best youtube video ever

Is this the best YouTube video ever?. The power of the amateur is here to stay!

more drm

A couple of things I didn’t mention in the last post.

Some people think that if you keep the player keys secret you can just set up a website where people upload their videos and get them cracked by a web service, or that it’s feasable for the attacker to just crack all the titles himself. Apart from the fact that it doesn’t scale, AACS has traitor-tracing algorithms that can track down the individual player or software instance used to decrypt the movies. This includes the case of a central web services. If tracked down, a jail sentence could be the result, which would make people think twice about uploading cracked movies. You could try and avoid that by using a stolen player or fake cc number, but that just increases the crimes you’re guilty of to include theft and/or card fraud so not many people are likely to do it.

Others think that if you compromise the PS3, the scheme is broken because Sony will never revoke the PS3 BluRay key. The point is, there isn’t one PS3 key (or shouldn’t be if AACS was implemented as designed). Instead they can revoke the exact piece of metal that was attacked, closing the hole without inconveniencing any other owners.

Finally, some people think breaking hardware security is a matter of using a logic analyser. In reality it requires at minimum a scanning electron microscope which are pretty hard to obtain – it often requires much more, such as working in an entirely dark room to avoid tripping light sensors that will cause the chips to self destruct, or the ability to remove wire meshes. Breaking hardware security is generally so expensive that industrial espionage, blackmail, etc will always be easier.

on drm

Via Slashdot we learn that HD-DVD/BluRay protection is cracked. Or is it?

Reading the comments or the interview, you’d think the whole scheme had come tumbling down like a house of cards. Slashdotters want to believe that so badly, it almost feels like it’s true.

Well, AACS is not cracked. It probably never will be – the mathematics is sound, and is basically an extension of CSS with the weak point (limited key revocation) removed. They might discover a weakness in key generation again or something similar, but it seems unlikely. Given the set of massive flukes that were required to beat CSS, with each revision of the scheme it becomes less likely to break.

DRM schemes in particular tend to make people spout a lot of crap. Here’s the short’n’skinny:

1. This guy has not cracked AACS. He has written a program that can extract title keys from a weakly protected player. The whole reason AACS exists is to solve this very problem of poorly made players. I suspect there are not that many HD-DVD/BluRay players out there right now, so it won’t be hard to figure out which one he is debugging and revoke it. It’ll mean a software upgrade for the early adopters, but who cares?
2. More software players will be cracked in future, but it’s not inevitable any player can be cracked. Having spent many hours in the debugger myself, I know that increasing complexity of an app by a small amount is simple and following that small increase in complexity as an attacker is hard. It can be done, I’ve done it myself, but every time you add another anti-debugger check, encrypt another piece of code, or hide the data you need inside other pieces, the number of attackers that can/will continue drops. As there is a finite number of motivated people to start with, it is in fact possible for that number to reach zero. Then you win, at least for a time. This is especially true if the software is adaptive, that is, the protections can be changed by the programmers at any time, Warden being a good example of that.
3. Hardware protection is much harder to beat than software protection, for obvious reasons. Satellite TV encryption has remained unbroken for years, which proves the point that DRM can work (giving you data you can’t access unless you pay is what it does, after all). Vista supports streaming encrypted data direct to the video card, which largely solves the problem of exposed title keys and as the type of people who play BluRay videos are likely to want to do so on new machines that can handle the requirements.

There are three mistakes people make when thinking about DRM.

you give me the data and the key, therefore I can beat you

Wrong. You might be able to beat them, but you might not. It’s possible to make a scheme so hard to beat that nobody manages it. Defeating the smartcards using by Rupert Murdochs satellite companies requires you to find a vulnerability in the microprocessor on the chip, then obtain a dump of its memory, then reverse engineer an unknown instruction set, then look for a weakness in the software on the smartcard, then somehow manage to turn all of that into a repeatable hack. There is tremendous profit involved for people who can manufacture then sell the final tool or program, but despite the millions up for grabs cracks are long since history. Severe jail terms for those involved act as an additional deterrant (we’re not talking DMCA here, we’re talking Economic Espionage Act).

the analog hole exists, therefore I can beat you

Sure, go ahead and point a video camera at the screen and make your own video copy. It might even be good quality! Point is, nobody cares. DRM is meant to discourage copying at scale. If it requires somebody to set up a darkroom, a HD camera and to “rip” videos in less than real-time, so few people will do it the impact on sales won’t be significant. You win the battle but lose the war. If all it requires is for you to click a few buttons, then you get every video being uploaded to LimeWire and that’s a bigger problem. The iTunes DRM is defeatable by burning to CD then re-ripping, which would in theory lead to all the iTunes tracks being available via peer to peer. Yet it still sells millions of tracks.

drm is anti-consumer so nobody will accept it

Wrong. People already accepted it en-masse when DVDs first came out, when the iTunes Music Store came out, when World of Warcraft came out, and when satellite TV came out. Most people can’t even explain what DRM is, let alone argue that it’s bad. Well implemented DRM does not inconvenience people much, beyond the “inconvenience” of having to pay for media. A lot of DRM is not well implemented but that says more about the people implementing it than anything else.

I don’t know if the RIAA, the MPAA, the book publishers, and so on will keep persuing DRM until they win. The struggle might wear them out, they might give up. Nonetheless, the fact that the TV companies were successful shows it can be done. Also, even though in the software realm copy protection and anti-hack programs are fallible, they are still used which implies the value they give outweighs their cost.

Eventually, it seems likely that commodity PCs will move all the vulnerable parts into hardware. The TPM already does this for key storage, but it can’t do streaming decryption. Secure Audio Path/Secure Video Path allow you to move audio/video decryption into hardware, meaning only the key manipulation part is still in software. Combine the two and it’s not a stretch to ensure the keys are never “in the clear” in the processor at all. Even if that’s still required, Intels LaGrande already allows a program to insulate itself from other programs and the kernel at the hardware level, which makes debugging it into a hardware cracking problem rather than a software one. It’s only shipping in some chips right now, but presumably it’ll end up in all their chips at some point.

Desktop computer users have got this mentality that DRM can always be defeated, re-enforced by a history of weak schemes that were eventually cracked (even though it took years to beat CSS, something often forgotten). It seems likely that eventually they’ll be proven wrong.

on platforms

I’ve worked for Google for about 4 months now, perhaps a bit less. In that time, my thinking on the future of computing has changed (because I’m sad I think about this a lot).

This thinking is the result of a vague feeling that the existing client platforms have all run out of steam. Windows Vista, OS X and the latest Linux distros are all, give or take a few details, pretty much the same. Most of the new features are not inspiring. Apple are doing some good work in UI design, but it’s mostly just polishing the edges and in some cases, they are just coming up with fancy workarounds for deeper problems (expose, time machine, etc).

Progress seems slow. The Big Problems that we’ve known about for years don’t get solved. There are 3 big problems that interest me:

• Usability
• Security
• Environmental impact

I’ll only talk about usability today.

Usability

Luis Villa articulated one side to this long before I really understood it, which just goes to show that he’s smarter than me and in about 5 years I’ll probably wish I’d gone to law school. Some things are easy to do with web apps, and hard or impossible to do with client side apps. Of course the opposite is also true, but in general, when an app can be implemented as a web app, it usually is. This says to me that most people prefer it if they can get it.

Luis says:

Three big things:

• Web development/deployment is easy, and desktop is not.
• Web development makes certain things easy; primarily location independence and collaboration.
• Desktop development has advantages web devel does not (rich inter-app integration, localized search, etc.) but taking advantage of them is a PITA.

Luis is thinking from a developers perspective so it’s fair enough that he doesn’t mention the user experience in all this. But what I’ve realised in the last 4 months is that a well written web app gives a significantly better user experience than the equivalent client app. This is the opposite of conventional wisdom, which is that web apps are “less rich” and therefore somehow worse.

The way web apps beat client side apps works like this:

1. Firstly, people love speed. I knew this in a vague sort of way before, but now I can quantify it. Every millisecond you can shave off an operation will increase your userbase. Most good clientside developers know this, but web apps let you actually watch traffic come and go as latency changes. The correlation is remarkable and it really focusses the mind on making things happen NOW.

2. Secondly, less is more. Web apps make it hard to pull off stuff we take for granted in the desktop world – customisable toolbars, tree views, file dialogs, tab widgets etc. This is a good thing.

   The “richness” that we (programmers) love, is despised by many people. They’ll never tell you that if you ask, because they won’t know how to express it, or even what’s wrong. Instead the people who do understand it and have learned all its quirks and odd little features will tell you how important it is. This is really misleading. Don’t be fooled.

   A classic example of this is tree view controls. Programmers love trees. We think about them all the time, we see them everywhere we go. To us a tree is the most natural thing in the world. Because we love trees so much, it’s an obvious step to represent them in the user interface in some way. Like, say, by using a tree view widget. Some people love tree widgets so much they spent weeks recreating them in DHTML and JavaScript. Big mistake! Usability studies and real world experience indicates time and time again that lots of people have difficulty with trees. Some people will just avoid using them completely. Most will maybe use the top level of the tree, but won’t go in for nesting (ie they’ll have Documents/Foo and Documents/Bar but not Documents/Foo/Bar).

   Because trees are such a PITA to recreate using HTML, most people don’t bother with them in their web apps. They find some other way of doing it. GMail uses labels, Flickr uses tag clouds, the web itself uses search. Most web apps just somehow avoid it entirely. All those users who never really cared much for tree views but couldn’t really identify why are suddenly happier. They can’t explain it but somehow they know this new thing is better than the old thing.

   This follows for quite a few other kinds of client side UI construct that are now avoided because they are known to be bad. MDI, multi-level tab widgets, and incredibly complicated pref panes for instance. Once upon a time, MDI and multi-level tabs was the height of cool. Everybody wanted them. Nowadays they are avoided like the plague. How many other widgets that we take for granted will follow this fate? The humble toolbar, perhaps, which is cursed with ugly and small buttons identified only by an obscure picture? Is the “less is more” web solution of hyperlinks and image buttons sized in proportion to their importance going to replace them? I hope so.

3. Luis touches on deployment but doesn’t discuss it further. Havoc Pennington also talks about it in the context of well behaved desktop apps. One of the good yet annoying things about the Mac is that many apps now ship with Sparkle and auto-update themselves. It’s a slick little library and works well, but unfortunately it shows release notes before doing the update and generally requires user interaction/thought. Once all your apps use this, you quickly realise that (a) every app has bazillions of small releases and (b) every developer lists every change in excruciating detail.

   Web apps don’t install. They don’t update. They just appear when you need them and magically get better over time. In a world where people don’t even want to wait 2 seconds for something to appear, this is a HUGE deal! Software installation and update is, even in the best cases, slow fragile and annoying. Better to dispense with it entirely (as ZeroInstall tries to do).

4. Often, web apps have more information, so can do a better job. For instance GMails spam filtering can take advantage of knowing who is in your address book, whether a message is part of an existing thread you took part in, and so on (disclaimer: i am not saying it actually does this, just that it could do theoretically). The traditional server/client split prevents this setup, reducing the quality of the spam filtering for everyone.
5. Final point. There is no cult of consistency in web app development. You are free to create something as ugly or beautiful as you are able. Users really respond to looks, all companies know the importance of appearance and brand but traditional client side development makes it hard to achieve this. Apple, Microsoft and many other companies therefore waste millions of dollars whilst each app creates their own widget toolkit to get a distinctive look. The web recognises the importance of style from the get-go.

There are many things web apps cannot do, but perhaps to bring about the fundamental improvements I talked about in a previous entry the right solution is to extend the web (as opposed to Luis’ approach of making a client side platform that has the same advantages as the web).

the global baby bust

The global baby bust

Summary: Most people think overpopulation is one of the worst dangers facing the globe. In fact, the opposite is true. As countries get richer, their populations age and their birthrates plummet. And this is not just a problem of rich countries: the developing world is also getting older fast. Falling birthrates might seem beneficial, but the economic and social price is too steep to pay. The right policies could help turn the tide, but only if enacted before it’s too late.