Slashdot Mirror

From what I've read, HDCP is about as powerful as ROT13 for content protection. I'm pretty sure it is already as good as broken... COMPLETELY broken... as in snoop the handshake between a small number of devices a few times and you can compute a single device key. Repeat for a fairly small number of distinct device keys (40) and you can then compute any possible key. All it takes is one modestly secure digital media format and you'll see HDCP strippers available in the back of Video Magazine or whatever for $30 apiece....

Protecting content with BD+ is solely intended to damage the fair use of individual consumers to make backup copies of their own media that they lawfully obtain. Anyone doing commercial piracy has been able to break HDCP and reencode trivially for a long time.... When are the media companies going to learn that playing games with technology to try to prevent legal copying only pisses off the customers?

While I think this issue is important, I personally haven't had the time to devote to really look at all the angles. I do know that this bill is supported by the EFF, computer scientist and e-voting critic Prof. Ed Felten and Ars Technica among a vast number of others. While the bill is by many accounts imperfect, the provisions for auditing and verification are a vast improvement on the current state of affairs, where we use black box machines and can have no confidence that our votes are tallied as they were cast. So I support the bill.

I think there's a reasonable argument to be had about whether we aren't better off just using paper (for reasons of transparency), but the point is that that argument can be had completely independantly of this bill. This bill clearly improves the current situation with electronic voting machines (DREs), and has no effect on whether or not you have to use DREs. From the EFF pages in support of H.R. 811:

An outright ban on DREs may or may not be possible with this Congress, but it is irrelevant to whether or not this bill should pass. Rep. Holt's strategy -- to convince Congress of the need to improve transparency in U.S. elections, regardless of technology -- is a sound one, one that many volunteers have expended extraordinary efforts to bring to fruition and one that could be on the verge of succeeding. Nothing has prevented or currently prevents now-vocal critics who are calling for an outright DRE ban from going through the process of drafting the appropriate legislative proposal and then soliciting the necessary support for it. But attempting to derail or hijack HR 811 as a vehicle to ram through an unlikely-to-pass DRE ban unnecessarily risks the passage of other important substantive requirements. And once again, nothing in HR 811 prohibits states from limiting the use of DREs of any kind or banning them altogether.

Moving to defeat this bill because you oppose electronic voting is foolish. It is a situation the perfect being the enemy of the good. This is something activists on many issues fall prey to that keeps them from being effective.

The folks over at Freedom to Tinker seem to think Safemedia is an elaborate hoax.

On the other hand, its CEO is testifying in front of Congress...

Ed Felten wondered the same: see is Safemedia a parody?

I couldn't find that Haiku

The article is misleading; the hacker posted the comment, not the site or its editors. I quoted the "Own Integers" Haiku ((copyright 2007 by Edward W. Felten)) as part of an Educational Post on the actual encryption. The F2T blog with the original seems to be Slashdotted... again. Imagine that.

I do admire BtCB sense of technical style.

I couldn't find that Haiku

The article is misleading; the hacker posted the comment, not the site or its editors. I quoted the "Own Integers" Haiku ((copyright 2007 by Edward W. Felten)) as part of an Educational Post on the actual encryption. The F2T blog with the original seems to be Slashdotted... again. Imagine that.

I do admire BtCB sense of technical style.

I couldn't find that Haiku

The article is misleading; the hacker posted the comment, not the site or its editors. I quoted the "Own Integers" Haiku ((copyright 2007 by Edward W. Felten)) as part of an Educational Post on the actual encryption. The F2T blog with the original seems to be Slashdotted... again. Imagine that.

I do admire BtCB sense of technical style.

As long as...great great tinkerers need to worry about the freedom to tinker, http://www.freedom-to-tinker.com/;
...the powerful such as Bill Gates keep investing in long-term research on how to lock people down;
...we leave it to the U.S. government to following the Constitution, including recovering the real purpose of copyright and patents by, e.g., repealing the DMCA;
We will need the likes of the GPL3 to give an option to reduce the inevitable temptation of vested interests to use DRM to subjugate people.

<html><header><title>You Own an Integer</title>
</header>
<body>
<h5> 44 67 DF 9B 0E C2 38 20 18 EE 1E 05 6F 49 CB 31</h5>
<!-- comment
Here is the ciphertext: 1302FFF479AC1849769A7B620A3BB81D6448FFC86FBB4B0059 AF5D564F058A1F6448FFC261B7184379803E6A1827EB5E2A02 FFEF61AD16
-->
</body></html>

1302FFF4 - 79AC1849 - 769A7B62 - 0A3BB81D - 6448FFC8 - 6FBB4B00 - 59AF5D56 - 4F058A1F - 6448FFC2 - 61B71843 - 79803E6A - 1827EB5E - 2A02FFEF - 61AD16 (ciphertext)
4467DF9B - 0EC23820 - 18EE1E05 - 6F49CB31 - 4467DF9B - 0EC23820 - 18EE1E05 - 6F49CB31 - 4467DF9B - 0EC23820 - 18EE1E05 - 6F49CB31 - 4467DF9B - 0EC238 (key)
5765204F - 776E2069 - 6E746567 - 6572732C - 202F2053 - 61797320 - 41414353 - 204C412E - 202F2059 - 6F752063 - 616E206F - 776E206F - 6E652074 - 6F6F2E (ascii hex)
We[SP]o - wn[SP]i - nteg - ers, - [SP]/[SP]S - ays[SP] - AACS - [SP]LA. - [SP]/[SP]Y - ou[SP]c - an[SP]o - wn[SP]o - ne[SP]t - oo.

Note that the line breaks of the poem (haiku copyright 2007 by Edward W. Felten) are encoded by a space-slash-space, rather than some manner of CR/LF combination.

<html><header><title>You Own an Integer</title>
</header>
<body>
<h5> 44 67 DF 9B 0E C2 38 20 18 EE 1E 05 6F 49 CB 31</h5>
<!-- comment
Here is the ciphertext: 1302FFF479AC1849769A7B620A3BB81D6448FFC86FBB4B0059 AF5D564F058A1F6448FFC261B7184379803E6A1827EB5E2A02 FFEF61AD16
-->
</body></html>

1302FFF4 - 79AC1849 - 769A7B62 - 0A3BB81D - 6448FFC8 - 6FBB4B00 - 59AF5D56 - 4F058A1F - 6448FFC2 - 61B71843 - 79803E6A - 1827EB5E - 2A02FFEF - 61AD16 (ciphertext)
4467DF9B - 0EC23820 - 18EE1E05 - 6F49CB31 - 4467DF9B - 0EC23820 - 18EE1E05 - 6F49CB31 - 4467DF9B - 0EC23820 - 18EE1E05 - 6F49CB31 - 4467DF9B - 0EC238 (key)
5765204F - 776E2069 - 6E746567 - 6572732C - 202F2053 - 61797320 - 41414353 - 204C412E - 202F2059 - 6F752063 - 616E206F - 776E206F - 6E652074 - 6F6F2E (ascii hex)
We[SP]o - wn[SP]i - nteg - ers, - [SP]/[SP]S - ays[SP] - AACS - [SP]LA. - [SP]/[SP]Y - ou[SP]c - an[SP]o - wn[SP]o - ne[SP]t - oo.

Note that the line breaks of the poem (haiku copyright 2007 by Edward W. Felten) are encoded by a space-slash-space, rather than some manner of CR/LF combination.

Ed Felten has an excellent series of posts about AACS on his freedom-to-tinker blog. Here's the URL for the first post in the series: http://www.freedom-to-tinker.com/?p=1104.

Ed Felten has an excellent series of posts about AACS on his freedom-to-tinker blog. Here's the URL for the first post in the series: http://www.freedom-to-tinker.com/?p=1104.

To those who are confused: it might help to read this.

I mentioned the routing issue. Routing around congestion is not really relevant to Stevens' point, which has more to do with the fact that at any given time, total bandwidth limits do exist, and congestion can occur as a result, and therefore some means of allowing for prioritised traffic (QoS guarantees) can in fact be important. (See Ed Felten's analysis, which I've just discovered, for a more detailed look at what Stevens was trying to say.)

The implication of not easily being able to expand capacity is arguable - Stevens didn't actually allude to that and it's not clear that he intended to. For what he was actually trying to communicate, his metaphor seems adequate.

As for scaling up, you'd have the same problem if you tried to scale up a single Ethernet cable connection to an entire wide-area network - you need to add switching infrastructure to make it work. I'm thinking high-speed control gates at the tube interconnection points, which detect pressure in the target tubes and routes flow accordingly. Don't disrespect the intertubes!

I think the uproar came about because many people (including myself to some degree) thought that the Senator really thought the internet was some type of series of tubes.

His comments don't seem to be so confusing when you actually listen to them

but when you start to look at what he is actually saying it gets a little worse

I'll grant that Stevens sounds pretty confused on the recording. But's let's give the guy a break. He was speaking off the cuff in a meeting, and he sounds a bit agitated. Have you ever listened to a recording of yourself speaking in an unscripted setting? For most people, it's pretty depressing. We misspeak, drop words, repeat phrases, and mangle sentences all the time. Normally, listeners' brains edit out the errors.

In this light, some of the ridicule of Stevens seems a bit unfair. He said the Internet is made up of "tubes". Taken literally, that's crazy. But experts talk about "pipes" all the time. Is the gap between "tubes" and "pipes" really so large? And when Stevens says that his staff sent him "an Internet" and it took several days to arrive, it sounds to me like he meant to say "an email" and just misspoke.

Why then the shock and ridicule from the Internet public? Partly because the recording was a perfect seed for a Net ridicule meme.

3ballot is cool, but unfortunately it has some serious flaws.

Here is a video showing how easy it was to bypass Diabold
voting machine security using a Home Made Key :

 
Minibar keys seem to fit the locks just right.

I am not sure if the USA should trust democracy to people who can't figure out how to put a lock on...

Read doom9, the rest of this /. thread, http://www.freedom-to-tinker.com/?p=1122, etc. It's quite puzzling that the manufacturers haven't yet used the full AACS spec.

The freedom-to-tinker.com link, at least, does not say that NNL key trees are not being used. It says that they are not using randomized processing keys, which is another matter entirely. It is weird that they are not using it, but it has nothing to do with lacking implementations in players, but with lacking implementations of the full standard when mastering new discs.

Or they could just use the cracked device to crack a big pile of discs, and release the keys for the individual discs.

This is unworkable due to being too big an effort. It might work now that releases are few, but if one of the formats grows to the same popularity as DVDs, that plan is impossible.

Do you have a reference for this?

It might, but it still wouldn't help the fact that as soon as they got the keys, they would be revoked, negating the usefulness of the attack.

The unique identification of many (soon to me most or all) inkjets and color lasers was not
done for you or me. It was done quietly for law enforcement to be able
to *find* the owner of any printed document.

The enormity of that type of underhanded removal of privacy is
just gobsmacking. And most vendors quietly went along with it.

This technology will no doubt be used in a similar vein - any
picture uploaded onto the internet can be traced back to *you*.

Freedom takes another blow.

That was GP's point -- that a bunch of players are offline, and so there is no way to patch them to make them able to play newer discs.

Only if they share the same key. My understanding of AACS is that a key would apply to only a few (or maybe one) player, so revoking the key won't break lots of players that haven't been compromised. Yes, the players will still have the flaw to _allow_ them to be compromised, but it you don't take advantage of that flaw then your player's key won't get revoked. This is a key difference between AACS and CSS - CSS allowed key revokation but the key was shared between a vast number of players (e.g. all players of the same model would share the same key) so the industry never made use of the revokation feature.

There is quite a good analysis of AACS on Freedom To Tinker that talks about this stuff.

Of course, I would be very interested to know how many key revokations AACS can handle. Since the title keys have to be encoded so that they can be extracted by all players except the revoked ones I imagine there must be some practical limit to how many revoked players can be excluded from a single disc. Maybe it'll get to the point where there are so many revoked keys that they have to start un-revoking some of the older ones...

No, A disc doesn't just contain a list of keys; it is encrypted such that only valid keys (i.e. keys not revoked when the disc was printed) can decrypt it. You can't just skip a step -- without a valid key, you can't decrypt the disc. Ed Felten has more info.

Sorry everybody, but it's not.

That said, they have got a player key now, so all disks published to date can be decoded.

Each player has its own player key, and each disk accepts any player key in its list (the player key is used to decode the volume key which decodes the film).

With this player key, they can decode any HD-DVD which has been printed already. However, as the key has now been compromised, future disks will not accept that player key. The software will have its player key updated, but the software will be tightened in an attempt to remove this loophole.

Take a look at the archives of http://www.freedom-to-tinker.com/ for a detailed discussion.

Freedom to tinker: http://www.freedom-to-tinker.com/

...for this fight at freedom-to-tinker.com. The whole series on AACS is worth reading, as is every single thing he posts.

...for this fight at freedom-to-tinker.com. The whole series on AACS is worth reading, as is every single thing he posts.

This is a shameless appeal for some coders with HDDVD or BluRay drives to come out of the Slashdot woodwork and finish what muslix64 started. He said he will not finish the AACS decryption tool beyond where it stands, and it has some some serious problems:

Read this forum post for a detailed explanation of the current revision:
http://forum.doom9.org/showthread.php?p=941169#pos t941169

See Professor Ed Felten's excellent blog explaining AACS in detail:
http://www.freedom-to-tinker.com/

The official AACS specifications, straight from the source:
http://www.aacsla.com/specifications/

Your contributions will apply to both HDDVD and BluRay, of course.

Ed Felten had a good point about this last spring:

http://www.freedom-to-tinker.com/?p=1007

Private cracking and file-sharing will likely always be possible. But businesses can't operate in private - they have to offer services in public. So having the ability to sue and withhold licenses from competitors means that you have bigger shares of marketplace for whatever you're using DRM to encumber. Customers can't be stopped - but competition sure can. That's a real point, too.

This story is badly out of date. The panel voted again the next day and reached a compromise that will require future electronic voting machines to have paper trails. See:

http://news.com.com/Panel+changes+course%2C+approv es+e-voting+checks/2100-1028_3-6140956.html
http://www.freedom-to-tinker.com/?p=1095

Sigh. Is that old "Bonhomie Snoutintroff" canard still kicking around? A story that gave as its warped reasoning for the idea that "EFF always loses" two cases that EFF didn't actually conduct (Eldred v. Ashcroft and Gilmore v. Gonzales), and one that we actually won: ("They defended two amateur online journos against Apple's ham-fisted effort to silence criticism, and got beat down severely: another bad precedent." - odd, that's not quite what the Appeals Court decided when the California state appeals court upheld our defence, and held that our clients were protected by California's reporter's shield law and the constitutional privilege against disclosure of confidential sources: http://www.eff.org/Censorship/Apple_v_Does/ ).

And as to the Snoutintroff claim we somehow "persuaded" Ed Felten to withdraw from a talk as a media stunt, it's worth reading what Felten himself had to say about that period. Chilled speech, baseless legal threats, people losing jobs because they stand up for their right to reveal security flaws. That's what EFF fights.

It's worth spending time reading EFF's actual track record - either from our list of victories, or from the Wikipedia list.

(Or hell, just read our press releases from the last week where we were filing an amicus brief to defend constitutional protection for stored email, began a case to investigate and correct some 18,000 missing votes in an apparent e-voting mess-up in a Florida seat that was won by less than 400 votes, and filing an FOIA request to uncover the details of EU passenger records being handed over to the US government. And that's what we did on a Thanksgiving week - with a staff of around 30, and a budget that's a fiftieth of the size of the ACLU, and a twentieth of what the MPAA spend on Washington lobbying alone. And consider becoming a member if you're impressed - you have no idea how much every extra membership helps, nor how much there is left to do.)

Take a look at Acoustic Snooping. Yes, what the GP said is true.

Ed Felten recently pointed out something that's stuck in my mind.

Everybody knows DRM does not stop piracy. Every time you see a headline about something "cracking down on piracy", substitute "customers" for "piracy", because that's really the effect it has - pirates crack it and supply the underground all the same, and customers are inconvenienced and soured.

As Felten points out, however, DRM is not actually useless - it's just useless for stopping piracy. What it's really useful for is controlling markets. And "speed bumps" that inconvenience legitimate customers are actually great for that, because while pirates can operate perfectly well if they give away data, taking money leaves a paper trail a mile wide. This is the trail wide enough to legally obliterate any significant commercial piracy operation within the proper jurisdictions.

Of course, there are plenty of "speed bumps" out there that are easier to use. This is just useless.

This is NOT about image bugs, it is about IFRAME bugs.

http://www.freedom-to-tinker.com/?p=610

IFRAMEs _not_ images!

http://www.freedom-to-tinker.com/?p=610

I remembered that some researchers had done this before (http://www.freedom-to-tinker.com/?p=893) and it was a lot easier than replacing the keyboard. The basic idea is that all keybaords have unique sounds, and if you can interpret those sounds, then something like 90% of the keypresses can be determined by just simply listening (and if you use lasers, you don't even need to enter the room, as long as it has a window, and you have line of sight.

works fine here so perhaps it was a temporary issue.

If you would like to sign a petition you can also head to your local Linux user group.

Ed Felton has a good blog on DMCA as it is being used currently in the US.
He also has comments on the new incoming even nastier version being negotiated there.
http://www.freedom-to-tinker.com/?cat=5

Kim Weatherall has info about the impact on AU from a lawyers perspective.
http://weatherall.blogspot.com/

Ive got a small blog with some of the implications for AU written for layfolk.
http://lucychili.blogspot.com/
The older posts starting with DMCA are a set of examples of implications for different interest groups, consumers, industry government.

That sounds like the kind of sensible decision that wont be possible under DMCA.
It is exactly the shift from us owning a hardware/software/content product like a book
to being a subscriber or tenant of these things that is a problem.

With TPM it becomes criminal to discover Sony has put a rootkit on your system,
it becomes criminal to investigate Microsoft's spyware system which phones home
in readiness for their WGA with kill switch for systems running older versions(currently postponed).

It becomes criminal to investigate digital voting systems, and in the current
discussion in the US for the new improved DMCA the lobby group is actually fighting
not to have an exemption in situations which threaten critical systems and cause risk to life.
Ed Felten has a comprehensive blog on DMCA
Here is his post on this topic:
http://www.freedom-to-tinker.com/?p=984

One could argue that the industry should indeed force down the consumers throats the new formats, using HDCP to reduce piracy, but since it's so weak, there's no point.

I think the best argument is, considering HD is already widely accepted, and people are just looking for a definition on the war, that the bigger(and supposely cheaper to make) format win, beacuse size apparently matters.

I vote for a boycott to HD-DVD and Blu-ray in favor of EVDs.

I'm going to have to wait even longer not to buy a Blu Ray unit?

Crap. I was really anxious to opt out of provider-updateable DRM ("Self-Protecting Digital Content") sooner rather than later.

http://www.freedom-to-tinker.com/?p=884

Oh all right, then. There were only a few titles available for DVD in the early days too. I think the HD-DVD people have promised about 200 titles by years end. In the meantime: List of HDDVD releases.

Most of the HD-DVD players I've seen are set up improperly-- there's very little detail in the shadows. But a well set up player looks amazing-- far superior to upsampled DVD.

Don't get me wrong. I don't have a player, and am not just waiting for bluray. That decision has more to do with the sky high cost of discs and players than anything else. Oh, and a little thing called hdmi. I just don't have the soldering skills to implement Crosby's ideas

HDMI & HDCP are not meant to prevent piracy and as such contain *no* mechanism which can.

What they are is "A hook on which to hang lawsuits" (Ed Felten):

http://www.freedom-to-tinker.com/?p=1007

And that's *all* they are.

The recent series of posts on freedom to tinker should get very, very interesting in light of this new information, since he elluded to this (biggest database ever) in the first post in this series.

Seriously though, the government's right to build databases is constitutionally protected, does not have any statute of limitations placed on it, and must not be infringed upon!

Once again, what part of, you cannot impeach a king, do you people not get?

welcome our DRM overlords!

* looks at component-only HDTV, cries single tear, reads article about cracking HDCP http://www.freedom-to-tinker.com/?p=1005 *

No, but hdcp (the encryption regime used on dvi/hdmi video signals) is known to be insecure

If you read the entire set of blog comments, you'll see that this attack has been known for over 15 years - see http://www.freedom-to-tinker.com/?p=1005#comment-2 6675

So why then are researchers worried? Why are security experts like Ed Felten spending a third of their time with lawyers?[1] Clearly it's not as easy as you claim to dismiss frivolous lawsuits; the mere possibility of them is having a negative impact on research.

1. I don't have an internet link to this, but Michael Geist imparted this information to a Hart House audience citing a personal interview with Dr. Felten.

Watermarking isn't an effective DRM technique

Maybe you might consider this a trolling or a flame, but I think that it is quotes such as these that may end up bringing the most amount of trouble for the RMS crowd... I think the man is losing touch with reality, and approaching a point where zealotry is clowding his judgment to a dangerous level. How can we convince businesses that using the GPL and open source is a GOOOD THING if one of the main characters is in effect condoning IP theft if done for the 'right reasons'?

Actually what I find disturbing is the "IP" proponents are proposing that DRM be sanctified as more precious than human life. Personally, I would much prefer someone like RMS who would support giving me the source to any programs that run my company as an assurance of never being left high and dry or strongarmed to someone who says they would have no problems with killing me if it would help the bottom line the next quarter.

Also, I think it bears mentioning that RMS actually is in favor of the right to write your programs and keep them completely private, not releasing them to anyone. That's one of the reasons he entered the fray of the big Apple license debate some years back. The license was requiring that any changes be sent back to Apple, whether or not the resulting source/binary was released to anyone.

Further, when it comes to discussing the ethical basis of copyright, I think it bears repeating that the reason we have copyright at all in the United States is to "promote the progress of science and the useful arts". I'm not sure if you noticed, but it has been a trend lately amongst many technology and entertainment companies to injure the progress of science and the useful arts freely as long as they think it will keep them in the money. That includes activities such as subverting international standards organizations and activities such as subverting national governments so that they retroactively extend copyright, effectively "stealing IP", to use your terms, from all of humanity (or at least all of that country's citizens).

I seem to remember the more restrictive terms of fairplay drm (7 burns of a playlist as opposed to 10) not being retroactive and only applying to songs bought from itunes after 4.5 and the increased number of authorized computers being retroactive. So the terms of the deal were changed, but in favor of the consumer. If I am indeed remembering correctly then this is a bunch of FUD. A blog comment isn't that authoratative but it at least helps me feel like I'm not crazy. http://www.freedom-to-tinker.com/?p=660#comment-24 49