DeCSS Loses Free Speech Shield

JohnGrahamCumming writes "BusinessWeek/CNET is reporting that the California Supreme Court has ruled that 'a Web publisher could be barred from posting DVD-copying code online without infringing on his free speech rights.' They also say that 'the state Supreme Court ruled that property and trade secrets rights outranked free speech rights in this case.'" According to the article, this "...overturned an earlier decision that said blocking Web publishers from posting the controversial piece of software called DeCSS, which can be used to help decrypt and copy DVDs, would violate their First Amendment rights."

Still a shot

Notice that the decision is based on the code being a trade secret. The lower appeals court can still decide that the code is not a trade secret, and it could still be published

What's next? Arrest Securityfocus folks?

[sdriver]

Maybe it's good reason all the tech jobs are going overseas. At least in India/Russia they have the freedom to post security related software without going to jail...

Err... trade secret rights??

[Abcd1234]

What does that mean? Correct me if I'm wrong, but last I checked, there's no such thing as "trade secret rights". Trade secrets are secret because you keep them secret (via NDA or whatever). Once they escape, they're public knowledge, end of story. I wonder how long it'll take before trade secrets are lumped together with patents, copyrights, and trademarks as "IP". *sigh*

Re:Err... trade secret rights??

[Sanity]

Once they escape, they're public knowledge, end of story.

IANAL, but IIRC the law still tries to put the toothpaste back in the tube if the original disclosure was a breach of trade-secret law (such as a violation of an NDA or license agreement), no matter how widely that toothpaste has been spread around.

For this reason trade secret law is, in many ways, much more powerful (and restrictive to the general population) than copyright.

Re:What is this DeCSS?

[N8F8]

OK: decss.c

It's not hard to copy DVDs

[Josh+Booth]

...[DeCSS] could more broadly be used in the process of decrypting and copying DVDs.

That's balogna, and everyone on Slashdot knows it. Just because the orginization is called the DVD Copy Control Association doesn't mean that the encryption used has anything to do with copying the DVDs. I can easily and full "cp /dev/dvd ~/copied-dvd.iso" without DeCSS. But you need DeCSS to access the content, which has nothing to do with copying (well, permenantly), only playing.

Re:It's not hard to copy DVDs

[len_harms]

Thats partialy wrong.

CSS was a way to enforce 'region controls'. Belive it or not this sort of thing is actually illegal in many countries. Now however they positioned it in such a way that it was for 'copyright' control. To keep those nasty pirates at bay. Like they say follow the money and you will find who benifits the most from this system being in place. I can tell you it is not the consumer.

It was never about stoping people from copying. It was about makeing sure they get your last dollar out of you.

Now the 'unlock the drive' is a way they have tried to continue to enforce the CSS schema. The drive actually looks at the data on the DVD and decides after so many plays its a 'region x' type drive. It will show up as data that does not read correctly for 'unknown regions'.

All DeCSS does is remove the region controls and the encryption they used for it. ANY dvd drive can read any disk. The software (players) and firmware (drives) is the only thing that enforces the 'read error' problem. That is why they do not like DeCSS. As there are drives out there that just ignor the region control part and just shovel data like they should.

There are people out there that have access to the ablity to make dvd18 disks. Do you think they care one iota about DeCSS? They can blast the whole disk bit for bit and still sell them. And the disk will work just fine in any properly regioned dvd player. There are also players out there that are 'region free'. Meaning they can play any disk from any part of the globe.

Re:It's not hard to copy DVDs

[Experiment+626]

But you need DeCSS to access the content, which has nothing to do with copying (well, permenantly), only playing.

I'm glad someone else caught this. It's a bit disturbing when even the Slashdot posting describes DeCSS as "DVD-copying code". DeCSS would not be necessary to make exact copies, and while it could be useful for other types of copies (like downsampling), its main use is not for copying, but playback.

Obviously, this is not the way the RIAA wants people to think of DeCSS. It's much harder to demonize a DVD playing program than some kind of copying tool used by Nasty Evil Pirates. The fact that when DeCSS is mentioned the latter comes to mind, even for a Slashdot poster or tech journalist shows just how effective the RIAA's propaganda really is.

To win this battle, it has to be recast not as a fight for our right to bootleg movies, but put the focus on the legitimate questions that have nothing to do with copying anything.

• How ARE users of Linux and other non-MS operating systems supposed to watch the movies they've paid for?
• How common-knowledge can a process be and still enjoy "trade secret" legal status?
• What gives the RIAA the right to effectively right their own international import/export laws through some ridiculous region encoding scheme and giving them the force of real laws?
• Does (and should) watching a DVD you legitimately bought and own from Japan or England in the United States make you a criminal?

illegal prime

[SHEENmaster]

4
8565078965 7397829309 8418946942 8613770744 2087351357
9240196520 7366869851 3401047237 4469687974 3992611751
0973777701 0274475280 4905883138 4037549709 9879096539
5522701171 2157025974 6669932402 2683459661 9606034851
7424977358 4685188556 7457025712 5474999648 2194184655
7100841190 8625971694 7970799152 0048667099 7592359606
1320725973 7979936188 6063169144 7358830024 5336972781
8139147979 5551339994 9394882899 8469178361 0018259789
0103160196 1835034344 8956870538 4520853804 5842415654
8248893338 0474758711 2833959896 8522325446 0840897111
9771276941 2079586244 0547161321 0050064598 2017696177
1809478113 6220027234 4827224932 3259547234 6880029277
7649790614 8129840428 3457201463 4896854716 9082354737
8356619721 8622496943 1622716663 9390554302 4156473292
4855248991 2257394665 4862714048 2117138124 3882177176
0298412552 4464744505 5834628144 8833563190 2725319590
4392838737 6407391689 1257924055 0156208897 8716337599
9107887084 9081590975 4801928576 8451988596 3053238234
9055809203 2999603234 4711407760 1984716353 1161713078
5760848622 3637028357 0104961259 5681846785 9653331007
7017991614 6744725492 7283348691 6000647585 9174627812
1269007351 8309241530 1063028932 9566584366 2000800476
7789679843 8209079761 9859493646 3093805863 3672146969
5975027968 7712057249 9666698056 1453382074 1203159337
7030994915 2746918356 5937621022 2006812679 8273445760
9380203044 7912277498 0917955938 3871210005 8876668925
8448700470 7725524970 6044465212 7130404321 1826101035
9118647666 2963858495 0874484973 7347686142 0880529443

extract it with:

#!/usr/bin/perl
use LWP::Simple;
use Math::BigInt;
my $html = get("http://www.utm.edu/research/primes/curios/485 65...29443.html");
my($prime) = $html =~ m{

([^};
$prime =~ s{\D+}{};
$prime = Math::BigInt->new($prime);
my $binary = '';
while ($prime > 0) {
$binary = pack("N", ($prime % 2**32)) . $binary;
$prime /= 2**32;
}
$binary =~ s{^\0+}{};
open(my $fh, "| gunzip -c 2>/dev/null") or die "cannot gunzip, $!";
print $fh $binary;
close $fh;

As I explain to my non-techie friends

[IthnkImParanoid]

To put it in simpler terms, I can copy coded/Chinese text by hand without ever knowing what it says. DeCSS is a codebook or Chinese-English dictionary. Dictionaries don't help you copy stuff.

Re:Trade secret case depends on Norway

[EinarH]

The norwegian economical crime unit appealed the case. The case is scheduled to be raised again in a new court in December.
But they might decide to drop the whole case because the possibility for failure.

The case will anyway only (in Norway) be off historical interest since Norway anyway probably will addopt the new Infosoc directive from EU planned to take affect from January 2004.

But the way it is today, Johansen is not sentenced for anything and per se not guilty according to Norwegian laws.

The trade secret status is still doomed

[Sloppy]

I have an idea. I keep it a secret for a while. Lots of people want to use my idea, so I license my idea to them, on the condition they aren't allowed to tell my idea to someone else.

My licensees then start to sell boxes that contain my idea inside of them. The boxes are difficult, but not impossible, to open. They sell these boxes far and wide, to anyone who wants them, without any contractual terms. You can walk into a store and anonymously buy one of these boxes with cash.

Someone eventually opens one of the boxes and peeks inside to see how it works. He happens to have picked one of the easier-to-open boxes, but really, all of the boxes were openable. It was just a question of how hard someone was willing to work.

Did I exercise due dilligence in keeping my idea a secret?

That's about how solid DVDCCA's trade secret is: not at all. The widespread publication of the already-reverse-engineered DeCSS isn't what screwed them. The sale of DVD players themselves is what doomed them. As soon as the first DVD player was sold to an end-user without any contractual obligation to keep the inner workings a secret, the DVDCCA had lost control of their secret. Anyone could have opened their box, even here in USA. Some guy in Norway just happened to be the first to get the glory.

That this loss of control was known about in advance (the whole point was that consumer electronics would implement the algorithm) rather than one of their licensees surprising them by producing a DVD player, is devestating.

If they wanted to keep CSS as a trade secret, they should have made it so DVDs could only be played in theaters, with the descrambling happening on equipment that was under control of people with whom they had secrecy agreements.

Re:Here's what the court really wants ...

No, trade secrets are quite simple.

Revealing a trade secret is only illegal if you either obtained knowledge of the secret by illegal means or if you are breaking a contract (NDA or similar) by revealing it.

The big question in this case is whether reverse engineering is obtaining a trade secret by illegal means. It is fairly obvious that it shouldn't be (and earlier cases have confirmed this), but there is a risk that courts may decide that under current legislation (DMCA etc.) it is.

Re:Which came first?

[toxic666]

You are correct, they are not guaranteed by an amednment, but in the original text.

United States Constitution, Article I, Section 8:

Clause 8: To promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries;

Re:Outrageous Outranking

[toxic666]

Then you should try reading it sometime:

Article I, Section 8:

Clause 8: To promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries;

Re:Something I've always wondered about....

[swillden]

I dont quite get how DVDs are protected. Its more complex than just saying use DeCSS as I understand it. or maybe I dont understand it.

There are two layers of "protection".

First, the player and drive perform a mutual authentication process (although one has to wonder why a player would ever care to verify that the drive is an "authentic" DVD drive). A "proper" drive should refuse to operate until after this authentication process has been performed. Also, after the authentication sequence, the drive will provide the disk key, if asked.

Second, after the drive is unlocked, the actual data streams must be decrypted. Normally (i.e. with an authorized player) the way this works is that the player retrieves a set of encrypted copies of the disk key, one of which is encrypted with it's player key. After retrieving the disk key, it can then decrypt the title keys, which are then used to decrypt the data stream.

However, that's not how most unauthorized players work. They still do the authentication step, but when it comes to decryption they don't bother with using a player key to get the disk key to get the title keys... instead they just attack the data streams and compute the title keys. This is possible because CSS really, really sucks. It's vulnerable to a known-plaintext attack with a trivial amount of known plaintext and there's plenty of known plaintext in the DVD sector headers.

The "just attack it" approach is why open source DVD players are a little slow to play a DVD the first time they see it. Most (all?) of them use libdvdcss which caches the keys so that the next time it sees the disk it won't have to do it again (on my box, the caches are in ~/.dvdcss). However, on modern machines, the crack time is almost negligible, so users may not notice the difference, given that it takes a few seconds for the DVD to spin up anyway.

For example, on my 800MHz PIII laptop, libdvdread (with libdvdcss) reports that it took seven seconds to decrypt all 8 title keys for a DVD I had handy. My laptop actually starts playing a movie much *sooner* than either of my "real" DVD players.

Seven seconds to crack all of the keys on a three year-old laptop. Sheesh. I guess as a user I should be glad the cryptography is so bad, but the security geek in me really wants to slap the creator(s) of CSS around some.

I really, really want to meet the guys who designed WEP.