It seems that lately general public is exposed to more and more examples of how DRM can screw up their computers. Sony mess was just the start. It was the eye opener for many people. But if you try really hard, you can probably find huge security holes in any DRM on the market right now. One was just identified in iTunes DRM.
Cory Doctorow sums it up better than I ever could:
An objective of good security is to protect users from attackers who want to prevent the user from controlling her computer. DRM — like that in iTunes — is a system for allowing remote parties (e.g. entertainment companies) to enforce their policy on your computer. Once you design the system to let anyone apart from the owner to control it, you open up the possibility that someone other than the owner will end up controlling it.
As with Sony’s rootkit, every DRM has the potential to create this kind of vulnerability. Imagine if Yale manufactured every door-lock so that a “master key” from Yale could open it. So long as no one except Yale knows about the master key, you’re safe (assuming you trust Yale). But someone always finds out — that kind of secret is too valuable to remain a secret. Once a bad guy knows that there’s a single technique that can be used to access every door with a Yale lock, it’s only a matter of time before the attacker develops a crack.
DRM systems are an attractive nuisance, the cracker’s best pal. They are, at root, systems for giving control over your computer to someone other than you. That’s an invitation to disaster.
And there you have it. DRM is a flawed concept. Is is possible to make DRM that is both effective, and secure? So far, evidence suggests that it is not. Unless someone designs a perfect, unbreakable and secure DRM system we might need to scrap this techology sometime in the future. Yay! Happy, happy, joy, joy!
Side benefit of the DRM mess: as the public gets exposed to more and more DRM security and usability issues, they also gain valuable experience which will allow them to understand the threat of tcpa.
