What is DRM doing in my garage? (arstechnica.com)
100 points by kmod on Dec 20, 2009 | hide | past | favorite | 9 comments


This article is really interesting. It made me think about something I was reading yesterday and how these legal principles might apply.

Emotiv is about to release their epoc brain-computer interface headset that uses EEG technology to attempt to divine intentions and emotions from thought alone. It has 14 electrodes and costs $299. You can read more about it at http://emotiv.com.

Anyway, the concept seems very interesting to me, and I was thinking it would be cool to use it for research or to play around with the SDK that it comes with. However, it turns out that the SDK only includes "interpreted" data from Emotiv's software, not the raw EEG data. For that, you have to pay $7500 for a license (or $2500 if you're a research institution), even though it sounds like it's the exact same device.

IANAL, but this article makes it sound like it would not be illegal to buy one and then circumvent whatever DRM scheme they've likely implemented to capture the raw data and use it however you want. In particular, these two lines about Lexmark's attempt to restrict 3rd party cartridges:

Because Lexmark's DRM only blocked access to the functions of the printer, not access to any copyrightable code, the court was unwilling to give its lockout behavior DMCA protection.

The judge concluded that "patent holders may not invoke patent law to enforce restrictions on the post-sale use of their patented product. After the first authorized sale to a purchaser who buys for use in the ordinary pursuits of life, a patent holder's patent rights have been exhausted... Because Lexmark's patent rights in its toner cartridges were exhausted by the authorized, unconditional sales of the cartridges to end users, Lexmark's attempt to impose single-use restrictions on the cartridges fails."

I'd love to hear what others think about the subject.


A friend of mine bought the Emotiv SDK (the one with 16 electrodes) and mentioned that they are being extremely protective/restrictive on what you can do with the device (he also said it is very promising but the technology still needs a lot of work).

What I suspect is that the device, if it could reach real mass-production, would be very inexpensive to make, thus they are putting in all kind of pitfalls to prospective competitors.

Not that one can blame them for being so protective, but it could backfire in the long run, if a nimble competitor open sources most of the software and focuses on hardware or, at the very least, makes developers' jobs easier.


IANAL, but this article makes it sound like it would not be illegal to buy one and then circumvent whatever DRM scheme they've likely implemented to capture the raw data and use it however you want.

Based on the article, they will have a hard time! Emotiv's product is amazing, but at this stage what they are letting through to developers is breadcrumbs. I am not sure - based on lurking in the forums for a while - if the EEG technology is controlling the outcome or if it is mostly the gyroscope with a little support perhaps from the EEG technology.


> only includes "interpreted" data from Emotiv's software, not the raw EEG data. For that, you have to pay $7500...

http://www.fsf.org/blogs/community/antifeatures

Reverse the specs, publish anonymously, screw the bastards where it hurts.


I think the article misses a critical point; to make a universal remote, no copying of any copyrighted material takes place. To activate a garage door opener, no copying of any copyrighted material takes place. So... copyright law simply does not apply; no copying is happening!

(The reason that software EULAs are theoretically valid is because you are making a copy of the computer program when you click the icon; from disk into memory. Since this copying is theoretically illegal the EULA allows it if you agree to certain conditions. I say "theoretically" because the law does not say this anywhere, and no US federal court has ever upheld this. But when you use a remote control to activate your garage door, there is no copying happening, so this is completely irrelevant.)

So anyway, non-issue. You can say whatever you want in an instruction manual -- but that doesn't mean it wouldn't be laughed out of court in 30 seconds if you tried to enforce it. My advice is to not do business with slimy vendors like this, however.

It is also worth noting that anyone who has ever been near a math textbook can design an algorithm to make it impossible for burglars to execute replay attacks on the garage door. The manufacturer is trying to solve a math problem with copyright law, which is dumb, plain and simple.


I thought that was the exact point the article was making. For example:

In addition, Skylink argued that the rolling code was not DRM, since it did not protect access to some copyrighted computer code but to "an uncopyrightable process" (the opening of a garage door).

and:

By way of example, DVDs marked 'for home use' or 'non-commercial private use only' are not legally restricted as such. Unless there is a contract, those representations are not true. A given use, e.g., classroom showing, is permitted or infringing depending on copyright law, not what is printed on the packaging—unless there is a contract including that restriction. Rightsholders still print such claims on the packaging, however. They might as well print that infringers are obligated to forfeit their first-born child.


Hmm, must have skimmed past that...


This problem seems trivial at first, but what if the garage door opener runs out of batteries? Synchronization is lost then. Some method of resyncing has to be provided. It looks like that is what Skylink is taking advantage of. This backdoor seems like a built-in mechanism to resync the garage door opener.

It isn't really a math problem. This is real-world engineering. One has to weigh the cost and added benefit of the myriad of possible solutions. I agree with you that the company shouldn't resort to strong-arm legal tactics to keep its products secure, though.


The garage door opener in question is weak. It has rolling codes to deter replay attack, but its behavior in "resynch" mode is a classic example of security by obscurity: "Send two incorrect codes, then another off by three."

If you're going to have a protection against replay attacks, why are you going to have a resynch scheme so vulnerable? This may or may not be vulnerable to replay attacks, but it sounds like something kids would use to authenticate entry to a treehouse!

This is especially sad, since freely available block ciphers could do a fine job with a challenge-response protocol, and wouldn't require a resynch function. One could assume that both the opener and the remote are securely in the hands of the owner, so both could be programmed with the same secret key.

Even without challenge-response, a more robust protocol should be possible with a little memory and a time stamp. Just keep a list of the last few days' successful attempts, and don't accept any already sent. The encrypted hourly time stamp would be incorporated into the encoded passphrase, and a passphrase from the hour before or hour after would be accepted. A passphrase might consist of a number appended to its inverse, appended to the timestamp.

The attacker cannot overrun the successful attempt record, because she cannot produce a new successful attempt without the symmetric key, and replaying the old one doesn't do anything.

To make this proof against losing the time synch, just do two things: 1) have the opener adopt the timestamp of the last successful attempt and 2) provide a time-resynch passphrase, which is activated by a different button, and which also results in an "already used" record in the case of a successful attempt.

EDIT: It's gotten to the point that I can imagine the lack of an idiotic law like the DMCA could be a strategic advantage for some other country, which will result in far greater technical innovation. (China, perhaps?)
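The timestamp-plus-memory scheme sketched in the comment above, written out as an added example (not the commenter's code, and not anything Chamberlain or Skylink ship). It assumes a constructed shared key, hour-granularity timestamps supplied as plain integers, and swaps the comment's "encrypted number plus its inverse" for a random nonce under HMAC-SHA256, which gives the opener the same unforgeability it needs to keep its list of used passphrases meaningful.

```python
import hmac, hashlib, os

# Constructed shared secret for the demo; a real remote/opener pair would be
# provisioned with a random key at manufacture.
KEY = bytes(range(16))
WINDOW = 1          # accept the hour before and after the opener's clock
RETAIN_HOURS = 72   # remember successful "open" attempts for a few days

def passphrase(key, hour, kind=b"open", nonce=None):
    """Remote side: bind a fresh random number to the hourly timestamp
    under the shared key. HMAC stands in for the comment's encryption step;
    kind is b"open" (normal button) or b"resync" (the separate resync button)."""
    nonce = os.urandom(8) if nonce is None else nonce
    msg = kind + hour.to_bytes(4, "big") + nonce
    return (kind, hour, nonce, hmac.new(key, msg, hashlib.sha256).digest())

class Opener:
    def __init__(self, key, clock_hour):
        self.key, self.clock_hour = key, clock_hour
        self.seen = {}   # tag -> (kind, hour) of every accepted attempt

    def receive(self, kind, hour, nonce, tag):
        msg = kind + hour.to_bytes(4, "big") + nonce
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False                      # forged or corrupted
        if kind == b"open" and abs(hour - self.clock_hour) > WINDOW:
            return False                      # stale, or clocks drifted apart
        if kind not in (b"open", b"resync") or tag in self.seen:
            return False                      # unknown button, or a replay
        self.seen[tag] = (kind, hour)         # record it as "already used"
        self.clock_hour = hour                # adopt timestamp of last success
        self._prune()
        return True

    def _prune(self):
        # "open" records age out after a few days; "resync" records are kept so
        # an old resync message can never be replayed to roll the clock back.
        self.seen = {t: (k, h) for t, (k, h) in self.seen.items()
                     if k == b"resync" or self.clock_hour - h <= RETAIN_HOURS}

def demo():
    opener = Opener(KEY, clock_hour=1000)
    first = passphrase(KEY, 1000)
    ok = opener.receive(*first)                               # accepted
    replay = opener.receive(*first)                           # rejected: used
    old = opener.receive(*passphrase(KEY, 990))               # rejected: window
    resync = opener.receive(*passphrase(KEY, 990, b"resync")) # accepted, clock=990
    return ok, replay, old, resync, opener.clock_hour
```

One caveat the comment does not spell out: a passphrase the opener never received (sent out of range) stays valid until its hour leaves the window, and a resync passphrase stays valid indefinitely, so the resync button should be a deliberate, rarely pressed one.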



