Intel Insider
Otto Dafe
20-Jan-2011, 10:18
Looks like Intel included a little bonus DRM treat in SB, and are now tying their tongues in knots trying to explain it---here is an Intel blog post (http://blogs.intel.com/technology/2011/01/intel_insider_-_what_is_it_no.php) where they attempt to further de-clarify the tech. Apparently at one SB presentation (sorry, can't find the link, it was some AU Website) they shut down the Q&A when people wouldn't leave them alone about it.
This seems like a fairly straight-forward advancement of "Trusted Computing" jack-assery, but I'm rather baffled though that they decided to announce it as a feature. One can only assume that they're completely oblivious to the sophistication of customers (or at any rate a vocal minority) regarding "DRM" schemes, or they thought that trying to sneak it by us would induce more customer ire when it was inevitably discovered. I say this because if it's successful AMD will surely adopt (Hollywood has no reason to shut them out), and if not, Intel has to eat all the shit for it.
More disturbing is that, after searching high-and-low I can find no more technical description than, "Think of it as an armoured truck carrying the movie from the Internet to your display, it keeps the data safe from pirates, but still lets you enjoy your legally acquired movie in the best possible quality". No white papers, no nothing. Does anyone have any info as to how exactly they've implemented this, and on what basis we can assume it's not a rather ghastly built-in security flaw?
Sorry if this thread is redundant, I searched around the Site a bit and didn't turn anything up.
When will companies like this learn, users are their customers, not Hollywood, not the RIAA
Otto Dafe
20-Jan-2011, 10:35
When will companies like this learn, users are their customers, not Hollywood, not the RIAA
Indeed, and as many have pointed out, Intel and Apple are both bigger than Hollywood.
It can be argued that since Hollywood refused to bring movies on computers without DRM, implementing DRM is actually providing a service to their customers.
Of course, you may think Intel or Apple are able to "persuade" Hollywood into abandoning DRM, but apparently all past experiences told us the opposite. Hollywood doesn't care whether you can play an HD movie on a PC or not. So it's actually pretty simple: if you don't want to watch movies on your PC, then this DRM has no effect on you. If you do want to watch movies on your PC, then this DRM provides you the way to do so (legally). If you want to watch DRM-less movies, then you should be the one to persuade Hollywood, because you are their customers, not Intel nor Apple.
Bouncing Zabaglione Bros.
20-Jan-2011, 11:09
And when you change your PC and none of your legally bought but DRM locked movies play, or when the content provider decides to shut their service, who is going to give you back your money? Oh that's right, no one, because you didn't buy the content you thought you bought, you only "licensed" it under terms that allow the content cartels to tell you to take a running jump whenever they feel like it.
Why are big industries so enamoured of the glitz of Hollywood and their relatively small markets that they are willing to drop their pants (and that of their customers) at the drop of a hat?
As long as no one has to use this DRM via the backdoor, it will be a non-issue, but let's not pretend it's anything more than DRM on the chipset in order to suck up to the content cartels.
And when you change your PC and none of your legally bought but DRM locked movies play, or when the content provider decides to shut their service, who is going to give you back your money? Oh that's right, no one, because you didn't buy the content you thought you bought, you only "licensed" it under terms that allow the content cartels to tell you to take a running jump whenever they feel like it.
If you don't like it, why pay for the service?
Why are big industries so enamoured of the glitz of Hollywood and their relatively small markets that they are willing to drop their pants (and that of their customers) at the drop of a hat?
Simple. Right now streaming HD movies only happens on set-top boxes, which are (supposedly) secure (at least to those Hollywood guys). By providing a DRM system on a PC, it's much easier to persuade the Hollywood guys that a PC can act as a secure set-top box for streaming HD movies. So that's a potential good business for Intel.
I still don't get this "Intel shouldn't bow to Hollywood!" argument. It's not Intel that requires Hollywood to have DRM, it's Hollywood. So if you don't like DRM, complain to the Hollywood guys.
Otto Dafe
20-Jan-2011, 11:34
Ah, I didn't make myself clear. I have no interest in the movies, don't care at all. The problem with this statement:
...So it's actually pretty simple: if you don't want to watch movies on your PC, then this DRM has no effect on you.
Is that as I see it the only way for this technology to work is for Intel to allow anyone with a certificate Ring -1 level access to my machine. Meaning for example that if I went to Sony's website they could install an HVM rootkit (meaning their own kernel!!!) and forevermore run my entire OS and all my data in a virtual machine. Compound that by the fact that I have no idea who has or can get a key.
That, is the problem. Caveat is that I don't know how it works because Intel won't say, but this is certainly what they're describing.
Is that as I see it the only way for this technology to work is for Intel to allow anyone with a certificate Ring -1 level access to my machine. Meaning for example that if I went to Sony's website they could install an HVM rootkit (meaning their own kernel!!!) and forevermore run my entire OS and all my data in a virtual machine. Compound that by the fact that I have no idea who has or can get a key.
That, is the problem. Caveat is that I don't know how it works because Intel won't say, but this is certainly what they're describing.
This is not accurate. First, we already have a ring -1 in x86 CPU, that is, the hypervisor for those with virtualization support. Second, to my understanding Intel Insider is only protecting memory pages coming in and out of the GPU's hardware decoder, so the "rootkit" worry is not an issue here. If this happened to be an issue, then I believe Intel will be able to provide a switch to turn off this function for those who don't need it.
Also, do you really know what your computer is running right now? Even without these DRM? I believe most people can't be sure. There are just too many ways for a rootkit to hide itself. Can you be certain that your OS is not currently running on top of a malicious virtual machine?
Otto Dafe
20-Jan-2011, 12:52
This is not accurate. First, we already have a ring -1 in x86 CPU, that is, the hypervisor for those with virtualization support. Second, to my understanding Intel Insider is only protecting memory pages coming in and out of the GPU's hardware decoder, so the "rootkit" worry is not an issue here. If this happened to be an issue, then I believe Intel will be able to provide a switch to turn off this function for those who don't need it.
Yeah, that's what I'm saying, the rootkit (in this case, the one installed by the content provider) is the hypervisor. You can't hide memory pages without being below the host OS because you have to manipulate it, in other words you have to be in ring -1. Otherwise subverting the protection would be trivial, right? Memory dump, API hook, etc...
Also, do you really know what your computer is running right now? Even without these DRM? I believe most people can't be sure. There are just too many ways for a rootkit to hide itself. Can you be certain that your OS is not currently running on top of a malicious virtual machine?
No, man, that's what freaks me out! The worst part is there is by design no test bit to determine whether HVM is enabled or not (Vt-x or AMD-V), so the ISA can actually lie to you. And this is exactly what I'm saying, it sounds to me like Intel Insider goes beyond that and allows software access to the HVM bits in the chip. I know that sounds insane but I'm not seeing how else you could do what they're doing. This is for example pretty much how BD+ works: it grants hypervisor status (something analogous) to anyone with a key. Now that's kind of whack, but whatever, what's the worst that can happen, your player breaks.
But Intel wants to do that with a device that contains my identity, my work, and information about everyone I know. I don't really care if someone keylogs my BD player, but my PC is a whole different deal. Now I'll stop ranting, because I know you have a different idea about how Insider works, I just don't quite follow what it is from above.
No, man, that's what freaks me out! The worst part is there is by design no test bit to determine whether HVM is enabled or not (Vt-x or AMD-V), so the ISA can actually lie to you. And this is exactly what I'm saying, it sounds to me like Intel Insider goes beyond that and allows software access to the HVM bits in the chip. I know that sounds insane but I'm not seeing how else you could do what they're doing. This is for example pretty much how BD+ works: it grants hypervisor status (something analogous) to anyone with a key. Now that's kind of whack, but whatever, what's the worst that can happen, your player breaks.
If you are worried about this, why stop here? Why not ask Intel and AMD to abandon all virtualization technology? (You can actually disable virtualization in BIOS)
My point is, for those who want this thing, it's not bad for them to have it. For those who don't want, they should be able to disable it. How is this a bad thing?
I actually think the post was reasonable, but it does say it was edited.
rpg.314
20-Jan-2011, 14:46
Die DRM, Die. :mad:
Otto Dafe
20-Jan-2011, 14:55
If you are worried about this, why stop here? Why not ask Intel and AMD to abandon all virtualization technology? (You can actually disable virtualization in BIOS)
My point is, for those who want this thing, it's not bad for them to have it. For those who don't want, they should be able to disable it. How is this a bad thing?
Yes if I could buy a chip without virtualization tech I absolutely would, and I would pay a premium for one (okay maybe not on a laptop). This insider thing in my opinion does not add value anywhere near commensurate with the risk it imposes (and to me adds no value). As to disabling these things, that's not guaranteed to remain an option, and a lot of people won't know it exists. Intel Insider sounds to me like it may be enabled by a magic packet, e.g. a direct path from ring 3 to ring -1, and I think that sucks.
You say, how is this a bad thing as an option? Well, I'm basically coming at this from a security perspective, the more people with secure, fault-tolerant computers the better. It's not a moral absolute, God didn't tell me this, it's just an engineering ideal--and I cede the point--it's just an ideal. The principle of least privilege is, in my opinion, a very good idea. VT I think has enough value to justify itself in some cases (not the way Intel did it though), but Insider does not. Now granted I don't and can't know the specifics, but my reason is basically this: If it doesn't get cracked it's a black box and I have to assume my computer is compromised at all times at the highest level. In truth of course this is already the case, but it's just soooo much more so. And then if it does get cracked, say 10 years down the road when it's rolled out and everyone's using it, it's a freakin' security apocalypse. And since it's content protection people will be highly incentivized to crack it.
Again, in a set top box I don't care, because it's their scheme to protect their stuff. In my box it's their scheme but it's my stuff.
Otto Dafe
20-Jan-2011, 14:58
Also, if somebody changes their mind and decides it is DRM, then in many countries it would be illegal to disable it.
You say, how is this a bad thing as an option? Well, I'm basically coming at this from a security perspective, the more people with secure, fault-tolerant computers the better. It's not a moral absolute, God didn't tell me this, it's just an engineering ideal--and I cede the point--it's just an ideal. The principle of least privilege is, in my opinion, a very good idea. VT I think has enough value to justify itself in some cases (not the way Intel did it though), but Insider does not. Now granted I don't and can't know the specifics, but my reason is basically this: If it doesn't get cracked it's a black box and I have to assume my computer is compromised at all times at the highest level. In truth of course this is already the case, but it's just soooo much more so. And then if it does get cracked, say 10 years down the road when it's rolled out and everyone's using it, it's a freakin' security apocalypse. And since it's content protection people will be highly incentivized to crack it.
I think you are just reading too much into it. It's quite possible that Intel Insider is simply a hardware based decryptor which allows only a specialized program running in a sandbox (i.e. not able to control anything outside the sandbox). Making it too broad actually could undermine its own security.
Also, if somebody changes their mind and decides it is DRM, then in many countries it would be illegal to disable it.
Actually, no. Disabling Intel Insider would make programs using it stop working, so it won't be illegal to disable that (it's only the case if, by disabling it, the program using the DRM still works).
Otto Dafe
20-Jan-2011, 16:06
I think you are just reading too much into it. It's quite possible that Intel Insider is simply a hardware based decryptor which allows only a specialized program running in a sandbox (i.e. not able to control anything outside the sandbox). Making it too broad actually could undermine its own security.
You may be right. As to encryption, they can already do AES in hardware; as to the sandbox, I'm curious how they'd implement it. Honestly I think the most probable outcome is that it will do nothing to curb piracy and only annoy paying customers. Mainly I'm not a big fan of hidden things on chips, and I'm rather suspicious of their attitude towards security given the way they designed Vt-x.
Actually, no. Disabling Intel Insider would make programs using it stop working, so it won't be illegal to disable that (it's only the case if, by disabling it, the program using the DRM still works).
I don't know, the DMCA for example, "criminalizes the act of circumventing an access control, whether or not there is actual infringement of copyright itself (http://en.wikipedia.org/wiki/Dmca#Title_III:_Computer_Maintenance_Competition_Assurance_Act)". It would have to be tested in court, but I do think you could bring a case based on that.
Bouncing Zabaglione Bros.
20-Jan-2011, 16:25
If you don't like it, why pay for the service?
I won't, but others will, thinking they've bought a product. Then when some company announces they are not making enough money and are shutting down the service, users are screwed - as has happened with several music services run along the same lines.
How many of these "hollywood-friendly" services are going to tell you up front that if they close down or don't want to continue the service, you've lost all that content you thought you'd bought? None of them.
I won't, but others will, thinking they've bought a product. Then when some company announces they are not making enough money and are shutting down the service, users are screwed - as has happened with several music services run along the same lines.
How many of these "hollywood-friendly" services are going to tell you up front that if they close down or don't want to continue the service, you've lost all that content you thought you'd bought? None of them.
Same thing with Steam. The problem ain't the hardware enabling (more secure) DRM-laden services but users blindly flocking to them.
Silent_Buddha
20-Jan-2011, 21:41
Yes if I could buy a chip without virtualization tech I absolutely would, and I would pay a premium for one (okay maybe not on a laptop). This insider thing in my opinion does not add value anywhere near commensurate with the risk it imposes (and to me adds no value).
You can still buy CPUs without virtualization from both AMD and Intel. Even in Sandy Bridge (http://www.anandtech.com/show/4083/the-sandy-bridge-review-intel-core-i7-2600k-i5-2500k-core-i3-2100-tested/2).
It may not be the performance level you may want, but that's another argument entirely.
I don't know, the DMCA for example, "criminalizes the act of circumventing an access control, whether or not there is actual infringement of copyright itself (http://en.wikipedia.org/wiki/Dmca#Title_III:_Computer_Maintenance_Competition_Assurance_Act)". It would have to be tested in court, but I do think you could bring a case based on that.
Implicit in that is the ability to play the media or whatever with the protection disabled. Presumably disabling that feature in Intel CPUs wouldn't also strip the protection on the file or allow it to be played unprotected. As CPUs exist with the technology, disabling it can't be considered facilitating the removal or circumvention of the DRM as a person could download/copy the file to a CPU without that feature and proceed with potentially stripping the DRM.
Regards,
SB
Otto Dafe
21-Jan-2011, 05:33
You can still buy CPUs without virtualization from both AMD and Intel. Even in Sandy Bridge (http://www.anandtech.com/show/4083/the-sandy-bridge-review-intel-core-i7-2600k-i5-2500k-core-i3-2100-tested/2).
It may not be the performance level you may want, but that's another argument entirely.
Yeah, you got me. :oops:
Implicit in that is the ability to play the media or whatever with the protection disabled. Presumably disabling that feature in Intel CPUs wouldn't also strip the protection on the file or allow it to be played unprotected. As CPUs exist with the technology, disabling it can't be considered facilitating the removal or circumvention of the DRM as a person could download/copy the file to a CPU without that feature and proceed with potentially stripping the DRM.
Regards,
SB
I'm just reading it prima facie. It would doubtless come down to precedent, if any exists. The DMCA has certainly inspired a lot of legal craziness (http://www.eff.org/wp/unintended-consequences-under-dmca).
I think Intel should look back at a similar situation: region encoding on DVD drives
Hollywood: "Hello, I wonder if you would mind some extra expenditure in modifying your drives in a certain way"
DVD Drive Maker: "Well, we are always open to suggestions from our customers"
Hollywood: "Oh, we aren't a customer"
DVD Drive Maker: "You're not, er, OK. So this alteration, it's just something that will appeal to our customers and help increase sales"
Hollywood: "God no, in fact if your product is next to a similar product that doesn't incorporate our little modification 99% of buyers will choose the other product"
DVD Drive Maker: "So it will cost us money and it will reduce sales?"
Hollywood: "Bingo, you've got it"
DVD Drive Maker: "That's a fantastic idea, we will get on to it right away...."
The problem is, there would be no market for DVD drives if there's no Hollywood support. You'll have those "data only" DVD drives which work only in computers, and "video only" DVD drives which only work in set-top boxes (i.e. DVD players), and guess which one has the larger market. Basically, if DVD went this way, we would have very expensive DVD data drives and relatively cheaper video drives.
But we had region free dvd players and they were usually cheaper
But we had region free dvd players and they were usually cheaper
Not in the US...
There were plenty of region free DVD players available in the US. It's how I first heard about the 'Apex' brand.
But we had region free dvd players and they were usually cheaper
This is not the point of my argument. My argument is, DVD drive makers have to satisfy Hollywood's demand, because they need Hollywood, not because they are stupid or weak. Hollywood doesn't really need them, because they don't really like this home theater idea anyway (see how they opposed VHS when it was released). Of course, you may argue that home video is a big market that Hollywood can't ignore, and that's true, but if there is no home video at all (i.e. there is no VHS nor DVD) it's quite possible that Hollywood may be able to make even more money from licensing movies to TV stations.
Otto Dafe
23-Jan-2011, 17:42
I think though to some extent they view it as an additional revenue stream--in other words, pure gravy.