DRM: Delusional Restrictions Management

I tried Ruckus a couple of weeks ago. It's actually a pretty cool service. They have a fairly wide catalog that contains enough — though definitely not all — of the music I like. At first, using Ruckus feels like stealing — you can get pretty much whatever music you want instantaneously. Slowly, though, I began to realize how it is that they can offer this service for free. Ruckus is laden with ads, and their music is shackled with digital rights management (DRM) software.

When you download music on Ruckus, you can only play it in the Ruckus Player software. The Ruckus player looks a bit like iTunes, but it is decidedly not the same. You can't burn your free music to a CD, you can't play it in iTunes and you certainly can't put it on an iPod. Ruckus uses DRM software to prevent you from doing any of these things because no one would pay for music otherwise.

DRM technology is basically encryption. Encryption methods try to make information unintelligible to unauthorized eyes, making them useful to Intelligence agencies like the CIA, which often want to send messages that are only readable by the intended recipient. They encrypt messages with some cipher using a password known only to them and the intended recipient. Similarly, DRM attempts to make music unintelligible to unauthorized devices and players. It does this by encrypting music with a secret password known only to approved players, so only the right devices can read the message, so to speak.

When a company like Ruckus or Apple employs a DRM strategy (music you buy on iTunes also has DRM software built in), they are trying to balance several competing goals. Apple, for example, needs to restrict your use of the music you buy in some ways so that record labels will allow them to sell it for 99 cents a track. Apple also wants you to have as much freedom as possible so that you feel their music is worth your money. But you shouldn't have too much freedom — if you could give your music to your friends then your friends would never buy music from Apple. Moreover, they need to employ a cipher that is not too complicated. Your iPod needs to be able to make sense of DRMed music; if the cipher were too complicated, then deciphering your music would be beyond the iPod's capabilities.

In balancing competing goals, Apple and Ruckus have made sacrifices. To ensure that the iTunes/iPod user experience was a pleasant one, Apple sacrificed a bit on the security of its FairPlay DRM software. As a result, there is freely available software that can remove the FairPlay DRM from iTunes music. To guarantee that their music would play on a wide range of devices, Ruckus chose Microsoft's PlaysForSure DRM. As many students know, free software called FairUse4WM is capable of stripping PlaysForSure.

The ciphers used by FairPlay and PlaysForSure are good ones — assuming you don't know the password, they are probably impossible to crack. FairUse4WM uses a clever workaround to avoid this problem. By leveraging a security flaw in Windows XP, FairUse4WM learns the password needed to decipher the music. Once it has the password, FairUse4WM can decipher all your free Ruckus tunes.

The point is a simple one — DRM is always part of a larger distribution system. The security of any system is limited by that of its most insecure piece. It does not matter how many deadbolts are on your door if your windows are open.

Every media distribution system, whether for music or movies, has left at least one window wide open. No matter how many restrictions your digital rights manage, you've got to let me play your music. If I can't play it, then it has no value to me, and I'd never pay for it. But if I can play it, then I can record it. Maybe I point a camera at my TV. Maybe I get elaborate recording software for my computer. It only takes one person with good enough recording equipment to leak high-quality DRM-free media to the Internet.