consulting question.... (DRM)

Bill Squier groo at old-ones.com
Wed May 27 09:53:53 EDT 2009


This is getting a bit far afield from cryptography, but proper threat  
analysis is still relevant.

On May 27, 2009, at 4:07 AM, Ray Dillinger wrote:

> On Tue, 2009-05-26 at 18:49 -0700, John Gilmore wrote:
>> It's a little hard to help without knowing more about the situation.
>> I.e. is this a software company?  Hardware?  Music?  Movies?
>> Documents?  E-Books?
>
> It's a software company.
>
>> Is it trying to prevent access to something, or
>> the copying of something?  What's the something?  What's the threat
>> model?  Why is the company trying to do that?  Trying to restrain
>> customers?
>
> Its customers would be other software companies that want to produce
> "monitored" applications.  Their product inserts program code into
> existing applications to make those applications monitor and report
> their own usage and enforce the terms of their own licenses, for
> example disabling themselves if the central database indicates that
> their licensee's subscription has expired or if they've been used
> for more hours/keystrokes/clicks/users/machines/whatever in the
> current month than licensed for.
>
> The idea is that software developers could use their product instead
> of spending time and programming effort developing their own license-
> enforcement mechanisms, using it to directly transform on the
> executables as the last stage of the build process.
>
> The threat model is that the users and sysadmins of the machines
> where the "monitored" applications are running have a financial
> motive to prevent those applications from reporting their usage.

If this is really their threat model, it's ill-considered.  First, no  
reputable company in their right mind would play games with software  
licensing in an attempt to save a few dollars.  In fact, most  
companies bend over backwards with internal audits and other  
mechanisms to ensure they are in compliance.  The risk is far too  
great to do otherwise -- both to reputation and to the bottom line.

They may counter that they are attempting to nudge into compliance  
reputable companies that are simply not large enough or savvy enough  
to ensure their own compliance.  In this case, something far less  
complex than what is traditionally implied by "DRM" can be used.

Thus, the users you are now considering are members of _disreputable_  
companies.  Since DRM is easily circumvented, and the company is  
disreputable, you have a reasonable expectation that your DRM will be  
ineffective.

Second, sysadmins have no financial motive, unless they are also the  
owners.  It is irrelevant to the sysadmin whether the business pays an  
appropriate amount for licenses. His salary is still his salary.

Finally, large institutions (let's take financial firms as this is my  
area of expertise) will not install software that has hard expirations  
or other restrictive licensing mechanisms.  The reason is simple.   
These mechanisms cause outages -- sometimes because of snafus in the  
renewal of licenses, sometimes because of poor code quality in the  
enforcement mechanism.  At my firm, any such scheme is an immediate  
non-starter.

-wps

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com