Is Interoperable DRM Really Less Secure?

Crouch and hold writes "Are closed DRM schemes like FairPlay more secure than interoperable ones? Based on the number of cracks, it doesn't look like it. 'When it comes to DRM, what history actually teaches us is that one approach is no more secure than the other in practice, as they relate to the keeping of secrets. Windows Media DRM has had fewer security breaches than Apple's FairPlay, yet WM DRM is licensed out the wazoo: there are more than a dozen companies with WM DRM licenses.'"

Hang on, you can't have it both ways...

[spoco2]

Windows Media DRM has had fewer security breaches than Apple's FairPlay, yet WM DRM is licensed out the wazoo: there are more than a dozen companies with WM DRM licenses.

Hang on... so in this case, where it's a Microsoft product that's fairing better you apparently can being into play the 'well, it's not used on nearly as many devices as the Apple version' shtick. Yet when OSX fares better than Windows in virus threats you aren't allowed to use the exact same and just as legitimate argument that Windows is installed on VASTLY more machines than OSX, and as such is a MUCH greater target for compromise?

How does that work?

Re:Hang on, you can't have it both ways...

[rolfwind]

Not defending Apple's DRM, but give it a break. Apple/Linux have decent internet marketshare compared to Windows on the internet - where are the actual security breaches?

The summary states both PlaysForSure and Apple's DRM has breach, not just the one or the other.

Re:funny

[applegoddess]

Never said anything to the contrary, in fact I agreed with you: http://slashdot.org/comments.pl?sid=221484&cid=179 44918 [slashdot.org]

Re:+5 informative

[networkBoy]

True enough, but I've always looked at it as such:
Closed DRM == one set of eyes for the "good" guys (arguably the bad guys in this case but whatever) == pwned by the freedom fighters.
licensed DRM == several sets of eyes, eyes with different corporate mentalities, eyes with different outlooks, thus sorta like OSS == less breaches.

-nB

Re:fairplay vs. wm?

[PapayaSF]

Doesn't mean anything when you consider the market share of Apple vs. all of the Microsoft-licensed stores combined. Clearly people will be cracking the more-popular DRM, and that happens to be Apple's FairPlay.

Indeed, and let's also note that a sample size of 2 is rather small to support the conclusion that licensing a DRM system doesn't make it less secure. From a purely statistical standpoint, isn't it obvious that the more people who know about a secret, the less likely it is to stay a secret? You can't license a DRM system without telling more people exactly how it works.

And to get conspiratorial for a moment, what if a competitor of Apple's decided to sabotage iTunes by releasing its secrets? That would be easier if there were licensees to target for espionage. Or what if the major labels set up an iTunes competitor, licensed FairPlay, then "accidentally" leaked the secret? They could then pull their music from iTunes, leaving themselves as the only legal source for the music.

I don't think those scenarios are likely, but I tend to believe Jobs when he says he doesn't want to take the extra risk.

Does it really matter?

[gd23ka]

DRM is in of itself not secure because it will get cracked wide open each and every time
somebody comes up with a scheme. Take the digital broadcast / subscriber card hacker arms
race. They are already light years ahead of whatever Apple or Microsoft are cranking out
and they will be well prepared if "trusted computing hardware" comes out.

These people have phisticated lab equipment and are capable of cutting the chips wide open,
manipulating chip fuses, patching rom masks etc. They will extract Disney's latest singing
and dancing monkey mascot together with the accompanying mermaid from any and all DRM scheme.

Jobs' statements seem contradictory

[nobodyman]

Jobs' statements seem to boil down to this:

"We want music without DRM. But we can't license FairPlay, 'cus hackers would... remove the DRM. The DRM we claim we dont really want. Yeah."

Yeah I'm being trite, but I still find think it's a contridiction to campaign for DRM-free music while claiming that you're worried about your DRM being compromised.

My hunch is that Fairplay is less about iPod lock-in and more like Zune lock-out. iTunes is your classic loss-leader* as it really only exists to add value to the iPod, which they make a tidy profit on. That being the case, there's no upside for Apple to sell at-cost music for devices they don't sell. The model would have to change, and I suspect that 99-cent downloads would become a thing of the past.

*Yes yes... i know that $0.99 downloads are more profitable than CD sales, but that's only for the MAFIAA. Apple only makes a few pennies off of that $0.99

Re:You missed a bit

[Budenny]

See it now?

Not really. First, they would be careful who they licensed in such a case - bonds posted and so on.

Second, if you imagine the size of this in the real world, the record companies might have the right to withdraw the catalogue, but that would increasingly seem self defeating. All that would happen is, Apple would have to fix it going forward. Maybe by withdrawing the license? Maybe by firmware updates for everyone else. Don't start arguing there are no technical solutions, there will be.

Whatever the spin, there can be no serious doubt that the point of Fairplay as implemented is to lock in users to a combination of Apple software, the Apple music store and the Apple players. This is why sooner or later it will crash. The longer it goes, the worse the crash will be.

Re:It could just be poor implementation

[Anonymous Coward]

IMHO, it is not that FairPlay is not well implemented, but rather it wasn't designed to be an "industrial strength" DRM in the first place. Right after iTunes (Music) Store opened, we learned that Jobs argued that DRM would be cracked regardless and it only took one person to crack it to render DRM useless. The essense of that argument backed by load of cases of failed download business won Apple the least restrictive license at that time: iTunes songs were playable on 3 computers and unlimited number of iPods, can be burned in the same playlist 10 times before you need to re-do the playlist (it's 5 computers and 7 times now) and unlimited burns to Audio CD. The DRM is there to discourage casual illegal sharing. It was a different approach from Microsoft's which was designed to satisfy content owners' desire for an unbreakable DRM because Microsoft was more interested in selling licenses for the DRM.

That leads me to believe that Apple never tried to design a complex, industrial strength DRM to lock down content which might consume Apple's engineering and developer resources. They are not interested in spending lots of money in a hacking-patching war with hackers. Rather, it's designed to be light and easily (and cheaply) updateable.

Re:+5 informative

[TheSunborn]

DRM is a flawed concept because you have to give the key to decrypt the stuff to people you don't trust(Your customers)

DRM is currently trying to hide the fact that each customer have the key, by hiding it deep down some complicated software, but hiding the key, don't solve the problem, that anyone really looking for it, will find it. (And once a single user have found it, it(Or the content it decript) can be shared with anyone).

Security Through Obscurity

[thedbp]

Ahem. This is going to feel mighty good.

The only reason that PlaysForSure isn't cracked all the time is because no one really uses it on a large scale. Since Apple dominates the DRM music field, and most DRM'd music sold is from Apple and includes FairPlay, then of course people are going to attack FairPlay more than PlaysForSure. If it were the other way around, PlaysForSure would be just as insecure as FairPlay.

I don't really believe that, of course - but it was nice to turn the whole security through obscurity argument around for once so Windows fanboys could see how freaking STUPID it is.

Not a question of interoperability vs. security

[RetiredMidn]

Whether a DRM scheme (or any other software implementation) for that matter is more or less secure because of interoperability is in the margins; security is a question of implementation, not licensing. (Some have made the point that open schemes are subject to more scrutiny and more likely to identify flaws early; perhaps so, but I still argue that the difference is probably marginal.)

The point Jobs raised in his essay is that it's harder to propagate fixes to software that is broadly licensed across many vendors, which in turn means that vulnerabilities remain in the field longer. He also asserts that this could threaten the agreement between Apple and music companies, although you might want to add salt to that to suit your tastes.

Re:+5 informative

[SeattleGameboy]

You are not comparing apples to apples.

While FairPlay only deals with download purchases, WMDRM not only handles purchased downnloads, but subscription downloads as well.

And while it is true that the number of "purchases" by iTunes dwarfs that of any other music services, if you count the number of subscription downloads, the numbers are much much closer.

Not to mention than subscription DRM is much harder problem than the straight purchase download DRM.

There is only one reason Apple is not licensing FairPlay - to protect its vast market share in portable music device sales.

Re:+5 informative

[DECS]

Sure throw in subscriptions. 25,000 subscribers = 1 DRM key each. You don't get to count individual songs, because once they stop paying they lose them all.

Surely you realize that Microsoft's PFS and Zune are not making money because of ultra low revenues? That's why all the stores are tanking, and none of them brag about how many subscribers they have or songs they are selling.

Subscription/Rental DRM is harder to manage; it makes the player a less attractive product. And it's far more onerous.

Apple had eaten up market share long before the iTunes Store opened. Most iPod users aren't even using the iTS to a great extent - 25 songs on average is not holding people to the iPod. Outside regions with a store, there are plenty of people still buying iPods.