Slashdot Mirror


Blu-Ray Players Hackable Via Malicious Discs

An anonymous reader writes: Some Blu-Ray disc interactive features use a Java variant for UIs and applications. Stephen Tomkinson just posted a blog discussing how specially created Blu-Ray discs can be used to hack various players using exploits related to their Java usage. He hacked one Linux-based, network-connected player to get root access through vulnerabilities introduced by the vendor. He did the same thing against Windows Blu-Ray player software. Tomkinson was then able to combine both, along with detection techniques, into a single disc.

107 comments

  1. I should think so! by drinkypoo · · Score: 3, Insightful

    My Blu-Ray player runs Linux and hasn't had a firmware update since 2011. I'd be shocked if it didn't have remote root holes accessible via network, let alone local privilege escalation exploits in Java.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:I should think so! by fuzzyfuzzyfungus · · Score: 4, Insightful

      I suspect that there are a number of ways in, given the usual attention given to firmware quality; but blu-ray isn't helped by having a security model marked by absolute paranoia about the precious 'content' escaping, combined with some amount of incompetence and a lot of pure apathy about any other security concern.

      With both the BD+ vm and the BD-J stuff, there is a lot of attention paid to 'ooh, is an unauthorized player attempting to do unauthorized things with the content on the disk?!'; but the contents of the disk are largely treated as trusted and the playback device is treated almost entirely as a potential adversary, not as a potential target, either from the disk side or the network side.

    2. Re:I should think so! by Dutch+Gun · · Score: 4, Insightful

      That was my first thought as well. "It uses Java (probably an older, unpatched version), so of course it's got massive security holes." But seriously, does anyone think there's even a remote chance that in 2015, malware is going to be transported by Blu-ray disc? This is an interesting tech demo, and it's always good to be aware of the potential of these things, but it doesn't seem to be a likely threat vector.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    3. Re:I should think so! by Anonymous Coward · · Score: 2, Insightful

      I think that is also what they said about the sony rootkit embedded on CDs...

    4. Re: I should think so! by bill_mcgonigle · · Score: 4, Interesting

      but it doesn't seem to be a likely threat vector.

      Do some traffic analysis on your target's porn habits at the ISP, leave a compromised disc about his favorite kink in a bag on the ground near where he parks his car, and use his "connected" player to zero-day the other equipment on his LAN, installing the APT without even needing to pretend about premises warrants or anything.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    5. Re:I should think so! by fuzzyfuzzyfungus · · Score: 3, Interesting

      It doesn't rank terribly high on the list of choices, given that it would be a pain in the ass to get your malware pressed into a reasonable number of disks (without suitable insider access to the later stages of disk manufacture process, in which case you might have some real room for fun); but there is one little detail that might get rather ugly:

      With 'BD Live', disks can be authored to include access to network resources, as well as locally stored assets, in their Java-driven interactive content stuff. Now, there is no way for an attacker to change the URLs a disk requests; but nor is there a way for anyone else to do so. Whatever was stamped into the disk at production will remain until the disk leaves use.

      Given that companies come and go, and company interest in specific products tends to wane even faster, I would be very, very, very, surprised if the various companies releasing 'BD Live' disks have managed to always retain control of the domain names that their disks will attempt to access. It wouldn't be a terribly high value exploit; but since a disk will attempt to access exactly the same URLs until it dies, you might be able to score a steady trickle of reliable re-infections by snapping up any lapsed domains associated with BD Live disks and adding a little 'bonus content'.

    6. Re: I should think so! by AvitarX · · Score: 1

      I tend to agree, the people I know that use Blu-ray don't have Internet. There's plenty of cheap bootlegs next to the red box in the shadier parts, but the people buying them don't have Internet. For the rest of the people I know, a few dollar rental online here and there covers the gap of Netflix.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    7. Re: I should think so! by Malc · · Score: 1

      Any BD-J apps will need to be signed with a private key that matches the public key in the cert pressed to the disc, won't they?

    8. Re: I should think so! by greg1104 · · Score: 4, Funny

      Wow, there's an unexpected back-door entry at every step of that plan.

    9. Re: I should think so! by fuzzyfuzzyfungus · · Score: 3, Insightful

      I think that the apps are supposed to be signed (at least to get useful elevated privileges, like access to the network or to the player local storage); but if a signed, legitimate, app makes a network request to a server that is no longer friendly, then it becomes a question of input validation, even if the application signing scheme is 100% in order and nobody screwed any part of that up.

      Call me a pessimist; but I'd bet nontrivial money that a lot of the 'interactive' cruft that is pumped out to bulk up 'special edition' releases is barely up to the challenge of presenting a helpful error message if it gets a 404 from the remote host, much less not falling over and wagging its tail against moderately clever malice. In that case, it'd be a fully signed and approved app doing the work, but taking action based on (ill-founded) trust in content it downloaded.
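
The distinction drawn in the comment above, that signing the application says nothing about the data it later downloads, shown as an added example that is not part of the original comment or of any real disc application. It is plain Java SE code using no BD-J API: the response is authenticated against a public key assumed to ship inside the signed application and is still validated afterwards; the class name, manifest format, size cap and keys are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class NetworkContentCheck {
    enum Verdict { ACCEPT, HTTP_ERROR, BAD_SIZE, BAD_SIGNATURE, BAD_FORMAT }

    static final int MAX_BODY_BYTES = 4096;  // assumed cap for a small manifest
    static final Set<String> ALLOWED_KEYS = new HashSet<>(Arrays.asList("title", "asset"));

    /** Decide whether a downloaded manifest may be used. pinnedKey ships with the signed app. */
    static Verdict check(int status, byte[] body, byte[] sig, PublicKey pinnedKey)
            throws GeneralSecurityException {
        if (status != 200) return Verdict.HTTP_ERROR;       // a 404 is a normal, handled outcome
        if (body == null || sig == null || body.length == 0 || body.length > MAX_BODY_BYTES)
            return Verdict.BAD_SIZE;                         // bound the input before touching it
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(pinnedKey);
        verifier.update(body);
        boolean authentic;
        try {
            authentic = verifier.verify(sig);
        } catch (SignatureException e) {                     // wrong length or encoding
            authentic = false;
        }
        if (!authentic) return Verdict.BAD_SIGNATURE;        // whoever answers for the host cannot forge this
        return parse(body) == null ? Verdict.BAD_FORMAT : Verdict.ACCEPT;
    }

    /** Strict "key=value" parser: known keys only, once each, bounded relative values. */
    static Map<String, String> parse(byte[] body) {
        Map<String, String> out = new LinkedHashMap<>();
        for (String line : new String(body, StandardCharsets.UTF_8).split("\n")) {
            int eq = line.indexOf('=');
            if (eq <= 0) return null;
            String key = line.substring(0, eq);
            String value = line.substring(eq + 1);
            if (!ALLOWED_KEYS.contains(key) || out.containsKey(key)) return null;
            if (value.length() > 128 || !value.matches("[A-Za-z0-9 ._/-]+")) return null;
            if (value.contains("..") || value.startsWith("/")) return null;
            out.put(key, value);
        }
        return out.size() == ALLOWED_KEYS.size() ? out : null;
    }

    static byte[] sign(KeyPair signer, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(signer.getPrivate());
        s.update(data);
        return s.sign();
    }

    static KeyPair newKeyPair() throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        return gen.generateKeyPair();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: "publisher" stands in for the key whose public half
        // is embedded in the signed application; "newOwner" is whoever runs the host now.
        KeyPair publisher = newKeyPair();
        KeyPair newOwner = newKeyPair();
        PublicKey pinned = publisher.getPublic();

        byte[] good = "title=Bonus featurette\nasset=extras/featurette.m2ts\n"
                .getBytes(StandardCharsets.UTF_8);
        byte[] swapped = "title=Bonus featurette\nasset=extras/other.m2ts\n"
                .getBytes(StandardCharsets.UTF_8);
        byte[] malformed = "title=Bonus featurette\nasset=../outside\n"
                .getBytes(StandardCharsets.UTF_8);

        System.out.println("genuine response:      " + check(200, good, sign(publisher, good), pinned));
        System.out.println("host returns 404:      " + check(404, new byte[0], new byte[0], pinned));
        System.out.println("body changed in flight: " + check(200, swapped, sign(publisher, good), pinned));
        System.out.println("signed by other key:   " + check(200, swapped, sign(newOwner, swapped), pinned));
        System.out.println("oversized body:        "
                + check(200, new byte[MAX_BODY_BYTES + 1], sign(publisher, good), pinned));
        System.out.println("signed but malformed:  "
                + check(200, malformed, sign(publisher, malformed), pinned));
    }
}
```

The last case is rejected even though its signature verifies, so a mistake on the publisher's side still does not reach the code that acts on the manifest.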

    10. Re:I should think so! by BitZtream · · Score: 2

      I'd be shocked if it didn't have remote root holes accessible via network,

      Contrary to popular belief, being 'old' does not instantly make you exploitable.

      It's not like it runs Oracle Java (maybe it does, maybe it doesn't)

      It's probably not LISTENing on the network, in which case it's probably fairly safe, how many years has it been since there's been a remote kernel exploit of ANY kind, let alone one that'll get you some sort of access to run code?

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    11. Re:I should think so! by Dutch+Gun · · Score: 3, Interesting

      With 'BD Live', disks can be authored to include access to network resources

      I'm in a many-years-long battle with my PS3, which may be the best example of my irrational stubbornness that I can think of. Every time I play a Blu-ray disk, it asks me if I want to give it internet access. Every. Damn. Time. Why even make a setting called "BD Internet Connection: Allow/Confirm"? Seriously, I can't just set it to "no"?

      For years now, each time that question comes up, I select "no" and think to myself "Screw you, Sony!" There's no way to rationally explain it, but hell will freeze over before I select "yes".

      Now I just have another reason to keep selecting "no". Faith in my cause renewed, the battle continues...

      --
      Irony: Agile development has too much inertia to be abandoned now.
    12. Re: I should think so! by YrWrstNtmr · · Score: 1

      I'm pretty sure we could find a Usenet post from 20+ years ago, describing that exact same vector.

    13. Re:I should think so! by Anonymous Coward · · Score: 0

      I'm glad I use an HTPC with my media player of choice, so I have no risk of any of that happening.

    14. Re:I should think so! by Anonymous Coward · · Score: 1

      Then there is the other end.

      https://vimeo.com/110257380#at...
      https://vimeo.com/111417458

      This dude basically owned the whole device. He just skipped messing with the DRM as that was not his end goal. He was basically able to inject code in. He had total control of both the cpus in the device. The cpu is trusted...

      Then I see things like this
      https://www.youtube.com/watch?...

      These devices can be 100% hacked. It only takes time and some semblance of ability.

    15. Re:I should think so! by w_dragon · · Score: 2

      I was actually thinking I could probably use this to overcome the region restrictions on my blu-ray player. This seems like the type of hack that is used by the owner of the device to do things Sony didn't want the player to do, not so much the make-this-device-a-bot type.

    16. Re:I should think so! by Lumpy · · Score: 1

      Most Blu-ray players run Linux and never get updates. The OPPO Blu-ray player has an RS-232 port on back that if you power cycle it and are fast enough, you can get a shell login as root.

      NEC TV sets are the same way.

      --
      Do not look at laser with remaining good eye.
    17. Re:I should think so! by sumdumass · · Score: 1

      Do you have any better links with the freak dude at vimeo?

      All the videos skip and stall or play sound without advancing the video for some reason.

      Oh and props for the youtube link. Even though it was likely above my skill level, it was captivating and interesting. From the start of the vimeo links, it sounds like it might be good too.

    18. Re:I should think so! by sumdumass · · Score: 2

      You wouldn't need to get it pressed on a lot of disks but imagine if an ISO file of some movie was altered and when little johny downloads it and burns it in order to play on the large screen TV in the living room or perhaps a friend's house, it's there.

      Now what can this malware do? That depends, can it open a proxy and ping me so I can bounce my IP off yours? Can it sit idle until someone commands it to participate in a massive DDOS attack? Or can I use it to gain access to the Blu-ray player and have it stream video from the NAS in addition to playing Blu-rays?

    19. Re:I should think so! by MikeBabcock · · Score: 1

      I have the same comment about nearly every networked camera system ever.

      --
      - Michael T. Babcock (Yes, I blog)
    20. Re:I should think so! by complete+loony · · Score: 1

      The memory of the device contains all of those precious keys they are worried about getting into the hands of evil hackers. While I'm fairly certain blu-ray has been broken for a long time, mostly by grabbing the keys from software players, this adds another avenue to discover valid keys from any player.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    21. Re:I should think so! by Anonymous Coward · · Score: 0

      Isn't M$ patching remote kernel exploits 2x or more a year?

    22. Re:I should think so! by Jack+Griffin · · Score: 1

      People still use physical media? What is this 2005?

    23. Re:I should think so! by jones_supa · · Score: 1

      At least physical media allows you to own the product.

    24. Re:I should think so! by Trogre · · Score: 1

      Why not? Honestly, why would a motivated enough studio not do such a thing? Remember the BMG rootkit fiasco. The only problem for them was that they were caught.

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    25. Re:I should think so! by Dutch+Gun · · Score: 1

      "Remember the BMG rootkit fiasco."

      Exactly. I'm not trusting in their ethics... just that they're not so incredibly stupid as to try the same disastrous plan a second time.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    26. Re:I should think so! by PRMan · · Score: 1

      Next time, say "No" to Sony.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    27. Re:I should think so! by Anonymous Coward · · Score: 0

      At least physical media allows you to own the product.

      You mean that plastic coaster? Sure. But as for the movie that's on it? Not so much.

      Worse, Bluray is designed from the ground up to screw the customer. You can lose access to movies on such coasters that you "own" by no mistake of you yourself (or because of broken equipment), but just because the "secret key" of a company has been blacklisted, and by way of a new bluray has been transferred to your player (which *must* accept such blacklists), causing your "owned" blurays you might have had for years to stop being accepted.

      Good luck getting reimbursed for that loss.

    28. Re:I should think so! by jones_supa · · Score: 1

      When would such blacklisting occur?

    29. Re:I should think so! by Anonymous Coward · · Score: 0

      "Now, there is no way for an attacker to change the URLs a disk requests; but nor is there a way for anyone else to do so."

      BWAHAHAHAHA oh that's riiiiiiich.

      It took us less than 12 hours to release a piece of software to track and monitor computers with superfish installed.

      You think it wouldn't take similar amount of time to hijack/MITM a fucking URL request?

    30. Re:I should think so! by Anonymous Coward · · Score: 0

      When would such blacklisting occur?

      Primarily when the "secret key" the movie is encrypted with (DRM) by a company ceases to be secret. Like when a clever programmer (sometimes also referred to as a hacker) is able to extract it from somewhere.

      But as revoking them is a human decision I can imagine that there are a few other circumstances that would trigger such revocations. And those rules are most likely, like most other ones, subject to change (do you feel secure about "owning" those bluray movies yet ? :-) ).

      Having said that, I must confess that I have not heard about a single event where such blacklisting has occurred (it would be the worst kind of advertising you can imagine).

    31. Re:I should think so! by jmac_the_man · · Score: 1

      This is an interesting tech demo, and it's always good to be aware of the potential of these things, but it doesn't seem to be a likely threat vector.

      - The head of security for Iran's nuclear program on hacks via compromised thumb drives.

    32. Re:I should think so! by jmac_the_man · · Score: 1

      That's not quite how it works. Key revocation revokes the key of the player, not the key of the media. The media has a list of revoked keys, accurate as of the day the disk was pressed. If the key of the player is on the disk's revoked list, the disk won't play. Previously pressed disks, which do not have the key on the revoked list, will still work.

      When they were hacking through the Blu-Ray protection trying to get the key, plenty of software based players had their keys exposed and revoked. Being software players, they were quickly fixed by software update.

    33. Re:I should think so! by fuzzyfuzzyfungus · · Score: 1

      The whole point of my post was to suggest one method for causing trouble with URL requests, and I don't doubt that there are others.

      However, that doesn't change the fact that, while basically every step of the process is potentially up for grabs, the URLs stamped into the disk are static. Short of replacing the disk nobody gets to change them.

      If you control the JVM, you can rewrite them there, if you control the player's OS, you can rewrite them there, if you arrange for your host to be the one replying you can provide whatever response you wish, all true, all bad; but not the same as changing the URLs on the disk.

    34. Re:I should think so! by factory186 · · Score: 1

      Actually, given the ready availability of pirated discs in most cities, I can easily imagine a pirated blu-ray of a popular movie containing an exploit. Seems obvious and really useful.

    35. Re: I should think so! by Anonymous Coward · · Score: 0

      URL's can easily be redirected. Think bit.ly/DestinationOfTheHour

    36. Re:I should think so! by tlhIngan · · Score: 1

      With both the BD+ vm and the BD-J stuff, there is a lot of attention paid to 'ooh, is an unauthorized player attempting to do unauthorized things with the content on the disk?!'; but the contents of the disk are largely treated as trusted and the playback device is treated almost entirely as a potential adversary, not as a potential target, either from the disk side or the network side.

      This is an unfortunate part of the Blu-Ray standard - the only people who are supposed to be able to author a Blu-Ray disc using BDMV profile are... studios. Initially, back during the HD-DVD and Blu-Ray war (who I found out that they did actually want to unify the two into one rather than go to battle it out - they just couldn't agree on BD-Java vs. JavaScript (HD Interactive) and dug their heels in), HD-DVD was AACS-optional, allowing for home authored HD-DVD discs which played everywhere.

      But Blu-Ray was designed to be an exclusively Hollywood format with content dictated by the Blu-ray association (Sony proudly declared they were never going to make porn Blu-Rays, for example back then). AACS was mandatory, which meant you couldn't make a BDMV profile disc at home - you were given the BDAV profile instead which allowed for non-AACS content. In fact, it was so bad that if you mastered a BDMV disc, it would play in some Blu-Ray players but not others.

      These days, either through lax enforcement or explicit standards, AACS is optional on Blu-Rays and you can author basic BDMVs. But early players did not allow BD-R's to be BDMV, not by physical limitations, but software.

  2. Best defense is not to care by Anonymous Coward · · Score: 1

    If you can, have the "computer" that you use for such things not matter if it gets hacked. If your Blu-ray player has no writable storage or network access and you power it off after every use, there is no danger: all a disc could do when played is show stuff and play sounds, which can happen regardless of the hack. Lack of risk exposure, so you can literally not care about the threat, is always better than trying to actually secure something.

    1. Re:Best defense is not to care by txoof · · Score: 5, Interesting

      I suppose not caring works, but it seems like this is a great vector to turn hardware players into Zombies. If I were a criminal, I could think of a lot of things that could be done with even 1% of the world's internet connected players. Do you really want your Blu-Ray player to be part of a botnet sending spam or participating in denial of service attacks?

      If for no other reason, think of the impact on your bandwidth and electric bill. I certainly don't want a house full of hackable hardware. When (if) the internet of things arrives without security and 10% of the fridges, air conditioners, electricity meters, washing machines, pet doors, TVs and driers are all hacked because manufacturers couldn't be bothered to secure them, I think you'll probably care. It will bring the interwebs to its knees.

      --
      This one's tricky. You have to use imaginary numbers, like eleventeen... --Hobbes
    2. Re:Best defense is not to care by arth1 · · Score: 3, Interesting

      If you can, have the "computer" that you use for such things not matter if it gets hacked. If your blue ray player has no writable storage or network access and you power it off after every use, there is no danger

      I don't think there's a single BD player out there that doesn't allow for either software updates or updates to the BD codes that allow/disallow you to decode disks.

      One I have requires a USB key to be present to cache validity information for disks you have already watched - without it, it still works, but requires contacting the mothership through Internet whenever re-inserting any disks newer than the latest firmware update.

      BD disks these days even come with extras like links to youtube videos, that play on the BD player. That's an attack vector right there. Do they all use https and check the validity of the cert to avoid MITM attacks, using only name servers with signed entries? I highly doubt it.
      If I wanted to hack it, I feel fairly confident that I could do so. I'd start by hooking up to the (convenient) JTAG interface, and learn as much as I could that way, before starting to probe from the outside, i.e. through discs, USB or TCP/IP. But it would be low on my list of things I own that I want to hack. My car is more interesting.

    3. Re: Best defense is not to care by Anonymous Coward · · Score: 0

      The whole zombie thing requires persistence which requires storage which blu ray players shouldn't have.

    4. Re:Best defense is not to care by dugancent · · Score: 1

      I've had a blu-ray player for a few years. I've never once ever considered plugging it into my router (it doesn't have wifi). I've never, and still don't see, any reason to connect it to the net.

      --
      SJWs are the new boogeyman. -Me
    5. Re: Best defense is not to care by drinkypoo · · Score: 2

      If the player has control over the power LED, it can pretend to be off when it really isn't. Few players have physical power switches which really switch power.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    6. Re:Best defense is not to care by jedidiah · · Score: 1

      In other words, you have a BD player too old to matter in this context. Current players do more than just decode spinning plastic. They also have all of those apps that connect to all of those interesting video services that you just conveniently ignored.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    7. Re:Best defense is not to care by fuzzyfuzzyfungus · · Score: 1

      I'd not be terribly interested in the capabilities of the players themselves (routers make better zombies and are way more internet facing and unlikely to be turned off, and generally atrocious on security); but I would be very, very, nervous about anything that serves as a nice, subtle, persistent implant on a LAN.

      Even enterprises have a nasty habit of pretending that they can get away with a little sloppiness 'inside the firewall', and consumer gear often can't be persuaded not to be absurdly trusting of anything that happens to share a subnet with it, in the interests of ease-of-use, 'autodiscovery', and similar. If you can get an implant on one device, especially one that nobody is going to suspect (and may have few options, short of replacing, if they do), you can reinfect other devices as they pop up more or less at your leisure.

    8. Re: Best defense is not to care by Malc · · Score: 4, Informative

      Most BD players do have storage. BD-Live depends upon it for instance.

    9. Re:Best defense is not to care by Lumpy · · Score: 1

      I have a 6 month old Blu-ray player and it's not connected to ethernet in any way. Not even wireless.

      The "smart" functions of a Blu-ray player are a sad, sad joke compared to a Roku 3. Why would someone intentionally use the horrible half assed crap internet capabilities on a Blu-ray player?

      I have it to play the random Disc I may or may not get, a huge amount of video is not available online so I have to get it on a spinning piece of plastic.

      --
      Do not look at laser with remaining good eye.
    10. Re:Best defense is not to care by peragrin · · Score: 1

      I was using my Samsung Smart TV for youtube, as Roku didn't have a youtube. That changed ~6 months ago so I started to use both. Then Samsung tried to insert ads into my playback, so I disconnected the TV from the network.

      What will it take for companies to learn if you don't want to provide support for 10 years don't design a device that requires your constant support for 10 years?

      --
      i thought once I was found, but it was only a dream.
    11. Re:Best defense is not to care by Anonymous Coward · · Score: 0

      In other words, you have a BD player too old to matter in this context. Current players do more than just decode spinning plastic. They also have all of those apps that connect to all of those interesting video services that you just conveniently ignored.

      All those useless apps have vastly superior equivalents on other platforms. DVD/BD apps are almost entirely unsolicited marketing drivel.

    12. Re:Best defense is not to care by dugancent · · Score: 1

      It's a smart player. I just can't stand the smart functions and use a Roku instead.

      --
      SJWs are the new boogeyman. -Me
    13. Re:Best defense is not to care by zippthorne · · Score: 1

      Looks like samsung solved the problem by convincing you to use a different device...

      --
      Can you be Even More Awesome?!
    14. Re:Best defense is not to care by Shirley+Marquez · · Score: 1

      That's why I won't pay extra for a smart TV. I figure that its smart features will be obsolete within three years anyway, which is nowhere close to the useful life of the TV itself, and that I will have to buy some sort of external device if I want to continue to have smart features that will work with current services. (Currently that would be a Roku, an Amazon Fire TV, an Apple TV box, or something similar.)

    15. Re:Best defense is not to care by tepples · · Score: 1

      All those useless apps have vastly superior equivalents on other platforms.

      Which is fine so long as you already own a device of one of these "other platforms" in your living room. "Smart" TVs and "smart" BD players are convenient for people who happen not to, such as households with one PC that is in another room.

  3. Of Course They Are by Kunedog · · Score: 1

    These players were designed from the ground up to keep you on a leash forever, so of course they will try every way to force firmware updates on you even if you deny yours access to the internet. They never thought much about keeping the device secure, except against the customer.

  4. Yet another reason to abandon physical media. by Anonymous Coward · · Score: 0

    If you watch your movies via streaming, this is not an issue. 2015 people, 2015.

    1. Re:Yet another reason to abandon physical media. by jedidiah · · Score: 2

      > If you watch your movies via streaming, this is not an issue. 2015 people, 2015.

      Yes. In 2015 there's still plenty of stuff that's not available via streaming or is only available at a price that most people aren't interested in paying.

      Some of us actually use this stuff and don't merely talk about it.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    2. Re:Yet another reason to abandon physical media. by ToasterMonkey · · Score: 2

      > If you watch your movies via streaming, this is not an issue. 2015 people, 2015.

      Yes. In 2015 there's still plenty of stuff that's not available via streaming or is only available at a price that most people aren't interested in paying.

      Some of us actually use this stuff and don't merely talk about it.

      The movie I was streaming just flaked out, that's why I came over here to make sure the Internet connection was still up and say hi.

    3. Re:Yet another reason to abandon physical media. by Shirley+Marquez · · Score: 1

      I still watch Blu-Ray for movies where I care about the picture quality. It looks and sounds a lot better than any currently available streamed video, for the simple reason that they are using a lot more bits to encode the content so you don't suffer such severe compression artifacts. I expect the same to be true for streamed 4K vs whatever they end up calling Blu-Ray 4K.

  5. This just in! by Anonymous Coward · · Score: 0

    Programs running on a device can exploit weaknesses in security!

    News at 11! Remember to watch Slash Action News with Timmy and Neal!

  6. Blu-Ray Players Hackable Via Malicious Discs by SeaFox · · Score: 2

    ...that are inserted by their owners.

    Always good to remember a venerability is a venerability, but a trojan is a trojan.

      - People buying legitimate blu-ray titles are not going to have this issue.
      - Even people downloading pirated content are not going to have this issue... as long as they are downloading just video files and not trying to pirate the entire disc with menus.

    1. Re:Blu-Ray Players Hackable Via Malicious Discs by Anonymous Coward · · Score: 2, Interesting

      People buying legitimate blu-ray titles are not going to have this issue.

      Unless the bluray came from Sony. Zing.

      Oh, and buck feta.

    2. Re:Blu-Ray Players Hackable Via Malicious Discs by Anonymous Coward · · Score: 1

      - People buying legitimate blu-ray titles are not going to have this issue.

      Because official media never contains malware.

    3. Re:Blu-Ray Players Hackable Via Malicious Discs by Anonymous Coward · · Score: 1

      Always good to remember a venerability is a venerability

      Are you saying those Blu-Ray players deserve great respect because they're so old? :-)

    4. Re:Blu-Ray Players Hackable Via Malicious Discs by Anonymous Coward · · Score: 0

      Yep. Vote Parent Up.

    5. Re:Blu-Ray Players Hackable Via Malicious Discs by Anonymous Coward · · Score: 0

      *Vulnerability

    6. Re: Blu-Ray Players Hackable Via Malicious Discs by Anonymous Coward · · Score: 0

      Step 1: rent Blu-ray movie
      Step 2: return burned bd-r disk with movie and malware injected
      Step 4: profit

  7. Ha ha they used JAVA; morons! by EmperorOfCanada · · Score: 0

    I have hated Blu-ray since the day it came out. I hated the initial cost of the players. I hated that the first generation of players were often incompatible with later disks. I hated that they made you watch FBI warnings, company logos, etc. I hated that they wanted me to rent them from sleazy stores like blockbuster. I hated that Sony slimed the HD DVD thing. I hated that you couldn't get a reasonably priced Blu-ray burner for a computer. I hated the exorbitant cost of a blank Blu-ray for a computer.

    But if I had known that the core of the technology had anything to do with Java I wouldn't have hated them, I would have pitied them. Sort of like I don't hate a cripple who walks slowly in front of me. It's not their fault they're crippled. So I guess it isn't Sony's fault that they are retarded.

    1. Re:Ha ha they used JAVA; morons! by fuzzyfuzzyfungus · · Score: 2

      Unfortunately, it's not just blu ray: 'BD-J' is their specific variant; but it is based on the so-called 'Globally Executable MHP', a truly horrifying acronym-standard-soup constructed to enable vaguely interoperable java-based UI atrocities for various flavors of set top box associated with DVB-T, DVB-S, and DVB-C (basically, all digital broadcast and cable activity that isn't ATSC, ISDB, DTMB, or some fully proprietary oddball).

      BD-J is North America's main point of contact with this delightful substance; but it enjoys near-total ubiquity in the parts of the world that also use DVB.

  8. Incredible use of time by Anonymous Coward · · Score: 0

    And his parents thought he wouldn't amount to anything

  9. Agenda bias by Anonymous Coward · · Score: 0

    Why "malicious discs"?

    The fact that owners can hack their own devices is a GOOD thing.

    1. Re:Agenda bias by jones_supa · · Score: 1

      Are you joking? That's like saying that AutoRun is a good thing.

    2. Re:Agenda bias by TheGavster · · Score: 2

      That was exactly my thought. This is exactly how cell phones are jailbroken; I was actually quite disappointed that the article was purely from a security vulnerability standpoint as opposed to how I can root my player and make it allow skipping of the thrice-damned FBI warnings.

      --
      "Because Science" is one step from "Because old book". Try "Because of my experiment testing my falsifiable assertion".
  10. Wanna know a secret? by Solandri · · Score: 4, Interesting

    I'll let you in on a little secret. I own lots of Blu-ray discs, but I don't actually own a Blu-ray player. I buy the disc (whatever my thoughts on Copyright, it is the law and the content producers do deserve to be paid), then I download a Blu-ray rip of the movie from a torrent site. Toss the file on my media server, and call it a day. They get their money, I don't have to deal with their forced previews and FBI warnings. I really have to wonder what they're thinking. First they complain about piracy, then they respond by making their products worse for legit customers than for pirates.

    1. Re:Wanna know a secret? by Anonymous Coward · · Score: 0

      To pay money and still be a criminal looks like the worst of both worlds to me. No thanks for giving money to the people who want to destroy the internet to protect their profits either.

    2. Re:Wanna know a secret? by zugmeister · · Score: 1

      If I remember right, you're still considered to be in violation of copyright because you're using an unapproved rip. Your possession of the disk does not change the status of your torrented file. Now while ripping your own disks for personal use is still a violation of the DMCA (I'm pretty sure 'cause you're breaking the encryption to make the rip), it stays away from the whole torrent thing and may give you a better quality file, if only in terms of quality / file size and what language subtitles you get.

    3. Re:Wanna know a secret? by spire3661 · · Score: 2

      NO. Sony v. Universal (and subsequent rulings) have made it clear, it does not matter where a backup comes from, as long as you don't share it. If he downloaded the movie directly, without uploading anything, he's totally 100% legit in the clear. A backup is a backup is a backup, regardless of origin, you just can't share it.

      --
      Good-bye
    4. Re:Wanna know a secret? by Anonymous Coward · · Score: 0

      He is probably torrenting the movies when he downloads them, so he should be uploading at the same time unless he is 100% leeching. The uploading part would be considered illegal then.

    5. Re:Wanna know a secret? by kesuki · · Score: 2

      A good firewalled computer will block 99.999% of the outbound requests and only transmit via backdoors in the system. They then are breaking the law to claim you are breaking the law, and thus you have a right to sue them for using a backdoor on your systems.

      citation http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal#Legal_and_financial_problems

      "In addition to violations of the Consumer Protection Against Computer Spyware Act of 2005, which allowed for civil penalties of $100,000 for each violation of the law, the alleged violations added in the updated lawsuit (on December 21, 2005) carried maximum penalties of $20,000 per violation."

    6. Re:Wanna know a secret? by spire3661 · · Score: 1

      Yes, I know, that's why I phrased it the way I did. Torrent is not the only way to transfer data, just like McDonald's is not the only place to get a burger. It's just popular.

      --
      Good-bye
    7. Re:Wanna know a secret? by zugmeister · · Score: 2

      NO. Sony v. Universal (and subsequent rulings) have made it clear, it does not matter where a backup comes from...

      Well, one Bing search and the first hit I get is from Legalzoom which has a pretty straightforward writeup. You may be interested in the section labeled "DMCA Basics", but more relevant to the subject at hand they say "What the DMCA does, through DRM, is make the circumvention illegal, not the actual copying. So, now, even if you own your DVD and are trying to make a personal copy ... it is illegal to bypass DRM protection measures to make your backup". Note I didn't say anything about copyright or fair use, but like it or not you are not legally allowed to bypass even broken DRM to make a personal backup of your own purchased media.

    8. Re:Wanna know a secret? by zugmeister · · Score: 1

      In this case the OP said "then I download a Blu-ray rip of the movie from a torrent site" so, yeah, It's pretty safe to assume that's where he's getting his rips...

    9. Re:Wanna know a secret? by spire3661 · · Score: 1

      Not completely correct. You can do bit for bit copying of a DVD for a backup, keeping the encryption intact, you just cannot break the encryption. They are considered separate issues. The DMCA treats fair use as a necessary casualty. It's an interesting twist, but mostly irrelevant to Sony v. Universal other than encrypted DVDs in particular as a source for backups.

      --
      Good-bye
    10. Re:Wanna know a secret? by Anonymous Coward · · Score: 0

      I do the same thing, except for the part about giving them money. I sleep fine.

    11. Re:Wanna know a secret? by crimson+tsunami · · Score: 1

      Luckily most sane countries have exemptions for just such situations :)

    12. Re:Wanna know a secret? by PRMan · · Score: 1

      Torrenting IS sharing. You are sharing back small pieces of the file. That's distribution.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    13. Re:Wanna know a secret? by spire3661 · · Score: 1

      I get that, I just don't like letting pass the thought that torrent is the only way to obtain a backup. It's popular, so it will always have preponderance, but I want people to know that if they DL it from any tech that doesn't upload, they are in the clear. When it comes to protocols, torrent is the exception (in its mechanism of uploading), not the rule.

      --
      Good-bye
    14. Re:Wanna know a secret? by Anonymous Coward · · Score: 0

      Please don't sue me, I didn't know your message was under a ROT26 DRM before I finished reading it.

  11. "Hack?" by Sloppy · · Score: 1

    Isn't the very point of this player's system, that the player serves the interests of the disc's publisher over the interests of the users, where the users' needs should always yield whenever there is a conflict? That's not a mere technicality; it's the very essence. From the spec's pov, this is desirable operation. Nothing has been subverted.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    1. Re:"Hack?" by Anonymous Coward · · Score: 0

      Sure, it is a desirable operation from a disc publisher's point of view. But, what if everybody can qualify as a disc publisher just by handing over a disc?
      Security from the industry point of view rarely matches user's point of view: Industry wants to protect revenues, users want to protect themselves.
      So, exactly like this situation, Blu-Ray players may have a shining, flexible feature from an industry perspective, which is a big gaping hole from a consumer's perspective. ..and a simple "Hi m8..have a look at this..it's cool!", although perfectly fine from ANY pov, starts giving shivers in the spine... ..and you paid for this!

  12. can you use this on trun off HDCP / region lock? by Joe_Dragon · · Score: 1

    Can you use this to turn off HDCP / region lock?

  13. dont know bout bluerays but you can hack stingrays by ozduo · · Score: 0

    Unless they get you first like Steve Irwin https://en.wikipedia.org/wiki/...

    --
    I got to the chocolate box before you, that's why the hard ones have teeth marks.
  14. Ooookay... by jpellino · · Score: 1

    and so now they can do what to my stuff?

    --
    "Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
  15. Geriatric DVDs and Blurays by caseih · · Score: 1

    Arguably off topic, but anyone that thinks on-disc custom menus with interactive content are a good idea should have watched my grandmother try to just play a DVD. Pop the disc in, hit play. Then after wading through unbypassable FBI warnings (how can they even get away with some of the things they claim in those messages?) and previews, you finally get to the movie. Erm no. It's a video loop with an integrated menu. She could hardly remember which remote was which, let alone what button did what. Trying to explain to a hearing impaired person how to play the video was always very interesting. Sometimes hitting play again worked, sometimes it didn't. Turn on CC? Very difficult for her. In many respects the old VHS was way more usable for her. Put it in, hit play, hit the CC button. Call it good. Interactive Blu-rays would probably have been completely unusable to her.

    I learned a lot about technology over the years watching her try valiantly to interact with it. She did an admirable job for someone in her 90s (She learned computers with MS-DOS in her late 60s, so she's always had aptitude for it), but it made me realize most modern technology seems to be developed by 30 something year old hipsters who never think they will grow old and decline cognitively, or decline in terms of physical dexterity (drag and drop, double click, or any modern tablet action). Things that are obvious to me and easy now will be much harder some day. But never to worry. The next generation will roll their eyes and push buttons for us (or touch screens) while rolling out their own hip technology that we're just too old to appreciate.

    1. Re:Geriatric DVDs and Blurays by Anonymous Coward · · Score: 0

      It is not only bluray, dvd was very hit and miss too. I had a player with no remote control, and very few buttons on the dvd player. Many disks were unplayable unless you had more buttons to navigate the menus. And that was just the language selection menu, so that they could annoy you with the antipiracy message most appropriate to your region.
      The majority would loop at the DVD menu indefinitely if you could get them that far.
      The better DVD might loop many times but would eventually autoplay from beginning to end (including extras) even if you did nothing.

  16. Linux is secure right? by johncandale · · Score: 1

    Hey guys Linux is secure right? Can we please stop pretending open source means secure? Closed source doesn't mean secure either but the argument you often hear is "X is open source" "Open source things are secure" "Therefore X is secure".

    1. Re:Linux is secure right? by Anonymous Coward · · Score: 0

      Opensource can be more secure. It obviously won't be if you leave it unpatched for 5 years though.

      Lately even the commercial projects have an opensource "community edition"... this isn't opensource though, it is free labor as the changes are integrated into the "enterprise" version and often made into pay-for-only features.

    2. Re:Linux is secure right? by ledow · · Score: 1

      Claiming, or falling for, any argument that "open-source is secure" is a complete failure to understand. Security is relative, not absolute. To get this ass-backwards just makes you look like an idiot. Believing anyone who says ANYTHING "is secure" is utter stupidity (rather than "is more secure", for instance)

      It's like saying "metal's secure". No it's not. I can walk around a sheet of metal just as easily as a pane of glass. However, a metal lock built to the same design as, say, a glass one is likely to be MORE secure.

      As such, open-source is not "secure". It's considered to be "more" secure if everything else is equal.

      Tell me, how many Windows-based Blu-Ray players can you buy in your local supermarket? Zero? Shocking. Why? Because Windows is not properly designed for embedded use at all really, certainly not until very recently. There were ATM's that run on XP Embedded, and there were a few cars that had Windows-based control systems (I remember a story of some ambassador being locked in a car by it).

      As such, a complete install of Windows would be vast overkill and a huge attack surface for such things because it's just not ready for that. So it's not a fair comparison at all, as Windows is inherently "less secure" in such circumstances as it's just not designed to do that. However, Linux / open-source Blu-Ray players are "more" secure than many of the alternatives still, everything else being equal.

      And why - because not only can you see if your player would be affected by the bugs but, by the same licence that grants you the ability to see the bug, you can CHANGE THE CODE if you so want. No waiting for vendor updates. One person in the world who knows how to code can look, see the problem, fix it, publicise it and therefore purge the world's devices of it.

      Tell me, how many "security patches" do you think other commercial Blu-Ray players ever get given? Even the ones connected to the net 24/7 for their "extra media" functionality. There's even a facility to update Blu-Ray firmwares via buying new disks (not unlike the Wii games that bundle an update of the underlying OS before they'll let you play them). It's rarely used.

      If you're going to pick arguments, have some vague understanding of what the real argument is, not some child on the Internet's poor re-stating of it.

      Open-source is potentially MORE secure than closed-source, everything else being equal.

      Those conditions and caveats make a HUGE difference to the intent, meaning, and truth of the statement.

      Guess what, AES-128 isn't "secure" either. But it may be "more" secure than other algorithms, for example.

  17. Brilliant idea, Blu-Ray by Trogre · · Score: 1

    Does anyone else just want to sit down with the genius who decided to put a Java runtime into a standard for home video and have a long, fireside chat?

    Possibly involving the poker and some of the larger blocks of firewood?

    --
    "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
  18. Re:can you use this on trun off HDCP / region lock by SeaFox · · Score: 1

    Wouldn't it be easier to buy a blu-ray player that has that ability? There are certain makes available in the U.S (I'm going to assume you're in the U.S.) that have hidden player settings menus to control BD region specification. It's not possible to get a true "region free" (it plays everything) player, you'll have to change the player whenever you go from discs from one region to another. But at a cost of $50-$100 it's affordable to buy it as a second BD player to set to your favorite secondary region that you have many titles from, and much cheaper than importing a normal player from the region you want.

  19. Mac Blu-ray Player by Anonymous Coward · · Score: 0

    My Blu-ray player software runs on Mac and updates every week to support more new released Blu-ray discs. It's easy to operate in dealing with the Blu-ray discs and Blu-ray ISO files. Pretty good in designs and features. Almost forget, it's from Macgo.

  20. If broadband is capped at 10 GB/mp by tepples · · Score: 1

    People still use physical media? What is this 2005?

    The Internet connections available in some geographic areas are effectively stuck in 2005.

  21. Caps, especially in the country by tepples · · Score: 1

    If you live too far from the nearest CMTS or DSLAM to get a cable or DSL connection, how much streaming are you going to do with the 10 GB per month that a wireless ISP allows you?

  22. The mole is in your household by tepples · · Score: 1

    that are inserted by their owners

    Not necessarily, because not everybody lives alone. Anybody in your household with the opportunity to insert a disc can attempt to exploit a vulnerability like this. I imagine that most people do not regularly disconnect their BD players and keep them under lock and key.

    1. Re:The mole is in your household by SeaFox · · Score: 1

      Not necessarily, because not everybody lives alone. Anybody in your household with the opportunity to insert a disc can attempt to exploit a vulnerability like this.

      If you're worried about your security from other people in your home, you have bigger problems than your BD player.

  23. UMG v. MP3.com by tepples · · Score: 1

    NO. Sony v. Universal (and subsequent rulings) have made it clear, it does not matter where a backup comes from, as long as you don't share it.

    Where do you get that? I see UMG v. MP3.com which decided exactly the opposite. The backup has to be made by you from a genuine copy, not transmitted by someone else through the Internet.

  24. Immigration by tepples · · Score: 1

    But unfortunately, "most sane countries" place onerous requirements on people born in not-sane countries who wish to live and work there.

  25. AACS license by tepples · · Score: 1

    But, what if everybody can qualify as a disc publisher just by handing over a disc?

    That's what AACS is supposed to prevent. BD players are supposed to require BDMV discs to use AACS, and the AACS license imposes a fee per title plus other requirements that likely include not doing this very thing.