Slashdot Mirror

← Back to Stories (view on slashdot.org)

Analyst Says Blu-ray DRM Safe For 10 Years

Posted by kdawson on from the words-ripe-for-the-eating dept.

Mike writes to let us know that a poster on the AVS forum says that the latest issue of HMM magazine (no link given) contains a quote from Richard Doherty, a media analyst with Envisioneering Group, extolling the strength of the DRM in Blu-ray discs, called BD+. Doherty reportedly said, "BD+, unlike AACS, which suffered a partial hack last year, won't likely be breached for 10 years." He added that if it were broken, "the damage would affect one film and one player." As one comment on AVS noted, I'll wait for the Doom9 guys to weigh in.

5 of 493 comments (clear)

  1. In other news... by RightSaidFred99 · · Score: 5, Interesting

    I won't be buying BluRay discs for at least 10+ years. I don't crybaby about DRM, I just don't buy it if it doesn't suit my needs and can't be cracked, ergo if he's right I won't buy BluRay. This is one reason I like HD-DVD, it's had the shit cracked out of it.

    1. Re:In other news... by Serengeti · · Score: 5, Interesting

      There are two results to this war, but there is only one outcome: A player that will play both formats (reliably, unlike the LG model). Unlike Beta Vs VHS, the media are the same size and general composition in this war. When one fails, the other will 'win', but soon after the loser is no longer considered competition, players that support both formats (As well as DVD, CD, VCD, DivX, etc etc) will emerge.

      In the meantime, I've purchased an HDDVD addon for my Xbox 360, and hope that HDDVD will prevail. If it doesn't, I don't fear that I will have to repurchase my discs, just the player. I've taken a risk in purchasing the 360 addon, but its not really that big of a risk.

      So, support the format of your choice, and don't worry about lost investment: You really only risk the player.

      And as the VP of Marketing for Universal (HDDVD supporter) points out, this competition is good for one thing: Bringing HD video disc players down in price quicker than they would otherwise. Sony may own cameras that movies are shot with, media that they're recorded with, equipment they're transferred, processed, edited and mastered on, but at least there's a competitor for the media they're distributed on and the players that play them. I'd just rather they not have the whole ballpark.

  2. It's not really just an encryption scheme, though. by Anonymous Coward · · Score: 5, Interesting

    Read what BD+ really is:
    http://www.cryptography.com/technology/spdc/bluray .html

    This means that each Blu-Ray disc has a computer program compiled to execute within a proprietary, secure VM. What this means is that each disc has a program built into it whose purpose is to boot, validate that it is running on licensed hardware, enforce security policy, and if those checks are met, extract a key from its own memory and play the content.

    What does this mean for people attempting to defeat the security?

    Well it means that a full crack of BD+ will require crackers to implement a virtual machine which acts in exactly the same way as the hardware VM would act. This represents a what I will casually call a "larger challenge" than defeating CSS or AACS, in which you have to decrypt a key or a list of keys. In this case, you have to come up with something which can determine the full dynamic runtime execution path of a static binary - a currently unsolved problem in Computer Science, despite numerous attempts to do such a thing by some of the world's brightest minds.

    Just putting the same source code through a randomizing compiler/packer/obfuscator of the types that game companies have been working on for a while makes the challenge immensely harder. Precedent? http://spa.jssst.or.jp/summer-2005/paper/05046.pdf
    There's too much to talk about.

    And who's deployed this type of technology already? Who has a secure virtual machine with secure bytecode doing challenge-response to determine hardware legitimacy? People Who Care: a lot.

    The other major problem is that the challenge-response authentication made by the program contained in the disc against the embedded hardware will require a "real" cert to succeed. Yes this is the TPCA/Palladium "sky is falling" scenario come to pass. Either the implementors made a cryptography implementation mistake, or someone with a scanning, tunneling electron microscope figures out how to defeat the epoxy guards and actually read the private cert material off a chip, or someone with a previously unheralded supercomputer or mathematical technique breaks the key from a known subset of challenge/response pairs... - or, it will remain unbroken. It is strong, known algorithm public key cryptography.

    What's really interesting about all this is if someone DOES find a way to break BD+, there is really strong incentive for them to use it to break & release movies rather than release code which performs the break. Why? Get yourself a windows VM and download all the latest in DVD-breaking binaries: ripit4me, dvd decryptor-last, dvdshrink-last, etc. Then set windbg to be your default debugger, and start trying to break very recent DVD releases. What you'll find is that the entertainment company is employing people to literally find security holes in the input to the cracking tools - the dvd image itself, and then embed "exploits" into their dvd images. There is data on those discs that has no other purpose than to crash certain binaries. It becomes obvious once you trap execution in a debugger and know a little bit about x86 asm. Don't get me wrong, they're not executing arbitrary code, just causing a DoS - but that's only because they know they can't. Some of the conditions they've found and abused are CERTAINLY exploitable. But they also know that putting shellcode in their DVDs defeats plausible deniability, which is a hell of an asset.

    Now push this knowledge forward to BD+. If someone actually manages to set up a "shim VM" that executes BD+ language and acts as a proxy between secure hardware and the bytecode, and RELEASES that VM, then we know the entertainment companies are going to enter a reverse engineering arms race. They're

  3. Re:The funny thing with these quotes... by MBCook · · Score: 5, Interesting
    The average consumer has no idea what Blu-Ray is.

    PS: I love Behind the Counter.

    --
    Comment forecast: Bits of genius surrounded by a sea of mediocrity.
  4. Sigh, I hate to burst your bubble... by Anonymous Coward · · Score: 5, Interesting

    Blu-Ray players don't contain some mystical impossible-to-duplicate VM.

    It's a fucking Java VM. It's not anything bizarre. It's Java. Completely free VM implementations for Java already exist.

    Oh, how do I know it's a Java VM? =) I know the people at IBM who wrote the Java VM that's used to play BD+ Blu-Ray discs on the PS3.