November 17, 2005

More On Open Source DRM

Chosaq has a follow-up on the question of whether it is possible to write effective DRM software as an open source project. My comment to that post (see also my earlier post of August 2005):

If a DRM system is based on obscurity, it violates basic crypto design principles. See Wikipedia on Kerckhoffs's Law.

Actually, one advantage of open source software for security-related programming is exactly that it follows Kerckhoffs's Law by default.

So, if there is any influence the development model has on the effectiveness of DRM, it is probably the other way around.

Open source production does not mean having your DRM "hacked even faster". It means that your security is not in obscurity, where it has no business to be in the first place. It means that your project will not be hacked the moment someone finds out that all it takes is pressing the shift key.

Actually, you are probably right that it is at the very least very difficult to build effective DRM on the PC platform. The latest SONY case shows that consumers rightfully won't put up with the necessary level of taking over their machines.

However, there are other possible platforms that are better suited or designed for DRM in the first place.

Doctorow believes that no DRM can be effective, ever. That obviously means that it makes no difference whether the necessarily ineffective DRM is developed as open source or not. That in turn removes most of the relevance of his comments on this particular point.

You need to believe that there can be such a thing as effective DRM in the first place if you want to talk about which production method is better suited to build it.

Posted by Karl-Friedrich Lenz at November 17, 2005 11:14 PM