Slashdot Mirror

← Back to Stories (view on slashdot.org)

Analyst Says Blu-ray DRM Safe For 10 Years

Posted by kdawson on from the words-ripe-for-the-eating dept.

Mike writes to let us know that a poster on the AVS forum says that the latest issue of HMM magazine (no link given) contains a quote from Richard Doherty, a media analyst with Envisioneering Group, extolling the strength of the DRM in Blu-ray discs, called BD+. Doherty reportedly said, "BD+, unlike AACS, which suffered a partial hack last year, won't likely be breached for 10 years." He added that if it were broken, "the damage would affect one film and one player." As one comment on AVS noted, I'll wait for the Doom9 guys to weigh in.

15 of 493 comments (clear)

  1. That's the article... by Anonymous Coward · · Score: 5, Insightful

    A link to a forum that quotes a magazine quoting a guy... something doesn't seem right here.

  2. famous last words by ErichTheWebGuy · · Score: 5, Insightful

    I give it two weeks tops. The gauntlet has been thrown down.

    --
    bash: rtfm: command not found
    1. Re:famous last words by sg_oneill · · Score: 4, Insightful

      The spec has a brilliant little hole in it already.

      The VM's have an ability to run native code, oestensibly to 'patch' a compromised decoder.

      So.................., it seems the first step to cracking blueray has been identified. What a fuck up.

      From here theres a 60 instruction VM.Rebuild the VM firmware using the native code execution capacities, and make sure the new VM cant 'see' its outside changes, and you may well have a (near) perfect irreversible hack.

      This babys gunna sink in months.

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
    2. Re:famous last words by Myria · · Score: 3, Insightful

      We still can't mathematically prove that ciphers are unbreakable, but that doesn't mean that a modern cipher like AES is going to be broken.
      You don't need to break the algorithm to break the DRM. The key is in software or hardware somewhere; all you need to do is find it.
      --
      "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
  3. Always keep your words soft and sweet... by OmniGeek · · Score: 5, Insightful

    In case you have to eat them.

    To quote Bruce Schneier, "Making bits not copyable is like trying to make water not wet." I dunno 'bout those Doom9 guys, but I know enough of Bruce Schneier's work to trust his opinion on this one. I don't know what the digital-media landscape will look like when all this settles out, but I *don't* think it'll be neatly and unbreakably wrapped in DRM containers with price tags on.

    --

    "My strength is as the strength of ten men, for I am wired to the eyeballs on espresso."
  4. The funny thing with these quotes... by Jugalator · · Score: 3, Insightful

    It's that they make movie execs happy, but they scare away the customers.

    Who're the most important in the success of a product?

    --
    Beware: In C++, your friends can see your privates!
    1. Re:The funny thing with these quotes... by dAzED1 · · Score: 4, Insightful

      the real customers, not the fringe folk who even know what DRM is.

      The real customers care about what format has the most movies available.

      The movie execs care about what format they feel protects and enhances their product the most.

      Tada. Riddle solved. If the target audience for HD-DVD is going to be limited to "those who care about the DRM being cracked" then...HD-DVD is very, very doomed.

  5. 2, 4, 6 8... by MBCook · · Score: 4, Insightful
    Quotes from the PDF linked to by the forum post (emphasis mine):

    The recent release of a licensing program for BD+, the coveted second line of defense against piracy...

    He said BD+ offers four times the safeguard on top of AACS against piracy.

    "If you see an apartment in a rough part of L.A., and the door has six locks on it, you're not breaking into that apartment," Doherty said. "Having those extra locks, even if you are not sure [they all work], is part of the magic of BD+..."

    BD+, unlike AACS, which suffered a partial hack last year, won't likely be broken for 10 years,...

    Hmm, they seem to have skipped 8. The amount of gall in this little article (which is the PDF) is amazing. AACS was "partially" cracked. BD+ is a second line of defense, four times as safe, and just like six weak locks that you don't think work, which, by the way, is magic.

    What is this guy smoking?

    --
    Comment forecast: Bits of genius surrounded by a sea of mediocrity.
  6. Re:In some ways yes... by figleaf · · Score: 4, Insightful

    execute native code, possibly to patch an otherwise insecure system

    Or to execute malicious code and send all your private information to somebody.
    Stay away from Blu-ray computer players.

  7. What is the true purpose of the message? by CrazyJim1 · · Score: 4, Insightful

    1) Don't even try hackers
    2) Go ahead, hacker, I am taunting you.
    3) Consumer, buy Blu-ray discs because your local pirate won't be stocked for years.
    4) Vendor, HDDVD is hacked, go with us for more sales instead of losing untold billions in piracy.

    I'm sure there is an actual reason.

    --
    God spoke to me.
  8. It simply doesn't matter... by msauve · · Score: 5, Insightful

    how secure they make the media. Cracks will follow the path of least resistance. If every form of media moved to some form of uncrackable quantum encryption tomorrow, it wouldn't matter. Someone would crack HDCP, and the content would be available there.

    If not HDCP directly, then the processor to LCD data path for some el-cheapo monitor which supports HDCP. There's always some point in the chain where protection is weak, or simply doesn't exist.

    It is simply a futile endeavor as long as the consumer ultimately gets access to (i.e. can view/listen) to the content. Of course, they have no product if the consumer can't.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  9. Re:In other news... by westlake · · Score: 4, Insightful
    I'm with you. This is most definitely not what they should be saying if they want me to buy a Bluray player.

    But neither of you are the market. Blu-Ray has Disney and A-list titles like The Incredibles. It is content that drives sales, not cracked DRM.

  10. So HD-DVD is better for me as a consumer? by MattW · · Score: 4, Insightful

    BD+, unlike AACS, which suffered a partial hack last year, won't likely be breached for 10 years. So what he's saying is, if I'm a consumer, HD-DVD is better for me, if I don't like vendors telling me how I can view content I buy?
  11. Re:It's not really just an encryption scheme, thou by Anonymous Coward · · Score: 3, Insightful

    Not quite. While you raise, on first view, many interesting points, most are just straw men: no substance.

    What does this mean for people attempting to defeat the security?
    Well it means that a full crack of BD+ will require crackers to implement a virtual machine which acts in exactly the same way as the hardware VM would act. [...] In this case, you have to come up with something which can determine the full dynamic runtime execution path of a static binary
    You started on the right path. Then you went completely off! Crackers will simply have to do that: make a VM that's compatible with BD+. None of this full dynamic analysis hogwash.
    Thing of all the video game systems and arcade machines. The video games on them had protection schemes, yet, can't emulators play these games? Yes they can. This is no different.

    Just putting the same source code through a randomizing [...] makes the challenge immensely harder.
    Again, no, crackers don't care. Emulate the protection layer!

    The other major problem is that the challenge-response authentication made by the program contained in the disc against the embedded hardware will require a "real" cert to succeed.
    Yes, with client certs witch can be stolen: people have physical access to the hardware. No amount of silicon will change that. Even IBM's expensive crypto pci cards for bank machines have been successfully attacked. The costs required to even attain a fraction of their security (batteries, temperature and x-ray sensors, etc) would, in a retail unit, be well over what the market would be willing to bear.

    [...] or someone with a previously unheralded supercomputer or mathematical technique breaks the key from a known subset of challenge/response pairs... - or, it will remain unbroken.
    To be completely broken yes, but that is unnecessary. One just has to have broken everything released up to that point.

    What's really interesting about all this is if someone DOES find a way to break BD+, there is really strong incentive for them to use it to break & release movies rather than release code which performs the break.
    While I do agree with you, I do for different reasons. Assuming the break was done by stealing a device key, such output only releases would be better, since it would be more difficult to discover exactly witch client key was stolen.
    As far as breaking VMs? Who cares: they break it; a bug report gets filled; a week later a patch comes out.

    BD+ allows the entertainment companies to react instantly to breaks at timeline point X[...]
    Yes, well that is to say just as instantaneous as the response to the recent ACCS breach: a couple months. The only thing they can do is make security better for future disks (or reprints). They can't change the past.

    Like all the best posts on /., posted at zero, headed for minus one. ttfn!
    It would have been better this way. While there were a bunch of great links to papers, they we missuesed. Your post was a great troll, by the way.
  12. Re:It's not really just an encryption scheme, thou by logicnazi · · Score: 5, Insightful

    Since I actually do research in recursion theory (basically the mathematical study of the halting problem) let me start by saying this has ABSOLUTELY NOTHING AT ALL TO DO WITH THE HALTING PROBLEM. The halting problem, or as you stated it determine the full execution path of a static binary, is provably unsolvable because programs can take arbitrarily long before deciding to halt. Given you know a program halts (on a given input) it's trivial to determine the full execution path. Just run it and see what it does.

    In this situation there is nothing at all like this going on. We know that the code on the BluRay disk produces whatever output lets you view the disk not only in finite time but after a very short time.

    In fact this situation offers no additional security over a well designed public crypto system AT ALL except for obscurity. The instructions for the virtual machine are just a very complicated sort of key, one that anyone who can crack the base level encryption can view. The memory footprints and all that jazz are only fancy ways of implementing a private key.

    There are damn good reasons that the people who implement public key systems and symetric ciphers don't use VM instructions as their keys. A good crypto system is built around SIMPLE and well known mathematical problems because extra complications just provide more places an attacker can find a clever short circuit that you didn't think about. The only reason to think a crypto system is secure is because you think that the attacker doesn't have any shortcuts to compute things in the other direction much faster than brute force. The more complications in your system the more places he could discover a clever trick to undermine your security.

    As I argued in my other post the benefits of the BD+ VM aren't really about security but about control. It doesn't make things much harder for the hackers but it does let the content producer execute more control over when things are decrypted. The only security advantage BD+ brings is obscurity and possibly the use of a better underlying crypto system than what AACS uses (the part that decrypts the VM at the beginning).

    --

    If you liked this thought maybe you would find my blog nice too: