As my readers know, I’m not the biggest fan of consumer DRM. I hate being treated like a criminal when I’m not, and I don’t believe anyone has the right to control more of my systems than I do. Something about my security being compromised to provide better security for some corporate entity whose products I may or may not purchase just bugs me.

A while back I posted how the Barenaked Ladies distribute their content without DRM. Not for free, but once you buy it you’re free to use it as you wish. I like that.

Now, thanks to TechCrunch, we learn that Madonna is leaving the record labels and working with Live Nation to distribute content directly. Nine Inch Nails, Radiohead, and a few others are also jumping the record label ship. Yahoo! Music stated they won’t distribute music with DRM.

With MySpace and other social networking sites for promotion, low-cost digital distribution of content either directly to consumers or through online stores, and general frustration and anger with record company pricing, practices, and treatment of artists, it’s hard to see how the companies will survive. It won’t be an immediate death- years if not decades, but now that some of the biggest names in the business are running into independence the writing is clearly on the wall.

And the record companies can take their damn DRM with them.

Now it’s time to get cracking on the MPAA…

Saturday night my wife and I headed downtown to catch the Barenaked Ladies concert here in Phoenix.

After 10 years of working/running event security I still have a hard time enjoying myself at concerts, but for once I relaxed and had a good time. BNL might make a good alternative when Buffett finally orders that first marg at the big tiki bar in the sky. BNL used to play Boulder a lot before they were big, and I’ve been to a few shows, but this was the first one where I wasn’t working that I could settle into.

But I’m not just writing this to show you all how completely caucasian my musical tastes are. BNL is doing something different with their recordings. Very different, and it could change music and DRM.

BNL sells their music only in completely unprotected formats (MP3 and FLAC). At the latest show they were selling the album on a regular flash drive. After reading the BoingBoing post on the drive I really regret not buying one. BNL encourages their fans to karaoke, remix, video, and whatever else their music. They engage their listeners and try and build a community. And, best of all in my book, they record every single live show and sell them online; again, without any DRM.

They are also actively campaigning against DRM in Canada (eh), with real results. From BoingBoing:

The USB key is part of the BNL political/technical/social picture. Recently, BNL front-man Steve Page founded an upstart association for Canadian musicians and labels that takes the radically sensible position that DRM sucks, fans shouldn’t be sued, and musicians should work the the Internet, not against it.

 

This has had widespread political ramifications in Canada. The departure of all the Canadian labels from the Canadian Recording Industry Association has left CRIA in the awkward position of only representing multinational, US-centric music companies. When CRIA hits up Parliament for special favours, they speak against the stated position of the Canadian-owned labels and Canadian musicians.

Now why the heck would a band want to distribute their music without any copy protection?

Because BNL recognizes that only a miniscule percentage of bands make any significant money on their studio recordings. It is well established that most bands are mostly broke. The studio absorbs nearly all the profits, often leaving a band with pennies on the dollar. Bands make their cash on tour, not in the studio, and (sometimes) through other merchandising. We’ve all heard the stories of the broke rock stars that made pennies per album (although I think it can be more like $1 per album, if they ever manage to earn back the advance, after studio fees). I’m too lazy tonight to dig up the numbers, but you can all Google it yourself.

A small percentage hits “megaband” status and makes a killing, usually on the second or third album when they have some negotiating power.

What brings people to concerts? Good, accessible music. DRM only protects the bottom line of the studio distributing the music; relatively little of that goes back to the artist.

The Grateful Dead were one of the best examples of this. Not only did they allow recording of shows, but they actively encouraged the community to record and trade their music. They even set up special recording areas at some shows where fans set up tripods and high quality directional mics. This community turned them into the top touring band in history. They engaged their fans, they didn’t criminalize them.

BNL encourages fan interaction and leverages the Internet to distribute directly. Rather than relying on a tiny percent of a studio release, fans can pay $13.99 for a high-fidelity copy of THEIR show, recorded right from the mixing board. Fans can remix and lay down video soundtracks to their heart’s content.

They make their money on the experience; not a single copy of a song recorded in a studio. Every show; every acoustic set; every ringtone becomes an opportunity to engage fans and make money.

When we finally cut the cord from CDs it’s hard to see the value of the major studios. When fans have the choice between music they can integrate into their lives, and music they have to pay an extra $.99 to transfer to their cell phones (while getting sued), the choice seems easy.

You’d better be one hell of a band to treat your fans like crap.

Today it takes bands with an “installed base”, like BNL, to start cutting the cord. But MySpace and other sites show that our reliance on traditional sources for new music could easily decline.

BNL recognizes that securing your product away from your customers isn’t good business. They’re building a new model, and bringing music into the digital age.

In The Non-Geeks Guide to Consumer DRM: Why Your New TV Might Not Work With Tomorrow’s DVD player I concluded that current consumer DRM systems are more effective at restricting consumers’ rights than protecting content. Today we’ll look at the security consequences of consumer DRM from the consumer’s perspective. As DRM is ever increasingly embedded in consumer technologies and computer systems it drives dramatic changes in how we, the public, interact with content of any type- free, commercial, or self-created.

As I’ve mentioned before, one of the first presentations I ever created and delivered to an audience was on what I called, at the time, convergence security. This was over 5 years ago and the focus was on the security implications of digital convergence- what happens as the lines between the Internet, wired, wireless, television, consumer devices, and enterprise systems blur into a digital static of data, content, and connectivity. While “convergence” mostly died as yet another overused .boom term, the core concepts are becoming reality today; from video clips on corporate smart phones to digital distribution of… pretty much everything. Being the mid-life of Napster I looked at DRM and came to six conclusions:

1. If you can see it or hear it, you can convert it to a digital copy. It might not be “digitally pure”, but for most people it’s more than good enough.
2. Once a single unlocked copy is created, there’s no way to stop global distribution.
3. The only way to prevent digital copies of high-quality analog content is to embed hardware enforcement into every single device that accesses or displays content.
4. If DRM is too onerous consumers will be driven to illicit content. Less out of a desire for “free” and more from a desire of “use”.
5. Successful content owners will implement “good enough” DRM mechanisms that limit casual infringement, while supporting flexible customer use. These will be included as part of value-add services that are so compelling they draw consumers to the legal services, leaving illicit file trading to those what wouldn’t buy the content anyway.
6. Consumer electronics companies will never embed enforcement controls in all devices- while in the interest of the content owners, the increased costs and decreased usability are against the interest of consumer electronics manufacturers.

You can sum it all up with the rule of “it only takes one”. It only takes one pristine, unlocked copy and the scope of the Internet supports uncontrolled global digital distribution. Consumers need to be incented, beyond a mere inclination (or fear) to abide by the law (remember- everyone speeds) and restrict themselves to purchased, protected content.

I was right, and I was wrong. I thought I was being cynical, but I wasn’t even close to cynical enough. As we’ll see during our exploration of the consumer security implications of DRM the industry is moving forward with plans for complete control of content and the restriction of consumer’s use rights. While this may, under certain interpretations, be within their right as copyright holders, this control is coming at the expense of consumer security.

While consumer DRM doesn’t fundamentally conflict with consumer security, current DRM mechanisms often enforce content control at the expense of security. Why?

Comprehensive Digital Rights Management is only possible if the content owner controls both the form of the content, and all hardware and software used to access the content. Thus for rights to be enforced, the content owner needs control of whatever music player, DVD player, TV, monitor, stereo, TiVo, etc. that you use to play it.

That might seem acceptable, however restrictive, but this is digital content. Content we access using our personal and professional computers and devices. Systems that, to enforce rights, content owners need to control; thus intruding beyond mere content players into the hub of modern digital life.

(more…)

As a security professional I admit that I normally assume someone I’m dealing with isn’t necessarily honest; especially if they’ve done something to draw my attention. I learned early on that most humans have an unbelievable capacity for deceit, and they use it on a daily basis. In many cases the individual is so believable because they’ve convinced themselves that what they’re doing/saying is either the truth (when it’s clearly not), or they’re justified for some bullshit reason (like “the man” has been keeping them down). No- you really don’t deserve to steal my bike out of the garage because I make more money than you (despite coming from a bankrupt family as a kid) or because I was dumb enough to leave the door open. (Yep, even us pros screw up sometimes and pay the price).

I’ve also discussed, usually in the context of security screening, how, in certain cases, it’s better to assume everyone is a threat and apply strict controls across the board. It’s not the right approach in every case, but there are times when it’s definitely appropriate.

Now Microsoft and Universal are taking the same approach and assuming we’re all a bunch of pirating criminals. In a simply astounding move, MS will pay Universal for every Zune sold. Anyone stupid enough to buy a Zune will pay a $1 tax because, and I quote:

Universal said it was only fair to receive payment on devices that may be repositories for stolen music.
…
“It’s a major change for the industry,” said David Geffen, the entertainment mogul who more than a decade ago sold the record label that bears his name to Universal. “Each of these devices is used to store unpaid-for material. This way, on top of the material people do pay for, the record companies are getting paid on the devices storing the copied music.”

But wait, are we, the lowly consumers, the real criminals? This next statement sounds like the old Mafia bosses roaming the streets of Jersey City where I was a medic:

When the companies initially licensed Apple’s fledgling iTunes service, “they didn’t figure he’d make tens of billions of dollars from the iPod,” said Mr. Gordon, author of the book “The Future of the Music Business.”

“This time they’re saying, ‘Well, we want a piece.’ ”

Ah. Now I understand. It’s a protection racket.

That’s like the auto manufacturers paying the gas companies a few extra bucks for every car sold on the off chance you’ll steal some gas from the pump someday. Or computer manufacturers paying every single software company in the world a tax on the off chance we’ll copy their software.

How does it feel to be a criminal?

Never mind- we all know who the real crooks are.

(Truth is this might just be MS screwing with Apple since the music companies now want a piece of the iPod- which hurts Apple a lot more than a $1 on something no one will buy anyway).