Microsoft Prepares Office Lock-in
An anonymous reader writes "NEWS.COM has an article describing Office 2003's DRM features for documents. This will not only coerce those running older versions of Office to upgrade, which has been a problem for MS in the last few years, but it will also shut out competing software, such as OpenOffice. Now think about this for a second. Even if the developers of a competing office suite could figure out how to get their software to open an Office 2003 document, doing so would be a DMCA violation, since they'd be bypassing an anti-circumvention device. I certainly hope the OpenOffice team will kick development into high gear. If there was a time we need a viable competitor to Office, it's now."
Interoperability is protected by DMCA (Score:5, Informative)
not by default... (Score:5, Informative)
It's really targeted at businesses which make heavy use of Active Directory already (or would switch to doing so), so that Finance people can restrict access to sensitive salary documents and such. Most people, even if they can apply DRM to a document, won't choose to do so. How many people change the rights for their local drives to remove access for 'Everyone'?
Re:The straw that broke the PHB's back? (Score:5, Informative)
RTFA (Score:5, Informative)
for the first time will include tools for restricting access to documents created with the software. Office workers can specify who can read or alter a spreadsheet, block it from copying or printing, and set an expiration date.
Users get to set it. It's not automatic.
Re:The straw that broke the PHB's back? (Score:3, Informative)
Re:Interoperability is protected by DMCA (Score:5, Informative)
If it was possible for a user who shouldn't have access to a file to use another application to read it, then that app would be in violation of the DMCA because it is a circumvention device.
If it respected all the DRM nonsense, then it would probably fall under the interoperability portion of the law. At least that's the way I read it.
Re:Interoperability is protected by DMCA (Score:2, Informative)
That must come as a tremendous relief to the people who distributed DeCSS source code for watching DVDs under Linux.
Re:not by default... (Score:3, Informative)
Is saving sensitive documents in a directory that's read/write restricted to people in the Finance group not good enough? It seems to work just fine here.
it requires configuring Windows Server 2003 and ensuring both the creator and reader of the document have access/accounts on the Rights server.
So you have to upgrade to Server 2003 to take advantage of this, and lock in further to one company. This sounds like a bad solution to a problem that's already been solved for years.
Re:It's actually important to do this. (Score:4, Informative)
If your law firm does this, you need to switch to a competent law firm right away.
Rule #1 in business and in law, NEVER EVER Trust anyone.
#2 is Double check everything.
Here, send me my recent bill in word format for me to review before you send it to me, no, I won't modify it.
Re:I don't see the problem here. (Score:4, Informative)
You'd have to cripple the entire operating system while the document is open
Not really, the applications do most of the limiting, and since you HAVE to open the restricted document within a trusted application, it can stop you: printing, faxing, taking screen shots of that application (you can arrange the windows in such a way that a screen shot will miss that window altogether, it's all there in the Win32 API and probably more so in the extensions Office 2k3 gives), it can limit copy-and-paste.
So the only real way you can defeat this is by opening it in a non-trusted application, and you can bet your ass that it's encrypted, though how long that will remain unbreakable is another argument entirely.
So, in summary, you haven't read the article and are just spouting off things you think you can do to get around stuff. (They clear up most of your arguments in the article).
Re:wait a minute... (Score:3, Informative)
What's the big deal? (Score:3, Informative)
Re:MOD PARENT UP +1 INFORMATIVE (Score:3, Informative)
And typing documents out again? I think someone will notice you copying word for word a document over a period of time, and ask you why you aren't doing what other work you have to do. Basically it will take a lot longer for you to copy the doc, and there is a much better chance of you being discovered. (And think just how much information is removed from the business on an impulse by a disgruntled employee, much more than what is removed based on a well thought out and timescaled plan.)
Re:Circumvention allowed for interoperability (Score:3, Informative)
No. Specifically not, in fact. What would be legal would be for the OOo team to crack the encryption in order to build a DRM client that was compatible with the Microsoft DRM server (or, for that matter, a server compatible with the MS DRM client).
Re:Mostly FUD (Score:5, Informative)
I was there at TechEd 2003 when a VP of Verisign took the stage during the keynote address and announced these features.
It is not dumb client-server authentication. It is a public key encryption package. You need access to a centralized server for typical key management operations, including looking up the public keys of parties with whom you have not communicated in the past.
However you will certainly be able to access the documents in a disconnected fashion, as long as your local keystore contains the right information.
Oh and at the time they also announced that the USPS would be supporting a stamping feature for this. Just like today, you can take a document and send it through the mail (to yourself) just to get it stamped with the current date. The USPS will digitally stamp the document with their current date/time. They didn't go into details on how this would work, but I imagine it's a typical hash/signature style function...
READ THE FRIGGEN LAW (Score:3, Informative)
Don't just assume and feed absurd conspiracy theories. READ THE LAW.
http://www.loc.gov/copyright/legislation/dmca.p
Re:There is no problem but Slashdot (Score:3, Informative)
LinuxSecurity [tinyurl.com] - All the Linux vulnerabilities Slashbots don't want you to see
You are such a troll! Most of those vulnerabilities are for applications! Many of them are just freaking bug reports! If Microsoft was held responsible for all the non-Microsoft applications then you'd be comparing apples with apples.
GNU/Linux distros include all those applications. But you don't have to install them!
Take a minimal Windows install and a minimal Debian GNU/Linux install. Or take a Windows box and load up a selection of applications from various vendors and a selection of stuff from downloads.com, and compare it with a reasonably complete Debian install. Then I will be able to take your criticisms seriously. As it is, you are overly critical.
Do some research everyone! (Score:5, Informative)
This is just Public Key Cryptography based on open and documented standards!
How do I know? I was there when it was announced. In early June at TechEd 2003 in Dallas Texas. Some Korean VP of Verisign showed it off. His accent gave it a very scary "All your base are belong to us" kind of feel, but there it is.
Here's the press release from that day:
http://www.verisign.com/corporate/news/2003/pr_
Please read this before you spout off one more cockeyed comment on how Microsoft is evil cause you won't be able to read this on the plane or how it's proprietary and no one will ever understand it or work with it ever again.
Re:Mostly FUD (Score:3, Informative)
VB-type scripting in Spreadsheets - OpenOffice (Score:4, Informative)
http://www.openoffice.org
Re:Mostly FUD (Score:5, Informative)
Re:Mostly FUD (Score:2, Informative)
IF your company is running Server2003, and IF you use Office2003, etc. then the document can carry permissions that will for example allow you to read but not print or forward the document. It's the tight integration of Server2003, Office2003, ActiveDirectory, and the XP or 2000Pro OS that allows serious control by the document author within the company.
THAT is the point - to sell the huge companies on using (buying into) the WHOLE enchilada from MS. The special features only work there.
READ THE ARTICLE, people. (Score:2, Informative)
Now, I can certainly see where people would WANT the ability to control distribution of specific key security-sensitive documents. And in those cases, sure you'd want tight controls on who could read it (and, what they would use to read it). So this would make sense.
But this isn't just a plain old proprietary document lock-in. Probably 99% of documents will still be non-DRM'd and open, and the 1% that aren't, well the people who enabled the DRM don't WANT joe l337 haxx0r reading them.
Re:DMCA Violation - Not in my NSHO. (Score:3, Informative)
`(A) to `circumvent a technological measure' means to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner; and
`(B) a technological measure `effectively controls access to a work' if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work.
As is clear, the DMCA ONLY applies when the copyright holder does not give authority to circumvent the technological measure.
My point is that the copyright holder is not Microsoft, so they cannot enforce this provision. If I write a document in Office 2003 and encrypt it, then choose to decrypt it myself, I am essentially granting myself authorization, since I am the copyright holder. MS cannot sue, as the Slashdot post alludes, under the DMCA, since they are not the copyright holder. The DMCA's scope is limited to breaches against the copyright holder.
DMCA allows reverse engineering (Score:2, Informative)
It's not *that* bad (Score:5, Informative)
This feature can be activated by selecting "Document Permissions" from either the toolbar or the File menu. Documents are NOT created with this feature enabled by default, although there might be some random little option somewhere to make it the default option.
In Word, this feature enables you to specify which people can read it, and it automagically turns off Print Screen and Printing if I remember correctly, and maybe the clipboard too. In Outlook this prevents you from forwarding or copying the text to clipboard too.
As for home users being able to use it, for the purposes of the beta Microsoft allowed users to use their .net passport as the method of authenticating users, in addition to whatever 2k3 server they might have had. I'm not sure if they're going to allow .net passports after the Office 2003 launch, but only time will tell. Office 2003 users will have to download some additional program (will probably also be on the CD too) to gain access to restricted documents.
For what it's worth, here's what the Microsoft help document has to say on the issue:
DMCA (Score:1, Informative)
Yet more alarmist FUD (Score:5, Informative)
The technology is designed to enable secure document transfer between trusted parties. For instance, documents containing trade secrets or engineering specs for a company's latest greatest apps. The creator of the document can secure it so only specified people can read it, limiting potential leaks outside of the company, or the document falling into the wrong hands.
It is not enabled by default and it requires an internal infrastructure to implement (Windows Server 2003 with Windows Rights Management) so the average joe blow isn't going to even be able to use it.
As for "competing products" not being able to read these secured documents, well that's the whole point right? If you're publishing secure documents, you're securing them for a reason, and you're only going to want those who can read it to read it.
There could be an argument for Microsoft to publish an open standard for interoperation, but this is America, not a socialist state, so that argument is a little weak.
Personally, I think this is a cool feature, and one I'm personally going to be using for my day to day work.
Re:Processed log food is shit (Score:2, Informative)
I'm getting an error reported half way down the file. If I edit the first record in a certain way, the error goes away.
If that's not dogshit, I don't know what is.
Re:Disgruntled employees (Score:3, Informative)
Windows EFS has a recovery key so an "administrator" can recover the files. In a simple networked environment, this would typically be the domain Administrator, or anyone else the admins designate. These users can unencrypt (and thus read/recover) a deleted user's files. I would guess that IRM-protected files would be recoverable through a similar method.
Re:Mostly FUD (Score:3, Informative)
Exactly. The server public keys are part of the User ID, along with an expiry date and the user's keys. The server address book along with public keys are on the server. The user gets a local copy of the address book and keys if they wish, otherwise the keys can be compared when next they are on-line.
Re:Yet more alarmist FUD (Score:4, Informative)
Um, no it is not. The point is that unauthorized users shouldn't be able to read the documents. Competing products should be able to read them, provided they know the required keys and can access the DRM server. This requires that MS documents the encryption format. Just as GnuPG etc. do.
PDF unencrypting solution (Score:5, Informative)
Googling for pdf_sec.ps along with "Adobe" or whatnot should give you more info.
The submitter didn't RTFA (Score:5, Informative)
According to the article, it is not the default behavior for O2K3 to use Information Rights Management. In fact, in order for Office to lock a document, there has to be a Win2K3 Server running the rights manager suite somewhere on the LAN...
Nothing to see here... move along...
Interesting Idea (Score:2, Informative)
None of this seems to me to be anything bad, it is just a way of controlling who has ready access to documents. While reading the comments, I thought about how it could be implemented as an open source system. If I get free time I may look into prototyping it. Here's what I've come up with so far:
You will need three components generally:
A server-side daemon
This tracks what documents are registered against it, who should be allowed to use it and when and so on. It stores the private keys of the documents, and also public keys of all the potential users. When a user requests a document, it issues a challenge, which they encrypt with their public key, and send back. This is how it knows the user is valid (unless their key has been stolen). It then sends the key that allows the document to be decrypted, assuming all the rights are OK.
A client-side daemon
This is less important, and could probably be removed entirely, but will do caching and allow things like offline access. It acts as an intermediate between the local application and the main server. It will cache the keys and so on, for the time period that they are allowed. It may also store user credentials for a while, so that passwords don't have to be reentered. Ideally, the user password will decrypt the key used for authentication against the main server.
A client-side application
This is the application, OpenOffice, or whatever. When it wants to open a locked document, it goes through the process of asking the client-side daemon for a key. The daemon either replies with the key, or queries the user for a password and then returns the key. This may involve asking the server for the key if it has never been queried before.
This is just off the top of my head, and there are a lot of details missing. What it won't protect against is someone who legitimately has access to the document running off with it, but it would make it very difficult for anyone to see it who wasn't supposed to have access to it. If desired, you could also have flags for 'no printing', etc, but they would have to be respected by the application so couldn't be relied upon.
One other thing that may be of interest from this is that there sometimes may be no need to distribute an entire document, just a token, and if the person tries to access the token, the latest version of the document is fetched from the server. This could be another way of dealing with dynamic documents.
I might look into this further some time. If you are interested, email me, and I'll find a place to document stuff.
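The key-release flow sketched in the comment above, as an added example that is not part of the original post and not code from any real product. The names (`RightsServer`, `answer`) are hypothetical, and the public-key challenge is swapped for an HMAC over a per-user secret so that it runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets
import time

class RightsServer:
    """Server-side daemon: holds document keys, user secrets and per-document rights."""

    def __init__(self):
        self.user_secrets = {}  # user -> secret (stand-in for a registered public key)
        self.doc_keys = {}      # doc_id -> content key
        self.rights = {}        # (doc_id, user) -> {"expires": ts, "flags": set}
        self.pending = {}       # user -> outstanding single-use challenge

    def register_user(self, user):
        self.user_secrets[user] = secrets.token_bytes(32)
        return self.user_secrets[user]

    def register_document(self, doc_id):
        self.doc_keys[doc_id] = secrets.token_bytes(32)

    def grant(self, doc_id, user, expires, flags=()):
        self.rights[(doc_id, user)] = {"expires": expires, "flags": set(flags)}

    def challenge(self, user):
        self.pending[user] = secrets.token_bytes(16)
        return self.pending[user]

    def release_key(self, doc_id, user, response, now=None):
        """Return (content_key, flags) or None. Every failure looks the same to the caller."""
        now = time.time() if now is None else now
        nonce = self.pending.pop(user, None)  # popped before checking, so a replay fails
        secret = self.user_secrets.get(user)
        key = self.doc_keys.get(doc_id)
        if nonce is None or secret is None or key is None:
            return None
        if not hmac.compare_digest(answer(secret, nonce, doc_id), response):
            return None
        right = self.rights.get((doc_id, user))
        if right is None or now >= right["expires"]:
            return None
        # Flags such as "no-print" are advisory: only the opening application can honour them.
        return key, frozenset(right["flags"])

def answer(secret, nonce, doc_id):
    """Client side: bind the response to this nonce and this document."""
    return hmac.new(secret, nonce + doc_id.encode(), hashlib.sha256).digest()
```

Once `release_key` has returned the content key, the server has no further control over that copy, which is why expiry and rights are checked before release and the flags are treated as hints to the application.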