Slashdot Mirror


Analyst Says Blu-ray DRM Safe For 10 Years

Mike writes to let us know that a poster on the AVS forum says that the latest issue of HMM magazine (no link given) contains a quote from Richard Doherty, a media analyst with Envisioneering Group, extolling the strength of the DRM in Blu-ray discs, called BD+. Doherty reportedly said, "BD+, unlike AACS, which suffered a partial hack last year, won't likely be breached for 10 years." He added that if it were broken, "the damage would affect one film and one player." As one comment on AVS noted, "I'll wait for the Doom9 guys to weigh in."

35 of 493 comments

  1. That's the article... by Anonymous Coward · · Score: 5, Insightful

    A link to a forum that quotes a magazine quoting a guy... something doesn't seem right here.

    1. Re:That's the article... by jnguy · · Score: 2, Insightful

      the slashdot article it quotes has to be about the article that is quoting it....

  2. famous last words by ErichTheWebGuy · · Score: 5, Insightful

    I give it two weeks tops. The gauntlet has been thrown down.

    --
    bash: rtfm: command not found
    1. Re:famous last words by sg_oneill · · Score: 4, Insightful

      The spec has a brilliant little hole in it already.

      The VMs have an ability to run native code, ostensibly to 'patch' a compromised decoder.

      So..., it seems the first step to cracking Blu-ray has been identified. What a fuck up.

      From here there's a 60 instruction VM. Rebuild the VM firmware using the native code execution capacities, and make sure the new VM can't 'see' its outside changes, and you may well have a (near) perfect irreversible hack.

      This baby's gunna sink in months.

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
    2. Re:famous last words by Myria · · Score: 3, Insightful

      We still can't mathematically prove that ciphers are unbreakable, but that doesn't mean that a modern cipher like AES is going to be broken.
      You don't need to break the algorithm to break the DRM. The key is in software or hardware somewhere; all you need to do is find it.
      --
      "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
    3. Re:famous last words by Sobrique · · Score: 2, Insightful
      No, it's not. Passwords are the key to open the door. If you get the key, then your security is functioning as intended, when someone can use it to open the lock.

      Security through obscurity hides how the lock works. After all, you can't pick a lock, if you don't understand how its tumblers are arranged.

      The weakness of this approach, is that you prevent legitimate review of the mechanism - a 'good' algorithm can be mathematically proven as 'strong' (e.g. PGP).

      Now, that's not to say that it's _not_ worth 'hiding' stuff - hacking a network is significantly harder if information on it is 'obscured' however if your security won't stand alone against someone who _does_ know everything about how it works, then it's fundamentally flawed.

      Of course, DRM is all about giving someone a locked box. And then giving them the key to that locked box, so they can use the content. And at the same time, trying to control how/where/when they open the box.

      It's not all that hard, to encrypt something such that it's 'computationally infeasible' to brute force crack. It's significantly harder to do so, whilst at the same time giving away a decryption key.

  3. Always keep your words soft and sweet... by OmniGeek · · Score: 5, Insightful

    In case you have to eat them.

    To quote Bruce Schneier, "Making bits not copyable is like trying to make water not wet." I dunno 'bout those Doom9 guys, but I know enough of Bruce Schneier's work to trust his opinion on this one. I don't know what the digital-media landscape will look like when all this settles out, but I *don't* think it'll be neatly and unbreakably wrapped in DRM containers with price tags on.

    --

    "My strength is as the strength of ten men, for I am wired to the eyeballs on espresso."
  4. The funny thing with these quotes... by Jugalator · · Score: 3, Insightful

    It's that they make movie execs happy, but they scare away the customers.

    Who're the most important in the success of a product?

    --
    Beware: In C++, your friends can see your privates!
    1. Re:The funny thing with these quotes... by dAzED1 · · Score: 4, Insightful

      the real customers, not the fringe folk who even know what DRM is.

      The real customers care about what format has the most movies available.

      The movie execs care about what format they feel protects and enhances their product the most.

      Tada. Riddle solved. If the target audience for HD-DVD is going to be limited to "those who care about the DRM being cracked" then...HD-DVD is very, very doomed.

  5. 2, 4, 6 8... by MBCook · · Score: 4, Insightful
    Quotes from the PDF linked to by the forum post (emphasis mine):

    The recent release of a licensing program for BD+, the coveted second line of defense against piracy...

    He said BD+ offers four times the safeguard on top of AACS against piracy.

    "If you see an apartment in a rough part of L.A., and the door has six locks on it, you're not breaking into that apartment," Doherty said. "Having those extra locks, even if you are not sure [they all work], is part of the magic of BD+..."

    BD+, unlike AACS, which suffered a partial hack last year, won't likely be broken for 10 years,...

    Hmm, they seem to have skipped 8. The amount of gall in this little article (which is the PDF) is amazing. AACS was "partially" cracked. BD+ is a second line of defense, four times as safe, and just like six weak locks that you don't think work, which, by the way, is magic.

    What is this guy smoking?

    --
    Comment forecast: Bits of genius surrounded by a sea of mediocrity.
    1. Re:2, 4, 6 8... by Anonymous Coward · · Score: 1, Insightful

      "If you see an apartment in a rough part of L.A., and the door has six locks on it, you're not breaking into that apartment," Doherty said.

      Pffft. Someone truly determined to break into an apartment is not going to be put off by a mere six locks on one of the ways in. Whatever way you look at it, it's just a matter of someone putting in enough time and/or effort to get in there.

  6. Perhaps they just want some additional QA... by Anonymous Coward · · Score: 1, Insightful

    The best way to find holes is to throw down the gauntlet to the hacker community and let them attack. This will give BluRay time to eliminate mistakes before players start rolling out the door for next xmas...

  7. Re:In some ways yes... by figleaf · · Score: 4, Insightful

    execute native code, possibly to patch an otherwise insecure system

    Or to execute malicious code and send all your private information to somebody.
    Stay away from Blu-ray computer players.

  8. In other news by Torodung · · Score: 2, Insightful

    Widespread Blu-Ray adoption not likely for 10 years.

    Coincidence? Possibly.

    --
    Toro

  9. Thanks for by future+assassin · · Score: 2, Insightful

    letting me know how hard you worked to make a product that restricts my use of it after I would have bought it. I'll stick to DVDs for now till a company comes out with a storage medium where I won't be buying crippleware.

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
  10. What is the true purpose of the message? by CrazyJim1 · · Score: 4, Insightful

    1) Don't even try hackers
    2) Go ahead, hacker, I am taunting you.
    3) Consumer, buy Blu-ray discs because your local pirate won't be stocked for years.
    4) Vendor, HDDVD is hacked, go with us for more sales instead of losing untold billions in piracy.

    I'm sure there is an actual reason.

  11. Re:In some ways yes... by poopdeville · · Score: 2, Insightful

    If they're using a small virtual machine, the right security protocol would be to make an MD5 (or SHA-1 or whatever) hash of each essential component of the virtual machine and on board software that enforces DRM. It would then be a matter of storing a private key somewhere on the machine, after encrypting the hashes using the private key, comparing to an encrypted list stored on the disc.

    This would make cracking the machine a nightmare. Recovering the list of keys from the disc might not be too hard. But even then, you'd have a very hard time writing a "liberated" firmware that hashes to the same value as the original. (You could also try to change the private key, but that sounds even harder)

    --
    After all, I am strangely colored.
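
An added illustration of the hash-list check described in comment 11 (not code from the thread or from any BD+ implementation): each component is hashed, the list of hashes is authenticated, and the device compares what it holds against that list. The component names, sample bytes and key are constructed; SHA-256 replaces the MD5/SHA-1 the comment mentions, and an HMAC stands in for the signing step so the example runs on the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed sample components (stand-ins for VM and firmware images).
COMPONENTS = {
    "vm_core.bin": b"constructed VM interpreter image",
    "drm_policy.bin": b"constructed policy-enforcement image",
}

# Hypothetical key. HMAC is a stand-in here; with an asymmetric signature
# the verifying side would hold only a public key.
MANIFEST_KEY = b"constructed-demo-key"


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _tag(hashes: dict, key: bytes) -> str:
    # Canonical JSON so both sides authenticate identical bytes.
    body = json.dumps(hashes, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(components: dict, key: bytes) -> dict:
    """Publisher side: hash every component and authenticate the list."""
    hashes = {name: digest(blob) for name, blob in sorted(components.items())}
    return {"hashes": hashes, "tag": _tag(hashes, key)}


def verify(components: dict, manifest: dict, key: bytes) -> list:
    """Device side: return findings; an empty list means every check passed."""
    # Check the list itself first: an edited hash list must not be trusted.
    if not hmac.compare_digest(_tag(manifest["hashes"], key), manifest["tag"]):
        return ["manifest: authentication tag mismatch"]
    findings = []
    for name, want in manifest["hashes"].items():
        blob = components.get(name)
        if blob is None:
            findings.append(f"{name}: missing")
        elif not hmac.compare_digest(digest(blob), want):
            findings.append(f"{name}: hash mismatch")
    # Anything present but unlisted is unmeasured code and is reported too.
    for name in components:
        if name not in manifest["hashes"]:
            findings.append(f"{name}: not listed in manifest")
    return findings


if __name__ == "__main__":
    manifest = build_manifest(COMPONENTS, MANIFEST_KEY)
    print("original:", verify(COMPONENTS, manifest, MANIFEST_KEY))
    modified = dict(COMPONENTS, **{"vm_core.bin": b"modified image"})
    print("modified:", verify(modified, manifest, MANIFEST_KEY))
```

A check of this kind covers only the components it measures, and its result is only as trustworthy as the code that runs the comparison.
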
  12. Re:In some ways yes... by SCPRedMage · · Score: 2, Insightful

    Or you could, I don't know, write a program to examine the BD+ program, and determine the appropriate method of descrambling the audio/video without actually having to RUN the BD+ program...

    --
    My sig can beat up your sig.
  13. Well, one player is enough... by gweihir · · Score: 2, Insightful

    I assume this means one player type, but even if not, a system break can also be done by generating an automatic procedure that breaks every instance.

    Even if it means exactly one player, with P2P filesharing that is already enough. Look at the preview copies. That is one original instance and a few days later you can get them everywhere.

    Then there still is the "analog hole". Fit an LCD driver (i.e. the thing that drives the pixel) with high-speed A/D converters (not difficult, and signals cannot be encrypted at this level) or read the bus between display controller and driver chip (may or may not be difficult, depending on whether there is encryption here, but does not need the A/D converter, so it would give a better signal). I expect this is a relatively cheap project any good EE or electronics tinkerer can do. Again a single copy of a movie is enough.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  14. It simply doesn't matter... by msauve · · Score: 5, Insightful

    how secure they make the media. Cracks will follow the path of least resistance. If every form of media moved to some form of uncrackable quantum encryption tomorrow, it wouldn't matter. Someone would crack HDCP, and the content would be available there.

    If not HDCP directly, then the processor to LCD data path for some el-cheapo monitor which supports HDCP. There's always some point in the chain where protection is weak, or simply doesn't exist.

    It is simply a futile endeavor as long as the consumer ultimately gets access to (i.e. can view/listen to) the content. Of course, they have no product if the consumer can't.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:It simply doesn't matter... by dgatwood · · Score: 2, Insightful

      From what I've read, HDCP is about as powerful as ROT13 for content protection. I'm pretty sure it is already as good as broken... COMPLETELY broken... as in snoop the handshake between a small number of devices a few times and you can compute a single device key. Repeat for a fairly small number of distinct device keys (40) and you can then compute any possible key. All it takes is one modestly secure digital media format and you'll see HDCP strippers available in the back of Video Magazine or whatever for $30 apiece....

      Protecting content with BD+ is solely intended to damage the fair use of individual consumers to make backup copies of their own media that they lawfully obtain. Anyone doing commercial piracy has been able to break HDCP and reencode trivially for a long time.... When are the media companies going to learn that playing games with technology to try to prevent legal copying only pisses off the customers?

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  15. Re:In other news... by westlake · · Score: 4, Insightful
    I'm with you. This is most definitely not what they should be saying if they want me to buy a Bluray player.

    But neither of you are the market. Blu-Ray has Disney and A-list titles like The Incredibles. It is content that drives sales, not cracked DRM.

  16. So HD-DVD is better for me as a consumer? by MattW · · Score: 4, Insightful

    BD+, unlike AACS, which suffered a partial hack last year, won't likely be breached for 10 years. So what he's saying is, if I'm a consumer, HD-DVD is better for me, if I don't like vendors telling me how I can view content I buy?
  17. Re:In other news... by Anonymous Coward · · Score: 1, Insightful

    the DVD format is good enough for me. I won't buy this kind of "protection." I'll just keep buying DVDs

    But you're still buying DVD's. If you weren't such a hypocrite, you'd stop watching that too. Oh, but DVD's are cracked, so despite all the posturing, it's not about the why, it's about the how. So your "the DVD format is good enough for me" REALLY means "it's good enough for me until one or both of the other formats are cracked" or "since the content is the same and though I have HD tv's, I got cheap ones so I can't even really tell the difference between upscaled 480i and a real 720p plus my eyes are going out from staring at /. all day long".

  18. How will they do software playback? by Kadin2048 · · Score: 2, Insightful

    Question for you, since you seem knowledgeable:

    How do you implement a security system like this in software? Or do you just not do it at all?

    Seems like the way that both DVD's CSS and AACS were broken involved software players. Unless Sony simply plans to just prohibit playback on general-purpose PCs, they'll have to create some sort of software implementation of the player hardware, which would mean the VM.

    If they only allow playback on dedicated hardware, then I can see how this might make cracking somewhat harder, but that seems like a high price to pay: it eliminates the entire HTPC concept.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  19. Re:It's not really just an encryption scheme, thou by Anonymous Coward · · Score: 3, Insightful

    Not quite. While you raise, on first view, many interesting points, most are just straw men: no substance.

    What does this mean for people attempting to defeat the security?
    Well it means that a full crack of BD+ will require crackers to implement a virtual machine which acts in exactly the same way as the hardware VM would act. [...] In this case, you have to come up with something which can determine the full dynamic runtime execution path of a static binary
    You started on the right path. Then you went completely off! Crackers will simply have to do that: make a VM that's compatible with BD+. None of this full dynamic analysis hogwash.
    Think of all the video game systems and arcade machines. The video games on them had protection schemes, yet, can't emulators play these games? Yes they can. This is no different.

    Just putting the same source code through a randomizing [...] makes the challenge immensely harder.
    Again, no, crackers don't care. Emulate the protection layer!

    The other major problem is that the challenge-response authentication made by the program contained in the disc against the embedded hardware will require a "real" cert to succeed.
    Yes, with client certs which can be stolen: people have physical access to the hardware. No amount of silicon will change that. Even IBM's expensive crypto PCI cards for bank machines have been successfully attacked. The costs required to even attain a fraction of their security (batteries, temperature and x-ray sensors, etc) would, in a retail unit, be well over what the market would be willing to bear.

    [...] or someone with a previously unheralded supercomputer or mathematical technique breaks the key from a known subset of challenge/response pairs... - or, it will remain unbroken.
    To be completely broken yes, but that is unnecessary. One just has to have broken everything released up to that point.

    What's really interesting about all this is if someone DOES find a way to break BD+, there is really strong incentive for them to use it to break & release movies rather than release code which performs the break.
    While I do agree with you, I do for different reasons. Assuming the break was done by stealing a device key, such output only releases would be better, since it would be more difficult to discover exactly which client key was stolen.
    As far as breaking VMs? Who cares: they break it; a bug report gets filed; a week later a patch comes out.

    BD+ allows the entertainment companies to react instantly to breaks at timeline point X[...]
    Yes, well that is to say just as instantaneous as the response to the recent AACS breach: a couple months. The only thing they can do is make security better for future disks (or reprints). They can't change the past.

    Like all the best posts on /., posted at zero, headed for minus one. ttfn!
    It would have been better this way. While there were a bunch of great links to papers, they were misused. Your post was a great troll, by the way.
  20. A message for BD+ developers by Whuffo · · Score: 2, Insightful
    A shared secret is no secret at all. It doesn't matter how carefully you wrap your secret in an enigma - at the end of the day, no matter how secure your lock, you also supply the end user with the key that opens the lock.

    So you'll print off thousands and millions of these discs that contain both the lock and the key - and distribute them to anyone who has the price of purchase - and you think it's going to take how long for just one person to open your lock?

    Once that one person has compromised your protection then it's done. From that one compromise, copies will flood the internet. Will BD+ prevent your movies from being shared? Nope, no chance of that. But it might slow things down a little - just a little, mind you.

    We hope you've spent as much time working up a plausible excuse for the failure of this system as you did in promoting it to unsuspecting media companies. They're not going to be happy when they discover you've sold them a bill of goods...

  21. Re:MOD PARENT UP by Amiga+Trombone · · Score: 2, Insightful

    Yeah, must be a pretty thin news day for Slashdot to be posting stories based on somebody's quotes. Not to mention the only thing remarkable about the quote is its staggering stupidity:

    Doherty reportedly said, "BD+, unlike AACS, which suffered a partial hack last year, won't likely be breached for 10 years."

    How many times have you heard that? My money says it's hacked before this story rolls off of Slashdot's front page.

  22. laughable by geekoid · · Score: 2, Insightful

    I can always grab it after it is decoded, big whoop. Encryption, even 'perfect' encryption doesn't matter at all if someone, at sometime, needs to actually be able to understand it.

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  23. Re:It's not really just an encryption scheme, thou by logicnazi · · Score: 5, Insightful

    Since I actually do research in recursion theory (basically the mathematical study of the halting problem) let me start by saying this has ABSOLUTELY NOTHING AT ALL TO DO WITH THE HALTING PROBLEM. The halting problem, or as you stated it determine the full execution path of a static binary, is provably unsolvable because programs can take arbitrarily long before deciding to halt. Given you know a program halts (on a given input) it's trivial to determine the full execution path. Just run it and see what it does.

    In this situation there is nothing at all like this going on. We know that the code on the BluRay disk produces whatever output lets you view the disk not only in finite time but after a very short time.

    In fact this situation offers no additional security over a well designed public crypto system AT ALL except for obscurity. The instructions for the virtual machine are just a very complicated sort of key, one that anyone who can crack the base level encryption can view. The memory footprints and all that jazz are only fancy ways of implementing a private key.

    There are damn good reasons that the people who implement public key systems and symmetric ciphers don't use VM instructions as their keys. A good crypto system is built around SIMPLE and well known mathematical problems because extra complications just provide more places an attacker can find a clever short circuit that you didn't think about. The only reason to think a crypto system is secure is because you think that the attacker doesn't have any shortcuts to compute things in the other direction much faster than brute force. The more complications in your system the more places he could discover a clever trick to undermine your security.

    As I argued in my other post the benefits of the BD+ VM aren't really about security but about control. It doesn't make things much harder for the hackers but it does let the content producer execute more control over when things are decrypted. The only security advantage BD+ brings is obscurity and possibly the use of a better underlying crypto system than what AACS uses (the part that decrypts the VM at the beginning).

    --

    If you liked this thought maybe you would find my blog nice too:

  24. Re:Break BD+ ? Inconceivable! by Scudsucker · · Score: 2, Insightful

    I don't think that word means what you think it means.

  25. Re:Sigh, I hate to burst your bubble... by Jah-Wren+Ryel · · Score: 2, Insightful

    The SPDC VM is not Java. I don't think you've asked the right questions of your "people at IBM who wrote the JVM used to play BD+". So he's wrong, but not completely off his rocker.

    The person I know who's involved with BD+ co-designed BD+. I guess even the devil has friends, eh?
    --
    When information is power, privacy is freedom.
  26. Re:In some ways yes... by RzUpAnmsCwrds · · Score: 2, Insightful

    The response has been signed using a public key, and that's sitting in circuits covered in epoxy.


    Ooh. Epoxy. Because that stopped iOpener hackers. And XBOX hackers.

    And what about software players? How is the key hidden there?

    Perhaps Blu-Ray discs won't play on PCs? Guess what? HD-DVD just won.
  27. Re:DVD Macrovision requires composite input on TV by SCPRedMage · · Score: 2, Insightful

    Even allowing for that exception, there was still WAY more of a market for DVD than there currently is for HD DVD/Blu-ray. There just aren't enough people willing to shell out the $1500+ for an HDTV and the $600+ for the player for adoption rates to be anywhere NEAR that of DVD's.

    --
    My sig can beat up your sig.
  28. Re:Hacked soon by Lord+Apathy · · Score: 2, Insightful

    Red flag, Red flag meet bull.

    --

    Supporting World Peace Through Nuclear Pacification