
Guardian Unlimited Blogs : http://blogs.guardian.co.uk/technology/

Technology

Bott and Ou call out Gutmann's Vista FUD

New Zealand-based academic Peter Gutmann is being challenged to substantiate his claims about Windows Vista

Last year, New Zealand-based academic Peter Gutmann attracted a lot of attention with a "research paper": A Cost Analysis of Windows Vista Content Protection. I blogged it.

What's odd is that Gutmann doesn't seem to have used Vista, and some of the things he says (or is said to have said) are not true. For example, a NetworkWorld.com report on last week's USENIX Security Symposium is headlined: "Vista prevents users from playing high-def content, researcher says".

This assertion is so obviously wrong that you have to wonder what NetworkWorld.com thinks it's doing. There could be millions of people who have, with their own eyes, seen Vista playing high-def content from commercial discs (eg HD DVD) or downloads or stuff they've shot with their own HD camcorders.

"This is not commercial HD content being blocked, this is the users' own content," Gutmann said. "The more premium content you have, the more output is disabled."

Really? So we have a Vista researcher who didn't notice that, for example, the latest Vista fix-packs offer "better HD DVD/Blu-ray playback" (CDR Info).

Both Ed Bott and George Ou have now taken Gutmann to task on their ZD Net blogs. Ou mentions the popularity of Gutmann's paper and says bluntly: "There's just one little problem: Gutmann's theories are unsubstantiated and they're all wrong."

Ou says Gutmann's claims about CPU use have been disproven by tests at Anandtech, and that Ars Technica has "debunked some of Gutmann's other crazy claims". He concluded (before some ruder updates):

Peter Gutmann if you're reading this, have you even bothered to do any research before you make your claims? As for the media that keeps citing Peter Gutmann, have you guys checked the validity of Gutmann's claims? I have thoroughly debunked Peter Gutmann's claims and it's time we put this nonsense to sleep.

Last year, Vista was a bit of an unknown, but today it's the world's second most used operating system, after Windows XP. It must have reached New Zealand. Seems to me that Peter Gutmann should step up to the challenge, and either do the research needed to substantiate his claims or withdraw his paper. Seems to me that doing neither reduces his credibility to zero. Sorry.

Comments


Doctor

Comment No. 644758
August 15 18:48

@ Jack

How do they measure OS market share? Is it purely on sales? I work in the NHS and every machine I have seen recently has got either a made for Vista or XP sticker but they have all been rolled back to Win 2000.

CSClark

Comment No. 644792
August 15 19:11

OT, but I was interested to read the non-Gutmann Ars Technica bit in the light of what Cory was claiming down the page. - "The biggest trick the devil ever pulled was in getting folks to blame someone other than Hollywood for video DRM." Indeed.

JackSchofield

Comment No. 644812
August 15 19:36

@ Doctor
> how do they measure OS market share?

Partly it's sales statements: Microsoft says Vista has sold 60 million copies since the consumer launch, but that doesn't mean they are all installed. Partly it's from things like web-site hits, where Vista is around 6%.

It's sort of possible that there are more Linux users but they just never go online. However, I rather doubt it. Even if it were true today, it wouldn't be true in another month.

@CSClark
> Cory was claiming down the page. - "The biggest
> trick the devil ever pulled was in getting folks
> to blame someone other than Hollywood for video
> DRM." Indeed.

Yes. The Hollywood studios are absolutely responsible for video DRM. Apple is careful never to talk about it, but it will have to implement the same stuff in Leopard, so it will be interesting to see if it can do it better. I'm sure it's taken the Vista code apart, so it should....

nulldevice

Comment No. 644977
August 15 22:44

"Seems to me that Peter Gutmann should step up to the challenge, and either do the research needed to substantiate his claims or withdraw his paper."

I feel it is important to note that Peter Gutmann had already posted a note on his site, which is relevant to this story, Mr. Schofield:

"On another note, it seems a bit of a war of words may be erupting with George Ou over at ZDNet. He decided (without ever hearing my talk or seeing my slides) that what I'd said in the slides was wrong. Quite a remarkable feat really, since he's never actually seen them. I offered to send him my slides with all the information in them as soon as I got back into the country, but he went ahead and posted his preconceived conclusions anyway, still without ever actually having seen the slides he's commenting on ..."

The comment may be read in full here:

http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html

People should also be aware that Mr. Gutmann is not some kind of lunatic being put right by ZDNet bloggers but a university academic in Computer Science and a cryptography expert who has written some very useful software and who has some pretty impressive research under his belt. His homepage may be viewed here:

http://www.cs.auckland.ac.nz/~pgut001/

For myself I shall wait to see what is in Mr. Gutmann's slides, as George Ou would have been better advised to do.

JackSchofield

Comment No. 645015
August 15 23:21

@ nulldevice
> I feel it is important to note that Peter
> Gutmann had already posted a note on his site,

I already gave a link to his site. His comment doesn't add anything. He does not, for example, say he was misquoted by NetworkWorld.com, and his paper is still up there. It's the paper that's being rebutted, not his slides.

In passing, if you asked me to send you a set of my slides I could do it in minutes, even if it was on my home PC, regardless of which country I was in. It doesn't take days to do this sort of stuff.

Trixr

Comment No. 645201
August 16 7:54

The NHS is still running on Win2k? Dear lord. Still, it's better than Oz Customs, which is just migrating from 98 to... Vista. Good luck to them, I say.

whereistom

Comment No. 645323
August 16 9:49

George Ou accusing *someone else* of FUD? Blimey. That's like you accusing posters here of being rude and offensive, Jack ;-)

AceAceBaby

Comment No. 645343
August 16 9:59

The NHS is not running on Win2k. Different organizations with different approaches and requirements are running whatever version works for them.

Doctor

Comment No. 645374
August 16 10:12

@ Jack

Thanks for clarifying that.

Sorry if I did not qualify my post, I was only talking about the organisation I work in, which is one of the largest acute trusts in the country, and it uses W2K and Office 2000 across desktop machines and Win XP on laptops.

JackSchofield

Comment No. 645683
August 16 12:14

@ whereistom
> George Ou accusing *someone else* of FUD? Blimey. ;-)

He uses Windows and says what he finds. I'm able to do what he does and see if he's telling the truth. I can live with that. People who don't like him should do what he does and show he's wrong. Usually they just resort to insults and flat-out lies, which means George's critics have a lot less credibility than he does.

If George says Vista can play an HD movie then you can get Vista and see if it does play an HD movie, and prove it (or not) by capturing a video or at least screen grabs. It's not rocket science.

whereistom

Comment No. 645967
August 16 13:54

But when Ou embroiled himself in the whole Mac wireless exploit foolishness a few months back, he wasn't exactly averse to telling "flat out lies" himself - "Apple never credits security researchers" was one that he could easily have validated simply by checking the notes with *any* of Apple's security updates.

I'm not saying that Ou is always wrong. But I am saying that his credibility takes regular hits (read some of his responses/mindless rants to comments on his blogs), and that there are people whose word I take more seriously when refuting any other claim (Ed Bott, for example).

Ou is not much better than most of the people he criticises. There are extremes at both ends of any of these debates, you know.

EuroJohnny

Comment No. 646440
August 16 16:38

Gosh there's a lot of misleading threads and disingenuities that need disentangling here. Start with the easy one, the criticism of the heading, "Vista prevents users from playing high-def content, researcher says," which is clearly nonsense as Jack says. But Jack you, as a journalist who I imagine like other journalists on the Graun gets your stuff subbed by the subs, are very naughty to stick it to Gutmann for that one! It's no more his fault that some stupid sub has come up with that, than it is when it happens on the Graun (and it does happen FREQUENTLY).
.
I'm sure you realise you are being a bit silly suggesting Gutmann has never used Vista; the problem with basing any universal declarations on either his or your own experiences is of course they are anecdotal: how many times have I seen something posted in a group only to get a bunch of, "This doesn't work," responses followed by another bunch of, "Oh, yes it does!" SERIOUS researchers/journalists need rather more than their own anecdotal experience. Gutmann's very thorough original paper goes into some technical detail (oh god, what detail!) about the fundamental strategies behind how HDCP in Vista works, and what the drawbacks of those strategies are for users, which seem untouched by anything you or these 2 have written. However, as you intimate, there is then the separate issue of the actual user experience and how that is manifested in different scenarios.
.
But let's actually clarify the situation. Vista has HDCP to 'protect' premium content. 'Premium' content being, theoretically, DRM high-definition video and audio. What that means in practice, is that Vista will only allow premium content to be rendered (played) at full quality provided every path within the PC along which it must travel and every connection to the output device (screen/speakers) is secure (ie. provides for encryption). Otherwise, it will only allow the premium content to be played at a degraded, far lower quality. I assume that much is uncontroversial?
.
So, what are some of Gutmann's claims as to the ramifications of this? First, regarding the 'user experience'. Theoretically, if you have HD content that is not 'premium' (ie. not tagged protected) you should be able to play it regardless. However, a review of user experiences seems to indicate this is not always the case: certainly, a number of people claim they HAVE played back non-premium HD content at full quality but equally a number of people say they cannot. That could be for a number of reasons, but it comes down to how Vista decides whether or not a piece of HD media is premium or not. Apportion blame where you want, but Vista is currently not always correctly identifying non-premium content. And as soon as it thinks it's being asked to render premium content, unless every piece of relevant hardware in the PC and every path within and without is HDCP compliant it will only play a low-quality version.
.
The more hidden drawbacks are complicated, but it does seem to me they are hard to escape unless you change the fundamental laws of physics! To work, this HDCP system must do 2 things: it must decrypt encrypted content 'on-the-fly' (indeed, I think it can need encrypting/decrypting multiple times, no?) and it must constantly check to ensure that all the relevant hardware is HDCP compliant. Now, surely, however you cut it - if you are doing those things you MUST be taking away computer power from the tasks users actually WANT their computers to do if you weren't doing that? You are also requiring hardware manufacturers to focus less on providing the very best user experience they can, in order to facilitate the requirements of HDCP. Finally, because successful HDCP requires secrecy the full specifications for HDCP hardware cannot be open - and therefore 'open' or 'free' software and drivers fully supporting them can never be created.
.
Surely these are the fundamental issues which Gutmann has raised. If you think there is some flaw in the logic or an inaccuracy in the account of HDCP then please do tell us, but last week's release of patches that include "better HD DVD/Blu-ray playback" are hardly relevant are they? [though, had they been, giving Gutmann a WHOLE week to research, test, gather multiple user-experiences etc., could hardly be described as 'generous' on your part before accusing him of having "zero credibility"!].
.
As to whose 'fault' it is that we're lumbered with this awful mess, well I'm the LAST person that would seek to let the greedy corporate media off the hook! But you have to ask yourself, what would have happened if MS hadn't volunteered such a scheme. But instead a more limited one, much as per DVDs. Would Hollywood really have abandoned HD formats? I don't think so. On the other hand MS are a major provider of DRM, and on the current set-up 'open/free' software systems will never legally be able to play 'premium' content. Quite a blow to a competitor? But I freely concede that attributing the 'blame' is pure speculation Jack, and I hope we can stick to the more hard realities of Vista HDCP and its actual major shortcomings.

JackSchofield

Comment No. 646984
August 17 0:30

For pity's sake, EuroJohnny, I hope Word's wordcount is rubbish because it says you've just posted 1,746 words.

According to the T&Cs I should probably remove it, but I'll leave it up to the proper mods who can remove my comment as well.

I think you should either start blogging or start limiting yourself.

Start a blog and you could post something here that gives one paragraph and says "for the full 1,746 words, see my blog at" etc. If you won't do that, just give yourself a maximum of 400 words to make your point and then stop. 200 is better.

Not that many people will actually read 1,746 words, even if it's a well-researched exclusive cover story.

JackSchofield

Comment No. 646994
August 17 0:37

@ whereistom
> But when Ou embroiled himself in the whole Mac
> wireless exploit foolishness a few months back,

I bow to your superior knowledge. I'm not a regular reader of either, and I stayed well away from the wireless thing.

> There are extremes at both ends of any of these
> debates, you know.

True nuff ;-)

fred2

Comment No. 647100
August 17 4:25

@EuroJohnny

... and a space works as well as a full stop for para spacing.

EuroJohnny

Comment No. 648100
August 17 14:44

I take your point Jack, and will try to find briefer ways in the future (though this is nothing compared to the tracts we were exchanging, in a rather less 'productive, calm and rational' spirit a few weeks back ;-) ). But there is a fairly complex issue right at the heart of this is there not? And I wanted to try and get any discourse back to being based on some hard facts, rather than just the, "No it isn't! Yes it is! etc."

Fred2: Thank you! [But why does this blog work differently to all the other CiF ones?]

GeorgeOu

Comment No. 649003
August 18 6:10

"But when Ou embroiled himself in the whole Mac wireless exploit foolishness a few months back, he wasn't exactly averse to telling "flat out lies" himself - "Apple never credits security researchers" was one that he could easily have validated simply by checking the notes with *any* of Apple's security updates."

Gotta love these people who can't even honestly quote someone. Show me a single place where I said "Apple never credits security researchers"? I've only accused Apple of not treating David Maynor and Jon Ellch fairly and being underhanded.
http://blogs.zdnet.com/Ou/?p=451

Besides, what in the world does Apple have to do with this? Since you've misquoted me, I have to assume you only did it to discredit me.

whereistom

Comment No. 649259
August 18 14:49

George Ou - you're right, I'm sorry. I can't find that quote, I am mistaken, and I genuinely apologise for attributing it to you.

[Guardian mods - if the rest of this comment is too off-topic, too long, or is crossing the line of acceptable comment, please delete it. Please leave the above apology, though]

However, I am afraid that I still have little respect for your writing. I feel that your reporting of the whole Maynor issue overstepped a mark - it was filled with insults, inaccuracies (corrected when pointed out, but easily checkable before publishing them), and attacks against Apple and, worse, other journalists and bloggers.

From the very start, you took a standpoint that Apple were lying, even though there was no evidence to prove this (dissecting PR statements doesn't count). Despite the fact that Apple diligently credit security researchers, you presented what amounted to a conspiracy theory around a supposed treatment of Maynor. It was nonsensical, and got more so over time as you fought a rearguard action.

When Apple fixed a wireless exploit you took an unprofessional celebratory tone, and accused Apple of refusing to credit Maynor (http://blogs.zdnet.com/Ou/?p=326) - even though there is no evidence that the exploit was his, and certainly no evidence that it was based on code supplied by him. You didn't come across as a good journalist, but as a witch hunter.

So, to answer: "Besides, what in the world does Apple have to do with this?" - if I can't trust your writing in one situation, give me one good reason why should I trust it in another?

"Since you've misquoted me, I have to assume you only did it to discredit me"

Or because I was mistaken. But anyway - I'll say to you what I have said to Jack before: I have no position from which to "discredit" you. You're the paid technology journalist - all I am is a nobody writing comments on a blog. The standards to judge me against are (rightly) lower than those to judge you against. You are an opinion former, I am not. You have to triple check your facts to maintain your journalistic reputation - I have no journalistic reputation to maintain. If you don't want to be discredited, make sure what you write is factual and has integrity - people will make up their own minds about you no matter what I say.

Again, I apologise for misquoting you, but that doesn't change the fact that I cannot trust your writing.

PeterGutmann

Comment No. 651922
August 21 10:17

It seems like this nonsense is never going to die. sigh.

>What's odd is that Gutmann doesn't seem to have used Vista,

I've been wondering where this interesting fact came from, because I've had it since shortly after it was released (obviously I didn't have it when I originally wrote the content-protection analysis in late 2006, since it hadn't been released yet and I wasn't about to pirate a copy). Overall it's quite nice, but I have the feeling it was released about 6-12 months too soon, particularly from the driver-support point of view. I'd guess I'm probably still using XP (or Linux) mostly, because a number of the cool toys I have don't have Vista drivers yet (that's why I was interested in the appearance of Atsiv, which I cover in the talk, since it looked like it might help with Vista driver availability).

>"There's just one little problem: Gutmann's theories are unsubstantiated and
>they're all wrong."

What he really should have said there is "My claims of what Gutmann said, which I've had to invent since I wasn't at his talk and declined his offer to see his slides, are ...".

>Ou says Gutmann's claims about CPU use have been disproven by tests at
>Anandtech,

Again, you need to make a distinction here: What George invented was disproven by tests, not what I said.

>He concluded (before some ruder updates):

You should have seen some of the private mail he's sent me :-). I actually deleted his initial message because I thought it was just crank mail.

>Peter Gutmann if you're reading this, have you even bothered to do any
>research before you make your claims?

Yup. However George has done no research whatsoever, since by his own admission in one of his articles he's admitted that he's never heard my talk and never read my slides. He's done zero research himself, and has had to invent the material he's attacking.

Quite a curious piece of, uh, "journalism" in my view.

>Seems to me that doing neither reduces his credibility to zero.

The reason I haven't released the slides yet is because it's been amusing watching the train wreck that George has built for himself by attacking material that he's never seen :-). It's also quite amazing seeing people agree with him.

Hang on, aren't you doing that too?

Peter.

PeterGutmann

Comment No. 651948
August 21 10:27

Oh, and as an addendum, I think EuroJohnny's comment sums things up pretty nicely. For example:

>Apportion blame where you want, but Vista is currently
>not always correctly identifying non-premium content.

That's pretty much what I said in my talk, with quotes from a number of sources where people talked about running into problems when they tried to play back HD content.

CSClark

Comment No. 652125
August 21 11:35

"It seems like this nonsense is never going to die. sigh."
+
"The reason I haven't released the slides yet is because it's been amusing watching the train wreck that George has built for himself by attacking material that he's never seen :-)."
=
Spluh?

EuroJohnny

Comment No. 652875
August 21 15:52

So what's the general story with these 2 guys Bott and Ou then? Are they just standard Microsoft/Windows fanboys, frothing and blustering against anyone with the temerity to question their heroes while playing the 'attack dogs' against any competitor? Or is there the possibility, one way or another, of a "closer relationship" with Redmond? Either way, they don't seem to have any credibility left but background is always SO interesting. Perhaps they should just stick to correcting hapless and ignorant sub-editors, on inaccurate headings, from now on.

JackSchofield

Comment No. 654779
August 22 15:21

@ EuroJohnny
> So what's the general story with these 2 guys
> Bott and Ou then?

Do some research: they are both well known and have loads of stuff online. It's a really bad idea to insult people and abuse their work from a position of ignorance.

JackSchofield

Comment No. 655034
August 22 16:34

PeterGutmann
> It seems like this nonsense is never going to die. sigh.

Thanks for commenting! However, you could easily kill off a lot of "nonsense". Seems to me you have had plenty of time to publish your Usenix talk and release your slides. As far as I can see, you have not disowned, contradicted or clarified the NetworkWorld.com report I quoted. This could be done in seconds.

> However George has done no research whatsoever,
> since by his own admission in one of his articles
> he's admitted that he's never heard my talk and
> never read my slides. He's done zero research himself,
> and has had to invent the material he's attacking.

It's your fault that George hasn't heard your talk (or read your notes, whatever) or seen your slides. It's also not true to say he's done "zero research". He has, for example, checked CPU use and power consumption on a test PC (http://blogs.zdnet.com/Ou/?p=673), which seems to be rather more than you have done.

> It's also quite amazing seeing people agree with him.
> Hang on, aren't you doing that too?

It's not as amazing as someone standing by doing nothing while their credibility is attacked.

As you'd probably guess, I got into this by seeing the NetworkWorld.com story, which had nothing at all to do with George. You appeared to be saying things I know aren't true -- which isn't necessarily your fault, of course -- so I looked around. But as I've just said, you've had plenty of time to say: "No, that's not what I was trying to say" or whatever.

Incidentally, your original paper has now expanded to around 25,000 words and practically no one is going to read it. Shovelling in even more notes and quotes isn't going to make your case better, it just means no one will bother to find out if you actually have a case or not.

Since you admit you hadn't used Vista when you wrote it, I think you should start again and do it better, shorter, and with working examples. At the moment, the working examples do not appear to be on your side. "Put up or shut up," as they say in school playgrounds ;-)

fred2

Comment No. 655316
August 22 19:24

@ Jack

This is all way over my head. I remember reading the Gutmann piece a while back, and it being too technical for me. However ...

"[Ou] declined his [Gutmann's] offer to see his slides", puts a slightly different spin on things, if true.

JackSchofield

Comment No. 655448
August 22 22:51

@ fred2
> "[Ou] declined his [Gutmann's] offer to see
> his slides", puts a slightly different spin
> on things, if true.

I can't think of any reason why Ou would do that: it is inconsistent with what I know about him and what he says.

Ou posted on his blog the following:
http://blogs.zdnet.com/Ou/?p=673

> [Update 8/16/2007 - Gutmann retreats and refuses to
> provide slides or any data to support his theories.]

> [Update 8/14/2007 2:45PM (cut) Peter Gutmann has
> posted a slam at the top of his "research" paper
> that I didn't wait for his slides. I find it funny
> that he has time to write a paragraph slamming me
> but he doesn't have time to post the slides and he
> doesn't have time to post any data to support his
> theories.

I haven't seen, or been offered, the slides either.

If I'd given that talk, I'd have posted the slides to myself on Gmail, just for back-up*, so it would take me 30 seconds to forward them to someone else. Even if they were stuck on my PC at home, it would take me less than 10 minutes to log in remotely and send them. Mr Gutmann has had more than a week.

* giving an important talk on a different continent, I'd also have the slides on a hard drive, on CD, and on a memory stick. Are you going to tell me a known security expert would have only one copy, and it's not handy? Really?

If you go to the Usenix conference site, you can download the slides of the person who talked before Gutmann (Markus Jakobsson, Indiana University) and the slides of the person who spoke after Gutmann (Ran Canetti, IBM Research) on Wednesday, August 8, 2007. Why not his?

http://www.usenix.org/events/sec07/tech/

Does that put a slightly different spin on things?
