Microsoft Prepares Office Lock-in

An anonymous reader writes "NEWS.COM has an article describing Office 2003's DRM features for documents. This will not only coerce those running older versions of Office to upgrade, which has been a problem for MS in the last few years, but it will also shut out competing software, such as OpenOffice. Now think about this for a second. Even if the developers of a competing office suite could figure out how to get their software to open an Office 2003 document, doing so would be a DMCA violation, since they'd be bypassing an anti-circumvention device. I certainly hope the OpenOffice team will kick development into high gear. If there was a time we need a viable competitor to Office, it's now."

out of the water

[NetMagi]

With this coming at the same time that linux seems to really be taking a foothold. .at least in the corporate desktop I think people fed up with MS BS may finally start to do something about it.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Mostly FUD

[Anonymous Coward]

This article emphasizes the role of DRM in commercial settings. It's perfectly reasonable for corporate customers to want to control access to their documents in the workplace, and that's what the Office 2003 DRM features are targeted towards. It's just a dumb client-server authentication scheme, people.

Put away the aluminized headgear. This is not an anti-consumer technology, or even a consumer-oriented one.

Only when the document creator chooses to lock it.

[pe1chl]

My impression from this document is that it is an optional feature, only active when the creator of the document specifies who can read it.
When the creator thinks it should only be readable on Windows 2003, and not on other software, that is his responsibility. And it is the responsibility of the reader to reject such documents as unusable.

This is hardly new. We use StarOffice 5.2 at work, and it cannot open password-protected documents from Office 95 or 2000. This is amongst the least problems when using that package in a mixed Office-StarOffice environment.

Re:The straw that broke the PHB's back?

[marktoml]

It may backfire by simply forcing companies not to want to upgrade or to delay upgrade decisions.

That'll be true for a while.

[Anonymous Coward]

If I receive documents from suppliers and clients that I can't read, then I will ask them to send it again in another format, and they won't have a problem with that for now.

But five years from now, when everybody buying a Dell or Gateway machine has the latest version of Office bundled with their machine, I will likely be the only guy who can't read their documents, and their sympathy will have disappeared. I'll have to upgrade.

There's no particularly good way out of this using the marketplace; the marketplace will dictate it.

I don't see the problem here.

[AzrealAO]

This is a feature some people want. It'd not on by default (how could it, be, since it requires a properly configured server to do the rights management).

It'll let businesses lock their documents down, for internal use. Nothing at all here gives any indication that all documents created will have DRM forced on. If a business or user doesn't want to use it, don't turn it on.

MS strategy

[NetMagi]

Another thing to think about is this: Notice MS hasn't been soo forthcoming lately about linux as a competitor. I think maybe their "near silence" means they are actually getting worried.

In adding this to office, they are really going to separate the market. I bet they figure, if they do this, whoever jumps on board will likely STAY on board due to the fact that switchig to open-source in the future after you've already got a bulk of documents done in this "new office" will be MUCH harder.

I think they just drew a line in the sand. . and they figure they are KEEPING whoever doesn't cross now

This is news?

[AnotherSteve]

New version of [Software] has [feature1..featureN] that will make it incompatible with previous versions. Observers say that [Company] hopes this will drive sales of [Software].

Whatever.

It's Optional

[athakur999]

The DRM features will be optional, if you don't want to use them then don't use them. Presumably, if you save a file without DRM it'll save it as a regular .DOC file.

Re:The straw that broke the PHB's back?

[UberOogie]

Dream on.

Call me a cynic, but I've lost count of the number of times that MS forced upgrade cycles were going to be the end of the company. It hasn't yet, and won't be in the future, even with this. Enough people and companies will pay to make it a non-issue. Watch.

Before everyone gets totally bent...

[tgd]

Where does it say *all* docs will be protected?

If its just docs you choose to use DRM with, then whats the problem? You choose to do that knowing the limitations because it makes sense for your use case. If thats a problem, you don't use it.

If I, as a company, choose to require all outgoing docs to have DRM, its my need to protect my information thats locking people in, not Microsoft.

And for what its worth, I don't use a speck of Microsoft software outside of work, and wouldn't. But lets get real here.

It's actually important to do this.

[tjstork]

Law firms, especially, need this feature.

Right now they have to assume that a word document is unaltered upon receipt from a client. Now, with DRM, they can guarantee it. They also need to control distribution of documents and readability.

Pretty much every major corporation will want this feature once they understand it.

So, instead of fighting DRM, jump on the bandwagon, and have --better-- rights management in Open Office.

I'm not actually convinced that you need to have compatability between Office suites. Really, most people can use their existing MS Office to edit their Office documents and their new Office to edit their new documents. That way, if the old Office license is expired by Microsoft, everyone can complain to MS about how they can no longer read their documents, whereas, Open Office would theoretically never have that problem.

So, I would educate customers that file compatibility is not particularly necessary.

Calculated Risk

[SteveX]

Of course it's a calculated risk.. Some people will hate the DRM, but a lot of companies will really like it. Being able to say that a document can only be opened by managers in your company, for example, is worth lots of PHB points.

Very stupid

[JediTrainer]

The server software will record permission rules set by the document creator, such as other people authorized to view the document and expiration dates for any permissions. When another person receives that document, they briefly log in to the Windows Rights Management server--over the Internet or a corporate network--to validate the permissions.

I read this as follows:

You cannot read a document when not connected to the internet. If, by some chance, a DDOS attack is launched against a company's 'Rights Management Server' (which MUST be exposed to the 'net), or it is otherwise hacked into and shut down, then ALL of the documents with this 'feature' in them will cease to function.

Pardon me, but it is utterly stupid to rely on a single server/service to remain running just so I can read something. A DDOS attack can literally shut down a company at this point.

Re:The straw that broke the PHB's back?

[bokelley]

At the same time, Microsoft has been fairly savvy in protecting its {monopoly|competitive advantage} without really ticking off the media. The Messenger lockdown is pretty blatant, and I haven't seen much public outrage - primarily because the people using Trillian et al are not the mainstream (yet). The big companies that are locked into their Microsoft investments make choices every 2-5 years when they upgrade their desktops. If Microsoft can create FUD - by claiming incompatibility or building it into new products - then they can hold off OpenOffice for another few years. I wonder if the EU would see this as anti-competitive (the US won't/can't do anything even if it does).

Re:Interoperability is protected by DMCA

[bwh265]

strictly speaking your right, but.. (or is it butt? ;)) the DMCA allows slapdown letters first, and litigation to prove, in court, with lawyers and other expensive accoutrements, that you are legally allowed to do what you did.

The DMCA is not based on the criminal code assumptions of innocence until proven guilty, rather you must prove that the infraction (and reverse engineering IS an infraction) is explicitly permitted within the code.

bwh

DMCA Violation - Not in my NSHO.

[the-banker]

Basically, the copyright holder of the document that is digitally encrypted is the person and/or company that is responsible for it being authored.

Since the DMCA forbids circumventing a device to protect copyright, it is irrelevant since the person doing the circumventing is:

1. Opening their own document, and as the copyright holder they can't very well be infringing upon themselves (though if this were possible no doubt the RIAA would find a way, but that is another topic).

2. Opening a document gievn to them by the copyright holder, in which they have been granted express use of the document.

Even larger than this, however, is the fact that the copyright holder DID NOT implement the DRM technology. A third party cannot unilaterally implement DRM technology on behalf of copyright holders to protected works that do not even exist yet.

I guess what I am saying is that MS (holder of the DRM device) cannot sue PersonX because they do not own the copyright to the protected work.

All this being said - did Judge Jackson have incredible foresight into the possible transgressions of a Microsoft monopoly, or are we really dealing with yet another Bush Administration pandering to large corporations? Each time I read something like this I wonder how our political representatives can be so blind to the societal harm of a software monopoly.

Three letters: P. D. F.

[fz00]

MicroSoft is in my opinion doing a wrong thing by making their documents unsharable. WordPerfect documents can be shared almost seamlessly from versions 6 thru 11. Forcing everyone to upgrade to share documents is expensive and impractical. People should start encouring exporting to PDF to make their documents sharable and hopefully Adobe won't do something as stupid as this.

Re:out of the water

[garcia]

First of all, DRM wouldn't be a requirement for all documents, it would most likely be a "feature".

Second, what the hell does Linux have to do w/Anti-DRM and people switching? Linus has specifically stated that he has no opinion either way. If you want it, woo, if not, woo. People aren't sick and tired of DRM and it's not BS (no matter what "we" think)

Linux is taking a foothold because other software companies have expensive software.

You think that an alternative to Office is going to help? There have been alternatives (Corel, etc) did it matter? Do you think because they are creating a new version of Office it will render the other files incompatible? That would be really really dumb for MS to do (no ability to bring in your old stuff? retype? what?)

The only reason for a switch is PRICE. Honestly, no matter what bullshit people spread on here about how good OO, SO, etc, are, they aren't what MSO offers. Not even close.

Until the OO, SO, etc, get some strong following and somehow create something better than Office, no one is going to care unless it is money related and even then, I doubt a few hundred dollars is going to matter...

Just my worthless .02

Just a little FUD

[YrWrstNtmr]

Even if the developers of a competing office suite could figure out how to get their software to open an Office 2003 document, doing so would be a DMCA violation, since they'd be bypassing an anti-circumvention device.

Hold on a bit. Does this article say that any and every Office2003 doc can only be opened on a system connected to a Win Server2003 LAN?

No, it doesn't.

Only those docs which the auther wants locked down, for their own personal reasons.
"But rights-protected documents created in Office 2003 can be manipulated only in Office 2003."

Similarly, if a document (any doc, from any program) is encrypted, breaking that encryption would presumably be a 'violation' of the DMCA.

Let's not jump to conclusions here.
(But of course, actually reading the article is a bit beyond /. sensibilities)

Re:It's actually important to do this.

[JediTrainer]

Right now they have to assume that a word document is unaltered upon receipt from a client.

I don't know about your area, but I think that a number of the bigger law firms around here (such as Torys [torys.ca]) has all their documents stored in PDF format. If they need to prevent changes, it's a simple matter to sign the document before sending it anywhere.

Re:Mostly FUD

[Martin Blank]

So the executive flying to L.A. won't be able to access the documents while on a 4-hour flight. Nor will he be able to do so from the hotel unless they open up the firewall to let him access the authentication server--something that seems inherently dangerous considering it's Microsoft we're talking about.

Do you think MS doesn't even use their own software? Their executives spend a lot of time jetting around the world for various reasons, be they business, lobbying, or vacation. I doubt they would be so short-sighted as to not put some method of permission caching in place. Personally, I see this being used in corporate law departments and in R&D divisions, where the ability to lock people out of something even if they do have possession of it would be invaluable.

Besides, if it's hard to use or if there's not a real need for it, people simply won't use it. A lot of features get his treatment -- how many places do you know of that have even tried to implement the shared editing features?

Re:I swear...

[molarmass192]

Integration with Excel
Integration with Powerpoint
Integration with Outlook, and by extention,
Integration with Exchange


All of which are irrelevant if you're looking to replace MS Office in the first place.

How about perfect compatibility with everyone in the business world.

You haven't exchanged docs between Office 97 and Office 2K much because there are plenty of incompatibilities that arise between the two without even counting document corruptions.

Re:not by default...

[glesga_kiss]

Is saving sensitive documents in a directory that's read/write restricted to people in the Finance group not good enough? It seems to work just fine here.

Depends on how good your staff/security is. A virus/exploit, reply-all cockup or a misplaced disk all blow directory access out of the water. A much better system would be who can open the doc in the first place.

Re:I don't see the problem here.

[vondo]

In fact, this could be a great opportunity for OpenOffice or something like it. Imagine a suite that would lock documents such that they could only be decrypted by someone with the right certificate, but that it's done in an open fashion so any program could implement it. Plus, users would have the assurance that the security model is well audited (as opposed to MS Office which has used very weak encryption in the past.

The point is, MS can do this, but a Free/Open project could do it better.

Disgruntled employees

[Petronius]

for the first time will include tools for restricting access to documents created with the software. Office workers can specify who can read or alter a spreadsheet, block it from copying or printing, and set an expiration date.

this will be great when someone quietly locks 10 years worth of documents he created before getting laid off... a week later, after his Win* user ID has been deleted, his boss will loooooove the new DRM features implemented by Microsoft.

Re:I don't see the problem here.

[jmichaelg]

Is anyone thinking out there?

Clearly you're not. The problem is clearly stated - any competitor that attempts to reverse engineer the format so that a user can edit their documents with another tool besides Word is SOL. Unless Msoft makes the code to edit the documents public, not bloody likely, then it's just another attempt to lock up the office market.

Damn, I wish Jackson had kept his yap shut.

DRM for business documents is a valuable tool

[maynard]

A few facts and then an opinion:

1) DRM technology will be available to businesses which choose to run a DRM server on Windows 2003. It will not be enabled by default.

2) The technology will allow a management (or really the top level key holders) to limit document access rights to specific individuals or a group within the organization. A very valuable feature for many businesses.

3) Without a doubt, MS will abuse this technology to lock their customers into the new Office document format, which they will further abuse to limit document exchange from MS to third party applications.

The problem here is not 1) and 2). Those are perfectly reasonable features that most businesses want to buy. The problem is 3), the vendor lock-in issue. The Open Office project could write the same kind of DRM services into their suite, while at the same time offering document portability to those who hold top level keys to an organization's documents. IMO, this is where they should go long term, since it's obvious MS has hit upon a valuable technology - but like they're always abt to do, they're first instinct is to use the new technology to lock their customers in rather than sell their customers on their new features, quality engineering, and support. Businesses want both the DRM controls and document portability across a wide range of applications. MS always fails their customers in this regard and that's one reason why they've got such a bad reputation.

JMO.
Maynrd

Re:It's actually important to do this.

[oGMo]

Law firms, especially, need this feature.

Right now they have to assume that a word document is unaltered upon receipt from a client. Now, with DRM, they can guarantee it. They also need to control distribution of documents and readability.

Don't be silly. This can easily be done already. PGP sign and/or encrypt your documents, and your clients can verify they get there intact, and only authorized recipients can read them.

Or did you want your clients not changing them? Wait, same deal applies. You've got the original signature, anyone who gets the document can verify it's in its original state.

Hint: when you give the data to someone, you can't restrict what they do with it. I don't mean it in terms of a rights, just simple physics. Grandiose complex schemes like this one are easy targets; if you rely on them, when they break, you're in trouble. Litigation won't make secrets secret again, or undo damages.

Embrace, Extend, Register with the DMCA.

[johnthorensen]

Well, looks like Microsoft finally figured it out. DRM file formats and protocols have been on my mind for quite awhile as potential tools that they could could use to *specifically* target Open Source. Here's why:

What Microsoft will do with the Word DRM is "license" the technology to other commercial interests that wish to maintain file compatibility. They know that THIS is the wedge they can drive into things to split off the open-source projects, because A) no self-respecting open-source project would license MICROSOFT technology, and B) even if they would, they likely couldn't afford it.

Look for this to happen with the next round of media file formats as well. On a more sensationalistic note, what if MS bribed say, NVidia to DRMize their hardware interface. Nobody could then make calls to that hardware without either having a license or violating the DMCA. Again, commercial interests can afford the license, but do you think RedHat and such would like to bankroll Open Source's hardware compatibility licenses? Perhaps at first, but eventually I think not...

Watch out.

-JT

Surely you jest?

[kylef]

This kind of blatent abuse of the law is just another step towards neo-monarchism, and more loss of freedom for the common person.

OK. Let me get this straight. A private company introduces software that basically introduces built-in encryption for word documents, spreadsheets, and email. This technology is designed to allow companies to prevent emails and documents from accidentally "leaking" to the press or into the hands of corporate spies. This won't even affect the home user AT ALL because home users don't have the necessary software to make use of IRM anyway (it requires a separate Windows 2003 Server in addition to MS's Information Rights Management software).

And the availability of this product is somehow an example of "blatant abuse of the law"? I think some people here are suffering from some kind of paranoia.

Re:Mostly FUD

[Skapare]

In order to ensure that older versions of Office or Word cannot read a DRM restricted document, they have to make it "incompatible" in some way. If they do that by having a few fields that will choke older programs, it still won't do anything to prevent developers of other office productivity software from making it readable in theirs. So Microsoft will almost certainly have to encrypt the document, and serve up the key from the DRM server (using a proprietary protocol, of course). That encryption is involved makes it the kind of rights-restricting scheme the DMCA makes illegal to re-engineer. And don't think Microsoft doesn't know this; they are not dumb. They will try to do at least as much as they can get away with (and perhaps more, which we can then pounce on). Be sure you use the word "interoperability" more, now.

My big fear is that this new protocol and server will be full of the kinds of bugs that Microsoft traditionally puts in new software expecting the public to help them debug it. Imagine the impact when people assume this DRM will protect their confidential documents (such as health records, bank records, and such), and stop using other methods. In a few years we'll see lots of these documents not only cracked, but cracked via the internet en masse. Oh the horror.

DRM - the surefire way to destroy IT

[cheros]

Okayyyy, let's look at this properly. You have data going in, data going out, and all of that over a series of devices (servers, gateways, firewalls, desktops, maybe tape streamers etc etc). All of this stuff has to be DRM enabled not to create a hole in this scheme. Am I the only one to spot a rather obvious problem here?

You are busy with sprinkling multiple single points of failure into the IT that has to support your business, and you don't have a way of disabling it for diagnostics if it dies for some reason (and it will, you're not exactly talking about mature technology here). Worse - someone else DOES have an on/off switch to your own Intellectual Property. So, the next time you have en equipment failure or the next time your accounts department forgets to pay MS protection money (just to give it a different name), imagine what's going to happen. Given that you have signed away all redress by accepting the usual shrinkwrap EULA you just *may* have a problem.

Try explaining that one to your shareholders. Oh, and try claiming that off your corporate insurance. You'll probably get a cheque: about $1 for the entertainment you've given them. You may, however, get taken to the cleaners for liabilities yourself (for example, if you happen to host data for other people). I can really see a bright new market emerging for China and Korea for non-DRM equipped kit. Once the consequences of DRM dawn on corporate America you won't be able to sell a DRM enabled piece of kit for more than scrap value, but as usual we will have to make the mistake first before we realise what mess we got ourselves into.

Re:Very stupid

[Richard_at_work]

Ever heard of VPNs? Bingo. And where does it say that this is a single server, my understanding from other sources is that it can be clustered or distributed over several locations.

Forward In-Compatibility: Nothing New

[DaRat]

It's nothing new for companies to introduce products which save files in a format that older versions can not open. It is rare for a company to do that with every new version, but it happens.

To expect that a person using Microsoft MiscProduct 1.0 will be able to open a file in MS MiscProduct 10.0 format is a bit much. Now, if MS MiscProduct 10 couldn't save in something that MS MiscProduct 1.0 could read, then you might have more room to complain.

Re:RTFA

[david_reese]

From the first paragraph:

for the first time will include tools for restricting access to documents created with the software. Office workers can specify who can read or alter a spreadsheet, block it from copying or printing, and set an expiration date.

Users get to set it. It's not automatic.

For now... but they can always change that. Who's to say that our helpful friends in Redmond won't "default" this behavior in newer versions, after it's been pseudo-released in this version? It's not like they don't have a history of doing this same sort of behavior (see DOJ vs. Microsoft).

Cut-and-Paste Strikes Again

[r4lv3k]

Will cut-and-paste violate the DMCA?

If I have a document that doesn't allow printing or forwarding, what keeps me from pasting the text somewhere else and printing or emailing it? You can do that with Acrobat's print-protected PDFs, and it has had "DRM" for some time now.

Okay, maybe they thought of that... just maybe. One could still take screenshots and run it thru OCR software.

Who would do that, you ask? Well, anyone interested in distributing the information badly might do it. And if the whole point of this DRM is to prevent that sort of mischief, it is a false sense of security.

And it wouldn't be too difficult... An auto-scrolling screenshot capture tool could pull it off quite nicely.

r4lv3k

No need to over react - this changes nothing

[Osrin]

Surely a user will have the choice of pushing the DRM button or not... if they don't push it then the playing field is still level, if they do push it then they did so for a reason.

Re:Mostly FUD

[mlrtime]

Isn't this exactly what Lotus Notes does with mobile users and its databases?

Take off the tinfoil hat

[Overly Critical Guy]

This feature is off by default. Certain companies will want to lock-in their documents. This is a 100% complete non-issue.

Re:out of the water

[jedidiah]

Like much of what Microsoft comes up with (or steals), this seems to be something that started out as a reasonably good idea and then got ruined by Microsoft management. A generalized document/file security & decryption service actually makes some sense. However, there's no reason to limit yourself to msoffice files when considering sensitive corporate data. So instead of making something that might be generally useful to everyone, they decide instead to make this service a club that they can use to force people to buy crap they don't really want.

The Free Software community should respond with a more generalized version of this concept and make it callable/embedable module that can be used for ANY corporate data and not just spreadsheets.

Re:Only when the document creator chooses to lock

[bpowell423]

You're not looking at it the right way. All they have to do for vendor lock-in is to make the Office 2003 file formats for .doc, .xls, etc incompatible with previous versions and use some form of encryption. Doesn't matter how good the encryption is, it'll be illegal to decrypt it (DMCA). We use a cad program at work that silently encrypted our cad files. Simply opening and saving the file with the new version of the software upgraded the format to the encrypted version (without you knowing about it). There was an outrage against the company (not Microsoft) after all the users figured out what had happened, but it was too late. All those files can now be opened in that application only. We only found this out when we wanted to switch to a different cad system, and the files couldn't be converted. Of course, we always have the option of redoing all that work in a new cad system! My guess is that if you use Office 2003, you'll be locked in to MS Office forever, unless you're willing to re-create your documents in something else.

Re:I don't see the problem here.

[jmv]

Is there a Win32 API call to prevent all cameras from working.

Re:Mostly FUD

[rking]

Wasn't all of this said before when Microsoft put the activation "features" into some of their software? That still seems to be around.

Yes, but it did cause more problems than it solves, if only because it hasn't solve any problems at all. Everyone pirates the 'professional' versions that don't feature product activation.

Analog my friend...

[sterno]

Or you just get out your trusty camera and take a picture of it. If you want to get higher tech, capture the EM signal generated by the monitor. It's just like bypassing music DRM by recording from a line out. This sort of security will stop casual snoops, but somebody who wants the information will get it.

Re:I don't see the problem here.

[velkro]

So... you install Windows in VMWare, install DRMOffice, open document, and screen cap the VMWare session. Or use Terminal Services, rdesktop, vnc, insert_favourite_dmca_circumvention_tool_here...

Re:A Solution: Report piracy

[MImeKillEr]

Every time you see someone using a pirated version of a Microsoft product in a system that helps maintain the lock-in, mailing you Word docs or similar, inform the Business Software Alliance.

And how do you know they're using pirated copies? Does the word document's headers contain anything special that says as much? No, it doesn't.

Like it or not, piracy is good for software vendors. The more people you have using it, the more mainstream it becomes.

After everyone's hooked, you move to a registration scheme similar to XP's (take Adobe for example -- the next version of PhotoShop).

Unless and until GPL applications with the same features (and ease-of-use) come along, people are going to stick to what they know. No GPL application will have an easy fight getting users of pirated software to convert. By the time the GPL program is out, the users are used to the other application's menu structure and use. Unless said application mirrors the pirated program exactly, people will resist changing.

Information flow NIGHTMARE!

[Tsu Dho Nimh]

Oh wow ... given the numbers of PHBs who already password protect presentations and send them out without the password, which they promptly forgot, this should be a productivity enhancer.

• The critical presentation EXPIRES the night before you need it.
• The only person with the rights to open a document is sick and didn't make the meeting.
• The BIG customer tells you that they are not about to upgrade their servers and corporate software just to read your documents and tells you to provide material they can read or forget it.
• They will have to have FULL-TIME rights managers, who track who is entitled to read whose documents.
• And a full-time Search and Rescue team to retrieve lost documents, crack lost passwords, etc.

No suprises here

[raw-sewage]

Quoting the article:

Dan Leach, Microsoft's lead product manager for Office, said rights management features were built into the new Office based on ongoing discussions with customers.

"We asked people what types of things would you like to do that you can't do now, and what they said is they'd like to spread large amounts of information around to more of their people--but they have concerns that the wider they spread information, the more likely it is to become available to the wrong people," he said.

...So they cooked up the least compatible solution possible. Sorry, I'm either preaching to the choir or just venting, but Microsoft's business strategy is a game of answering the following question:

What can we do to best eliminate competition or exploit our monopoly while passing it off as innovation or being customer driven?

I feel that the article actually puts Microsoft's new scheme in a positive light! This needs as much bad press as possible! When will the general population realize that Microsoft is very rarely innovative? And that virtually every business move of theirs is in the interest of stifling competition?

If Microsoft didn't have a monopoly, they couldn't pull off half of the stuff they do.

There are many ways to solve the user's problem above that do not involve vendor lock in or forced obsolescence. In fact, this could be the killer app for Linux and all of open source: integrated crypto for the Linux kernel and OpenOffice.org. Make security inherent in the total system, but use established crypto systems. DRM can be delivered with open source!

I once heard that Burger King never does location research. They just wait for McDonald's to build a restarant and then BK builds their own nearby. Well, open source might as well use the market research that Microsoft makes available---let open source deliver customer solutions that actually benefit the consumer.

I believe there is something to be said for not caring whether or not open source gains market share. Well, I don't care about market share, but I would like to be able to use my Linux desktop and not worry about compatability with everyone else. I'd like to be able to receive documents from my friends and co-workers and not have to request a non-proprietary data format. I'd like to be able to buy hardware with OEM-level Linux support. I'd like to be able to recommend Linux to my friends without caveats. Unfortunately, these things won't be possible until Linux has significant "market share". I would nearly bet my life that Microsoft's Office monopoly is what keeps open source from gaining significant market share. I think that, any more, MS Office enables the Windows monopoly! Microsoft knows this and they are milking it for all it's worth.

Microsoft is no different from any other company faced with a similar situation: they recognize a critical event in their market (the emergence and spiraling popularity of open source) and they realize they must take drastic measures to keep or increase their market share (lock everyone else out at any cost). Such a monumentous undertaking will require Microsoft to put a lot at stake. Unless open source---and educated consumers in general---respond with equal effort, Microsoft will come to own your digital world.

Re:I swear...

[soft_guy]

Track changes, adding comments, tables, creating templates for various purposes, outline views, etc.

Its not that anyone uses every feature, but every feature is someone's favorite, and they cry if it isn''t there.

One place where I worked had one guy who knew a lot about Word and his job was to create all kinds of templates for everyone else. There was all kinds of junk that we ended up using regularly that I don't even know how to use unless it is in his template.

Re:I don't see the problem here.

[Lodragandraoidh]

DRM must encrypt the data, which would make reading the document, even with a hex editor, a losing proposition.

If we agree that it is encrypted, then reading M$ documents will require duplicating their domain authentication and encryption for DRM - not likely to be released by M$.

Needless to say, someone will probably break it anyway. I have to laugh at some of these folks who are saying 'this is the solution to all of my document exposure problems'. DRM is not a panacea; your documents are only secure if you keep them off of electronic media, off of the net, and locked up in a vault. Once you send it off into the ether, all bets are off - DRM or no DRM.

Re:Mostly FUD

[Gaardenzwerch]

So the executive flying to L.A. won't be able to access the documents while on a 4-hour flight. Nor will he be able to do so from the hotel unless they open up the firewall to let him access the authentication server--something that seems inherently dangerous considering it's Microsoft we're talking about. Employees may not be able to work from home

Anyone that is willing to accept this kind of annoyances must have very sensitive data.

Now if I had any secrets to protect, I'd prefer encrypted files that are en/decrypted by a supplementary layer of my filesystem when I access them. I'd certainly not trust any security features from Redmond, as there will be cracks available before the first beta is out.

On the other hand, if I were to try to steal data from a competitor, the perspective of being sued for DRM breach wouldn't turn me off when I'd want to expose myself to being busted for espionnage

Re:Problem for MS in a different way

[MImeKillEr]

Many times I have been sat at my desk and read something that is internally confidential to my company posted on an external web site... this is hugely damaging for the company and it's reputation. As a senior exec I would buy off on anything that allows me to keep my confidential information confidential.


Somehow, someway stuff will get leaked. Its inevitible. Whether it be by accident, carelessness or malice - it'll get leaked.

Sure, this'll slow it down. But how much do you want to bet that MS will offer MSDN users tools to break the docs? How long before some CEO or CIO forgets his/her password and needs to get into a protected doc?

It'll happen. And when it does, the info will make it out. This is simply a band-aid.

Re:Office 2003 DRM: It's Very Cool and Not Insidio

[sharekk]

The DRM feature in Office and Outlook enables a user to prevent emails and documents from being forwarded to and viewed by people not specified by the sender/creator.

I presume this means that every email you forward to me has to be read in outlook. Somehow I don't think Microsoft will write a plugin for lotus notes (what I'm stuck using at work) or PINE or mutt. So now I'm forced into using a Microsoft product which I'll have to pay for to read all those emails. And a couple of versions in the future I may no longer be able to copy/paste between half my emails and documents because people got used to leaving the DRM button checked. And I won't be able to make easy backups of my email because the DRM thinks I'm making illegal copies and sending them on...
If I want to keep something anonymous I just tell people in person. I'd much rather do that than deal with all the potential hassle.

Re:Mostly FUD

[drakaan]

Yeah, NTFS permissions are *really* handy...unless you mount an NTFS partition (read-only, of course) on Linux (or something else) and copy the files.

We're talking about file security when the document specifically *can* be copied, and the only way to accomplish that is to use a proprietary (ugh), non-human-readable (ugh, at least to me for documents), application-bound, centrally-authenticated document management system. All of which sucks, IMHO.

If it's supposed to be distributable and secret or subject to "rights" management then it probably shouldn't be in electronic format.

Re:I don't see the problem here.

[Courageous]

So the only real way you can defeat this is by opening it in a non trusted application,...

No, he's correct. You'd have to cripple the entire operating system while the document was open. For example, you'd have to ensure that VRAM was inaccessable to the users, that nothing was paged out, that the memory of the application itself never stored the document in unencrypted form (impossible, if it's displayed), and so forth.

But in any case, nothing my digital camera can't defeat.

C//

Re:Business Orientated Positive Feature

[dzym]

If OOo had this feature before MS Office, I bet you could have enticed quite a few businesses over from the Office series jsut based on IRM.

Except open source is generally stuck into a copy-what-MS-has mode, because MS is one of the biggest R&D spenders in the industry. Generally, that does mean MS is at the forefront making the innovations.

Document Management System

[nigelc]

Many years ago, I worked for a company called PCDocs, who made a variety of document management systems. For those of you whose answer to "Document Management" is EMACS, here's a short blurb about the capabilities of a doc management system from PCDocs [pcdocs.com] website:

Hummingbird DM?, a core element of Hummingbird Enterprise, is a content management platform that enables knowledge workers to receive the right information when and where they need it. Powerful search tools and web access ensure content is available across global organizations, while versioning and security profiles safeguard document integrity. Add Records Management to oversee the content lifecycle while minimizing risk, plus companion solutions for Collaboration, Workflow, Imaging, Web Publishing, and Engineering file management...

This nasty Microsoft "advance" is just a continuation of building document management features into what started life as a fairly decent word processor. By the way, such systems typically allow a user to check out a document (eg to a laptop) so you can read the controlled information on the plane if you want.

There are a lot of companies that want this level of control over their sensitive documentation. This isn't new. This isn't dangerous. This isn't going to lead to Microsoft taking over the world.

Re:Why upgrade?

[JohnFluxx]

it might backfire. I don't know how it works, but if you encrypt it, it might also be counted as a signing it.

So you whip out your digitial camera, takes pictures of the document, save the document to a floppy, and show the photo's to the judge. They order for the password to be given to view the document (or whatever) and because it is signed, it is proof that it did come from the accused and it unaltered.

Re:That'll be true for a while.

[JWW]

If they want to still be your supplier, they won't be able to dictate it, you can demand that they send you the documents in the appropirate format for you.

I think we'll see more pdf's due to things like this.

As for your clients, well, there you're screwed, they will demand the new formats, but you can always try to send them pdfs. But in the end you will have to do what they want.

I keep finding more and more reasons to dislike Microsoft. I mean, how the hell are there people out on slashdot who can actually continue to stick up for them (M$ employees excluded).

Re:The straw that broke the PHB's back?

[Enucite]

Try out OpenOffice 1.1
Startup time is much lower--it starts faster than MS Office on the Windows machines I've seen--and it has many new features.
It's still in the RC stage, so you may want to wait until the official release; but it's much better than 1.0 so--depending on the number of users you're managing--you may consider moving to it now and upgrading to the final release when that's out.

Prohibited by law from accessing your own document

[Anonymous Coward]

So I buy an Office license under XP today. I write a book (well... if I stop drinking and whoring it *might* happen so just go with it for now).

Coupla of years later, I decide when the popup message appears "You must pay your $25 to Lord Gates for another year of use of Office" that I don't want Office that bad, and remove it from my computer.

Later, I want to open my OWN FRIGGING BOOK that I wrote. Now I use Linux and some nice GPL Word reader and the DCMA police show up? Geez!

The DMCA is allegedly intended to protect the AUTHOR's rights in the intellectual property. Breaking the "access restrictions" that Cindy Smith put on her document w/o her permission (assuming she has not transferred them or given someone else fair use rights) violates HER IP rights... not Microsoft's. Microsoft should not be able to invoke the DMCA to prevent someone from producing a product for Cindy (or anyone she wants to allow) to read or access her own works.

Re:An end to Whistleblowers...

[j-turkey]

Now, if we had a culture of doing the right thing, being honest and trusting, then there would be no issue with having such DRM capabilities being built into an office software package... Of course, that kind of feature would never be used in such a world as there wouldn't be any reaon, if people could be trusted.

So you're anti-DRM...but what you wrote seems anti-crypto too. Is crypto OK to use just so long as "evil corporations" stay away from it? Crypto is for everyone...plain-old-folks-like-you-and-me, scientists, inventors, admin assistants, doctors, lawyers, salesfolk, plumbers, students, and yes -- corporate officers. Did you have the same reaction when PGP or GPG was released? It isn't like this is the first crypto to come to the Windows world. "Bad people" could've had their hands on it before just now. If this comes down to your not liking MS' implementation of it, don't use it. Otherwise, everyone who has ever written an encryption scheme for general consumption has had to think about the repercussions of "bad people" using it...and again, it's not like it wasn't available before (and it's been done quite well -- so well, that I do not believe that the NSA is able to break much of it).

In your rationale for keeping DRM away from businesses you point to their general dishonesty. It seems like you're suggesting that every officer at every company is corrupt...and I don't think that you could be any more wrong. Come on...is everyone who tries to sell a product or service (and make a buck in the long run) an evil empire run by an evil genius?

Sorry to vent this off onto you, but I'm getting kinda tired of the contention that every businessperson (and everything associated with it) being "evil". So some guys were (and are) dirty. Some psychiatrists take advantage of their patients to extort money and sex from them. Are they bastards? Sure -- but it does not say a single thing about the lot of them. How many executive officers do you know? How many of these people that you know (not know of, but actually know) are "evil corporate bastards"? Can you actually prove it?

I'm not asking you to go back to work and hug your CFO, but just think about what you're saying.

IANAEO
I Am Not An Executive Officer (or even close!)
I do use, and encourage the use of strong encryption for everyone.

-Turkey

P.S. Wouldn't this be alot easier if strong encryption just didn't work when the evil bit's set?

Teach people about freedom to preserve your own.

[jbn-o]

But five years from now, when everybody buying a Dell or Gateway machine has the latest version of Office bundled with their machine, I will likely be the only guy who can't read their documents, and their sympathy will have disappeared. I'll have to upgrade.

There's no particularly good way out of this using the marketplace; the marketplace will dictate it.

If you give up on freedom, precisely what you describe is likely to happen because people are not going to give up word processing or editing databases, so they'll go with whatever software is available to meet their needs. There is another path: teach people the value of software freedom.

The Free Software movement proves that "the marketplace" is not the almighty immobile force you describe (or perhaps you're just interpreting too much in terms of the marketplace in order to make it appear unchanging; hence whatever happens it will be seen through that lens). When the GNU project began, many people said nobody would write software without being paid and when people are paid to write software, they are being paid to write non-free software. History clearly shows those people were wrong. In fact a number of the organizations that distribute non-free software now use the GNU Compiler Collection (gcc) as their chief compiler, and ship part of the rest of the GNU operating system too. People have been paid to write Free Software and governments are getting the idea that their people's ability to communicate freely using a computer rests on using Free Software.

I think the key is to teach more people about software freedom. Take this opportunity to show people that with Free Software you won't be beholden to any proprietor's interests. As the pool of people using Free Software grows your chances for being able to get by with Free Software grows too.

Adobe has done this for years...

[pointbeing]

Actobat has had these features for years. I find it interesting that all the howling begins when MS decides to follow suit.

Anybody with more than cursory Acrobat experience knows you can restrict reading, editing, printing and even the Windows clipboard when you create a PDF.

Re:I don't see the problem here.

[tambo]

Great - so you can disable the feature that's not practical.

So many of Microsoft's technologies fit that description:

• System Restore
  
• Indexing Service
  
• Office Binder
  
• Office Fast Find
  
• !@#$ing office assistant (now assaulting you both in Office and in your Windows XP file searches!)
  
• the much-vaunted voice-command feature in XP
  
• the software firewall in XP
  
• fixed-disk compression (does anyone use this?)
  
• Office document properties
  
• HTML content in Outlook (does this actually benefit anyone except spammers?)
  
• Active Desktop (a/k/a "the ability to animate your desktop"... ugh, just what I need)

You know, it's a miracle that Microsoft sells any software at all, when 80% of its features turn out to be nonfunctional or pointless. If they dumped all of their resources into just increasing stability and security, and implementing a few features that users actually request, their business would skyrocket.

- David Stein

Monarchy???

[El]

Uh, wouldn't corporate domination be called something like "autocracy"? I don't know of any corporations headed by a king! In fact, by definition, corporations are owned by shareholders... which in the US means that over 50% of the population are at least indirectly in charge of these evil corporations! If you don't like what a corporation is doing then convince a significant portion of the population to boycott that corporation's products! The problem is not that there's some evil conspiracy between government and corporate interests, the problem is that 99.9% of the people clearly don't give a shit! Educate them!

Re:Change the headline.

[ewhac]

"Encryption features" does not imply a server requirement. Indeed, all of what is in MS's proposed feature set can be accomplished through intelligent deployment of OpenPGP-compliant encryption. No proprietary formats (or proprietary servers) necessary.

Obviously, encryption would require changes to the file format.

This is also incorrect. File format is orthogonal to encryption. Indeed, PGP and GnuPG can encrypt Word files today -- you don't need to wait for Microsoft's broken and incompatible implementation to get it.

Schwab

Illegal only in the US.

[emil]

Most nations do not have a DMCA. The decryption work will simply be performed outside the sphere of influence of this facism.

Microsoft could choose to emulate Adobe and trigger an FBI investigation of OOO within the borders of the US. In doing so, they would trigger a fight with Sun.

Sun is much larger than Elcomsoft, and it would be the fight of the century. It might actually be the key moment where the IT industry overthrows the DMCA (as should have happened some time ago).

When Sun wins (Microsoft legal will find a way to screw it up), the DMCA will suffer a mortal blow. Congress would be extremely unwise to attempt to strengthen it; those who endorse such an action will face the wrath of some well-organized lobbiests.

Microsoft, choose your battles carefully.

Re:An end to Whistleblowers...

[Bas_Wijnen]

There's tons of perfectly legitimate uses for this technology

Any legitimate use it implements is also in GPG, which doesn't have the problem that it provides better possibilities for doing illegal things.

anyone who doesn't like it can go use OO or just ignore the feature.

Wrong. I don't like it, my boss sends me a protected document anyway. Should I just ignore that document?

Sony bundles Open Office.

[emil]

A DRM push by Microsoft might drive a few more OEMs into this camp.

Potential Legal Issues

[nurb432]

Companies cant just have pertinent documents expire at will. This is the same thing as electronic paper shredding..

They also must provide access to the courts when subpoenaed. " sorry we cant seem to access that file" wont fly..

However this will help lock in Microsoft's control of the office suite market.

How long before they try to lock out online access? With the help of the Homeland Security Department, it might be possible ( you can only use 'approved' software.. and hardware )

Next project...

[rnturn]

... at home will be to prepare some response letters to the various vendors, banks, etc. that the missus and I have a business relationship to inform them that if they send us any communications that is in a Microsoft format that we will be taking our business elsewhere. If they are unable to provide information to us in a non-proprietary format, I will make it a crusade to find someone who can. I should not have to pay a company several hundred dollars for a product that I would not otherwise choose to purchase merely so I can read someone else's business communications. To date, I have been able to accept their Microsoft-based communications because of the interoperablilty provided by OpenOffice. If Microsoft pulls this little stunt and they expect me and my family to willingly go along and purchase their software, they've got another thing coming.

I fully expect that my friends will understand this far more readily than any businesses to whom I express these feelings. They may think they have us by the short hairs... What's next? I'll have to buy a Microsoft phone so that I can receive phone calls because they use a proprietary signaling format?

After I deal with the first business that I'm forced to drop because they insist on sending me documents in a DRM-enabled Microsoft format, my local, State, and Federal policitians will receive their copies. And I suggest that everyone do something similar. Inform businesses that you are no longer able to do business with them if they require that you use a specific vendor's product for business communications. When businesses realize that they are pissing off enough of their customers, and we let them know it, perhaps this crap will end and Microsoft will find that they risk losing their business customers. And if enough every-day citizens -- you know, John and Jane Q. Voter -- begin complaining to their elected representatives that they are being adversely affected by the DMCA, then changes will occur.

Re:I don't see the problem here.

[tambo]

This is going to happen, too many people at the selling end like it.

To a limited extent, I agree with you.

In general, corporate secrecy is a good thing - companies aren't going to invest billions in R&D unless they know that they can protect their trade secrets. It's not a good thing when it comes to protecting fraud or spoliating evidence, but that's different.

So, I'm also in favor of allowing companies to secure their electronic documents - just as they lock up their paper documents and are careful about giving out the keys.

But in a technical sense, the mechanisms of doing this should be in the file store, not in the application. Either someone can access the information, or they can't.

Enforcing security on a per-application basis is needlessly complex, and as a result, is hopelessly, hopelessly error-prone. Meanwhile, it imposes grievous inconveniences on the users. And (not coincidentally), it breaks all of the old hardware and software with which the files were used, requiring everyone to upgrade everything. That is a terrific waste of resources.

- David Stein

Re:Mostly FUD

[Stephen Samuel]

Yes, and as such it seems entirely stupid. So the executive flying to L.A. won't be able to access the documents while on a 4-hour flight. Nor will he be able to do so from the hotel unless they open up the firewall to let him access the authenticatio

I'm just waiting for the horror stories from the first MS customers who have their server crash, and then lose all access to critical documents. Even if they have backups, they'll still lose access to recently created documents that don't have their rights backed up. (talk about logic-bomb central!)

Either that, or we'll end up finding out just how much of a sham MS's "protection" of those documents is.

Re:The Caching Issue

[tambo]

The only thing this "DRM" provides is the ability to mass-distribute a document within a company without worrying that someone might be on a mailing list that they're not supposed to be on... since everyone has to authenticate to read the attached document, they'd have to use an authenticated account to read it.

Yeah, that worked really well for the Germans in WWII, didn't it? ;)

Seriously: As a general security concept, it's a bad idea to put information into the hands of everyone and rely on an encryption scheme to ensure that only authorized individuals can decrypt it. Encryption schemes get broken; even the guys who created RSA encryption have suggested methods of weakening it (e.g., quick analysis that narrows the brute-force search space for the key.) It's infinitely safer to control who has it in the first place.

- David Stein

Re:Office 2003 DRM: It's Very Cool and Not Insidio

[Ogerman]

The DRM feature in Office and Outlook enables a user to prevent emails and documents from being forwarded to and viewed by people not specified by the sender/creator. That's all this feature is.

100% Wrong. You clearly do not understand how proprietary DRM systems work. All 'security' whatsoever hinges upon the assumption that the client's application will play by the rules. Once you have the sent document and the decryption key(s) on your computer, all faith is in the application software. The moment that someone releases a hack for the new Office and Outlook that allows a user to access the plaintext or override the "do not copy / re-send / print" flag, all supposed DRM security will be entirely worthless. It is truly this simple: If you can read it, you can copy it. The DRM being proposed here is security through obscurity. Microsoft is betting that people won't find the proverbial "key hidden under the doormat." Even if this DRM system was eventually backed up by hardware (which doesn't look very likely at this point), people could still take a picture of the screen and use OCR to recover the text.. that is until the hardware itself is cracked.

Furthermore, I would like to point out that not all of your e-mail recipients use or want to use Outlook. Anyone who doesn't won't be able to read your emails, so enabling DRM isn't really a viable option anyhow.

I want to control who has access without having to expose the recipient to the mystery and overhead of encryption.

What you're asking for is an impossible pipe dream. For the reasons explained above, you will never be able to have true control over what someone does with information you send them. Using encryption, you can protect that information up to the point where they receive it, but you cannot reliably keep them from sending it to someone else. The best you can ever hope to do is build trust among the people you communicate with.

By the way, you cannot avoid the "overhead" of encryption. It's the foundation of any DRM system. The only difference is that the new Outlook / Office / etc. will try to make it mostly invisible to the user. You'll still need keyrings, signing, and passphrases if that encryption is to be of any value whatsoever.

So, in summary:
1.) proprietary DRM systems are not very cool
2.) proprietary DRM systems are, in fact, insidious. They do not offer true security but they DO try to force people to all use the same email, office, whatever software.

MS DRM like Anti-Lock Breaking

[t_allardyce]

"If you're a senior executive and you're carrying around your five-year business plan, you probably want to have that information secured so only you can read it," he said.

If you're carrying around very sensitive data the only methods you should be relying on are tried and tested encryption, and physically restricting access

Businesses can lock down such documents now with third-party tools such as encryption software, but embedded rights management tools in the document creation software are much easier and more likely to be used, Gartenberg said.

"The harder you make security to use for the end user, the less people are going to use it," he said.

The safer you make people feel, the more risks they will take - someone said that about anti-lock breaking systems

I really think this will back-fire

[kannibul]

You know, when I come across a document that I can't open, I ask the creator to send me one that is compatible with what I am using.

For example, we use MS Office 2000 at work - if someone emails me or a user a Microsoft Works file (.wks I think) - I ask them to contact the sender and have them save it in MS Word compatible format.

Basically, as I see it, Microsoft is going to pursuade more people to NOT upgrade to the latest verion since it would be incompatible with the previous versions of Office - plus, you don't have the option to save it in a "compatible format".

At least, this is how I am reading it.

All I know is, if MS is making this an issue, then what I would recommend is to NOT upgrade, but to purchase something like 10 licenses for it, and have some people act as the go-between in the instance that there is an issue.

That, or just skip it entirely, and stick with what we have. There's always RTF/TXT format, or HTML.

Re:Surely you jest?

[Crispy Critters]

'A private company introduces software that basically introduces built-in encryption for word documents, spreadsheets, and email...And the availability of this product is somehow an example of "blatant abuse of the law"?'

You miss something. These features are awarded special protections under the law. The concern is that MS is trying to use a loophole to extend these special protections beyond what they were meant to be. This is an abuse of the law. The features themselves are not at issue, but the effect of the features in the context of the DMCA.

And stop calling me Shirley.

Re:The straw that broke the PHB's back?

[lessgravity]

I've been using OpenOffice on my home machine now for about 4 months and I love it. I am starting the push (since I'm an IT Manager) for our company to look at it as an alternative to upgrading Office. It will be difficult to convince those in management away from their precious Excel. centrifugalforce [blog-city.com]

MS master stroke

[ciphertext]

If you had a monopoly on desktop productivity and wanted to draw people to use your server software, what better way to do that than offer them a carrot! I don't know if this will prevent the copying of documents (you could open Open Office 1.1 and the the Office suite side by side and CTRL-C and CTRL-V until you got all of what you wanted) if you have sufficient authority to read them. What it does do is cause the IT departments of large companies with an interest in DRM to think twice about the Windows Server 2003. If they use the new Office and want to use the DRM they MUST use windows server 2003. You can't use Red Hat, NetBSD, FreeBSD, OpenBSD, SuSe, Solaris, (insert OS here...). I see this as another attempt by MS to exercise their muscle to gather up monopoly share. We need a few corporations the size of IBM, HP, GM, GE, etc... to stand up and say "No thanks. We are just fine with what we have now.". Even better would be if those companies said "No thanks. We believe we are going to switch over to a Linux desktop with OpenOffice or StarOffice, because what it will save us in licensing will cover the cost to redeploy and retrain. Also, we won't be locked in to one vendor for our products.". Too bad that won't happen.

Re:Mostly FUD

[BobTheLawyer]

it doesn't make hiding documents easier, it just provides an excuse for why they're not readable, and it's an excuse which isn't going to impress a court very much.

Re:Illegal only in the US.

[sean23007]

(Microsoft legal will find a way to screw it up)

No offense, but are you being stupid just for fun? Say what you will about Microsoft's crappy products, but their attorneys are absolutely unsurpassed. These guys don't just go about "finding ways to screw things up." They go about finding ways to convince judges and juries that the alleged infractions are merely illusions and that punishment would somehow stifle competition and innovation. The only thing Microsoft does well is litigate.

Re:That'll be true for a while.

[Anonymous Coward]

I keep finding more and more reasons to dislike Microsoft. I mean, how the hell are there people out on slashdot who can actually continue to stick up for them (M$ employees excluded).

Many people owe their careers to learning how to apply some MS proprietary solutions. For a few grand, you can buy an MSCE and make a good living without having to be especially skilled. A threat to MS is a threat to their careers because it devalues their skill base. MS has done a great job of building a legion of professionals utterly dependent upon MS solutions for their careers.

This caught me on a slow day, so here it goes...

[Dave21212]

this caught me on a slow day, so here it goes... your comments or criticisms are appreciated !

Think about:

The system is ultimately ineffective (screen shots anyone?, hand made copies?, pocket cell-phone cameras?), and false security is worse than none

It requires additional infrastructure (cost) and software upgrades (cost) then locks you in to the M$ implementation

Companies (financial) will have to manage (cost) the new documents to meet compliance issues (ie: you can NOT have documents that are required to be kept for compliance be protected from copying or have them expire - and how do you stop it?)

Single point of failure:What if the DRM server is down (temporary downtime company-wide for M$ Office)

What if the DRM server crashes and can't be restored (permanent loss of important data)

Will M$ provide a backdoor (for Law Enforcement, PATRIOT ACT, etc), what if it's leaked ?

THIS IS A DOCUMENT MANAGEMENT ISSUE - not a security problem, people need EDM/ECM not more gimmicks !

'Hacking' into the document to provide interoperability or to recover data may be a FEDERAL OFFENSE under DMCA

What about search/rescue for the users who screw up and lock themselves or others out of documents accidentally ???

Forced upgrades (al la Win2K) just to continue to use YOUR OWN (DRMed) corporate assets

Louts Notes has had a (less user-friendly) version of this since R2 [slashdot.org], and very few shops use it (encryption keys)

On the bright side:

There are a huge number of users/customers/vendors/partners who will not be able to use the DRM documents (requires upgrade), so it will take years to even marginally implement for external communications (which is one of the main items people want it for in the first place)

Some obvious possibilities for abuse include:

Stopping Whistleblowers (Enron, Pentagon, Worldcom/Arthur Anderson, Whitewater)

Erasing potential evidence: stockbroker send you bad advice in a doc that expires in 30 days

Erasing potential evidence: boss tells you to do something unusual that gets you into trouble

Erasing potential evidence: employees colluding to do things detrimental to a company (embezzle?)

Mafia can us it for betting slips, other low-level secure comms

Word/Excel macro viruses could be set to self-destruct to protect the guilty

Restricting fair-use rights

The Terrorists could use it !

See Also:
http://www.securityfocus.com/columnists/165 [securityfocus.com]

Re:Mostly FUD

[digital photo]

It is arguable that being in a "business mode" is what will cause compatibility problems and reinforce the monopoly. Business mode is thinking that you need whatever it is that is compatible with everyone else. Since business mode implies that you "think smart" and try to antiipate what technologies will be used, you go with what's new and what looks good, from a business point of view.

In the current climate of security sensitivity, not necessarily security awareness, business minded folk are going for what will "protect their IP".

The herd will lumber towards "DRM" as a means of "potecting themselves" and get landlocked. Or in this case, locked in one application.

This isn't new. MS has done this before with Word by repeatedly changing the format of the documents to make it as incompatible with other word processors as possible.

It looks like they are going to try it again, just under a different guise, with a different business case.

Re:Illegal only in the US.

[Anonymous Coward]

Really? Find me a lawsuit filed against MS where they were found not-guilty. Seriously, try it. If you *do* manage to find one, I'll be very interested.

DMCA woes: wrong!

[Tom7]

Even if the developers of a competing office suite could figure out how to get their software to open an Office 2003 document, doing so would be a DMCA violation, since they'd be bypassing an anti-circumvention device.

No, wrong. Circumvention only happens if it is done without the authority of the copyright holder. Since an office file opener could be used to open your own documents, or documents that others want you to open, there exists a substantial non-infringing use, so the software would not be a circumvention device.

Re:Information flow NIGHTMARE!

[dublin]

The DRM features I see actually described, in the article (did anyone actually bother to read it?) and through a couple of links in other posts above, are not terribly troublesome. Unfortunately, the paranoic responses here obscure that reality.

In fact, what MS has here is really nothing more than an MS implementation of a PGP equivalent with an authentication server and app hooks that know just a little bit about how the assigned rights relate to the nature of the files they're dealing with.

Let's take these paranoic rantings one at a time, shall we?

The critical presentation EXPIRES the night before you need it.

Could happen. You could also set the permissions on the file so that you can't read it. Why should this tool be a panacea to eliminate human stupidity? It won't be. This is a "power tool" - power tools can kill.

The only person with the rights to open a document is sick and didn't make the meeting.

Again, this one could happen, but if it does, it just shows that your group has woefully inadequate processes and procedures for assigning access to documents. (And how this is significantly different from that person having the copies in his briefcase and the source file in a non-open subdirectory on the server is not clear...) One presumes (since this is based on AD) that those higher in the auth chain could always override such assignments. In fact, this is one real benefit to a server-based auth method - it's effectively impossible to leave things locked up forever, or have rogue employees leave working time bombs.

The BIG customer tells you that they are not about to upgrade their servers and corporate software just to read your documents and tells you to provide material they can read or forget it.

This one would only happen if you were stupid enough to try to cram you auth methods down your customer's throats. You can do that with suppliers (although it's a losing move), but never customers. Generally, I expect this will not be widely used between companies, especially given the difficulties in establishing trust (both technically and humanly) between organizations.

They will have to have FULL-TIME rights managers, who track who is entitled to read whose documents.

You've never worked in the real world, have you? These people already exist, and have for better than 40 years, going back to NASA and the military-industrial complex. Their function is called "Configuration Managment" (do a Google search [google.com]), and the idea is that these people determine what is kept, where, how, for how long, and who is allowed to use it in what ways. These are vital things any organization needs to do to manage information on a non-trivial scale, regardless of whether that work is building stealth bombers or growing organic kumquats.

And a full-time Search and Rescue team to retrieve lost documents, crack lost passwords, etc.

If it's any good, cracking will be fruitless. (I'll hold my judgment in reserve until I see MS implement real safety, but AD, for all its warts, has some really cool and elegant aspects. It's really too bad there aren't any interoperable alternatives.) As I mentioned above, the recursive nature of rights flow in AD (or any other decent auth system, such as Novell's Netware or NDS) should allow any employee's boss or other delegated person to override and/or reset rights.

In all, this is a decent solution to a very real problem. Unfortunately, it will certainly not be interoperable or standards-based, at least until and unless the Samba guys ever get a real interoperable AD replacement. And in big "enterprise" accounts, this will be a compelling feature that may persuade some customers to upgrade, something they are loathe to do now.

It's worth noting that there's no reason the same features couldn't be done in a completely open way if someone wante

Re:That'll be true for a while.

[in4mation]

A LOT MORE SPEED IS What Open Office needs... and then you will get wider adoption. I try to use Open Office but its a really painfull process and usaually end up using Word when I have some serious documents to bang out.

5 Questions Customers Should Ask Microsoft

[Glasswire]

1) Will DRM or other features in the new Office break backward compatibility with earlier Word/Excel/etc formats? In other words, will opening and editing and saving a Word 97 file in the new Word prevent older Word versions (or 3rd party applications) to open that file later?

2) Will Microsoft make any encoding APIs freely available to the public for 3rd party applications to open and use those files?

3) If the answer to 2) is no, will Microsoft license any encoding APIs to 3rd parties and will these be non-discriminatory?

4) If the answer to both 2) and 3) is no, will Microsoft agree not to invoke legal action in the event that 3rd parties reverse engineer any encoding APIs?

5) If the answers to all of 1) through 4) is no, is Microsoft not concerned about US or EU anti-trust authorities ruling that the Office file strategy is anti-competitive?

Businesses won't stand for this

[budGibson]

Business people are well aware of the dangers of lock-in and looking for alternatives. Witness the recent adoptions of linux for the desktop (government of Munich), the moves by Asian governments (Japan, Korea, China) to create a non-proprietary OS, the moves of industry groups to adopt open standards (CELF in Japan, the embedded market in general).

The tendency here is to view Microsoft as all-powerful. However, as revealed by the recent Fortune opinion piece summarized here [fortune.com], Microsoft cannot come up with new products that genuinely win people over. Business people have revolted over the forced upgrade terms they put through a year ago. People are walking away from their forced lock-in at all levels. If anything, this move will just speed up the process.

There are Ways to Resist

[serutan]

Whenever someone sends you a Word 2003 document you can't read, do what you do when someone sends you any other type of document you can't read. Reply that you can't read it and ask them to send you a non-protected format that you Can read, such as RTF.

Re:Disgruntled employees

[Anonymous Coward]

Actually, you start to get into one of the scenarios where Microsoft's de facto monopoly is possibly a huge liability for a corporation.

Consider that many industries are under regulations which pertain to document retention and destruction. Now, let's introduce document infrastructure that possibly causes the company to violate these regulations (like in your example).

Now, the "monopoly" factor enters here: Because it's *Microsoft*, it's regarded as the only option. So the fact that it may lead to a legal crisis will be overlooked by counsel, as the IT pinheads cream in their pants to upgrade to the latest offering from Microsoft.

Microsoft has disclaimed all responsibility for this of course, and the IT folks don't get fired for buying Microsoft, and counsel will never admit that it was a mistake.

Had there been a number of alternatives, the IT folks just might start getting fired for making the poor, possibly criminally negligent, decision to use Microsoft products.

Unfortunately there are NOT a number of viable alternatives, and the few that exist are generally dismissed simply because they are "not Microsoft".

If you introduce a genuine incompatability, enforced by hard crypto and protected by the DMCA,
you might just end up in a predicament where you CANNOT use any office software, because you have conflicting requirements.

Re:Illegal only in the US.

[Jody Goldberg]

Much as I wish this was true, history disagrees.

Gnumeric can read encrypted xls files. The mechanism for doing it was largely worked out by Caolan McNamara for .doc files, whose notes are public. He now works on OOo, which does _not_ support encrypted files. Sun/OOo has the knowledge, but clearly their legal team has squashed the notion. You don't mess with MS' legal team lightly. Money may not buy happiness or love, but it can definitely purchase one heck of a lot of lawyers.

Re:The straw that broke the PHB's back?

[William Baric]

We allready use OpenOffice for all our end user's here

How did you make the switch? I did some tests with OpenOffice and some of my clients who don't want to spend money on licences... It's hell! Not because OpenOffice is bad (I don't use MS Office anymore) but because most people are completely computer illiterate. As soon as the smallest thing changes they're lost! Half of them think that File/Print/Select PDF printer is too complicated so they keep sending SXW files to people who use MS Word. The worst part is since they try to find a excuse for their incompetence they're constantly bitching OpenOffice (and me, of course). If OOo had a perfect MS Word filter I guess change in a large (i.e. more than 2 people) organization could be possible but until then it's a lot of trouble and in a short term period paying for an MS upgrade cost a lot less than switching to OOo (particularly because people would use the "I'm learning the new program" excuse to not do their work).

Re:DMCA woes: wrong!

[Frobnicator]

Wrong! ... Since an office file opener could be used to open your own documents, or documents that others want you to open, there exists a substantial non-infringing use, so the software would not be a circumvention device.

Yes, he is partly wrong, but so are you. It may be true that the circumvention device clauses are satisfied. Unfortunately, we don't have to look far to see how companies and projects that fit that exception are still prosecuted/persecuted and even killed.

This would be a good target for a bunch of SLAPP suits [nolo.com] against the developers -- if they chose to implement it. The potential gain for Microsoft and others ("We bankrupted 30 contributers to OpenOffice for DMCA violations. We're sending you a DMCA notice. You wanna be bankrupt next?") far outweighs their potential cost ("We paid $250,000,000 in the cases we lost, but it's just an investment for product lock-in and extra FUD against developers.") .

Just being on the right side of the law does not mean that you will survive a massive legal attack from a multi-billion dollar company. Anti-SLAPP laws are in effect in most states but the DMCA altered the USC, which is the federal law, so those state laws could be carefully avoided.

Examples:

• DeCSS [harvard.edu] (multiple cases, some still in appeal)
• kazaa [com.com] (in court and dying)
• napster [go.com] (dead)
• CopyWrite [retailtrafficmag.com] (alive, after expensive years in court and an expensive appeal)
• Lessig about Fox fair use problems, MyMP3, Napster [openp2p.com] (in court & private settlements, dead, dead)
• DRM Conference transcrpt [berkeley.edu] (discusses dead & dying, but legal, projects)
• Embedded fonts [cmu.edu] (alive, but at a big cost and avoidance of court)
• A student's paper with summaries of other cases [tulane.edu] (United States v. Sklyarov, Lexmark v. Static Control Components , Felton v. Recording Industry Ass'n of America) and several interesting hypothetical physical-world comparisons to the law (locking keys out of your car == loss of ownership of car until you present the Automobile Protection Assocaition with a proper court orders allowing you to jimmy the lock).

The unfortunate fact is that just because it is legal, and even if it is right, both StarOffice (Sun) and the contributors to OpenOffice (including Sun) could both face deadly lawsuits from Microsoft if they attempt compatability.

Strategic lawsuits (gray-area, predatory lawsuits), "death by lawsuit", and even Google's lists of Allegedly Unethical Firms [google.com], Corporate Accountability [google.com], and corporate criminals [google.com] show how corporations are attacking and killing projects, even when the projects or public participation are the right and legal thing.

So while you are right that such a project would be legal, you are wrong in your implied statement that it would be a safe thing to do.

frob

Re:An end to Whistleblowers...

[NickFortune]

So you're saying because a handful of companies are doing bad things and snooping secrataries break the rules and could save the day we shouldn't implement this feature? There's tons of perfectly legitimate uses for this technology and anyone who doesn't like it can go use OO or just ignore the feature.

I think the point is more that the rules of evidence seem to be somewhat lacking in the face of such a syatem. Granted, once an investigation is underway a court can order a company to produce all releveant docuemnts. The trouble is that some evidence is gnerally needed before an official investigation may be begun. Generally this means written evidence, which may be hard to come by if all relevant docs are automatically encrypted.

So it's not about whether "we" should or should implement this feature - its about how it will be used and what mechanisms will need to be defined to provide a check for possible corporate malfeasance. Lord knows its hard enough to pin anything on a big corp as it is, even if, like Enron, they've been caught red handed. It's a little scary to think of how much harder it might become under such a scenario, and personally, I'd just as seen someone was thinking about the issue before the first case comes to trial. Someone who isn't a corporate lawyer in charge of cover-ups, that is.

Besides, Kenneth Lay didn't have a clue what was going on in Enron (or so his PR firm says) - what makes you think he'd be smart enough to use this feature?

Because a lot of people don't believe he's being entirely honest when he says that. And we think if he's smart enough to use a shredder, he's probably smart enough to use the encryption feature. I mean if there's one thing MS do well it's idiot-friendly interfaces... It'll probably ship on-by-default. In fact, if the intention is to break backwards compatibilty (again!) and force upgrades then it'll probably be not only on but mandatory.

DRM and encryption

[David Jao]

A private company introduces software that basically introduces built-in encryption for word documents, spreadsheets, and email.

You have it quite wrong. DRM is not encryption. It is amazing to me that people so often confuse the two.

Encryption is the art of securing a communication that both parties want secret. An example of encryption is the Pentagon-Kremlin hotline.

DRM is the art of securing a communication that only the sender wants secret. The whole point of DRM is that you are trying to keep the communication from leaking even in the face of an adversarial recipient.

The distinction is a really big deal! It's the whole reason why DRM is so difficult (and, to some, so objectionable).

Disclosure: I work for Microsoft, in the cryptography/anti-piracy/DRM group.

Re:Then OpenOffice.org should implement it FIRST

[200_success]

Digital rights management requires a whole closed system to make it hard to crack.

It's not possible to implement many features of DRM management using open-source software -- it's too easy for someone to code a loophole when the source is available.

For example, what if you wanted to mark a document was as read-only and unprintable for everyone except the author? If OpenOffice.org supported DRM like this, one would simply hack the program to to disregard such restrictions. It would be a sure bet that someone would create a DRM-circumventing variant, and the DRM-enforcing version would quickly become irrelevant.

Anarchy in the UK, US, EU, ...

[TomDLux]

If a nation publishes a law in a format which I cannot legally read except by purchasing a specific product, and I refuse to make that purchase, how can I be expected to obey the law?

Re:I don't see the problem here.

[Viol8]

If VMware implement a perfect virtual PC then there simply is no way for an OS running within this VM to know if its real or not.
There simply is NO WAY for MS to prevent Windows running in a properly written virtual PC. Sure the could check the type of virtual drivers
loaded but then it would be a simply task for VMWare (or whoever) to modify them so the check doesn't work.