DVD Security Group Says It Has Fixed AACS Flaws
SkillZ wrote to mention an article at the IBT site discussing a fix to the security breach of the HD DVD and Blu-ray media formats. "Makers of software for playing the discs on computers will offer patches containing new keys and closing the hole that allowed observant hackers to discover ways to strip high-def DVDs of their protection. On Monday, the group that developed the Advanced Access Content System said it had worked with device makers to deactivate those keys and refresh them with a new set."
Makers of software for playing the discs on computers will offer patches containing new keys and closing the hole that allowed observant hackers to discover ways to strip high-def DVDs of their protection.
Do they not understand, that if you can view it, you can copy it?
On the other hand, maybe they do understand, and HD-DVD/Blu-Ray 2.0 will offer only un-viewable content. Step 3, profit!
The theory of relativity doesn't work right in Arkansas.
and it will join the ranks of every other DRM mechanism devised.
"Corel has told users of its software that failure to download the free patch will disable the ability to play high-def DVDs."
Is this making a reference to the current crop of HD's that were purchased? Does the software phone home? Just curious. Any thoughts?
They really want this to be perceived as tight to sign up content providers.
Engineering is the art of compromise.
How about future successes ?
Don't you just love the corporate spin: The AACS (Advanced Access Content System) just happens to be a mechanism to deny access to the content. The moniker certainly makes the technology appear benign to Joe Sixpack consumer.
If that's "fixing the flaws", then I guess whenever I fill my gas tank I'm "inventing perpetual motion".
The flaws aren't fixed. They're just papered over slightly more aggressively. Don't worry, there'll be more flaws.
Breaking Into the Industry - A development log about starting a game studio.
Is that like a chastity belt? Or maybe an adult diaper?
Read Pynchon.
I read this bit:
"New high-def DVDs will include updated keys and instructions for older versions of the PC-playback software not to play discs until the software patch has been installed."
No one gives my computer instructions but me. So I will have nothing to do with either of these formats at all. I am just gonna say no and take my business elsewhere.
DVD is quite fine, and where it doesn't then there are hard drives. Hollywood can give me movies in a format I'll accept or they can e2fsck off.
My little Linux and tech blog
I am just wondering what "normal" customers will think, I mean - geeks and technophiles understand the new efforts to close AACS is just not a solution, just another workaround in a losing battle. But I wonder what normal people think, I really doubt that average Joe will think that a patch to this system is really a good thing. Most people want to be able to copy their content, make backups, etc. One of the benefits for a lot of people with the DVD format is that DVD players are available as region free players, you can copy disks from friends, etc. I'm not saying that piracy is necessarily a good thing, just that far too many (and increasing) people enjoy that and that in itself will be a problem for the next-gen media players.
No no no. Let's just tidy that baby up a bit:
"Makers of software for playing the discs on computers are requiring consumers to download patches that will re-apply the product defects that computing professionals had removed in the weeks prior. Despite the fact that nothing is technically wrong with the older versions of the software, it is being intentionally rendered obsolete to force the update -- no new movies will be viewable on the old software."
Schwab
Editor, A1-AAA AmeriCaptions
ISTR that Muslix64's attack worked by identifying the keys in active RAM. So how does revoking the keys defeat this attack?
They didn't fix any flaws. They just deactivated old keys and issued new ones. Supposedly InterVideo will be patched to be more secure (aka try to hide the new key). Maybe that is what they are talking about but it still does not fix any flaws by a long shot. Just look at all the cracked versions of software out there that have all kinds of fancy safety and protection mechanisms and are still cracked daily. As long as it's in memory in unencrypted form for any amount of time, it can be obtained.
What they have done is analogous to re-keying a lock that is susceptible to being picked -- it's only a matter of time before it is picked again. Lather, rinse, repeat. And how long before a hardware player is cracked? If I had one I'd bust into it to see what kind of flash it has. It probably has an on-board JTAG or other programming port to dump the memory like most consumer devices which are mass produced and then flashed assembly style, making obtaining the key quite easy. When the players come down in price I fully expect them to be cracked on a daily basis.
"I'll just chip in a bit for RedHat: I actually have that installed on my university machine." - Linus, '95
I feel sorry for anyone who has to give birth to DVDs, let alone backwards.
Sharp edges. Ouch.
I guess that nobody with VC understands that DRM is simply a VERY expensive, very stressful game of whack-a-mole.
It amazes me that so many people believe that they can do the DRM game and make huge money. Recent news tells me that if the US government is trying to influence other countries to do more about copyright infringement, well then, DRM must not work worth a damn, otherwise there would be no need for US Governmental intervention. With that bit of proof that it won't work, doesn't work, and can't work, it should be relatively obvious to all concerned that the only way that DRM *CAN* work is if governments create laws that make it illegal to not use DRM.
Media and content providers simply have to get on the right bandwagon... DRM isn't it. No matter what fantastically great work they do for any particular DRM scheme it will always end up broken. There is no method that can reasonably ensure secure keys when the unencrypted content has to be present to view it. Sigh, old dogs, new tricks, bad circus experiences....
Support NYCountryLawyer RIAA vs People
The number one reason Vista is Sinking Like a Stone, is "DRM problems and lack of anything even remotely demonstrating an understanding of how users want to use digital media." If DVD makers tighten up, people are going to route around them the same way they are routing around the RIAA member companies. They will flock to independent film makers and the big dumb publishers will watch their earnings collapse at 20% per year. Their greed goes beyond the already insane limits of copyright and that kind of thing is simply not fun.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
I know I'm getting offtopic here, but I personally know some people who are rich, own copyrighted content, and are absolutely obsessed with controlling it. They're not people I can understand. They think that every reasonable fair use right should be carefully meted out by themselves alone, that they should be able to revoke rights to anyone at any time for any reason, that allowing a user to copy their content without explicit licensing and permission would be the start of some file-sharing apocalypse. It's not even so much about the money with them as it is the power and control. And every time they hear about DRM being broken they want some new, better way of controlling their media. As much as I praise EMI for their actions of late, I can't help but think the people I know represent the bulk of the **AAs. The more we prove DRM is useless to a customer that has access to the hardware and software, the more appealing "Trusted Computing" will become to the Industry. Add a nanny-state government to that and you've got a recipe for disaster. And the "average consumer" wouldn't raise a stink about it. Even a locked-down home-phoning appliance could run Microsoft Office and QuickBooks and HALO*, so 99% of people wouldn't care. Tell them it's more "secure" and they'll buy it. (...wait, they already play HALO on locked-down home-phoning trusted-computing appliances...)
How can I believe you when you tell me what I don't want to hear?
Because we can. Forget about laws in books, even forget that Bill Of Rights that some of you have, they get ignored all the time. Rights are yours if you have the means to enforce your ability to exercise your right.
http://www.xboxhacker.net/index.php?topic=6866.0
http://forum.doom9.org/showthread.php?&t=124294&p
http://www.engadget.com/2007/04/10/aacs-hacked-to
appleguru.org
You're missing the point.
The benefit of all these cracks isn't to allow people to copy the movies. That ability was never in doubt -- people will always be able to do that. They'll be able to do that regardless of what the content monopolies do, short of just deciding that they won't release movies anymore (which is fine; there's enough of a demand for entertainment that other people will do it -- there's nothing special about making movies that a lot of people can't do, it just takes a lot of money).
Holding onto a crack until AACS is ubiquitous wouldn't do anything. The ultimate failure of AACS isn't, and never was, in doubt -- all DRM is flawed, and it will eventually be broken.
The question is whether it's possible to convince both the studios/content-creators, and consumers, of the utter futility of DRM in the first place, so they'll stop trying to do it, and stop wasting everyone's time. DRM is nothing but a broken window: it's millions of man-hours and probably billions of dollars of resources diverted from other, more productive, tasks, both to create it and break it. That's the real cost of DRM.
So if by releasing cracks for AACS every time they update it, as quickly as possible, it demonstrates to the studios that they're engaging in a war against a guerrilla enemy that they can't possibly defeat, regardless of how much money they spend, perhaps they'll throw in the towel sooner rather than later. It may be a slim chance, but given that Apple has started to see the light, there's some hope.
That's the real benefit of these cracks. Compared to the economic and social cost of the wasted effort, the ability of people to pirate a few movies pales in comparison.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
I'm sorry, but this is /. and we only allow automotive analogies here. Please rephrase.
It must have been something you assimilated. . . .
Audio CDs were invented in 1983, before many people were computer proficient to make perfect digital copies of songs. It was only in 1991 or so that digital DRM was invented.
True Audio CDs have no DRM. New "CDs" that have no DVDs hidden on them should have no DRM, since no one is making pure "CD" DRM anymore. If you buy CDs from non-RIAA labels, you should never run into DRM at all.
Now, DVDs do have DRM. So the question is, how do we get manufacturers to make Laserdiscs again?
There is a fine line between recklessness and courage... -- Paul McCartney
That sounds like a fantastic place to receive unbiased, neutral, well-researched information about a Microsoft product. Run by the FSF, no less! WOW!!
Here is the important question:
;)
If you were the implementer of AACS on HD player SW, how would you hide the key? I can think of a few ways:
1. Keep the data in CPU registers and cache.
2. Split the keys up into smaller pieces, and spread them around when in memory.
It seems that both is basically security through obscurity, and that has not worked very well in the future.
If you respond to this with a clever way to do this, make sure you post the reason it will not stand up to hackers as well. Otherwise, keep it to yourself.
don't cut it off www.mgmbill.org
Actually, it'll end when they run out of keys to revoke. AFAICT, the set is finite.
Oh, a lesson in history from Mr. I'm my own grandpa.
It seems that both is basically security through obscurity, and that has not worked very well in the future.
Ahh, I see you have already attended the time travel seminar that will be held in two weeks.
"Alcohol, Tobacco, Firearms, and Explosives" should be a convenience store, not a government agency.
It seems that both is basically security through obscurity, and that has not worked very well in the future.
So tell me.. was Duke Nukem Forever worth the wait?
"I realise this is not a very popular opinion but it's the truth, and there for needs to be said" -Bill Hicks
2. Hiding the key is easy, but I don't know how useful it really is.
Here are some ideas on how I would do it:
1. Instead of calling a standard AES routine that needs the bytes of the key to be in successive memory locations, recode the routine to take bits of the key from different areas of memory.
2. Suppose (to simplify) that we combine a player key (PK) (that we want to hide) with a disc key (DK) (on the disc) to produce a media key (MK). Then we combine an encrypted sector (ES) with the media key (MK) to produce a decrypted sector (DS). Suppose (for illustration) that keys are 256 bits and blocks 4096 bits long.
I would follow these steps: write a single function f(DK, ES) = DS in a simple algebraic language. PK exists as constants in the function body. With a preprocessor, convert this function into 4096 boolean functions of 4352 inputs and output C code to compute their minimal disjunctive form. Recovering PK is equivalent to brute-forcing AES.
Please correct me if I am wrong.
Someone just has to write a ps3 cell code to do the key guessing just like folding@home, 100,000 pirates, and whammo, it would be cracked really fast, maybe 24hrs. Ironically, that the device player to make bluray popular could be used to actually crack the keys the fastest.
Liberty freedom are no1, not dicks in suits.
"Ayers said future assaults by hackers can be similarly fixed by replacing compromised keys with new ones."
:(
They're going to have to institute an MS-like "patch Tuesday" to issue new keys.
On the down side, I'm going to have to wait until the weekend before the HDDVD hackers break the new scheme and resume their regular distribution schedule.
Instead, it's about hiding data in such a way that it would take so much time and so much computer resource to break the encryption code to the point where it becomes impractical to even try doing it in the first place. In practical terms, for a specific encryption algorithm, it might, for example, be estimated that it would take 1 man on 1 PC up to 8000 years of continual effort to break a particular encryption algorithm.
However, get 2 men on 2 PCs working together, it'll take up to 4000 years to break it.
4 men on 4 PCs will take about 2000 years to break it.
etc.
Based on that assumption, I give your encryption keys 1 year at the most.
Gentoo Linux - another day, another USE flag.
We have fixed the problem this time.
No, seriously, we did... Really.
So, unless some miscreant goes out and breaks something, yes, it is fixed.
Hackers of the world: It ain't broke, so please don't be taking it apart to find out why. Please! The fact that you can't watch movies you paid for on the equipment you own is a design feature. Please don't meddle with it, it will only make more work for us.
{We have just raised the bar and thrown down the gauntlet, so: On your mark, get set, GO!}
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
I thought that too, but then the back of my brain asked "Well, if they encrypt it to be decrypted by all known good keys that means a disc made at one point in time wouldn't be able to support a key issued to a new player manufacturer later."
That led me to think they had to use a revocation list scheme like CAs use. Because without it if, say, Bob's electronics decide to manufacture its own drive then any HD content made BEFORE it was issued its key wouldn't play on it. That would be a HUGE barrier to entry into the market.
I'm a fiscal conservative, it's a pity we don't have a political party anymore
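The revocation question raised in the comment above, as an added example that is not part of the original thread and is not AACS's actual key-block format: a toy complete-subtree key tree in which every device slot's keys are derivable before any player is built, so a disc's key block depends only on which slots are revoked and a player assigned a slot later can still read it. The tree depth, the HMAC key derivation, the XOR wrap, the master secret and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

DEPTH = 4                 # constructed toy size: 2**4 = 16 device slots
LEAF0 = 1 << DEPTH        # heap index of the first leaf (root is node 1)
MASTER = b"constructed-demo-master-secret"   # held only by the licensing body

def node_key(node):
    """Licensing-body side: derive the key for one tree node."""
    msg = b"node" + node.to_bytes(4, "big")
    return hmac.new(MASTER, msg, hashlib.sha256).digest()

def path(slot):
    """Heap indices from a device slot's leaf up to the root."""
    node, out = LEAF0 + slot, []
    while node >= 1:
        out.append(node)
        node //= 2
    return out

def device_keys(slot):
    """Keys burned into a player at manufacture: one per node on its path."""
    return {n: node_key(n) for n in path(slot)}

def cover(revoked):
    """Roots of the largest subtrees that contain no revoked slot."""
    if not revoked:
        return [1]
    tainted = {n for s in revoked for n in path(s)}
    return sorted(n for n in range(2, 2 * LEAF0)
                  if n not in tainted and n // 2 in tainted)

def wrap(key, data):
    """Toy XOR wrap (its own inverse); a real format would use a block cipher."""
    pad = hmac.new(key, b"wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

def make_key_block(media_key, revoked):
    """Disc side: the media key wrapped once per cover node."""
    return {n: wrap(node_key(n), media_key) for n in cover(revoked)}

def player_unwrap(keys, block):
    """Player side: use whichever path key appears in the block, if any."""
    for n, k in keys.items():
        if n in block:
            return wrap(k, block[n])
    return None

if __name__ == "__main__":
    media_key = bytes(range(16))                    # constructed sample key
    block = make_key_block(media_key, revoked={5})  # slot 5 was compromised
    for slot, label in [(3, "existing"), (5, "revoked"), (12, "built later")]:
        ok = player_unwrap(device_keys(slot), block) == media_key
        print(slot, label, "plays" if ok else "refused", len(block), "entries")
```

With one revoked slot out of 16, the key block holds four entries rather than fifteen, which is why this style of revocation scales to large device populations.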
Yeah, I used to think that ripping DVD was for folks who knew computers and were geeks. That was until I worked on a few barely computer literate people's computers and found ripping software! It gets better, while my SO was buying a DVD she'd found cheap at a grocery store the clerk running the checkout starts to tell her all about how to rent and RIP DVDs - then goes so far as to tell her it's perfectly legal! He even told her what software to use - she was pretty amused and just nodded while he went on and on about it. My point is - the folks who don't live computers are doing this in amazing numbers.
:-)
Now we're talking High Def DVD and people still want that content. They have just forced a bunch of folks to patch their software. Meanwhile the guys on the Doom9 forums have hacked the HD DVD firmware for the XBOX 360 such that it ignores half the scheme and coughs up the Volume keys. http://forum.doom9.org/showthread.php?t=124294 Whoops. People will soon be flashing their drives to decrypt the media all over again. What are they going to do, revoke drives en masse? Do they think this SAME thing won't be done to Blu Ray and other hardware? The last time around they even shared keys between Blu Ray and HD DVD pressings, talk about one key to rule them all! Slysoft even released a commercial product to rip the new media...
So what do they think will happen with HD content that's ANY different than with standard DVDs? If someone can hack existing firmware to avoid these keys then what stops an offshore manufacturer from simply producing such a drive? You might have to hit a few buttons on the remote to activate it but you can bet it will happen. The biggest thing slowing it down right now is sheer size of the content - 20Gigs and an hour's worth of time to rip it is going to put off a few folks I'll bet. Where are those 1TB drives being released again?
The consumers will speak - this sucker is toast. It won't be long before simply buying a fake on a streetcorner or downloading from a torrent is FAR less trouble than buying the real thing.
Build it, Drive it, Improve it! Hybridz.org
The expensive DVD player from Sony now sits in the kitchen and occasionally plays a normal music CD, when there is nothing in the FM worth listening to.
So, running 24/7/365, how long does a Sony DVD player work?