Windows DRM: A Response to the Disinformation

This is a response to a series of articles by George Ou and Ed Bott of ZDNet stretching over a period of more than a month. I'll try to stay away from the assorted personal attacks in George and Ed's articles and just outline the details.

It all started with an email from George Ou, who decided, without ever hearing my talk on content-protection issues or seeing the slides for the talk, that what I'd said in the slides was wrong. I offered to send them to him, but by then he'd gone ahead and posted his conclusions anyway, still without ever actually having seen the slides that he's commenting on. Later he changed his story to claim quite emphatically that he wasn't attacking the slides at all, which seems a bit contradictory since the material wasn't present anywhere but the slides.

Dealing with him was quite weird in a number of other ways as well. For example whenever anyone anywhere posted something that happened to agree with his position, I'd immediately get a gleeful email from him crowing about it. I never even saw the articles, because George would beat me to them every time. It's as if I had my own personal "news about George Ou" news-clipping service provided for me by ZDNet.

He even went so far as to lodge a formal complaint about me with the University, although since I'd been trying quite hard to ignore him (both he and Ed even mentioned this in their blogs), I'm not really sure what he complained about (details of complaints are treated as confidential). Maybe he was upset because I wasn't paying any attention to him.

Ed's tactics were slightly different. He posted his initial comments on a blog whose existence I wasn't even aware of (and therefore had no way of responding to) and then summarily declared victory in a later blog posting based on the fact that I didn't reply. The only communication I had from him in that time was a long lecture that he sent me about professionalism (!!).

In this entire time, neither George nor Ed ever tried to obtain the slides from me ("I never asked for his slides" - George Ou), the actual material that started this whole thing. I've sent out copies of the slides to every single person who asked for them, but neither Ed nor George ever bothered contacting me to get the slides that they were attacking or to do any fact-checking whatsoever for the material they were posting to their blogs. Indeed, all I got from Ed was a long sermon on professionalism.

Ed's most recent missive came in multiple instalments, since most of it makes for somewhat tedious reading I've provided a brief commentary on the main points as an appendix for people who really feel the need to go through it all, but I've just included a quick summary here to save space. So let's see what Ed's justification is for claiming that "Everything you've read about Vista DRM is wrong":

In all this mass of trivia there's one major thing missing that would justify the title that he's chosen to use: Any attempt at all to address the central thesis of the content protection analysis, that trying to seal shut (portions of) the historically open PC architecture in the name of DRM is technically a really bad idea, and one that's bound to fail. As Bruce Schneier put it, "Trying to make bits uncopyable is like trying to make water not wet". So the DRM will fail, and all that'll be left is the collateral damage. I'm not sure if this is merely an accident or deliberate, but in his entire multi-page writeup Ed has completely, utterly failed to address the central issue of content protection/DRM. That's quite a major target to miss, completely.

At least his ZDNet colleague George Ou is unequivocal about DRM: "FOR THE LAST TIME, I want the DRM on my system so I can play my DVDs, HD DVDs, and Blu-ray like MOST people" (George Ou, email of 2 September 2007).

As people may have noticed, I've mostly kept quiet about this for the more than a month that the George and Ed tag team has been pursuing it. I really, really, really didn't want to get dragged down into their ongoing vendetta. I hoped that after more than a month of this they'd finally get tired of it and find some new hobby. Unfortunately, it looks like they're going to drag this thing on and on and on without end... and I really don't want to play their game. Perhaps others could respond to them on my behalf. To this end I've posted the slides at http://www.cypherpunks.to/~peter/vista.pdf, although no doubt this'll precipitate another avalanche from the Ed and George tag team (sigh).

In the meantime I'll leave you with this final piece of wisdom from George Ou, ZDNet's technical director:

You know, you are a f***ing moron. End of discussion.

(the original form was without the asterisks, I've cleaned it up for publication). In any case since he's applied the same label to luminaries like Bruce Schneier and others (George Ou, email of 2 September 2007), I think I'm in pretty good company there :-). (For completeness I've included some extracts from George's missives in an appendix).

Digg This Digg this delicious Post to del.icio.us slashdot Post to Slashdot

Appendix 1: Short response to Ed's article

>"Because Gutmann has no hands-on experience with this technology"

Actually I do have direct, hands-on implementation experience, which I could have told him if he'd ever contacted me to fact-check any of what he wrote.

>Here's the information on this exact monitor

So this is where his strategy of going for a nine-month-old writeup rather than the current one starts to pay off. At the time I'd checked the specs for the monitor and there was no mention of HDCP over DVI. That's precisely why I chose to use it as an example of this issue in the first place (I arbitrarily picked Samsumg because I have two Samsung LCD monitors on my desk, they make nice monitors). Now that I'm aware of the updated information I've updated the slides.

To replace them I did a quick check of an online store with 1920x1080/1200 (i.e. full HD resolution) monitors with digital input, it only took a few minutes to find more examples. Going down the list there's the Philips 230WP7NS (no mention of HDCP in the data sheet, although it does mention the Vista certification), the Acer AL2416W (for which there's no definitive statement one way or the other, so I'll skip that one), and then the HP LP2465, for which again there's no mention of HDCP in the technical specs. In fact the slides already contain a direct quote from someone who bought an HP Media Centre PC and couldn't play back the HD movie that was included with the PC because the monitor doesn't support HDCP. Actually the old writeup that Ed's chosen to attack includes this too.

If the specs for any of those change, just keep going down the list, it's not as if there's a shortage of HD monitors that aren't actually HD-with-HDCP. (In fact as numerous users have found out the hard way, even if your monitor has HDCP support that's no guarantee that it'll actually work with premium content. See this thread for some examples, which in turn references a (currently) 374-page-long (!!!) thread on another site covering further issues).

This points out the real problem with digital video output, it doesn't matter which specific monitor you choose to use as an illustrative example, what's important is that there are a large number of people out there who have bought, and who are continuing to buy, LCD panels for which the content- protection will block premium content over the digital link.

>Vista will indeed display HD content on this monitor over the D-Sub and
>component video outputs

That's the famous (or notorious) analog hole, which has nothing to do with digital output - both D-sub and component video are analog, not digital outputs. Again, there are several quotes in the slides pointing out exactly this fact, that users had to resort to using old analog monitors or links because digital-out was blocked. In fact the same quotes are in the older writeup too...

>So, this is "stupidly large (for a computer monitor)"?

So "Everything you've read about Vista DRM is wrong" is based on a disagreement over whether a 46" LCD panel is an appropriate size for a desktop monitor. OK.

>will only load drivers signed by Microsoft

That was an attempt to condense the driver signing process into a single sentence because of its complexity and (I would guess) lack of interest to most readers. For example the WHQL process produces drivers signed by Microsoft, but you can also use WHQL test signatures, or sign non-WHQL drivers yourself, or use KMCS test signing, or manually change the system configuration to allow unsigned drivers to be loaded, or .... The attempt to simplify this probably condensed it a bit too much, which is why in the slides I covered in in around seven full slides, although that may have been going a bit too far in the opposite direction (these are the slides that Ed never bothered asking me for, since it's easier to attack a nine-month-old, rather out of date, writeup).

Further details are in the slides, but what happens is that Vista's content protection requires that premium content flow through an identified kernel, which has all of its modules signed... actually this is still far too complex to summarise quickly (which is probably why my initial attempt went a bit too far in shortening things), the Kernel-Mode Code Signing Walkthrough doc alone is 56 pages long, the Digital Signatures for Kernel Modules on Systems Running Windows Vista doc is 23 pages, and the Code Signing for Protected Media Components in Windows Vista doc adds another 13 pages. I think I'll defer to either the original Microsoft docs or the slides for this.

>There's no problem playing back HD video and listening to the accompanying
>audio over this type of connection.

So you've played back premium (DRM'd) audio over S/PDIF out? This seems to directly contradict Microsft's own words on the matter:

Protected audio content is definitely protected. You can't play DRM- protected content over S/PDIF because that would give you a zero- degradation copy that you can do whatever you like with (Matthew van Eerde, MSDN).
>Today, any commercially available Blu-ray or HD DVD player will play back
>just fine over a component connection.

Again, the wonders of choosing to attack an old writeup rather than the current material: The story "First Blu-ray disc drive won't play Blu-ray movies" was straight from CNET.com, but obviously things have changed since it was published.

>Nvidia's decision to drop support for a feature called Full Screen Video
>Mirror,

Which is exactly what I say in the slides (I even quote someone saying this). These are the slides that Ed never bothered to get from me, instead choosing to target an old writeup, although I may have mentioned this before.

>And despite the fact that Nvidia appears to blame Windows Vista's new output
>protections for this change

If you can't trust the people who write the drivers for the graphics cards and who design and manufacture the GPUs, who would you suggest as a source of information?

>First step on the road to totalitarianism?

I must admit I got somewhat lost here when he started talking about forced labour camps and the secret police. If anyone has any idea what he's on about here maybe they can comment.

>No, microsoft has not placed content protection above all other requirements

Someone from Microsoft pointed this out to me as well, and I've updated the slides (do I need to say it again :-) to cover this. If you look at the ordering of the entries, which start at:

that does look awfully like it's priority-ordered, but apparently it was just coincidence that it was ordered from "supports content protection" down to "has a correct driver version number in the DLL". Fair enough, so it was just coincidence.

>published at the CEPro website in March 2007

And again we see the advantage of choosing to attack an old writeup rather than the current version: Some of the things linked to (in this case) six months ago have changed.

>For example many sound cards built on C-Media chipsets (which in practice is
>the vast majority of them) support Steinberg's ASIO (Audio Stream I/O),

You're right, that was confusingly worded, since it seems to use first "many" and then right after it "most" to refer to the same thing. The "vast majority" actually refers to support of Steinberg's ASIO on C-Media devices, and specifically I was thinking of the ASIO4ALL driver (alongside C-Media's own ASIO drivers). I specifically chose C-Media as an example here because they're rather well-known for their high-end audio chipsets like their Oxygen HD audio processor... mmm, Auzentech X-Meridian, which I specifically mention in the slides... that Ed never bothered to get from me (sorry if that one's getting old :-).

As of this writing he hasn't posted his third instalment yet, but if it follows the pattern of the scraped-together collection of trivia in the first two I'm assuming it's just more of the same.

Appendix 2: Comments from ZDNET's technical director George Ou

For completeness, here are longer excerpts from George Ou's email that I've quoted above. Since he published my private email on his blog, I assume he has no problems with me doing the same for him. This was from an exchange with a third person that was BCC'd to others (including me - since it was BCC'd I don't know who else copies ended up with). The entire exchange is extremely long (it just goes on and on and on) and gets old very quickly, so I've just included the parts that I've quoted above to provide context.

George's opinion of security guru Bruce Schneier:

From: George Ou <george_ou@lanarchitect.net>
Sent: Sunday, September 02, 2007 3:54 PM
To: XXXXXXXXXXXXX
Subject: RE: Gutmann Vista DRM paper uses shoddy Web Forums as source

[...]

Schneier is a moron if he thinks telling Hollywood no will force them to use
non-DRM content.  All you need to do is look at the CableCard fiasco. You give
Hollywood the finger and they give you the finger right back because they'd
rather NOT have any content on the PC to begin with.  Like Apple, Microsoft
will humor Hollywood so they come join the party.  Once they're in, they'll
get screwed out of their DRM protections because Microsoft won't patch the DRM
holes and let their customers bypass DRM.  The latest DRM stripper for Windows
Media has worked for almost 2 months now and Microsoft hasn't patched it yet.

[...]

George

George's opinion of the original poster, who tried to correct some flaws in George's, uh, 'logic':

From: George Ou <george_ou@lanarchitect.net>
Sent: Sunday, September 02, 2007 4:38 PM
To: XXXXXXXXXXXXX
Subject: RE: Gutmann Vista DRM paper uses shoddy Web Forums as source

Nothing you've said is valid and your stubbornness to concede a point just
makes you look stupid in the face of overwhelming fact that I've thrown your
way.  All you've been doing is regurgitate Gutmann's crackpot theories.  I'm
tired and I've been patient long enough.  Now spend some time and digest what
I've explained.  You can choose to continue being a brainless crackpot and
choose to believe what you like.  Or you can try what I've suggested and see
if it's really true.

George's thoughts on DRM:

From: George Ou <george_ou@lanarchitect.net>
Sent: Sunday, September 02, 2007 6:07 PM
To: XXXXXXXXXXXXX
Subject: RE: Gutmann Vista DRM paper uses shoddy Web Forums as source

FOR THE LAST TIME, I want the DRM on my system so I can play my DVDs, HD DVDs,
and Blu-ray like MOST people.

You don't want it, more power to you.  I've given you the links to the
software you need get avoid enabling MFPMP at all.  I've shown you the lower
CPU utilizations using cheaper hardware.  I don't know what else you want.

When I've already busted Gutmann's key assertions and wrote you 8 emails
rehashing what I've already explained in my blog and you have the gall to ask
me to prove it again, it makes me think there's something wrong between your
ears and you just like to hear yourself pontificate.  Gutmann is an academic
clown and if you want to be his follower, be my guest.  I've had all the
patience I can handle from people like you and I don't want to repeat myself
for the 10th time.  Gutmann's theory is finished and busted, end of
discussion.

George's opinion of my talk at Usenix Security:

From: George Ou <george_ou@lanarchitect.net>
Sent: Sunday, September 02, 2007 1:02 PM
To: XXXXXXXXXXXXX
Subject: RE: Gutmann Vista DRM paper uses shoddy Web Forums as source

[...]

It is a known fact that this moron flew halfway around the world declaring
that Vista causes global warming because it consumes more power.  I've PROVEN
that to be false and I've PROVEN you people wouldn't know the difference
between a child process taking credit for the CPU load being done on behalf of
the parent process WMP11 if it hit you in the face.  You just demonstrated
that despite me explaining it to you slowing bullet point by bullet point and
yet you still don't understand it and you're still holding up your SPECULATION
over my research data.

So thank you for demonstrating for me what a bunch of freaking morons you are.

George

(the "bunch of freaking morons" includes Bruce Schneier and Charlie Demerjian of the Inquirer, whom he refers to in a preceding email).

And finally here's ZDNet's technical director signing off (again, censored so this page doesn't get blacklisted):

From: George Ou <george_ou@lanarchitect.net>
Sent: Sunday, September 02, 2007 7:03 PM
To: XXXXXXXXXXXXX
Subject: RE: Gutmann Vista DRM paper uses shoddy Web Forums as source

You know, you are a f***ing moron.  End of discussion.

(Since this was posted I've had a number of emails pointing out that George has acquired quite a reputation for this sort of behaviour, sometimes in private mail and sometimes on public blogs. If you've got any choice examples of his wit and wisdom, do send me a link or the text of the email, if there's enough interest I'll post the most amusing ones here).