Technology, Business & Cool Toys

Sun’s DReaM project, billed as an open source DRM format, smells like something that was dreamed up by Sun’s management without sufficient input from its engineers. It seems to me that if we use the term “open” in its ordinary sense–i.e. a publicly available standard that anyone is free to implement–“open DRM” is a contradiction in terms. DRM depends on its implementation details being secret in order to prevent unauthorized parties from accessing the content. My guess is that Sun’s management is on a kick to make all of their products more “open” and figured that if we can have open operating systems and open processors, why not DRM?

This hunch was confirmed by their recently released overview of the project. Consider this passage, for example:

Historically, proprietary end-to-end architectures have relied upon obscurity to avoid being cracked. Such systems are based upon a false foundation of security promises. Such systems have been cracked and will continue to be breached. Additionally, the opaque nature of these systems has led to monolithic system architectures (by nature) that presume delivery by a single vendor, which inherently increases costs through the lack of interoperability and adds difficulty when attempting to substitute one supplier for another. DReaM promotes the view that open system architectures will present greater opportunities for review and discussion of technology choices so that shortcomings can be better evaluated and corrected (“review & repair” versus “hope & pray”) to provide the greatest protection possible.

This is an argument that you’ll commonly hear in defense of open encryption standards. And in that domain, it’s absolutely correct: today’s best encryption standards rely on only the encryption key being a secret. Everything else about the internal workings of the standard are publicly available. That allows security researchers to examine and correct any flaws discovered in the algorithm. The oldest and most widely-used encryption standards are the most likely to be secure, because they’ve received the most scrutiny, and so the odds of someone finding a flaw in the future are quite small.

Whoever wrote this DReaM overview clearly took the standard argument for open crypto and applied it to DRM. He missed the fact that the problem that DRM is trying to solve is fundamentally different from the problem that traditional crypto is trying to solve.

Continue reading →

SHARE:

Steve Jobs is just a fountain of anti-DRM quotes. You might recall his 2003 comment that protecting digital content was impossible. Then there’s this comment from 2002:

Apple CEO Steve Jobs offered a critical view of the recording industry in an interview, following Apple’s acceptance of a technical Grammy award from the National Academy of Recording Arts and Sciences last week. As reported by Don Clark of The Wall Street Journal, Jobs suggested that recording labels need to make it easier for consumers to use their own music however they want. “If you legally acquire music, you need to have the right to manage it on all other devices that you own,” said Jobs.

I guess that by “all other devices,” he meant “devices manufactured by Apple.” And “however they want” meant “however the DRM maker wants them to.” Or maybe he changed his tune after he realized that DRM would help to make him the most powerful man in the music industry.

SHARE: 2 comments

Esther Dyson has an op-ed in the New York Times defending GoodMail. I agree with her insofar as she’s arguing this is an experiment worth trying, and that consumers are free to choose a different email service if they don’t like it. I think the anti-corporate hordes attacking this as the end of the open Internet are rather dramatically overstating their case.

However, on the merits of GoodMail itself, I don’t find her argument very persuasive. In particular, I don’t buy this part:

In the short run, AOL and others will serve as the recipients’ proxies. If they don’t do a good job of ensuring that customers get the mail they want, even from nonpaying senders, they will lose their customers. And in the long run, recipients will be able to use services like Goodmail to set their own prices for receiving mail. In my case, I’d have a list. I’d charge nothing for people I know, 50 cents for anyone new (though if I add the sender to my list after reading the mail, I’ll cancel the 50 cents) and $3 for random advertisers. Ex-boyfriends pay $10.

Although this concept sounds appealing in the abstract, I suspect she’d turn it off in a matter of days. After all, a very effective anti-spam solution, challenge/response filtering has been available for years. Such a system will be just as effective as Dyson’s hypothetical pay-for-email scheme at deterring spam, and it has the advantage of not irritating friends who are forced to sign up for some micropayment system. Yet hardly anyone uses it, because it’s too much of a hassle.

The fact is, we all get email from previously unknown addresses that we want to receive–receipts from online shopping, email lists, emails from long-lost friends, notifications from friends of changing addresses, etc. Any anti-spam system that requires the sender to do additional work (or pay extra) to send us email reduces the chance that such email will get through. And for at least certain classes of messages, that can be a serious problem. Which means that you’d have to look through your rejected emails periodically to ensure that none fell through the cracks.

The fundamental problem with these kinds of schemes is that they’re supposed to reduce the hassle of exchanging email. But while it may eliminate the hassle of dealing with spam, it introduces new and probably more significant hassles connected to the payment system. That’s not going to make anyone’s lives easier.

SHARE:

Cnet claims that Windows Vista “has the potential to demote spyware from a security priority to an afterthought.” Color me skeptical.

To be sure, Microsoft appears to be doing many of the right things. Users will no longer run as the administrative user by default, and Internet Explorer is getting an overhaul. When combined with a multitude of bug-fixes and a good firewall and anti-virus software, this will certainly cut down on the spyware problem.

But the article misses the point that spyware is fundamentally a problem of social engineering, not technology. Much of the time, spyware gets onto a user’s computer by deceiving the user about its origins or contents. All the technological improvements in the world won’t help the user who thinks she’s downloading, say, a new screen saver, without realizing that it has spyware attached. The user will now have to enter a password before the spyware will be installed, but if she was trying to install the software anyway, that’s not likely to protect her.

Moreover, the task of plugging all the holes in a previously insecure operating system is much harder than designing it to be secure in the first place. For example, a common vector of virii are ActiveX controls, a Windows-based browser plug-in that allows web pages to have interactive content. Because it’s tightly integrated with Windows, ActiveX is full of bugs that threaten the operating system’s security. Yet Microsoft cannot simply remove ActiveX because thousands of web pages use the technology. So they’re doing their best to patch up an inherently insecure technology.

So I think it’s great that Microsoft is taking security more seriously, and I hope they’re successful. But I don’t think spyware on Windows will be an afterthought any time soon.

SHARE: 2 comments

From IBM, the company that (allegedly) once told us there’s a world market for five computers, we now learn that the era of the “next big thing” is over:

“The fact is that innovation was a little different in the 20th century. It’s not easy (now) to come up with greater and different things,” Donofrio said. “If you’re looking for the next big thing, stop looking. There’s no such thing as the next big thing,” he added. That is not to say that the 21st century does not also require invention, creation and discovery, he said. But these days, people are looking for value that arises from a creation and not just looking at technology for its sake, he explained.

I don’t understand what the point of making statements like that. By definition, innovation consists of developing or discovering things that people previously didn’t know about. So the fact that Mr. Donofrio can’t think of any inventions simply means that the present era is exactly like all previous eras.

Here’s my prediction: we’re going to see several revolutionary technologies invented in the next 50 years. We don’t know what they are today, but they’ll seem obvious in hindsight.

SHARE: 6 comments

Google’s acquisition of Writely is another data point in support of Paul Graham’s thesis that hiring is obsolete. In a brilliant essay (and really, all of his essays are brilliant), he argues that for the smartest folks in the IT industry, it no longer makes sense to get a job at a big company:

The most productive young people will always be undervalued by large organizations, because the young have no performance to measure yet, and any error in guessing their ability will tend toward the mean. What’s an especially productive 22 year old to do? One thing you can do is go over the heads of organizations, directly to the users. Any company that hires you is, economically, acting as a proxy for the customer. The rate at which they value you (though they may not consciously realize it) is an attempt to guess your value to the user. But there’s a way to appeal their judgement. If you want, you can opt to be valued directly by users, by starting your own company. The market is a lot more discerning than any employer. And it is completely non-discriminatory. On the Internet, nobody knows you’re a dog. And more to the point, nobody knows you’re 22. All users care about is whether your site or software gives them what they want. They don’t care if the person behind it is a high school kid.

Graham thinks this model is the future:

I think this sort of thing will happen more and more, and that it will be better for everyone. It’s obviously better for the people who start the startup, because they get a big chunk of money up front. But I think it will be better for the acquirers too. The central problem in big companies, and the main reason they’re so much less productive than small companies, is the difficulty of valuing each person’s work. Buying larval startups solves that problem for them: the acquirer doesn’t pay till the developers have proven themselves. They’re protected on the downside, and they still get most of the upside.

SHARE: 4 comments

James DeLong links to a ridiculous Larry Ellison quote about open source software:

“Open source becomes successful when major industrial corporations invest heavily in that open source project,” Ellison said at a Tokyo news conference. “Every open source product that has become tremendously successful became successful because of huge dollar investments from commercial IT operations like IBM and Intel and Oracle and others,” he said. He highlighted his own company’s work in developing and promoting Linux, and said the operating system would not have enjoyed the success that it has without vendor backing. “There’s a lot of romantic notions about open source,” Ellison said. “That just from the air these developers contribute and don’t charge. Let me tell you the names of the companies that developed Linux: IBM, Intel, Oracle–not a community of people who think everything should be free. Open source is not a communist movement.”

Obviously, if a company sinks a billion dollars into a software project, it’s going to cause some improvements. But only a legendary blowhard like Ellison could believe that because his company donated some programmer time to the project that they therefore deserve all the credit for its success. In the first place, Linux is 15 years old. It didn’t begin receiving serious corporate support until 1999 or 2000–long after it had become a fully functional operating system. In the second place, “Linux” is not monolithic. Oracle has done work on the aspects of Linux that benefit his company, such as the file system. Other companies have done work on other aspects of the operating system. There are still other aspects that are still the province of volunteers.

So obviously, Linux would not have been as successful in the aspects that Oracle worked on without Oracle’s help. But so what? The same is true of each of the volunteers who contribute to various parts of the operating system. It makes no more sense to say that Linux is a purely corporate project than to say it’s an entirely volunteer-driven one. They both contribute, and they both deserve credit.

More to the point, Linux is the exception. Most open source projects do not receive substantial corporate support, just as Linux did not until after it had matured into a full-functional operating system. Perl, Apache, BIND, SendMail, Samba, the GNU tools, PostgreSQL, Python, PHP, CUPS, and dozens of other products are are all primarily decentralized, volunteer-driven efforts. And, in case these are not familiar names, these are all wildly successful open source products. They’re used daily by millions of people.

Of course, from Ellison’s perspective, a product isn’t “successful” until it generates a bunch of revenue on a coprorate balance sheet. But that’s precisely the point: for open source projects, the measure of success is how uesful it is, not how profitable it is. I realize it’s hard for Mr. Ellison to imagine that anyone could ever be motivated by anything other than money, but strangely enough, there really are people who enjoy developing software solely for the intellectual challenge it presents, and the pleasure of seeing it used by others.

Personally, I think contributing to a major open source software project sounds like a lot of fun, and I wish I had the time and expertise to do it. I guess that makes me a communist.

SHARE: 8 comments

I haven’t checked Declan’s site in a few days, but I see that he’s posted a couple of insightful emails about the Yahoo/AOL/Goodmail pay-for-email program I last week:

Imagine that you are an online service that needs to ensure that a customer order confirmation, or an equivalent critical transaction message, is delivered to the customer. Then imagine that you are offered a means of safely and reliably identifying this specific class of mail, so that it receives differential handling. The incentives for a company to pay to ensure that delivery are substantial. And that is what the recent announcement is about. It concerns a means of ensuring delivery of “transactional” mail. This is quite different from “marketing” mail and it is not in the least controversial.

This makes a lot more sense to me, and it makes me think my previous comments criticizing the program were too hasty. I thought it was a bad idea because much of the media coverage suggested that AOL’s long-term goal was to make all commercial bulk emailers pay postage if they wanted to reach AOL users. But it sounds like the purpose is rather different: it guarantees that high-value content like travel itineraries and bank statements will get through spam filters, while the treatment of other mail remains unchanged.

This is particularly important because many spammers do their best to emulate legitimate documents like bank statements, in the hopes of tricking users into clicking them. That makes it difficult for spam filters to tell the difference, and raises the risks of both false positives and false negatives. Not only do users benefit by getting their email expeditiously, but more importantly, the email would come with a “seal of approval” that will assure the user that the email is genuine.

If Declan’s commenter is right, this is not primarily about marketing emails, as the media reports I read implied. And it certainly isn’t targeted at bulk email in general. While companies certainly could use this service to ensure their monthly emails and such get through, many are likely to conclude it’s not worth the expense: 95% of their email likely makes it through already, and it’s probably not worth the cost to reach that final 5%. But on the other hand, when I purchase an airplane ticket, it’s pretty important that my itinerary reach my inbox. I bet Travelocity will be more than happy to kick in a quarter of a penny to make sure it reaches me.

So I take it back: this does sound like a promising concept. I should have done more digging before badmouthing it.

SHARE: