Password-based DRM has a dim future

ardeegee · 06-05-2011, 06:11 PM

Okay, sorry for another DRM thread, but here's an article about how good jeepy ewes are at cracking passwords.

http://www.zdnet.com/blog/hardware/c...-useless/13125

Steven Lyle Jordan · 06-05-2011, 06:21 PM

Time to move on to biometrics.

ardeegee · 06-05-2011, 06:46 PM

Quote:

Originally Posted by Steven Lyle Jordan

Time to move on to biometrics.

They can have my fingerprints when they pry them from my cold, dead hand.

Shimarenda · 06-05-2011, 07:01 PM

Quote:

Originally Posted by ardeegee

They can have my fingerprints when they pry them from my cold, dead hand.

Fingerprints are passe. Prepare to have your iris scanned for every transaction.

Penforhire · 06-06-2011, 12:41 AM

I thought the answer to brute force methods was to limit the number of tries, at least in terms of tries per hour, if not completely locking access after three consecutive failures?

Steven Lyle Jordan · 06-06-2011, 09:09 AM

Quote:

Originally Posted by Shimarenda

Fingerprints are passe. Prepare to have your iris scanned for every transaction.

Fingerprint scanners are already here, small enough to include in the smallest digital hardware, relatively inexpensive and easy to use. Not that retina scans don't work, but fingerprint scanners are more efficient for verifying security on a portable device, and the tech is ready now.

Quote:

Originally Posted by Penforhire

I thought the answer to brute force methods was to limit the number of tries, at least in terms of tries per hour, if not completely locking access after three consecutive failures?

True.

anamardoll · 06-06-2011, 01:28 PM

Quote:

Originally Posted by ardeegee

Okay, sorry for another DRM thread, but here's an article about how good jeepy ewes are at cracking passwords.

http://www.zdnet.com/blog/hardware/c...-useless/13125

The only password-based ebook DRM I know is the B&N flavor. That combines credit card number and account name. In order to crack it, the cracking software has to have both.

Now, obviously, there's still a lot to work with here if you're interested in brute-forcing the thing. The account name is most likely going to be text only and the credit card number will be all digits. And so on.

But I don't see this article really having any bearing on DRM cracking on current methods. The gist seems to cover passwords only (without having to worry about username), and of the 8 digit variety. I don't know of an industry DRM that is that simplistic -- because it's been known for a LONG time that cracking 8 digits alone is pretty darn easy. It's the combination of username / password that increases the difficulty, along with "shut out" methods like how many attempts you get.

Or am I missing something?

Elfwreck · 06-06-2011, 02:43 PM

Quote:

Originally Posted by Steven Lyle Jordan

Fingerprint scanners are already here, small enough to include in the smallest digital hardware, relatively inexpensive and easy to use. Not that retina scans don't work, but fingerprint scanners are more efficient for verifying security on a portable device, and the tech is ready now.

The tech is there for device locking; the software's not yet developed (or if it is, very rare) for individual file locking. For a fingerprint-based ebook to work, you'd have to be able to enter your fingerprint at time of purchase/first download to encrypt the book to your ID. That means you can only buy books from a device that has a fingerprint scanner--no more purchases from most PCs, unless you buy a USB-based scanner.

Any ID tech has to be ubiquitous before it's useful. Credit card info, entered at purchase time, is usable by any site; fingerprint ID, requiring special hardware before purchase and special software at the website, is a much bigger hurdle to force on people.

pdurrant · 06-06-2011, 04:43 PM

Amazon's DRM is currently based on an eight character PID. It sounds like it might be possible to use GPUs to brute force that in a reasonable time.

But all this discussion of brute force cracking of DRMed content is pointless. It's never needed. Anyone buying a DRMed ebook (or other media) already has access to the password — whether it's a B&N Name & number password, an Amazon PID or an Adobert Adept key.

None of the current DRM removal tools require a brute force method to find the secret key. It's already known.

Steven Lyle Jordan · 06-06-2011, 05:40 PM

Quote:

Originally Posted by Elfwreck

The tech is there for device locking; the software's not yet developed (or if it is, very rare) for individual file locking. For a fingerprint-based ebook to work, you'd have to be able to enter your fingerprint at time of purchase/first download to encrypt the book to your ID. That means you can only buy books from a device that has a fingerprint scanner--no more purchases from most PCs, unless you buy a USB-based scanner.

Any ID tech has to be ubiquitous before it's useful. Credit card info, entered at purchase time, is usable by any site; fingerprint ID, requiring special hardware before purchase and special software at the website, is a much bigger hurdle to force on people.

All true. But that doesn't mean it's not do-able. Consumers have accepted other more involved technologies and purchasing methods, if it was presented to them as something they wanted, or that it got them something they wanted. Offer the right incentive, and you'll see biometric readers on all hardware devices faster than USB ports proliferated.

Technology has also been rolled out by the device manufacturers by mutual agreement; manufacturers then present the technology as an "accessory" that can be used, or not, as desired. Later, offers and incentives by other companies ("Use your printscanner to get a sneak preview of Angry Birds II: The Day of the Condor!"), and consumers begin using the tech that's been in front of them for some time.

mr ploppy · 06-06-2011, 05:53 PM

Quote:

Originally Posted by Elfwreck

For a fingerprint-based ebook to work, you'd have to be able to enter your fingerprint at time of purchase/first download to encrypt the book to your ID. That means you can only buy books from a device that has a fingerprint scanner--no more purchases from most PCs, unless you buy a USB-based scanner.

Or just download a pirate copy instead that doesn't need fingerprints, blood samples or any of the other nonsense publishers decide to inflict on their paying customers.

anamardoll · 06-06-2011, 05:55 PM

Quote:

Originally Posted by Steven Lyle Jordan

All true. But that doesn't mean it's not do-able. Consumers have accepted other more involved technologies and purchasing methods, if it was presented to them as something they wanted, or that it got them something they wanted. Offer the right incentive, and you'll see biometric readers on all hardware devices faster than USB ports proliferated.

I'd be interested in seeing THAT sale.

You've long had the inability to read your B&N books on a Sony device! Now, buy a Simple Touch USB Fingerprint Scanner (TM) so that you won't be able to read your books anywhere except on your finger coded device!!

I mean, maybe one person on earth would buy it. Maybe.

cfrizz · 06-06-2011, 07:00 PM

I like it!

Quote:

Originally Posted by mr ploppy

Or just download a pirate copy instead that doesn't need fingerprints, blood samples or any of the other nonsense publishers decide to inflict on their paying customers.

Elfwreck · 06-06-2011, 07:03 PM

Quote:

Originally Posted by anamardoll

I'd be interested in seeing THAT sale.

You've long had the inability to read your B&N books on a Sony device! Now, buy a Simple Touch USB Fingerprint Scanner (TM) so that you won't be able to read your books anywhere except on your finger coded device!!

I mean, maybe one person on earth would buy it. Maybe.

Some people would buy it if it were pitched right. "New: Harry Potter ebooks on the ThumbReader 2012!" And the sales pitch would imply that you just go online & buy books, and not mention that it works about like the RocketBook system: plug *device* online, and buy *through it*, instead of the standard "go online, download to hard drive" system.

And people would be happy until they get a Kindle SuperDeluxe for a birthday and want to read the second half of the series on that instead.

I think some hardware can be pushed on the public, and some can't, and this is one of the "can't" variety. Like those little "cat" scanners that read advertising barcodes... too obviously a case of "let's inflict annoying extra complicated steps onto the end user for corporate convenience!"

JSWolf · 06-06-2011, 07:15 PM

Quote:

Originally Posted by mr ploppy

Or just download a pirate copy instead that doesn't need fingerprints, blood samples or any of the other nonsense publishers decide to inflict on their paying customers.

You also have to pee in a cup and take a drug test too to get your eBooks.

06-05-2011, 06:11 PM	#1
ardeegee Maratus speciosus butt Posts: 3,292 Karma: 1162698 Join Date: Sep 2009 Device: PRS-350	Password-based DRM has a dim future Okay, sorry for another DRM thread, but here's an article about how good jeepy ewes are at cracking passwords. http://www.zdnet.com/blog/hardware/c...-useless/13125

06-05-2011, 06:21 PM	#2
Steven Lyle Jordan Grand Sorcerer Posts: 8,478 Karma: 5171130 Join Date: Jan 2006 Device: none	Time to move on to biometrics. Last edited by Steven Lyle Jordan; 06-06-2011 at 09:32 AM.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
DRM and future proofing in the UK	spinningdoc	Which one should I buy?	11	05-03-2011 07:34 PM
Adobe CS5 introduces password-protected ebook DRM	ebookreaders	News	13	12-15-2009 09:07 AM
DRM free future?	pwalker8	News	18	01-14-2009 09:19 PM
New York Times on the dim future of e-textbooks	Alexander Turcic	News	1	04-25-2006 07:16 PM
Welcome to the Future: Light-based Encryption	Alexander Turcic	Lounge	1	11-07-2003 09:48 AM

06-06-2011, 12:41 AM	#5
Penforhire Wizard Posts: 2,230 Karma: 7145404 Join Date: Nov 2007 Location: Southern California Device: Kindle Voyage & iPhone 7+	I thought the answer to brute force methods was to limit the number of tries, at least in terms of tries per hour, if not completely locking access after three consecutive failures?

06-06-2011, 04:43 PM	#9
pdurrant The Grand Mouse 高貴的老鼠 Posts: 74,450 Karma: 318076944 Join Date: Jul 2007 Location: Norfolk, England Device: Kindle Oasis	Amazon's DRM is currently based on an eight character PID. It sounds like it might be possible to use GPUs to brute force that in a reasonable time. But all this discussion of brute force cracking of DRMed content is pointless. It's never needed. Anyone buying a DRMed ebook (or other media) already has access to the password — whether it's a B&N Name & number password, an Amazon PID or an Adobert Adept key. None of the current DRM removal tools require a brute force method to find the secret key. It's already known.