that's the way google is supposed to be used, you know...


Ah, you're one of those who thinks that hacking has something to do with breaking into a computer.

I think maybe you're on the wrong site.


I don't think this inference is justified. It's also not nice.

My guess is psykovsky just thinks that this is too lame of a trick to be called a hack, being a part of documented Google Search functionality, which explains his comment equally well while not suggesting he doesn't know what the word means.

Principle of charity FTW ;).


I'm one of those something something? I'm on the wrong site? Does that even mean anything?



Hack = trick in this case; most people don't know you can tweak Google search queries like that.


Maybe people should read the user manual before actually using the tool.

This isn't a trick, it's just using google the way it was programmed to be used. Those are documented features of the google search engine, they are no "hacks".


Did you read the user manual for Google? Even if, the fact is, most people don't.

This is a trick insofar as most of the people don't know it. There are no obvious links to any kind of Google Search manual, and those features are not clearly advertised anywhere, so they can be treated like tricks of "those in the know".

There are many meanings to the word hack, and while some uses are more stretched than others, this one isn't that bad. Want to pick on something really meaningless? Try "growth hacking".

BTW. Creative uses of those features are actually called "google dorks" and are collected in a database[0].

[0] - http://www.exploit-db.com/google-dorks/


By that standard, everything you do on a computer is "using it the way it was programmed to be used."

It's all in the CPU instruction set, after all. It's all documented. Everyone should just read the manual.

Right?


Right. Or wrong. Why do I even bother answering...

You remind me of my 12 year old son. He also fetches the most ridiculous notions from who knows where to justify some of the silly things he does and says.


I have to add that Mozilla is now shipping DRM too: https://blog.mozilla.org/blog/2014/05/14/drm-and-the-challen...

That's very sad. :(


Let's not tread this ground again. Mozilla is shipping a plugin framework, not "DRM".


> Despite our dislike of DRM, we have come to believe Firefox needs to provide a mechanism for people to watch DRM-controlled content. We will do so in a way that protects the interests of individual users as much as possible, given what the rest of the industry has already put into place. We have selected Adobe to provide the key functionality. Adobe has been doing this in Flash for some time, and Adobe has been building the necessary relationships with the content owners. We believe that Adobe is uniquely able to bring new value to the setting.

Well, no, they added DRM to Firefox. They say so as much in as many apologetic ways that they can.

But agreed. There's a spectrum between DRM-only software and DRM-capable software. Adobe is DRM-only. Firefox is DRM-capable. Whether that's good or bad, and whether they could help it, is a guaranteed debate and a rabbit hole we want to avoid getting into.


Good thing Google, Microsoft and Apple aren't supporting DRM in their machine now - oh wait!

Also, Firefox - oh, Firefox - guess where it gets its DRM protection from now? Ok, I'll just say: Adobe.


Lucky that I compile Firefox from source anyway, even if it was originally to get proper Qt support.

In the future we’ll have to use IceWeasel then :/


Firefox will support closed-source DRM, but it won't distribute it:

As plugins today, the CDM itself will be distributed by Adobe and will not be included in Firefox. The browser will download the CDM from Adobe and activate it based on user consent.

https://hacks.mozilla.org/2014/05/reconciling-mozillas-missi...


Did the Sony rootkit have any measurable impact on any of Sony's business metrics? (revenue, profit, ...)


Probably only a minor ding but then only through the lawsuit it spawned.


I play pirated copies of games I bought and own on steam because I don't want steam to know how many hours I play my games, when I play them, from what place etc. I consider that is not anyone's business.

Adobe's spyware isn't that different from what gamers have accepted with Steam unfortunately. Will book readers accept it, the way gamers did, or will they fight back? Unlike video games, there are alternatives, that are still popular (buying books on paper). I don't ever intend on spending any $ on a drm'd book when I can have it on paper for the same price without DRM.


>> "I play pirated copies of games I bought and own on steam because I don't want steam to know how many hours I play my games, when I play them, from what place etc. I consider that is not anyone's business."

Just a hypothetical:

If the developer was giving you a discount on Steam because they could collect this information would you still buy it from Steam and then pirate it (getting the discount but not providing the information) or would you pay full price somewhere else? Not judging, just curious.


I buy games because I support the developers. I've spent full price money online on games that could've been bought for cheaper in physical form (amazon.fr is almost always cheaper than steam prices actually unless Steam is going through a sale. Regular prices on steam are always more expensive than getting the box delivered at your door). So, no. I wouldn't trade my privacy for cheaper prices, since the one reason that makes me "honest" and buy games in the first place is spending my money on things I like. I bought all the classic RPG I liked, and already owned in physical forms, on gog.com, just to show an interest in what I saw as a dying genre. Plus the fact that they are the only gaming platform that is DRM-free. Then I supported the kickstarter renaissance (Wasteland, Torment etc).

I've put my steam profile on private, but if you could see it, you would see almost no game past 1hour of play because I never play games from steam. I only buy them on steam, then I download a copy that will not violate my privacy. Because for as long as I breathe I will not let anyone intrude on my privacy. Also, when given the choice between steam and gog, I obviously chose gog.com.


It doesn't make sense. On one hand you're against violating your privacy. But on the other hand you are still supporting financially the very same developers who are OK with such violations when they offer their games through Steam. You're still increasing their Steam sales numbers, so obviously they will continue to publish their future content on this platform.

> I only buy them on steam, then I download a copy that will not violate my privacy.

There's a third choice - don't buy the games that violate your privacy and don't play them. You've pointed out great ways to support developers that don't violate privacy (GOG.com, Kickstarter) - why not stick only to these? Unless, your urge to play a video game is bigger than your integrity.


> There's a third choice - don't buy the games that violate your privacy and don't play them. You've pointed out great ways to support developers that don't violate privacy (GOG.com, Kickstarter) - why not stick only to these? Unless, your urge to play a video game is bigger than your integrity.

I support these options when they are available. But when you have a certain taste for specific niche of games, sometimes there is no alternative. Kickstarter has managed to bring back the classic top down, turn based party RPGs, which is fantastic, but I haven't seen any developer try to bring genres like RPG sandbox (ala Skyrim) or grid based, turn based dungeon crawlers (MMXL, which has one of the most annoying DRM, is the first game to be released in the genre in decades) to Kickstarter yet.

Sure, I'm making a dent on my integrity by buying these games but I don't see it as a great evil as long as we're still able to fight against privacy-invading schemes. If that option was no longer there, I would stop playing these games. I also feel that the developers deserve the support, they aren't responsible for the publishers requirements. I don't wish for them to go out of business, I'm optimistic that the growing success of Kickstarter and gog as a platform might change their mind in the long term, I don't think it's all black & white where we either support kickstarter or support DRM published games.

I'll remind you that many of the current great kickstarter developers come from a classic DRM supporting background. Obsidian, for example. Their last RPG, Fallout New Vegas, depended on Steam as their DRM. They saw the success of kickstarter, started their own project on it (Pillars of Eternity), succeeded in crowdfunding it and might end up relying more often on crowdfunding their games in the future. Pillars of Eternity will be DRM-free.

Now the question is, do you think it would've been better if no one had bought their games before? You think it would have been better if they had gone out of business? I do not believe so. PoE exists today because Obsidian could afford to build itself as a studio and recruit some of the best developers of the genre.

Showing support for crowdfunding, buying games on gog.com will help these developers free themselves from the shackles of the bad publishers. Boycotting developers that are still kept in shackles will not do anything but destroy their livelihood. Particularly as publishers are very likely to blame piracy when the games don't sell well.

The fact that a lot of pre-established developers are turning to crowdfunding bodes well for the future in my mind.


> But when you have a certain taste for specific niche of games, sometimes there is no alternative.

There absolutely is. You can just not play. Video games aren't an essential commodity; they are a luxury.

Just because I need to edit a photo using a Spot Healing Brush and I don't like cloud-based subscription doesn't mean I get to pirate Photoshop.

> I also feel that the developers deserve the support, they aren't responsible for the publishers requirements. [...] Now the question is, do you think it would've been better if no one had bought their games before? You think it would have been better if they had gone out of business? I do not believe so. PoE exists today because Obsidian could afford to build itself as a studio and recruit some of the best developers of the genre.

Except there are independent developers who succeeded without the need of going through classic big-house publishers: Mojang (before their acquisition by Microsoft) and Grinding Gear Games are two popular examples. Both of them did so with their first games. They built their reputation from scratch - nobody bought their games "before" because there were no such games.

And yes, there's nothing wrong with going out of business if you're doing a bad job and somebody else can do it better.

> Boycotting developers that are still kept in shackles will not do anything but destroy their livelihood.

On the other hand, it will promote the livelihood of those developers who took risk and published their games independently. It also isn't black and white where we either support old studios or they go bust and there are no more new games whatsoever.

One more thing. It might be a long shot, but if you're interested in grid- and turn-based RPGs, maybe give Dofus or Wakfu a shot. I'm saying it's a long shot because a) they are MMORPGs; b) they are subscription-based; c) they look cartoonish, almost anime-like. But they can get surprisingly complex and fascinating plus they are refreshing takes on seemingly played-out fantasy role-playing genre. They weren't on Kickstarter because they were developed by an indie French company for 10 years.


> Just because I need to edit a photo using a Spot Healing Brush and I don't like cloud-based subscription doesn't mean I get to pirate Photoshop.

The comparison is disingenuous, I buy all the games I play at their full price, some games I've even bought twice (all the classics available on gog with the DRM removed).

> Except there are independent developers who succeeded without the need of going through classic big-house publishers: Mojang (before their acquisition by Microsoft) and Grinding Gear Games are two popular examples. Both of them did so with their first games. They built their reputation from scratch - nobody bought their games "before" because there were no such games.

Sure, but not all types of games can be made with a small and inexperienced team. Something like Minecraft, which is mostly procedural content, or a diablo like cannot be compared to a lengthy RPG.

> And yes, there's nothing wrong with going out of business if you're doing a bad job and somebody else can do it better.

If they made a good game, and all that's bad about it is the drm scheme, is that really a "bad job"?

> One more thing. It might be a long shot, but if you're interested in grid- and turn-based RPGs, maybe give Dofus or Wakfu a shot. I'm saying it's a long shot because a) they are MMORPGs; b) they are subscription-based; c) they look cartoonish, almost anime-like. But they can get surprisingly complex and fascinating plus they are refreshing takes on seemingly played-out fantasy role-playing genre. They weren't on Kickstarter because they were developed by an indie French company for 10 years.

Unfortunately, I'm pretty averse toward MMOs in general, I don't like games over which I have no control, that could be shut down at any moment, or change in a way I might not like in a patch (as MMOs have a high tendency to constantly go through rebalance, skill changes etc). I don't mind the anime-like stuff when the gameplay is good though, although I'll always feel games would be better without it. I don't mind buying and playing games on console platforms like the 3DS when I know that at some point in the future they will be emulated and thus ensure the long term archiving and playability of the games, so I've had experience with games like Etrian Odyssey IV, which have bad (in my opinion) graphic style, but classic gameplay that has been long forgotten on the PC. I like big dungeon mazes and having to draw my own maps, it's a nice throwback to the era of games like Wizardry and older Might&Magic. The closest to that in the world of indies on PC is Grimrock, but the combat is real time and pretty badly done, consisting of a mumbo jumbo dance where you step back and forth in a hit and run fashion.

Overall, I'm willing to compromise with DRM, as long as there's a way, be it in the present (like with most PC games) or in the future (like 3DS games) to eliminate it. This is also why I didn't buy into the newer generations of consoles, with Moore's law more or less coming to an end, I don't think we'll ever be able to emulate Playstation 3 games, for example, at a decent speed. Current handhelds, while not being emulated yet, are still within the realm of possibility. For home consoles, CPUs just aren't progressing fast enough, single core performance seems like it'll reach a standstill soon and it already takes a high end CPU to fully emulate something like the PS2, never mind thinking about something like the Cell.

I don't play a lot of games, but those I do play and enjoy tend to be games I enjoy revisiting decades later. For that matter, I'm currently replaying Wizardry 6 as I'm in a heavy dungeon crawling mood. This is also partly why, to me, it is important for the possibility of getting rid of DRMs to exist.

Other than not liking MMOs, I do have a varied taste in RPGs. I can go from games like Wizardry, to gridbased/tactical RPGs like Jagged Alliance 2 and Fire Emblem, to sandboxes like Skyrim. RPGs are pretty much the only genre of games I play.


> The comparison is disingenuous

I disagree. I can always pay the monthly subscription equivalent of the old standalone license and then just torrent the DRM- and cloud-free version of Photoshop. The developer still technically gets paid, but I'm under no illusion that my actions are in any way justified.

> a diablo like cannot be compared to a lengthy RPG.

I tried to look up how "lengthy" this game exactly is going to be and I'm not content with my results. "Our goal is to make it as long as possible with the funding that we get from Kickstarter" is as bland a response as it can get. And from the look of it Pillars won't have decent voice acting. Path of Exile does, not only main characters' taunts, but also NPC dialogs and environmental lore (journals, statues, inscriptions, etc.). Recently, they released an expansion pack which added more story and fully voiced NPCs. In my book this "Diablo-like" can hold a candle to a "lengthy RPG" just fine.

I really hope Pillars succeeds, but I'm going to hold my judgement until it's fully released.

> If they made a good game, and all that's bad about it is the drm scheme, is that really a "bad job"?

Apparently it is, since it's such a deal-breaker for you and you actively seek DRM-free games. And it's ok, because user experience is extremely important. Even if the gameplay is good, technical obstacles which won't let players enjoy the game will absolutely ruin its opinion. It was especially evident with always-online games that had problems during the launch (Diablo III, SimCity).

> Unfortunately, I'm pretty averse toward MMOs in general (...)

Ah, well. They're not for everyone. I'm not a big fan of them myself; I prefer to go at my own pace and often end up playing them like in a single-player mode.

Interesting point with emulation; I haven't considered that.

> Other than not liking MMOs, I do have a varied taste in RPGs.

What about roguelikes? Again, they might not be for everyone, but I had tons of fun with classics like Nethack and ADOM.


> I disagree. I can always pay the monthly subscription equivalent of the old standalone license and then just torrent the DRM- and cloud-free version of Photoshop. The developer still technically gets paid, but I'm under no illusion that my actions are in any way justified.

I am not looking for justifications. I am passionate about what I like, and what is essentially cultural content, rather than a tool. I don't see games the way I look at software, I see no need to "preserve" software. I do see a need for open formats, supporting interoperable standards etc though. But I really don't care if an old version of photoshop, or whatever, stopped working in a few decades. I'll still want to be able to run my favorite classics. I don't want a world where the things I bought and greatly enjoyed might stop working at some point. I am not looking for a moral justification or law or whatever. I don't care. It is just something I am passionate about. I buy the games not because the law requires me to do so, I buy them because I love them, because I want to support the developers, even if I don't like the DRM.

> I tried to look up how "lengthy" this game exactly is going to be and I'm not content with my results. "Our goal is to make it as long as possible with the funding that we get from Kickstarter" is as bland a response as it can get. And from the look of it Pillars won't have decent voice acting. Path of Exile does, not only main characters' taunts, but also NPC dialogs and environmental lore (journals, statues, inscriptions, etc.). Recently, they released an expansion pack which added more story and fully voiced NPCs. In my book this "Diablo-like" can hold a candle to a "lengthy RPG" just fine.

Do you have any experience with branching storyline content? RPGs like PoE are extremely difficult to do well because we're talking about a particular flavour of RPG, that of "Choice&Consequence", where you can have an impact on the storyline, the way you handle quests, the way the world reacts to your actions etc. PoE comes from the Fallout/Arcanum/Mask of the Betrayer lineage of RPG when it comes to that kind of content. All these games tend to have as a side effect a certain amount of bugs despite all the testing and Q/A that goes through, it's inherent to the genre and both Fallout and Arcanum are still getting new fan patches to this day, which is a testament to the complexity involved. I have never seen a game with a certain amount of branching that wasn't overly complex to handle. What games like Fallout/New Vegas/Arcanum did with branching simply does not compare to what happens in games like modern Bioware stuff, or Bethesda. The epilogue details all the actions, and the consequences they brought, to all the places you visited, the characters you interacted with etc. The games have a lot of reactivity. The number of variables to keep track of is overwhelming. This isn't like games where the gameplay doesn't go beyond monster bashing.

Things like voice acting are honestly not in my list of priority in a game, any game. Voice acting doesn't add complexity in development either, it requires more funds to be spent on actors, funds I'd prefer to see being spent on more quests, more branching complexity, more testing and polishing.

> What about roguelikes? Again, they might not be for everyone, but I had tons of fun with classics like Nethack and ADOM.

Nethack is a favorite of mine but I don't have any experience with ADOM. A lot of great RPG subgenres to go through and too little time.


Where does the DRM part come into play? The description sounds like it could be applied to just about any automatic sync-your-progress-across-devices feature, which is a hugely desirable feature IMO (my Kindle would be worth a huge amount less without it, since books almost always take multiple reading sessions to finish), and it's also very useful for movies/TV...


Well, one reason: because if we had the freedom to use any ebook reader we wanted, then we wouldn't have to rely on Adobe spyware. DRM prevents that.


Two ways: (1) the uploaded information appears to include book licence details; if the book-scanning aspect is true then this amounts to scanning for DRM-stripped or otherwise out-of-licence material. (2) Details are light on the new DRM scheme Adobe introduced in DE3, but some are claiming it to involve requiring always-on network connectivity; if that is true, then this information leak may be linked, or at least may not be blockable w/o also preventing access to DRMed books.


> Second, sending this information in plain text undermines decades of efforts by libraries and bookstores to protect the privacy of their patrons and customers.

Someone needs to sue Adobe over this. That way we can stop such future invasions of privacy from DRMed machines in the future.

Also, Microsoft will do much of the same with Windows 10, collecting data not just on ebooks, but any file you might open, and even characters you may type. Digital Editions is one app. Windows 10 is a whole OS, which makes the whole thing a lot scarier:

http://www.theinquirer.net/inquirer/news/2373838/microsofts-...


Is that only for the preview or also for GA? Why would any corporate customer agree to this policy? Maybe it's only for the free version of Windows 10, the one targeted at $200 Chromebook clones?

The private equity members of Microsoft's board have been advocating for more focus on cloud services and less on Windows, e.g. recent moves to support Apple devices.


sans file monitoring (though windows has been offering to send heuristics and file signatures through windows defender for a while now)

isn't that stuff that most already have signed away on? iOS's autocorrection for their keyboard, and cloud processing for siri? and same for android's TTS, STT engines (both are cloud-based by default if I'm not mistaken)? (and the google keyboard)

without asking the user to agree to such things, microsoft can't enter the mobile device arena to the same degree as competitors


>> "iOS's autocorrection for their keyboard"

I'm pretty sure nothing you type leaves the device on iOS unless you give permission (which you can do with third party keyboards).


Not that I think it's good that mobile OSes spy on you, Windows 10 will be a desktop operating system. Desktop OSes have not traditionally been known to spy on you.


Processor-level support for DRM will make future cases more interesting, https://www.virusbtn.com/virusbulletin/archive/2014/01/vb201...

"If software and hardware could be ‘sealed’ in some way to prevent an attacker from examining data in main memory, even if the attacker had administrator level privileges on the machine, not only could the confidentiality and integrity of data in the cloud be protected, but the algorithms and design of cloud hosted applications could also be hidden from prying eyes."


the device ID, which is a 128-bit unique number tied to the processor.

15 years ago Intel tried this, and there was enough opposition that they removed the feature in later models: http://en.wikipedia.org/wiki/Pentium_III#Controversy_about_p...

When SGX gets implemented in a future processor, will the users once again fight strongly against it, or will they submissively accept it without resistance, looking only at the claimed "security benefits"? I really hope it'll be the former.

Reading the rest of that article and the linked Intel documents just... gives me a very bad feeling about the direction things are heading.


It's a double-edged sword.

I work for a company that has to deal with a fair number of online cheaters and fraud. It would be great if we could know who we were really dealing with for our financial transactions, or failing that, have a secure execution environment for our code so we'd have a solid place to stand on. Unfortunately the state of security on PCs is so miserable that they simply cannot be trusted.

Game consoles actually do this kind of thing; the security architecture is rooted in hardware, partly to maintain the paywalls for entry to the console's market, and partly to ensure that the environment is secure against bad guys.

Of course the moment you have system like this on a commodity PC you also enable a bunch of tracking, DRM and lockout stuff that is near trivially exploited by state-level actors and companies to whom you are just chattel to be sold or rented out. And that sucks really hard.

I don't expect the masses to make good choices about security systems; they can be misled, outright fooled, or simply drawn into poor decisions by trinket-class rewards. It's depressing.


Devil is in the details, e.g. in all processors or optional? Can hardware owners set root keys? How will enclaves interact with client Hyper-v, Yosemite OS X hypervisor, html5 drm, open-source virtualization & crypto, etc.


Protecting content from users is a failed game. This kind of protection is useless. At the very least, they need to decrypt information before it passes through our eyes and ears - that's the weak link in the chain.


I think the weak link in the chain is only after decryption, but before uncompression (for lossy formats, so books excluded). See, for example, [1] and [2], where the authors look at randomness and entropy measures of I/O to find where the decrypted-but-compressed buffers are.

[1] http://moyix.blogspot.de/2014/07/breaking-spotify-drm-with-p...

[2] https://www.usenix.org/node/182951


Useless or not, it could impact x86 operating systems and would benefit from developer feedback prior to shipment of microcode in new processors.

Oculus will make it more difficult to photograph the screen.


It seems like virtualization is about to become useless in the future and CPU-emulating+jit compiling systems are the future, because SGX can't be virtualized.


More likely that hypervisors will be refactored to take advantage of the additional protection level.

See PrivateCore (now Facebook), http://en.wikipedia.org/wiki/PrivateCore & http://security.stackexchange.com/questions/53165/is-it-poss...


> If software and hardware could be ‘sealed’ in some way to prevent an attacker from examining data in main memory, even if the attacker had administrator level privileges on the machine

1. all it takes is one DRM free copy on bittorrent to make this scheme fail

2. how would they prevent me from grabbing images on the screen and turning them back into books? Or scanning a physical book.

3. blind people need to do this conversion anyway, to run the text through text to speech

Remember, it only takes one DRM-free copy on filesharing to make the DRM invasion a useless failure.


So far I've seen very little evidence that this will work. Unless some true mechanism can be found for remotely verifying that you are loading your code into a known environment then there's no way to know that you're running in a secure enclave in the first place.

The best attempt I've seen is sending a computation to be performed by the remote side and trying to infer the state of the CPU cache based on how long it takes to answer. If the timing is off then the cache must have been in an unexpected state and therefore unexpected code must have been executing on the machine. It's clever, but not practical.

What has Intel come up with that's any better? What's described in your link could simply be emulated in software. How would the remote side know the difference?


SGX includes microcode-based crypto which allows an enclave to both sign and encrypt things using keys based on a hash of the contents of the enclave and some master private key locked away in the CPU. I haven't looked into exactly how this works (although I'd love to defeat it some day when it's released...), but it can't be emulated in software unless you manage to extract the private key.

https://software.intel.com/sites/default/files/article/41393...


So, Intel plans to embed a key, signed by some well known root key, in each CPU. I might have skipped over a step or two here, but basically the idea is that only Intel would have the necessary signing key to be able to spoof attestations?

Whoever wants to run their code in the enclave would send over a sort of bootloader, which would be responsible for acquiring the signed attestation from the CPU and sending it back. If the signature is good, then the actual code to be run in the enclave can be uploaded.

Something about this feels wrong... but then again if Intel wanted to backdoor its CPUs we'd all be screwed anyway, so it's hard to see how this feature could hurt.

If applications want anti-virus to be able to get at their data, then they'll just have to provide an explicit interface to do that.

If this becomes widely deployed, that root key would be pretty valuable!


In SGX, each processor will have a non-extractable private key and certificate. The certificate isn't emulatable.
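

The attestation flow discussed in the comments above (measure the loader, sign the measurement with a key held in the CPU, verify remotely before uploading the real code), as an added example that is not part of the thread and is not Intel's code. It is a simplified model: an HMAC key shared with the verifier stands in for the CPU's asymmetric signature, and all class names, loader strings and keys are constructed for illustration.

```python
import hashlib
import hmac
import secrets

LOADER = b"constructed sample: trusted loader v1"          # constructed input
PATCHED_LOADER = b"constructed sample: loader + key dump"  # constructed input


def measure(code: bytes) -> bytes:
    """Hash of the code placed in the enclave before it is locked down."""
    return hashlib.sha256(code).digest()


def sign(key: bytes, measurement: bytes, nonce: bytes) -> bytes:
    # Assumption: HMAC stands in for the CPU's asymmetric signature.
    return hmac.new(key, measurement + nonce, hashlib.sha256).digest()


class SimulatedCpu:
    """Measures what it actually loads and signs with a key it never hands out."""

    def __init__(self, device_key: bytes):
        self.__device_key = device_key

    def quote(self, loaded_code: bytes, nonce: bytes) -> dict:
        m = measure(loaded_code)
        return {"measurement": m, "nonce": nonce,
                "tag": sign(self.__device_key, m, nonce)}


class SoftwareEmulator:
    """No device key: it can claim any measurement but has to guess the key."""

    def quote(self, claimed_code: bytes, nonce: bytes) -> dict:
        m = measure(claimed_code)
        return {"measurement": m, "nonce": nonce,
                "tag": sign(secrets.token_bytes(32), m, nonce)}


class RemoteVerifier:
    def __init__(self, verification_key: bytes, expected_code: bytes):
        self._key = verification_key
        self._expected = measure(expected_code)
        self._pending = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, quote: dict) -> str:
        if quote["nonce"] not in self._pending:
            return "rejected: stale or replayed nonce"
        self._pending.discard(quote["nonce"])  # each challenge is single-use
        good = sign(self._key, quote["measurement"], quote["nonce"])
        if not hmac.compare_digest(good, quote["tag"]):
            return "rejected: not signed by a genuine CPU key"
        if not hmac.compare_digest(quote["measurement"], self._expected):
            return "rejected: unexpected loader measurement"
        return "accepted: safe to upload the real enclave code"


def run_demo() -> dict:
    key = secrets.token_bytes(32)  # constructed device key
    cpu, verifier = SimulatedCpu(key), RemoteVerifier(key, LOADER)
    genuine = cpu.quote(LOADER, verifier.challenge())
    return {
        "genuine": verifier.verify(genuine),
        "replayed": verifier.verify(genuine),
        "patched": verifier.verify(cpu.quote(PATCHED_LOADER, verifier.challenge())),
        "emulated": verifier.verify(SoftwareEmulator().quote(LOADER, verifier.challenge())),
    }


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case:9s} {verdict}")
```

The model only shows why the verifier's decision rests on the key staying inside the CPU; it says nothing about how well real hardware protects that key.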


There's a long technical discussion in the first reference given in the article. Remove the space in the link.


So long as we can insert a [Xen] Hypervisor between the OS and the processor, I'm confident someone will find a way to make it do what someone else doesn't want it to.

Hypervisors aren't just for virtualizing servers, you can use them for all sorts of things, like intercepting system calls.


The cited SGX analysis was written by a Qubes/Xen developer:

"Intel SGX is essentially a new mode of execution on the CPU, a new memory protection semantic, plus a couple of new instructions to manage this all. So, you create an enclave by filling its protected pages with desired code, then you lock it down, measure the code there, and if everything's fine, you ask the processor to start executing the code inside the enclave. Since now on, no entity, including the kernel (ring 0) or hypervisor (ring “-1”), or SMM (ring “-2”) or AMT (ring “-3”), has no right to read nor write the memory pages belonging to the enclave."


How often is the enclave validated? Could modified DRAM be used that would return one set of data to the enclave validation, and another the rest of the time? What would have to be done to the CPU cache?


More data here:

http://theinvisiblethings.blogspot.com/2013/08/thoughts-on-i...

http://theinvisiblethings.blogspot.com/2013/09/thoughts-on-i...

".. the processor automatically encrypts the content of SGX-protected memory pages whenever it leaves the processor caches and is stored in DRAM. In other words the code and data used by SGX enclaves never leave the processor in plaintext."

"..once the key is obtained, it is available only within the SGX enclave. It cannot be found in DRAM or on the memory bus, even if the user had access to expensive DRAM emulators or bus sniffers. And the key cannot also be mishandled by the code that runs in the SGX enclave, because remote attestation also proved that the loader code has not been modified.."


Sounds pretty serious, then.


Fortunately Kindle DRM is so trivial to remove. I wish it had none but at least I know my books are mine forever and my reading habits are not being actively tracked if I use free non-Amazon ebook software.

Amazon seems to turn a blind eye to it, probably because so few readers can be bothered using de-drm software.


I learned to de-DRM my Amazon books due to the concerns of their licencing. Now I can put them on my phone and listen to the books with TTS. The kindle App for Android doesn't have the feature...


if the kindle app for ios is the same it does, highlight speech and tap the speaker icon at the bottom right


It's also pretty easy to ignore a paper contract... until you get caught. Then, the level of triviality of circumvention doesn't mean crap in court.


Adobe is taking a pummeling this week. This news is nicely timed for the launch week of Affinity Designer, a serious competitor to Illustrator on the Mac App Store for casual and not-so-casual users who don't use Adobe products heavily enough to justify the cost of a monthly subscription. I tried it yesterday and was ready to cancel my Creative Cloud single-app subscription after about 20 minutes of experimentation. It's more than sufficient for my vector graphic needs as an indie developer.


Yup, I'm stoked on Affinity Designer. It also nicely promotes Serif software as an alternative to the Creative Suite. Serif has a lot of educational customers and casual users and probably would have more if people knew about them and their prices. I'm going to revisit their stuff. It's been about 10 years since I checked out their page layout program. But Affinity is fantastic. They put in a lot of great ideas into it in the UI. Xara on Windows and Affinity on Mac will be my go-to apps for vector drawing. Illustrator for me is basically just an app for conversion to make sure a file is ready to share. I hate working in it, clunky app.


There are also loads of great serif fonts. I've been using them for a while now. It's really great to see them moving into software.


I don't mind Affinity Designer at all, but it's still missing a lot of functionality I've become used to in Photoshop. I enjoy the speed and the interface, but the lack of in depth bitmap transform tools was a bit disappointing. They were however very responsive in the Beta and I imagine they'll keep that momentum up. If they manage it they might be a very capable alternative to Adobe Photoshop and Adobe Illustrator.


I could be wrong, but it seems to me that DRM is useless. People who like to pirate will pirate, no matter what safeguards you put in place, it's been proven over and over. It's just a nuisance for people who want to obtain media legally. If I paid for something, why can't I use it on any device I own with any software? It makes the purchase so much more valuable.


Given the scale of incompetence required to have your 'spyware' transmitting common and expected book data and metadata in plaintext, I have to say we should employ Hanlon's Razor here, and not attribute to malice what can adequately be explained by stupidity.

That said, there's probably a little malice in there, too. And either way, this is probably a crippling blow to this branch of Adobe.


When a drunk driver crashes into somebody, we do not care that they had no ill intent. Why should it matter here?

Sufficiently advanced incompetence might as well be malice.


We do what we must

Because

We can



