Open Source DRM Solutions?

kdawson posted more than 6 years ago | from the using-the-force-for-good dept.

Security 369

Feint writes "I'm working on a business platform for inter-company collaboration based on an open source software stack. As part of that platform I would like to integrate some sort of digital rights management for the documents in the system. The vast majority of articles about DRM are focused on how good or evil it is to apply DRM to digital music or video. I haven't seen many articles address open source solutions for protecting business data like CAD / MS Office / PDF / etc. documents, which is a real need in business today. Can the Slashdot readership suggest some open source DRM offerings other than the Sun DReaM initiative, which hasn't had a release since Jan. 2007?"

We call it... (5, Informative)

Anonymous Coward | more than 6 years ago | (#22134074)

Public key cryptography. It won't protect work from being copied, but that's an endless battle anyways until the trusted computing platform is mainstream.

This coward is correct! (3, Informative)

TheMiddleRoad (1153113) | more than 6 years ago | (#22134152)

Public key is the way to go. Place the keys on smart cards or smart USB keys. Encrypt files individually, not just as volumes. OK, it'll be a pain in the ass. Maybe PGP Enterprise will help?

Re:This coward is correct! (1)

calebt3 (1098475) | more than 6 years ago | (#22134288)

USB keys
One word: IronKey [thinkgeek.com]

Re:Open source Scientology's OTIII,in its entirety (1, Funny)

Anonymous Coward | more than 6 years ago | (#22134908)

Last time that was posted, there was a DMCA complaint. Careful.

Re:We call it... (0)

Anonymous Coward | more than 6 years ago | (#22134866)

saying DRM is pointless is easy to do, so...

Open Source DRM? (5, Funny)

Anonymous Coward | more than 6 years ago | (#22134076)

No.

I'm sure we could (5, Interesting)

Improv (2467) | more than 6 years ago | (#22134084)

I'm sure some of us could, but why would we want to? Design our own prison? Encumber data? Stop whistleblowers?

Re:I'm sure we could (3, Insightful)

s4m7 (519684) | more than 6 years ago | (#22134514)

Well, that's the rub isn't it, OSS being conceptually antithetical to DRM. Most open source licenses (hi BSD guys) require contributing your own work back to the collective good.

I second the earlier idea that encrypting your data is the best option, and submit for review the existence of libcrypt [gnupg.org] as an efficient means of accomplishing said goal.

Re:I'm sure we could (1)

neuronautDOTorg (1224612) | more than 6 years ago | (#22134638)

this is a tired and typical response

Unclear On The Concept of "Open?" (5, Funny)

Jeremiah Cornelius (137) | more than 6 years ago | (#22134090)

Hey, Guys! I want some help too!

Do we have open-source Tasers? I'm also after open-source software to rig voting machines.

I look in freshmeat and SourceForge - but they mostly seem to be oriented to freeing people, not locking 'em up.

Re:Unclear On The Concept of "Open?" (1)

Plutonite (999141) | more than 6 years ago | (#22134360)

Too bad for you I've *patented* the idea of open sourcing tasers a long time ago. What, why are you looking at me like that?

Too busy (3, Funny)

VampireByte (447578) | more than 6 years ago | (#22134534)

Why would anyone want to defer from working on their open source poison that causes slow-and-painful death for cute puppies?

Why not simple passwords? (2, Insightful)

Nemilar (173603) | more than 6 years ago | (#22134092)

Passwords can be applied in any number of ways. You can base it on pgp keys, if you want to limit the specific people who have access to the documents; or, you can do a one-size-fits-all solution, just applying a password to a file, and giving that password to those who need access.

It's an oxymoron (5, Insightful)

Kjella (173770) | more than 6 years ago | (#22134096)

If it's open source, you can change it thus disabling any protection it might offer unless it's some hardware-backed signing. The system isn't designed for it either, just removing all the ways you could dump the information anyway would be a big job. Just get Vista if you want an end-to-end DRM stack. In short, you want to give someone the DRM'd file, the instructions on how the DRM works and still want them to be unable to decode it on their own, bypassing any DRM? Not going to happen.

Re:It's an oxymoron (1, Insightful)

wizardforce (1005805) | more than 6 years ago | (#22134314)

If it's open source, you can change it thus disabling any protection it might offer unless it's some hardware-backed signing.
then I guess we don't have anything like an encryption program of some sort like say gnu privacy guard or maybe truecrypt.

Re:It's an oxymoron (3, Insightful)

msuarezalvarez (667058) | more than 6 years ago | (#22134402)

You are making the same mistake that people who insist on coming up with DRM schemes make...

A DRM scheme is an attempt at giving someone the encrypted file and the decryption key, with the intent of protecting the content against that precise someone. GPG, on the other hand, is a scheme which attempts to protect the encrypted files from those who do not have the decryption key.

It is not that difficult, really...

Re:It's an oxymoron (2, Insightful)

wizardforce (1005805) | more than 6 years ago | (#22134496)

you assume I was ignorant of this, I was merely pointing out that there exists a system to keep those who don't have the key from decrypting the data. I didn't say *anything* about DRM being an option because as you said, DRM is the combination of encryption and the hiding of the key which is stupid on many levels. What I suggest is that if you want data to be unreadable by people who shouldn't have access then you must encrypt the data and keep the decryption key available to only the people you want to have access- hiding it in software doesn't work.

Re:It's an oxymoron (5, Interesting)

david_thornley (598059) | more than 6 years ago | (#22134432)

DRM is a twisted variant of crypto. If Alice sends a message to Bob using GPG, Eve can't read it because she doesn't have the key. In this case, Bob is the intended recipient, and Eve is the unintended recipient. In the case of DRM, Alice encrypts software and gives it to Bob. So, if Alice doesn't give Bob the key, Bob can't use the software. If Alice does, then Bob can break the DRM, having both the key and the code.

So, in DRM, Bob and Eve are the same person. DRM is not only socially undesirable, it's sexually perverse.

Re:It's an oxymoron (3, Funny)

s4m7 (519684) | more than 6 years ago | (#22134468)

So, in DRM, Bob and Eve are the same person. DRM is not only socially undesirable, it's sexually perverse.

hey now, keep your Judeo-Christian mores to yourself. Some /. folk like the idea of Bob and Eve being the same person.

Re:It's an oxymoron (1)

wizardforce (1005805) | more than 6 years ago | (#22134532)

I wasn't suggesting the use of DRM I was suggesting that they encrypt their data and only give the key on a need to know basis. that's responsible, DRM on the other hand is stupid.

Re:It's an oxymoron (3, Informative)

Eivind (15695) | more than 6 years ago | (#22134604)

The problem is -- with DRM the intended recipient and the potential attacker is THE SAME PERSON. Which is mathematically impossible to solve using crypto.

Crypto works because you give the decryption-key to the intended recipient, but others don't know it, and can't easily guess it since it's a large random string.

But with DRM, you give the recipient the file *AND* the decryption-key, and then say: You may use this key to decrypt the file and display it on your screen; but not to decrypt it and print it on your printer ! (for example)

That is fundamentally impossible to enforce. The decryption-algorithm does not care what happens to the file AFTERWARDS.
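The distinction the comments above keep returning to, shown as an added example that is not part of the original thread or any poster's code: the key decides who can open a document, while a usage policy such as "display but don't print" is honored only by a viewer that chooses to check it. The container layout, `seal`/`unseal`, `CompliantViewer` and the HMAC-based stand-in cipher are assumptions made for illustration, and the sample document is constructed.

```python
import hashlib
import hmac
import json
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode (standard library only).
    Illustrative assumption; a real deployment would use OpenPGP or a vetted AEAD."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256)
        out += block.digest()
        counter += 1
    return bytes(out[:length])


def subkeys(key: bytes):
    """Derive separate encryption and MAC keys from the document key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def seal(key: bytes, plaintext: bytes, policy: dict) -> dict:
    """Encrypt the document and bind the usage policy to it with a MAC."""
    enc_key, mac_key = subkeys(key)
    nonce = os.urandom(16)
    stream = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    policy_bytes = json.dumps(policy, sort_keys=True).encode()
    header = nonce + len(policy_bytes).to_bytes(4, "big") + policy_bytes
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce, "policy": policy_bytes,
            "ciphertext": ciphertext, "tag": tag}


def unseal(key: bytes, box: dict):
    """Verify the MAC, then return (plaintext, policy).
    Nothing in here knows or cares what the caller does with the plaintext."""
    enc_key, mac_key = subkeys(key)
    header = box["nonce"] + len(box["policy"]).to_bytes(4, "big") + box["policy"]
    expected = hmac.new(mac_key, header + box["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, box["tag"]):
        raise ValueError("authentication failed: wrong key or modified container")
    stream = keystream(enc_key, box["nonce"], len(box["ciphertext"]))
    plaintext = bytes(c ^ s for c, s in zip(box["ciphertext"], stream))
    return plaintext, json.loads(box["policy"])


class CompliantViewer:
    """A cooperating client: the policy check is ordinary application code
    that runs after decryption has already produced the plaintext."""

    def __init__(self, key: bytes):
        self.key = key

    def display(self, box: dict) -> str:
        plaintext, _ = unseal(self.key, box)
        return plaintext.decode()

    def print_document(self, box: dict) -> str:
        plaintext, policy = unseal(self.key, box)
        if not policy.get("print", False):
            raise PermissionError("refused by policy")
        return plaintext.decode()


def demo() -> dict:
    doc = b"Q3 pricing draft (constructed sample)"
    bob_key = os.urandom(32)   # given only to the intended recipient
    eve_key = os.urandom(32)   # an outsider without the document key
    box = seal(bob_key, doc, {"display": True, "print": False})
    results = {}

    # What cryptography does enforce: no key, no document.
    try:
        unseal(eve_key, box)
        results["outsider"] = "opened"
    except ValueError:
        results["outsider"] = "rejected"

    # The MAC also stops a policy edit by anyone who cannot recompute the tag.
    edited = dict(box, policy=b'{"display": true, "print": true}')
    try:
        unseal(bob_key, edited)
        results["edited_policy"] = "accepted"
    except ValueError:
        results["edited_policy"] = "rejected"

    # What only the cooperating viewer enforces: the print restriction.
    viewer = CompliantViewer(bob_key)
    results["viewer_display"] = viewer.display(box)
    try:
        viewer.print_document(box)
        results["viewer_print"] = "printed"
    except PermissionError as exc:
        results["viewer_print"] = str(exc)

    # The recipient's key yields the full plaintext whatever the policy says.
    results["bytes_after_decryption"], _ = unseal(bob_key, box)
    return results


if __name__ == "__main__":
    print(demo())
```
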

Re:It's an oxymoron (1)

Planesdragon (210349) | more than 6 years ago | (#22134920)

That is fundamentally impossible to enforce. The decryption-algorithm does not care what happens to the file AFTERWARDS.
No, not really. It's just fundamentally impossible to enforce in the wild.

In a controlled business environment, this can be set up so that any attempt to break the DRM sends a clear signal to the company of an employee's activities. And if you can't think of reasons where a business wouldn't want DRM, I say you're just limiting your ideal of what kind of company would use Open Source Software if they could.

Re:It's an oxymoron (4, Insightful)

cgenman (325138) | more than 6 years ago | (#22134652)

Gnu privacy guard and truecrypt both work on a fundamental level because there is an asymmetrical informational pathway. A key piece of information is missing, which keeps the information locked away. Similarly, the person who has all of the information to decrypt the information is completely trusted.

On a theoretical level, you can't both give an open-source program all of the information required to decrypt a stream, and still prevent it from decrypting the stream in ways that you don't approve of. The end user has all of the information required to have full control over the process.

At some point hardware attachments may make open-source DRM possible by hiding some of the required information. Or we may reach some compromise of semi-open DRM. But until then, Open Source DRM appears to violate a fundamental law of information science, much like perpetual motion machines violate thermodynamics.

Re:It's an oxymoron (1)

Alsee (515537) | more than 6 years ago | (#22134956)

gnu privacy guard or maybe truecrypt

The article asked for DRM.
Neither of the packages you mentioned involve or support DRM.

-

Also note: (2, Insightful)

SanityInAnarchy (655584) | more than 6 years ago | (#22134788)

If the hardware signing is not controlled by the user, it's generally not considered Free Software, although it may well be open source.

But that is pretty much the only way to give someone the source, but not the content -- assuming you are trying to protect content. If you are trying to prevent people from copying your code, then you completely missed the point of "open source".

I would very much like to see a followup article, or a clarification, or some comment by the guy who made this post, to find out just what the living Hades he was thinking to come up with this idea. This is even worse than the last Ask Slashdot, where the guy was asking how to run a consolidated, distributed network -- also a contradiction in terms, except in a very limited context (something like Coda for a distributed FS, so there's no "servers")...

Maybe we're missing some context here? Because I'm going to have to cry if this is actually, say, an MBA who thinks "Open Source" is a good idea because he gets free labor and "DRM" is good because they need to "protect their rights," and why can't he have both?

Talk about a contradiction in terms. (5, Insightful)

robbak (775424) | more than 6 years ago | (#22134102)

You need to go find out what DRM is.

DRM is about Alice/Bob/Eve cryptography where Bob and Eve are the same person. All DRM tries to work by hiding the Implementation - Universally, it fails.
Open source is about revealing the implementation.

OpenDRM. Just say Huh?!

Re:Talk about a contradiction in terms. (2, Funny)

KeyboardMonkey (744594) | more than 6 years ago | (#22134392)

Tell him he's DReaMing.

Re:Talk about a contradiction in terms. (0)

Anonymous Coward | more than 6 years ago | (#22134986)

So that means Bob is a cross-dresser?!?

open source (1, Insightful)

Anonymous Coward | more than 6 years ago | (#22134104)

I don't think it means what you think it means.

OSS is about the open minded sharing of ideas, DRM(TM) is(TM) about(TM) the(TM) close(TM) minded(TM) restriction(TM) of(TM) ideas(TM).(TM)

Isn't that an oxymoron? (4, Interesting)

something_wicked_thi (918168) | more than 6 years ago | (#22134106)

DRM is security through obscurity. If you have the code, you can break any DRM, so there's no point in developing open source DRM. It's also why all DRM eventually fails.

Use encryption if you want safety. But you still can't prevent the people who have legitimate access from doing whatever they want to the documents.

Re:Isn't that an oxymoron? (0)

Anonymous Coward | more than 6 years ago | (#22134182)

Right, so look at what the Sophie People are doing with their open source document creation system http://www.sophieproject.org/ [sophieproject.org]
Then look at the source code, then think about DRM, then think about how the heck you would protect a document once the software has unlocked things so it can render graphics, and textual data to the display device.

Re:Isn't that an oxymoron? (4, Funny)

explosivejared (1186049) | more than 6 years ago | (#22134226)

Use encryption if you want safety. But you still can't prevent the people who have legitimate access from doing whatever they want to the documents.

Unless, and I think this is what he is after, you hire a group of armed commandos/Stallman look-a-likes (to keep it open source) to detail every end user of your media. With a gun to the head... making decisions about media becomes much more serious business.

Open Source Stallman Commando: Don't even think about putting that in your shared folder! If this ends up on bittorrent, it's a 7.62mm round right to the groin!!!
User: Oh my god... please don't kill me... (gets hit with the butt of the commando's rifle)
Commando: One more word and I swear I pull the trigger!

I'm not sure, but that may be the most workable DRM solution anyone has ever come up with.

Ob. Pulp Fiction (1, Funny)

Anonymous Coward | more than 6 years ago | (#22134614)

Jules: Open Source, Motherfucker! Do you use it?

Isn't that accountability? (1, Funny)

Anonymous Coward | more than 6 years ago | (#22134348)

"Use encryption if you want safety. But you still can't prevent the people who have legitimate access from doing whatever they want to the documents."

Like install a logic bomb.

RE (5, Informative)

Anonymous Coward | more than 6 years ago | (#22134116)

I think the systems you're after are called Document Management Systems, like you'd find used for medical records under HIPAA.
The only open source system I am aware of is OpenKM [http://www.openkm.com/].

Open Source ECM (5, Informative)

smerkel (932584) | more than 6 years ago | (#22134494)

You should also check out http://www.alfresco.com/ [alfresco.com] . It was started by some of the founders of Documentum and Interwoven. It does some interesting Enterprise Content Management foo, which may be of use to you.

Open Source DRM is Oxymoronic (1)

phantomcircuit (938963) | more than 6 years ago | (#22134118)

There is a reason that DReaM hasn't had a release since January 2007.

Re:Open Source DRM is Oxymoronic (0)

Anonymous Coward | more than 6 years ago | (#22134502)

Ahh, but you are forgetting the Sun "moving target" method of management!

* manager who approved it has been given a new shiny object to play with
* team who worked on it has been laid off
* team who worked on it has been redirected to some other project that has an equally short TTL
* conflicted with some other internal group/partner product and therefore had to die
* Sun assumed that since it is open source now, other people will take care of it even though no one really cared

You're probably in for a disappointing search (5, Informative)

Weaselmancer (533834) | more than 6 years ago | (#22134120)

Most people smart enough to program such a thing are also smart enough to know it can never work. People who do create/sell/push drm solutions are selling snake oil.

Your best bet is to use PGP and simply encrypt your data, and trade public keys with your intended recipients. And plan ahead - once someone can see it, assume they can always see it. The whole "revoking a key" bit is the snake oil part of DRM.

Re:You're probably in for a disappointing search (1)

RobBebop (947356) | more than 6 years ago | (#22134606)

My recommendation would be PGP, too. That would be the way to go. As long as the members of your company can secure their private/public keys, you can keep good control over who will have access to what.

If the members of your company fail to secure their keys? Well...

Responsible Behavior [xkcd.com] : "I got too drunk. I screwed up, bad".

There is a precedent for open source DRM.. (5, Informative)

Nemilar (173603) | more than 6 years ago | (#22134122)

For all those who are saying "open source DRM" is an oxymoron, they should have a look at OpenIPMP [mutableinc.com] , which is an open-source DRM solution for video formats. So there is a precedent for this kind of thing, although it may not be widely adopted.

Re:There is a precedent for open source DRM.. (2, Informative)

evilviper (135110) | more than 6 years ago | (#22134344)

For all those who are saying "open source DRM" is an oxymoron, they should have a look at OpenIPMP, which is an open-source DRM solution for video formats.

It is still an oxymoron.

If you see my comment [slashdot.org] posted shortly after yours, I mention OGG-S/Media-S. They are, at least, honest about their "open source" DRM system. In their FAQ they explain while it is GPL'd, you can buy a (closed-source) license so that it's anything other than a public-key encryption system. ergo: Open source DRM is an oxymoron.

They called it WHAT? (0)

Anonymous Coward | more than 6 years ago | (#22134576)

Open iPIMP? Who named that thing, anyhow?

Let's Say It Again (0)

Anonymous Coward | more than 6 years ago | (#22134138)

DRM is ultimately an unwinnable situation. Cryptography is meant to prevent Eve from listening in on Alice and Bob by using something only Alice and Bob know. In this situation, you are both Bob (the player who has the key) and Eve. If you can derive from your hardware or software what Bob knows, game over, and the past few years have shown us that you can ALWAYS derive what Bob knows.

Give up on this unworkable system.

Easy solution (3, Insightful)

Anonymous Coward | more than 6 years ago | (#22134144)

How about trusting the people you give documents to?

Re:Easy solution (4, Insightful)

EXMSFT (935404) | more than 6 years ago | (#22134440)

You work by yourself, don't you? :-)

Yes, this exists (5, Informative)

Geoffreyerffoeg (729040) | more than 6 years ago | (#22134184)

"DRM" is not the search term you want, though, and it is in fact not what you want for business documents. You just want to set up a public-key infrastructure (PKI) and make sure people protect their private keys. This can be done by OpenPGP, GnuPG, etc.

DRM makes it hard for people to leak a file. It does not spend very much effort, if any, on authenticating the initial owner of the file (for example, anyone who picks up a DVD can play it, although they can't copy it to a new DVD). In a business environment, you're usually far more worried about authenticating the file's recipient and making sure the original does not accidentally reach anyone else's computer, than about preventing a cooperative person from intentionally leaking the file. (In most cases, you do want to permit them to print, copy-and-paste, etc. the document. These would all be prevented by DRM because they all make it easy to leak the file.)

The other failing of DRM, as I'm sure you've seen discussed, is that it's crackable by mere cleverness. If you're going to permit someone to view a file on screen (or hear an audio clip over headphones), you can always take a screenshot (or recording) and leak that. HDCP and so forth make the screenshot harder, but nothing prevents you from pointing a camera at the TV. It will be low quality but it will be a leak. PKI, on the other hand, is only crackable by brute-force searches of the key space, or (unlikely though possible) sufficiently smart mathematicians.

Encryption, but why do you need it? (1)

teh moges (875080) | more than 6 years ago | (#22134202)

Implementing something like this, you need to understand why it needs to be implemented.
Most of what you want can be implemented by encrypting/decrypting on the fly as files are opened by signed in users. That is how most programs work. If that won't work for you then you need to organize how the program/files will be accessed in order to establish what control is needed.

open... drm... (1)

debatem1 (1087307) | more than 6 years ago | (#22134204)

If a technology is going to be designed to deliberately suck for the consumer, it might as well suck as hard as it possibly can. Just go closed source.

Security? For Documents? (0)

Anonymous Coward | more than 6 years ago | (#22134208)

How would leakers be able to get the goods on corporate misdeeds if there was tracking and protection?

Why would you want to assist corporate overlords at the expense of well-meaning (but misguided) geeks everywhere making such leaks more difficult?

DRM in a nutshell... (5, Interesting)

evilviper (135110) | more than 6 years ago | (#22134234)

DRM depends on proprietary software. You are encrypting a file, then giving the user the key to decode it, while telling the program in question to decode the file, but only allow it to be used in one of a few ways (eg. display PDF, but don't print).

Such a system is untenable with proprietary software (just need to find the right memory address), and absolutely impossible with open source software, as you can simply remove the line in the program that tells it what actions not to allow. (See xpdf). With proprietary DRM systems, the companies just hope it's difficult enough to decipher the compiled code of the proprietary programs, that it takes a while before someone finds the right spots in memory to probe/change, and publishes the details... Then, they make trivial changes to the DRM system, and call it a new, "fixed" version that everyone should start using quickly (before someone figures it out).

The only thing DRM can do effectively, is to prevent the first opening of the file. After you send that first key (eg. via server), no matter what the DRM involved, the user can (trivially) strip the DRM off, and do whatever they want with the unencrypted file.

If that is what you want... I would suggest using public-key encryption to protect the file instead of a commercial "DRM" system. Either PGP or SSL (keys in combination with a password) can make absolutely sure only the intended recipient can make use of the file, even if others obtain copies of it. If you are expecting any more control over what others do with the file, you are simply denying reality.

All that said, here is one open source DRM system: http://www.sidespace.com/products/oggs/ [sidespace.com]

And if you WANT more... (5, Informative)

Ayanami Rei (621112) | more than 6 years ago | (#22134568)

... I suggest you put your wallet back in your pocket, and don't spend any more money on consultants, software, or IT staff hours spent configuring the free and non-free stuff in furtherance of your goals.

Instead you should save your money and hire a lawyer instead who will draft up NDAs for you to have people sign in order to protect those documents/secrets you want tightly controlled.

Technical solutions will not cut it. They never will. You are throwing your money away.

Hire a lawyer, and only give the documents to people who ABSOLUTELY need it and is worth the time to get contracts involved with.

A great disturbance (1)

kcbanner (929309) | more than 6 years ago | (#22134254)

There is a great disturbance in the open source world, as if millions of voices cried out in terror and were suddenly silenced.

I tagged this WTF... (0)

Anonymous Coward | more than 6 years ago | (#22134258)

Because DRM is, by definition, security by obscurity. The submitter wants something that can't exist in this universe. Awesome!

Have we not discussed this before? (3, Insightful)

Zombie Ryushu (803103) | more than 6 years ago | (#22134264)

We have had this discussion. There is no legitimate use for DRM. It has no right to exist. I have told people this before. DRM does not improve the security of corporate networks. That's not what it is meant to do. DRM has just one purpose: to deprive people of the right to use the computers they own as they see fit. Securing documents and sensitive company data is to use good security practices. IPSec, Kerberos, PKI, that kind of thing.

Point. Learn good computer security practices.

I want DRM to disappear from this world forever.

Re:Have we not discussed this before? (0)

Anonymous Coward | more than 6 years ago | (#22134368)

Just because you've "told people before" doesn't mean everybody heard you. Besides, you're just plain wrong. DRM can keep all kinds of confidential data, especially financial data, from ever reaching the wrong people. Security can always, always be breached, and another layer of it doesn't hurt anybody except malefactors.

Re:Have we not discussed this before? (1)

davester666 (731373) | more than 6 years ago | (#22134410)

Um, if your medical records are in a computer, you probably want them protected by some kind of DRM system [at least I do].
If your taxes are in a computer, you probably want them protected by some kind of DRM system [at least I do].
If your bank records are in a computer, you probably want them protected by some kind of DRM system [at least I do].

You are probably arguing about having DRM systems which are applied to products that are 'sold' to you. And by sold, I mean, you purchase the product in a manner that makes it seem as if you 'own' the product after the purchase.

Re:Have we not discussed this before? (2, Informative)

msuarezalvarez (667058) | more than 6 years ago | (#22134450)

What you want is those medical records/taxes/bank records encrypted or otherwise secured. DRM is a very specific thing which is not that.

Re:Have we not discussed this before? (1)

davester666 (731373) | more than 6 years ago | (#22134584)

DRM, at least as I believe it is being used in this discussion, is short for "digital rights management". This can be interpreted in a much wider perspective than just as it is applied for DVD's or iTMS purchased files.

I would include a hospital system where the accounting department can list what tests have been performed for you, but can't see what the actual test results are, as having DRM.

Banking systems have DRM as well. When you go to a cashier, and try to do a transaction over a certain limit, they will have to call over a manager, who will have to type in some password for the transaction to complete. Heck, an ATM is a DRM system. you put in a card and a PIN, you have the 'right' to view your balances, withdraw some portion of them, etc.. Unless I clone your card and steal your PIN, presumably I can't acquire the 'right' to do these things to your accounts.

I think these kind of DRM systems are both reasonable and prudent.

DRM systems as applied to consumers [such as that used for DVD's, HD and BlueRay, DRM'ed iTMS songs], that is the kind of DRM that should be abolished.

Like Walmart should have been totally smacked down for what they pulled when they shut down their online video 'store'. Basically, if any of the movie files you purchased from them need to be re-validated [say, if you change too many components in your computer or switch to a newer computer], these movies you "purchased" will no longer be playable. So you still have the video, but you are no longer permitted to view it. Walmart's current answer: you were stupid enough to buy it, you are stupid enough to accept this.

Re:Have we not discussed this before? (1)

stor (146442) | more than 6 years ago | (#22134842)

DRM, at least as I believe it is being used in this discussion, is short for "digital rights management". This can be interpreted in a much wider perspective than just as it is applied for DVD's or iTMS purchased files.
Well you'd be broadening the definition of DRM. Digital *Rights* Management is about protecting author's *copyright*

I would include a hospital system where the accounting department can list what tests have been performed for you, but can't see what the actual test results are, as having DRM.
That's called "Access Control". It's a fundamental part of computer security. DRM is not.

Heck, an ATM is a DRM system. you put in a card and a PIN, you have the 'right' to view your balances
I doubt there's an actual law that says you have this _right_. If I insert my card, enter my pin and the ATM suddenly goes out of service and spits out my card, can I sue my bank due to a _violation of my rights_?

-Stor

Re:Have we not discussed this before? (1)

jawtheshark (198669) | more than 6 years ago | (#22134902)

I would include a hospital system where the accounting department can list what tests have been performed for you, but can't see what the actual test results are, as having DRM.

That's not DRM, that's simply proper access right management on a system/database. So, the user is authenticated and only that is checked. However, do realise that the accountant can take all the data he can see out of the database, and infinitely copy it, print it, email it, etc.... That's what digital rights management is about: to restrict more than Read/Write rights.

Access right management exists in open source implementations, but that's because they are basically authentication problems, which is "part of security". However, due to the nature of open source, anyone wanting so could make a postgresql/mysql or GNU/Linux that totally disregards access rights. As far as I know, the NTFS filesystems ACLs simply get ignored when mounted on a Linux machine. However, that doesn't help a potential attacker, because to use his "hacked up" software, he needs physical access to the server.

Heck, an ATM is a DRM system. you put in a card and a PIN, you have the 'right' to view your balances, withdraw some portion of them, etc..

No, this again is authentication. You use a token + password to authenticate yourself. (Security Token [wikipedia.org].) Would you have full access to the computer on the ATM (you do not), you could do all you want with the data. Copy/Paste it, print it out, email it (if the thing is connected to the Internet, which I hope it isn't). So, again, no DRM. ATM security boils down to "secure the machine that it's tamper-proof" (physical security), authentication and finally encryption (connection to the database, and hopefully the database itself)

Re:Have we not discussed this before? (1)

Zombie Ryushu (803103) | more than 6 years ago | (#22134498)

You still haven't been paying attention. DRM is not a part of computer security.

Re:Have we not discussed this before? (1)

EXMSFT (935404) | more than 6 years ago | (#22134484)

The three technologies you mentioned don't protect a document independent of location. The first two can protect it over the wire. Yes, PKI can conceivably be used to encrypt and decrypt the document as well. But the problem is if Alice gives it to Bob, and Alice doesn't want Carol to see it - because it's company confidential information. But Bob is a gossip, especially when he's flirting with Carol at the watercooler, so he saves it and emails it to Carol. Who promptly emails it to her actual boyfriend, who works as a reporter at the Seattle Times. Microsoft actually makes a technology that does this (Rights Management Services) - and with the exception of the analog hole, it works quite well to ensure that Carol only gets a blob of binary goo - and OS-wide, blocks Cut|copy operations as well as screenshots.

Re:Have we not discussed this before? (1)

setagllib (753300) | more than 6 years ago | (#22134556)

Now imagine that somewhere in Microsoft Research, somebody is working out how to make sure you can't even speak the document's contents out loud, let alone transcribe it into another document for non-DRM storage.

Re:Have we not discussed this before? (1)

EXMSFT (935404) | more than 6 years ago | (#22134582)

yes... the analog hole... she knows many avenues...

Convince your business not to waste the money. (4, Interesting)

jddj (1085169) | more than 6 years ago | (#22134290)

Here's what's become my business-side take on DRM: don't bother.

DRM systems set the bar too high for honest users who just need to get some work done, and too low for malicious users.

Corporate espionage in mind? Just make screen-captures. That won't work? Digital camera, anyone?

You can't make it work, principally because there's no way to both show and not show the same document to an end user. The security is only as good as your trusted users are.

You can also appeal to reason on financial grounds: the Hollywood studios are extremely motivated to make DRM work, have poured in millions and haven't hit on anything at all that prevents piracy.

If they can't do it, you probably can't either, and should probably focus on differentiating your content by making it sticky and extremely easy to use.

Re:Convince your business not to waste the money. (1, Interesting)

Anonymous Coward | more than 6 years ago | (#22134428)

Yeah, Microsoft has two sorts of DRM system - document rights management (as implemented in MS Office) and Digital Rights Management (all the media protection). This is all about the former, not about the latter.

I agree you cannot stop a determined legitimate user from overstating their boundaries; but it can be a backstop to stop a legit user from accidentally forwarding important information to gmail.com. You're trying to help trustworthy users avoid mistakes.

The other situation that I've heard of is ensuring trustworthy users do NOT use old versions. No matter where or how this old document is, if it checks with the server that this document has expired, the software will not show it to the user. (I can think of companies that absolutely must NEVER use old manuals - drug manufacture, engineering companies etc etc.)

Sure a malicious user could circumvent this, but they know full well they should not.

Re:Convince your business not to waste the money. (1)

rastoboy29 (807168) | more than 6 years ago | (#22134518)

Well put, but what do you mean by "sticky"?

Re:Convince your business not to waste the money. (2, Interesting)

jddj (1085169) | more than 6 years ago | (#22134650)

Sticky as in "get the eyeballs stuck firmly to the content". That could mean a lot of different things depending upon the content that someone's trying to protect.

In the case of a web site, it could mean going from a login business model to an ad-supported model; with your content in the open instead of hidden behind a login, users are free to fall in love with it and return daily.

In the case of an analyst report, it could mean that instead of trying to protect the report to the hilt, you instead use wide adoption of the open report to position your firm as experts in the field, thus to sell seminars, training, consulting.

You can't use stickiness to fix the problem with every type of content (sensitive internal financial documents? Yeah, you probably don't want them sticky, but with or without DRM, what are you doing distributing those to anyone you don't trust completely?)

The idea with stickiness is that you make users adhere to the content, return to your site, your business, etc.

Re:Convince your business not to waste the money. (0)

Anonymous Coward | more than 6 years ago | (#22134540)

>Digital camera, anyone?

Wake me when you figure out a way to photograph and redigitize ten million records. LOL

DRM or ACL (1)

Anarchitect_in_oz (771448) | more than 6 years ago | (#22134332)

Do you want to control the copyrights
or do you want to control the access rights?

It would seem to be 2 different issues.
Do you really want to send this data out in to the wilderness to lots of people you don't trust on the hope they might pay you?

Or are you more looking for a system where trusted collaborators can freely share information in a more flowing fashion?

 

Re:DRM or ACL (1)

ardiri (245358) | more than 6 years ago | (#22134362)

Do you want to control the copyrights
or do you want to control the access rights?


This is really the issue at hand here. DRM that prevents people from copying software is protection via obscurity. Open sourcing this means nothing and is a complete waste of time. DRM to control access rights can simply use configuration files and digital signatures - these algorithms can be public. If a user changes the configuration file (access rights), they are blocked from using the material because the signature will fail. This is a technique we use to control access rights for our products.

Re:DRM or ACL (1)

Anarchitect_in_oz (771448) | more than 6 years ago | (#22134552)

Exactly if someone can read/see/hear a document when they copy it, in some way shape or form.
What is really important in these sorts of situations is stopping an altered version of that document getting mixed in the official stream and causing confusion.
If as a bonus you can have a document that self destructs (so to speak) when it goes out of date or can't be verified that would be a major plus.

I know working on $xxx million construction projects big issues crop up if people don't use the current information. Systems to do this across the vast number of organizations and people involved are sorely lacking or just not well done and as the saying goes "fuck ups are so much worse at 1:1".
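The signed-configuration technique ardiri describes, combined with the expiry and altered-copy checks raised in the reply above, as an added Go example that is not code from any poster or product in this thread. It goes slightly beyond the posts by binding the document's SHA-256 into the signed manifest; the manifest fields, function names, sample document and the choice of Ed25519 as the signature scheme are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Manifest is the signed "configuration file" (field names are assumptions).
type Manifest struct {
	DocSHA256 string    `json:"doc_sha256"` // binds the rights to one exact document
	Rights    []string  `json:"rights"`     // e.g. "view", "print"
	NotAfter  time.Time `json:"not_after"`  // this version expires afterwards
}

// Signed keeps the exact bytes that were signed, so Check never re-serialises.
type Signed struct{ Payload, Signature []byte }

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrDocAltered   = errors.New("document does not match signed hash")
	ErrExpired      = errors.New("document version expired")
	ErrNoRight      = errors.New("right not granted")
)

func docHash(doc []byte) string {
	sum := sha256.Sum256(doc)
	return hex.EncodeToString(sum[:])
}

// Issue runs on the publisher's side, the only place the private key lives.
func Issue(priv ed25519.PrivateKey, doc []byte, rights []string, notAfter time.Time) (Signed, error) {
	payload, err := json.Marshal(Manifest{DocSHA256: docHash(doc), Rights: rights, NotAfter: notAfter})
	if err != nil {
		return Signed{}, err
	}
	return Signed{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Check runs in the viewer, which holds only the public key.
func Check(pub ed25519.PublicKey, s Signed, doc []byte, right string, now time.Time) error {
	if !ed25519.Verify(pub, s.Payload, s.Signature) {
		return ErrBadSignature // verify before parsing anything
	}
	var m Manifest
	if err := json.Unmarshal(s.Payload, &m); err != nil {
		return err
	}
	if docHash(doc) != m.DocSHA256 {
		return ErrDocAltered
	}
	if now.After(m.NotAfter) {
		return ErrExpired
	}
	for _, r := range m.Rights {
		if r == right {
			return nil
		}
	}
	return ErrNoRight
}

// RunDemo exercises Check on a constructed document and returns each outcome.
func RunDemo() map[string]error {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	doc := []byte("constructed sample: site plan, revision C")
	expiry := time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC)
	s, _ := Issue(priv, doc, []string{"view"}, expiry)
	// A recipient edits the rights list but cannot produce a new signature.
	edited := Signed{[]byte(strings.Replace(string(s.Payload), `["view"]`, `["view","print"]`, 1)), s.Signature}
	return map[string]error{
		"view":          Check(pub, s, doc, "view", expiry.AddDate(0, -1, 0)),
		"print":         Check(pub, s, doc, "print", expiry.AddDate(0, -1, 0)),
		"edited rights": Check(pub, edited, doc, "print", expiry.AddDate(0, -1, 0)),
		"altered doc":   Check(pub, s, []byte("altered copy"), "view", expiry.AddDate(0, -1, 0)),
		"expired":       Check(pub, s, doc, "view", expiry.AddDate(0, 0, 1)),
	}
}

func main() { fmt.Println(RunDemo()) }
```

Only an unmodified viewer runs Check, so this catches edited rights, altered copies and stale versions among cooperating users; it does not stop a recipient who can already read the document from copying it.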

Levels of cryptography? (1, Interesting)

sherl0k (1215370) | more than 6 years ago | (#22134334)

When utilizing something like PGP, why not have multiple levels of permissions? If a user has a password of X, he gets read access, if it's Y there's full access. If you don't have either, you can't even open the document.

I don't know if PGP supports something like this but I don't see how it could be a major failure.

Re:Levels of cryptography? (1)

evanbd (210358) | more than 6 years ago | (#22134380)

And the difference between "read" and "full" is what, again? We're not talking about a file system here; we're talking about a document that you've given the other person, that you're trying to allow them to "read" but not "read".

As another poster put it, DRM is the Alice / Bob / Eve problem... where Bob and Eve are the same person. It can't work long term, and to the extent it works in the short term it's by hiding the implementation.

Re:Levels of cryptography? (1)

Anarchitect_in_oz (771448) | more than 6 years ago | (#22134630)

Well the difference is that the copy if altered can't be dropped back in to the system then used by another party in the belief it's the true document.

It's about pollution of trusted information.

Re:Levels of cryptography? (1)

evanbd (210358) | more than 6 years ago | (#22135000)

That's usually not called DRM. DRM is usually designed to control access to a document that resides on someone else's computer, not one you control. If the goal is merely to provide trust, then of course some sort of PKI is a good answer. If, however, the goal is "you can read this document but you can't modify it and use it elsewhere without my permission" then he's as doomed as the record companies.

Re:Levels of cryptography? (0)

Anonymous Coward | more than 6 years ago | (#22134386)

If you can read digital information at all, you can duplicate it, and if you can duplicate it, you can edit that duplicate however you like.

Read access is identical to full access in every way that matters to DRM.

Minimal DRM (2, Informative)

Repton (60818) | more than 6 years ago | (#22134358)

There's basically two kinds of DRM in the world: DRM that's been broken and DRM that no one has cared to break.

So, that said, here's some python DRM you can use which I am releasing into the public domain:

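import datetime
import pickle

def issue_licence(filename, from_date, to_date):
    # Store the validity window next to the file as "<filename>.key".
    with open("%s.key" % filename, 'wb') as f:
        pickle.dump((from_date, to_date), f)

def check_licence(filename):
    # Nothing authenticates the .key file: whoever holds it can rewrite the dates,
    # and unpickling a file from an untrusted source can run arbitrary code.
    try:
        with open("%s.key" % filename, 'rb') as f:
            (from_date, to_date) = pickle.load(f)
    except IOError:
        return False
    return from_date <= datetime.date.today() <= to_date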

Sadly, it is left to lawyers (0)

Anonymous Coward | more than 6 years ago | (#22134406)

You state "a business case" for your need for DRM.

Well, that is your only recourse.

1) Have recipients sign an NDA, telling them you will sue if you can prove they "leak" stuff.

2) Prove it!

Now that's the tricky part, but slapping DRM on a document isn't going to help. I think all you are left with is being sneaky and sending out "marked" copies to all recipients. Of course it can't be an obvious mark, or they will just remove it. Also, if a "leaky" recipient gets more than one copy he can diff them to clean it up.

Slashdotters will just say "trust your recipients", of course that doesn't work, because if you have to share with any organization with more than X employees, some number of them will be scumbags, for whatever reason. The document will be leaked, if only because "they can".

Re:Sadly, it is left to lawyers (1)

DustyShadow (691635) | more than 6 years ago | (#22134592)

You act as if getting customers to sign an NDA is a walk in the park. Unless your product is in high demand, good luck with that buddy.

A simple DRM solution (1)

Anomolous Cowturd (190524) | more than 6 years ago | (#22134414)

After someone has seen the restricted document, inflict severe head trauma, wiping it from their memory. If you're not willing to go that far, DRM is pretty pointless.

Counterintuitive (1)

bitspotter (455598) | more than 6 years ago | (#22134436)

The main purpose of Free and Open Source software licensing is to insure that all of a device's native capabilities are always available to the user.

The main purpose of DRM is to insure that some of a device's native capabilities (eg, the ability to copy bits) are //not// available to the user in specific circumstances.

THAT is why FOSS DRM does not really exist (and why nobody uses Sun's DReaM). It's not about software quality control - it's a flaw in the designed intent of these systems that you can point out based on the //licensing// used, without even considering any code at all.

You can't expect to design a "technological protection measure" that one commits a felony to bypass, and then release it under a license that expressly permits them to bypass it.

Look at the patents (0)

Anonymous Coward | more than 6 years ago | (#22134456)

Search the USPTO for DRM patents sometime:

http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&r=0&f=S&l=50&TERM1=drm&FIELD1=&co1=AND&TERM2=&FIELD2=&d=PTXT [uspto.gov]

Just start reading some of the claims. Every variation and every nuance of just about any DRM scheme has been patented up the whazoo. Any company that even starts to think about implementing or using a DRM solution, open source or not, is just begging to get sued into oblivion.

Your Customers Will Not Like DRM (1)

WallyDrinkBeer (1136165) | more than 6 years ago | (#22134458)

Hey dude.

DRM is usually a pain for your customers. Some people like me buy stuff and try to use it and begin to really hate DRM. I hate DRM so much, I use linux at home. I'm willing to give up a decent OS just to be rid of DRM.

I'm sure you're a nice person, I'm just trying to warn you: If you put your DRM junk in my app, I will download your source, and make it save without the DRM.

Then I will fork it and put it on sourceforge. If you're looking for it, it will be called the same with _free or _liberty on the end.

I will then spam your forums telling your customers that you are a liar and a thief and are using DRM to spy on your customers. Which is fairly accurate, you're putting DRM in their app you sound like a real bastard.

Go closed source or the forkers will get you.

Thanks for your concern.

Here's an open source project that tried to put horrible banner ads in their app: http://sourceforge.net/forum/forum.php?thread_id=1877483&forum_id=618307 [sourceforge.net]
Now they're trying to unopen source it hehe.

Issues Surrounding DRM (1)

Ontology42 (964454) | more than 6 years ago | (#22134462)

As the buzzwords further proliferate within this industry, I have a subtle recommendation for you.

1. Implement a good role based administration system, say Kerberos with a MySQL back end, then use Samba to serve the Windows boxes on your network, cheaper than Windows Server 2003 / 2008 and highly scalable, you'll just have to figure something out for enforcing security policies from the directory side or use e-Dir from Novell.
2. Get said roles into a good documentation management solution
(Document management solutions are available from everyone, Microsoft; Novell (Suse), Xerox)

Find out which methods and processes work best for what type of media you are storing, a good example for projects and documents may be Wiki's with editing and administrative domains over trees run by the appropriate responsible parties.
Most of all do your research, keep your management in the loop and use their input to guide you.

Oh brother, not this again (2, Informative)

dmorelli (615543) | more than 6 years ago | (#22134470)

Cory Doctorow went over this a couple of years ago when Sun came up with the (I'm guessing abandoned) idea of an Open Source DRM. Here, go read why it's oxymoronic: DRM != SSL [boingboing.net]

Any protection scheme where your customer and your attacker are the same party is doomed to failure, IMO.

Do not buy any DRM-encumbered products. Make a statement about this by not participating.

By Neruos (0)

Anonymous Coward | more than 6 years ago | (#22134492)

The only way to keep data secure is to keep the method or key secure. I've developed 2 encryption apps that basically function like a container compression app (like winrar, winzip, etc). I would keep the encryption and compression types completely secret. Since I do not own the copyrights to the work, I can not go into great detail, but it can be done.

Like anything, once the data is out of the bag, your security drops. You can't prevent everything.

Container Object
-mathematical object (is based on a set of rules on where to place the 'header' information, instead at the front and end of file)
-detail object (contains the encryption info, expire data info, server authentication info, key authentication info, compression info, password key info)
-file object (contains all the files using the detail object)
-checksum object (validates the file to the original file for security)

Container Application
-functions like winzip (has a windows explorer shell, a MS outlook shell and a IE shell).

Oh...I've got this one. (1)

gandhi_2 (1108023) | more than 6 years ago | (#22134520)

You see... my friend. What you've got to do is block it at the source. I mean, really get in there. Block it at napster. Firewall it at the Internets. Lobby congress and firewall it at the ISP!

You've gotta transcend the user experience and do what ever it takes to protect those revenue streams! It's that important!

May I suggest XCP?

--Sony BMG.

That is not logical. (3, Interesting)

Quebec (35169) | more than 6 years ago | (#22134600)

can we produce a black whiteness?
can we produce a filled emptiness?
can we produce a hard softness?
can we produce a rich poverty?
can we produce an Open DRM?

err... not really?

one open DRM system (0, Troll)

philmack (796529) | more than 6 years ago | (#22134622)

I know of one DRM system that is totally open. You can put any document in it that you want. They have a website at http://goatse.cz/ [goatse.cz] that shows all of the great things about DRM.

Re:one open DRM system (1)

gaderael (1081429) | more than 6 years ago | (#22134700)

Only in this case DRM means Dank Rectum Manipulation.

The only real answer (1)

dbIII (701233) | more than 6 years ago | (#22134642)

The only real answer to protecting business data is not to give it away. Give people a demo version of software and not a full version that's enabled with a key for instance if you don't want them to use the full version.

Licence limiting software is a real pain and time sink. I've been halted in the last couple of weeks by one with a Y2K bug of all things, have others limited to dongles on real parallel ports (USB converters have a different memory address to a parallel port in MS Windows) and have to keep a licence server on Redhat 7.3 due to another bit of software that handles licences using an experimental linuxthreads implementation dropped eight years ago. One thing that is incredibly frustrating is that the licence software is almost always easily bypassed by very obvious means but it is against the licence agreement to do it without permission - the software only succeeds in punishing the honest.

The important thing with documents is if you do not want the recipient to look at it then do not give it to them. Portions can be copied and pasted out

DRM, From an information management point of view (0)

Anonymous Coward | more than 6 years ago | (#22134668)

A lot of you seem keen on bashing DRM, and yes I may agree when it comes to fair use etc on Music and video. But in a corporate scenario, there are many valid reasons for DRM. For instance, I may wish a colleague to read a document but not be able to forward it on, or print it. I may wish a colleague to view a document, but only for a limited time, as it is a draft and I don't want them to get confused over which document they have is live.

These simple scenarios are not covered by PGP or PKI infrastructures which are about allowing access to the document, and securing its transport. It is about the permissions on the use of the document itself. If you send an email to a colleague, in which you say something you don't want repeated, then with DRM, they would not be able to forward it, or print it. At which point it expired after 1 viewing. Please explain to me how this would be done with a PKI infrastructure and PGP.

You may not agree with the concept of this, but in the business community it is common place to secure a document from being printed or forwarded. Industrial Espionage is rife, which is why most orgs will use some form of PKI for the forwarding of sensitive information outside or they have an extranet which is secured via SSL or the like.

If you are going to reply here, and do so with gusto, I would suggest you read and understand the question and then you can reply much more intelligently. The question was about a business environment, and not your illegally gained music, and was about DRM, not PKI security or encryption.

I understand what he wants.... (2, Insightful)

FlyingGuy (989135) | more than 6 years ago | (#22134682)

In business there are things like trade secrets, documents, drawings and the like that you have to distribute to a jobber or some other outside entity to accomplish a task, but you really only want the outside entity to have them for the amount of time that they actually need them to get a task completed.

Typically this has been accomplished via NDA's or other legal agreements. It appears that in some instances they want more than a "promise" to destroy the information when it is no longer useful for the legitimate contracted purpose. Sort of like the old "This tape will self destruct in 10 seconds" gag from mission impossible.

The problem is that it really cannot be accomplished. You can use PGP or IronKey (tm) as others have suggested but that only prevents the material from being easily viewed by 3rd parties and does not address the "self destruct" desire.

I really cannot think of a way to make that happen. Every method that I can think of requires the destruct method to either be built into the data ( as a code block ) but even then something has to execute that code, and that is simply worked around.

It basically has to come down to trust. Either you trust the outside entities that you deal with or you don't. When I was in the military I had access to classified materials, and I was looked over from front to back top to bottom, my friends and neighbors were interviewed as well as my Principal from High School.

Sadly, I think the last 8 years of the current administration have re-enforced the notion of mistrust and it has found its way deep into the culture of corporate America.

Re:I understand what he wants.... (1)

SeaFox (739806) | more than 6 years ago | (#22134862)

In business there are things like trade secrets, documents, drawings and the like that you have to distribute to a jobber or some other outside entity to accomplish a task, but you really only want the outside entity to have them for the amount of time that they actually need them to get a task completed.

Typically this has been accomplished via NDA's or other legal agreements. It appears that in some instances they want more than a "promise" to destroy the information when it is no longer useful for the legitimate contracted purpose. Sort of like the old "This tape will self destruct in 10 seconds" gag from mission impossible.

Perhaps what he is seeking is plausible deniability for documents. Something that would prevent someone from making a legitimate copy of a document to prove something. Take the earlier story [slashdot.org] about the U.S. stealing nuclear secrets, in response to the FIA request, the FBI said "we don't have a document by the designation". If it wasn't for the signed document by an FBI official confirming it does exist, this wouldn't be a story. The FBI could just claim the accuser was some anti-government crackpot. And people would believe it or chalk it up to a conspiracy theory for the lists. Nothing more. Even if the person remembered the text of the document, unless the press was able to verify key facts from what they said it's still his word against theirs.

You can block printing, saving, copying, etc the file itself without too much work assuming you had control of the filesystem or OS of the viewing machine and are using encryption, or had a special viewer application created for viewing the document. But people have brought up screen shots and digital cameras. I can't take plain screen shots of movies playing in VLC (without using VLC's capture function) because the video is played through a layer of hardware acceleration. It doesn't exist on the normal display level. Creating levels of abstraction like between the display device and OS might be one avenue to investigate.

Digital cameras are sensitive to different wavelengths of light than the human eye. What if the monitor put out a huge amount of light at wavelengths beyond human vision, but within that of a camera? The digital camera would have difficulty taking pictures of the document since it would see the screen as all bleached out.

I'm not saying it would be possible to create Total Information Security. But as long as they prevent creating a copy of the document that looks halfway authentic, the rest will be PR/damage control.

file-system not DRM dummy (1)

Alan Doherty (87875) | more than 6 years ago | (#22134726)

i think the author totally misses the point? if you're talking how do you restrict access by group/individual etc to the files this is a function of the file-system used NOT DRM pick a good filing system and anyone can choose which users/groups they want to be allowed read/write/whatever access their files {DRM is supposed to be a method of making a copy of a file useless to anyone but the intended reader or an uncopyable file, this requires the creator and the reader use a file format that allows the creator to create a unique copy per reader and the reader being unable to alter the received copy, not much use for files in an office i'll bet!!} thus each form of DRM needs a file creation tool and a file display tool and a secret algorithm for making it only possible to display it with the correct hidden key, open source solutions would therefore be improbable as the key/hash/function could be reverse engineered by reading the source}

DRM isn't useless (1)

Tweekster (949766) | more than 6 years ago | (#22134770)

Just trying to use a DRMed file is useless

Just try using adobe ebooks, (not the protected pdfs) but the actual ebooks being sold. EBX_HANDLER errors and no real way to remove that crap

A publisher should not have the power to say you cannot print a file, but sadly they do.

oooh (1)

rastoboy29 (807168) | more than 6 years ago | (#22134844)

am I the only one who gets the willies from their calling such a thing "dream"?

Just use encryption (1)

BeanThere (28381) | more than 6 years ago | (#22134938)

For company documents, this problem has already been solved, just use any of the many encryption solutions available ... I don't think there is any major need in normal business use that DRM fulfills that regular encryption based solutions do not. (Actually your request just sounds like a FUD-style attempt to 'legitimise' DRM, good luck with that around here.)