Original IBM announcement
Register Article Reprint:
14 January 2001
Update: 14:08 GMT
The Register Biting the hand that feeds IT
_________________________________________________________________
CPRM on hard drives - IBM takes a spin
[6]By: [7]Andrew Orlowski in San Francisco
Posted: 24/12/2000 at 11:08 GMT
A squadron of heavily armed IBM spin bombers left their hilltop base
at Almaden, Ca at the end of last week. Their destination - Vulture
Central. Their mission - to disarm public outrage at the proposed
inclusion of CPRM copy control mechanisms into hard disks. The bombers
were loaded with a good-natured arsenal of flattery, non sequiturs,
and laser-guided hand waves.
Normally we'd send such missives straight to the bit bucket, but on
this occasion, they're worth airing. Not just because this is spin of
a subtle quality that we rarely hear - although it is - but it gives
the best clue yet of how the industry will attempt to massage public
concern on the subject. And to be forewarned is to be forearmed, we
reckon.
Before we get stuck in, however, acquaint yourselves with the CPRM
proposals at first hand. The T.13 committee makes documents freely
downloadable, and the two you really want to read are the latest
[8]Content Protection of Recordable Media proposal and a 24-slide
[9]Presentation by the same author, Jeff Lotspiech of IBM's Almaden
Lab, which gives a bird's eye view of the subject. Another useful
document is [10]an article in IBM Research's own house magazine Doh!
[shouldn't that be Think - ed.] where CPRM's twin brother CPPM is
discussed. This explains the mechanics of CPRM in layman's terms, but
also gives an idea of how sophisticated the system is, and the
challenge it presents to would-be hackers.
But as you peruse the T.13 documents, ask yourself "Why is this even
here?". ... And ask yourself the same question at regular intervals in
the next few paragraphs.
Go away folks, there's nothing to see
"What they're asking for in the ATA standard is not to
incorporate content protection but to reserve some space in the spec
for calls or functions that content protection that others could call
upon," insists Mike Ross, spokesman for IBM's Almaden Labs. But
Lotspiech's cryptographic structure for CPRM is well defined already.
The system interface is also defined in the CPRM technical proposal:
in excruciating detail, as you can read in the references above.
"CPRM is NOT tied to a fixed location on the disk," says Ross. "The
Media Key Block can be placed anywhere that is convenient for the
manufacturer."
Wow, we thought: this guy's good. This guy's really good.
But it's nonsense of course, and what can most charitably be described
as a straw man. Recall that there are two areas in which CPRM can be
said to reside - and here, use page 10 of the presentation above. The Media
Key Block (which is most of that megabyte) is in a read-only area, and
the Media Unique Key (which uniquely identifies the disk) is in a
"hidden area". Both are what is called "vendor space" - the part that
handles out of bounds sector swapping, and that's separate from the
file system itself. It's a puzzling assertion, as we don't remember
claiming that CPRM is tied to a physical location on the disk
ourselves, but we did point out - and the specification points out -
that CPRM physically locks signed media into a given location, driving
a bus through the concept of file system abstraction.
Hard disk experts tell us that at a device level, when issuing a write
command you don't really know where you're putting it, so there's a
couple of levels of abstraction going on here. But CPRM in ATA breaks
one of them, and that in itself is only the beginning of where the
proposal so fundamentally redraws the computer landscape.
As Ross confirms: "All of the content files can be moved, copied, even
renamed -- in their encrypted form. CPRM only insures that the
protected files are played or viewed only by compliant software or
devices" [our emphasis, natch].
As for the short-term damage to commodity RAID, file optimisation,
backup, and potentially imaging software too, Ross says "These are
good points, these issues will have to be addressed in the marketplace
and you're absolutely right - but these have not even been discussed
yet."
Porky packets
IBM insists that the proposals are intended to secure content on
removable media, and that hard disks aren't really the target:
although in Ross' words "Would a hard drive benefit from the calls
requested here? Absolutely - so you could take that to the next step".
But let's look at the context for a second. There's ATAPI - the spec
for removable media, and then there's ATA - the spec for hard disks.
They're closely related, and share semantical similarities, but also
differ significantly. ATAPI is a packet format. What's being proposed
isn't ATAPI - it's ATA, and contains information that ATA devices
need, but that ATAPI devices don't. In other words, the specification
can be rolled into fixed, ATA devices right off the bat.
So how mandatory are these specifications? Dave Anderson of the Object
Based Storage Device group - he's also Seagate's storage architect,
but was speaking to us with his OBSD hat on - points out that not all
of the SCSI command set has been implemented. Even where the commands
have obvious benefits. It's a good point, but it's also worth
remembering that the SCSI design philosophy (do more) differs from ATA
mores (keep it simple) with the consequence that the ATA spec is much
more closely adhered to by manufacturers. It's a far simpler spec, and
being a mass market, doesn't tolerate wibbles. CPRM's backers point
out that it's an optional mechanism, and needs to be turned on
explicitly: for example a "compliant" CPRM drive may yet be programmed
to reject calls by compliant applications to write secure media to
disk.
The T.13 committee next meets in Irvine in February. It's already seen
three drafts of CPRM, which may give opponents of the scheme hope that
it can be delayed further. Equally, we suspect, CPRM's backers may
hope that the pre-Xmas furore will be forgotten as we nurse new
century hangovers in just over a week. But CPRM in ATA poses
short-term problems for several classes of current software and IT
practices, long-term threats to accepted consumer free use practice
and to basic computer science principles such as file system
abstraction, and could be particularly divisive for free software -
as Richard Stallman has pointed out. In short, it has the
potential to make the Clipper Chip saga look like a pre-show warm-up,
and we wouldn't bet on this story going away anytime soon. As the
Grinch discovered: "Oh, the noise! That's one thing he hated! The
NOISE!" ®
Related stories
[11]Stealth plan puts copy protection into every hard drive
[12]Linux lead slams 'pay per read' disk drive plan
[13]Copy protection hard drive plan nixes free software - RMS
References
1. http://www.ace-quote.com/partners/partnership_reg.asp
2. http://www.theregister.co.uk/content/39/index.html
3. http://www.theregister.co.uk/content/25/
4. http://ad.uk.doubleclick.net/adi/theregister.co.uk/hardhome;area=hardhome;pos=1;sz=468x60;tile=1;ord=648364?
5. http://ad.uk.doubleclick.net/jump/theregister.co.uk/hardhome;area=hardhome;pos=1;sz=468x60;tile=1;abr=!ie4;abr=!ie5;ord=648364?
6. mailto:andrew.orlowski@theregister.co.uk
7. mailto:andrew.orlowski@theregister.co.uk
8. ftp://fission.dt.wdc.com/pub/standards/x3t13/technical/e00148r2.pdf
9. ftp://fission.dt.wdc.com/pub/standards/x3t13/technical/e00152r0.pdf
10. http://www.research.ibm.com/resources/magazine/2000/number_2/solutions200.html#two
11. http://www.theregister.co.uk/content/2/15620.html
12. http://www.theregister.co.uk/content/2/15655.html
13. http://www.theregister.co.uk/content/2/15682.html
14. http://www.theregister.co.uk/
15. http://www.theregister.co.uk/content/29/index.html
16. http://www.delphi.com/endian/start/
17. http://www.theregister.co.uk/content/1/index.html
18. http://www.theregister.co.uk/content/2/index.html
19. http://www.theregister.co.uk/content/3/index.html
20. http://www.theregister.co.uk/content/4/index.html
21. http://www.theregister.co.uk/content/5/index.html
22. http://www.theregister.co.uk/content/6/index.html
23. http://www.theregister.co.uk/content/7/index.html
24. http://www.theregister.co.uk/content/28/index.html
25. http://www.theregister.co.uk/content/29/index.html
26. http://www.theregister.co.uk/content/31/11666.html
27. http://www.theregister.co.uk/content/30/index.html
28. http://www.theregister.co.uk/content/21/index.html
29. http://www.theregister.co.uk/content/31/index.html
30. http://www.theregister.co.uk/content/13/index.html
31. http://www.theregister.co.uk/content/32/index.html
32. http://www.theregister.co.uk/content/24/index.html
33. http://www.theregister.co.uk/content/25/index.html
34. http://www.theregister.co.uk/content/35/index.html
35. http://www.theregister.co.uk/content/39/index.html
36. http://www.delphi.com/endian/
37. http://www.listbot.com/
38. http://www.ace-quote.com/partners/partnership_reg.asp
39. http://theregister.domainbuster.com/