09-30-2004, 10:25 AM   #3
hacker
Technology Mercenary
Posts: 617
Karma: 2561
Join Date: Feb 2003
Location: East Lyme, CT
Device: Direct Neural Implant
This is the most asinine method of "protecting" an electronic work I have ever seen.

When (not if) this encryption method is breached, the ability to get the credit card numbers back out of the system will be immediately made publicly known. Whoever thought of this method needs to be drawn and quartered.

Secondly, you can just as easily take a PayPal credit card account, or a Debit Card account, open one up at a bank, put $20.00/USD in it, and purchase the book, under a false or forged name if you wish. Once you get one of eReader.com's works, with the "credit card" number out there for others to poke and prod at, reversing this encryption method becomes possible.

Using "encryption" for DRM is a braindead, non-scalable solution. Now, to properly solve this problem, they could take the credit card number, hash it with a specific seed, such as the name of the book and purchase date, then md5 that, and apply that as the key.

Since md5 has something like 340282366920938463463374 (1<<128) possible hashes, and is impossible to "decrypt" (because it is encoded, not encrypted), you can now properly secure the book, using a purchaser's credit card, and not expose their actual card to anyone who happens to break the weak encryption method that eReader.com is using. Encryption algorithms are being broken all the time. With faster, more-capable computers, this becomes easier and easier. A one-way hash is the only secure way around this.

The other problem with this solution is that it does not scale. When the encryption method is broken, and eReader.com has to replace it with another solution, all existing copies of purchased works immediately break, because the checking that the application must do now uses a different method. Sure, it can use both, but now you have to deal with two sets of registration "keys" for the two kinds of material that you purchase through eReader.com.

I'm all for protecting the rights of copyrighted works and the authors of those works, but the only people who suffer from implementing these poorly thought-out methods are the innocent people.

And lastly, let's not forget that DRM does not stand for "Digital Rights Management", it stands for "Digital Restriction Management". It doesn't manage your rights in any way, because it doesn't give you any additional rights, it takes them away.

I'll be staying away from anything eReader.com produces, and I'll be strongly recommending to users and all of my clients to do the same.
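
The key derivation proposed in the post above, as an added example that is not part of the original post and is not eReader.com's code: an MD5 key over the card number seeded with book title and purchase date, next to a PBKDF2 variant of the same inputs and an estimate of how much of a card number is actually unknown. The `|` separator, the PBKDF2 parameters, all function names and the sample values (a widely published test card number, a constructed title and date) are assumptions.

```python
import hashlib
import math

def luhn_check_digit(partial: str) -> str:
    """Return the digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # doubled positions once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)

def post_scheme_key(card: str, title: str, purchase_date: str) -> bytes:
    """MD5 over the card number seeded with title and date (the post's proposal)."""
    seed = f"{title}|{purchase_date}|".encode()      # separator is an assumption
    return hashlib.md5(seed + card.encode()).digest()  # 16-byte content key

def stretched_key(card: str, title: str, purchase_date: str,
                  iterations: int = 600_000) -> bytes:
    """Same inputs through PBKDF2-HMAC-SHA256 (editor's variant, not in the post)."""
    salt = f"{title}|{purchase_date}".encode()
    return hashlib.pbkdf2_hmac("sha256", card.encode(), salt, iterations, dklen=16)

def unknown_bits(card_len: int = 16, known_prefix: int = 6) -> float:
    """Bits of a card number left unknown once the issuer prefix is known
    and the final digit is fixed by the Luhn checksum."""
    free_digits = card_len - known_prefix - 1
    return free_digits * math.log2(10)

if __name__ == "__main__":
    # Constructed sample input: test card number, made-up title and date.
    card = "411111111111111" + luhn_check_digit("411111111111111")
    title, date = "Example Title", "2004-09-30"
    print("card (test number):", card)
    print("md5 key           :", post_scheme_key(card, title, date).hex())
    print("pbkdf2 key        :", stretched_key(card, title, date).hex())
    print("unknown input bits: %.1f of a 128-bit key" % unknown_bits())
```

The hash hides the card number from anyone reading the book file, but the key is only as hard to guess as the unknown digits behind it, which is why the slow derivation is shown beside the single MD5 pass.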