
From the repo:

>It is my honest opinion that DRM is a malignant tumor growing upon various forms of media, and that people that either implement or enforce implementation are morally repugnant and do no good to society. With that in mind, I was sad to learn in May 2021 that the original extension would soon be rendered obsolete.

I really can't agree more. I don't use, and never have, services that require DRM. I buy my games from gog.com and itch.io and the like, get media from free-to-air television and state broadcasters, and buy music either from the artist or from good and reputable music labels like hyperion.co.uk. I buy books in a dead-tree form, or as DRM-free PDFs. I will simply not buy, use, or support DRM and I occasionally tell firms that I am not giving them business because of their inane corporate decisions.

This might seem like a hard rant, but all of these binary blobs can be broken with varying degree of difficulty -- as this person's work shows -- because DRM is fundamentally pointless. It's such a waste of human endeavor! Think how many CPU cycles are burnt doing this! Estimate what the total cost of HDCP + Widevine + DRM etc is on the planet! It is pointless, insulting, and frustrating!

</rant>.




"because DRM is fundamentally pointless"

I dunno, it gave this person a lot of trouble and the result is maybe a very narrow victory that doesn't practically matter? And this is the lowest level of Widevine security - L3 which is basically assumed to be owned. Good luck with L1 which uses trusted compute primitives. DRM has won.

And I'm saying this as someone who agrees DRM is a threat to society as we're taking things that the world could otherwise have for free and denying it them so we can instead charge a small % for it. So we're intelligent enough to build this kind of technical sophistication but we are unable/unwilling to figure out a different model for financing it.


If you know where to look L1 content can be readily downloaded, including the original 4K streams. As usual the net effect of DRM is to make the paid service inferior to piracy. That's not what I would call "winning".


I don’t understand how it can ever be secure unless you let some DRM representatives basically come and do inspections.

Fundamentally, you are going to show a video and play an audio stream. Fundamentally, it can be recaptured perfectly because it must be displayed and played perfectly. There is simply no way around it. DRM can only make life hard for the regular Joes.


> I don’t understand how it can ever be secure unless you let some DRM representatives basically come and do inspections.

Oh god, that’s a level of hell I haven’t even imagined. I wonder if the future could ever become as dystopian as that for real. What it would take for that to happen, and how.


I see you've never worked with Oracle...


I don't know, but assume, that the movie studios do this for movie theaters.

Seems to work pretty well, since to my knowledge those are only ever leaked by audience members pointing a hidden camera at the screen (with all the quality issues that entails).


This fundamental gap is known as "the analog hole": https://en.wikipedia.org/wiki/Analog_hole


In theory DRM could be mathematically perfect. However DRM relies on actual implementations both in software and hardware and shares a lot with broader security. Software implementations can have bugs but it’s relatively easy to ship fixes. The hardware level however is where it becomes very difficult to ensure a valid implementation of “secure compute” or “trusted zones” which are key to DRM and general security, particularly from an agent with physical access. It costs money to ship new fixed hardware, if it’s even possible. Then even if a given hardware implementation is correct there are ways to physically glitch the hardware to skip the checks. ESP32 chips had an issue like that where the hardware encryption was correct but simply “glitching” the voltage at the correct time could cause the processor to skip the encryption check entirely [1]. It’s very difficult and costly to make hardware immune to all such attacks. Small seemingly unrelated physical details can become novel ways to break the encryption system (like Spectre).

Ultimately I’ve come to believe that DRM and its cousin of system security is an economic game. So DRM is useless in that it will probably be cracked after some time, but that time can translate to revenues or control until that point. It depends on how much money you have to throw at either hardening and cracking systems. It’ll likely become harder (i.e. more expensive) in the future to crack hardware DRM as the technology becomes more sophisticated and classes of vulnerability are discovered and mitigated. But then the cracks become more valuable both for anti-DRM or anti-security.

1: https://raelize.com/blog/espressif-systems-esp32-bypassing-s...


How can DRM ever be perfect? It relies on your computer to be able to decrypt the data so it can never be "mathematically perfect" like regular encryption can be.

Current DRM is all about shoving the decryption part as deep into a chip as possible and betting on the fact that it is physically too hard to extract that info. So it will always be exploitable with some amount of effort.


The DRM implementation and algorithm could be "perfect" in a mathematical sense, but as you point out they tend to rely on a PUF in the silicon hardware. Currently very hard to extract but not completely so. However, say a system had a quantum based PUF then it could be unclonable due to QM. Such a system could still be potentially cracked by causing issues in the processor itself like with the ESP32s. Which was my point, since there's a physical system to work in it'd be impossible in practice to make perfect. Hence it boils down to economics.


It doesn't boil down to economics at all. Even if you push a googolplex dollars into perfecting it. If you wanted you can still relatively easily snoop the electrical signals that control an LCD to reconstruct the video. This is not possible to encrypt and never will be.


It could only be described as "mathematically perfect" in the sense that without the decryption key, the encrypted data is no more useful than random bytes.

But DRM fundamentally needs to have the decryption key available at the end user's device - which at least in my opinion, makes it better described as "provably mathematically impossible".


It can depend on online keys that can be changed by the rightsholder at will.

"The Internet is the ultimate dongle" - John Carmack


You still have to deliver the new keys to the clients. As long as the client can decrypt the file, the client can also decrypt and dump it to storage. And if the top pirates keep their methods secret, you can change the keys all you want and not know how they are extracting them each time.


I don't know why you're being downvoted, you're right. There are plenty of TrustZone exploits that allow extraction of L1 keys.


Pay NZ$20/mo for Netflix in UHD, or fuck around on pirate sites to make sure none of the people making the series and films I'm enjoying, while hoping that no-one has dropped an entertaining payload in the site ads or the files I'm downloading is "piracy is more convenient"?

The downvotes are for a shit take disconnected from the reality of people who aren't determined not to pay for something.


> piracy is more convenient

It sure is when I can load an entire show on a Plex instance and can sync it on my mobile device without any arbitrary limitation (like how many episodes I can sync, or synced copies that expire after a while which I experienced abroad on Netflix).


Step 1. Pay NZ$20/mo for Netflix in UHD.

Step 2. The content you want is not there or available on any other legal platform for your country.

Step 3. ????


This has nothing to do with a determination not to pay or to have studios go out of business. This has everything to do with artificially restricting me from being able to watch the content I pay for in a manner which is convenient to me. I have no interest in buying into a proprietary ecosystem of shitty software just to watch a TV series.

Whenever a service provides content in a way which I can access DRM free, I make sure to reward them for it by voting with my wallet. I sometimes also tell them to make sure they understand that one of the factors in my decision to give them money was the fact that they offered the content DRM free. But not because I wanted to re-upload it for free via bittorrent or show it in a cinema to all my friends, but precisely because I wanted to watch it on my computer without having to install crazy whitebox crypto nonsense.

I don't think normalising having to run someone else's crazy whitebox crypto nonsense on your computer is a good idea. Even if most people don't know or care.


For now, at least. It is possible they fix all issues.


Except that people who exploit L1 just never reveal how they do it, good luck with that.

That's the beauty of the asymmetry against DRM, only a single decoded file (which will always happen) is enough for seeding to everybody.


This seems to be confirmed by the fact that most torrent sites have 4K copies of brand new streaming only content while no publicly known exploits exist.

Since you are running the exploit locally without affecting other peoples machines, I imagine it would be close to impossible to work out what exploit they are using.


Are those actual decrypted copies of the original stream, though? Or did they just re-record the output? For the latter you'd only need to break HDCP, right?


If the end user can't tell then it doesn't matter.


Well but there's likely to be at least a small quality difference, and a considerable quality per file size difference, because the video would need to be re-encoded.


Yeah. They're WEB-DLs, not WebRips.


Not really, since that would entail breaking playback on current devices/firmwares.

They can only try again next time (for 8K?).


Broken TZ does not mean the algorithms are broken, only that exploits exist to bypass TZ. Fixing the exploits doesn't break anything about the algorithms for decode / decrypt.


I'm not sure what in my comment you were disagreeing with. Fixing the exploits would entail requiring a software update/breaking unupdatable devices.


Yep. I remember when Blu-ray "required" Windows Vista because it had better DRM APIs then a few months later the studios gave in and allowed playback on XP... which was immediately cracked. Ultimately you have to meet customers where they are which is old devices.


Until current broken devices fall out of use. Eventually, all devices might be secure.


DRM is always pointless because the content has to be converted to analog form at some point. So, it gets decrypted in the DistrustZone, decompressed, then encrypted again before it goes over HDCP to your display, which then decrypts it to show it on the screen. Couldn't you capture the LVDS signal that the display panel receives? And even if you don't do that, isn't every version of HDCP cracked already so you could use a capture card instead?


The last bastion of DRM is forensic watermarking (so they can trace the leaked video back to your device) and key revocation (so your device won't play any new content). These techniques are so complex that they aren't used much.


So they trace the ripped video file to a particular throwaway account that was registered with a prepaid card, then what? And if you're determined enough, you could as well rip multiple copies on behalf of multiple accounts and average out the pixel colors.


> you could as well rip multiple copies on behalf of multiple accounts and average out the pixel colors.

Can you show that this can reliably get rid of the fingerprinting? This particular method could be countered by only including the fingerprint info in a few random frames, then you'd be able to retrieve the account info of all the accounts that participated in ripping. I don't think finding a method to counter any sort of fingerprinting is as easy as "just averaging the pixels".


It's my understanding that most schemes actually use very low frequency encoding with a large amount of error robustness built in (probably involving Haar wavelets) in order to maximize the probability that it survives re-encoding. Still, these schemes are not faultless: if you have two devices, and are knowledgeable enough to break the DRM twice for the same content, you're probably smart enough to take the md5 and shasum of the resulting bitstreams and diff them. Any discrepancy results in signal processing transforms until they have the same hashes...


You'd ideally do this for 3+ devices and just majority vote on every framelocked frame; take the mean average if there isn't a median.


If they can get the content key out of TZ, they don't even need the per-device key, and TZ based decoder anymore.

They just straight decrypt any files, which were at some point lying in the open on CDNs.

I believe, sooner or later it will come to the point when the only way left for DRMed content to work will be to have each stream individually encrypted, and watermarked at the backend at an enormous computational expense.


The idea is to revoke the device, not the account.


Watermarking is the kind of DRM I'm 100% okay with.

Please, sell me a watermarked but DRM-free video file that I can use with any player on any device. If I share it, you'll know it was me, but otherwise I have complete freedom. Win-win.


Isn't it also incompatible with the distribution model? Because personalizing video for every customer is hard to scale for companies that rely on reducing cloud costs


It's mostly done for review copies of content where only a handful of reviewers have the content.


The watermarking is done during playback, not distribution.


I took conradev to mean "the model of distributing the same content to everyone via traditional (passive) CDN".

Movie theater watermarking is done during playback, but if Netflix was going to do watermarking, it would have to be done prior to delivery of streamed bits or it would be susceptible to the same "it's just software" attacks as any other local software-only approach to DRM.


Is Widevine L1 "just software"? If its key distribution can somehow remain uncracked for years then maybe it could also do client-side watermarking.


> DRM is a threat to society as we're taking things that the world could otherwise have for free

But someone needs to pay to create those things in the first place. Payment for work after the fact is the basic incentive.


I think if DRM didn't exist piracy would be just as rampant (i.e. not very, since for the average joe it seems more convenient to just go on netflix or amazon prime or whatever) and people would still get paid.

People are against DRM not because they don't want to pay for content, but because they want to be able to play the content they pay for. And not in breach of the license they have been sold.

I have every interest in participating in the content market and paying people to make content. I have no interest in having to buy special proprietary hardware or run special proprietary code on my computer just to do it.


>we're taking things that the world could otherwise have for free and denying it them so we can instead charge a small % for it

Are we? Where are the studios making feature-length movie-quality content and putting it on YouTube to be supported by ad money? There isn't even an equivalent to TV in that form factor. All of the new content that requires any sort of production budget (actor salaries, non-trivial special effects) is on platforms with subscription fees and DRM to require those subscription fees because we can't have these things for free.


It’s not pointless if it works!

Seriously though, those of us who don’t like DRM need to switch messaging from “It’s bad AND it’s pointless/useless!” to “It’s bad!” The “it’s pointless” part has clearly been interpreted as a challenge, and now we’ve got incredibly invasive junk creeping in at all levels of hardware and software, and it’s not actually inconveniencing everyday consumers that much (hackers and powerusers are a different story), and it’s working better all the time.

I’m not sure exactly how to make this argument these days, but smugly saying “DRM will always be pointless in the end!” isn’t actually true, and I feel like we need to focus on the fact that the measures being taken to make it not pointless are impinging on both user privacy and the ability of open ecosystems (like Linux distros and more open hardware) to be useful for everyday media playback.


DRM is merely a symptom of the copyright disease. People actually want to believe data is scarce when it's not. When proven wrong, they make technology to force scarcity. It makes products and services worse for everyone and even then it barely works.

The only way to stop this is to abolish copyright.


I agree that our current copyright system is certainly out of hand, but it does serve a purpose. Out of curiosity, what system would you suggest in its stead?


Maybe patronage schemes? Crowdfunding? I have no idea. I just know that we can't go on like this.

The only way to enforce copyright in the 21st century is to destroy computing freedom. I'd rather sacrifice the entire copyright industry than have computers that only run software they approve.


Except that's not true. There is tons of copyrighted work sold online without DRM. It's just a matter of getting the business model right.

https://www.amazon.com/gp/feature.html?ie=UTF8&docId=1000265...

> every song from Amazon MP3 is DRM-free and encoded in high-quality 256-kbps MP3 format. This means that they will play on any MP3 player, so you don't need to worry about file format compatibility or licenses that expire.


The production costs in music are orders of magnitude lower than those for video. It takes far fewer people far fewer days to record a song than a TV show or a movie. The equipment involved in recording, mixing, and special effects are all dramatically cheaper, which also makes the entire process more accessible and enables scales that do not exist for most media.

A business model for one thing does not generalize.


The cost of the input is irrelevant.

Sell things for money generalized pretty well in basically every other field. It actually generalized pretty well in video too. This is just adding "remove the DRM". It'll be fine once all the old studio execs retire...


The cost of the input affects the cost of the output, which makes all the difference in the world.

Let's start with the most obvious: "sell things for money" hasn't worked out that well in music. Streaming services (with DRM) are 83% of revenue in the music industry now: https://www.businessofbusiness.com/articles/vinyl-record-sal...

The price of music is dramatically lower. Its consumption model is entirely different - a song may be played dozens of times on a radio station or a streaming platform, each performance for pennies. Video, on the other hand, is predominately a single-shot mechanism. There's enough new content that almost no customers will watch the same piece of video multiple times. You have to make back all of your revenue in that initial purchase. Combined with higher production costs, you need higher prices. You also need a guarantee people will have to pay those prices to justify the investment and even begin the process. DRM is such a guarantee.


First, streaming services charge people money and sell them a thing: access to music. Not liking it won't make that different than movie tickets.

Second, the price is identical. Streaming providers charge $10/month (or very close to it) regardless of what the content is. Also, albums when new are $10-$20, and movies new are $10-$20.


Very few stores choose not to enforce copyright. Those that do have smaller selections of works for sale because copyright holders refuse to sell their stuff there. The result is still a service that's inferior to copyright infringement.


> Those that do have smaller selections of works for sale...

Did you not see the name in the link? More to the point, can you point me to a major music store which does use DRM? I'm not aware of one. Perhaps you've been pirating music so long you missed the shift? It happened around 2009.

Here's an article from 2014 about the steps to remove DRM from your pre-2009 library. TL;DR, delete and redownload from Apple, no DRM! This is Apple's recommended approach.

https://www.wired.com/2014/03/kill-itunes-drm/


Yes, I did see your link. I guarantee you if I search certain songs in there, they won't even sell them to me because of where I live. No doubt all the pop stuff is there but I don't like that stuff.

In any case, I don't listen to music very often. When I want to listen to something, I just look up specific songs on YouTube. I never cared enough to "pirate" music but I can tell you that the quality of "pirated" music is orders of magnitude higher than whatever is sold by Amazon. The people in those communities go to truly incredible lengths to ensure they have the highest quality audio possible. Companies generally just want to push out a release for the lowest possible cost.

I care more about films, series, video games and software in general. You'll find that in those categories DRM is the rule.


And yet you provide no songs. Fascinating.



I did -- thank you and apologies for getting it wrong.


Let me see if I understand your position. "Laws are stupid because there are criminals who do crime anyway, and laws don't stop them."

Does that sum it up?


Let's rephrase it. Corrupt laws like DMCA-1201 that use DRM to extend control over anything it touches are indeed stupid and even harmful to society.


How do you feel about "effective DRM"? For example, an online RPG where you pay a monthly subscription to play with others in the same world.

You could play single-player, or reverse engineer it and try to create a private server and modified client to play with others who choose to use the same modified client, but unless the implementation is unusually poor, the "DRM" is pretty much unavoidable if you want to play on the official servers.


That’s not really DRM, that’s actively providing a service. Some studios try to tie in single player experiences with online components as a form of DRM but those are invariably quickly cracked and are often a source of embarrassing launch day failures so they’re not that common.


Right, hence the scarequotes around the term. I'm just wondering if the parent poster also considers that model exploitative or freedom-restricting.


That depends a lot on whether or not the servers do actually provide value (e.g. a decent MMORPG – in my life I've played Eve and WoW, until about 2007) or are just egregious (I have a legal license for Adobe's Creative Suite CS6, and I'm sure as hell not upgrading).


The point of DRM isn't to prevent piracy, but to control manufacturers, who cannot legally break DRM, so they have to comply with whatever the DRM licensing cartel demands.

Prevent screenshots, prevent skipping ads, prevent recording (remember VHS recorders?), enforce region locking.. so many legal activities can be effectively made illegal, since manufacturers cannot both support DRM, and offer these options.


> This might seem like a hard rant, but all of these binary blobs can be broken with varying degree of difficulty -- as this person's work shows -- because DRM is fundamentally pointless.

I think that this ease of circumventing DRM is actually an indirect, but major, reason why movie theaters will never really go away. Online streaming new movie releases is great for direct-to-consumer business, but it comes with the risk of losing control of your distribution due to ease of piracy. Why would a frugal person pay $30 for "premier access" to a new movie on Disney+ when they can just go to Pirate Bay and torrent a perfect-quality rip for free? It's much easier to keep AMC Theatres in line than a global network of average Joes.


DRM is not about piracy. Content producers know that all their content ends up on PirateBay anyway, and know DRM causes them support costs and lost customers.

For content distributors DRM is still worth it because of the power it gives them in dictating how the content can be viewed. They can demand hardware manufacturers to give them prominent placement, or be blocked. They can sell the same content over and over again for every screen type and platform individually, with rules and prices at maximum each will bear. They can set their own rules, instead of relying on general provisions of the copyright law.


But the point is that DRM doesn't give content producers power over how content can be viewed. I could, if I wanted, go on The Pirate Bay and torrent Black Widow for free, and watch it however, wherever, whenever I want, regardless of whatever DRM Disney+ has on their streaming. It doesn't matter whether hardware manufacturers are restricted from displaying DRM content, because they can be bypassed entirely.


But that happens only after they've already sold the finely-carved distribution contracts, got branded TV remotes, and kickbacks they wanted. The legally-operating companies that sign contracts need to act like DRM is real, because the law says it's real.


I used to go to the movie theatres all the time and spend $30+ to see a movie in the Dolby Digital Experience and the like, but it’s easier for me to pirate than it is for me to sign up for whatever streaming service and watch a movie there. They’re always available immediately after release in the highest quality.



