Current Feed Content from 17 Nov 08 14:19
Cryptography isn’t DRM
2008-10-21T07:46:00Z
One of the commonest errors you see made in articles about information security is to equate the secrecy obtained by cryptography with the licensing control applied by DRM.
You will see plenty of ‘experts’ state that you can use cryptography to ensure the security of your information, when what they actually mean is that a recipient can check that what they receive has not been altered or falsified, and that unauthorized people cannot have read it first.
Now that isn’t DRM. When you, as the authorized recipient of encrypted information decrypt it, you can do precisely what you like with it. Copy it, send it to your friends (or even your enemies), alter it, anything you feel like.
But DRM is about very much more.
DRM has to deal with what you are allowed to do with information that you are authorized to receive. Generally you are not allowed to pass information on to others. (That is considered implicit in military systems, but is a physical or manual control, and you can’t apply that to electronic information. What the military do is make sure it can’t leave the system it is stored on, which is not an option if you’re selling eBooks.)
As importantly, you may not be able to make printed copies, or that might be allowed but a Copyright mark is prominently displayed when you do that. You might only be able to use the electronic information for a limited number of times (pay per view) or for a limited time period (documents for evaluation or for bidding for contracts).
Only DRM controls have the ability to ensure that the controls, or license terms that go along with the information actually get enforced.
Of course DRM also makes use of encryption technology both to be sure that nothing can be used unless the recipient is authorized, but that’s only the start of the story.
So next time someone tells you that all your security problems can be solved by encryption, just let them know better.Steve Mathews It’s a funny old world
2008-09-24T11:11:00Z
Although not the only person to use the quotation, Margaret Thatcher famously said those words to describe losing the election to be the leader of the Conservative Party and therefore the post of Prime Minister and First Lord of the Treasury.
And when you look out at the IT security industry you risk having the same feeling that she did.
Although not very surprising, people have gone out and solved problems that were easy, leaving the difficult ones to specialists whilst using marketing muscle to ‘persuade’ customers that their solutions fit the problems.
A good case in point would be the global adoption of the secure connection technology SSL (Secure Sockets Layer). Pedalled for many years as the certainty of a secure connection, it has been nothing of the kind. Yes, it very securely connects together two locations that do not know each other. And that’s the problem. You only think you are connected to the bank, and they only think they are connected to you.
It’s been a bit the same with DRM.
At one level it has been stunningly bad. The music and film copying brigades got it into their heads that just because in the cassette tape days you could tape anything off the radio or the record deck (mind you the quality was absolutely dreadful) and make copies (which were even worse – but you could do it!) then you had the divine right to copy anything. After all, let’s not worry about copyright.
And at the other end of the equation, DRM system providers did themselves no favours either. They tried to implement DRM that prevented people from making copies of their own works, or DRM that just enabled suppliers to charge different amounts for exactly the same product in different places around the world. Finally, DRM providers made the serious mistake of trying to embed themselves into operating systems, and behaving like viruses or hackers.
There has also been the dichotomy about use of DRM protected products – to print or not to print? I have discussed this with several eBook publishers and they have mixed views. At one level we all agree that the eBook has immense power and potential over the paper book – quick indexes; searching; linking both internal and external: all things a paper book simply can’t deliver. At another level, people just don’t really read eBooks the same way they do paper.
When did you last take your laptop to the lavatory so you could read something in peace?
And maybe that’s what’s lacking in the eBook development thinking? An eBook version of a training course is not quite the same proposition as the eBook version of a fashion magazine. And the eBook version of your broker’s guide to share trading is not the same as the latest best selling novel.
There are similarities, certainly, but a good guide would be found by looking at the ‘intended use scenario.’ Is the product intended primarily for social, domestic and leisure, or is it primarily for business?
Current document DRM systems are focused on business applications use (which includes handling formal business documents that may be used both at work and at home – the home element does not dominate the primary point that the business use dominates the rights and rights management). Business DRM is reasonably well scoped.
But many suppliers are leaping onto the DRM bandwagon trying to apply it to scenarios where the use (and the formality of use) is very different.
If you argued that when you buy a novel, when you have read it then you can give it, in its entirety (not a copy) to someone else that might be an acceptable use. But a business training course was never provided for that purpose. It was provided for a specific and limited use, often for a very restricted period of time. And the same concepts do not apply.
And some business documents are not being distributed for copying at all. Some are business secrets, some are documents disclosed because they have to be, but only to identified individuals, and so on. There is absolutely every reason for the distributor to want to be sure that the document is not copied, or forwarded to anyone, or maybe even printed.
But the DRM mechanisms are just the same. The secret is in who you apply them to and how you apply them.
Of course you will upset people by introducing DRM. All the people who think they should be able to copy and distribute your information for starters! And all the people who hate DRM just on principle (but please see the first group again also).
But maybe those are the very people you wanted to control in the first place?
It’s a funny old world, isn’t it?Steve Mathews DRM is a barrier to eBook adoption say students
2008-09-02T16:57:00Z
Being interested in opinions on the rights, wrongs, virtues and demerits perceived by many communities, I found the following article http://arstechnica.com/news.ars/post/20080828-study-students-need-open-source-e-textbooks.html to be of some interest.If you read the article, you start from an offered conclusion that student text books ought to be available under open source type Creative Commons licenses. But as you dig further down, you find out that students are complaining about the cost of text books.
The arguments seem to be:
-text books are too expensive anyway;
-you can’t print out much at a go;
-they have a short life;
-they cost as much as the print editions.So the complaints seem to be much more like those being used on film and music companies than they are about DRM itself.
Now I would have to agree that it seems very strange that it costs me the same to buy a book that I have for ever, or an electronic book which I only get to use for 6 months. At the same time the electronic book supplier might be offering me something rather different with the electronic book – things I just can’t do with the paper edition. Searching (it saves me having to read the whole thing although maybe I actually learn less?) and hyperlinking to other reference work, articles, forums and so on are things I just don’t get on paper, or images I can work with.
Why should I get upset about not being able to print the ebook? If I want a print edition then surely that is what I should have purchased to begin with. If I want to print information then I should expect to pay a premium (normally called a royalty) for the right to make copies of the book. That’s totally normal. And just the same as in the software world. It isn’t realistic to think I can buy some software for one machine and then put it on as many machines as I suddenly decide – hey man, that’s piracy.
So I am not totally convinced by the student’s arguments. Yes, we all moan about the price of things, from cars to condos and from tuna to text books. And that’s normal, good and healthy. And in the bargaining business you always start from an extreme position if you think you can get away with it, so, of course, a study that asks the students the right questions will get whatever result they feel like.
I’m equally certain that if you asked the College Professors who specified the books for the term and the course (and maybe even wrote them?) they would not be wanting to give away their work, even though they were paid to gain their expertise. And if you asked the publishers, they will have a view all of their own (but don’t ask me what it is because I haven’t asked them).
So bottom line, it’s popular to attack DRM because, hey, it stops me from doing my own thing. Everyone seems to think that buying something grants you the right to use what you bought anyhow you want. Well, that isn’t the case with automobiles, guns, software, drugs, or a whole load of other things. And so far there’s no proof ebooks are any different.
As a closing thought, the other day I had to spend 350 bucks to buy a paper book that is a definitive reference on company valuation methods. It is out of print, and there are only two companies who can supply it from stock. There are no electronic versions, and it is not in the library. Next? I would have liked an ebook version with search and hyperlinks but it isn’t available. And I bet if it was it would cost a damn site more than the paper edition – and I would have paid it!
Steve Mathews Is there such a thing as personal data anymore
2008-08-26T12:58:00Z
The other day we see reported in the press (in this case SC Magazine http://haymarket.puresendmail.com/hmiclick/4t6676cRbkg92yRmd0R8l9a2cRng1R4tbura/2/www.scmagazineuk.com/UK-Government-takes-rap-for-latest-data-blunder/article/115785/) that yet again personal data held by the UK government has leaked its way out into the public domain.In the past we have managed to hit tax claimants, car drivers, and student doctors. But just as we thought things were getting better they and their partners managed to hit a most unlikely and vulnerable sector of society – criminals.
It might well be jingoism to say, “Well, why should they get protection – so who cares.” But as we know, it turns out that there are wrong convictions, and not every prisoner is a paedophile, murderer, rapist or thief. Some are just people who couldn’t pay the mortgage.
And would we want people to be readily exposed to blackmail because of their pasts? Making it easier for other criminals to recruit them when they have served the punishment society exacted? Probably not a good idea.
What it also does is reinforce genuine and growing concern that information professionals and management simply do not have any grip on protecting the privacy of information. They may (and the Press may say they may not) have some grasp about access controls. But there seems to be no clue about how to stop the leaking and spreading of information that has been entrusted to them to manage.
And the biggest collectors and processors of really high value and fairly accurate personal data are - governments, whether national or local.
So the nightmare scenario is that governments give themselves the right to collect more and more personal information about people (not just their citizens), and consolidate it under the guise of (pick one or more for your own country as required) identity control, taxation, prevention of terrorism, then they are at the same time creating the opportunity for even bigger targets for hackers, and ever bigger losses of personal data.
But whilst there seems to be no effective way, if news stories are correct, of persuading government officials and the companies working for them to raise standards and take personal responsibility for losses, then you can forget having personal data.
Steve Mathews Customers demand DRM controls – it’s true
2008-08-19T16:11:00Z
Now even consultants would normally be hard pressed to find an argument that customers want DRM controls protecting information.If you believe the modern anti-DRM blog sites, DRM is akin to the works of the (please pick a suitable negative deity suited to your particular persuasion). Imposing controls on honest citizens is an affront to their dignity (let’s just not worry about speed traps because we don’t believe you can be trusted to obey the law).
But, and this is serious, there are sectors of the community that want the protection of DRM controls.
One important group is the individuals or organizations that are buying training courses so that they can train themselves or their people so they can carry out licensed services and demonstrate that they have proven capabilities and expertise. They are investing serious money in the enhancement and development of their staff and their businesses. The last thing they want to see is competitors being able to undercut them because they haven’t paid the proper fees. That is unfair competition from the unethical and unscrupulous. Why should the honest and law abiding suffer at the hands of the dishonest? Or is that the purpose of hacking?
Another group who demand DRM controls are those receiving confidential information. Because when confidential information leaks out, the finger pointing starts, and absent DRM controls that can act to identify the actual source of a leak, then the selection of a scapegoat can commence. So the presence of DRM controls helps protect the recipients of information, because it can help prove they were not the source of any leak or compromize. And when it comes to keeping your reputation as well as your job, DRM can prove invaluable.
And a third group who want DRM controls are those who need to receive information but the owner of the information wants some actual certainty the information will be looked after properly. In this group are the people who have to send out personal data that has to be human accessible. This is the fastest growing group, because US regulation is now getting much more stern about encrypting personal data in computers. It is now specifying that there has to be some management and control, and is going for tougher penalties to incentivise compliance. Naturally, people sending out DRM controlled information are better placed to easily prove they did a good job.
So before you show me another web site about how bad DRM is and how it is that nothing should be DRM protected, just think for a moment about the fact that it is essential in some industries, and, that without it, your personal data can still be handed around without anyone being able to stop it.
Steve Mathews When in doubt – shoot the messenger!
2008-08-06T16:59:00Z
Sophocles, in his work Antigone, said, "No one loves the messenger who brings bad news."This week provided more than it’s share of light entertainment with blogs of disinformation. Top of the list goes to the people who figure that Lizard Safeguard ought to work on every operating system known to man (or is that persons?). It says clearly on the box, works with PC and Mac – and nothing else. It’s rather like buying a book that’s published in English and then complaining because it isn’t in Danish (and likely never will be). It doesn’t run on an IBM mainframe either, btw.
And second error prize has to go to those who say it doesn’t work on the Mac. It does.
As a general rule, two out of three is pretty bad, but what about number 3?
“The system is unusable because it insists on always connecting to the Internet before you can use anything.”
It is true that you have to connect to the Internet the first time you open a document – it has to check that you are the bona fide purchaser, and it has to get the information needed to decrypt the document. After that, it totally depends on what the owner of the document has chosen to enforce. And nothing to do with LockLizard, because they can only enforce what the publisher defines as the rules. You don’t go round blaming Microsoft because your system administrator decided the frequency you update your logon password – so why blame LockLizard about the way the system administrator has configured their controls?
But, of course, the modern attitude is to use any possible reason to try and prevent people from implementing DRM controls, even though all the available evidence proves rampant piracy and theft of digitized information. So use every possible opportunity, no matter how ridiculous, to claim rights that don’t exist.
And don’t forget to blame the messenger! The DRM provider creates a toolkit that the publisher implements in whatever way they see fit. But of course the DRM provider is the evil guy because they are stupid enough to implement what the publisher said. It’s Hobson’s choice - damned if you do and damned if you don’t. If you are the DRM provider and you don’t enforce what your customer, the publisher, says, then they will soon be after you, and probably with good cause. But it seems that if you implement what the publishers want, then the people getting the information want to blame you for doing a good job!
Of course the attitudes are so different if what is being published is personal data – oh you should have taken the strongest possible means to protect it – what do you mean you didn’t check who was accessing the data. And so on. Just because it’s not your personal data, it doesn’t mean you have the right to do what you like with it – or does it?
Steve Mathews Web 2.0 - What’s wrong with using what you know?
2008-08-06T06:29:00Z
It has been interesting reading the blogs, analysts and industrial pundits who have decided that Web 2.0 is the best thing since ….. well, maybe Web 1.x? and that every being on the planet should endorse its concepts – sharing information, whether personal or corporate in places whether public or private.Team playing, that’s the thing. As long as we all work together the results will be bigger, better, quicker, cheaper, more FUN.
To try and avoid the risk of being a party pooper I put out a few inquiries (name the usual search engines) about Web 2.0 security. After all, before I go revealing whatever it is that I decide I’m going to reveal, I’d rather like a few ideas about who might get their sticky little hands on whatever I am posting. Well, Google muscled in with (around?) 160, 000, 000 entries, Yahoo hoisted 316, 000, 000 and MSN claimed 72, 800, 000. I admit it. I didn’t read them all, I just didn’t have the time.But the summaries on the first few pages, regardless of who I consulted, was just the same. No security, and no plan for security.
Now this is kind of worrying.
We are all supposed to bring in whatever we want and then share it (knowingly or otherwise) with a group of people we may (or may actually not) know, and that’s good.
Somehow I figure there’s going to be a ton of material that my CEO (wife, partner, children, friends and acquaintances – the list goes on) does not want me to give to other people. Yes, I know a couple of those photos after the hot tub might be a bit insensitive, but, hell, it happened didn’t it? And maybe I shouldn’t have published that extract about how we always get the best procurement price – but it is what we do, isn’t it?
You see, that’s the problem. We all coexist with and in many groups, all at the same time. But those groups are not connected by common views, objectives, rules or members. And it’s not clear if the members of each group even share common ideals. All Americans support America, of course. Except those who crash jets, or oppose foreign wars, or ….
So even when you think you know who the players are you don’t know what they will do with the information you give them, or what information you may have given them access to without your even knowing.
The problem is that Web 2.0 does not have DRM controls that help you decide the limits that can be put on the use of your information. It’s certainly the information super highway – but it’s all about sharing and none of it’s about control. Caveat orator – let the speaker beware – should be our watchword.
But no doubt, like the IT fashions and fancies that have gone before, it will require a lot of fingers to be burned before any security, let alone DRM gets added. So in the meantime, if you don’t want your information being shared about, get some DRM protecting what you have got, whilst you still have it.
Steve Mathews Does the death of music DRM mean the death of DRM itself?
2008-07-31T14:00:00Z
I am sure you will have read the article in efflux.com http://www.efluxmedia.com/news_Yahoo_Music_Dead_Another_Reason_To_Never_Buy_DRM_Protected_Tracks_21005.html warning of the death of the Microsoft music DRM by August 31, and Google by September 30 (2008).Their conclusion? “Digital rights management technologies are a failure commercially and technically. There are too many standards which are not interoperable, they restrict the customer's freedom to high degrees and they are an everyday nuisance to work with.”
Well wash my mouth out with soap (no I don’t mean SOAP which is another load of XML).
Let’s look at that rather broad conclusion.
There are too many standards? Excuse me? I looked up DRM standards in ISO (International Standards Organization, the people who figure out what is the standard for electric cable so you don’t blow your hands off touching the stuff, the rails that trains run on so that they stay running on them, and serious computer standards – you know, stuff that matters), and drew a blank. Now if someone had said manufacturer’s standards, I could buy into the argument.
An everyday nuisance to work with? Well, you might get paid to listen to music tracks. Or maybe they just mean you can’t readily copy tracks and give them away? (I bet you can buy a license to do that, but its costly.)
But what most people have yet to understand is that the DRM industry is seriously new, and that there is precisely no desire by major players (tape, CD, DVD, PDF and so on) to provide interoperable standards, when we haven’t even agreed what standards are being looked for, and why, or how they should be implemented.
The current market is in what the economists call the ‘prime mover’ phase. Literally, that means that the first into the market can do what they like, set any standards they feel like, and charge any price that suits them! The market has been there since the late 1990s. Not quite recently? And mainly because it has not suited any major player to see International Standards emerge, it has not changed.
Actually, rather than worry about the latest squabble about whose industrial standard should be dominant, we should be worrying about what sorts of DRM standards are going to emerge, and how to be able to influence them. They are rather like taxation – you can never stop a government from taxing you. That’s how they stay alive, by taking your money (and if the statistics are correct they get more money out of individuals than they get out of corporations, which ought to be rather worrying).
Despite what the pundits say, DRM is not going to go away. The people who create and sell intellectual property (IPR) have to make their livings from doing that. They are not going to give away their livelihoods any more than you or the pirates are going to. The people you really need to fear are those who do not need a day job to pay their way, or where the day job is so badly supervised that they can afford to waste their employer’s time whilst they pursue illegal interests.
And just as the Internet has moved from being a free information source (1995-2002) it is now increasingly a paid information source and what was previously free is no longer available unless you pay for it. If you examine information sources now they consist of sources that have been paid for as a matter of public interest (the Gutenberg series that have made much of the Classical repertoire (Shakespeare, Plato and many other Classical greats such as Chaucer) accessible to any and all. We applaud these measures. Even if modern schooling fails to inculcate any appreciation for works other than Homer Simpson, we agree that works out of copyright should be available to all – but MUST be assured as being the actual words, and not some Bowdlerism (Thomas Bowdler (July 11, 1754 – February 24, 1825) was an English physician who published an expurgated edition of William Shakespeare's work that he considered to be more appropriate for women and children than the original, and, according to some sources, actually made it more accessible!).
Apparently political correctness is not a new disease?
Seekers after truth deserve some measured verity. But you can’t deliver that without DRM. Because DRM is, as the Germans say, “A sword with no handles.” It does not merely control what a recipient can do with the information they receive, it verifies that the information they have gained possession of is truly coming from the claimed source – the publisher.
There is nothing negative in this for the publisher. Actually, for the publisher it is a comfort. Because otherwise how else can a publisher ‘prove’ what it is they actually published, given the modern world where information theft and the misuse of information are commonplace? The fact of DRM tools provides an abiding proof that they truly are the source of specific information, and that can help publishers obtain prosecution of unreasonable and irresponsible pirates on the one hand, and avoid prosecution for things they never did publish, on the other.
So think carefully before trying to consign DRM to the dustbin of history. It may be following closely behind such must have’s as death and taxes.
Steve Mathews Does organized piracy contribute to better markets?
2008-07-28T18:09:00Z
I read, from the July pages of www.StarNewsOnline.com that “The Pirate Bay, which is based in Sweden, presents a devilishly fearless challenge to American textbook publishers. It describes itself as an “anticopyright organization” and offers music, movies, television shows and software, as well as e-books like textbooks — not a single item of which, it boasts, has ever been removed at the request of a copyright owner.” Hmm. Sounds like Pirates?But how many economic analyses have you read that actually examined the effects of piracy on product markets? Probably very few.
Big hitters like the music, TV and film people complain about losses in their industries. Designer label clothes and perfume producers complain. Software manufacturers also complain.
But if you make a careful analysis, piracy always occurs when there are serious market pricing inequalities that are not addressed by regulation. Or to try to be a bit clearer, when you can buy a product in one country for x, and in another country for a half of x, there is a serious price inequality. If no action is taken to correct a price inequality, this creates the vacuum that pirates, being, at heart, just as serious capitalists as any industrialist, will naturally seek to fill.
This is not some vague modern theory. Rather it is a statement that has stood the test of time. When in the UK in the 1800s, it was decided by government to raise the tax on alcohol and tobacco to be significantly above that of France, somewhere only 14 miles away, pirates were handed a market second only to the government forcing you buy your postal service from them (and they did do that).
There are many more recent examples. Designer jeans manufacturers and perfume manufacturers won global legal battles that enabled them to enforce per country pricing for their products, and to be able to prevent countries purchasing at lower prices from reselling to other, higher priced countries.
The same has been true in the information world.
I cannot understand how it is that the same information can possibly have a different value in a different country. I agree, that, if translation into a different language from the source is necessary, then that might introduce a cost that has to be paid for, but I also assume that the seller will have thought about the effects of price on market before launching their wares, and will have worried about what price to set in order to make a viable return (please see economists for the math behind price/market/demand models, I don’t have the desire to write a book on it). To give you a practical example, the other day I paid over $350 for a book that it was essential I could read right now, was out of print, and only one supplier could deliver a copy next day.
The bottom line, as they say, is that any DRM controls built by man can be removed by man. It all depends on cost/effort/desire. Risk analysis. DRM controls over things that can be seen or heard can be ‘removed’ using a camera and a microphone. That cannot be prevented. There will be loss of quality, and, if your product has high embedded functionality (ability to search on information, links to other objects, embedded information) there may be critical loss of functionality that renders a copy of little or no value in the market place. You may also be using features such as dynamic watermarking, that significantly reduce the desire of legitimate users to allow pirates access to their materials because they may be personally identified as the source of piracy. Hopefully, in your DRM system, you are using features such as encryption, that can prevent trivial ways of accessing and copying your work(s).
But do please always remember that to a greater or lesser extent, if the cost and effort are low enough, and the desire is high enough, then copies of the basic information can be made. What can be stopped is stealing embedded functionality that the DRM controls also protect.
The greatest effector you can face is desire. If your market is students and your strategy is to charge premium price then you can expect a high ‘desire’ to break your controls. If you choose a lower price because you can sell year on year the same product, then you lower desire.
We sell our products at exactly the same price globally. There are no exceptions. There are no premiums. There are no discounts. At one level it’s a rough deal because poor economies have to pay ‘relatively’ more. But there is a level playing field. There is no market price fixing. We do not demand a different price in Chile from Canada, or in the United States from the United Kingdom. And maybe that’s part of the equation? Part of the equation of persuading people it’s not worth the bother of pirating information is to set prices that are both globally consistent and do not overly increase the desire to find a way to bypass them.
That’s not part of the choice of a DRM product supplier, although you might prefer to choose one that is realistic about what can be achieved and clear about being a DRM provider and nothing else.
Steve Mathews Getting too casual with information
2008-07-15T09:05:00Z
As can be the case, we have been rather overtaken by recent events – in my case an office move – actually only about a mile as the (insert the feathered creature of your preference) flies.Fortunately our office move really did happen over a weekend. And whilst it had precisely zero impact on our customers – everything carried on running seamlessly – that was not entirely the case for us staff.
Take me (please), for instance. For reasons that are so obvious I am not going to explain them, my shaver cord happened to be on my desk when the removers came. That is the last time I, or anyone else saw it. So the emerging beard can be explained by the fact that I am too tight to buy a new Braun top of the range machine without a fight!
And what has that got to do with information security?
Well, during last week the UK government published a whole series of reports (on the same day, so you know they had saved up all the bad news for a moment when they hoped nobody was watching) on how major government departments like the Inland Revenue (HMRC in the UK and IRS in the US) and the Ministry of Defense had managed to lose millions of people’s personal data and that none of it was protected in any way, shape or form.
The major thrust of the reports was that management did not consider that the personal data they held in trust was their responsibility to protect and therefore they did not see any need to spend any money at all on protecting it.
A second, and perhaps even more dangerous revelation was that government collected information that it subsequently used for purposes that were not consistent with what it had been collected it for.
It is, of course, now normal that neither government ministers nor civil service officials will be exposed as charlatans or hypocrites, and that nobody will have their careers ended because they clearly failed to live up to the standards (moral, ethical, documented or expected) that they pretended were in force. Governments and their officials should not pretend surprise when the electorate ignore them – if nobody is accountable then who cares who gets elected?
Well, with guidance like that from on high, what hope is there for the rest of us?
Usually we look to governments and big industry to show the way in both corporate and civil behaviour. After all, they make the law, and they enforce that law.
But right now their governance is, to put it mildly, severely lacking. If, to quote a very famous film, “Frankly, my dear, I don’t give a damn, ” then why should we believe them when they talk about Copyright and similar protections? It looks like a load of irrelevance, and anyone wanting information protection will have to go with what they can get. There’s no point in waiting for the prognostications of the governments, or the divinations of standards bodies (international or industry led) because it is totally clear that the leaders are not interested.
And that brings me back to the power cord. Nobody at the removers is interested in my problem. So I am going to have to sort it out for myself – and the beard itches!
Steve Mathews The case for Digital Rights Management
2008-04-01T11:31:00Z
There are many good and valid reasons why people wish to be able to publish and transmit information electronically. The rise of social web sites testifies to the willingness of people to make information available to selected individuals or groups.However, a willingness to share should not be interpreted as a wholesale license to all and sundry to freely make copies of electronic information and re-distribute it without even acknowledging the original ownership, or paying a Copyright fee.
Much has been made, in the technology world, of the concepts of Open Source, CopyLeft, Limited Rights and so on, as arguments for the desirability of making all electronically held information freely available to all comers. In the music receiving industry (as against the music publishing industry) there has been considerable pressure to make copying and redistribution a ‘right, ’ merely because it is difficult to prevent.
Such arguments are intellectually barren. They are like saying that because you own a gun you have a ‘right’ to shoot anything you like because it is difficult to stop you, or that because you can buy a car you can drive it anywhere you like and in any manner that you wish.
Because people suffer physical harm as a result of such poor behaviours we pass laws to take action if behaviour is unacceptable. Since Copyright is an economic right, we also have laws to protect Copyright owners from economic harm where behaviour is unacceptable.
So we must reject the claim that merely because you can do something then you automatically have the right to do it. (This was never true in Roman Law countries anyway.)
Empirical evidence suggests that computer users cannot be trusted to use information provided electronically only and solely for lawful purposes. Regrettably, it is essential to instil enlightened self-interest into the users of electronically provided information. This is essential, simply because, “Computers are all about copying.” (Prof. JAL Sterling and S Mathews in a paper on protocols and interfaces). Not only do computers facilitate copying, but they ensure that such copies are always perfect in every detail.
This creates significant problems whose Intellectual Property(IP) (whether being offered for sale or being made available for some purpose as the result of a commercial agreement or a ruling of a competent Court, or some other reason) is being distributed electronically. Agreements for the control of the use of IP are normally very precise, and set out to prevent unauthorized use. Given the propensity of users to do things because they can, it is essential to provide a system of controls (Digital Rights Management or DRM) that actively ensure that the permitted uses must be observed, and cannot be trivially ignored.
Similarly, those wishing to make their livings from selling their intellectual capacity (creating works by thinking) as opposed to their physical capacity (making objects) must have the ability to enforce their economic right. To suggest that all the world (tout le monde) cannot make their livings from publishing and selling on the Internet would be a travesty of the so-called knowledge-based economies. Whilst some may seek to demonstrate their intellectual capacities by ‘giving away’ the fruits of their labours as marketing in the hope of selling something else, not everyone has the luxury of such an indulgence. One cannot see authors such as JK Rowling agreeing, http://entertainment.timesonline.co.uk/tol/arts_and_entertainment/books/article3621625.ece seems to be an indication of her view about copying!
Academics (who, incidentally are paid to write, and often write as a matter of advertising, as do I) may claim that all intellectual capacity should be available for their study, comment, parody and so on. I wonder how many electronic copies of Deathly Hallows were provided free gratis to the academic community for that purpose? And without any limitation as to copying and being able to pass on?
The fact of the matter is that there are cogent economic and political reasons why DRM technologies are required to protect documents in electronic form, and it is wrong to suggest that that there should be no mechanisms enforcing the control of authorized use made available and put in place. Let those who wish to give away their work do so if they will, but allow those who sell their work to obtain fair and relevant recompense for their labours.
Steve Mathews National ID law without debate – achieving the unacceptable by the unscrupulous?
2008-02-06T18:48:00ZThose familiar with reading our columns know that we are not normally exercised by minor debates. But we are amazed by the report (which we rely upon as being true) by ZDNet at http://news.zdnet.com/2100-9588_22-6228910.html?tag=nl.e550 (correct at the time of publication) that the United States has mandated Federal identity controls on the back of a Bill ostensibly to do with "Emergency Supplemental Appropriations Act for Defense, the Global War on Terror, and Tsunami Relief, 2005."
Well, OK, we do have the text in there about the ‘Global War on Terror’ so I guess that this might be a fine argument.
But come on – get real – if you read the text it’s all about making the driver’s license the authorized Federally approved identity document!
Now I realize that in the USA if you do not have a driver’s license then you are probably some kind of low life that does not exist, so therefore you are of no significance, and obviously not a terrorist, and therefore we do not need to worry about you. After all, a terrorist could not possibly drive a car without a license just to deliver a bomb, could they?
Hey, but that’s only a social analysis that says that the downtrodden underclasses are not likely to be terrorists, so we don’t need to worry about them.
Let’s try thinking out of the box for a moment. Why would you want this legislation when the people you are trying to catch are running outside of the system in the first place? After all, history teaches us that criminals are generally outside the system because being inside the system is a highly negative advantage!
Think for a moment about the costs that are going to be involved in granting the Secretary of Homeland Security this (wild?) desire to collect, at the expense of the States, and therefore at the direct expense of the Citizen, without there being any demonstrable benefit from this to that citizen (unless you count the collection of information about law-abiding people, because no self-respecting terrorist of any kind would be caught by such a an obvious trap) provable personal identifiers to standards that have not been promulgated and security controls that have not yet been identified.
Yes, this bill will be the mother of all pork barrels to industries who strut their stuff about all manner of personal identification methods (despite the simple fact that there are no recognized international standards in this field, so anyone can claim anything they like – snake oil?) and the bill completely fails to say anything of any substance about standards, compliance, certification, accreditation and so on.
So we screw the US car driver for shedloads of money – is that a problem?
Well, if the punter is willing to pay, then I guess not. After all, that’s what a capitalist economy is all about. Capitalism is about what industry can screw out of consumers and governments can screw out of both (not maybe what Carl Marx actually wrote, but close enough).
So this may actually come down to cost. If the cost of implementing legislation that has not had public debate, is of questionable public benefit, has a cost that may not be appropriate to the actual benefit achieved (Since 9/11 precisely what has happened? Well at the current rate of experience, nothing.) then why are we bothering? Surely governments are being held to account for spending taxpayer money wisely and effectively.
But, of course, if this is really a bill to hand the Secretary a future blank check for getting funding, even if that office has so far failed to do anything tangible for the protection of the public, then it is completely understandable.
But then, you have to accept that by insisting on the registration of the law abiding (at an unknown, but certainly high cost to them personally) you can catch terrorists, who are, by definition, not law-abiding, and therefore outside of the system, then this is something you should go for. But please suspend the use of logic, finance, governance or anything similar.
On the other hand, if you feel like funding another Star Wars program personally, then step in line and vote.
Steve Mathews DRM is dead – Long live DRM!
2008-01-14T19:42:00ZIf you believed everything you heard from the music and film industries, you could get very confused very easily. And you could all be fooled into thinking that they are the only industries that exist when it comes to needing DRM (it’s a bit like saying that governments are the only organizations that need privacy!). So Amazon and Sony now say DRM is dead? Or is this nothing more than the usual marketing hype after a disaster?
Actually, music and film have had long, chequered and cyclical love/hate relationship with DRM, mainly because they were the first people to get seriously exposed to piracy, and to feel pain where it truly hurts – in the bank account. They got there in the 1960’s, long before the PC, or the iPod were more than the work of science fiction writers like Arthur C Clarke. The fact that it would take almost 50 years before book publishers and organizations woke up and smelt the coffee is just history.
Their first outing was the cassette tape. Up to then, copying a record was practically impossible, and although reel-to-reel recorders were around they were too expensive and difficult to use for normal mortals. But anyone could use a cassette, and everyone did. They tried suing people who sold cassette decks that would copy from one to another, but they failed, and thus started the hunt for the Holy Grail of the industry – a way of stopping people from copying music (and later film) so that they could charge premium rates for their wares.
Alas, it was not to be. They lost the cassette wars, and later the VHS wars. They won the DAT war (Digital Audio Tape) – remember it? maybe not, when the hardware manufacturers lost a fortune because no consumer would buy into it because the copying controls were so aggressive you couldn’t necessarily copy your own personal recordings. CD controls proved to be a lost cause, and DVD region pricing was outflanked by hardware manufacturers who were determined not to lose out on their own market opportunity this time around. I remember a big meeting in LA when the music industry said they were going to implement secure MP3! Laugh like a drain? Well, I must confess I was close to being thrown out of the meeting. Lately it seems that Sony decided on a rootkit approach to preventing copying that also opened up a serious hacking opportunity.
So maybe you should see the current position to be nothing more than posturing by an industry that wants to be the content deliverer to the mass consumer market, and has only one objective in mind – its own profitability.
That’s not to say that there’s anything bad about profit. All of us are in business (in a particular sense), and if we don’t show a profit, one way or another, then things are very bad indeed (see Charles Dickens on Wilkins Micawber).
And what most people (and organizations, for that matter) trade on is their intellectual property. In the ‘knowledge economy’ that is what we are selling. So we have to safeguard that IP or anyone and everyone (I used to say the World and His Wife, but apparently that is no longer Politically Correct, and saying it would render me liable to being excommunicated by the deity or politician of your choice) can rip (RIP – Requiescat In Pace or ‘you will rest in peace’) you off and make your personal trade value slightly lower than that of a Eunuch’s scrotum. (Apparently that is still Politically Correct!)
What one has to think about very carefully, is what value DRM controls provide to you (either as an individual or as a business) in order to say if they matter, and when it is that they matter.
The music/film industries are under the cosh because you can either copy their stuff, or you can’t. If you can buy a legal version, and then copy it by recording the sound or filming the picture on a seriously high quality screen then you are in business. And they are not.
But that is a problem for those industries. You can buy cracked codes for satellite TV systems with little or no effort or risk. Try eBay – if it’s too cheap can it be real?
But, for the document handling industries, things are only just beginning to warm up. Computing is all about copying. When you read this you are looking at a copy of what I wrote, in fact I am doing that when I watch the characters come up on screen in front of me. And that’s the major hazard for the PC and the Internet. Everything has been set up to promote copying. And the software does not give a ‘tuppeny damn’ whether the information is to be public, be controlled, or kept totally secret. Which is bad news if you are in the business of selling, or simply providing, information (your knowledge, expertise, capability, private advice to clients, tax return computations, price lists, sales manuals, repair manuals ….. the list seems endless).
So enter DRM. DRM is the only approach available that lets you specify not only who can see your proprietary information, but what use they can make of it. The film and music industries were interested in preventing copying, but you will likely need to be able to stop people using information after a particular date, or make sure they can only see it for a couple of times, or print it once, or any number of other things. Encryption does none of these things, it just prevents the un-anointed from being able to access information, not limit how and when they might use it.
So whilst the music and film businesses figure they need to flex their market in order to maximize their own profits, they are operating in a different environment. Commerce, industry, publishers, authors and ordinary mortals need DRM technology to protect their personal and commercial interests. They have nothing else. They are exposed to commercial or personal ruin by the uninhibited ability of the PC and the Internet to copy and re-distribute their information without any control at all.
So whilst the record industries declare DRM is dead, we say, “Long live DRM.”
Steve Mathews A brand new Whitehall farce?
2007-12-03T17:26:00ZWithout question, the doyen of the Whitehall farce from 1944 to 1969 was Baron Bryan Rix (made a life peer for his tireless work for the mentally handicapped). But he had the wisdom to appear at the Whitehall theatre, and deliberately set out to entertain and delight his customers.The twists and turns of another Whitehall farce, in this case starring Her Majesty’s Revenue and Customs (HMRC) and the National Audit Office(NAO), in what is about to become the long running Child Benefit Data Farce, can now be seen onstage at the BBC (and any number of other entertainment purveyors).Sadly, these jokers appear to lack all the skills of the Baron Rix. They do not entertain and delight their audience either. It did not appear to concern them that there are laws (the Data Protection Directive 95/46/EC, and the Data Protection Act 1998) that have to be considered before processing data.If we are to believe http://news.bbc.co.uk/1/hi/uk_politics/7108532.stm then the only concerns shown by all concerned were to save a few pounds (30 to buy some decent encryption software) and to skimp on proper delivery controls (it seems that HMRC don’t know what courier they used, or even if the courier ever got the missing CDs) – and, just for fun, it seems that at least 6 CDs have vanished and not just the two they first mentioned.Ah, now it sounds much more like the traditional farce. In the Rix farces, every time one of the main characters walks onstage some new disaster that was hidden from us is now revealed. And any additional characters are unwillingly dragged into a doom not of their own making. It seems that the NAO thought it was OK to regularly send all the data to their own auditors because NAO didn’t have the computer power needed to do their own audit work (?) and that was OK because the auditors were a ‘long standing strategic partner.’ To be scrupulous, the NAO did ask HMRC to remove unnecessary data, but HMRC refused, and so it’s all ‘their’ fault that the disks had unnecessary data.The HMRC web site makes the following statement about their exemptions from the Data Protection Act: “
•Section 29 ‘crime and taxation’
•Section 35 ‘disclosures required by law or in connection with legal proceedings’.
The application of exemptions is quite complex and if you require further information or assistance you should seek further guidance.”Well, now that’s quite clear, since we are entitled, as a matter of fact, to understand that what is listed publicly are truly the most important exemptions, and that all others are minor and trivial because if they were not then they should have been made just as clear. This is the same argument as is used in contract law, that if something is so important that you have to rely upon it in a Court of Law, then you must have made it utterly clear in the agreement, not hidden it away deep in some small print.
But back to the plot.So the NAO figure they are not responsible for their own actions of distributing disks that contained data that were not necessary for a specified business purpose, because it was not their data. It was the HMRC data. They gave us data we didn’t ask for so there was nothing wrong in us giving it to other people. Maybe there is going to be a glorious moment when Basil Fawlty walks on stage and tells us, “We were only obeying orders.” Or maybe that’s in Act 2. Thank goodness I booked triple drinks for the interval.Now OK, maybe you think I am being a bit harsh. But if you ever ask government for information about anything, the very first question is, “Who needs to know?” That is the bedrock of handling classified information. So why is it that UK government departments seem to have such a casual indifference when handling the personal (and, given what we know about threats such as identity theft) sensitive data of some 25 million people (not quite half the country in round terms). Well, in the true sense of farce, if there were not some things that are completely impossible to explain, or completely defy any form of logic, then farce would not work.I guess if you didn’t have a classical education you might miss the subtle difference between farce and tragedy. Ask any Greek. The difference is the number of dead at the end of the play. But if governments run true to form there will be no shortage of sacrificial goats.The really sad part of the whole play (remember, Shakespeare said, “All the world’s a stage, And all the men and women merely Players.”) is that the people actually at risk are, on the one hand, the people claiming child benefit, and on the other hand the taxpayer (because they are the real lender of last resort to any and every government). When the Northern Rock hit a hard place the British taxpayer picked up the bill. So much for the moral risk.Now maybe (or most likely) the people inside governments are too overcome with their own self-importance to notice that they are also taxpayers, or maybe they have inflation proof pensions, so they really don’t care about the implications of what they do, because they, uniquely, are where no amount of incompetence can harm them. In any event, you should be saying that only those who can be personally harmed by their decisions should be allowed to make decisions.So maybe that’s what the farce is. That really big organizations behave as if they are either outside or above the law, and have deep enough pockets that all they have to fear is press exposure, because nothing else can really harm them. And the tragedy is that public confidence continues to fall as electors see that governments serve themselves and not their electorates. Perhaps the Greeks were right after all?Steve Mathews Protecting personal data – lessons learned
2007-11-26T11:11:00ZI suspect that DRM users are feeling justifiably smug as the British Government is dragged down by their now stunningly publicised failure to abide by the European Directive 95/46/EC spelling out responsibilities which were obviously not fulfilled, whilst the DRM users, of course, are not.
You only need to examine two extracts from emails (admissible in law as evidence) between government officials to see the facts of the matter.
Another message, dated 13 March from an NAO official, with all names blanked out, says: "I do not need the address, bank or parent details in this download - are these removable to make the file smaller?"
and
It says: "I must stress we must make use of data we hold and not over burden the business by asking them to run additional data scans/filters that may incur a cost to the department."
It is entirely clear that the only concerns of the government officials concerned both as senders and as recipients were operational convenience and cost. In all the exchanges that were published there was never once a mention that personal, sensitive data should not be sent unless there were some overriding and legally justifiable reason for it to be done. To paraphrase the owner of the Windmill Theatre in London when threatened with closure merely because there was a war taking place, “They didn’t give a fiddler’s fuck” about personal data.
So yes, DRM users enjoy a massive confidence boost. If it comes to an investigation by regulators, they can point to the shambles of the UK government, and then show how (for a very modest cost that the UK government no doubt now dearly wishes it had paid) they have exceeded all possible regulatory requirements, and have ensured that only authorized recipients of their information could ever make use of it. It would have been impossible for anyone to steal DRM protected materials.
Problem is that it’s kind of difficult to claim glory by stopping people from stealing information. But it’s a lot better that appearing on CNN or the BBC and finding your lack of competence is in the gunsights?Steve Mathews Your personal data are safe with your government? But maybe not in the UK.
2007-11-22T08:54:00ZThis week (19 November 2007) must mark the lowest point in trust between UK citizens and their government. In what can, at best, be described as a stunning situation, the British Prime Minister was compelled to issue a personal apology both to the British Parliament, and to the 25 million people whose personal data had been casually sent, unprotected, from one government department to another, simply, if we are to believe Press reports, because EDS would have made an extra charge to depersonalize the information.Now I should tell you that we do not subscribe to the typical conspiracy theory type of approach. For one thing, conspiracy theory assumes that there is positive planning at the heart of what goes on. But if we are to learn anything from real conspiracies such as Watergate, then we should conclude that they were mainly incompetent, and suffered more from the laws of unintended consequences than ever they did from any real or realistic planning.
No, we take the view, however unpopular, that what happened in Her Majesty’s Revenue and Customs (HMRC) was nothing more than a massive attack of indifference and incompetence. Indifference, because it is utterly clear that the officials concerned did nothing more than password protect personal financial information relating to 25 million people (even though such methods are so comprehensively discredited that it is actually beyond belief that such a trivial, and, quite frankly, stupid method were chosen), and incompetence, because if you were to choose such a flawed method of protection you would take every possible step to ensure that the information could not possibly be lost or stolen.It seems that although they could have purchased simple encryption software from ArticSoft Technologies or PGP Corporation (if they were more comfortable buying US products just as they have the US supplier EDS for their systems) they chose not to use simple and very powerful encryption products that can be acquired trivially over the Internet for as little as $65.So that is what it comes down to. The agencies of UK government have been publicly shown to equate the importance of protecting the personal data of 25 million citizens as less that 30 quid (I apologize, I actually mean about GBP 32.50). So that is less than (well, actually it is off the bottom of my calculator) highly close to sod all per person. But to top it all, HMRC are expecting the banking sector to police the accounts of the people that may have been compromised.Now that really must just take the biscuit. Having disclosed the social security numbers, personal details, addresses, bank account details for 25 million people to person or persons unknown, these same UK government departments then tell the UK banks exactly who are the people drawing government benefit (enabling the banks to knowingly target them as a specific sector of the population, and pass that information to all their internal departments, tame credit card and insurance companies and – please insert the deity or persuasion of our choice here – forbid, any company they choose to declare as being appropriate without asking anyone at any time or for any reason) thus enabling the very same banks to alter credit ratings and plunge the already disadvantaged into greater jeopardy than before.What has this to do with DRM?Well, if HMRC had even the slightest glimmer of professionalism (or their suppliers, come to that) then they would have implemented an encryption system that ensure that only those authorized would be able to access controlled information, and that their authority to use could be carefully controlled.Because that is what DRM systems actually do. DRM does not merely determine who is an authorized user, but it determines what that specific authorized user is actually entitled to do with the information that they have received.Now had a DRM system been in place, none of the political disaster that has already caused the resignation of the head of HMRC, (but may yet claim one or more political scalps) would have happened, simply because the thief (or thieves) would not have been able to trivially access the personal records.And that is what is so depressingly wrong with what happened in the UK.There is no shortage of technologies and products available that could have prevented, beyond all reasonable doubt, the disaster that has happened. DRM technologies that are widely implemented, had they been used, would have made this episode a non-event. So why was nothing done?We must leave you to draw your own conclusions on this one. Spend GBP 32.50 and not have even the potential for a problem, or do not and get comprehensively exposed as being incompetent. It appears that the lemmings have voted.Make sure that you don’t leave your own business exposed. It may be almost impossible to sue a government for the kind of massive and studied indifference that the UK HMRC appear to have demonstrated over the last couple of months, but you can be certain that those self-same organizations will not hesitate to persecute (sorry, did I mean prosecute?) companies that fail to follow the higher standard.Steve Mathews To DRM or not to DRM – that is not the question!
2007-10-30T17:49:00ZThe pressure is on, as never before, to make enterprises accountable for the control and management of personal information on the one hand, and penalise them if they fail to take adequate measures to protect their internal information.In the US is where the rubber hits the road (or perhaps the Sarbanes-Oxley hits the California Act). And, slowly but surely, enlightened self-interest (do nothing and you get fined) is persuading people that DRM tools are actually a serious solution to some otherwise painful problems.Now, whatever you may or may not think about operating systems suppliers, they all do a fair job of providing controls for accessing information on internal networks and servers. But when information gets out of the enterprise – put on a laptop for senior management, or travelling salesmen, or engineers, or, has to be provided to people who are outside the enterprise – business partners, boards of directors, customers who receive personal or proprietary information, third parties who need to be able to see confidential information but must be prevented from passing it on; then they do not.The problem is simply that network control concepts always face inwards, assuming that there is some central administrator who has control over those authorized to use services. But they do not face outwards.On the other hand, DRM control systems are not interested in domains or IP addresses, or all those things that appear sacred to systems administrators. DRM is interested in identifying the machine that is being used to access controlled information. DRM is a different concept from the access control approach used by network administrators, because it works just as well regardless of where the PC is actually located and prevents unauthorized forwarding or modification.DRM is a continuing control concept, which is not available in traditional access control systems. Understanding the need for continuing control, is a vitally important concept in understanding and harnessing the true power of DRM.Normal access control technologies are ‘all or nothing’ in their approach. If you have the authority to read something that means you can copy it to wherever you like because your power to read cannot be curtailed. And if you can write it then you can change it to anything you like and then write it.DRM controls are much more granular, because they can extend beyond the authority of the person authorised to make use of information. So DRM controls are able to allow the authorized user to have access to information whilst also having the ability to deny them the authority to pass that information on to others. By comparison, pure encryption technology (often used to provide confidentiality or secrecy of information when it is being sent from one person to another) does not have the ability to prevent the authorized user from distributing the information they have received to all and sundry – anyone they choose and you as the owner of the information have absolutely no chance of stopping them from doing that!And that is why DRM controls, even though they have had such a bad press as a result of the way that the music and film industries have attempted to implement them, have a real value and role in protecting information both inside and outside the enterprise boundary. Enterprises have to be able to share information that is sensitive, from both commercial and personal information senses, without exposing themselves to liabilities because they did not take proper care to protect that information from theft or misuse.So the questions is not do we DRM, the question is “How soon do we DRM?”Steve Mathews Service Oriented Security – Fact or Fable?
2007-10-25T09:45:00Z“We need to move to an application security model that is external to the applications themselves, standards-based, and centralised. Service Oriented Security? RSA Conference London 2007.”Now one has to admit that, as a proposition, the idea that security can be ‘bolted-on’ to an application, after it has been developed, is the Holy Grail (with apologies to the many and various writers of similar religious fiction works from Mallory onwards) of security products manufacturers.Surely, they say, security is just another service, like networks, that you add on (granule by granule) as you happen to need it. After all, the OSI model said that you can apply security to each layer, so Service Oriented Security (SOS?) MUST be right.Unfortunately, like many industry mantras, it is a concept with some truth in it, but not enough to fulfil the grand plan being presented.Why?Well, for one thing, the greater part of application security has to be performed by the application. Only the application can possibly ‘know’ what information should be presented to whom, and in what circumstances.But, much more importantly, security is actually just one component in an overarching business process. And the security of the business process is achieved by many different methods, some manual, some procedural, some covered by insurance, some addressed by transferring liability for error.
You can’t retrofit technical mechanisms into business processes without making a significant change to underlying applications, because they usually do not even begin to understand the overarching security processes in place.(And that was the problem with the OSI model, actually. Each layer had its own security potential, but there was no possible way for the layers to communicate with each other. So it did not matter which layer you were, you had no idea at all what security – if any – the surrounding layers had or had not provided, you were on your own. So, naturally, each layer was either totally defensive, or totally uninterested. After all, if you look at the vast majority of SSL implementations, which are supposedly secure, they make no verification of the parties being connected and report few if any errors to the user, to avoid confusing them. And, which joker was it dreamed up the idea of having SSL certificates with wild cards in them to give you absolute site authentication?)So given all that, how do you propose to move security outside of the application?
Well, if you’re a database, you might well think that the important thing is the security of the connection of the application to the database. This kind of ignores anything to do with the data in the database, and the security implications it may possess, or if that data is right, but when you have a hammer, every problem is nail shaped. And I guess the same goes for being a web application, the important thing there is usually thought to be the connection to the user of the web system. But again there is no real understanding of security, just the small technical matter of connecting two points together.And that is what appliances have been doing for some time now. Connecting disjoint bits of overall business processes together. But if that is all that SOS is offering then it isn’t a revolution, and just barely an evolution.There was mention of standards based and centralised operation.
Well, take it from me, that if you want an international standard to back you be prepared to wait at least five years from starting the process. If you can put up with an industry standard it will be quicker, but may suffer from patents that prevent any real competition (and consequent lowering of price) except when it suits the major manufacturers that created it.And why centralised operation? This is the most confusing requirement of all. It flies in the face of how commerce and industry are organized. Admittedly, centralized and decentralized models for enterprises are as much a matter of fashion as the provision of IT methods and techniques, but why limit oneself to a centralized model? And why make it a fundamental? Well, again, if you are a database, and therefore the centre of the universe (sic) then it becomes obvious that you ‘need’ to be in charge of the security system. But what do you do when there are several databases? Do you happily combine them into a single central point of failure (sorry, point of control) or do you decentralize them. And if you do, what happens to the SOS solution? After all, security is also about not putting all your eggs in the one basket – consider defence in depth.In sum, security is not a trivial subject about providing a couple of mechanisms for connecting two Internet locations together. If you want to do that standards are already available, and how you choose to implement them will be the most significant factor in what you achieve, how they work, and how easy an attacker finds it to blow them away. If you want to talk about real information security where you get down to linking access and use to specifically authorized individuals with appropriate auditing and monitoring, then don’t hold your breath because we are going to be a while getting there at the application level.At the information shifting level, using standards such as OpenPGP (RFC 2440) we (as an industry) are already there delivering authenticity and secrecy of information transfer.
So it’s a bit difficult to see exactly what value add SOS delivers, but, maybe like PKI, it will prove an exciting journey?Steve Mathews Does DRM cross the boundaries of privacy?
2007-08-22T17:54:00ZAt the risk of sounding equivocal, the answer has to be yes and no.But to be much clearer – NO if it just records that a customer has registered to be able to use DRM controlled products from a publisher.But YES if the DRM is then used to track the times/dates at which the customer uses specific DRM controlled products.WHY? Very simply, a matter of commonly held beliefs that may be backed up by law.When you buy a book in a bookstore you reasonably expect that the seller will record who you are and what you bought. That seems fair enough. But you don’t expect the bookseller to also have the right to know where you were when you read chapter 1, or what time it was when you printed out chapter 35 because you didn’t want to take the laptop to bed with you.So why is it that some DRM sellers think that suddenly they have a divine right to ‘audit’ access and use? Or that this right exists merely because they are able to do it.Lessig is widely quoted with his statement that, “Code is law” because he is correct in the assertion that what actually happens in a computer is what the programmer implemented. And if the programmer didn’t know the law (in the UK they still cling to the fascinating idea that ignorance is no defence – now when it comes to things like the 10 Commandments I could probably go along with the idea, but, to be totally honest, to expect every person to have a detailed understanding of such things as, say, the Taxes Management Act 1970, is patently absurd) then he would do what logically appeared elegant in order to provide the best technical solution. Of course you must also bear in mind that if the programmer is not in your country, but in India or China, their approach to implementing the requirements of law may not be the law that you had in mind – and who is to say whose law should prevail on the Internet?But back to our real question. Can DRM prejudice privacy and does it matter?Well, in many nation states in the EU, for instance, law exists that states very clearly that you may not collect information for the purpose(s) of a contract unless it is necessary for the carrying out of that contract. Now I suspect that very few DRM suppliers would be able to show to a Court that the information they collected following the registration of a license to use was material to or essential to the conduct of the contract.In fact, I wouldn’t mind taking a bet that most companies totally fail to put the customer on notice as to what is happening, or give them an opt-out capability. After all, if product suppliers deliver something that’s free if you can put up with the advertisements but offer a more highly paid service without, then why is it that DRM using companies think they can collect information without agreement?Lessig is obviously right at one level. What the programmers write is indeed what happens. But that doesn’t actually make it lawful! If you don’t believe me then just see what happens if you sell products over the Internet to EU countries and fail to collect their VAT correctly. Of course, if you are big enough you can try to persuade authorities that what you are doing is either outside of their jurisdiction, or that you’re jolly nice really. But even the greatest (Microsoft?) have not had it all their own way toughing it out with the European Commission.So maybe DRM suppliers (and the customers buying their products) want to think very carefully indeed about what information they think they are entitled to collect, and whether their targets (or do I mean customers?) have the ability to opt out, either by contract or by choice.Now we at LockLizard take the view that collectable information should only be available where there is informed consent (or, no opt-out). Naturally this is a very controversial view to take. But then, DRM is actually a highly controversial subject – and if you don’t believe me ask Sony.Steve Mathews What price is a fair price?
2007-08-14T07:11:00ZYou know, I never cease to be confused by the arguments that people produce that they have the divine right (now this is a manner of speech and does not involve any deity of your choice) to cut and paste or make available for download, or copy or otherwise pass on to others information that they have obtained in a digital form. And just because they don’t agree with the price suppliers offer it at.I think the latest pronouncement, that some 27% of children in the EU think it’s OK to make copies of information that they know are unlawful is OK, because they figure that downloading a virus is a significantly more serious risk than getting prosecuted by the authorities, should be a matter of the gravest industrial concern.And the way the kids make their choice is what I call real risk analysis!But it’s rather like so many modern habits – littering, not cleaning up after your dog, keying someone’s car because you had a bad day so why shouldn’t some random other person, daubing graffiti on buildings, trains, or anything, just because you can.The argument actually is that if you can cause harm to other people (society included) and it is not practical to detect you or stop you, then that’s OK. Of course these self-same people go ape-shit (pardon my language) if it’s done to them, which is kind of surreal because surely if it’s OK for them to do it to other people then surely it has to be OK for other people to do it to them. Yes, I agree, I didn’t study politics, where it seems to be fine to bomb other people to force them to do what you want, but not fine if they bomb you. You see what happens when you try to use logic?But that’s not the point.The point is that stuff that’s available on the Internet doesn’t have to be bought. Now I realise that it rather wild thinking for some people. But actually you can try to negotiate with the seller on price for anything, but push comes to shove if you don’t like their price you have to walk away. For instance, go into McDonalds and see what deal you can do on a burger and fries. Now if they point you to the sign board and tell you that’s the deal, you have two choices – do the deal or not. But please do not winge about the price. If you don’t like it walk away. That’s your privilege. If people did not buy, then manufacturers would soon change their price.
After all, we are an unusual business. We charge one price, world over, for our products. We aren’t like software, hardware or DVD businesses who charge one price in the USA, double in Europe and less in the Far East. We figure that all the arguments about market pricing are total bs. But that, of course, is a commercial opinion we are entitled to take. However, we also take the view that our prices are reasonable (actually we know they are because our competitors always reduce their prices to match ours when they find out we are the opposition, and then they lose on functionality, but hey, that’s commerce) so we see no reason to make artificial differences.And maybe that’s the problem for consumers of DRM. Their answer to not liking a price is to pirate, because they are not willing to go without. They fail to understand that not buying product is the most powerful message you can ever send to a manufacturer. The food industry would soon take an interest in giving animals a decent life (and a decent death) if people refused to buy meat unless they could be certain the animals it came from had been looked after properly. The fashion and film industries would soon come into line if there was one price across the world, for what they are selling.
But, bottom line if you don’t like the price then don’t buy. Don’t figure that it’s your right to pay a different sum from what’s on offer. (Try telling your IRS you figure you should only pay 50% of what they want and see what happens?)So what is it that confuses me?Well, when governments decide to distort pricing by taxation I think that’s bad, and when manufacturers decide to distort pricing by demanding regional surcharges that’s also bad. Market distortions will always create an imbalance and act to create piracy, because piracy fills the vacuum that artificial markets create.
But if a fair price is in operation, that is equalized for all purchasers, then buying or not buying is down to how much you want the product. And that is down to you. So please do not bother me with whinges about how something is overpriced, and how you think it is your right to get it for less. You don’t have to buy, it’s your privilege and choice, but it isn’t a right.So look around to see what the best deal on offer is – you would be surprised how shopping around can do marvels on price. But don’t think you can decide what the sale price has got to be and then figure it’s your right to rip off the manufacturer just because you’re pissed at the price that’s on offer.Steve Mathews
feedcat.net promotes your content, measures audiences
and saving load of your server resources!
*