[Infowarrior] - Pushing the impossible

Tue Sep 4 19:06:00 UTC 2007

Pushing the impossible

Movie studios believe they can create the perfect copy protection system.
But it would be easier to go faster than the speed of light, says Cory
Doctorow

    * Cory Doctorow
    * Guardian Unlimited
    * Tuesday September 4 2007

http://www.guardian.co.uk/technology/2007/sep/04/lightspeed

Ask a certain kind of security-minded geek about "copy protection"
technology and chances are they'll tell you that it's flat out impossible.
They might even avow it with the same certainty that physicists employ when
they say you can't travel faster than the speed of light.

That level of certainty can be a little daunting, especially since our
intuition tells us something different. We can imagine accelerating and
accelerating and accelerating until our speed exceeds 299,792,458 m/s  hey,
just rev the old spaceship up to 299,792,457 m/s, open up the throttle a
little and voilaŠ we've just proven generations of physicists wrong.

The thing is that when they say that you can't travel faster than the speed
of light, they're talking about the fundamental principles of physics: it's
impossible to get beyond lightspeed, even if science fiction movies help us
conceptualise it.

In the same way, we can imagine building progressively better software locks
for movies, music, ebooks, and software until we hit on one that even the
wiliest hacker can't defeat. But, just like the physicists, the geeks who
say that DRM can never reach this point are speaking about fundamental
principles of information science. It's impossible to get that far.

To understand this, you need to understand a little bit about cryptography -
the mathematics of scrambling and descrambling information.

Modern industrial cryptography consists of three crucial components: first,
a "cipher" - a system for scrambling messages. These are always public and
never secret or proprietary. Banks, spies, retailers, child pornographers
and your web browser all use the same basic set of ciphers. That's because
the only way to prove that a cipher works is to expose it to public scrutiny
and see if any clever bastard can spot a flaw in it.

It's a little counterintuitive to think of full disclosure as a prerequisite
for security, but it is a basic tenet of cryptography  and it has been so
ever since Alan Turing and the lads at Bletchley Park broke the Nazi ciphers
and spent the rest of the war reading Hitler's secret dispatches and
snickering to themselves.

Second, there is a "ciphertext" - a blob of data that has been encrypted
with the cipher.

Finally, and crucially, there's the "key". This is a very small piece of
information - usually less than 1000 characters - that is kept secret from
all but the legitimate senders and receivers of the information. The key is
the secret bit of information that the cipher uses to unscramble the
ciphertext.

As a system, it works brilliantly. You can download an email privacy program
that uses standard, public encryption algorithms to scramble your email so
that only its intended recipients can read them. You know that messages can
only be read by the authorised sender and the authorised receiver because
you are the only ones who know have the key.

It's great for email, but it can never work for movies, TV shows or music,
because in the case of "copy protection" the receiver is also the person
that the system is meant to guard itself against.

Say I sell you an encrypted DVD: the encryption on the DVD is supposed to
stop you (the DVD's owner) from copying it. In order to do that, it tries to
stop you from decrypting the DVD.

Except it has to let you decrypt the DVD some of the time. If you can't
decrypt the DVD, you can't watch it. If you can't watch it, you won't buy
it. So your DVD player is entrusted with the keys necessary to decrypt the
DVD, and the film's creator must trust that your DVD player is so
well-designed that no one will ever be able to work out the key.

This is a fool's errand. Because the DVD player has the key, it's always
possible that it can be extracted by academics, hardened hackers  or just
kids who are in it for the glory.

One hacker known as Muslix64 got the keys to the HD-DVD system he owned.
Then he did the same trick again with a Blu-Ray player  this time without
ever being in the same room as it. He just had a mate email him the contents
of the computer's memory, captured while it was playing a Blu-ray disc.
Muslix64 reasoned that if the computer was unscrambling the Blu-ray disc, it
must have the key in its memory somewhere. He did a quick search of the file
and hey presto, Blu-ray was broken.

And the thing is that if a DRM is broken once, it's useless. The breaker can
put his copy of the movie, music, ebook, or software online on a peer to
peer network or fileserver, and from there anybody can "break" the copy
protection simply by downloading a copy. It's a one-shot deal.

DRM is supposed to force those unwilling to pay into buying, rather than
nicking, their media - but once the cheapskates can search for a cracked
copy on Google, it is meaningless.

This means that ultimately, DRM only affects people who buy media honestly,
rather those who nick, borrow or cheat their way to it. In turn that means
that the people who ultimately bear the inconvenience, cost and insult of
DRM are the paying customers, not the pirates.

There are some fundamental truths in the universe. We cannot travel faster
than light, and we cannot make a copy protection system that is uncrackable.

The only question is: how long will paying customers stay when the companies
they're buying from treat them as attackers?

· Cory Doctorow is an activist, science fiction author and co-editor of the
blog Boing Boing.