Prof. Lenz has posted a reaction on my previous entry:
If a DRM system is based on obscurity, it violates basic crypto design principles. See Wikipedia on Kerckhoffs’s Law.
Indeed, that is exactly what DRM does – from Cory Doctorow’s DRM paper: “Because DRM is based on ‘security through obscurity’ — that is, in hiding from a user the way that it works — it is inevitably broken in short order [...].” Ernest Miller’s commentary on Engadget’s Jack Valenti interview refers to exactly this problem: Valenti thinks the problems with DRM will be solved with stronger algorithms – Miller comments that Valenti is “unclear on how cryptography works,” meaning that stronger algorithms alone won’t take the flaws in the DRM threat model away.
Actually, one advantage of open source software for security-related programming is exactly that it follows Kerckhoffs’s Law by default.
So, if there is any influence the development model has on the effectiveness of DRM, it is probably the other way around.
I am sure it’s impossible to move DRM systems away from the “security through obscurity” approach (cfr. supra): they would simply stop functioning as DRM. So yes, in the case of DRM, open source production does mean that people are able to hack through the DRM even faster.
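As an added illustration of the point above (example code, not from the original post or from any real DRM product): a toy Python model of the two threat models. In ordinary messaging the algorithm is public and only the key is secret, exactly as Kerckhoffs’s Law asks; in the DRM design the recipient is the user’s player, and the player must carry the key to render anything, so the only thing standing between the user and the key is the obscurity of the player itself. The stream cipher, the keys, the sample content and the `Player` class with its `_licence_key` attribute are all constructed for this illustration and stand in for nothing in particular.

```python
# Added example, not from the original post or any real DRM system: a toy
# model of why a DRM client cannot satisfy Kerckhoffs's principle.
# The cipher (SHA-256 counter-mode keystream) is for illustration only.
import hashlib
import os

KEY_LEN = 16  # bytes; a 128-bit key for the illustration


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || 8-byte counter) blocks, truncated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same function decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


decrypt = encrypt


# Design 1: confidential messaging. The algorithm (this file) is public, the
# key is known only to sender and recipient, and the adversary is a third party.
def third_party_can_read(ciphertext: bytes, plaintext: bytes, guessed_key: bytes) -> bool:
    """The adversary knows the algorithm but has to guess the key; with a
    128-bit key the generic attack is ~2**128 trials, so one guess fails."""
    return decrypt(guessed_key, ciphertext) == plaintext


# Design 2: DRM. The recipient is the user's player, and the user is the very
# party the scheme wants to restrict. To play content the player must hold
# the key, so the key is delivered to the adversary's own machine.
class Player:
    """Constructed stand-in for a DRM client. The licence key is 'hidden'
    only as an internal attribute, which models obfuscation, not secrecy."""

    def __init__(self, licence_key: bytes, allowed_plays: int):
        self._licence_key = licence_key
        self._allowed_plays = allowed_plays

    def play(self, ciphertext: bytes) -> bytes:
        """The usage policy is enforced here, next to the key it guards."""
        if self._allowed_plays <= 0:
            raise PermissionError("licence exhausted")
        self._allowed_plays -= 1
        return decrypt(self._licence_key, ciphertext)


def player_secret_suffices(player: Player, ciphertext: bytes) -> bytes:
    """What the DRM threat model must assume: whatever the player can do with
    the key it carries, the person holding the player can do as well, with or
    without the play counter. Returns the content the shipped key unlocks."""
    return decrypt(player._licence_key, ciphertext)


def demo() -> bool:
    content = b"constructed sample track"      # constructed sample content
    key = os.urandom(KEY_LEN)
    ct = encrypt(key, content)
    # Design 1: a third party with the algorithm but the wrong key reads nothing.
    design1_holds = not third_party_can_read(ct, content, os.urandom(KEY_LEN))
    # Design 2: the player renders once, then refuses, but the key it carries
    # still unlocks the content, so confidentiality against the user never held.
    player = Player(key, allowed_plays=1)
    played = player.play(ct) == content
    design2_holds = player_secret_suffices(player, ct) != content
    return design1_holds and played and not design2_holds


if __name__ == "__main__":
    print("Kerckhoffs-compliant design keeps its secret; DRM design does not:", demo())
```

The two functions `third_party_can_read` and `player_secret_suffices` are the whole argument: in the first design the adversary is missing the one thing that matters, in the second the adversary has been handed it, and no stronger cipher changes that, because the cipher was never the weak point.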
Doctorow believes that no DRM can be effective, ever. [...]
So do I. I don’t believe there is a non-hackable type of DRM. This doesn’t mean, however, that all DRM systems can be hacked right now – ploughing through obfuscated code takes time. It also doesn’t mean that all DRM systems whose flaws are known are constantly compromised: most of them “work” fine (cfr. the DRM inside chaku-uta, game cartridges, iTunes songs, etc.), simply because the consumer doesn’t care, or doesn’t know any better. And the DRM-deploying entertainment business knows that too.