AACS Cracked Again

EmTeedee sends us to a blog post for a summary of the latest results in cracking AACS, from the Doom9 forums (as the earlier cracks have been) — after the DVD Security Group said it had patched the previous flaws. From the DLTV blog: "This time the target was the Xbox 360 HD DVD add on. Geremia on Doom9 forums has started a thread on how he has obtained the Volume ID without AACS authentication. With the aid of others like Arnezami they have managed to patch the Xbox 360 HD DVD add on... It appears that XT5 has released [an] application that allows the Volume ID to be read without the need to rewrite the firmware. This would mean that anyone could simply plug in the HD DVD drive and obtain the Volume ID from any HD DVD without the hassle of flashing it."

One word.

[Spazntwich]

Owned.

Re:One word.

[Ravenscall]

When will these stuffed suits learn that the more they try to limit people, the more people will fight those limitations?

Re:One word.

You mispelled "Pwned".

Re:One word.

[calciphus]

As inconvenient as it is, the real reason for DVD security like AACS isn't for the consumer. Sorry, you're not that important.

When people invest millions of dollars in developing a standard like HD-DVD, Blu-Ray, or whatever comes along next (UV-DVD?), they need assurances that they will get their money back. They don't make money off of the sale of DVDs, but rather off of DVD hardware. So companies that manufacture DVDs can't just build players, they have to buy little AACS chips directly and exclusively from the standard's creator, and pay them a fee.

They don't /really/ care if you break the encryption, because no DVD-player manufacturer could ever go out and use the cracks to avoid paying Sony / Toshiba/NEC. AACS has done its job, in that sense.

I'm glad AACS was cracked. I don't particularly like the idea that I have to rely on a physical copy of something I allegedly only own the rights to "watch" anyways.

That does it!

[jhfry]

No more movies! Ever! We quit!

The movie industry.

Re:That does it!

[CogDissident]

Anyone else find it funny that this came out just as they were putting people together to push out the new updates?

I have this mental image of a guy in overalls hauling boxes and boxes of patched DVDs out to the truck, looking up at the news-monitor in the shipping yard, and just a single tear falling.

Ouch

[Grimfaire]

Someone really needs to fire whomever the MPAA uses for deciding on security for these things. Haven't they heard the golden rule of computer security? "Security by obscurity is no security" and that's all they are doing is trying to hide a key. Find the key... no security. Sheesh....

Looks like

[Some_Llama]

The race is on, let me tell you from the perspective of online gaming and the cheat vs cheat detection wars:

The hackers have the edge.

But if you develop the AACS standard at least you have job security ;)

Anyone else notice...

[djdbass]

...this is just barely 24 hours after they announced it was fixed? Great work to those involved. Hell I can't get a change approved in 24 hours!

Fine by me.

[Kadin2048]

No more movies! Ever! We quit!

The movie industry.

That really wouldn't be the worst thing in the world. There's a huge demand for movies, but they're expensive to make and the current movie industry sucks up most of the available investment dollars. There's no "secret sauce" involved in making a movie; it's just very, very expensive, and the people with enough cash to bankroll a film would rather go with an established, sure bet, rather than taking a chance on someone or something new.

If the current players just decided to pack up and go home, the new industry that would rise up in its place would doubtless be a lot more creative -- at least in the short term -- and we'd probably see a lot of new material out of it. In time, it would probably stagnate, too, because that's the way of things.

The main problem with the current situation is that the dinosaur companies have bought protection for their business models from the government, and essentially have propped themselves up. There's nothing bad with companies getting big, but there's also nothing that says they have a "right" to stay in business, either. Failing business models deserve to die, and the companies that rely on them deserve to die, too; when they don't, you're stopping what ought to be a natural economic progression.

Re:Fine by me.

[kebes]

Good post.

This assertion:

There's no "secret sauce" involved in making a movie; it's just very, very expensive.

caught my eye. Actually I would say it's an untested hypothesis that movies are expensive. Currently movie production is basically a monopoly (actually a cartel). By definition monopolies have no competition, hence there is no incentive to try and make things cheaper. This gives rise to the massive salaries and creative accounting that Hollywood engages in. (Somehow, on paper, they actually have razor-thin profits even when the movie made 10-times as much money as the supposed budget.)

If Hollywood were replaced with something new, that was actually a competitive marketplace to make decent movies at the lowest price, I bet they would cost only a fraction of what they cost now. I imagine a movie that nowadays costs $30 million could actually be made for $600,000 once salaries became more reasonable, advertising were less extensive, and studios were forced to optimize their workflow to keep the budget down. The quality/budget ratio of independent films lends credence to this theory.

Current movie prices are massively inflated because they are a monopoly. If that monopoly were removed, I bet the new price of movies would be low enough that people wouldn't bother with unauthorized duplication... because the genuine article would be cheap enough already.

Re:Fine by me.

[Kadin2048]

After reading the first sentence I thought someone was making a good point, but the signature line negates it.

My signature or the GP's?

Anyway, I think it's important to work on both fronts. First, I agree that the best bet is just to not purchase anything that's DRMed at all. But since that means basically bowing out of a large portion of our culture -- I mean, no late-model VCRs (macrovision) or tapes, no DVD players or discs, no TiVO -- I think you're going to have trouble getting enough people to follow you to make it significant. There's no point in throwing yourself in front of a tank if they're just going to run over you and nobody else is going to notice or care.

Continually breaking the DRM schemes costs the studios a lot of money. It ensures that DRM is never "fire and forget;" and it turns DRM from being a one-time cost into a continual cost center, a black hole that they need to keep pouring money into. If you can make the cost of maintaining an effective DRM system higher than the cost of the piracy that it allegedly prevents, then it will eventually go away -- either the companies will see the light, or they'll be run out of business by other companies who do, and who are more profitable as a result.

The major remaining problem is that the entertainment industry in particular has so much political influence that it's going to require a lot of vigilance and advocacy to keep them from trying to use the law to buoy themselves as they start to sink -- or barring that, pull everyone else down with them. We haven't had much luck in this in the past, hence we've seen the AHRA, the DMCA, and lately the Mickey Mouse Protection Act go through. But if we can keep the visibility of their actions high -- which is aided by putting pressure on them and forcing them to be more and more outlandish and openly anti-consumer -- while at the same time denying them revenue by boycotting DRMed products and sucking their revenue through a guerrilla campaign against the DRM systems themselves, they'll eventually be forced to quit.

Re:Fine by me.

[smellsofbikes]

>The quality/budget ratio of independent films lends credence to this theory.

I'm not trying to be snide here, but I suspect you haven't seen very many independent films. Most of them *suck* *incredibly*, but the very best 0.1% are quite good indeed, competitive with the best stuff coming out of Hollywood. I think it's something like a Boltzmann distribution -- Hollywood has a very steep curve, so there's not a lot of difference between their very best movies and their worst. Bollywood's best are about as good, but their worst are much worse. Chinese films, at their best, are superb, but the worst ones I've seen have been nearly unwatcheable. Then you go to an independent film competition -- I'm not talking Sundance, I'm talking some local art scene competition -- and you begin thinking to yourself "I'd pay $30 to not have to watch the rest of this."

Money doesn't guarantee a movie will be good, but it does heavily indicate the movie won't be appallingly bad.

Re:Fine by me.

[Kenshin]

Dear Most People,

Controlled explosions are expensive.

Sincerely,
Someone who played with fireworks as a kid

Re:Fine by me.

[cyberfunkr]

Dear Most People,

Most common items don't explode. They spark, they pop, they burn, they shatter; but big booms with infernos and visible concussion waves are few and far between.

Sincerely,
Reality

Re:I were one of the cracking groups...

[mhall119]

It's not a matter of one cracked key being easy, and another being hard. The fact of the matter is that once you crack a device, it's wide open, there is no more cracking left to be done on that device. It also means that once you crack one device, you have access to all the movies published to date, so cracking another device doesn't gain you anything.

From my understanding, the AACS system is already a very well understood system. It is actually documented and available for public viewing. The way these people are obtaining keys is by finding design flaws in the way different devices implement the system. For WinDVD, it was found that one of the keys is available in system memory at a given point while loading the disc content, and could be captured by reading the right memory address. I'm sure something similar is happening with the XBox360 keys.

The WinDVD key was revoked by AACS, and future movies will not be playable on the cracked version of WinDVD, but a free upgrade to WinDVD will use a new key that cannot be obtained the same way. Revoking the XBox key for future movies will be more problematic, since it would presumably require a firmware upgrade, and making the HD-DVD's most popular playback device unable to play the newest blockbuster movie won't be good for HD-DVD sales.

Brute-force cracking all, or even a small number, of the AACS device keys would take years, probably tens or hundreds of years (I'm not sure exactly what the device key length is). Finding ways to make a playback device give up that information is much faster and easier. Further more, once you crack a single device key, you can get the encryption key for the content of any movie, then anybody can decrypt that movie based on that key, without need of the device or device key. Going back to the WinDVD keys, any movie encrypted with the old WinDVD key can now be decrypted, making a whole generation of HD movies available DRM-free.

Re:AACS

[Dorceon]

How about: AACS Ain't Cryptographically Secure