Thursday, May 3, 2007

Digg.com: Publish and be Damned

As Kevin Rose, the founder of Digg.com, said on his blog last night, yesterday was a rough day for Digg.

Beset with lawyers armed with cease and desist letters, Kevin and his management team had to decide what action would best appeal to their community of users: remove published keys designed to protect HD-DVD titles from the site, or allow them to remain published.

For those of you not familiar with the story, the cracking of the HD-DVD code isn't new - it happened back in December, and an application made by SlySoft Software has been available since February that (ostensibly) enables users to "back up" their HD-DVDs.

So what changed? The bloggers at rudd-o.com have been trying to make people more aware of the issues surrounding the crack (and, apparently, succeeding). It appears someone from this site (or spurred on by the site) put up the initial post at Digg.com that contained the keys that unlock the HD-DVDs.

Initially, on the basis of receiving the C&D letter, the Digg guys made the decision to take down the keys. Then, late yesterday, they reversed this decision and reinstated the postings. Then, just to make things even more interesting, around 11pm, the site went dark.

Which brings me to the point of this blog.

Like the scientists who originally created the keys for the Hollywood studios to use to protect their assets, our company, Authentium, is in the trust business.

It makes me mad to think of the amount of development work that went into creating the protection mechanism - and how many assets have been placed at risk by the guys who cracked it.

As a CEO *and* long-retired ex-songwriter who is more amused than excited by my $9.17 annual royalty check (from a long-forgotten ditty written 25 years ago that fifteen years later somehow found its way into an Alicia Silverstone movie), I think I can understand how people who depend on copyright protection to pay a studio full of salaries must feel, not to mention all the single contributors who maintain families solely on the basis of royalty remittances.

However...

The value of an open market for information lies in the openness of that market. As the "Godfather", Bruce Schneier, likes to say: "Security through obfuscation isn't security." Security flaws get fixed faster when information about them hits the open market - and that is indeed what has occurred with the HD-DVD crack.

From a security perspective, once the keys have been published, the game is over. And the end result is: the security just wasn't good enough.

And what of Digg? It doesn't matter that Digg.com is in the business of "continuous publication" - the fact that the keys have been published *once* means that they have already propagated to at least a subset of the folks most interested in them.

In the end, this makes Digg no different from the newspapers of previous generations. The phrase "publish and be damned" still applies. And the value of a post-publication cease and desist letter remains what it has always been: zero.

Note: Newer HD-DVDs now use a different mix of multiple encryption keys - crackers, good luck copying that Shrek 3 DVD when it hits the shelves.
