AACS Cracked Again

EmTeedee sends us to a blog post for a summary of the latest results in cracking AACS, from the Doom9 forums (as the earlier cracks have been) — after the DVD Security Group said it had patched the previous flaws. From the DLTV blog: "This time the target was the Xbox 360 HD DVD add on. Geremia on Doom9 forums has started a thread on how he has obtained the Volume ID without AACS authentication. With the aid of others like Arnezami they have managed to patch the Xbox 360 HD DVD add on... It appears that XT5 has released [an] application that allows the Volume ID to be read without the need to rewrite the firmware. This would mean that anyone could simply plug in the HD DVD drive and obtain the Volume ID from any HD DVD without the hassle of flashing it."

One word.

[Spazntwich]

Owned.

Re:One word.

[Ravenscall]

When will these stuffed suits learn that the more they try to limit people, the more people will fight those limitations?

Re:One word.

[Spazntwich]

Hopefully not anytime soon, as I love stories of this type.

Seriously, what was the turnaround time from a claimed patch to another breach? Was it even 3 days ago those clownshoes were crowing about it?

Re:One word.

You mispelled "Pwned".

Re:One word.

[ryanvm]

Oh come on, you know you wanted to make your point with a Star Wars quote.

Re:One word.

[calciphus]

As inconvenient as it is, the real reason for DVD security like AACS isn't for the consumer. Sorry, you're not that important.

When people invest millions of dollars in developing a standard like HD-DVD, Blu-Ray, or whatever comes along next (UV-DVD?), they need assurances that they will get their money back. They don't make money off of the sale of DVDs, but rather off of DVD hardware. So companies that manufacture DVDs can't just build players, they have to buy little AACS chips directly and exclusively from the standard's creator, and pay them a fee.

They don't /really/ care if you break the encryption, because no DVD-player manufacturer could ever go out and use the cracks to avoid paying Sony / Toshiba/NEC. AACS has done its job, in that sense.

I'm glad AACS was cracked. I don't particularly like the idea that I have to rely on a physical copy of something I allegedly only own the rights to "watch" anyways.

Re:One word.

[Kaenneth]

Ownedbiwan Kenobi?

Re:One word.

[brogdon]

"You mispelled 'Pwned'."

...and you misspelled "misspelled." :)

/English geek

Re:One word.

[HTH+NE1]

Well, you don't have to use Star Wars. There's other cultural references to be made.

"AACS of Evil" springs to mind.

That does it!

[jhfry]

No more movies! Ever! We quit!

The movie industry.

Re:That does it!

[CogDissident]

Anyone else find it funny that this came out just as they were putting people together to push out the new updates?

I have this mental image of a guy in overalls hauling boxes and boxes of patched DVDs out to the truck, looking up at the news-monitor in the shipping yard, and just a single tear falling.

Re:That does it!

[SillyNickName4me]

I have this mental image of a guy in overalls hauling boxes and boxes of patched DVDs out to the truck, looking up at the news-monitor in the shipping yard, and just a single tear falling.

Hmm.. I'd think he'd smile tho. nice job security for a while.

Re:That does it!

[Oktober+Sunset]

I see a little thought balloon appearing above his head, with the word Overtime!, then a tiny image of him going Scrooge McDucking style in a huge pile of money.

Meanwhile, the fat cat manger receives the report on how much it cost, a single tear is about to fall, as he thinks he can only buy 3 new yachts this year instead of 5, but then he remembers that actually, he can just shift the blame onto someone else and so still get his $20 million bonus, then he remembers how he would get it anyway even if he didn't fuck up. Then he cuts all all the cleaning staff's pay to make up part of the loss and he gets an even bigger bonus and can buy 7 yachts.

Then all the shareholders get their dividend report, all start crying uncontrollably as they realise their investment is paying out worse than a Scotsman on comic relief night. However instead of doing something like kicking out the board, they bleat along to the tune, The Haaaaaackers did it, BAAAAAAAAAAD hackers. Cut to fat cat manager, takes a break from Scrooge McDucking it in his pool of money and he cuts pensions and healthcare for all shipping and logistics staff. Cut back to original guy, who has to spend all his overtime money on buying his kid new braces, .

Meanwhile, the government outlaws, fair use, free speech, free thought, freedom, etc.

Capitalism at it's finest.

I LOVE this!

[jhfry]

It seems that the /. crowd, and the tech industry in general, knew well before AACS was ever released that it would be a flop. We knew it would do nothing to prevent disks from being copied, we knew it would do nothing but hurt the consumer, and we knew it was an utter waste of money.

Yet the movie industry pushed forward, and look where it got them... exactly where we said it would, nowhere.

I can't wait until they realize that it's not worth it, and just stop concerning themselves with copy-protecting their media and instead focus on creating good movies.

Re:I LOVE this!

[suv4x4]

I can't wait until they realize that it's not worth it, and just stop concerning themselves with copy-protecting their media and instead focus on creating good movies.

Let's keep things straight:

writers/directors/actors focus on creating good movies;
movie distribution/marketing companies focus on wasting money on copy protecting their media.
hackers concentrate ruining the cop protection efforts;
the general consumer looks at the easier way to get their movie, be it rental/torrent/buy DVD/p2p: whatever seems better value.

Re:I LOVE this!

[Pope]

DRM or not, the current 1 freaking minute booting time for HD DVD players (dunno about BluRay) is enough to put me off the damn things.

Re:I LOVE this!

[ben+there...]

Looks like as with all media post-internet, the solution is to cut out the middle man:

1) writers/directors/actors focus on creating good movies;
-->2) movie distribution/marketing companies focus on wasting money on copy protecting their media.<--
(hackers concentrate ruining the cop protection efforts;)
3) the general consumer looks at the easier way to get their movie, be it rental/torrent/buy DVD/p2p: whatever seems better value.

Ouch

[Grimfaire]

Someone really needs to fire whomever the MPAA uses for deciding on security for these things. Haven't they heard the golden rule of computer security? "Security by obscurity is no security" and that's all they are doing is trying to hide a key. Find the key... no security. Sheesh....

Re:Ouch

[Kimos]

It's not the fault of the MPAA directly. It's the fundamental flaw of DRM.

Encryption works because parties A and B exchange data that is encrypted with a key that party C does not have. In the case of DRM, you have the encrypted data and you have the keys that you need to decrypt and view the data. You are in essence parties B and C. They hide the key from you in the players and software, but it's there if you know how to find it. That's why DRM can and will never work. It's security through obscurity.

Looks like

[Some_Llama]

The race is on, let me tell you from the perspective of online gaming and the cheat vs cheat detection wars:

The hackers have the edge.

But if you develop the AACS standard at least you have job security ;)

Anyone else notice...

[djdbass]

...this is just barely 24 hours after they announced it was fixed? Great work to those involved. Hell I can't get a change approved in 24 hours!

Fine by me.

[Kadin2048]

No more movies! Ever! We quit!

The movie industry.

That really wouldn't be the worst thing in the world. There's a huge demand for movies, but they're expensive to make and the current movie industry sucks up most of the available investment dollars. There's no "secret sauce" involved in making a movie; it's just very, very expensive, and the people with enough cash to bankroll a film would rather go with an established, sure bet, rather than taking a chance on someone or something new.

If the current players just decided to pack up and go home, the new industry that would rise up in its place would doubtless be a lot more creative -- at least in the short term -- and we'd probably see a lot of new material out of it. In time, it would probably stagnate, too, because that's the way of things.

The main problem with the current situation is that the dinosaur companies have bought protection for their business models from the government, and essentially have propped themselves up. There's nothing bad with companies getting big, but there's also nothing that says they have a "right" to stay in business, either. Failing business models deserve to die, and the companies that rely on them deserve to die, too; when they don't, you're stopping what ought to be a natural economic progression.

Re:Fine by me.

[kebes]

Good post.

This assertion:

There's no "secret sauce" involved in making a movie; it's just very, very expensive.

caught my eye. Actually I would say it's an untested hypothesis that movies are expensive. Currently movie production is basically a monopoly (actually a cartel). By definition monopolies have no competition, hence there is no incentive to try and make things cheaper. This gives rise to the massive salaries and creative accounting that Hollywood engages in. (Somehow, on paper, they actually have razor-thin profits even when the movie made 10-times as much money as the supposed budget.)

If Hollywood were replaced with something new, that was actually a competitive marketplace to make decent movies at the lowest price, I bet they would cost only a fraction of what they cost now. I imagine a movie that nowadays costs $30 million could actually be made for $600,000 once salaries became more reasonable, advertising were less extensive, and studios were forced to optimize their workflow to keep the budget down. The quality/budget ratio of independent films lends credence to this theory.

Current movie prices are massively inflated because they are a monopoly. If that monopoly were removed, I bet the new price of movies would be low enough that people wouldn't bother with unauthorized duplication... because the genuine article would be cheap enough already.

Re:Fine by me.

[HTTP+Error+403+403.9]

I think TV killed the movie industry. A traditional movie is a dinosaur compared to TV. The level of character and plot development in a single season of a one hour drama is so much greater than a single two hour movie can provide. If the Sopranos were a movie franchise, we'd be on maybe the third or fourth movie - roughly equivalent to 6 or 8 TV episodes. It seems like movies compensate for the lack of character and plot development by using gimmicks or bigger explosions.

Re:Fine by me.

[Kadin2048]

After reading the first sentence I thought someone was making a good point, but the signature line negates it.

My signature or the GP's?

Anyway, I think it's important to work on both fronts. First, I agree that the best bet is just to not purchase anything that's DRMed at all. But since that means basically bowing out of a large portion of our culture -- I mean, no late-model VCRs (macrovision) or tapes, no DVD players or discs, no TiVO -- I think you're going to have trouble getting enough people to follow you to make it significant. There's no point in throwing yourself in front of a tank if they're just going to run over you and nobody else is going to notice or care.

Continually breaking the DRM schemes costs the studios a lot of money. It ensures that DRM is never "fire and forget;" and it turns DRM from being a one-time cost into a continual cost center, a black hole that they need to keep pouring money into. If you can make the cost of maintaining an effective DRM system higher than the cost of the piracy that it allegedly prevents, then it will eventually go away -- either the companies will see the light, or they'll be run out of business by other companies who do, and who are more profitable as a result.

The major remaining problem is that the entertainment industry in particular has so much political influence that it's going to require a lot of vigilance and advocacy to keep them from trying to use the law to buoy themselves as they start to sink -- or barring that, pull everyone else down with them. We haven't had much luck in this in the past, hence we've seen the AHRA, the DMCA, and lately the Mickey Mouse Protection Act go through. But if we can keep the visibility of their actions high -- which is aided by putting pressure on them and forcing them to be more and more outlandish and openly anti-consumer -- while at the same time denying them revenue by boycotting DRMed products and sucking their revenue through a guerrilla campaign against the DRM systems themselves, they'll eventually be forced to quit.

Re:Fine by me.

[smellsofbikes]

>The quality/budget ratio of independent films lends credence to this theory.

I'm not trying to be snide here, but I suspect you haven't seen very many independent films. Most of them *suck* *incredibly*, but the very best 0.1% are quite good indeed, competitive with the best stuff coming out of Hollywood. I think it's something like a Boltzmann distribution -- Hollywood has a very steep curve, so there's not a lot of difference between their very best movies and their worst. Bollywood's best are about as good, but their worst are much worse. Chinese films, at their best, are superb, but the worst ones I've seen have been nearly unwatcheable. Then you go to an independent film competition -- I'm not talking Sundance, I'm talking some local art scene competition -- and you begin thinking to yourself "I'd pay $30 to not have to watch the rest of this."

Money doesn't guarantee a movie will be good, but it does heavily indicate the movie won't be appallingly bad.

Re:Fine by me.

[MobyDisk]

Dear Indie Movie Lover,

Explosions are expensive.

Sincerely,
Most people

Re:Fine by me.

[Kenshin]

Dear Most People,

Controlled explosions are expensive.

Sincerely,
Someone who played with fireworks as a kid

Re:Fine by me.

[cyberfunkr]

Dear Most People,

Most common items don't explode. They spark, they pop, they burn, they shatter; but big booms with infernos and visible concussion waves are few and far between.

Sincerely,
Reality

Re:Fine by me.

[DigDuality]

Dear Mr HaveNoTaste,

There's many great movies without explosions. In fact most of the action packed movies with no dialogue except one line meat heads, sci-fi that's nothing but action with lasers, romance that's nothing more than repetition of Wedding Crasher, Meet the Fockers, and some crap with J Lo in it over and over again, all the CGI laden movies, with huge acting names in them.. tend to be really flat movies. They have no feeling, no passion, crap stories, crap dialogoue.

But ooh ooh.. look! Explosions! zomg. that's so cool.

Amazing movies were made on shoestring budgets. And not just cult classics. 12 Angry Men anyone? To Kill a Mocking Bird? These didn't exactly cost a fortune.Actors are overpaid, and Hollywood is too scared to try ideas that aren't sure things.

Sure we could have another 20 movies with Will Farrell or Ben Stiller in them, but I could really give a crap. Rodriguez and Tarintino could've made Grindhouse out of their pockets, and look how many actors and producers chipped in because they wanted to do something fun.

Movies need to get back to people who love to make them rather than these scientologiest nutbags who marry women doped up on too many prescribed pills while pregnant and not knowing who the daddy is.

Actually a success

[zeroharmada]

While I think everybody has been making good points so far, you have to remember that in the long term copy protection is actually winning. While these measures might be meant in name to stop piracy, their true value is in taking out fair use as collateral damage. The goal of DRM is not to stop piracy, but to make it difficult enough that Joe User will not be able to convert or make backups through a point and click interface. If this copy protection has done that, then it is making them money.... shame all it does is hurt the people who legitimately buy their products.

Re:this is what we needed

[prelelat]

I know what your saying and I agree with it, but having the legal right to make a copy doesn't mean that they don't have the right to try and stop you. I just wish that they would realize that most people like to buy stuff, I know I like to buy DVDs it makes me feel warm and fuzzy to be like "Hey I bought the whole (insert show or movie) series". But the truth is that its too expensive to buy everything I would like to. Production costs at this point of the DVD release have usually been covered(excluding making the menu releasing extra content and having a commentary that I never listen to except on south park dvds) the packaging and DVD for a season of south park is about 50 dollars canadian when it comes out. It probably cost them 5 dollars to make(my guess and some might say it was high some might say it was low theres 3 dvds in there with graphic lables and casing and maybe shipping not sure if the store pays for that or not) so lets say the store like HMV or Best Buy makes about 10 dollars off of the sale. Thats 35 dollar profit for the manufacture. Lets say you pay Matt Stone and Trey Parker to do their commentaries for it, they probably get a % of sales. so if you sell 100,000 dvds of one season you get 3.5 million dollars, say matt and trey take 10% each the studio is left with 2.8 million.
if you reduced the cost so that a box set costs 40 dollars using the same numbers you end up with 2 million. This gives you less profit right? Well if people are more willing to buy a dvd at 40 dollars and you get 150 000 dvd sales you end up with a final profit of 3.75 3 million dollars. Your making more money. I know nothing and I'm bored so don't take me too cereal. I know people will still pirate dvds but people will always pirate dvds, you won't stop them. Use the money that your putting into research to reduce the cost of the product and sell it and I bet you will have less people pirating or at least buying a legit copy after pirating or before making a backup. I know I would.

I find it bad form that I've paid 8*45+20(best of volume was cheaper) for my south park dvd collection. Thats almost 400 dollars. come to think of it that seems insane, and thats not my only collection. Most people can't aford that and I can see why they pirate or make backups. Would you want to go out and spend that again if your DVD got wrecked by a scratch?

AACS

[dattaway]

Another Aacs Crack Soon

Re:AACS

[Dorceon]

How about: AACS Ain't Cryptographically Secure

Re:I were one of the cracking groups...

[mhall119]

It's not a matter of one cracked key being easy, and another being hard. The fact of the matter is that once you crack a device, it's wide open, there is no more cracking left to be done on that device. It also means that once you crack one device, you have access to all the movies published to date, so cracking another device doesn't gain you anything.

From my understanding, the AACS system is already a very well understood system. It is actually documented and available for public viewing. The way these people are obtaining keys is by finding design flaws in the way different devices implement the system. For WinDVD, it was found that one of the keys is available in system memory at a given point while loading the disc content, and could be captured by reading the right memory address. I'm sure something similar is happening with the XBox360 keys.

The WinDVD key was revoked by AACS, and future movies will not be playable on the cracked version of WinDVD, but a free upgrade to WinDVD will use a new key that cannot be obtained the same way. Revoking the XBox key for future movies will be more problematic, since it would presumably require a firmware upgrade, and making the HD-DVD's most popular playback device unable to play the newest blockbuster movie won't be good for HD-DVD sales.

Brute-force cracking all, or even a small number, of the AACS device keys would take years, probably tens or hundreds of years (I'm not sure exactly what the device key length is). Finding ways to make a playback device give up that information is much faster and easier. Further more, once you crack a single device key, you can get the encryption key for the content of any movie, then anybody can decrypt that movie based on that key, without need of the device or device key. Going back to the WinDVD keys, any movie encrypted with the old WinDVD key can now be decrypted, making a whole generation of HD movies available DRM-free.