[E-Lang] Fwd: Schneier's Views on DRM?

Dan Moniz dnm@pobox.com
Sun, 05 Nov 2000 23:47:51 -0500 

[ Interesting. Bruce has come very close in a lot of his writings of late 
to the capability-based security side of the fence without saying as much. 
This article, although not Schneier's own, but in reference to it, makes 
note of InterTrust as DRM. Honestly, and maybe I'm tooting my own horn 
here, but InterTrust is copy protection, which they believe is digital 
rights management. I think that's wrong. They're copy protection. *We're* 
rights management.
--dnm ]


>X-Flags: 0000
>Delivered-To: GMX delivery to dnm@gmx.li
>X-Sender: rah@ibuc.com
>Date: Sun, 5 Nov 2000 21:00:24 -0500
>To: Digital Bearer Settlement List <dbs@philodox.com>
>From: "R. A. Hettinga" <rah@shipwright.com>
>Subject: Schneier's Views on DRM?
>Sender: <dbs@philodox.com>
>List-Software: LetterRip Pro 3.0.7 by Fog City Software, Inc.
>List-Subscribe: <mailto:dbs-on@philodox.com>
>List-Digest: <mailto:dbs-digest@philodox.com>
>List-Unsubscribe: <mailto:dbs-off@philodox.com>
>
>
>--- begin forwarded text
>
>
>From: "Frank Sudia" <fsudia@home.com>
>To: "Digital Commerce Soc" <dcsb@ai.mit.edu>
>Subject: Schneier's Views on DRM?
>Date: Sun, 5 Nov 2000 16:58:11 -0800
>Sender: bounce-dcsb@reservoir.com
>Reply-To: "Frank Sudia" <fsudia@home.com>
>
>Dear DCSB,
>
>I respect Bruce Schneier and his achievements (the book, 2fish, the Co,
>etc.)  And it's refreshing that he has the guts to give his honest opinions
>about the many truly bad products in the burgeoning security market.
>
>However, I think it might be helpful to point out that his comments (within
>the last few months) about client-side enforcement of security rules have
>seriously missed the mark.  In brief, Bruce has argued that all clent-side
>digital rights management, metering, and watermark software, etc. is flawed
>"in principle," because the users can always defeat it, and should hence be
>abandoned as a technology concept.
>
>No one would argue that Windows or any other leading PC operating system is
>secure against software attacking other software.  As one leading
>cryptographer said to me at the RSA show, this place should be "shut down
>for fraud," because most products were running on Windows, and hence their
>security claims were weak.  (As long as worms and buffer overflows, etc. can
>allow attackers to gain total control of your machine...)
>
>At present, PC operating systems are so insecure that Bruce is right.  DeCSS
>type exploits will often defeat "technical protection systems" (TPS).  But
>it is also possible "in principle" for major PC makers to engineer new
>chipsets that support seamless "secure execution," with genuine assurances
>(to both the client and app vendor) that PC client software is running
>unmodified.
>
>Thus far no PC makers have gotten serious about providing secure execution.
>It's tricky to do, creates warranty problems, and could create a support
>nightmare, from users losing their passwords, etc.  (I surmise this is why
>Microsoft is reluctant to implement real security.  A blocked user is an
>unhappy user, and phone support is out of the question, etc.)
>
>However, if a new chipset came out that supported secure loading and
>upgrading of apps, certs, root keys, etc. then all forms of client rule
>enforcement for digital rights management and metering would suddenly be
>entirely enabled!
>
>The DRM horses left the gate a couple of years ago, filing patents by the
>score, so it's late to catch them.  But anyone who followed Bruce's advice,
>and didn't get his product designed and patent filed on his rule schema, was
>a fool.  Because whenever secure execution finally arrives, it will be too
>late to design and patent a DRM rule schema.
>
>That being said, DRM is probably "ahead of itself," and there may be a
>shakeout, etc.  But please note that it is NOT impossible "in principle" to
>enforce rules and run secure software on a client PC -- just not in the
>current chipset generation.  Sooner or later the technical and business
>problems surrounding secure execution will get solved, and at that time DRM
>schemes could flourish, assuming there is a real market for them otherwise.
>
>Apologies if I've misstated Bruce's view, or he issued a retraction that I
>missed.  This is not (per se) a "Buy" recommendation on InterTrust.  Now
>back to work.
>
>Cheerio,
>Frank
>
>www.sudialab.com
>
>
>
>
>For help on using this list (especially unsubscribing), send a message to
>"dcsb-request@reservoir.com" with one line of text: "help".
>
>--- end forwarded text
>
>
>--
>-----------------
>R. A. Hettinga <mailto: rah@ibuc.com>
>The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
>44 Farquhar Street, Boston, MA 02131 USA
>"... however it may deserve respect for its usefulness and antiquity,
>[predicting the end of the world] has not been found agreeable to
>experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'


--
Dan Moniz <dnm@pobox.com> [http://www.pobox.com/~dnm/]