Slashdot Mirror


Vista DRM Cracked by Security Researcher

An anonymous reader writes "Security researcher Alex Ionescu claims to have successfully bypassed the much discussed DRM protection in Windows Vista, called 'Protected Media Path' (PMP), which is designed to seriously degrade the playback quality of any video and audio running on systems with hardware components not explicitly approved by Microsoft. The bypass of the DRM protection was in turn performed by breaking the Driver Signing / PatchGuard protection in the new operating system. Alex is now quite nervous about what an army of lawyers backed by draconian copyright laws could do to him if he released the details, but he claims to be currently looking into the details of safely releasing his details about this at the moment though."

29 of 379 comments

  1. very fitting by Anonymous Coward · · Score: 5, Funny

    called 'Protected Media Path' (PMP)
    I can guess how that's pronounced...
    1. Re:very fitting by User+956 · · Score: 5, Funny

      "called 'Protected Media Path' (PMP)" I can guess how that's pronounced... Well, it just goes to show, that PMP'ing an operating system ain't easy.

      --
      The theory of relativity doesn't work right in Arkansas.
    2. Re:very fitting by EvanED · · Score: 5, Funny

      Well, it just goes to show, that PMP'ing an operating system ain't easy.

      Or 'It's hard out here for a PMP'

    3. Re:very fitting by Anonymous Coward · · Score: 5, Funny

      Come on, that jab is unfair.

      As a user of the Windows Home Operating Rights Environment, I must state for the record that all of my transactions with said system are completely clean, and take place using the most effective protection available. If you truly feel that some of your Media exchanges are tainted, I'd suggest it's probably because you didn't pay the requisite PMP fees.

    4. Re:very fitting by drinkypoo · · Score: 5, Funny

      Or 'It's hard out here for a PMP'

      I don't know what you heard about me
      But you can't get your video out of me
      High quality video you can't see
      Because I've got uncracked PMP.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:very fitting by Coucho · · Score: 5, Funny

      Big Data Cane.. is that you?

      --
      *pSig = NULL;
  2. I have a brilliant crack of the Vista DRM too... by Anonymous Coward · · Score: 5, Funny

    ... but there is no space in the margin of this comment to write it.

  3. Post the details on MySpace by DBCubix · · Score: 5, Funny

    and then ask Network Solutions to suspend their domain. It works on GoDaddy domains.

    --
    I called it a mighty Sperm Whale, she called it Finding Nemo.
  4. Re:Pro Bono Security Attorneys by dafragsta · · Score: 5, Informative

    If only there was some EFFin' organization that provided such a service. I don't know what the EFF we'll do now. I guess we are all pretty EFF'd.

  5. He won't need to ... by Midnight+Thunder · · Score: 5, Insightful

    Now that people know it is possible, I am sure it is only a matter of time before others across the globe attempt to find the weakness. Some of these people won't even be affected by USA law, unless they decide to visit or transit through the country.

    --
    Jumpstart the tartan drive.
  6. Seems that the cat is already out of the bag... by rewt66 · · Score: 5, Informative

    Mark says that it's possible. He also says enough that someone else as "skilled in the art" as he is can probably figure out what he did.

    And what he did, if I understand correctly, is have some of his own code run as kernel without it being in a "test signed" driver. That seems to be the essence of his approach. Once you figure out how to do that, you can basically do anything, and Microsoft can't stop you.

  7. Alex is also re-implementing the win32 kernel by Anonymous Coward · · Score: 5, Interesting

    Alex Ionescu is the main kernel/HAL developer for the GPL'ed ReactOS project (www.reactos.org), which is aiming for an OS that is fully binary AND driver-compatible with Windows XP/Vista. If you look through the work he's done in the ReactOS SVN (developer name 'ion'), I have no doubts that he's fully capable of analyzing and defeating any kernel-level protections in Vista.

    Although ReactOS can share a lot of work with the WINE project for the win32 userland, it could still use any developers that are familiar with win32 development and would like to see a truly free operating system capable of using windows drivers/software.

  8. Re:1st thing is to get a good lawyer by BSAtHome · · Score: 5, Informative
  9. Re:1st thing is to get a good lawyer by yo_tuco · · Score: 5, Informative

    From the about page it says:

    "He [Alex] is currently studying at Concordia University in Montreal, Canada"

    So does the DMCA apply?

  10. Re:Why bother even having DRM? by i+kan+reed · · Score: 5, Insightful

    Not for the pirates, no... It's generally believed that DRM is to screw those who actually pay for things into paying for them more than once.

  11. Re:I'll do it... by robably · · Score: 5, Funny

    The DMCA doesn't have arms, it has tentacles. Horrible, oozing, pus-filled tentacles.

  12. Norwegians, I'm ashamed of you by Weaselmancer · · Score: 5, Funny

    Someone in America cracked this first.

    --
    Weaselmancer
    rediculous.
  13. Re:Let's learn English by EvanED · · Score: 5, Funny

    Could not be more redundant.

    Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo.

    (Also, that "sentence" I quoted is a fragment. And you didn't capitalize "i" in the previous sentence, which is actually a run-on.)

  14. Re: It's a shame by Alwin+Henseler · · Score: 5, Insightful

    It's a shame that things have come to a point where developers/security researchers have to worry about releasing findings like this, perhaps *even* when they are not under US law.

  15. Re:1st thing is to get a good lawyer by Phrogman · · Score: 5, Interesting

    No, that doesn't matter. I am sure that my govt will happily deport him if the **AA asks them to. We seem to bend over backwards for the US at this point, and for the **AA in particular, just look at the politician they bought recently up here. A Conservative government here in Canada turns us into a mere appendage of the US Government, compliant to their will most of the time. Hell, we just paid out 10 mil in damages to a Canadian Citizen we happily fingered for the US Dept of Homeland security so they could ship him to Syria to be tortured for a year or so even though there was no evidence he supported terrorism. I have no doubt that violating DRM (which is surely as Evil(tm) as terrorism in the eyes of the **AA, in fact they probably want to equate the two) will be sufficient to get this guy exported to some country for torture as well :)

    "Government for the corporations, by the corporations, for the benefit of all corporations..." or something to that effect.

    --
    "The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
  16. 1st is to realize credit is overrated. by Kadin2048 · · Score: 5, Insightful

    Well, he's already probably a bit screwed.

    Here's the problem: there's virtually no way to get in trouble, if you just release an exploit anonymously. (By definition, if it's truly anonymous, they can't catch you; there are lots of ways to basically ensure your anonymity today.) Where you start to get in trouble is when you want to release an exploit that's going to ruin somebody's day and take credit for it.

    This comes up with regards to other, less-politically-sensitive bugs. When you step forward and take credit for something that you've released, you're basically holding up a big "come and get me!" sign. It's a lot easier to sling mud at a person, than it is at some anonymous entity on the Internet.

    It's really taking credit that burns people, not releasing the bug/hack/exploit. It would have been trivial for this guy to release his code, anonymously or even pseudonymously, and keep it firewalled from his real-world identity. If he had done that, there might have been some attempts to uncover who he really was, but I doubt anyone would try that hard -- it's harder to go after someone that's anonymous, than an actual person. With a person, you have something to put in your mind under 'enemy,' that you just don't have with some vaporous person or persons on the Internet. Being anonymous diffuses a lot of the hatred, because it's harder to hate someone that might not exist. By standing up and taking credit, you're accepting everything.

    Personally, if I were to discover something like this, there's no way I'd publicly admit it. I live a happy enough life without becoming some sort of hacker/security icon; the downsides of becoming the next Dmitry Sklyarov seem far greater than the possible benefits. Release the code somewhere in public, maybe signed with a private key that you have stashed away (so, decades down the line, you'd be able to claim it, if you wanted to and if the statute of limitations had run out), and only communicate via Usenet dead-drops and anonymous remailers. The tools to remain completely hidden are all there -- heck, you could probably do interviews in Wired under a pseudonym, the only absolute would be keeping the Clark-Kent-esque secret of your true identity hidden, and I'm not sure if some people would be able to swallow their pride enough to do that.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  17. Details? by Jotii · · Score: 5, Funny

    he claims to be currently looking into the details of safely releasing his details
    Can anyone explain more in detail?
  18. Obligatory attempt at poor humor... by E-Lad · · Score: 5, Funny
    "It's time to un-PMP ze audio"

  19. Re:Misleading story by Alex_Ionescu · · Score: 5, Interesting

    1). It doesn't work out of the Box.

    Yes, it requires a reboot, which is why it's only useful for bypassing DRM, not for open source apps (which will have to bother the user to reboot).

    2). It uses a method provided by Microsoft.

    Erm, no, PMP is provided by Microsoft. This method bypasses it.

    3). It hasn't been tested.

    It works fine, the actual PMP-disabling code hasn't been tested because I don't want to touch that. But my code ran in kernel-mode, which means it's possible. Read up a bit on computer architecture and you'll see that as long as you have access to the kernel, you're God on the machine (Apart from hypervisor machines and/or additional hardware -- which PMP doesn't currently employ).

    4). Author is more afraid of the DMCA than of violating Microsoft's EULA terms.

    Author is a student and doesn't want to be sued out of existence because this method could be used to "circumvent a technological measure primarily destined for copyright protection".

  20. Re:1st thing is to get a good lawyer by anup_at_mac · · Score: 5, Funny

    "We seem to bend over backwards for the US at this point, and for the **AA in particular....... " You mean bend over forward, right?
  21. Re:He didn't "Break" PatchGuard by Alex_Ionescu · · Score: 5, Informative

    Administrators can turn PatchGuard off at boot time. He didn't break it.

    There's no way to turn PatchGuard off, only Driver Signing, which watermarks your desktop and disables PMP. Ways to break PatchGuard 2.0 were published recently by "Skywing" on uninformed.org

  22. Re:It's all in the details. by D4rk+Fx · · Score: 5, Funny

    Grammar tip: don't use the same word three times in one sentence.
    How about 9 times, is that okay?
    Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo.
  23. Re:Misleading story by Alex_Ionescu · · Score: 5, Informative

    You haven't tested this. I could care less if your driver is loaded.

    Not using a driver, RTFM.

    Microsoft knows that 3rd party driver certificates are going to be stolen/compromised. Microsoft hasn't even provided a method to reject unsigned drivers yet (per MSDN it will be in Vista SP1).

    Which is why this isn't using a stolen/3rd party driver or unsigned driver, nor actually loading a driver.

    Did you happen to hook one of the kernel functions PatchGuard is monitoring? Try to patch CI.DLL and see what happens. You can disable driver signing. You cannot disable PatchGuard.

    There's about a dozen ways to disable PatchGuard, and I was able to patch CI.DLL, disable PatchGuard, as well as turn off code signing. I don't want to sound condescending, but you don't seem to know what you're talking about, or you're being deliberately misleading with your PatchGuard comment.

    I'm not saying that you can't bypass Microsoft's DRM restrictions. I just don't think you have and the burden of proof is on you.

    I'm not going to commit legal suicide by proving it. The point of my blog entry was never to say I broke DRM, but that I've found a way which can break it, which people are free to explore on their own.

  24. Re:1st thing is to get a good lawyer by Ghost_3k · · Score: 5, Informative

    And what's even more funny, in the last paragraph on his page:
    "He is also a Microsoft Student Ambassador and is representing the company on campus as a Technical Rep."