Slashdot Mirror
HDCP Encryption Cracked, Details Unreleased Due To DMCA
Lord_Pall writes: "There's a very good article on SecurityFocus about a Dutch cryptographer. He apparently has cracked the HDCP video encryption standard, but won't release the research for fear of reprisals under the DMCA."
Update: 08/15 06:10 PM by J : Meanwhile, see
Keith Irwin's paper
which has been released despite the DMCA.
Update: 08/15 07:00 PM by J :
And someone else points out
this old thing.
Everyone who hasn't written a paper on cracking HDCP raise your hand.
Look, these guys aren't after The Ultimate Unbreakable Encryption Mechanism. They're after something that will prevent the average person from gaining "unauthorized access" to their content. And as you note yourself, they aren't after the guys generating bootleg copies. They want to prevent the average person from being able to make useful copies of their content.
Why?
Simple: their goal is pay-per-view/use. They want to be able to rent their content out to people, and prevent said people from ever having a permanent copy. Because a permanent copy obviously defeats their ability to rent that same content to whoever has that permanent copy.
The reason this will work is that most people (obviously) aren't technically inclined and aren't capable or even interested in cracking copy protection schemes, nor are they interested in going through the trouble of "going around" the problem (e.g., by recording to analog media). They just want to view the content.
The Big Corporations know this. They're counting on it. But they need something like the DMCA to pull it off. Why?
Because they know that it's fundamentally impossible to create a crackproof system. So instead of directing their energies towards that goal, they directed it towards creating the DMCA. If people are prevented by law from creating or distributing the means to crack content control systems, then companies can successfully force pay-per-view content down the throats of the people.
The corporations also know that eventually a content control cracking mechanism will become available to the general public anyway. So when it does, they know that it can't do anybody any good if the general public can't easily get its hands on it. Why do you think they're working so hard to shut down P2P distribution mechanisms? By doing so, they successfully remove the means for the average person to get their hands on content-control cracking mechanisms and the content that would result from the use of said mechanisms.
The corporations don't care about the rights of the people. They only care about their money. They will do everything in their power to get it. The only difference I see between them and the mafia is that the corporations use law enforcement itself as their strong arm.
Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
Tell that to Sklyarov.
However, even by claiming to have broken the encryption, he's placing himself at risk of being investigated, and possibly detained and questioned should he ever visit the US. (If I were to publicly announce that I had commited a crime, I would expect the authorities to take interest in me.)
Cheers,
Tim
It's official. Most of you are morons.
We start to see some of the indirect effects of the DMCA. The choices for secur ity experts and developers will be to A) not publish their works, leaving them f or a more malicious hacker to discover, or B) publish, just NEVER enter the US a gain. Either way research and development as well as security and technical con ferences will start to leave US locations, favoring those countries that won't a rrest their participants.
Other countries will leap ahead in encryption abilities, while the US rests on i ts DMCA laurels. Brings back memories of the smaller, more efficient, more reli able cars from Japan and Europe in the 60's and 70's that caught Detroit by surp rise. Took them 10 or 15 years to catch up.
Unfortunately, as long as there is money to be had from lobbyists, there will al ways be legislative sand for our politicians to stick their heads in.
"Those who forget history are doomed to repeat it."
Intel spokesperson Daven Oswalt says the company has received several reports from people claiming that they have broken HDCP. But he says none have held up, and the company remains confident in the strength of the system.
...and yet all of these companies still think that the DMCA is good for them.
It's amazing how on how many levels the DMCA is a bad idea. It's squelching freedom of speech, and it's preventing the companies from producing technical systems that can effectively produce total control over their customers. Of course, the free-speech-squelching part is serving the total control purpose, and since it's the executive and legal divisions of the companies that decide what the companies "want," they probably are happier that way. And that is the real tragedy-- that and the fact that they can US legislation.
(To be fair, given the description of the attack, Intel is probably right that it still does prevent "casual copying." On the other hand, it angers me that they're trying to prevent casual (including fair use) copying, but don't mind that somebody willing to invest some money in hardware and a couple of weeks can start producing bootleg devices. Who's their real enemy here? Customers trying to exert fair use rights (and, yeah, maybe occasionally illegally copying content)? Or overseas customers producing and selling wholesale bootleg copies?)
-Rob
There was a time when encryption was done to ensure it couldn't be broken. Now it seems like organziations are using the DMCA as a way to prop up bogus standrads that are dangerous due to their flaws (*cough*ebook*cough*)
Its hard enough trying to explain why Dimitry should be freed. But how can you convince a legislator or govt official that the DMCA is bad for encryption without risking prosecution? Its a scary catch 22.
Even though the Dimitry case is getting some press (Time Mag had a 2 page article - well written), I still only see proposals to slightly change the law. Not enough to allow full reverse engineering for research and the ability to expose flaws in products. Seriously - an encryption standard used to say encrypt some copyrighted work gets hacked, the victims sue showing why its such a bad encryption std and the lawyers for teh company using the bad encryption get it disqualified because its illegal to bypass encryption or copyright schemes.
Far fetched, maybe, but I really fear we will continue to see substandard encryption schemes passed off as workable because folks are less likely to publicize flaws in them if they are tied to teh DMCA.
Sure this may help open encryption standards, but we all know where the commerical money goes, so goes the world. Bad encryption standards used for IP materials and protected by the DMCA would soon be sold to businesses for privacy and such - exposing those businesses to serious exposure since the encryption std is probably less secure due to less folks trying to find flaws for fear of prosecution.
Maybe we need a contest - free tshirt to the person who manages to come up with the Chicken Little 'the sky is falling' explanation for why the DMCA is bad that'll get Joe six-pack up in arms :)
Top Most Bizarre/Disturbing Error Messages
This is a very good essay. It does an excellent job of explaining the problem with the DMCA succinctly, and in a manner than anyone can understand. I'm going to keep this link and use it whenever I want to explain the problem with the DMCA to someone non-technical.
Free Hans!
I've uncovered the secret ingredients in the Colonel's spices and McDonald's Special Sauce. I figured out where Amelia Earhart has been all these years. I know whether or not the moon landings were faked, who shot Kennedy, and how many stones there are in the Washington Monument.
I have decrypted the secret code in the Bible, correlated it with the secret codes of the Baghavad Ghita, Talmud and Qur'an and now now the inner thoughts of all gods. I have unified field theory and quantum theory and will soon have a device that will bend all matter to my will.
I know the secrets of teleportation, telekinesis, telepathy, and how to get women to want me. I know the secrets of every three-letter agency in government, the Psychic Friends network, and the US Postal Service.
Unfortunately, due to the nature of the DMCA, I am unable to share my findings with others. I suppose I'll have to get on my FTL spaceship and find a more genial planet. Ta-ta!
It will be interesting to see if once it does get out, if companies will seek to hold him responsible, even if e doesn't release it himself. I winder if the DMCA covers the eventuality of having done research which facilitates bypassing encryption. It really isn't that far to go from doing research (and finding the solution) to writing the software that actually performs the operation. Will it become a crime to do research?
--CTH
--Got Lists? | Top 95 Star Wars Line
Imho his goal is not getting his paper published, but getting people to think about the consequences of these laws. Unfortunately, this the only way we foreigners can protect our rights abroad.
Linked to this, in Europe a 'law' is being prepared (due Sept 3rd I believe) which forces a country to assist another country to eavesdrop (snif Internet traffic) on a user if he (she) did an illegal act in that OTHER country. To link this with a previous link (thanks for the thought), if China were to be part of such agreement, every couple with 2 or more kids could forget its privacy...
Joost
--Black holes are where God divided by zero--
This is a Good Thing(tm)! If the details aren't released, then it's just rumor, speculation and slander against the HDCP standard!
That means the HDCP consortium can continue on their merry way to rolling out their video solution...and then after we have all this great content available...THEN we can have someone release the information (I see Lawrence Lessig waving his hand there in the back).
Think about it. If the Crack SDMI has come back with nothing but failure...then maybe we would all have GB of juicy full-quality (minus watermarks, ahem) songs sitting on our harddrive awaiting a simple watermark snipper.
Thank you DMCA! Chilling research only delays the inevitable! It doesn't stop it!
- JoeShmoe
-- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
Monkey sense
The Complete Document can be found here:
http://www.macfergus.com/niels/dmca/index.html
Very good stuff. Too bad they didn't link it in the story.
"You can be sure that somehow, somewhere, someone will duplicate my results especially because I am telling them that I have results," says Ferguson. "Someone who is braver, who has less money, and who doesn't travel to the U.S."
This, right here, is his mistake. If, in the near future, those master keys are published, I bet a nickel that Ferguson gets hauled up for a lawsuit (or perhaps even criminal prosecution), for exactly the reasons that he states here himself. It's extremely stupid, but on the other hand, I can easiliy see an overpaid bunch of useless humanity (i.e. corporate lawyers) effectively convincing judges and law enforcement officials that Ferguson should be liable. They would be right that he probably helped along other efforts to crack the encryption doing nothing more letting people know that it was possible. Ferguson's mistake is in thinking that the dunderheads who thought that arresting Sklyarov was a good idea will let him slide after he's said this.
The world is a cold, demon-haunted place nowadays. It sickens me to be a citizen of this country that so hypocritically prides itself on being free.
-Rob
Many countries are cinsidering DMCA type legislation to bring them into compliance with the WIPO Intelectual Property Treaties. For more on the the legal constructs being cinsidered by the World Intellectual Property Organization, see their whitepaper "Technical Protection Measures: The Intersection of Technology, Law, and Commercial Licenses" (M$ Word or PDF). Take a good look at this stuff. It's important that people fully understand the actions being taken by WIPO and begin to realize that arguing about your rights or my rights isn't the critical issue. The critical issue is that if WIPO has their way, there will be no protection for citizens of any country, from potentially usurous and monopolistic IP practices.
--CTH
--Got Lists? | Top 95 Star Wars Line
Go not unto/. for advice, for you will be told both yea and nay (but have nothing to do with the question)
However, even by claiming to have broken the encryption, he's placing himself at risk of being investigated, and possibly detained and questioned should he ever visit the US.
...
... hence the term "swear").
You are probably right, as the DMCA is clearly intended to be used as a club to squelch information and discussion under the (woefully thin) guise of protecting copyright holders.
However
(If I were to publicly announce that I had commited a crime, I would expect the authorities to take interest in me.)
... even the DMCA hasn't made it illegal to figure out how to decrypt encrypted copyright material, but rather has made the trafficking in devices using that knowledge illegal. By announcing he's done it, but not sharing the methodology, he cannot in any way be said to have "trafficked" in a circumvention device. To do so he would have to publish, and this he has not done. Not that that will stop Intel or someone else affiliated with the Copyright Cartels from swearing out a false afidavit and falsely imprisoning this individual (and, interestingly, while the Sklyrov case goes forward I do not see anyone from Adobe being arrested for Perjury, which swearing out a false affidavit is
Of course, it is only a matter of time until someone does publish, probably anonymously, and DHCP dies the death it so richly deserves.
The software world, which relies on restricted copy priveleges (copyright) far more heavilly than even the Media Moguls of Hollywood and New York, learned over a decade ago just how futil copy protection schemes were. Instead, they chose to go another route, making serial-numbered copies traceable rather than uncopiable (something which has been shown mathematically to be myth in any event). Interestingly enough, having people's names attached to serialized copies of software had a chilling effect on copyright violation that no amount of copy-protection schemes and hardware dongles was able to achieve. It didn't eliminate it, but it sure cut down on the number of people willing to share their copies of software with anyone other than, at most, their closest friends.
The Copyright Cartels and Media Conglomerates refused to learn this obvious lesson, prefering instead to believe they have purchased protection through the DMCA sufficient to allow even the most flawed "copy protection" to stand through artificial threat with a government gun in contradiction to both information theory and basic physics in the physical world.
Of course, when "casual copying" has been mostly eliminated and fair use is dead, the industrial copyright violators will still be producing illegale wares in quantity, until they in turn are shut down using methods and laws which have been around for decades. Which underscores the real motivation and target behind MPAA and RIAA purchased legislation such as the DMCA: the individual consumer, not the commercial copyright violator.
The Future of Human Evolution: Autonomy
Free Hans!
Anonimous submissions to the papers, inside, unnamed sources and subsequent 'expert' analysis have taken down Presidents..
Why don't people anonimously submit this sort of thing (cracks, weaknesses, bug reports) to news sources?
Would the papers be liable for printing someone elses 'approach', without necessarily verifying it's correctness first? After all, Deep Throat wasn't named to be right, he only gave 'hints' about Watergate...
I could see The Register, the Motley Fool, the Washington Post, or maybe just some online news source (ahem, slashdot, ahem) printing 'suggestions' from anonimous sources... And as 'reputable' guardians of Liberty (*sigh*) they would be able to claim the need to protect the identities of the submitters in order to maintain their 'professionalism', or some such...
How about it slashdot? Set up a PO Box where people could send neat stuff without a return address..
The REAL jabber has the user id: 13196
What you do today will cost you a day of your life
"An experienced IT person could recover the master key in two weeks given four standard PCs and fifty HDCP displays"
1
2 or 14
4
50
Therefore the key is:
12450 or
114450 or
12450 * 114450 = 1424902500 or
sqrt(12450^114450).
q.e.d.
keep it simple.
Of course not. What, do you think some company is going to file charges and get the FBI to arrest someone from Russia just because they give a talk about their work in Vegas? Or that an industry trade group would threaten a lawsuit if a college professor tried to present a research paper? My god, people are paranoid around here! Next thing you know they'll be saying that the Big Corporations are trying to outlaw reverse engineering!
Best Slashdot Co