The next document format battleground [LWN.net]

Recent weeks have seen a great deal of debate over Microsoft's OpenXML document format. This format, which is headed for standard status, is a complex beast. Some have questioned whether it will ever be able to create independent implementations of OpenXML which are truly interoperable with each other. Others ask whether it is right for the free software community to even try. To many members of our community, the right path is to encourage the use of OpenDocument, which already has standard status and implementations in free software. Why get onto another document format treadmill when a better solution is already available?

These questions are valid, they deserve full consideration. But they may also, to an extent, be missing the real point. It is entirely possible that the document format battles are done; even if OpenXML is not a perfect standard, it is far more open than its predecessors. While Microsoft is not inclined to make life easy for those who would interoperate with its file formats, the company may well have realized that obscure formats have outlived their usefulness as a way of maintaining desktop domination. This might just be a battle we have won, even if the victory is rather more messy than we would like.

Before we charter an aircraft carrier for our "mission accomplished" party, however, it is worth reflecting on different forms this fight could take in the future. Cory Doctorow gave us a good hint in this InformationWeek article on "information rights management." IRM is a feature touted by Microsoft for a few years now which has the potential to complicate life considerably in the future.

IRM offers some interesting features to people who are worried about the information they put into their documents, presentations, and spreadsheets. With IRM, the document owner can specify exactly who can read a particular file, and under what conditions. Access can have an expiration time attached to it - or it can be revoked at any time. Actions like printing can be restricted. For anybody who feels the need to control information, these features cannot fail to be appealing.

But these features only work if the client plays along, and free software clients have not always distinguished themselves in this area. Or, rather, they have distinguished themselves very well by serving the needs of their users. Even if a programmer implements the "this document can only be printed once" flag, somebody else, perhaps after having lost their one printing opportunity to a particularly nasty paper jam, will hack it out. Clearly, Microsoft must prevent the creation of free applications which can read IRM-protected documents or it will be unable to live up to the promises it has made for that technology.

Microsoft has a couple of weapons at its disposal (beyond pure obscurity) which can be used against any potential free IRM implementation. One is the DMCA, which, in the US (and countries which have implemented similar laws), can be employed against those who bypass access restriction mechanisms. Anybody who posted code that, say, allowed the user to cut and paste text out of an IRM-protected document would likely face an unpleasant reception in the US. They would be in a situation much like that faced by Dmitry Sklyarov, who bypassed similar restrictions in PDF files, a few years ago.

Of course, the Sklyarov case did not necessarily work to Adobe's advantage in the end, and Microsoft might wish to avoid a similar storm of bad publicity. So, as Cory's article points out, Microsoft might pursue a different option: the use of the trusted computing module (TPM) increasingly being built into new computers. With the remote attestation feature of the TPM, it is possible to refuse to pass decryption keys to any system which cannot be shown to be running approved software. This system would be quite tight and hard to defeat - it might just work. And it would no longer matter how "open" the document format is.

The full remote attestation scenario requires the cooperation of the entire system, starting with a "secure" BIOS which initializes the TPM properly. Most systems do not currently operate in this mode, so the realization of this threat will not happen in the immediate future. One should not, however, forget that the TPM has been designed to support just this mode of operation. It does not take all that much paranoia to imagine that these capabilities will not go unused forever. "Trusted computing" has yet to touch most of us, but we ignore it at great risk. Among other things, it could make the current discussion of open document formats entirely moot.

(Log in to post comments)

The next document format battleground

Posted Dec 14, 2006 5:16 UTC (Thu) by khim (subscriber, #9252) [Link]

This generation of "trusted systems" will not work. The sad truth is that it'll probably work good enough to make a lot of people miserable but not good enough to stop "pirates".

How ? Why ? Take a look on Nintendo DS and PSP. Both consoles are implementing this kind of protection: you can only run "trusted", "signed" code. Result ? Both are cracked. PSP was cracked via buffer overflow so it's not so interesting, but DS was cracked in pretty ingenious way: bypass device is first feeding the device with "correct" data (to make TPM-like part of it happy) and then - hacked version (presumably from the same memory location; or so DS thinks).

This kind of attack will work for any TPM-enabled system (as long as CPU and TPM are separate and you can put switch device between memory, TPM and CPU) - but the next generation is not so easy to crack...

puddles [OT]

Posted Dec 19, 2006 3:55 UTC (Tue) by roelofs (subscriber, #2599) [Link]

I wonder who will be the first high profile person to fall victim to the scenario of "I dropped my laptop in a puddle and destroyed it and now I can't read the backups of my documents" ?

Laptops appear to be considerably more robust against such treatment than one might naively expect. A cow-orker has twice drowned his (left sitting in a backpack with several inches of water at the bottom), and after drying it out a bit, he found that it continued (and continues) to run. The only real drawback was the water that seeped into the LCD-display layers (ugly but readable display), and even that went away after a few weeks.

Of course, if the laptop happened to be running at the time, or if its battery happened to live on that side of the case, then maybe it wouldn't have been so pretty...

Greg

The next document format battleground

Posted Dec 22, 2006 16:17 UTC (Fri) by langerlui (guest, #42376) [Link]

Some of the 'advantages' of IRM can be observed already today within M$ office:
- When you have a document with embedded fonts, the system will not allow you to edit the document (since fonts are protected by copyright).
- If you skip one version of the software (e.g. go from Office 2000 to Office 2003 by skipping Office XP), many documents (e.g.those with embedded fonts) will not open at all.
So IRM is also a means to deny users access to their own documents, not to speak of the preservation issues.

IRM _not_ aimed at the home user

Posted Dec 21, 2006 13:05 UTC (Thu) by robbe (guest, #16131) [Link]

Some people in this thread (marduk, felixfix) seem to assume that
this feature is aimed at the home user. But think about the "corporate
desktop" for a moment -- a significant percentage of IT managers are
drooling about this control fantasy.

As the TPM bit is appearing in mass-market hardware today, I think the
price premium in two or three years will be small or non-existent. The
software using it will probably cost more, but said managers will gladly
pay for the added control.

End-user hassle is not that imporant, because they will just be forced by
their bosses. Compare it to other "security features" like, say, having
to change your password every 7 days: PITA, may not make you more secure,
but looks good in reports for upper management and stockholders!

The next document format battleground

Posted Dec 14, 2006 15:07 UTC (Thu) by yodermk (subscriber, #3803) [Link]

Can anyone clarify how this IRM will work with an open format? I'm not sure I fully understand it. Some scenarios ...

Ok, so you have an OpenXML format that is "protected." Would it be true that only a process that is known to be "good" can open it? Would there be something like SELinux in the Windows kernel that gives certain processes the ability to read these files? I assume Notepad could not open it? Or WinSCP to copy it to a Linux box?

Could one use the Windows file manager to copy it to a USB flash drive? Could the NTFS driver under Linux read it? If so, would it not get the same OpenXML file?

Or would the whole file be stored encrypted on disk, in which case it isn't exactly XML or "open"?

TPM, DRM, IRM won't pass the DivX test

Posted Dec 14, 2006 16:20 UTC (Thu) by felixfix (subscriber, #242) [Link]

Does anyone remember DivX, the original one? Special DVDs which disintegrated after 48 hours, which required special DVD players which cost $100 more, which required a phone line to phone home with the DVD registration, and which would not let you play the DVD on any player other than the one it was first played on?

Imagine the poor salesman trying to explain to a customer why he should spend $100 extra for a player which restricts your choices and has to be near a phone. Not only can't your kids take the rented DVD into their bedroom to watch it a second time, they can't take it to their neighbor's house either. That would be mighty popular, and can you imagine the poor frazzled parent caught by surprise by this feature? And try to explain to the video rental store owner why he should stock DVDs that the customer doesn't have to bring back, and why it is a good thing that the customer doesn't get an easy chance to rent another.

Now imagine how well things would have gone if the salesman had tried to hide those facts. Even if only 1 out of 100 customers had griped and demanded their money back, it would have been a disaster for the stores, losing money on every complaint, scaring off potential customers who saw the angry slow moving complaint line running out the door, and souring their reputation for years.

The same thing will happen with TPM and DRM and IRM. Imagine even 1 out of 100 customers calling Dell to complain they can't do something they used to be able to do with their old computer and being told it's because of the new TPM and DRM and IRM that the customer did not have to deal with on their old computer. Enough people will demand their money back to get class action lawyers excited, and the mere prospect of that will make Dell think twice about refusing refunds.

This DRM stuff WILL NOT FLY. It's like speeding laws. You can catch one or two speeders and hope the rest slow down a little, but if you actually tried to enforce the speeding laws, if cars actually had to be built with computerized government controlled governors which could not speed, enough people would stop buying new cars that retrofits would be required, and then all hell would break loose. It simply would not work. SPeed limits would be raised and/or the governors would be ripped out.

Sheeple will only put up with so much.

TPM, DRM, IRM won't pass the DivX test

Posted Dec 15, 2006 16:52 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

I think you misinterpret the demise of Divx. The sales pitch for Divx is easy: you pay an extra $5 for a machine (the actual cost of adding the technology to a player in mass production), an extra $1 for a video rental, and suffer the inconvenience of the player using your phone line. In return, you can skip the return trip to the video store and pay for only one night even if it takes you 3 days to get around to watching it and another 2 to get back to the video store. Furthermore, today's new releases would always be on the shelf.

I think that would have been hugely popular.

The number of video renters who watch a movie on multiple machines in one day is small enough not to matter.

But Divx was a spectacular failure. The reason: marketing. It only had one major backer, Circuit City, which had no presence in the video rental market. CC does equipment and video sales. Indeed, the original sales pitch was not what I said above, but, "Add a DVD to your collection for under $5 (and then in small print: plus $2 every time you watch it). Even though even that, with the extra $100, was probably cheaper than what video collectors do today, that form of ownership definitely did not satisfy video collector psychology, and it flopped.

Video rental dealers were upset about the loss of return trips, not to mention accidental multi-day rentals, but that wouldn't have mattered because as in any competitive market, sellers don't get to choose what they sell.

The Divx analogy doesn't apply to the matter of people unwittingly buying new computers with TPM that won't do everything the old computers did. With a Divx upgrade, you're not giving up anything -- if you pay the one-viewing price for a Divx disk, it's perfectly obvious that you're getting only one viewing. If you want an unlimited copy, you can get that too for the traditional unlimited copy price.

I think the public will sell out its rights to do flexible things with software pretty cheaply and IRM will be hugely popular, just as Divx would have been if not for the marketing failure.

off topic

Posted Dec 18, 2006 13:46 UTC (Mon) by gravious (guest, #7662) [Link]

sheeple :)