Why DVD Encryption Crack was a Cinch

Devastator writes " Wired has a good article how how the DVD encryption was cracked. The DVD industry is scared speechless about the news." Its actually an interesting little summary of the situation. I wonder what it means for the DVD industry.

Good Example...

[Kid+Zero]

A chain is only as strong as its weakest link. This is a good example.

But then again, I do believe this will spur the Industry to do a better job, which will inspire more creative hacking, which will inspire better security... Benefits for all.

Ramifications in Other Industries

[Wyvern13]

The DVD encryption crap is simply yet another example of the Cathedral / Bazaar scenario which continues to manifest itself throughout the industry. The fact of the matter is that while majot corporation stuggle to keep up with the open-source community currently, this is not the way the industry was, say, five years ago. A form of economic or societal Darwinism has emerged in the computing industry, by which major corporations and the coding public work at furious rates just to stay even with each other. The DVD crack is one of the more and more common cases where the Linux community has outstretched "Big Business".

Re:Ramifications in Other Industries

His terminology is off but he is essentially correct. Whether or not it's the Linux code monkey community, or the Window code monkey community or the various cracker cabals.

The fact remains that corporations with limited resources are trying to go head to head with a planetful programmers with too much free time.

Re:Ramifications in Other Industries

[Foogle]

How would one have bazaar'ed this sort of thing? OpenSourced the encryption algorithm so that people could examine it?

Well that would've been nice, but the algorithm wasn't the problem -- it was the implementation of it. And of course, if the implementation was OpenSourced, then we wouldn't have to crack the key, because we'd have seen it already, embedded into the CSS routines.

The original poster was just spouting buzzwords, trying to get a stupid moderator to give him +1

-----------

"You can't shake the Devil's hand and say you're only kidding."

Re:Ramifications in Other Industries

[Foogle]

Don't presume to tell me what I do and do not know -- That won't make it true. Yes, I do know quite a bit about cryptography. What I don't know much about is CSS. From the article I read, I was under the impression that it was a block cipher much like DES or Blowfish and that the way the hackers hacked it was because the original coders left the original key out in the open. Is that not the case?


-----------

"You can't shake the Devil's hand and say you're only kidding."

Re:Ramifications in Other Industries

[Evangelion]

"Linux community"

How is this at all related to Linux, let alone the Linux Community?

It's a crack. Cracks happen all the time, regardless of the OS you're on. This has nothing to do with the Cathedral and/or the Bazzar. Really, how are software cracks and open source development related? Other than the latter making the former unessecary?

I'm confused by your comment....

Re:Ramifications in Other Industries

[dirty]

I'm curious, are you just spouting out buzz words, or did you actually sit down and think about what you were saying? This has NOTHING at all to do with "the Cathedral / Bazaar scenario". It's about a careless company and someone cracking a weak encryption scheme. It has nothing to do with open source, linux, whatever else you might want to call it. It's a crack. Sheesh.

Re:Ramifications in Other Industries

You know nothing of cryptography, nor of css, nor of its weaknesses. Why is DES _still_ secure even when you can download DES source code? Ditto for kerberos? Why can you get the source code to most of the next contenders following DES, if it would hurt their ability to be secure? Clue bat, divulging source to any encryption algorithm can't do anything to it, but make it more secure. And yes, the algorithm of css was the _problem_, not the implementation. The algorithm is is subject to divide and conquer. No algorithm that is subject to this can be said to be an encryption algorithm. No, just because the algorithm is open sourced, doesn't mean they have to post the keys that they use for it. For example, not all keys that are used by DES must be posted to the net in the clear for DES to work. In fact it may surprise you that people generally don't post their keys to the net.

5 Bytes?

[Amphigory]

5 Bytes? And they call this secure? 5 Bytes is 40 bits, which means there are 2^40 possible keys. Although I don't know how much CPU is required to test a key, I tend to think a good computer could probably sniff them all out in a matter of days.

On another note... I wouldn't like to be Xing/Real Networks right now. I think the MPIA could make a really good case for them being libel for a massive amount of money due to their negligence.

Re:5 Bytes?

[jshepher]

Since it is encryption based, my guess they used 5
bytes (40 bits) because of export restrictions. It
has been proven that 40bit keys can be broken
quickly using today's computers. It was only a
matter of time until this happened.

Re:5 Bytes?

I can't think of any reason at all why the Studios would allow any further IP they own to go out on the DVD format until it is fixed.

Right, just as they're soooo reluctant to let that same IP out on the ultra secure VHS, right?

Enjoy your VCRs, guys. We'll have them a bit longer if the crackers keep it up.

Hmm, yeah, they'll probably stop this sort of activity any second now. As long as there is data protection, there will be crackers.
Curiosity is human nature...

Re:5 Bytes?

[mlc]

an unrealistically high rate of, say, 10^4 (ten thousand) keys a second

I don't think that's unrealistically high at all. In fact, my Pentium II-333 is cracking 872 kilokeys in a second for distributed.net. Assuming that 40bit keys are easier to crack than 64bit keys and someone has slightly faster hardware than I do, they could easily reach a million keys in a second, likely more. Given that one could easily crack 10^6 keys in a second, it'd take only 10^6 seconds using your figures, which is only about 11 days. If we could reach 10^7 keys/second (not completely unreasonable, IMHO), it'd take only 10^5 seconds, or slightly more than a day.

Re:5 Bytes?

[jafac]

LIABLE

Spelling errors are one thing, but in this case, libel is also a legal term, meaning something completely different.

I wish I had a nickel for every time someone said "Information wants to be free".

Re:5 Bytes?

[lamour]

40 bits is a completely insane size

40 bit encryption only serves one purpose any more...it leads people into falsely believing their data is secure.

Re:5 Bytes?

[drudd]

Can't think of any reason? Howabout the billions of dollars they've invested in this format.

You don't throw away billions in R&D, marketing and production, simply because you're afraid that a small minority of that product will be lost to piracy.

Say they cut off production. They would be open to class-action lawsuits from the people who bought players in good faith.

There's also nothing they can do to fix the situation. There are millions of players out there which use specific keys, some of which have been cracked. They can't release DVD's without those cracks, otherwise those players will become useless.

Essentially the industry will make a lot of noise, and possibly line the pockets of their favorite legislators, but other than that, there's not much they can do about the situation.

Doug

Re:5 Bytes?

[Chops-Frozen-Water]

>5 Bytes? And they call this secure?
They were probably limited by the speed of decryption as to how complex/secure they could make the algorithm. DVD Video is coded twice if it's encrypted, and the MPEG2 video decoding isn't cheap (most PCs use dedicated hardware), so wasting time on complex decryption algorithms was probably out of the question.
--

Re:5 Bytes?

[Shimmer]

5 Bytes is 40 bits, which means there are 2^40 possible keys. ... I tend to think a good computer could probably sniff them all out in a matter of days.

Um, I don't think so. 2^40 is a little more than 10^12 (one trillion). Even testing at an unrealistically high rate of, say, 10^4 (ten thousand) keys a second would still take 10^8 (one hundred million) seconds, which is more than three years.

-- Brian

Re:5 Bytes?

[Ozwald]

There's a few things I just don't quite understand:

First, why encrypt it? What is stopping someone from doing a disk image copy from DVD to DVD (assuming the writer supports the size) or playing the DVD and recording it onto an older VCR?

Second, wouldn't encrypting the data then saving only specific vendor keys on the disk make it impossible for someone else to design and build a DVD player? They would only be able to play movies after a certain date manufacture date and would be up to their eyeballs in nondisclosures.

Even then, the only reason this is important to us is that finally open source software can now finally play DVDs. This encryption has been nothing more than an inconvenience to us simply because a handful of people are greedy. I say good riddance.

Re:5 Bytes?

[Cramer]

First off, that stupid, moronic, idiotic law only applies to encryption and has nothing at all to do with software or hardware for decryption. Otherwise, the d.net clients would be illegal to download outside the US.

Second, that stupid, moronic, idiotic law doesn't apply to non-US citizens outside the US. If it wasn't developed by a US citizen and/or on US soil, then it doesn't apply.

Personally, I think they choose 40bit crypto for two reasons: they wanted it to be broken, and they didn't want a computationally intensive system. The more complex they make the crypto, the more complex the hardware/software will be to deal with it. Hardware based decoding wouldn't be much of an issue, however, software based systems could be a severe hinderance.

Re:5 Bytes?

[Bill+Currie]

And, these disks pre-date the CSS crack at the least by several months.

That only means that these people somehow had access to CSS decryption and kept quiet about it, very much like security holes in proprietary (and, less often, open) software.

The question is, now that CSS is cracked for everyone and not just an `elite' few, what's the industry going to do? I suspect thay can't actually do anything that will allow them to `win'. For good of for ill, the various `recording' companies are losing control. In the long run, it's probably a good thing.

Re:5 Bytes?

[rew]

40 bits is a completely insane size

As people are used to algorithms that can do one encryption in about a microsecond, brute-forcing 40 bits becomes feasable. However, if your algorithm is inherently slow, and takes for example one second (on a current computer) to perform, then it would take about 34k years to break.

Now if computers continue to get faster at 1000 times every 20 years, that 40bit key to that encryption algorithm can be cracked by 34 computers in one year, 20 years from now.

That's "reasonable security".

One or two bits is rediculous. 40 bits isn't that bad, but it depends on the algorithm. Try a 40bit RSA key. That can be broken in seconds.

40 bits DES Is "tricky", and we can design an encryption that is pretty strong with 40 bits. There is nothing inherently wrong with 40 bits.

Roger.

Re:5 Bytes?

[Thagg]

> They were probably limited by the speed of > decryption as to how complex/secure they could > make the algorithm. DVD Video is coded twice if > it's encrypted, and the MPEG2 video decoding > isn't cheap (most PCs use dedicated hardware), > so wasting time on complex decryption algorithms > was probably out of the question The length of the key has nothing to do with the time it takes to do decryption, for many ciphers. For RC4, in particular, the key can be up to 256 bytes, or 4096 bits, with no change in the speed. There has to be a different reason.

40 bits is a completely insane size; it can be cracked by anybody with a little time on their hands.

Unfortunately for the DVD companies, this cannot be fixed without recalling the millions of machines that are out there.

thad

Re:5 Bytes?

[AndyGuy]

Also the music industry has been releasing unsecure IP for years and is still making large profits.

The whole encyrption thing was just to make it a bit harder for home copying (pros could always simply copy the whole DVD).

Big surprise? Not really

[El+Volio]

Another "wow, I'm *totally* shocked.. NOT!" story. You mean somebody was sloppy in how they implemented their encryption? And that led to exploiting a design flaw? WOW... :)

In all seriousness, I have no problem with copy-protecting DVD's. All the new-age zealotry regarding IP aside, as it stands moviemakers and DVD producers have the right to profit from their efforts. If they stop profiting, they stop making movies, and poof! no more "Matrix"-quality films.

OTOH, kudos to the hackers (in the traditional sense) who broke it. This is a rare case of white-hat hacking being beneficial. The original designers should probably be held liable somehow, and future efforts in this regard will be MUCH more careful.

Re:Big surprise? Not really

[FLuke27]

Hollywood has been buying legislators off to get things like the Digital Millinium Copyright Act passed to pull an end-run around the Court. The act makes hacking out so-called "copy protection" a felony.

I suppose it's not enough that violating a copyright is illegal. That's the problem I have with these ideas... don't stop the method if it doesn't always = crime; stop the crime. They seem to be trying to make the laws idiot-proof... the idiots being the RIAA etc., who are too stupid to be able to protect the copyrights via due process etc.

Re:Big surprise? Not really

[platypus]

Trust me, they're not going to rest until they can get back to the original model - people paying every time they watch a movie (and, if they can pull that off, every time they listen to a song).

Yeah, they'll try, but I hope for them they'll see the light somewhere in the future.
I see this as a kind of market. Corporations trying to make as much money of the customer as they can, resulting in a black market of warez/mp3z/moviez.
Most people buy their favourite linux-distro (even the original one, not cheapbytes) instead of downloading it. Why? They feel buying it is rectified by the value.
In my opinion most people _are_ willing to pay for what they get, but they are not willing to pay bucks which are the tenfold of the value they get.
The battle of hollywood and the big music labels is lost, they have nothing left to fight.
Everything the could do is damned to fail, they can't use copyprotection cause they don't control the hardware, they can't check the whole internet for warez cause even geocities or tripod can't get their own servers clean, this is impossible.
(ie. just rename bla.mpd in bla.doc and their cute scanners will fail miserably).
Increasing bandwith will end the possibility of making a lot of money because you own the distribution and marketing channels, and that's what it all reduces to, IMO.

Re:Big surprise? Not really

[homebru]

Fifty years ago, when television started to become affordable for middle-class Americans, it was loudly denounced as the "killer of the movie industry". Who would pay money to go to a theater when they could stay home and watch for free.

So, to protect themselves, the movie industry imposed a rule that no movie could be shown on tv until seven years after its first theater appearance.

This lasted into the sixties, when the tv networks discovered how to make "made especially for tv" movies which would never be seen in theaters.

Point is, the movie industry has been in business for quite a while and will continue for quite a while longer. They have survived more technical inovations than most /. readers can remember.

They won't be put out of business by the DVD hack. Somehow, they will use it and build on it and come out better off than ever.

If you can figure out how they will do it, get a business practice patent on your idea and donate the immense profits to the Free Software Foundation.

Re:Big surprise? Not really

[Foogle]

Future efforts? They would have to create a DVD-2 format, that used a different key or different cipher. All the old players wouldn't work with the new format, and that includes DVD-decoder cards that aren't flash-upgradable. Fortunately software-based DVD will probably not suffer much from this sort of turnover.

Anyway, with a 40-bit key, it would've been cracked eventually.

-----------

"You can't shake the Devil's hand and say you're only kidding."

Re:Big surprise? Not really

[Cramer]

That's the good (and bad) thing about the Supreme Court... Congres can pass whatever laws they want to, but it's up to the courts to enforce them. Once it reaches the Supreme Court -- they look at each other, shake their heads, say "I don't think so" -- and they declare the law unconstitutional, then the game is over. What's Congres going to do, pass the same law again?

Re:Big surprise? Not really

[stevew]

First - I'm going to impart a little bit of information to the multitudes concerning CSS on DVD.

I know the above because I worked for a semiconductor company that was considering doing a DVD decoder chip. The company reviewed the requirements for getting the CSS codes. Some of the relevant details from the contract. You have to essentially brain-wipe your engineers if they leave the company(not an exageration either.) If the consortium requires a change in the implementation you must get it to silicon in 6 months(not easy for fabless companies.) The folks supplying content can hold your company liable for violating/exposing the CSS (Xing is going to have LOTS of trouble here me thinks..) Summary - you sign away your company to the consortium. Note - all of this is from year old memory...

The contract was SO draconian that major parts of it were invalid under CA law.

Now with that said - if someone comes along and reverse-engineers your encryption scheme so they can play DVD devices without belonging to the consortium and subjecting themselves to the awful contractual agreements...this would be a GOOD thing! Building a player for instance that used the OS version of the decryption algorithm wouldn't be violating anyones' copyright. This would only be adding competition to the consortium and help drive prices down... why is this a bad thing?

Having laws that allow clean-room style reverse-engineering are draconian in their own right and I oppose them for the above reasons. What if Apple had won their look-and-feel lawsuit years ago -whoops, no X Windows as an example.

enuff said.

Re:Big surprise? Not really

[K8Fan]

In all seriousness, I have no problem with copy-protecting DVD's. All the new-age zealotry regarding IP aside, as it stands moviemakers and DVD producers have the right to profit from their efforts. If they stop profiting, they stop making movies, and poof! no more "Matrix"-quality films.

Not true. Movie studios have always profited from making films, and have always spent whatever they felt necessary to do so.

I think we can all agree that home video has been the best thing to ever happen to the movie industry. What you might not remember is that they fought home video tooth and nail. Various movie studio executives insisted that their films would never be released to home video. Disney and Universal sued Sony for inventing the home VCR! They claimed that the very existence of home taping would destroy their studios and empty theaters. You might think this is an exageration, but just ask anyone who was involved in home video in the very early 1980s.

In spite of their best idiotic efforts, the consumer electronics industry won out and practically forced huge piles of money into the hands of the studio bosses. These idiots, had they had their way, would have smothered home video in it's cradle.

Most /. readers are too young to remember the bad old days, when seeing anything other than a current release meant waiting for it on regular TV or maybe talking an art house into showing it on the next schedule. Trust me, it sucked.

But one thing about Hollywood...once they start making money (even when they are forced to do so) they get insanely greedy. They start to expect it, and they want to make sure they squeeze every penny possible out of the suckers (us). That's how idiotic plans like DIVX get launched...and why they keep pushing Pay-Per-View. Trust me, they're not going to rest until they can get back to the original model - people paying every time they watch a movie (and, if they can pull that off, every time they listen to a song).

...and the media conglomerates are exerting all the pressure they can to make consumers believe this seems reasonable. The Supreme Court in the Sony case ruled that home taping was a privacy issue, that what a person did in the privacy of their own home with a VCR was their own business. Hollywood has been buying legislators off to get things like the Digital Millinium Copyright Act passed to pull an end-run around the Court. The act makes hacking out so-called "copy protection" a felony.

Copyright Protection

[Evil+Greeb]

As mentioned on Ross Anderson's Webpage here, breaking copyright protection can always be done.

This case is lamentable because it was defeated so easily, in a way that shouldn't have been allowed to happen.

Encryption isn't all its cracked up to be.

arent DVD recorders already avaiable???

[scarbelly]

"I would expect it could also delay the advent of recordable DVD, because it'll give people a medium to write these hacked video files."

too late?

toshiba reply etc

[Porky+Pig]

'We will fight against the illegal software,
blah blah blah ...'. This is soooo pathetic!
The fact is that very small percentage of the
users would be doing 'illegal copying', but those
surely would go to the furthest possible extent
to break through all the locks. The entertainment
industry is both paranoid and stupid.

Now I've been reading of digital watermarks on
DVD-Audio, which, in fact, are not entirely
transparent and somewhat degrade the quality of
sound. Don't you think the future of DVD-Audio
is sort of written on a wall?

Re:toshiba reply etc

[WNight]

It seems to me that while watermarking could be fairly resistant to unintentional audio manipulation, or uninformed attempts to destroy it, it should fall quite easily to a compotent attack.

It seems that watermarking should be a security-by-obscurity method, where if you knew the protocol by which the original was modified, you should be able to find where that code is stored in the source media, and remove, or scramble it.

By knowing where the data is stored, smaller changes should suffice to mask it then if you had to add whtie noise to the whole file in order to hope to kill the watermark.

Also, helping this, is that for any watermarking scheme to be effective, there has to be an easily available way to tell if a file is watermarked. For instance, in photoshop, loading a marked file produces a (c) symbol after the filename, and will display creator info. If you had to mail this file to the company to get an answer back, it would be so cumbersome that nobody would use it. This means that the watermark readers have to be visible, if only in binary form, to watch them work.

All systems that are watermarked and checked on client computers are as good as broken whenever someone compotent wants to try. Being that watermarking is the hiding of a secret key in a document, and that secret key can't be too secret, because you can watch it be generated (it is your computer, and you can use a debugger) you can also remove it, by applying the inverse of that secret key to the watermarked file.

This is complicated a bit by the fact that digital music watermarking could be done in secret, and with a key that we wouldn't know. As long as Sony music could send a copy of the MP3 to the marking company and have the key checked, it would satisfy their needs. And we're also prevented from using known-plaintext attacks unless someone gets an unmarked version of the song from pre-production, just before the watermarking.

But even this should be vulnerable. Even if we can't remove the watermark by applying the inverse, we could, if we knew how it was done, mask out just the relevant bits, and scramble the key beyond reading in a much more subtle way than by applying a strong white noise to the whole file.

The very fact that watermarks have to be robust also means that they can be found, if their format can be discovered, which makes them security by obscurity.

If watermarking was done in such a way that you could check if Company A owned the file by constructing a watermark for Company A, for that file, and then looking for it, it would be easier to hide. But, watermarking needs to be read without knowing the result, to see which company's mark is used, not simply to state if a known mark is there or not.

If the mark could not be read without knowing it, then more subtle ways of hiding the mark could be used that depended on the specific mark. (ie, if the first bit is 0, do this, else, if this, do that...) But, the mark must always be readable in a standard way. This means it has to be fairly easy to find. Sort of like using SYNC bytes on storage media to let you know where the data begins.

Once you know the format of the sync data, and can use that to find the specific areas that the watermark would change, even if you can't determine what the data was before being changed, you could write over it with random data, along with the sync data you used to find it, the hopefully rendering the watermark unreadable.

Any problems with this theory?

Re:toshiba reply etc

[Zurk]

ya. you can watermark with frequency information i.e. 1 bit for a whole range of unique frequencies spread over several dozen physical bits in the file. This makes is pretty tough to remove the watermark especially if several watermarks are hidden in the file...its also tougher to encode the watermark and/or verify it however..think of it as several dozen plastic straws painted the same colour as the surrounding hay in a haystack..pretty difficult to find and remove.

Re:toshiba reply etc

[Wohali]

Now I've been reading of digital watermarks on DVD-Audio, which, in fact, are not entirely transparent and somewhat degrade the quality of sound. Don't you think the future of DVD-Audio is sort of written on a wall?

Not necessarily. Look at mp3 - a clearly inferior standard (to full 16bit, 44.1kHz 2-channel stereo CD audio) has taken off because people are willing to sacrifice some audio quality for a small file size. MiniDisc is now also taking off under much the same auspices - psychoacoustic processing reduces the amount of information stored, so the physical medium can be smaller.

What's a more interesting question, and is approaching completely off-topic, is whether or not all musicians will embrace 5.1 audio for their production. 2-channel audio is quite well entrenched, and the optimization of a stereo system in a room is MUCH easier than setting up a room for good 5.1 audio. The end result is that it's a hell of a lot easier to make 2-channel audio sound great...and with the typical DUMB consumer out there, the advantages of DVD-Audio aren't yet obvious.

Getting back on track, digital watermarking is being proven out which does not affect the quality of the audio. A brilliant audio engineer and electronic musician, Larry Fast (of Synergy and Peter Gabriel fame) has wholeheartedly endorsed this technology - and mentions on his site that he wants to use it for attribution ("Hey, I wrote this song!") rather than for copy protection. This, more than anything, may set a trend -- not as a means by which copying is prohibited, but to serve as an identifier of the original source of a given audio recording. I expect to see this everywhere in 10 years; think of it as a GIF comment for audio.

Learning from Microsoft

[finkployd]

After using such a weak encryption method in the DVD format, the Japanese company responded by attacking the people responsible for breaking it and threatening lawsuits (good luck, since the "crackers" responsible remain anonymous).
Kind of reminds one of the revent security hole in Hotmail, where instead of admiting any responsibility, Microsoft attacked the horrible people who discovered the problem.

I think the concept of blaming the people who break security and pointing all the fingers at them is on it's way out, I believe the people who create the encryption and security methods should be held more accountable for weak security. Come on, without these "crackers" who break into things, we would still be XORing bytes and considering that the ultimate security.

Finkployd

Re:Learning from Microsoft

[aqua]

True enough -- vendor response to security problems has historically been pitiful. Though in this case, I have to wonder whether it would have been desirable -- had CSS not been broken, but instead quietly reported and fixed, DVD would still be closed, the vendors would still be dragging their coattails through high-nosed proprietary BS, and work would have continued on breaking the new revision. That's assuming it was fixable, since lots of DVDs and players have shipped, and any adjustments would have to sustain backwards compatibility.

The security research ethic as taught in universities is that you tell the vendor and give them time to ship a fix before a vulnerability becomes common knowledge, but if the vendor doesn't produce a fix (as they often don't), full-disclosure is among the available options.

Which comes to the other point, namely that the movie industry liked DVD largely because it was (a) somewhat more desirable for consumers while costing less to manufacture, and (b) closed, and therefore subject to more control over how it moved -- like how most players don't allow you to skip over the usual copy-this-and-die FBI warning at the beginning, and some don't allow skipping of the various logos at the beginning. By and large, the computer community had no interest in letting it remain closed (we've been trying to reverse-engineer it all this time, remember), and has never based itself on the potential profit to be made by already greedy conglomerates.

And, based on the coverage sofar, the security on CSS was a poor engineering job -- as tends to happen to closed security systems. 40 bit keys don't work anymore, and in general, anyone who designs a security system without adequate consideration of the factors deserves what happens.

One possibility is that the music industry will try to distance itself from DVD, but I doubt it, unless they have some unannounced alternative up their sleeves (DVD2? Same thing plus a firmware "upgrade" to the players?), the alternative is VHS, which is much easier to copy than DVD, though harder to make a new master in a counterfeit manufactury.

I'd speculate that in 1-3y bandwidth will have gotten to where VOMs can be moved around the way MP3s are now, and it will continue to have a negligible effect on industry earnings, and we'll hear tons of whining from the movie industry. Then Microsoft will put out Microsoft Video System, which will itself get cracked in a few days, and then there will be sardonic laughter. insuff des

Re:Learning from Microsoft

[jafac]

It's called an "Ad Hominem" attack. Go after the person who's presenting the logical argument against you, instead of attacking the logical argument (because you can't beat it, because you're likely wrong).

When people start resorting to Ad Hominem attacks, it's generally a sign that they're wrong (of course, this statement, in of itself, is an Ad Hominem attack - that's the problem with this logic, it recurses don't it?)

I wish I had a nickel for every time someone said "Information wants to be free".

Re:Learning from Microsoft

[Evil+Greeb]

If there weren't any crackers breaking (into) things, XORing bytes would still provide enough security!

Its how you use the knowledge that counts. If you discover a security hole, then you could either:

• do something to exploit it
• ignore it
• inform the appropriate people, so that it gets fixed

If you ignore it, then you're in effect helping the 'bad guys', who will inevitably discover this vulnerability and exploit it, when in fact there may have been a chance to get it fixed.

If you exploit it, you could either keep the discovery to yourself, make it public so that every cr/hacker-wannabe can use it for their own interests, or make it public to put pressure onto a body to fix it (as in the MS hotmail case). In the first two cases, you're being the bad guy, in the second case, your motivation is good, but your implementation is flawed: this should only be tried as a last resort.

If you report it, and it gets fixed, then kudos all round.

Encryption isn't all its cracked up to be.

Re:Learning from Microsoft

[Nyarly]

If you report it, and it gets fixed, then kudos all round.

That'd be great, but the publicity of the thing is that you report it and They ignore you. This is Microsoft's second favorite game, after inflating mediocre products. IIRC, Back Orifice was created in response to a brushoff from MS.

Granted, the flip side is that when the glitch gets fixed, no one hears about it, since the company in question is desperate to keep that sort of information quiet.

Finally though, what would the fix have been in this case? Not to continue the license to XingDVD or RealNetworks? Their key would still be plaintext and useful for guessing new keys.

Furthermore, what could the fix be now? Scrap this DVD standard and replace it with a new one? A resurgance of DIVX(fie!)? You're dealing with an existing hardware market that is just beginning to take off that you would be completely destroying if you scrap the existing security. Any new security system would have to be a superset of the old one, which mean it would be no more secure.

Re:Learning from Microsoft

[TheCarp]

Well you know...
these companies just have to learn
"When you point your finger, 3 more point back
at you"

Its silly, its simple...god damnit...its right.

Re:not much time left...

[TheCarp]

1) True but...US law has a way of becomming
the law in other countries. Remember, we are
the last Super Bully

2) Unconstitutional? when has that stopped them
before?
Hell there is legislation being considered (its
passed the house and in the senate) to make
a certain drug illegal. Technically...it would
make the posession or sale of Red Meat illegal
in the US (since it contains it in small quantity)

(yea I know they wont enforce it in that manner
but...its just to illistrate the silliness of it..
technically...your brain is already illegal
to posess due to other chemicals it makes)

We do care, that it is not immoral

[marcus]

> So now that some folks have figured out how to STEAL DvD data, what next?

I, and many others, figured out how to STEAL dvds a long time ago. All you do is walk up to your local video store with a sledgehammer, break the glass, walk in and grab an armfull, and then run.

What these guys have done is taken the first step that will allow me to play dvds on my box.

I am happy. I am not stupid. I won't be wasting my valuable time copying and distributing dvds. It's MUCH easier and less expensive if you include the cost of your personal time to just go to the store and buy another disk rather than buy blanks, copy something onto them, find customers that will be willing to buy at a discounted price, sell, make sure that I'm not going to get stung by the law enforcers, etc. etc. etc.

To put it simply, pirating dvds will not be profitable for a long, long time.

The "old fashioned" method I described above is much more profitable than disk copying and a much greater risk to, and currently a greater drag on, the profits of the "dvd industry".

Re:link to the utility?

Here's the link. http://www.nico-soft.de/DVD1/home1.html I'm going to pick up a DVD-ROM this weekend to try it. Should be neat.

When will they learn...

[Wah]

"In the future, the laboratories will be more actively conducting strict surveillance and take counter measures against illegal, inappropriate software and hardware in the market. Moreover, we believe that, based on the recent legislation, legal measures and steps will be taken by copyright holders against such violation of intellectual properties," Mikura wrote.

If you can't solve a problem technologically, do it with legislation. Since encrypting DVDs didn't work it looks like they'll move to the next step, prosecuting the hell out of everyone they catch. Which will most likely be a bunch of kids trading the latest releases. Nothing like harassing kids for good PR.

Sorry, but the Internet makes the control of digital media IMPOSSIBLE. This is a fact, if you want to make big money with digital media you have to understand this fact and move from there. No major media companies have yet acknowledged this and they will fight it until they die or give in. Goes to show you, you can't teach an old dog how to use the Internet.

Re:When will they learn...

[netwiz]

Well, this also goes along with a pet theory of mine. All these big media companies are money-grubbing greed-driven capitalists. At some point they're going to have to get used to slimmer margins, as what they're trying to do is make up for expense in volume, and that requires you to drop your price. Look at hard drives. The individual margin for a disk from say, Seagate (EIDE, not SCSI), is around 2-5%. They make up the cost by selling zillions of drives. The margins on a DVD are around 90%. they dont' really care if the DVD doesn't sell, as the studio is usually ahead by the end of the theater run; any money that comes in from rentals and home-video purchases is pretty much pure profit.

Re:So do slashdot folks care that this is immoral?

[vyesue]

can't really work in the real world? I disagree. as a matter of fact, the more times things like this happen -- the more information that starts off as billion dollar top secret encrypted info and then becomes nothing more than a little bit of code embedded in a widely distributed application -- the more its going to become obvious that free information can work very well.

your medical records, my civil court records, their credit records, the movie industry's precious DVD keys... all this information is going to become publicly available, and there's really no way to stop it - the best we can hope to do is figure out how to live best with the fact that information is very hard to contain.

Re:So do slashdot folks care that this is immoral?

[K8Fan]

The "immorality" of copying DVDs is right up there with the "immorality" of copying a magazine article. The truth is that the invention of the Xerox machine did not destroy the publishing business. Even though is is possible to copy all the interesting articles in a magazine for less than the cost of an issue, the magazine business is rolling along better than ever. Why? Is it possible that the people running the movie studios are insanely greedy?

The entire home video industry is gravy for the movie industry. Worst case, they'll have to go back to making their money off the the theatrical showing of their films instead of counting making as much again off the home video rights.

Re:DIVX was right

[cburley]

But isn't DIVX at least as dependent on some kind of copy-protection scheme as DVD?

Seems to me that if you can defeat the DIVX scheme, you then get even cheaper movies that you don't have to pay to view at all, compared to DVD!

(I don't use DVD or DIVX, by the way.)

Re:How does it work, really?

[Nyarly]

That might just be reasonable iff there was a huge market share held by a> any one player or b> any one disc press house. Then MAYBE they could pull that kind of nonsense and say "We have DVD2K!" and make it backwards compatible with the other side of the market's product. I suspect that a monopolistic player company would have an easier time of it.

Then they could redo the security of it, and expect results. Some extra features wouldn't hurt, but overall, all they'd really need to do is make the play. In the most ideal situation a partnership of two huge companies would be required: one to produce DVD2k players with backwards compatibility, and the other to make DVD2K discs out of all the new content they could lay hands on.

However, I don't think we are anywhere near that kind of situation. The cost-of-duplication argument aside (because it's silly; I heard that one when CD-R was just starting), to circumvent the clusterfuck they've invented would destroy the DVD market as it exists now. And it isn't firmly enough embedded for a changover.

5:1 for music unimpressive to my ears ...

[__aadkms7016]

At AES last year I went to a Dobly demo room, where they remixed different types of music for 5:1. Musically, I can't say it added anything to the experience for me.

Now, for movies and video games its different, placement around the space has meaning in the context of the story, but there's a long tradition of musicians all being in one place -- on a stage -- and people sitting in front of them, which is a good match for stereo placement.

Re:5:1 for music unimpressive to my ears ...

[freq]

Im not really impressed with anything over 2 channels of audio for any environment.

It just reeks of novelty... (anyone remember quadraphonic sound???) just a way to get people with too much money to buy more speakers...

to me multi-channel audio doesn't even fit well into the context of a movie. a movie takes place on a 2 dimensional field. sound from anywhere besides the front is distracting, and seldom used for any meaningful effect.

its hard enough setting up a decent listening environment for 2 channels! and besides the pan knobs on my mixer only go from L to R :)

Country of origin?

[TheCarp]

Ok I have 2 notes here as more than a couple
of people have said that "Dissassembly isn't
illegal"

A) The Crackers were NOT in the US. Therefore
they are not under US law. This argument thus
means nothing.

B) Sony is not a US company (they are Japanese)
thus only their offices in the US are under US
law. Again...this statement means nothing.

C) The statment itself is also useless, since
the Crackers were not in Japan. So even if it is
illegal under Japanese law, it may not be illegal
where they are.

D) The statment was probably written by someone in
some PR department. Regardless of legality, they
want to make these actions SOUND illegal and "Bad"

E) People in PR departments may not be experts in
copyright law...international or not.

Re:So do slashdot folks care that this is immoral?

[Ranger+Rick]

> Do any of you out there even CARE? Or like I
> figure, none of you understand how you get paid
> (many of you are students ANYWAY!) and how lost
> profits affect you.

Well, I assume the archival law still applies here (you can make a backup copy for storage). Not only that, but I know of a real-world, legitimate use for this...

My friend has a lot of DVDs, and he travels often for work, but he can't yet afford a portable DVD-playing device (be it DVD-ROM or one of those spiffy mini players). He asked me if there was something to extract them, because he has a laptop (without a DVD-ROM), and wanted to know if there was a way to convert them to VCDs so he can watch them on the road.

This has been said on Slashdot many times in other contexts, but... just because it's been cracked doesn't mean it was done maliciously. There *are* real-world, legitimate uses for this (DVD-playing for Linux? Archived VCDs?), just as there are illegitimate uses.

Granted, maybe more people will use it for Evil than will use it for Good (TM), we have yet to see.

The article is gone !!

[matsh]

http://www.wired.com/news/technology/0,1282,32263, 00.html

They have removed it, yes?

Re:The article is gone !!

[Guy+Harris]

They have removed it, yes?

No.

Re:The article is gone !!

[matsh]

Sorry, it does not show up in Netscape 4.7 (NT).

Re:The article is gone !!

[Guy+Harris]

Sorry, it does not show up in Netscape 4.7 (NT).

Perhaps it didn't show up for you in Netscape 4.7 (NT), but it showed up for me in Netscape 4.7 (NT).

Wonder what will happen to Xing and/or Real...

[prop-hed]

Networks when the MPAA gets there guidos working on this. Makes you think...I don't wish any "ill" towards either company, but it wouldn't surprise me if either of them "disappeared". Youse knows what I mean?

Re:DVD-R

[jilles]

DVD-r is already too late. My harddrive is already 17 GB (which is actually quite modest these days), which is the maximum size definedby the DVD standard, though dvd-r is probably way below that. So I don't think the relief a dvd-r provides above normal cd-r will last long.

So I hope there will be something more advanced soon.

Re:DVD Encryption? Good riddance

[lw54]

Ummm... Have you tried copying a DVD to VHS?

What about re-encoding?

[tietokone-olmi]

Storing the raw DVD video/audio data is foolish, yes. But the DVD video is of such high quality that it is feasible to downgrade it to, say, 400x300 or 512x384 pixels in truecolor and MPEG-1 it at a reasonable bitrate. That'll still result in higher quality video than what has been previously available to the w4r3z-keepers.

Re:What about re-encoding?

[tietokone-olmi]

Yes, MPEG2 is more efficient. But the efficiency results mainly in more bang for the bit, i.e. a better looking picture at more frames per sec at the same bitrate.

What I was getting at is that if one were to take the MPEG2 stream apart and encode the decoded frames (and a good compromise of the sound tracks, of course) into a lower-quality MPEG1 stream (as in, lower resolution and less FPS at a lower bitrate), the whole ordeal would result in a MPEG1 system layer stream that would still have better quality than the same video data from any other source because there's no analogue step in between.

Of course it won't be as good looking etc as the original MPEG2 stream, but it'll be storable on a small number of CD-R discs. And quite a bit less resource hungry to play back.

And supervhs is an analogue format and thus not suitable for long-term storage or convenient replaying in a computer :-)

Re:What about re-encoding?

[Dusty]

IIRC, DVD video encoding is a variant of MPEG-2, i.e. it uses time based compression between frames as well as compression of the frames themselves. So it should return a better compression ratio than MPEG-1. That coupled with the fact that DVD movies are probably stored at a resolution of 576 pixels high by 720 pixels wide, would mean that an MPEG-1 encoded picture at 400x300 would take up roughly the same space. A good guality MPEG-2 video feed usually takes 8mbits/s, so a two hour film would fill 7200 mega bytes. Hence the requirement to save it on a DVD disk in the first place. So I don't think re-encoding it at a lower
resolution using MPEG-1 will be practical.

After all if your happy with 400x300 why not use a super VHS video to tape the output of your DVD player.

Re:What about re-encoding?

[Troed]

So I don't think re-encoding it at a lower resolution using MPEG-1 will be practical.

Approx 4-5 dvd-rips made digitally from DVDs to VCDs are released each day.

Re:not much time left...

[gorilla]

Actually, it's more historically true to say the opposite.

The rest of the world signed the Berne convention on copyright in the 1887-1920 period. The US held out until 1976.

Re:Security through obscurity doesn't work!

[jms]

Security through obscurity is more like hiding a copy of your front door key under the little gnome statue in your rock garden, then hoping that no one thinks to look there. Of course, that's the first place a professional thief is going to look.

The key's only 40 bits anyway.

[Wakko+Warner]

It's not like that would have taken very long at all to crack. Hell, it only took a few months to crack 56-bit DES, 40 bits would be a cinch on today's hardware. Let it run overnight and you've got yourself a fistful of cracked, valid CSS keys.

Bottom line: It would've been cracked anyway eventually. Xing just hastened the process.

- A.P.
--

"One World, one Web, one Program" - Microsoft promotional ad

Re:The key's only 40 bits anyway.

[sumner]

It's not like that would have taken very long at all to crack. Hell, it only took a few months to crack 56-bit DES, 40 bits would be a cinch on today's hardware. Let it run overnight and you've got yourself a fistful of cracked, valid CSS keys.

In general it isn't nearly that easy; in particular, you need some known plaintext in the encrypted file to be able to check and see if you've succeeded in decrypting it.

e.g. I encrypt "Secret Message" with my key. You know the message starts with "Secret". You can keep decrypting with different keys until you find one that starts with "Secret" then read the second half. (In practice, you may need a bit more plaintext than that to ensure a unique match) If I encrypt a random number--e.g. an encryption key--you can decrypt it all you want with different keys, but you won't know when you've succeeded.

The end result for DVD would probably have been a two-stage search; first try decrypting the DVD with random keys until you get the movie (which could take a long time, unless you can automate the "this is a valid movie" step), then brute force the encrypted key until you match the key that you have working.

Sumner

Re:The key's only 40 bits anyway.

[gorilla]

Actually, the last DES cracking contest (DES-III) was cracked in under 24 hours

Re:The key's only 40 bits anyway.

[platypus]

They know the format the decrypted file should have, the patterns of a sensefull video stream should be recongnizable, so I assume this is easier to break than a text in an unknown (but existing) language.

Btw. the second possibility is actually used for cracking (analog) pay-tv on the fly.

Re:The key's only 40 bits anyway.

[hasse]

The point here is that they got one of the 400 keys from the Xing player, used that to decrypt the data and then knew stuff like how the header of a dvd movie looks like. After that it's brute force.

Re:Net Impact on Movie Industry: Zero

[KyleCordes]

Your argument is valid, today.

But the pace of smaller, faster, cheaper, better has show no sign of slowing. Disk space in $/Gig falls by a factor of 2 approximately every year. DVD-ROM readers will undoubtably go from 4X (or whatever) to 30X+, like CD-ROM did.

Will you arguments still be valid when it is cheap and fast (a few minutes) to copy a DVD on to a (small part of a 200 gig) hard drive?

Re:How does it work, really?

[Mignon]

Studios releasing player-specific media might not be so far-fetched, in that theater chains are already affiliated with studios, I think.

I wonder if a movie studio would ever do something like what you suggested. I don't remember if Sony was in the music business back during the Beta/VHS wars, but would they have released a heavily promoted video on VHS and Beta simultaneously? (Would they have ever released it on VHS?

(A little historical cross-industry comparison, for those so inclined.) In 19th century New York City, among other places, taverns were owned by breweries. One ploy was to give away salty snacks and sandwiches at lunchtime; workers would then buy lots of beer to wash it down. Nowadays most places still give away pretzels for the same reason. [Maybe we should start referring to free pretzels, along with free speech and free beer...]

Re:blaming those who break security

[Greyfox]

That's why we have locks on our cars. If a car manufacturer made a car with no locks, insurance on that vehicle would skyrocket because it would quickly become the most stolen car in America. Less people would be inclined to buy the car because of the insurance rates. The manufacturer would in fact be punished for their weak security. Which still isn't to say stealing them's right.

But then, assuming the distributors of keys for DVD players had criminal intentions is rather silly too. Personally, I like the fact that I can now play the discs on my Linux system (Which does not have Windows on it) and may actually end up buying a player now. This also enables other aspects of "Fair Use" which phrase Hollywood would like to stamp out in exchage for "Pay Per View."

Frankly I find the greed of Hollywood and the RIAA to be disgusting and would like to give economic preference to independent artists who do aren't in bed with that lot. Is there a web site with links to music and films (Old or upcoming) which aren't associated with those groups?

Re:Bad reporting on part of Wired

[drudd]

Exactly! If I want to use my PC (my only DVD-player) to watch my admittedly modest DVD collection, I must boot 98.

DVD playing is one of the last few items left which is saving my 98 partition from final destruction.

Doug

Re:I just hope they don't stop making DVD's

[Nylathotep]

That may be true, but whats the point? People have DVDs because of the quality of picture and sound.. If you just crunch those down for transmission what have you gained? Even on a cable modem, it takes forever to get a movie off a warez site. Let alone finding the warez site with what you want in the first place...

Its easier (and cheaper, since time IS money) to go to blockbuster and rent the flick. And to those movies that are on the net but not released on tape yet, again, why bother? Do you really want to waste your time on a camcorder from the back of the theatre reproduction?

Linux drivers would have postponed the shock...

[runswithd6s]

Think about it. If the manufacturers would have provided DVD drivers as loadable kernel modules for the Linux community, there would be far less attention given to the decryption of the DVD's CSS encryption scheme. We simply want to play movies from an excellent media (in comparison to what is currently available...VHS or huge MPEG files) on the Operating System of our choice.

Of course, someone will always pick up the challenge from statements like, "The Copyrights are guaranteed because we've encrypted the data on the disks," and ,"no one will break the cypher." Some recreational hacker or perhaps the evil black market dealer.

Who cares?!! We just want to watch our movies...

Net Impact on Blockbuster: 100

[Wah]

A few years down the road at least. Fatter pipes are coming, bigger drives are here. Even with my setup I can dedicate 5 gigs pretty easy, start a download and wait a day, voila Blockbuster go boom (no, I'm not on a school LAN).

The movie industry is in serious need of a housecleaning anyway. Whoa, look 3 new crappy movies, yippee!! (repeat every week). Personally I think this is poetic justice for the music/movie industries, they screw consumers when production costs go down and prices stay the same (but promotion costs seem to keep going up, maybe to offset the quality of the product..), we screw them when price and reproduction costs both move to zero. Serves them right for making me watch COMMERCIALS when I PAY to see a movie.

They will still have the box office and sales (a permanent physical backup for critical info is always a good idea) but I see no place for the present day rental system in the next millenium.

Re:Net Impact on Blockbuster: 100

[Evangelion]

2. I can buy a CD-R disk for around $20 bucks.

Don't you mean 'I can buy 20 CD-R disks', or 'I can buy 4 CD-RW disks', or 'I can buy a DVD-R(AM) disk' ?

If you're seriously paying that for a single CD-R disk, I have some bad news for you...

Re:Net Impact on Blockbuster: 100

[MindStalker]

But for now
1. I can buy a DVD movie for around $15 bucks.
2. I can buy a CD-R disk for around $20 bucks.
3. Said disk might become a coaster.
4. Said disk is better used as a backup medium.
($20/4.5GB) more expensive than tape.. but its random access.
5. I can spend the entire afternoon burning said disk.
6. I can spend a few minutes buying/renting said disk.
7. I don't belive you can play said disk directly from your HD.. meaning you have to burn them first. .. Though this may not be true for Linux as you can mount an .iso... or whatever its called in DVD land.

Re:Net Impact on Blockbuster: 100

[MindStalker]

HEHEHE meant to say DVD-R... I try and pay atmost 1.50 for a cd-r disk.. and even that I consider expensive

Re:DVD Consumer Rights - Copying is a GOOD Thing!

[jsewell]

I mean Disney's marketing of the same movies in different packaging, etc is brilliant and shows that it's even possible to sell people the same movies they already OWN!!

How much of this re-buying the same movie is just becuase the munchkins wore out by constant re-watching (or spilled grape juice on) their video of the Little Mermaid? You know kids and fragile electronics don't mix.

I was going to say you won't see this re-buying happening when everything is DVD which doesn't wear out, but then it occured to me that DVD's are easier to wreck than videotape. I have already ruined my DVD of the Matrix, and that was even before I even watched it! (dumbass me didn't have the disc centered in my tray and the disc got caught and scratched on the edge...)

Kids are gonna be MURDER on DVDs. There would have to be some kind of kid-proof cartridge for these things if they ever catch on.

So your basic point is absolutely correct, the way to combat piracy is to inovate, and market, and make people NOT WANT to buy the pirate copy. As to whether hollywood and big business are up to that challenge is an exercise for the reader...

Re:So do slashdot folks care that this is immoral?

[spot]

it is completely moral to crack the code & publish the results.

it is illegal but completely moral to use the crack to copy DVDs.

there is no "right to profit", but there are right ways to profit. hollywood is in no danger, they are just too greedy and shortsighted to see how they can make money without copyright (ie, in a free market).

information is free.
the only question is:

Re:So do slashdot folks care that this is immoral?

[Score+Whore]

CSS prevents me from making digital copies to another for of media that I can use (cd, hdd, tape.) And macrovision prevents me from recording it without signal filtering hardware.

-sw

Re:DVD is Dead Anyway.

[Icculus]

DIVX. It died because people didn't want to have to ask somebody else permission to watch a movie they'd already (in their opinion) bought.

I agree with you here, but I have a feeling that as bandwidth becomes more plentiful and more content is put online, people may start shifting away from the need to have that box or shiny disc in their hand to represent what they spent their money on. I personally never buy movies. I don't see the value in having this pretty box containing a movie I may watch twice ever. Better to spend the money and take the wife to see it on the big screen once. If I absolutely had to spend $1.50 or $2 to watch it once online later, that seems OK. Better than spending $15 - $20 on a tape (or $20 - $30 on DVD).

This is sort of how the current cable pay-per-view model works. Image and sound is superior to VHS and it really doesn't cost any more than renting. I think DIVX was shooting for this sort of model but with superior sound/picture quality as an advantage. They just didn't market very well and got a little greedy with the pricing. :)

DIVX did suck though. It seemed more like they were duping people into thinking they were actually buying the movie. Oh well... RIP DIVX. May your successor be less lame.

Question...I'm confused.

[slackergod]

Perhaps I don't understand correctly,
but if DVD is a method of storing data,
couldn't the data simply be copied from one
DVD to another (given appropriate hardware)?
It seems to me the only time the decryption
would be needed is when one was actually
_playing_ the video.
If not, could someone explain? It this key
locking the DVD drive at a hardware level?
If the keys are only needed for decryption into a mpeg stream, how does this crack have any impact at all on pirateing DVD? A digital copy is the same as the original, and a key shouldn't enter into it. What gives?

-Slackergod

perl is like a pit bull: it may be ugly,
but it's damn good at what it does.

Re:Question...I'm confused.

[TeChYMaN]

ATTENTION TO THIS POOR COMMENT!
You cannot, from what I understand, copy DVD to DVD, not only because DVD-RAM does not have enough storage capacity, but because the DVD Drive(s) themselves do not allow it. The easier way would be to rip it and MPEG4-ify it. See my previous comment Here, this may clear things up.

Re:Net Impact on Movie Industry: Zero

Toshiba et al could have easily told the movie industry, "No, you're not going to get encryption or regional lockouts. Because it doesn't matter. Our manufacturing process costs less than one-fifth of the one you're using now. Once your shareholders find out there's a process that will cut your costs and increase profits and product quality, they'll rake you over the coals until you adopt it."

The problem is that the movie industry will then start crying and whining and creating mountains of bad PR about this open format because it will allow their "life-blood" (as the RIAA put it) to be sucked out of them by the pirates. It doesn't even matter if costs them 5 to produce 5000 DVDs which they then sell at $25 each. If they're not comfortable with the format, they will throw negative PR at it. Remember all the mud-slinging Hilary Rosen (from the RIAA) did about MP3?

Either that, or they will complain and whine and lobby the U.S. Congress to legislate some form of compulsory copy-protection (for DAT).

You're talking about people with billions of dollars in the bank. They didn't get that rich by giving things away.

yep, it works great...

[mosch]

assuming of course you found a way to circumvent the macrovision circuits. my SV-09 is not only a killer DVD player, it doesn't output Macrovision and it ignores regional codes. I just wanted to be able to watch foreign movies without buying multiple DVD players, and I wanted to avoid the picture degradation inherent with macrovision.

Commercial pirates aren't affected by much of anything so I think the movie industry should realize that most of us BUY our movies even when we can download them. I want to support the artists involved in the production of my entertainment. They earned the money.

Re:blaming those who break security

[settonull]

Occasionally, I just feel the need to scream. Cant do that at work, so I'll post something
Heh, I feel this way a lot.

You are so right. Damn it annoys me that _I_ get blamed if I try to steal a car. Just what are those car manufacturers thinking by not putting in better car alarms? Its all their fault.

Interesting point, but I don't think it is the correct analogy.

The true hackers are the ones that discover the problem, not those that exploit it all over. It is not that you shouldn't get blamed for trying to steal a car, however you shouldn't be blamed for pointing out that the car company built a car that lets anyone in if they tap just right on the door. The car manufacturer _should_ be held to a certain level of competence, and in the US is.

>just keep deluding yourself with the belief that hackers are heroes
ok, and you can continue deluding yourself thinking that for every person that makes public a security problem, there isn't 100 bad guys already exploiting the problem.

Whats the quote? "If ignorance is bliss, I hope I'm never happy."

Re:Net Impact on Movie Industry: Zero

[Talla]

- DVDs are cheaper to produce than video tapes.

This would be true, if there were no menus, no chapters, no extras and static encryption rate. Unfortunately, mastering a DVD is very expensive. The costs can reach >$100k before a single disc is produced.

new project for distributed.net ?

[Darxus]

"Johansen and his partners were able to guess more than 170 working keys by trial and error before finally just giving up to go do something else."

Sounds like an excellent new project for distributed.net... they've been doing distributed brute force encryption cracking for how long, with how much computing power ?
230 left to go....

Re:new project for distributed.net ?

[Bolero]

IF Distributed.net got into this it would take them at most all of an hour to finish off the rest of the 230 keys and that is with a ton of effort being duplicated across Distributed.net.

No, they are better off continuing to test out RC5-64 for free..... =)

Piracy is from thier own Duplicators

[just+someone]

The major problem is that they are going after the wrong source, the people who sell the DVD duplication equipment. They make it seem like it's us, but that's just the publicity engine.

The people with the duplication equipment are the ones that can create thousands of DVD's. They can make Pirate DVD's of rencent movies.

Many times, these duplicators are doing duplication for the major movie studios.

The movie industry should have just made sure that only they had access to the duplication equipment. Instead, they went cheap. They let anyone with a duplicator bid for the duplication contract.

Think how many "Pirate" CPU's would exist if Intel contracted out the production of all of it's CPU's to other companies for production (and they charged $1000 for a celeron).

They were warned about this years ago!

[Archeopteryx]

Back when I was on the DIVX project at Zenith, (and yes, I know DIVX was *evil*) DIVX was the encryption method that was competing with the current method. The flaws of the current method were well-known to the crypto people at DIVX/Circuit City, and when they went out to sell DIVX to the "content providers", they let them know exactly what those weaknesses were. I don't fault them for not choosing DIVX, but I do fault them for putting any reliance on a known weak system.

Re:They were warned about this years ago!

[Archeopteryx]

No argument. I don't own one.

Re:blaming those who break security

[AndroSyn]

But then again somebody may torch the house, but would you leave the door unlocked for them to do it? Or have the door jammed shut with a chair? With gasoline sitting next to the door too? When you knew damn well there was an ex-convict who just got out after serving a sentence of 25 years for arson living down the street.

I know I'd have the deadbolt on the door. Would you?

"Everyone be cool or nobody gets to ride in the Bonneville"

Re:So do slashdot folks care that this is immoral?

[Erik+Fish]

For one thing, the industry can't afford to "try another format". For another, the computer software industry isn't losing ANY money -- try reading the sales figures instead of the SPA propaganda.

The oft lamented "potential" loss of sales can't be proven (otherwise the software companies would be able to get insurance for these losses). The industry groups whine on and on about the "billions" in "losses" while the industry shows greater profits every year -- including the years that CD-RW drives dropped to and below $300.

Real/Xing's week of pooch screwing

[Croaker]

Heh... first the jukebox debacle, then they are implicated in leaving the gates unlocked and letting the unwashed hoards pillage the sacred city of DVD... not a good PR week for these guys.

Makes it seem like the folks over there aren't really on the ball.

Re:So do slashdot folks care that this is immoral?

[Ded+Bob]

Telling others about the weakness is not immoral. Maybe illegal with all those laws banning security cracking out there, but it is not immoral.

As for what this could be used for in a moral way, would be:

1) Allow viewing of DVD's on alternative OS's (i.e., FreeBSD).

2) Allow viewing of DVD's from different regions. If I want to buy (quite moral) a DVD from a different country, why should I not be allowed to play it in my DVD player or computer (both of which I purchased legally and morally)? Some movies may not even be available in the U.S.. Any moral reason I should not be able to view them?

immoral as any, but sad that the industry will now try another format.

I doubt the industry will try another format. Too many recalls would have to be done to fix the millions--I only know there were over a million players in December 1998--of players out there in the world.

let me get this straight...

[Booker]

If I go out and pay $15-$20 for a DVD, and use this so I can actually watch it on my system, that's "immoral?"

If I watch this disk under an operating system other than Windows - that's "immoral?"

If I demonstrate, with examples, to the public how an encryption scheme is weak - that's "immoral?"

You have some interesting ideas about morality. If you're worried about moral decline, I think there are better issues on which to focus.

tapes are rather fragile too, however

[tuffy]

Just recently we had a problem of our VCR eating a tape and spending a couple of days without while it was fixed (fortunately the VCR was under warrenty). The tape didn't survive.

Certainly scratches are a big problem for optical media, but I think it's no less a problem than fragile tapes that have been wound/rewound several dozen times by the time your VCR gets them. And when DVDs are treated properly, the picture quality will be identical to the first viewing.

In a perfect world, we wouldn't have to put up with rental media at all. Simply get movies with digital quality on demand, watch once, and get on with our lives (probably with better cared-for DVD-type media for the movies we want to own).

I feel your rental pain, but think also that your DVD player was unaffected even by a crapped-out poorly cared-for disc. That's worth something too.

Re:tapes are rather fragile too, however

[Cramer]

The scratch problem is too true (with digital data, audio is a different story.) The tighter the data is packed onto the disk, the easier it will be to destroy it with a speck of dust. Hard drives are (and always have been) this sensitive. When your "CD"s get anywhere near that data density, merely breathing on it could render it a coaster.

Video tapes, on the other hand, can take some _serious_ abuse. You can wrinkle the tape, scratch some of the oxide off, stretch it, and even cut sections of the tape out (i.e. "splice") and it'll still play back with little distortion and certainly without "skipping" or crashing. Basically, if it's not been rendered a pile of smoldering plastic, it's probablly still playable :-)

However, video tapes have a finite lifetime. They are magnetic media and as such slowly bleed their magnetic charge away (this is why you shouldn't punch your low density floppies to be high density floppies, btw -- not that floppies have a shelf life anyway.) Additionally, the action of playing the tape is slightly distructive. The tape has to be under precise tention during playback to work right. This tention stretches the tape -- esp. if the VCR needs service. (This is what causes the distortion at the top of the frame during playback.)

Disclaimer: I used to service VCRs back before they became disposable. I've seen/heard audio CDs playback without distortion despite them having been half disolved. (be careful where you spill your liquor.)

Re:Consequences for DVD?

[etherwalker]

I gather from the article that each DVD-player licensee has their own key. Every DVD title then has it's own discreet key for unlocking its contents. The DVD also has some sort of table where the DVD-specific key is encrypted using each one of the licensee keys.

Once one of the licensee keys was found, it was possible to perform a plaintext attack against all of the other licensee keys. If just one licensee key was broken, DVD encryption could still stand because new DVDs could remove that one licensee from their table. But since the encryption was so weak, all of the other licensee keys are exposed now too, and any change to the system would break every DVD player in existance. Let's hope the DVD consortium doesn't feel the need to go that far.

Re:Forced Format Switch for Security(CD -> DVD Aud

[settonull]

This reminds me -- I've got to get a CD-R drive soon. I suppose you all know what I'm going to use it for. All I can say is, if the industry doesn't take steps to protect what's theirs (their intellectual property), they'll get exactly what they deserve.

This is so totally the wrong attitude. The studios will never be able to totally protect their IP with technology. Look at the cold war, or the last 10 years (at least) of software publishing, you can't beet technology with technology. As it becomes more and more obvious that it is impossible to long-term protect your IP, I think we are going to see a few shifts in the way society thinks.

Think of it like this: you leave your front door unlocked everyday while you're away at work, and one day, a thief breaks in and steals everything. Will your neighbours feel sorry for you? Should they?

I would sure hope they would feel sorry for me. I shouldn't have to lock my doors everyday to be safe, and in many places in the world I still don't.

don't let society change you for the worst, change society for the better.

Re:So do slashdot folks care that this is immoral?

[dr]

I could go after your ad hominem attack

I'm impressed. I haven't seen anyone use argument fallacies since I was in university some 3 years ago.

blaming those who break security

[Subwolf]

I read this sort of thing all the time. Occasionally, I just feel the need to scream. Cant do that at work, so I'll post something

(snip)--: I believe the people who create the encryption and security methods should be held more accountable for weak security.

You are so right. Damn it annoys me that _I_ get blamed if I try to steal a car. Just what are those car manufacturers thinking by not putting in better car alarms? Its all their fault.

Tell me, what is so wrong about 'XORing bytes and considering that the ultimate security'? Better security wouldn't be needed if people wouldn't try to 'crack' software.

When somebody torches your house, ruins your family, gets you fired from your job and tosses you in a homeless shelter, and you _DONT_ press charges, simpy saying "Thank you for showing me how stupid I was for not having a security system that could keep you away from my house.", get back on here and let me know. Until then, just keep deluding yourself with the belief that hackers are heroes.

Re:blaming those who break security

[billybob+jr]

No one is doing anything to other people's DVD discs. If I decided to crack my own DVD disc to get at the data unencrypted, who have I stolen from?

Re:blaming those who break security

[finkployd]

I understand your point and agree to an extent. However, I was putting forward an opinion from a different point of view. Of course you blame the person who breaks into your house, but you also have to look at the security in place. After all, if it's possible to unlock your house with a well placed credit card, then you would be a little ticked at the person who made the lock (or made the house and decided to use a cheap lock).

My point is, when we rely on people for security (ie hotmail) or companies rely on a copy protection scheme, there is a certin amount of responsilility on on the supplier's part. This all too common "we have a secure system, if it was broken into, it's completly the fault of the hacker" attitude is not going to work much longer.

"well, if your system is supposed to be secure, how did people break it? You must not be very good if a group of kids who cannot stop using the ShIfT key when typing can break it."

Yes, better security wouldn't be needed if people didn't break into things, and cops wouldn't be needed if people never killed and robbed each other. However, we don't live in that world.

Finkployd

Re:blaming those who break security

[Subwolf]

How can you be so ignorant?
It took me 22 years to get the way I am. But dont worry, I plan to be twice as ignorant by my 44th birthday.

So before you label...(snip)

You obviously have misunderstood my last post... I was not trying to focus on whether or not hackers are criminals. I was focusing on the insanely retarded line saying that the companies that get hacked should be held more responsible for their lack of security.

Lets try a different comparison, shall we? Women who dress in revealing clothing are _asking_ to get raped. It is their fault for not wearing more conservative clothing.

When anybody does something illegal, _they_ are responsible. End of discussion.

Re:blaming those who break security

[Subwolf]

True hackers...find...not exploit...etc(snip)

Your right. Companies should infact give little bonus checks to people that point out security holes, or issues or whatever. It would invite more people to check for them and help the company in the long run. However, how people (hackers) go about checking for those security issues is the issue. Trying to pick the lock on your own car is a LOT different than picking the lock on your neighbors car. Just as breaking into your own NT machine is different than breaking into a company's machine.

Your intentions, imo, should not make a difference in the trial, only the sentencing.

Re:blaming those who break security

[Mr.+Slippery]

To compare car theft, arson, assult, and destruction of property with making unauthorized copies makes you look extremely foolish.

Cracking copy protection is an intellectual exercise that in and of itself has no ethical connotations - if anything, by increasing human knowledge (it is, after all, the solution of a mathematical problem) it could be considered ethically positive.

Using the solution to actually produce unauthorized copies can be ethically good (making backups for your own use), bad (massive pirating), or indifferent (making a mix tape for your friend).

The corporate state will keep trying to patch copyright law, but it's far too late. We need new systems to "promote the progress of science and useful arts," because current copyright and patent law just don't cut it in the face of modern tech.

(P.S. Let me point out that it is "copyright, as in the right to copy, not "copywright" or "copywrite" as has been often seen here on Slashdot. Thank you, enjoy the show.)

Re:blaming those who break security

[dabrig]

"If ignorance is bliss the wipe the smile off my face"

Re:blaming those who break security

[syates21]

"Using the solution to actually produce unauthorized copies can be ethically good (making backups for your own use), bad (massive pirating), or indifferent (making a mix tape for your friend). "

Hmm this is interesting. So, what you're saying is that whether copying and distributing authorized copies is bad depends on how many people you distribute it to.

Would you mind enlightening the rest of us about the "magic number" of people that you can distribute pirated copies to and still have it be "indifferent."

Maybe if I just steal enough money from the cash register for my own personal use, and not for lots of people, a judge will decide it was ethically "indifferent."

The human power to rationalize is something to behold.

Re:How can breaking trade secret be "illegal"?

[Malo]

Ah, I'm so depressed about this entire issue. I thought the EFF would have whaled on this horrible bill, but they didn't. I didn't see much negative written about it at all. Yet, I see it being used to keep things secret.

"From the article:

""The circulation through the Internet of the illegal and inappropriate software is against the stream of copyright protection."

Thank you Clinton, Thank you DMCA, and Thank you Congress. Considering that it starts to take effect as of 1/1/2000. I expect the lawsuits to be hurled at Livid, and anyone who's even sniffed the source code around 1/3/2000.

The only saving grace of this entire mess?

From the text of the DMCA.

"Reverse Engineering Exception. Section 1201(f) allows software developers to circumvent technological protection measures of a lawfully obtained computer program in order to identify the elements necessary to achieve interoperability of an independently created computer program with other programs. A person may reverse engineer the lawfully acquired program only where the elements necessary to achieve interoperability are not readily available and reverse engineering is otherwise permitted under the copyright law.7 Furthermore, a person may develop and employ technological means to circumvent and make available to others the information or means for the purpose of achieving interoperability"

It means that while every DVD maker can try to sue to stop things like this, it means that as long as the project is attempting to add functionality (insert Play DVD's under Linux here), they are cool. Unless they've amended the act, again.

If anything? I'd be worried more about WIPO. http://www.wipo.org/eng/. DMCA is merely the first step in more laws intended to modify American Legistlation to be more friendly towards WIPO in general. Honestly? I can't say it's a bad thing, because some of the laws need to be amended, but in this hostile climate of anti-everyone, and anti-anything-that's-bad. I'm sure a great deal of shitty law will be passed.

When in doubt? Write your congressman, write your senator. See if they even have a clue on this issue.

You're missing one element

[Mawbid]

People should know that there was a security flaw, even if they only hear about it after it's been fixed. You could even say that it's *more* important to spread the word about a company's feeble security measures than it is to plug the hole because it decreases the chances that people will trust the company in the future and if this happens a lot, people shouldn't trust the comany. If reports about the hole only come out after it's fixed, then there aren't any sensational news items and there isn't any public outcry against and mockery of the company involved. This means that a compny that may well deserve to look bad avoids much of the fallout.
That is, you could say that if it hadn't been shown over and over again that laughable security practices never really hurt the company responsible even when they are exposed.
--

Comp USA has plenty of software on shelf ...

[timothy]

Amphigory's question is a good one!

There is a presumption in the post to which he responded that in fact CD-Rs have made a significant dent in software profits. I see two reasons that make me doubt they have, with the possible exception of MS operating systems.

1) Software makers make the big money by selling software to businesses, including universities. Businesses (esp. ones that are over 4 or 5 people big) can't afford piracy, long term. Does it go on? Sure, but CD-R only makes this process easier, it isn't the start of it. Businesses like support, and docs ...

2)People like documentation and accountability. That the accountability may be illusory for most users, the documentation is not. And it's considerably more inconvenient to make high-quality copies of documentation to accompany software. Folks will no doubt continue to exchange software, but the software industry will continue to sell boxed software for the advantages it offers. Note how well even boxed Linux distib.s sell! That's software which is free -- so someone could download it without even the risk / discomfort of illegality.

Re:Comp USA has plenty of software on shelf ...

[DGregory]

1) What about games? How many businesses use games? I would say very few. How many games get pirated... I would say a LOT. Poke around on some warez sites and see all the games they claim you can download. If there is a game you want, and you manage to find it, will you fork over $50 for the box? I don't think so. If your friend buys a game on CD and you can make a copy of it, will you pay the money for the real version? Most people who do that wouldn't.

2) And what kind of documentation comes with Windows, Office, etc anyways? Very shitty documentation. Any normal user has to buy an expensive book, so what is the use of the 50 page book that comes with Windows/Office/Frontpage (to name a few off the top of my head) - firewood. If you could get a copy of Office on CD from your buddy, you'd save $400 for the media, and pay $50 for a book that you'd have to buy anyways.

I'm not saying any of this is legal or ethical, I'm just saying it happens all the time, and if it was impossible for people to do this copying, you bet the companies would be making more money.

Re:Net Impact on Movie Industry: Zero

[BHS_Turf]

What can you run off of DVD drives except for movies?

What are you talking about you can get the most valuable piece of software ever cobbled together on DVD -- The MSDN Library!

Why DVD piracy doesn't matter

[bgarland]

DVD piracy is a non-issue for several reasons...

1) DVD's are HUGE.

DVD-9 (single sided, dual layer) holds approximately 8GB of data. These are the most popular discs. Do you really thing that someone is going to download 4-8 GB of data to watch a movie? What about the storage cost on disks? Yeah, hard drives are getting cheaper but as far as I know you can't get a 8 gig drive for less than $20 (the cost of a DVD movie).

Some new movies are even coming on DVD-18 (dual sided, dual layered). That's up to 16 gigs!

2) You'd have to play them from your computer's hard drive. There is DVD-RAM available but as far as I know it cannot burn dual layers which most new DVDs need. Also, I doubt that DVD players can read DVD-RAM anyhow (only a select few can read CD-R/W).

3) DVD's are cheap. Hmmm. Lemme see. Should I go buy the real movie at Reel.com for $10-15 or should I waste my time downloading it from the net, storing it on my hard drive, and being limited to playing it on my computer? (forget taking it to a friends house to watch).

Not only are they cheap to buy, but the studios are making money hand over fist with these things. They are much cheaper to produce than VHS tapes, but do they pass the savings on to the consumers? Hell no.

The low cost of DVD's are making CD's look like the ripoff that they are. What would you rather have for $15? A 74 minute CD that is just audio, or a 90+ minute movie, with audio and video, and tons of special features?

I think that if DVD's were cheaper (say $14.99 retail) then everyone would buy more of them, and it would be completely insane to want to buy/download a pirated copy instead of the original. If I were the studios, I'd rather sell 100,000 DVDs at $14.99 a pop, than 30,000 at $24.99 a pop (the current retail for most DVDs).


All in all, I hate copy protection on everything. It always ends up inconveniencing the legitimate users. SCMS for digital audio sucks! Why oh why can't I make perfect digital copies of my MiniDiscs? It's my damn music on them! Thankfully there are SCMS defeaters.

Macrovision for video sucks! Why can't I make copies of my VHS tapes for personal use (like having one copy for the house and another for an RV [hypothetical, I don't have an RV]). When you buy any kind of media you are usually paying for the rights to view the tape for personal exhibition, not for the actual media that you purchase. Therefore you should be able to freely copy the media as you wish as long as you're the one viewing it and you retain ownership of your copies (don't sell them).

But I digress. The industry will never listen. They will keep on using copy protection, knowing full well that it WILL be circumvented eventually, and that it ends up inconveniencing the legitimate users the most.

*sigh*

Ben

Re:Why DVD piracy doesn't matter

[RayChuang]

Ben,

I agree 100%! (^_^)

People forget that we're talking files that are so big that even WITH broadband Internet access it'll take MANY hours just to download.

Besides, discs are quite inexpensive. Places like Reel.com and other online DVD retailers can sell you a DVD movie for very, very cheap, so the incentive to make a pirated copy is NOT there.

I think the simple solution is to just up the encryption level on the CSS to 128 bits. At 128-bit encryption, if you want to break the encryption better think multi-million dollar computer systems just to consider breaking the encryption.

Re:Why DVD piracy doesn't matter

[TeChYMaN]

Here's a few Counterstrikes (for lack of a better word) to your answers of why NOT to copy a DVD


1. COMPRESSION! MPEG-4 Video is great. Sure there are some artifacts, but because of "keyframes" (frames that contain all the data of that frame), They are corrected rather quickly. MP3 Audio works fine for audio (that's with the exception of true audiophiles, keep it at .ac3)

2. You DON'T need to play them from your computer's HDD! 1-2GB Full movies fit on a DVD-RAM just fine.

3. DVDs are Cheap! I AGREE! When you rent them and rip them. It takes a good 25-30 min to rip a movie.

I Don't plan to pirate what I copy. That's just plain wrong. I keep them for my personal use, and if I did want to pirate it, it wouldn't be cost-effective. DVD-RAM Drive: $5000? DVD-RAM Disc: $25. DVD Rental: $5. My Time: Priceless.

MasterCard Narrator:

With MasterCard you can buy anything. But somethings, You can't buy

Re:Why DVD piracy doesn't matter

[Steve+B]

I think the simple solution is to just up the encryption level on the CSS to 128 bits.

Can this be done in a manner backward-compatible with existing CSS, using the existing 40-bit key as part of the 128-bit key (similar to one of the weak-crypto arrangements the NSA attempted to foist on the industry, in which 128-bit algorithms would be used, but only 40 bits of key space would really vary, the rest being added in a way that made them accessible to the NSA)?
/.

Re:Totally irresponsible

[cr0sh]

Actually, I think they should have waited to release the program after low-cost means of copying the resulting file became available. A very likely outcome of this whole thing will be some kind of restrictions or something on DVD recorders (tech or price wise)...

Re:Kill the smart people

[Foogle]

Yes, that's true, it would. So, because it's possible for an encryption system to be flawed, all encryption systems are worthless? What about RSA -- it's been in use (and under scrutiny) for 19 years and no "glaring hole" has been found in it. The only way to break RSA would be to discover an incredibly easy method of factoring larg primes out of enormous numbers. Barring a mathematical discovery of enormous proportions, it's impossible.

There are a number of good encryption schemes out there and, in fact, CSS didn't have any problems with it. It was the fact that the coders left the key unencrypted that was the glaring hole. Don't blame the mathematicians for a coders mistake :)

-----------

"You can't shake the Devil's hand and say you're only kidding."

Consumers have been copying movies since the 80's

[FreeUser]

The film industry really should do an unbiased and intelligent analysis of the impact of emerging technologies on their product, if they want to actually protect their interests in a constructive and effective manner. Some points which should be considered.

- consumers have had the capability of recording and copying movies to their hearts' content since the advent of the VCR. Videophile and audiophiles may not be happy with the quality, but as far as the average consumer is concerned the quality is "close enough" to perfect. Despite this, movie makers have been selling and renting movies like hotcakes. Being able to copy DVDs will not change this at all

- commercial pirates, for whome the "infinite perfect copy" does make a difference, could already do this by using $5,000 DVD-Rs or buying their own DVD production equipment. One analog copy, reconverted to digital format, and they could produce an infinite supply of nearly perfect DVD copies for sale on the black market. This is a problem, but one which the cracking of the pathetically week css algorithm will not significantly affect.

- high-end consumers do not like having their technology "messed with." The destruction of DAT is an example of consumers refusing to buy into crippled technology. Likewise, DVD playback which is limited to Windows, or by region, is not only an invitation to hack, but worse, creates unnecessary bad relations between the seller and the consumer.

- finally, unlike the RIAA member companies, movie studios are not parasitical entities acting as a paid go-between between artists and their customers. They provide the capital, resources, and equipment for shooting films and play a very necessary role of the art form. Contrast this to the music industry, whose contribution to the art form, beyond providing a distribution channel they happen to enjoy a monopoly on, and perhaps a place to record and master (which any technically savvy musician can do in their own home), is negligable at best and quite often destructive. This suggests that the movie studios aren't nearly as vulnerable to artists switching to an internet medium and cutting them out of the loop as the RIAA member companies are, and have a lot less to fear from open internet standards and distribution channels than their record company counterparts.

Even with copyable DVDs the film industry has little to fear. The target they should be most worried about -- the professional "industrial strength" pirates -- is the group least affected by these developments. The fear that the grassroots mp3 warez phenominon will happen with DVDs is unwarrented, not only because of bandwidth and storage limitations, but also because of a difference in consumer habits, and a fundamental difference in the relationship of the affected artists and consumers with the movie studios vs. the music industry.

Consumers have been copying movies since the 80's

[FreeUser]

The film industry really should do an unbiased and intelligent analysis of the impact of emerging technologies on their product, if they want to actually protect their interests in a constructive and effective manner. Some points which should be considered.

- consumers have had the capability of recording and copying movies to their hearts' content since the advent of the VCR. Videophile and audiophiles may not be happy with the quality, but as far as the average consumer is concerned the quality is "close enough" to perfect. Despite this, movie makers have been selling and renting movies like hotcakes. Being able to copy DVDs will not change this at all

- commercial pirates, for whome the "infinite perfect copy" does make a difference, could already do this by using $5,000 DVD-Rs or buying their own DVD production equipment. One analog copy, reconverted to digital format, and they could produce an infinite supply of nearly perfect DVD copies for sale on the black market. This is a problem, but one which the cracking of the pathetically week css algorithm will not significantly affect.

- high-end consumers do not like having their technology "messed with." The destruction of DAT is an example of consumers refusing to buy into crippled technology. Likewise, DVD playback which is limited to Windows, or by region, is not only an invitation to hack, but worse, creates unnecessary bad relations between the seller and the consumer.

- finally, unlike the RIAA member companies, movie studios are not parasitical entities acting as a paid go-between between artists and their customers. They provide the capital, resources, and equipment for shooting films and play a very necessary role as part of the art form. Contrast this to the music industry, whose contribution to the art form, beyond providing a distribution channel they happen to enjoy a monopoly on, and perhaps a place to record and master (which any technically savvy musician can do in their own home), is negligable at best and quite often destructive. This suggests that the movie studios aren't nearly as vulnerable to artists switching to an internet medium and cutting them out of the loop as the RIAA member companies are, and have a lot less to fear from open internet standards and distribution channels than their record company counterparts.

Even with copyable DVDs the film industry has little to fear. The target they should be most worried about -- the professional "industrial strength" pirates -- is the group least affected by these developments. The fear that the grassroots mp3 warez phenominon will happen with DVDs is unwarrented, not only because of bandwidth and storage limitations, but also because of a difference in consumer habits, and a fundamental difference in the relationship of the affected artists and consumers with the movie studios vs. the music industry.

Movie Industry will need to tackle this soon.

[Zimm]

Yes the technology to rip off DVD's wholesale will come. The way I see it, DVD's as far as customer acceptance goes, is still young. This leads me to believe that the industry will see abandoning the technology as a viable solution to DVD theft. I wouldn't be at all suprised if the number of movies that come out on DVDs slowly falls off and there is an introduction of a new replacement technology. Now is the time to do it, before DVD's become mainstream.

Re:Movie Industry will need to tackle this soon.

[Danse]

I think it's probably too late. The way they've already hyped DVD, it would generate some serious hostility towards the studios. You think people will just forget that the studios told them how great DVD was so that they would go out and buy a 500 dollar player, and then dropped them because they changed their mind? Lawsuits would probably fly if that happens.

Re:Movie Industry will need to tackle this soon.

[Potloodsmurfer]

i think you might be right. and the lesson to be learned here is for cracker-groups to wait with publishing their little program until the technology is to mainstream to get canceled.

The studios will likely *make* money due to this

[Don+Negro]

Why?

As it's been well-explained above, the economic realities of the situation make consumer pirating in lieu of purchase unfeasible. Equally, it does little to aid commercial DVD pirates.

However, it opens access by a technologically savvy, notoriously stubborn group of people with a higher-than-normal percentage of disposable income (Us. The Linux community.) to their product.

Unfortunately, they will likely do something very reactionary and stupid, and will sell more DVDs regardless.

Don Negro

Re:Forced Format Switch for Security(CD -> DVD Aud

[um...+Lucas]

Think of it like this: you leave your front door unlocked everyday while you're away at work, and one day, a thief breaks in and steals everything. Will your neighbours feel sorry for you? Should they?

So... why not tell me where you live then? It wouldn't be my fault for breaking in if, say, you were stupid enough to have windows in your house, would it? I mean, everyone knows that glass shatters incredibly easily, and therefore anyone with glass windows is just asking for it, right?

The industry followed what they thought was their best option. They used 40-bit crypto so as to not have to have a US edition and international edition. What would the point be to using 128 bit crypto when you can still pump the DVD's output into a video capture card? You don't get all the neato things (multiple aspect ratios, etc...) but the point is the movie has been copied.

And no matter what, no one is going to be able to market a DVD recorder with a key cracker in it, so the 40-bit crypto pretty much stop 95% of the copies that could be made otherwise.

Re:Hurray!

[Foogle]

Yeah - The old DVDs.

Don't worry, pretty soon they're be a new DVD format, with new keys, and probably a new cipher, put together by a new company. And they won't forget to encrypt the key this time.

Maybe that will be cracked too... who knows. But this really wasn't a matter of closed standards or obfuscation. It was encrypted using a private key mechanism. Even if you had the specs for the decryption routine (which the hackers had) you'd still need the key.

-----------

"You can't shake the Devil's hand and say you're only kidding."

Absolute Stupidity

[TheCarp]

My thoughts on this...

I. I don't understand how this scheme works?
(or was suposed to). If I have a DVD...I make
a binary copy of it...throw it on another DVD
(or if im on a real OS...connect it to a loopback
device)...what stops me from using this copy in
my DVD player...afterall...ALL of the data should
be identical.
Decrypting an exact duplicate of original data
should work just like the original.

II. There really is no way this could have been
secure. Copy protection can't work. It shouldn't be hard to do a copy by reading and capturing
directly from video memory. Then a nice un-encrypted copy.

III. I have to wonder what algorythm they used.
Was it something that could be easily attacked?
a simple capture from memory could get the
unencrypted movie...and lead to a known-plaintext
attack.

The simple problem is this...they want their
data to be safe...only "Authorized" (ie people
who paid for it) people see it. However, its
possible for those people to control the hardware
that does the encoding. (and the software to some
extent)

Basically...copying would happen one way or
another. Its not stoppable. encryption is really
good for transport of data from "end to end"
to and to keep out unauthorized people in between.

Re:Magic Bullet

[jafac]

Dongle? naw. Just implant a chip on the disk itself, in the unused portion by the spindle (and a counterweight on the opposite side of the spindle). The chip contains the key, and is hard-coded per disk - the chip can use the same technology as these smartcards. A different disk won't have the same key. The additional production costs should be minimal.

I wish I had a nickel for every time someone said "Information wants to be free".

'They didn't encrypt the key' doesn't make sense

[c+o+r+e]

Okay, we're being asked to believe that the Xing encryption key was compromised because it was not stored encrypted. This is asinine. If they had stored the key encrypted, that means that the decryption key for that would be somewhere in the clear. This would only be simplistic obfuscation that should be easily subverted. -core

Wherefore encrypted decryption keys?

[Spire]

The Wired article states that the DVD copy protection was easily cracked because Xing had inadvertently neglected to encrypt its decryption key.

I may be completely mistaken about this (in which case, please don't hesitate to set me straight), but I just don't see why it's so important to encrypt the decryption key in the first place.

I mean, at some point during the DVD player software's execution, the decryption key is going to have to be decrypted anyway (so that it can be applied to the ciphertext). A hacker need only load the player into a debugger and trace it up to this critical point, and then simply capture the naked decryption key from memory as soon as it surfaces.

Thus, encrypting the decryption key serves as only a minor annoyance, making it only incrementally more difficult for a competent hacker to retrieve the key. Such "protection by obfuscation" is widely known to be one of the worst ways to "encrypt" or otherwise protect one's data.

In this light, how much more difficult would it have been to "hack" any of the other software DVD players out there, by simply debugging them and waiting for the player to decrypt (and expose) its own decryption key for all to see? I'd wager: not much more difficult at all.

Re:Wherefore encrypted decryption keys?

[Score+Whore]

Yup. Anything that can be done in software can be completely reverse engineered and understood. It doesn't matter how sneaky, misleading and underhanded the application is meant to be about protecting it's secrets. You just can't stop people who want the information.

-sw

Re:DVD Encryption? Good riddance

[Enoch+Root]

Didn't know that... Interesting.

Still, I think my point stands... The industry was certainly not hurt by everyone and their brother copying VHS cassettes. It's insane to say they're losing so much money because of piracy.

Did you ever hear of someone running an "illegally copied VHS ring"? I sure didn't. Yet up until now (as you point out), copying a VHS movie was standard.

And once you own it, you should damn well be able to copy it, sides.

"Knowledge = Power = Energy = Mass"

Re:Great insight; one question

[ewhac]

Yes, but when you're talking about counterfeiting in commercially significant quantities, the encryption scheme doesn't enter into it. All the encryption scheme accomplishes is to prevent people from turning the MPEG datastream into plaintext. But a high-volume counterfeiter doesn't duplicate at that level; they duplicate the raw bits coming off the read head.

The DVD player in your living room has no way of knowing whether the disc you're playing was legitimately stamped by the studio, or whether it's a precise bit-for-bit copy stamped in Malasia. So it's fairly easy to demonstrate the encryption scheme fails at its stated purpose.

So what's the encryption really there for?

Schwab

Re:How does DVD encryption work?

[Score+Whore]

Without the unlock key (which was the first step necessary to get around to breaking CSS) DVD-ROM drives will not deliver data from encrypted movies.

So at a minimum you still need to activate the unlock system in the DVD-ROM before you can make a disk-disk copy. But that came before the DeCSS showed up anyway.

-sw

They Should Replace Failed Media

[David+Jensen]

Disney only licenses the product. If the media fails, I still have the license, so they should replace the media, right? Some SW companies were very good about that, but I haven't tried lately.

Re:Net Impact on Movie Industry: Zero

[barleyguy]

Actually, DVD writers are NOT expensive. I bought a Toshiba 2x DVD-RAM/DVD-R writer for under $500. That's pretty cheap, especially since I saved myself the purchase of a tape drive.

It only does 2.6/5.2 Gig, but with only 2x compression, you could get a 4.7gig movie on it.

One thing, though - blank DVD's are more expensive (in small quantities) than DVD movies. A blank DVD is about 25-35 dollars, whereas most movies are less than 25 dollars. So it's not really cost effective, at the moment, to copy DVD's. Now converting them to VCD format and putting them on an 87 cent blank CD would be feasible, with a slight loss in quality.

Re:link to the utility?

[Nichen]

Aye, I have a copy of DeCSS, even made a short clip of Pi into mpeg1 last night to check out the quality. Word of warning, it takes a LONG time to rip a movie, and at least on my dvd drive (I have a Creative Labs 5x drive) the dvd and drive were both rather hot after the ripping. Make sure you have a lot of hard drive space too ;)

As to where to get it? Look around on the net, I found it in about 5 minutes using good ol' search engines.

Re:Why not bribe a licensee? (need a big bribe)

[Ivootje]

Of he wouldn't do it this way, putting that key unencrypted on the disc.

But secretly writing it down as a zipcode or a phonenumber in his Palmpilot, which will be read by Agent X in restaurant Y.

Etc. etc.

Re:Net Impact on Movie Industry: Zero

[GoofyBoy]

>movie industry really has nothing to worry about >from unauthorized copying.

What they do have to do is make a reasonble effort to protect their property. Its like not even having a lock on a door, no matter how weak the lock is. This would be effective in courts of law.

>Writable DVDs will only slightly change the playfield

Actually, one of the links in the article has a how-to on converting a DVD to a reduced quality VCD (which can be produced using Writeable CDRoms)

>the hardware companies haven't figured out that >they're in the driver's seat.

I think that software companies are more in control. What can you run off of DVD drives except for movies? Not too many programs/applications out there.

Re:Heeheehee (veering even more off topic)

[DanaL]

Umm...I usually go to those rooms called 'Bathrooms', but perhaps they build theatres differently up here in Canada :)

Re:So do slashdot folks care that this is immoral?

[osboy]

I pronounce my judgments thus:

1) Cracking DVD encryption key: Not Immoral. (c'mon folks, it's computer science, not crime)

2) Copying DVD movies for personal use, trading with friends, etc.: a Little Immoral (Immoral but still within my personal comfort zone. :)

3) Sale of pirated material for personal gain: Damnably Immoral!

Furthermore, the motion picture industry should not worry about me, nor others like me, because:

My home theater setup is better-sounding than my computer speakers. My television is larger than my computer monitor. My sofa is more comfortable than my office chair, and does not require mastery of yoga to fit me and my wife on. I enjoy the DVD format for it's sound quality and for the picture quality. I also always buy movies that I really like. I have tons of movies on VHS that I've copied, but i never watch them. The ones I watch most often are ones I've bought, because I can't afford a professional dubbing deck, and the quality of the recording is better on the store-bought ones. When a kick-ass new movie comes out, I want to see it on a huge screen in a movie theater. When something I REALLY want to see comes out, like The Matrix (huzzah!) or Episode I (Argh!), I ESPECAILLY want to see it in a theater FIRST. Besides, since I don't have numerous spare 9 GB drives lying around, and I don't have a T3 to my house, acquiring these pirated movies would be a pain in the ass. So I can pay $24.95 at retail for a movie I really like, and watch it on my home theater, or I can pay, what, 10 buck less for a pirated one, and watch it on my computer. Er, I think I'll take the $24.95, and the self-rightoeous moral superiority. :)

Re:Net Impact on Movie Industry: Zero

[Merk]

I think you're forgetting something. The timeframe. VCR tapes have been around for how long? 20 years? In that 20 years, the "size" of 1 gigabyte will chage tremendously.

I remember when I first downloaded Linux it was about a hundred megs and I was using a 2400 bps connection. I just let it run for 12+ hours.

How long before someone with a fast connection decides it's worth 12 hours to download the 6 gig Matrix DVD?

The cost of DVD writers is only a short term barrier too. Sure, they're expensive now, but do you really think that in 10 years, it will be expensive to get 10 Gig of removeable storage?

In less than 10 years, the hard drive my computer uses has undergone a 100 fold increase in size. The bandwith of my internet connection has undergone a nearly 1000 fold increase in size. But during that time my VCR hasn't changed, and DVDs were supposed to last that long too.

Scheiss Netscape!

[FreeUser]

ARGH!!!

Sorry for the double post -- netscape crashed mid-submit. Still not sure why that would commit it twice, though -- once with a correction and once without...

Re:I just hope they don't stop making DVD's

[Jeremy+Erwin]

DVDs are encrypted to both stop piracy, and to protect Hollywood's incremental release dates.

A film is usually released in its country of origin first. Some months later, other countries may see it. This is done to save on film printing costs. The DVD zone system--which forms a large component of DVD "encryption" is designed to ensure that a people in Australia don't order a US-imprinted DVD instead of viewing the film in theaters.
Of course, this system ends up shafting the foriegn film buff. Many Japanese films simply don't make it into the US market/zone, and thus are inaccessible to the most import savvy viewers. Of course, one could always buy a Japanese-encoded DVD player, but that's rather expensive.
One oddity with the zone system is that China forms its own zone. Of course, China is home to many a pirate, but this also allows the government of the PRC to essentially control film imports more effectively.
The whole incremental release system will be obsoleted by digital distribution systems, anyway. Bravo for the crackers!

Re:How can breaking trade secret be "illegal"?

[Darby]

Question. This thing actually passed?!?
"creating or distributing technology" that can be used to circumvent copy protection
Let's see. A compiler, a debugger, a disassembler,a text editor, a DVD Burner............
Do you remember what they used to crack the protection on Lotus 123 all those years ago?
That's right. A hole punch. Snip bad sector gone.
It looks like everything is illegal now.
---CONFLICT!!---

Re:So do slashdot folks care that this is immoral?

[Mr.+Slippery]

I suggest you click on The Hunger Site and try giving something for free. Then come back and tell us how much it affected your morgtage or car loan or whatever.

That which is supported by advertising is not free.

Massive corporations want you to buy their stuff. They spend money on advertising. The cost of advertizing is included in the cost you pay for their product. When you buy a can of Coca-Cola, part of what you pay goes to Coke's advertising budget; Coke buys advertising on UPN; UPN makes another season of Voyager. So you don't get to ogle Seven Of Nine(TM)[1]'s tits for free[2], no no no; you pay for it with every can of Coke, every Gateway computer, every new Toyota, whatever you see advertised.

There's also the fact that you are paying by allowing these companies to attempt to influence your buying decisions, but that's a more subtle topic.

([1] Yes, "TM", according to the Star Trek website. Bleh.

[2] No disrespect intended to Jeri Ryan. Much disrespect intended to whoever decided her character should dress like that.)

Linux DVD Movie Player

[shivas]

So can we have a DVD MOvie player for Linux which can use these hacked keys to decrypt the content?

Re:Net Impact on Movie Industry: Zero

[My_Favorite_Anonymou]

No matter how cheap it is, it won't be cheaper than vhs tape. Are you trying to tell me that the 200gig harddrive you are describing is going to be cheaper than compatable 40 2-hour vedio tape (assume 1 movie=5 gig) that cost 40 bucks? And nobody pivates movie with vhs that's already out on video, you can only buy shaky-cam theatrical release.

I agree zero impact in U.S. Hong Kong movie industry is suffer a big deal aleady though. 50% of the time people by good advertisement campaign, or promotion. This is one thing pivate can never provide.

(btw, who can justify a 50-dollar Russ Meyer video, I'm going to buy the pirate from ebay. I don't care what you say.)

Re:XORing bytes _is_ the ultimate security

[ToastyKen]

Nuke 'em from orbit. It's the only way to be sure.
:)

Re:Net Impact on Movie Industry: Zero

[color+of+static]

I think the reason they worry about the piracy issue with DVD over VCR is the quality of the copy versus the cost to make that copy. With VCRs you get generational defects, and even master copies ware out. Once you get your master copy of a DVD you can make perfect copies every time.

Now I really think the entertainment industry is run by lawyers who don't understand the issue here. If I'm a pirate, I'll just bit copy the media (DVD in this case), and press disks. If I don't have the keys I can then just copy the encrupted data and the copy protection. If I do have the keys I can change the content before copying, but pirates don't want that.

Before anyone works on digital IP rights issues they should be forced to read, and understand, the record player example in Godel Escher Bach. Then if they start claiming they have the ultimate meta record player we know for a fact they are idiots.

DVD 2 VCD or MPG

[BrookHarty]

I have been converting a few of my DVD's to VCDs for the past 2 months.
I can only watch VCD's on my laptop. Home theater system is DVD/VHS. (DVD player plays VCDs also...)
Only problem is it takes 2 days to rip/convert a DVD to VCD. So I own the same movie on 3 formats, VHS,DVD and VCD...

If anyone is interested, check out http://www.dvdsoft.se for ripping/encoding/converting DVDs.
If you want to buy Original VCDS check out http://www.coolvcd.com - They have matrix on VCD!

The movie industry has made money off me......

Re:DIVX was right

[settonull]

But isn't DIVX at least as dependent on some kind of copy-protection scheme as DVD?

Yes it is, and IIRC there was a small device you could build/buy that would allow you to watch a DIVX movie without paying for it. Copy protection is a waste of time either way.

Great insight; one question

[Christopher+B.+Brown]

Your observation that "consumer piracy" is likely to be insignificant is very well noted.

The thing is, the commercially significant piracy that takes place under the DVD regime is likely to be, as it is now, a result of "mass piracy" on the part of folks in the "gray market."

Unfortunately, they will benefit from the cheapness of producing DVDs, and while it may become more expensive to become a "commercial DVD pirate" than it is to become a "commercial VHS pirate," that goes along with the benefits of:

• Cheaper media and labour costs, and when you're doing something illegal, it's doubtless preferable to have fewer low-paid lackeys that could turn on you, and
• Perfect digital copies rather than the present Analog-to-fuzzier-analog VHS results.

If the big sellers of DVDs can maintain rigid control over the manufacturers of DVD mastering units, that might make it hard to "clone" DVDs from masters.

Unfortunately, that's liable to have the same flaws as DAT did. With DAT, there were special codes encoded into tape headers that would let the units forbid copying. That was part of why DAT never took off.

Re:Great insight; one question

[PotatoHead]

Good for Sony. As things slowly become global, people realize that other cultures have a lot to offer. What model DVD did you get?

Re:Great insight; one question

[PotatoHead]

I think that is is there for control. They can vary the content by zone, and they also can have a say in who makes disk players, and what they can and can't do. Think about this: If there were no real encryption, what would prevent the average joe from producing DVD's? The mastering process would be just as it is now for CD's. Expensive at first, but less as demand grows. Also said average joe would be able to distribute their media anywhere...

Re:Great insight; one question

[Repton]

They can vary the content by zone

We have a DVD player bought from Sony... When we bought it, we also got it modified (for about NZ$40) to accept DVDs from any zone.

The modification is Sony approved, and was done by the shop (which was a reputable place).

So much for zone protection...
--
Repton.

Depends on how you look at it.

[dpdx]

M.o.R.E. should have quietly reported the problem to the Xing and whatever the main company that handles DVD technology is and helped them solve it, not just totally fuck them over, as well as the rest of us.

Even if they'd have done that, that old, crackable system is still burned onto millions of discs, and they're all available at your friendly neighborhood content provider, the video store. That's a lot of Disney flicks to steal.

Second, your premise assumes that MoRE should be interested in helping the nice multi-national megaconglomerates [who presumably represent the people]. That doesn't strike me as realistic.

In fact, I'd tend to think that groups such as this exist to subvert the profit of companies they perceive as evil (not that anyone in this community would know anything about that, based on their dealings with the Open Source Software movement). I don't gather from the article that MoRE is setting up to become your one-stop shopping center for bootleg Meg Ryan flicks. They hacked DVD, probably (if I had to guess) mostly for it's own sake.

Turn the argument around for a second, like this:

cDc is totally irresponsible to all of us who would use Windows because they didn't quietly alert Microsoft to the fact that it was so #@$! easy to administer remote control to a Windows box, and now they're forcing Microsoft to release another version of Windows. How dare they!

OK, I know the analogy breaks down somewhat, but the kernel is this: the same mindset from which MoRE came to hack DVD, probably prevents them from acting in the manner you described as correct.
_____

Re:Depends on how you look at it.

[supz]

"Why DVD Encryption Crack was a Cinch" | supz (77173) | Preferences | Top | 362 comments | 2 siblings
Threshold: Save:
The Fine Print: The following comments are owned by whoever posted them. Slashdot is not responsible for what they say.
( Beta is only a state of mind )
Totally irresponsible (Score:1)
by supz (supz@i.love.spam.net) on 02:36 PM -- Wednesday November 03 1999 EST (#260)
(User Info)
The guys from M.o.R.E., that made DeCSS are totally immature and irresponsible. Cracking the DVD encryption is not neccesarily the bad thing,
the bad thing is that they made this program and distributed it. That ruins DVD for everyone. Now the movie industry is going to have to retaliate
and put some alternate protection on DVD's which could even possibly require all of us to purchase new DVD players or something of the sort.

M.o.R.E. should have quietly reported the problem to the Xing and whatever the main company that handles DVD technology is and helped them
solve it, not just totally fuck them over, as well as the rest of us.

DVD technology is a really great deal: you get digital quality video and audio and a bunch of extra scenes on one small CD-sized disc, all for about
the cost of the movie on video. Why ruin a good thing? I must say that it was also stupid and irresponsible for Xing to not encrypt the key, but two
wrongs do not make a right.

Shame on MoRE.
[ Reply to This | Parent ]
>
Re:Totally irresponsible (Score:1)
by cr0sh on 03:22 PM -- Wednesday November 03 1999 EST (#305)
(User Info)
Actually, I think they should have waited to release the program after low-cost means of copying the resulting file became available. A very likely
outcome of this whole thing will be some kind of restrictions or something on DVD recorders (tech or price wise)...
[ Reply to This | Parent ]
Depends on how you look at it. (Score:1)
by dpdx (dpdx@nospam.teleport.com) on 03:56 PM -- Wednesday November 03 1999 EST (#327)
(User Info)
M.o.R.E. should have quietly reported the problem to the Xing and whatever the main company that handles DVD technology is and
helped them solve it, not just totally fuck them over, as well as the rest of us.

Even if they'd have done that, that old, crackable system is still burned onto millions of discs, and they're all available at your friendly neighborhood
content provider, the video store. That's a lot of Disney flicks to steal.

Second, your premise assumes that MoRE should be interested in helping the nice multi-national megaconglomerates [who presumably represent
the people]. That doesn't strike me as realistic.

In fact, I'd tend to think that groups such as this exist to subvert the profit of companies they perceive as evil (not that anyone in this community
would know anything about that, based on their dealings with the Open Source Software movement). I don't gather from the article that MoRE is
setting up to become your one-stop shopping center for bootleg Meg Ryan flicks. They hacked DVD, probably (if I had to guess) mostly for it's
own sake.

Turn the argument around for a second, like this:

cDc is totally irresponsible to all of us who would use Windows because they didn't quietly alert Microsoft to the fact that it was so
#@$! easy to administer remote control to a Windows box, and now they're forcing Microsoft to release another version of Windows.
How dare they!

A security hole in windows could harm people far worse than a security hole in a DVD, so that little analogy breaks down a hole lot.

Re:Depends on how you look at it.

[Darby]

cDc is totally irresponsible to all of us who would use Windows because they didn't quietly alert Microsoft to the fact that it was so #@$! easy

Your analogy breaks down in this case because
cDc did exactly this and Microsoft told them to fsck off.

Not that I disagree with your point, I just wanted to point that out.
---CONFLICT!!---

Re:Not too surprising

[jd]

Agreed. The key length was FAR too small, for something like this. Running more rounds (as in triple DES) would be viable, but 3DES is phenominally slow - far and away too slow to be usable for real-time applications.

It's hard to protect -everything-, since something has to be visible to the hardware for it to be able to start decryption. The outer layer -must- be visible, even if it's in hardware. At which point, all you need do is read the outermost key, and you get to exactly the same point these guys did.

Anything the player can see, you can see. There's nothing magical about a machine, even when it's based on a Japanese design.

The question was never "whether" DVD encryption would be busted, but when. Actually, I'm amazed it took so long.

Sooner or later, manufacturers, movie industry bosses, etc, are going to have to come to the same conclusion computer software houses did years ago. Copy protection -doesn't work-! It's a fundamentally flawed concept. There was only one scheme that even came close to working, and that was confiscated by the MOD in England, and classified. Even then, it was probably fairly easy to break. The whole concept is fundamentally flawed.

Too bad for them!

[roystgnr]

Oh, no, they used a weak, 40-bit encryption scheme with 200 different keys lying around, and it bit them in the ass, you say? I'm sorry, but if out of 200 different companies there wasn't one who would say "Hey, look, this encryption system is as solid as swiss cheese!" before creating the standard, then they're responsible for what's coming to them.

It's as if someone discovered that every door lock and ignition lock on General Motors' cars could be disabled with a refrigerator magnet. Too bad for GM.

Re:Too bad for them!

[Dante333]

I thought it was with a palm pilot?

Re:Information Wants To Be Free

[jms]

Simply speaking, copy protection schemes just don't work. If you allow access to the data to anyone for any reason, someone is going to find a crack for it. I don't care how good your copy protection scheme is.


There's one exception to this, and that's if the company goes out of business before anyone has the time or interest to hack their copy protection. i.e. DIVX.

Re:Net Impact on Movie Industry: Zero

[jdwtiv]

>DVDs are cheaper to produce than video tapes.

I've often wondered about this. It seems like it would be cheaper to produce a cd than a cassette tape for the same reasons, yet here we are 10 years or so into the cd revolution and cd's are still more expensive than tapes.

(And if I remember correctly tapes/records were normally pretty close to the same price)

Also reminds me of a speech I saw from a well known games developer. He was very excited about the proliferation of cdrom drives, as cd's were going to save his company a ton of money over shipping floppies. When someone asked if that meant his games would be cheaper, he just smiled from ear to ear... :)

So much wasted effort... *sigh*

[jidar]

It really amazes me how clueless the entire entertainment industry is. Consider the amount of time, money and effort that is going into creating these encryption schemes on digital media, and for what? As several people have already pointed out, you can't stop people from copying! If your media ever has to be 'unencrypted' for someone to view it, then that is the point where it can be duplicated, be it by 'catching' the data as it goes to your monitor and sound card or by using a video camera aimed at your monitor. It is painfully obvious that there is NOTHING and I mean NOTHING that can be done to stop copying of media. People aren't even going to be slowed down. How long is it going to take them to catch on to that? This seems so obvious to me, and yet entire industries are all fighting to do... do what? Make another easily bypassed copy protection scheme... in short, not a damned thing.
All wasted effort.

hrm?

[MenTaLguY]

I was unaware that Bill Clinton and Al Gore were Republicans. Thanks for enlightening me.
Berlin-- http://www.berlin-consortium.org

Nope, I don't care...

[sterno]

I think, we as a society need to get over the notion that people own ideas. The open source movement has begun to demonstrate a great way for people to make a buck without having to own ideas. Rather than writing software, keeping it secret and then selling it to people, the companies have learned to give away the secrets, but make money on support and services.

Personally, my income is hurt by closed source old world ways of distributing software and media. I work in computers doing custom development of software for corporations. The software I right is really only useful in a specific context for a company so piracy doesn't effect the work I do. However, having to pay for operating systems, database software and development tools does effect my bottom line in a big way.

I will admit to the fact that deciding as a society that intellectual property isn't something you can own will hurt a lot of companies who have built their empires on that assumption. But in the long run I believe we will be better off for it. In addition I think their are better ways for these companies to make money.

Rather than producing a CD and depending on the distribution of the music to make money, why not make money off concerts instead. Give away the music to hook people and then do major concert tours. Sell experiences that cannot be duplicated and pressed and mass distributed. Sell things that are unique once of a lifetime events.

I can get a DVD of a movie, but yet I still go and see it in the theatres. Why do I do this? Because it is a unique experience that I cannot reproduce in my home. Their is value in that experience. I have a nice home theater system, but it is never the same, so I shell out my money and see it on the big screen with big sound and a large crowd of people to share the experience with.

Really the whole intellectual property thing is, I think, a sign of inefficiency in the mechanisms of distribution more than it is a legitimate form of business. Books, CD's, Videotapes, DVD's, all have a certain cost in duplication and distribution which must be recovered. With the rise of the digital, and the ability to make infinite perfect copies it seems wholely ridiculous to charge me money for it.

Do I believe that copying a DVD is illegal, yes. Do I believe that it is immoral, no. I believe that to charge more than the cost of distribution for the DVD is immoral.

---

Right to copy for personal use

[speedbump]

Wrong! You do not have a 'right' to copy legally obtained content for your own use; you only have the opinion of the Courts that home copying is immune from prosecution.

As long as we're talking about morality.....

[Ukab+the+Great]

If you want to talk about morality artists getting hurt, why don't you mention the different continent codes that DVD's/players have, courtesy of the DVD people. This little scheme is quite immoral. Basically, if you have a DVD you bought in Europe, it won't work on a DVD player in the U.S., and vice-versa. Or if you bought your player in Australia, you can't play DVD's you bought in china This is *damned* immoral because it bars people in one country from watching some great films produced in countries other than their own. Sure, a lot of films will get ported back and forth between continents, but not all of them, especially in the case of independant film. We see this phennomena with game consoles, where the playstation you bought in america might not run some awesome games you can only find in Japan. Same thing. This immoral practice hurts some very talented artists in other countries who have yet to be discovered. Hopefully the DVD crack will end this.

It means nothing for the DVD industry...

[Bill+the+Cat]

Give the current price of pre-recorded DVDs, the vast majority of people will find it much simpler to buy a legitimate copy of their DVDs, rather than try to obtain a pirate copy.

If the DVD makers decide to be dumb and raise the prices of their movies, well...

Re:Matrix?

[noom]

You forgot to critisize the acting -- Keanu Reaves really sucks. Although I agree with you on all other counts.

And yet, somehow, I still enjoyed the movie a lot. Go figure.

It had to be broken

[Another+MacHack]

The mere fact that software-only DVD players could exist is sufficient to ensure that the scheme was crackable, 40-bits or 2048. Why? Because obviously the software player could decode the stream in order to play it. They key has to be either on the disc, or in the player; there's no way around that. A hardware-assisted solution could have at least hidden the keys in a chip somewhere, but a software one is all out in the open, requiring only patience before it falls.

Who screwed up?

[DanMcS]

The article says the codebreakers reversed the XingDVD player. It was easy because someone didn't encrypt their CSS code. I thought the article was unclear on who exactly it was, but on a second reading it appears that Xing themselves were the culprits. If so, this probably opens them up for a slew of lawsuits from the people who claimed this format was secure.
Anybody else think it's possible they did it on purpose? I mean, you don't screw up an industry standard that bad on _accident_. Could have been a disgruntled employee, maybe, I dunno.

Re:Who screwed up?

[nevets]

Actually, they had proprietary code, so they thought that it was hidden. The article says that the Xing code was reversed engineered. And that their key just wasn't encrypted. So those at Xing probably never thought that their software would be reversed engineered. Idiots, more likely than disgruntled employees.

Steven Rostedt

Re:Net Impact on Movie Industry: Zero

[Cramer]

I'm sure the DVD Forum was well aware this weak as all hell pseudo-crypto was going to be broken in record time. Anyone who knows anything about cryptography knows the CSS system is a joke -- the only way it can be close to secure is by hiding it's simplicty behind an NDA.

There's nothing to suggest the forum cannot (will not) change the keys. After all, it's simply one sector of the disk. No PC DVD-ROM will care what's in that sector any more than any set-top box will. This will break every software player and every DVD decoder card that handles CSS directly. The set-top boxes are questionable...

As I understand it, CSS merely prevents access to the sectors of the DVD; it's not actually munging the data in that sector. If that's the case, then the DVD forum can fill that sector full of random garbage and break every PC DVD-ROM in the world while not bothering the set-top boxes that don't give a rats ass about CSS -- the decoder hardware is closely coupled to the read head. It wouldn't take long before manufacturers would be offering new firmware to remove CSS once and for all. That'd be _GREAT_, therefore, I must be wrong :-(

Of course, for all I know, the DVD-ROM drive itself could be the one doing the scambling. All I know is that the drive is not supposed to give you access to the protected sector(s) without proper CSS handshaking and key exchange.

A dumb question (was Wherefore encrypted ....keys)

[billybob+jr]

If someone had the ability to press a dvd that was a duplicate of another, wouldn't that dvd play just the same as the original?

I just hope they don't stop making DVD's

[cehf2]

It would be very bad for the DVD industry if the Film makers stop producing DVD's. At the moment it is not such a problem as you can not feasibly copy a dvd movie across the internet, as it is about 4gb.

DVD's are so much better than any video could ever be that the film industry has got to keep producing them. besides they are probably cheaper to produce than videos, as it is a relatiuvely simple pressing process.

Re:I just hope they don't stop making DVD's

[jms]

What -- they are going to stop pressing DVDs, (which are much cheaper then VHS cassettes to produce, bring in higher profits, and can only be stored on a recordable medium that costs more then the prerecorded DVD), and continue manufacturing VHS cassettes, which are bulky, more expensive to produce and ship to market, and are easily copyable onto a blank medium that costs 1/3 to 1/5 the cost of the prerecorded tape?

They're just mad because they were promised by the technical people that this encryption system was SO perfect that it would make it impossible for anyone to ever copy any part of a DVD. The pesky problem of "fair use" wouldn't be an issue, because fair use would have become technically impossible.

Unfortunately for them, the rest of the world doesn't seem to share their vision of the future of recordable media.

Re:I just hope they don't stop making DVD's

[N_R_K]

DVD's are transported across the internet everyday. Right now Movies on DVD are converted into MPEG1 or VCD format everyday. This process is time consuming, but very possible. It takes a 4-6gig DVD and converts it to about 1.2 gig (2 CDR discs) which are distributed daily if you know where to look for them. The point is, stiffling the release of DVD-R or putting additional restrictions on them is pointless, since the piracy they hope to prevent already happens on a large scale.

Totally irresponsible

[supz]

The guys from M.o.R.E., that made DeCSS are totally immature and irresponsible. Cracking the DVD encryption is not neccesarily the bad thing, the bad thing is that they made this program and distributed it. That ruins DVD for everyone. Now the movie industry is going to have to retaliate and put some alternate protection on DVD's which could even possibly require all of us to purchase new DVD players or something of the sort.

M.o.R.E. should have quietly reported the problem to the Xing and whatever the main company that handles DVD technology is and helped them solve it, not just totally fuck them over, as well as the rest of us.

DVD technology is a really great deal: you get digital quality video and audio and a bunch of extra scenes on one small CD-sized disc, all for about the cost of the movie on video. Why ruin a good thing? I must say that it was also stupid and irresponsible for Xing to not encrypt the key, but two wrongs do not make a right.

Shame on MoRE.

Re:not much time left...

[Greyfox]

1) Yes, but there's not much time left for that either. By 2005 Japan and Europe with both have bigger net presences (And better video and voice integration for data transmission.)

2) It killed the CDA pretty well dead in its tracks.

2.5) I'd like to see it pass, and then everyone can go out, buy a steak at the supermarket and then go to the police and confess to possession of the drug.

The unencrypted key in Xing's player is irrelevant

[kijiki]

If your computer can use the key to decrypt the stream in software, you can watch it decrypt its own code in Softice or something similar, and get the key. The encyrpted code just made things more difficult. Without some kind of tamper-proof hardware there is NO WAY to do 100% secure digital media distribution.

Not too surprising

[Christopher+B.+Brown]

This exposes two unavoidable vulnerabilities:

• The system was using a published crypto scheme using "mere" 40 bit keys.

  40 bits is fairly breakable, and since key transmission is a critical problem in building crypto systems, and DVD systems often represent embedded systems, they have a few keys vulnerable to brute-force attacks.

  There is no question but that DVD encryption would be quite vulnerable to brute force attacks.

• This story displays that protocol problems represent a major vulnerability.

  It appears that the result of this "exploit" is that the decryption keys for all DVDs have been exposed as a result of them being accidentally published.

  This is the sort of thing that organizations like the NSA reportedly are acutely sensitive to when they are trying to crack systems.

  In order to keep such systems secure, it is absolutely necessary to be extremely careful with how critical data like encryption keys are dealt with. Apparently these keys were released to people upon whom it was not carefully enough impressed that they needed to be "billions-of-dollars-riding-on-this" worth of careful.

Oops.

Re:Not too surprising

[Cramer]

I don't know... the old Atari "hole in the floppy" method, while relying on the software to verify the hole, was a very effective system. The C64 also had a very good system... the floppy drive was a computer all it's own; load code in the drive to read back the protected data in a way that was not normally readable.

Any time software is used to enforce copy protection, the protection is worthless. Only a hardware solution beyond the alteration of an end-user is a solution. This worked perfectly for the Playstation until the advent of the mod-chip.

Re:Not too surprising

[Bradley]

Every player -- including consoles from Sony, Toshiba, and other consumer electronics vendors, as well as software vendors for PCs like WinDVD and ATI DVD -- has its own unique unlock key. Every DVD disc, in turn, has 400 of these 5-byte keys stamped onto the disc. That way, the unlock key from every licensee, be it WinDVD or a Pioneer DV-525 unit, will read the disc.

So does this mean that there can only ever be 400 DVD drive manufacturers? What happens if XYZ Corp starts manufacturing these tomorrow, and I buy one. Can I then not play a DVD that was printed yesterday?

Am I missing something?

Re:Not too surprising

[Bradley]

I don't really think there will ever be more than 400 DVD drive manufacturers.

And nobody will be using this software from the 60s when we have to worry about date rollovers...

Presumably that means that whoever's in charge of the whole process has these keys already autogenerated, and pressed onto each disk?

Re:Not too surprising

[hasse]

That's right. But I don't really think there will ever be more than 400 DVD drive manufacturers. (It's not like there was 400 manufacturers who signed up from start, and those are the only ones who've got keys. They're assigned keys when they sign up for a license.)

Re:Net Impact on Movie Industry: Zero

[Foos]

An interesting point to note is the fact that when you make a copy of a VHS tape, you lose a certain amount of quality on each copy. So if you have a "fifth-generation" copy of a movie on VHS then there will be a noticeable loss in quality. On the other hand, with DVD there is no loss of quality whatsoever even for a "hundredth-generation" copy since it is all digital. Thus a copy will be exactly the same as the original.

Why not do this?

[JM_the_Great]

First you get the encrypted DVD. Put it in your computer and play it. Get a scan converter and record it to VHS. Play it back and record it to an MPEG, VCD, DVD or whatever. This will work with anything CD's, Encrypted/Copyrighted/watermarked music, anything that can be transilated into an analog signal and back again. You will lose some quality, but, to save a few bucks it might be worth it.

In this sense no matter how strong the encryption is, it can always we worked around. If you record it to a DAT (music) or another high quality Video recorder you woln't lose much quality and you don't even have to crack a encryption scheme.

If software was only this easy to pirate.

Disclaimer: I don't suggest you do any of the things stated above and I'm not responsible for anything that might happen to you beacuse of your use of said ideas.

That's my $(2^4*3+1/7%3*2/100)

Information Wants To Be Free

[adimarco]

Without getting too deeply into the idealism of the subject, they really should have expected this.

Simply speaking, copy protection schemes just don't work. If you allow access to the data to anyone for any reason, someone is going to find a crack for it. I don't care how good your copy protection scheme is. I don't care what kind of information you're trying to protect, or what kind of media it's on, be it CD, DVD, casette, diskette, whatever. Information wants to be free.

They've tried so many tricks and schemes over the years. Remember the "What is the second word on page 153 of the manual" ones? Or what about software that would only let you install it twice.

I still use numbers like 123-1234-1234567 for Micros~1 product keys even when I have the legit numbers. Always good for a chuckle.

The way they accomplished the crack was hilarious 'though. RealNetworks (or whatever subsidiary that was) must be pretty embarassed right now... forgot to encrypt their decryption key. Morons :)

Anthony


^X^X
Segmentation fault (core dumped)

Re:Information Wants To Be Free

[panck]

Information wants to be free.
i couldn't agree more, especially in a system like the internet, which was designed to allow information to move from one point to another as easily as possible.
trying to create a "secure" site or system connected to a medium like the internet is almost like getting in the ocean and trying not to get wet.
Here's a hint to the Motion Picture association and the Recording Industry....don't put your content in a format that can easily be read, unless you want it easily copied.
If you want to make it hard for people to copy, it has to in a format/using a system that makes it difficult for any information to be transferred.

Keep the information flowing, folks.

Re:Information Wants To Be Free

[xanth]

There are two cases that apply to the conjecture that "Information Wants To Be Free".

• The first is the situation where the distributor of the information would like to keep the information secret, while the recipient either has no preference, or would like to publicize the information. This case corresponds to the movie/music/software industry attempting to enforce copy protection. It clearly can never be done with 100% enforcement. At some point, regardless of the encryption scheme and protocol used, the information HAS to be converted to plaintext before the intended recipient can view the information. Thus the decision to keep the information secure is up to the recipient.

• The second case is when both the distributor AND the recipient would like to keep the information secret. In this case, by using a sufficiently well tested and well designed encryption scheme and secure protocol for exchange, the information can be kept secret against all forms of attack.

So the ball is in the recipients court: the distributor has little control, and while security of information in the context of private email and so forth is entirely achievable, in the context of "copy protection" it is, as the borg say, futile.

Re:Information Wants To Be Free

[jafac]

using that license key - you have signed your death warrant. Whenever you go onto the internet, IE secretly sends a GUID containing your license number to a Microsoft database. So when Microsoft rules the world, the Bill Gates' Jackbooted thugs will track you down and send you to the "Intellectual Property Paradise", where you can work as slave labor (waxing Bill Gates' fleet of Ferraris), until you have paid back all the value of the intellectual property you have stolen. Then, you will be executed, automatically, by electricution, scheduled and actuated by a WinCE device they've implanted up your butt.

I wish I had a nickel for every time someone said "Information wants to be free".

Re:Take a lesson from Hong Kong?

[ewhac]

Clearly, these people are not very clever. It seems fairly clear to me from this "horror story" that the movie theatre model of film distribution has been marginalized by advancing technology.

We observe that people are not willing to go to the theater, but are willing to buy VCDs. Now, would a clever person either:

1. Release to VCD first at, say, a 50% premium over bitlegged VCDs, thereby establishing themselves as the source of the highest quality copies of that movie (and then release to theaters a couple of weeks later, thereby getting all the people who want to see the film in all its high-resolution wide-screen THX glory); or,
2. Whine shrilly about "piracy" and your rapidly-eroding intellectual "property" rights?

The environment is changing. Organisms (and organizations) that do not evolve will end up as an exhibit under glass in a museum. I guarantee you the environment will not change to suit your whims. Start changing the way you think about this stuff; the ulcer you save may be your own.

Schwab

Re:5:1 can be good

[just+someone]

The problem is that engineers need to learn how to do good 5.1 mixing. The mixes are designed to for the user to face the center speaker, it's not as non-directional as stereo configurations. Speaker position is programmed into surround sound set-ups to make it seem like the sound is coming from one direction.

There are a few great music tracks on movie dvds. Turn off the TV, and you've got great sound.

The talking heads Stop making sense has two great 5.1 mixes. One puts you in the front row, and the second is the "soundboard" mix, and what I would expect to be on a dvd audio disk. The music surrounds you.

The Aretha franklin scene is blues brothers is another great mix. The background singers are in the surround speakers.

And you can see how the mixes get better as an engineer gets more experience by listening to Fleetwood Mac The Dance DVD. The surrond speakers come alive in the last few songs.

Not a good week for real.com

[uncleFester]

First the privacy snafu, now this. The question, though, is who will get the blame for this.. Xing for failure to encrypt, or Real for not catching it? Who gets their ass tossed out the front door?

*snicker*

So, what to do now? Firmware updates? SuperMassive recall? (unlikely) An excuse to change the spec/format? At the least, all codes will^H^H^Hshould be strengthened, changed, etc.. I guess the overall question is...

How will the average consumer get bent over in this one?

-fester

Windows NT encountered the following error: The operation completed successfully.

Re:DVD is Dead Anyway.

[Todd+Knarr]

Yep, you've "got" it alright. But with attitudes like yours, not a lot more will be stored on media you can keep indefinitely.

Perhaps. But my "attitude" is the norm among consumers. License, schmicense. When the average buyer comes home with a movie, they know they don't have the right to duplicate it and sell copies but they own the copy they bought. Tell them "you can't use what you just bought because we changed our minds", and they'll laugh at you. Try to enforce it, and people will ignore you. Make media that doesn't let them ignore you, and it'll sell as well as DIVX.

Re: Have you tried copying a DVD to VHS?

[Another+MacHack]

Sure, that's what "color correctors" are for.

DVD-R

[bbqBrain]

The article raises an interesting point: there could definitely be a move to restrict DVD-R technology in the US following this chain of events. It seems an absolute outrage to me that the potential of DVD-R could go unrealized, at least in the short term.

CD-R is great, but a more and more packages are too big to fit on a single disc. DVD's offer a convenient way around this. There's nothing wrong with the technology--don't punish it and the people who want to use it for legal purposes.

Of course, it wouldn't be the first time the recording industry imposed its will on the American public. As I recall, they almost killed DAT. In fact, it never did catch on much for home use.


-bbqBrain

Re:Kill the smart people

[Bolero]

I agree with you for the most part. The only problem I have is your example. Distributed.net is using a different method to break RC5-64 than what the CSS hackers used. They didn't attempt to brute force attack CSS, instead they found a kind of security hole in Xing/Real Network's security

If somebody found a glaring security hole in RC5-64, it too would be brought down.

Like hybrid multiple-recipient PGP

Based upon what I read out of the LiVid mailing list archives on Monday:

• Most disks have their video data encrypted with a random 40-bit key (called a "title key"?). Each disk has a different title key.
• 409 copies of the title key are made, each encrypted with a different manufacturer's key (also 40 bits each). Those encrypted keys are written to the disk.
• A given manufacturer, when they get their DVD license, gets one of those 40-bit manufacturer's keys and a note that says "use key number 12".
• The player looks at the disk, extracts the 12th of those 409 encrypted keys, uses its manufacturer key to decrypt it, giving it the title key. That title key is used to decrypt the video material. It ends up with the same title key as any other player would have gotten on that same disk.
• The manufacturer key would be held in ROM or encrypted in a software player of some sort. To discourage manufacturers from doing that badly, the following threat is put in the license agreement: If someone figures out your manufacturer key, you pay us a lot of money, and in addition we stop including your key in the 409 used on new disks. Now all the newest movies won't play on your player, and you go out of business.

So it's like the usual hybrid PGP scheme with multiple recipients (where a per-message random symmetric key is public-key-encrypted to each of the recipients), except CSS uses symmetric encryption everywhere, and the disks are usually encrypted to the same 409 recipients all of the time, and only a few dozen of the recipient keys are actually known by real users (players), the rest being kept in a vault for new licensees.

The problem was that the encryption was really poor. There are two attacks:

1. For any given disk, brute force the title key. I think this would take a day or two per movie. Then assemble a web database of some sort where you could look up the title keys for your disk.
2. Once you've figured out the title key for a given movie (say, by discovering one of the manufacturer keys, doesn't matter which), look at those other 408 encrypted keys. For each one, brute-force the related manufacturer key. (because of massive flaws in the crypto, this takes about a tenth of a second for each one). Now you have 409 manufacturer keys. You don't care which one is which. Publish them all.

The latter has happened. Hundreds of keys are now public knowledge. Many of them are probably in use by big-name manufacturers (you now have the key of every player that could have played that disk, which is all of the current ones and most of the future ones). And it is practically impossible to change the keys in a useful way. They would have to drop all of the keys in use by the current players from new titles, making them unplayable on current hardware. If even one key remained from the set that are now known, the same attack could be made to get all of the new ones.

Note that if they had planned for this, they could conceivably have put several keys into each player, and the response to having all of the current keys published would be to switch everything to Set 2 (instead of using FooCo's first manufacturing key on the disk, they use FooCo's second key). The current players that had multiple keys would still play new movies, but the published keys would not work. However, learning any one of the new keys (perhaps from a poorly protected software player that had multiple keys too) would allow the whole attack all over again. And brute-forcing a title key would allow the whole attack over again. The net result is that CSS is completely and utterly dead.

There is an extra layer on top of this, the authentication phase, which I don't know much about. From what I can tell it seems to be designed to keep someone from snooping the bus traffic and reading the decrypted video from there. The DVD drive will refuse to read certain sectors from the disk (the encrypted keys) until you've negotiated something with the drive. There may be more to it than that, but the technical issues have been solved for quite a while.. the necessary ioctls are already in the linux kernel.

And, as noted by others, this is independent of the copyright issues on DVD movies. CSS was a scheme to restrict use of the video data, and had the effect of preventing the development of open-source players on Linux and other platforms. Now they can be written (and mostly have been, although doing both audio and video at once is beyond the capacity of most processors).

-Brian

Re:DVD encryption is so stupid!!!!

[Foogle]

Yeah, you could've said the same thing about CDRs in the early 90's. Now a blank CD costs under $1. Why shouldn't the industry expect DVD-RAM to go down in price?

-----------

"You can't shake the Devil's hand and say you're only kidding."

In all seriousness...

[MenTaLguY]

The real problem comes from both sides of the aisle.

I'm quite sure the encryption opponents are quite relieved that anyone who might otherwise oppose them is too busy blaming whatever group he or she is not a part of, be it the Democrats or the Republicans, the Liberals or the Conservatives.

Berlin-- http://www.berlin-consortium.org

Well, what took them so long?

[XNormal]

I don't know about the film industry, but I certainly expected this. I was making bets on it with some friends. When I heard there will be software implementations I gave the DVD format 6 months before it's reverse-engineered. I lost... it took a little longer.

----

Obligitory "I told you so"

[LordHamster]

When I first heard of DVD encryption, I jokingly made bets on how many days it would take someone to crack it. I guessed 10 days. So I was a bit off, but "I told you so." I wonder when these people will realize that all copy-protection schemes can be cracked. What they have to do is provide more than just the movie in thier "official" versions. They should learn some lesson's from Rob Young's famous Linux - Ketchup speech. :)

Re:Net Impact on Movie Industry: Zero

[nickm]

DVDs unfortunately will lose out in the standards war for one basic reason: they're fragile. Everyone knows that if you scratch a CD (and so often we do), it'll skip, rendering part of it unenjoyable. Well, DVDs store information with twelve times the density of a normal CD. Couple that with intense compression, and you end up with two orders of magnitude more damage to a DVD when you scratch it.

The big market for home movies is in rentals. However, my friends and I once rented Tron from Blockbuster to watch on a new DVD player. Something like seven of the twelve acts were garbled beyond viewing ability. The Tron videotape's only problem was that the bastard who rented it prior to us didn't rewind it. The first problem ended up with a wasted evening plan. The latter ended up with merely a waste of ten minutes' rewinding time.

--
I noticed

Re:DVD is Dead Anyway.

[Todd+Knarr]

So why are stores that sell VHS tapes still in business? Yes, people like to rent before they buy. Yes, they like being able to get things they only want to watch once cheaply. But if they find something they want to watch repeatedly they go buy it, and in numbers large enough to keep the video department at Media Play, and stores like Sun Coast, open.

Re:DVD Encryption? Good riddance

[jnik]

In simple words: run the DVD, and copy it on a VHS. You'll lose these fancy functions, but the essence of the DVD is still there: a copyrighted movie.

The problem is, most DVD's have been macrovisioned. They mess up the video signal so that there's "minimal" loss in quality, but it wreaks havoc with the AGC of a VCR. VHS tapes are being macrovisioned now, too. 13th Floor, for example.

Re:Take a lesson from Hong Kong?

[key+nell]

Most HK film productions are financed by organized crime. In many cases they're the ones selling the pirate VCDs.

Nobody is ruining anything

No, it is spray painted in 50' high letters

[Randy+Rathbun]

What gets me is that no matter how hard they try encryption just gets blown away. I still find it rather tiring to keep reading this stuff. The guys coming up with this encryption stuff are either lawyers or marketing drones, so of course it does not stand up for very long!

Of course once it gets cracked then it becomes "hey! they cheated! they are illegal underground punks! they worship the devil!" and a host of other things - just look at what the Brittish recording industry put out recently - after all anyone who listens to MP3s are nothing but a bunch of pot smoking pedophiles, right?

To me breaking encryption is just the geek way of thumbing our noses at idiots. Here's to more beautiful hacks!


941415926518293950285123123568785948184839358193 948913958495
80124569890476636201512012315668018651125564087489 7980465063

Re:So do slashdot folks care that this is immoral?

[jafac]

The honest customer gets the VERY REAL and TANGIBLE benefit of not having to worry about Feds busting down his door and confiscating his computer, and locking him away.

The pirate may convince himself it's not going to happen. But there's always that possibility.

When you pirate, you get the software.
When you purchase, you get legitimacy. (personally, I think that MS probably hides GUIDs with your VC++ license # in the binaries it compiles, so virus writers can be tracked down, just like MS Word (UP) encodes GUIDs in Word documents).

I wish I had a nickel for every time someone said "Information wants to be free".

Offtopic: Philosphocal Question

[ewhac]

If, as you say in your post, "DIVX was *evil*," why did you work on it? Why did you help to create something you knew no one would want, and which you yourself didn't want to have?

I'm not trying to be hostile. It's just that I learned my lesson on issues like this a long time ago, and I've made it clear to myself (and my employers) that I will not work on projects with which I personally disagree. Perhaps I'm in a better position than most (and I also don't put myself in the way of such projects), but I've never fully understood why someone would spend their precious creative energy on something they personally felt was pointless, wrong, or ethically bankrupt.

This is just me talking,
Schwab

Re:Offtopic: Philosphocal Question

[Archeopteryx]

Well, honestly, I didn't think it was *evil*, but I thought it would be perceived as such. And I told people that it would be. The DIVX folks were not interested in being Big Brother, they were interested in providing a service that would obsolete video rental returns, and in making some major money while doing so. They failed to correctly consider the implications of the system that the available technology forced them to design.

However, if I were asked to work on something I actually thought was evil, I would either decline, or steer it away from that condition, or learn how to subvert it. In all the years I have been designing systems (22 years), I have not yet been faced with that choice. And that includes my time writing nuclear safety systems for a major power utility.

I have, however, decided not to go ahead with business ideas of my own which I thought were unethical. For example, I considered starting a 900 phone sex service in 1980, but decided that I didn't want to profit from other people's loneliness.

DVD is Dead Anyway.

[Smakk]

As a pioneer in the industry to develop DVD-ROM, I can tell you first hand that DVD is dead. The only clients for it have been people with video (movies) to transfer. Even the most non-technical feel that all video will be available over the net soon, so why bother buying DVD's and DVD players? Internet II, digital TV and a host of other high speed connections will render putting the video on a disk silly, except maybe for storage.

Re:DVD is Dead Anyway.

[Todd+Knarr]

The "except maybe for storage" is the kicker. Most people buy videotapes, DVDs and such precisely for storage. If I have the movie on DVD, I have it. You can decide not to distribute it any more, alter it, edit it, do whatever you want with it, I can still pop the disk in the player and watch what I bought no matter what. If I download it over the net when needed, I'm at your mercy. If you decide to take it down, I'm SOL.

Case in point: DIVX. It died because people didn't want to have to ask somebody else permission to watch a movie they'd already (in their opinion) bought. I suspect the same people want Internet-based video to succeed as wanted DIVX to succeed, and it'll die for the same reasons DIVX died.

Re:DVD is Dead Anyway.

[Endymion]

Ahh... but can I watch Dark City, the Crow, and/or Fear and Loathing [widescreen] in nice crystal clear video and stunning 5.1 sound RIGHT NOW over the net? And will it cost me big $$$ each time I watch it? That can add up a lot when you watch the Thrill Kill Kult scene in the Crow over and over again...

I though not. I'll stick with DVD for a while then.

Businesses and export restrictions.

[Dast]

If they did limit the keys to 40 bits because of export restrictions, maybe this will convince businesses to help fight those restrictions.

They stand to lose a lot of money not being able to secure dvd's. And when there is money behind something, you can bet they will act.

Re:Net Impact on Movie Industry: Zero

[Jerenk]

The GEB example is a good one. With, one slight flaw though. However, instead of the Tortoise being the one to outwit the Crab it is the store that sells the record players to the Crab. =) If they keep changing the medium, we are going to keep getting screwed royally to buy new players.

Personally, I hope that the record companies understood that there was a 99.999999% chance that the encryption was going to broken. I bet they have some fail-safe plans. I believe some people have mentioned as such before that they still have some tricks up their sleeves.

But, to see the encryption fail soooooo stupidly, it has to hurt DVD's chances on the whole. Didn't Xing THINK that someone would reverse engineer their buggy software? Hell, maybe that was their idea (one little programmer not encrypting the code brings down DVD - hahaha).

Later,
Justin

Re:Consumers have been copying movies since the 80

[gorilla]

- finally, unlike the RIAA member companies, movie studios are not parasitical entities acting as a paid go-between between artists and their customers. They provide the capital, resources, and equipment for shooting films and play a very necessary role of the art form.

This is true for the most part, however more and more films are being made as independant productions & only distributed by the major studios.

This is a trend I expect to continue. With the increasing costs of movie production it shifts the risk from a single entity which can be bankrupted by a bad film onto a smallar company which can take bigger risks.

not much time left...

[mullein]

I was re-reading the Digital Millennium Copyright Act of 1998, which was made law a year ago (october 1998). One of its provisions is that defeating copy protection (unless you're a specifically exempt institution or can demonstrate a valid need to make backups) will be illegal two years to the day after the passage of the act, which makes it effective in october 2000. any comments on this, preferably from someone who understands the legal ramifications of this?

Re:not much time left...

[Mattsson]

Well... I'm glad that I'm a "potential terrorist" and not a US citizen. =)

Re:not much time left...

[Evangelion]

In the states, yes. Was that an international law? I can't remember.

The h^Hcrackers who did this were in Europe.

Re:not much time left...

[TheCarp]

hmmmm buy red meat and goto the police and confess
you could already do that...

Your brain produces DMT naturally. DMT is a
schedual 1 hallucinogen. Thus, you are not only
in posession of DMT, you are manafacturing it.

Many states already make GHB posession illegal...
GHB is what is found in meat..and again
already in your brain.

If I were you, I would go turn myself in now.

Re:not much time left...

[hadron]

Fortunately, your funny little legislation doesn't affect what happens in parts of the world where people arne't so stupid.

Um, and it's probably unconstitutional anyway.

Re:Net Impact on Movie Industry: Zero

[ColinG]

Um... sort of off topic, but bandwidth related and to the downloading of DVDs. While you demonstrate your patience, assuming it takes between 6 and 10 (we'll assume 6) minutes to download 100k at 2400 speeds (in my experience, it DOES, also calculated assuming 2.4 kilobits/sec, or 300 *bytes* per second), that means it takes about 100 hours (one megabyte per hour) to complete a one megabyte download of your 100 megabyte linux distribution. I'm not patient enough to wait 100 hours for a DVD movie to download, so your comparison is a bit off, methinks. ;)

Good

[Col.+Panic]

Maybe this will give Hollywood types a more realistic perspective so productions like Hackers and that MTV portrayal are more accurate in the future.

They needed a clue and got one they will definitely listen to this time.

Re:Bad reporting on part of Wired

[Fizgig]

Someone on the livid-dev mailing list pointed out that he told the author this but he said he had already decided his slant on the story and wouldn't change it. Alax Cox then responded that that was sadly typical of Wired "reporters".

Re:Coca-Cola secret formula

[Porky+Pig]

don't they use guano as one of their
ingridients?

Not gonna happen in a million years

[Randy+Rathbun]

If it was going to, nobody would be producing audio or data CDs. We have had CD-R drives for what, 6 years now?
941415926518293950285123123568785948184839358193 948913958495
80124569890476636201512012315668018651125564087489 7980465063

Re:So do slashdot folks care that this is immoral?

[Mattsson]

And, of course, all your software are licenced, you have never taped a tv/radio transmission,
never read a paper in the store, never parked without paying, never driven to fast, etc, etc.

All illegal and immoral...

40-bit encryption??

[RayChuang]

I find it very surprising that the DVD encryption only used a 40-bit scheme. The problem is that anyone with a decently fast DESKTOP computer (e.g., Pentium III 550 MHz or Athlon 500 MHz minimum) could break the 40-bit scheme pretty quickly.

I think what will happen is that the DVD standards people will probably modify the encryption scheme to 128 bits, and believe me, to break 128-bit encryption you'll need hardware that is WAY, WAY beyond the expense of 99% of computer users nowadays. We're talking a multi-million dollar supercomputer or a HUGE Beowulf cluster (maybe over 600 machines in the cluster, and we're talking ones using the Alpha CPU) just to even consider breaking 128-bit encryption.

I won't be surprised that the modification of CSS to 128-bit encryption happens in the next year or so.

Re:40-bit encryption??

[RayChuang]

>> And they will still but the decryption key in the player, where it will wait to be discovered by someone with a disassembler...

Finding the key is one thing, but decrypting a 128-bit key is QUITE something else.

You'll need extremely serious computing power just to consider decrypting something encoded with 128-bit encryption.

Re:'They didn't encrypt the key' doesn't make sens

[hadron]

Yep.

Resistance is futile, you shall be duplicated.

Re: DVD and 40 bit keys

[Mattsson]

But not all the companies who make DVD players are american.
As a fact, very few.
So this wouldn't have been much of a problem...

related article

[icing]

The article at the digital bits gives a good assessment of what this might mean to DVD.

It will be interesting to see what the industry can do to fix "lost" activation keys. And that probably depends on if all discovered keys are in software or hardware players...

Re:Consumers have been copying movies since the 80

[Cygnus+v1]

Contrast this to the music industry, whose contribution to the art form, beyond providing a distribution channel they happen to enjoy a monopoly on, and perhaps a place to record and master (which any technically savvy musician can do in their own home), is negligable at best and quite often destructive.

I'm against the stranglehold that the Big Five have on media distribution, but I don't think that your statement holds water. It takes quite a bit of equipment just to make decent-sounding stereo recordings at home from a linear or non-linear multitrack system. Most of the big studios are not owned by record companies anyways. Don't even try to tell me that an album with the production quality of Dream Theater's Scenes From a Memory could be made in even 1% of home studios.

Re:No big deal

[TeChYMaN]

Redundant as you may wish, Yeah, if you own a big old production plant.

Re:Bad reporting on part of Wired

[Joools]

Good old Wired -- they invariably wring every storey for the most emotional value they can, even when they have to downplay an obvious truth to do so.

If the four-hundred-some messages on this board are any indication so far, the overwhelming reaction to this isn't "Great, now I can pirate DVDs", it's "Great! Linux drivers!" Which, of course, means MORE dvd sales, not less.

I don't typically believe in cosmic justice, but a little part of me is glad to see Real in the hotseat after this week's Real Jukebox Trojan Horse debacle.

Re:A dumb question (was Wherefore encrypted ....ke

[Spire]

Yes. But consumer DVD readers (including DVD-ROM drives) will not deliver data without first receiving the requisite decryption key via the established protocol. If you have a DVD-ROM drive, you can verify this by trying to copy one of the large (1GB) .VOB files to your hard disk; you'll get an error message as soon as you hit encrypted data within the file, since you haven't obtained "authorized" access to the data.

So the protection ("lock") is indeed done in hardware; the key to this lock, however, exists in software, which of course is the weak link in the chain.

When the DVD standard was being developed, I don't know if they failed to foresee that DVD decoders would eventually be implemented in software, or if they did foresee it, and simply accepted the eventual "cracking" of the protection as an inevitable reality. If I were they, I would have fought against allowing software DVD decoders to be produced at all -- at least it would have further delayed the inevitable.

Re:So do slashdot folks care that this is immoral?

[Steve+B]

2)Copying DVD movies for personal use, trading with friends, etc.: a Little Immoral

2.1)Copying DVD movies for personal use (e.g. backup, format conversion): Not Immoral. (Also Not Illegal, FUD to the contrary notwithstanding.)

2.1.1)Interposing technological barriers to (2.1) above: Immoral. (Not Illegal, but current practice of mandating it without consumer consent should be illegal.)

2.2)Copying DVD movied to trade: Immoral.
/.

Re:So do slashdot folks care that this is immoral?

[Amphigory]

Much like the huge cd-r explosion will dvd-r's hurt the MPIA as much as cd-rs have cut into the software industries profits?

Do you have hard numbers, or are you just talking out the side of your mouth?

Re:So what happens when we can't export DVDs..

[Mattsson]

I don't understand.
Is it illegal to export encrypted data from the US?
I thought it only touched algorithms and encryption software.

Otherwise everyone in the US who's communicating with someone outside the US with a non-US encryption or the scanned PGP are breaking the law!

Otherwise there's no problem since very few dvd-players are manufactured in USA.
Most of them come from asia...

Re:Video distribution over the network and DVD.

[Porky+Pig]

It's funny you've mentioned it. I've recently visited the seminar on xDSL technologies, and one of the topics was VDSL (very high speed DSL) suitable for movie distribution. Since distance limitations are rather serious, the idea is to put the aggregation point (sort of DSLAM) somewhere into the basement of a large appartment building, or appartment complex, or campus types of environment, and from there distribute the material over the existing phone wires. It is being implemented on vary large scale in Hong-Kong
(and I forgot where else)

Yet I do not believe DVD is dead. Some people like network-based distribution, some like to have a small collection, or rent, it all depends ... Eventually DVD will be superceeded by HDVD but this won't happen for at least 2-3 years, may be more.

Re:So do slashdot folks care that this is immoral?

[jafac]

Please. In the vast majority of piracy cases, the pirate would not have paid full price for legitimate copies anyway, so no sales are lost. In fact, there is a positive side to being pirated. Mindshare.
If only 5 people on the planet can afford to wear Nike shoes, that's not much mindshare. If 1 billion wear counterfieted shoes, maybe a 6th person will think it's cool enough to cough up the money for a legit pair. The CHANCE that the 6th person is going to buy, is better than the alternative, 5 customers, period, and no mindshare (which incidentally is what drives the stock market today - which is probably a lot more important to a company's long term success and survival than actual profits. Sick to say so, but unfortunately true).

I wish I had a nickel for every time someone said "Information wants to be free".

pun

[betamax_]

"the motion picture industry is reeled" Who else noticed it? Come on!

Re:So do slashdot folks care that this is immoral?

[Mr.+Slippery]

the spirit of my post, which is: what's wrong with "free everything"?

Nothing. But it doesn't exist. That's the point of my post. Now we're back where we started.

And that is the point, food in hungry peoples mouths. Hopefully it will be books & education next. Do you see any problems with this? How could you have problems with this?

My problem with this is that it would be much more efficient for us to give money directly to hungry people than to pay for various products an increased price, which goes to advertising budgets, a tiny portion of which goes to feed the hungry.

The advertisers aren't doing this out of the goodness of their hearts; if they were, they'd just send the money and be done with it without making you look at ads. They're doing this because they believe that getting you to look at their ads will get you to buy their stuff. And so we drive the culture of consumption which leads to the economic injustice that makes people poor and hungry in the first place.

Also, how much is your time worth? How much time does it take you to click on THS? Sending ten bucks to charity each year might actually be cheaper, as well as getting more results. To paraphrase some /.er's .sig, "Advertising-supported activities are only free if your time has no value."

(And yes, I do give directly to charity, and also to persons of my direct acquaintance who are in need.)

Re:Let's not be judgmental

[Black+Parrot]

> Everyone wants something for nothing.

Just an observation on our society's value system:

If you want something for nothing, you're despised as a deadbeat;

If you want a whole lot for almost nothing, you're admired as an entrepreneur.

--
It's October 6th. Where's W2K? Over the horizon again, eh?

Damn...

[BonzMan]

Wow, really sucks to be Real right now. After the escapade (what, 2 days ago?) with their realplayer sending out personal info, now they seriously fsck up in not encrypting their DVD player...
Does anyone else here smell lawsuits?

::sniff sniff::

Bonz..

Re:Damn...

[Mignon]

I think either the traders haven't heard this yet (yeah, right) or they don't think it'll cause a problem for Real. As I write this their stock price is at 113 3/4, up 7 3/4.

Re: Won't last long.

[bgarland]

So few consumers can afford DVD right now they'll lose nothing by burying the cracked format and starting over.

Where the hell do you live? Ethiopia?

Good DVD players can be had for about $250 which is no more than any other piece of mass market consumer electronics. Factor in that it plays CDs too and now you don't have to drop another $100 on a CD player. Joe Sixpack working for minimum wage at Wal-Mart can afford a DVD player for gods sake!

Movies are about $15 online and about $20 at retail stores. That's no more than the cost of a CD (but I guess few consumers can afford CDs either huh?).

Then again, maybe you're just disillusioned and still use cassette tapes and VHS!

I will admit to knowing not much about "DVD-2" but I don't really care. DVD as we now know it is here to stay. Millions of standalone players have been sold (several million) and nearly every new PC has a DVD-ROM drive. There's no reason to chuck it in favor of a new format. With current DVD there is a disc version called DVD-18 that is dual sided and dual layered. You can fit over 6 hours of film on one disc! For instance the first DVD-18, released recently, is Stephen King's The Stand all on one disc! How is that not good enough?

I really don't see what needs to be improved in DVD. Anyway, it really doesn't matter because so many players have been sold, so many movies pressed, that there's no way a rival format could take hold at this point, imho.

Ben

From the Article

[Mr_Plow]

The circulation through the Internet of the illegal and inappropriate software is against the stream of copyright protection

Is this true? I thought that it was not illegal to have software that was capable of breaking copy-protection, but merely that using it to pirate copyrighted materials was illegal. This is dubious logic because you can pirate recordings with a tape deck and you can record movies from pay-per-view to your VCR, but that doesn't make those machines illegal. WTF? Anyone know the legal precedence?
------------------------------------- ---------------------

DVD encryption - to keep honest people honest...

[brianvan]

Perhaps the issue isn't whether or not DVD copy protection can be cracked at all, but whether or not it's easy for MOST people to do it...

I'd say that if it were that easy to crack CSS, then perhaps it was meant to be no more effective than Macrovision... a stumbling block too big for those not interested enough in overcoming it. While it's pretty obvious that both it's now easier to crack DVDs and it's still unfeasible to copy them in massive numbers, what's not really thought of here is whether or not such a development will dictate the future effectiveness of the copy protections on DVDs.

The development of MP3+CDR is an entirely different story, as digital audio was an entrenched standard that was already effective for the music industry. On the other hand, DVD is still rather new and it's rather easy to predict that in five years it WILL be feasible to pass around cracked movies on the Net for many people. Just how many people are willing to do that is another issue entirely.

I suppose that fixed storage, recordable media, and available bandwidth will all be large enough in a few years to allow DVDs to be copied easily. Still, it will take a lot of one person's time to do extensive trading, and the availability of that kind of equipment to the general public will be limited. The interesting facts and issues of the situation are:
1. People who buy DVDs usually have all the other nice little gadgets too. Hence the current target market for DVDs will probably be enabled best to trade them illegally.
2. DVD is a premium high-quality format for an extremely popular medium, which means that unlike CDs (which would be more of a standard format) trading DVDs would be preferrable to any other kind of bootlegging.
3. The movie studios do have the option of pulling DVDs and sticking with VHS... for most releases. Or, perhaps a greater control and limited availablity on DVDs would prevent DVDs from becoming a mass-consumer product, hence eliminating the possiblity of mass-pirating.
4. On the contrary, the movie studios can make a huge push of DVD into the consumer market so that it does become a mass-consumer product, not only strengthening their margins above those of the already mass-pirated, more expensive, and lower-quality VHS, but also to eliminate the possiblity that a large part of the DVD market would pirate them. Add more to the market that won't be copying them and you minimize the copying problem. CDs currently enjoy this position, as there are many people who copy them but there's a massive amount of people who can't, don't, and won't, therefore making the CD-copying problem negligible on the bottom line.
5. Finally, the industry has time to combat the problem with a variety of solutions before copying becomes feasible. They don't have to pull off any drastic moves right now, which means that if DVD business is brisk I doubt they'll be scaling back on it anytime soon. They may switch formats (a DVD2), they might try to keep DVD-RWs and all similar DVD writable formats from becoming widespread, or they might ignore the problem altogether. It's not like what happened to the music industry, where one day the tools became available and people started ripping/encoding/copying CDs like crazy as the industry helplessly watched.

Right now, however, it's just a big embarassment for the movie industry and a new opportunity for the elite piraters. If I had the opportunity to advise the movie industry how to handle the situation, I would probably suggest that right now they should take a "good faith" position and trust the current market to not do what they pretty much could have done anyway. In the future, I'd suggest that perhaps they take either one of two paths: They start planning a format change RIGHT now for a rollout in 10 years and make the new DVD-Video format a self-standing component with closed specifications rather than a multi-component open standard, as this would prevent anyone from easily pirating movies (in other words, a DVD drive is like a standalone DVD player and you just overlay it, which shouldn't be too much to ask in 10 years) or getting any undesirable use out of the video. Or, they make DVDs an entrenched standard and a mass-market industry with even a bigger push than they are today, with the understanding that they hold the advantage of being the honest, legal, simple, and not-too-expensive solution for DVD purchasing. In other words, who cares about pirating when you're going to make gadzillions of dollars selling legit DVDs and, for most people, that's the best or only option now and for a long time. It's like if you own a candy store and little kids keep eating the candy... you can put the candy on a higher shelf, or you can put a small basket of free candy by the door. You DON'T stop selling candy (or only sell stale candy)...

Kill the smart people

[Slur]

Encryption is dead, will always be dead, and will always fail. Why? For the simple reason that a vast number of common hackers grok what goes into encryption technology, and no special corporate giant is going to be able to keep anything secret that is - simply put - built into the nature of things.

On the other hand, if governments and corporations want to protect information from ordinary citizens they have only to dumb down the educational system, and kill (or indoctrinate) everyone with an IQ over 130. Maybe it's just a matter of time before this occurs. Maybe it already is happening.

Vive la revolution!



--------
Yeah, I'm a Mac programmer. You got a problem with that?

Re:Kill the smart people

[Mr_Plow]

Encryption is dead? Don't you really mean that weak encryption is worthless? Click here for some insight on encryption. Distributed.net has been running its RC5-64 bit key challenge for two years. That's right, two years. There are, on average, some 40~60 thousand participants everyday. But if you look at the top performers, you will see that many of what is counted as a single participant is actually a group of hundreds of computers working together. Now, the amazing part is that with all the participants involved donating all of their spare CPU cycles for 2 years, less than 15 percent of the keyspace has been checked. That means that if for some reason the real key is the last one checked, it won't be found for another 11 years or so. But maybe in your eyes that's not a long time. For many practical purposes, 13 years is a long-enough time for gov-intel to be obsolete, or for private citizens hiding from the gov't, 13 years is long enough to pass the statute of limitations of many crimes.
----------------------------------------- -----------------

Re:DVD Consumer Rights - Copying is a GOOD Thing!

[Cramer]

CDs are bad enough -- esp. from bad mass-production houses. My win95 CD, in absolute pristine condition, has been difficult to read from day one due to the low quality, high speed method of production (I think they were a little low on silver that day :-))

Given this and the density of information on a DVD, I wish they would be securely encased. 3.5" floppies are better protected than DVDs. (I've always been a strong backer of CD caddies. It's unfortunate that high speed drives _have_ to be tray loaded due to balance concerns -- would you trust a caddy loaded CD spinning at 9000 RPM?)

I'd love it if DVDs were encased like MO disks. They are basically a CD in a secured housing that has a caddy-like door on both sides so they fit alot like a tray loaded CD. There is a recessed latch to keep the "door" from opening by accident. This may be how the DVD-RAM carts are done, but I've never seen one nor does the movie industry use such things (they'd much rather you buy a new 30$ DVD.)

Won't last long.

[heroine]

Next year DVD-2 will come out with a 1024 bit encription incompatible with existing DVD players. So few consumers can afford DVD right now they'll lose nothing by burying the cracked format and starting over. It's not good enough for college geniouses to crack stuff other people have developed. In order to solve these intellectual property wars, college geniouses have to start developing the stuff themselves.

Re:Won't last long.

[Speare]

Will DVD-2 have a reasonable less-lossy compression scheme? I really hate putting up with NTSC, nevermind making the image even worse with highly lossy compression that adds obvious artifacts.

I had just gotten into laserdisc when DVD came out, and of course now it's impossible to find laserdiscs of good titles. (I know, whine whine.)

Re: DVD and 40 bit keys

[DaveHowe]

I wouldn't be surprised if the lousy, five byte encryption on these things came down to making them US Export-Legal.... Even with the "new, improved" fast-track licencing, I believe each individual export has to be at least notified, and the paperwork overhead of tracking each batch of DVD players to the end user would have been astronomical.
And there, you thought the US government's export ban had no positive aspects ;+)
--

It is unrelated to weak encryption

[Alex+Belits]

The whole idea that someone can "encrypt" something that is supposed to be seen by user/consumer and have "secret" programs/keys/whatever running on equipment controlled by user that can "decrypt" it and show the result, is entirely based on the assumption that user is incapable of reverse-engineering running program, or at least effort necessary outweights the benefit. While one can argue that it can work for some games (and yet I don't think, it stopped anyone), it definitely not so for movies on DVD, especially considering regions and other "features" that users perceive as sabotage. Even the most perfectly "protected" program can be reverse-engineered if user can run it in some controlled environment, so in the case ov DVD encryption this model simply couldn't work -- once something is out, it's out, and to prevent someone from reproducing a process one shouldn't perform that process when someone is watching in the first place.

Re:So do slashdot folks care that this is immoral?

[jafac]

I just bought my son a Gameboy for his birthday.

The license agreement for Pokemon Yellow says that I do NOT have the right to make backup duplicates of the game software (as if I could), and owning/operating the special equipment to do so is illegal. I understand why they feel they need to say something like this - but I don't understand why it's perfectly legal and acceptable for them to trample on my rights to "fair use".

I wish I had a nickel for every time someone said "Information wants to be free".

There are no damages to be liable for

[Sloppy]

If there's any liability, I would think it would be simply due to a breach of contract, and no more. How can MPIA ever show that this will result in damages? The damages may even be negative since this will almost certainly result in increased DVD sales. :-)

I'm not saying Xing/Real won't lose money -- they might chicken out and settle out of court. Or maybe there's a contractual provision that spells out a monetary penalty for disclosing keys.

But let's get realistic: there simply are no damages, and if this ever got into a court then MPIA's case would be pretty iffy.

---

Disassembly of Object Code illegal?

[Chris+Siegler]

"The circulation through the Internet of the illegal and inappropriate software is against the stream of copyright protection."

Check out Fravia's page on the legality of reverse engineering. In the US, this is the case sited

Sega v. Accolade, decided by the Ninth Circuit in 1992, makes clear that, in certain instances, the unauthorized disassembly of a computer program's object code in order to derive source code is not a copyright infringement. The Ninth Circuit applied the 'fair use' balancing test to determine that Accolade's use of reverse engineering techniques to produce an 'intermediate copy' of Sega's source code did not constitute copyright infringement. Accolade never distributed the intermediate copy commercially, but instead used it only to extract unprotectable ideas Ñ a sequence of bytes which act as a software key Ñ from Sega's game program. This key was then incorporated into Accolade's games, enabling them to 'unlock' and run on Sega's game platforms. The court cautioned, however, that disassembly involves the making of a literal copy of a program, and it is permissible only when necessary to extract the unprotectable ideas. It is unclear how far this fair use right extends.

Sounds almost exactly like what the DVD crackers did.

Re:Disassembly of Object Code illegal?

[otis+wildflower]

Sounds almost exactly like what the DVD crackers did

Yes, but US laws don't apply in Norway.
Your Working Boy,

Consequences for DVD?

[bughunter]

So what does this mean for the DVD format in general. I'm not clear on the details of the standard, but it sounds to me that this crack leaves the DVD standard open to nearly-indiscriminate copying, even if you don't have DeCSS. It's a known crack, now...

But I'm specifically curious if the same keys are used from title to title, or does each title have its own key?

And can the standard be "upgraded?" To a 128-bit key, for instance?

Re:prophecy vs. reality

[Battra]

>"Computer FX will never get better than Tron"
>"Apple is dead."
>"The world market for computers is 5"
>"DAT will replace tapes and CDs"

I'm with you on the last three, but come on....

Tron rules!

The last movie I rented was Battlestar Galactica, and no, I'm not kidding.

Hurray!

[David+A.+Madore]

I call this a victory against obfuscation and closed standards.

I hope the keys - and all the relevant details - were widely published, and I hope this means we'll have Linux software that reads DVD's soon.

Re:Hurray!

[David+A.+Madore]

But there's something I don't understand: they can't just change the format, like that, with all the existing DVD players around, can they? People who bought one of those will be mad (and you can't say - oh, sorry, you've got to buy a new one because some guy cracked our stupid format and we had to change it).

The world isn't really *that* rotten, is it? - Famous last words.

XORing bytes _is_ the ultimate security

[Mister+Attack]

Come on, without these "crackers" who break into things, we would still be XORing bytes and considering that the ultimate security.

As a matter of fact, XORing bits with a one-time pad _is_ the ultimate security. Completely unbreakable, as long as you have a completely random one-time pad, and as long as you only use each one-time pad once. Just thought I'd bring that to your attention.

Re:XORing bytes _is_ the ultimate security

[bofh23]

Nuke 'em from orbit. It's the only way to be sure.

Secure that shit Hudson! ;-)

This time it's war

Shiny Silver Platter Prices

[David+Jensen]

Both the music industry and the movie industry charge more for the shiny silver platter because they can. Customers feel that they are getting a better product than the one that comes on magnetic tape. The cost of duplication has no impact on thes pricing decisions.

Re:Net Impact on Movie Industry: Zero

[jCaT]

yeah, that's a one-time shot... then they can press as many as they want for a dollar a piece. Did you ever notice that VHS tapes when they first come out cost about 100 bucks, and after a few months drop down to reasonable prices? This is because of the time required to make a vhs tape. As someone already posted, it takes about 45 minutes. Take that against about 30 seconds to make a dvd.... hmm, looks like DVD is a little more efficient.

Another take on perfect digital reproduction...

[gharikumar]

I was talking to a friend who works for one of the big Japanese electronic firms. He said that it has been possible to produce digital camcorders with durable disks (not tapes) for years now. The recording quality is supposedly not be as good as DVD, but it is still far superior to the quality of the VHS-C and Hi-8 tapes. Also, the disks are far more durable (supposedly, they can last for decades without degradation, like those shown in the movie "Rising Sun".)

However, they won't produce them because they don't want to piss off the big Hollywood studios. Also, they won't make digital camcorders with digital outputs; once you record stuff, it comes out as analog. All because the studios are scared that the camcorder will become a medium of distribution for pirated movies.

Consider what this means. If I videotape my daughter, there is no way that recording will be around when she is 50. And not because we don't have the technology to make it happen.

Re:Security through obscurity doesn't work!

[Cramer]

As my dad says,

• "Locks only keep the honest people out."

Re:How can breaking trade secret be "illegal"?

[Darby]

Wow.

I'll have to read that.
---CONFLICT!!---

Re:No big deal

[TeChYMaN]

Alas, My dear coward. You cannot copy DVD to DVD. The hardware will not let you, poor soul filled with cowardace! Let your cowardace free, and grab an account!

prophecy vs. reality

[Pope]

I can tell you first hand that DVD is dead

Right.
"Computer FX will never get better than Tron"
"Apple is dead."
"The world market for computers is 5"
"DAT will replace tapes and CDs"

OK enough of the "X is dead" predictions.
Anyone making such grand statements, especially in the computer field, has obviously not read any history.

I am not particularly impressed by Video on Demand demos.
I will always prefer to own the atoms of the movies I love, same with records.
I like having liner notes, cover art, etc.
All those bits have to be stored somewhere and I'd rather have the option of getting at them anywherem anytime I damn well like, and not have anyone else know about it.

Look what happened to DIVX!

Buy once, listen/watch many is my motto.

ppoe


Pope

Re:Take a lesson from Hong Kong?

[Steve+B]

The economics of the situation (legitimate DVD copies of major movies selling for $20-$30) just don't make piracy profitable enough to have a major effect on the bottom line. The only way for pirates to make money in that environment is to organize on a scale that makes them big fat targets for any government that gives a flip about the matter (which is the underlying problem in East Asia).
/.

DVD Consumer Rights - Copying is a GOOD Thing!

[Ron+Bennett]

First off as a former software hacker (only cracked software protection schemes, never other people's computers), it's clear that the decryption routine is the weakest link and there's absolutly no way around it as long as it's being decrypted on hardware they don't control. Even if their encryption was totally uncrackable, which it's certainly not, DVD protection is futile since any half-decent hacker can just intercept the data going to their monitor/sound card...and any idiot can just aim a camcorder at their computer screen and make a medicre but quite viewable analog copy.

Secondly, consumers should have the *same rights* with DVDs as they do with other media such as *copying for personal use*, *playability anywhere* (no regional restrictions), and *no tracking*; DIVX was an obvious example, but there's a push for more subtle schemes of tracking individual DVD consumers.

I bet within a few years, the movie industry in particular will give up their futile fight and realize that copying is a good thing just like has been for movies on video; and anyways there's no way to stop copying so why bother...just undercut the pirates and use more creative marketing...I mean Disney's marketing of the same movies in different packaging, etc is brilliant and shows that it's even possible to sell people the same movies they already OWN!!

Ever heard of FAIR USE, you sanctimonious jerk?

[jcr]

Anyone who has legally purchased a DVD is perfectly entitled to make a backup copy against the possiblity of the original being damaged.

Get this through your head: EVERY advance in recording technology has vastly increased the revenues of the music and motion-picture industries, and despite this fact, those boneheads still fight tooth and nail against *every* new home-recording technology.

-jcr

Magic Bullet

[deefer]

Again, big business has failed to grasp the ingenuity and resourcefulness of the hacker community. Good work, fellas! :) And even better, well done for publishing your work this early. Less scrupulous people would have kept this to themselves, and have a car boot sale industry in pirate DVD's booming by now.
Why does big business seem to think copy protection is the magic bullet? Whatever can be engineered, can be reengineered. Even if they'd not a) hardcoded keys onto the media and b) not used a kitten weak security model, what on earth prompted the designers to think that people wouldn't try and break it, just for the sheer hell of it? Even if they'd used massive keys, I'd bet a pound to a penny there'd be an underground "CrackDVD@Home" distributed project running somewhere... And they're bound to get lucky sometime or other.
And why should it impinge on recordable DVD's? Existing video media are a doddle to rip off (not that I am advocating this). In 10 years time, yes, DVD's will be the defacto standard in western countries for video data. But protecting your copyright for this media must either be uncrackable (_very_ hard in this scenario, without considerable overhead for the user - imagine having to plug in a different dongle per disc, type in a security key, or whatever before being able to watch the film...), or the video industry must lobby international support for piracy crackdowns to be more thorough.
Just expecting technology to be the easy answer in this instance is foolish at best, and dangerous at worst. Until the price of the products the industry is hawking drops, and the penalty for illegal copies is made severe, piracy will still continue. But industry is too short sighted to see this, and will continue overcharging whilst whining about the pirate industry it is fuelling.

Re:Hurry to see the previews!

[Wah]

I like good ads too, but when I go to see Fight Club and I see ANOTHER GODDAM 1-8fsckin00 commercial before the movie starts, that bothers me.

Cool movie with a shitty ending and no consistent point.

Heeheehee

[DanaL]

I got a chuckle out of the article when they called them "anonymous developers" (to make them sound more dangerous and shady??) and then proceeded to quote one Jon Johansen, the founder of MoRE :)

Dana

Blamestorming

[sansbury]

So maybe now that it's Hollywood getting caught on the short end of the stick, we'll start seeing laws being re-written in a way not so favorable to manufacturers of crappy software.

On the other hand, this fight's a little like they used to say about the Iran-Iraq war: Whay can't both sides lose?

-cwk.

But electronics makers WANTED DVD format cracked!

DVD protection schemes hurt sales of player hardware because there are loads of hardheaded idiot consumers out there with lots of disposable income like me who'll refuse to buy any player that doesn't play everything. (I live in R1 and import R2 DVDs so my player must at least play R1 and R2 discs or I won't buy.) I bought a Pioneer 505 and not an RCA. Why? Because I could modify the Pioneer to be multi-region but could not modify the RCA. Electronics makers KNOW this and want their players sell rather than the competitors. The ONLY reason electronics makers put region coding, crypto, and macrovision into DVD hardware was so that the Hollywood movie industry would support the format. It was as simple as "No protection and we'll release no movies on your new format". So electronics makers cane up with a rudimentary "protection" scheme to appease Hollywood execs into supporting the format. Some, like Disney, wanted more restrictions (DIVX), but suffered the effects of horrific customer backlash. Anyway, the DVD format is now entrenched and too far accepted by the public for Hollywood to reneg now and abandon DVD. Now CSS encryption cracks are mysteriously leaked. Electronics makers can now sell more hardware and not have sales hindered by protection schemes. DVD-R burners and discs will get cheaper now (In 1991, 1X CDR burners were close to $10K with blank [63-min] CDRs at $20 each!]) and this whole protection scheme will become as laughable as what is now called the "bozo bit" in the Mac filesystem. (History lesson! The 'bozo bit' was once called the 'no copy' flag and was supposed to be respected by copy programs and not copy files with the bit set. Everything under the sun ignored it, including all of apple's own OS and tools, hence it's nickname of 'bozo bit')

So what happens when we can't export DVDs..

[empath]

..because of the high encryption they use? I mean, the distributed.net team's focus was partially to show that we needed to up the limits on export regulations. People are obviously going to find some way around any 'weak' encryption method out there. The industry will push for more complicated encryption until it's so complex that they can't export it.

If the movie industry can't export their movies, we're gonna have an even bigger force pushing for less-strict export laws on encryption. Or am I missing something here?

DIVX was right

[IntlHarvester]

Interestingly, one of the big sells that DIVX had with the content industry was that DVD encryption was crap and would be easily broken. This was dismissed as FUD in some corners, but was enough to get a few studios to commit to DIVX over DVD early on.

DIVX hasn't been turned off yet - it would be interesting to see if a modified version is brought back to life. It's the only starting point they've got right now.

(Of course, they would have to sort out the pricing, quality, and retail channels issues that killed DIVX in the first place.)
--

Re:Consumers have been copying movies since the 80

[Darby]

Don't even try to tell me that an album with the production quality of Dream Theater's Scenes From a Memory could be made in even 1% of home studios.


Well never having heard it I can't address the issue.
Could you post the MP3 somewhere. I'll listen to it and let you know ;-p

---CONFLICT!!---

link to the utility?

[griffjon]

Does anyone have the link to DeCSS? In all seriousness, I want to copy Matrix to my HD to see if I can run it any better from the HD than from the dvd.

A word on MacroVision

[Cramer]

Most quality TVs on the market have macrovision stablizers. My 13 year old Sony TV (it's actually a monitor with a TV decoder in it) has a macrovision stablizer in it -- and I have the full schematics for that TV :-) [FWIW, that TV also has a video signal stablizer in it that effectively puts the sync signals -- in fact, the entire VBI -- back in... who needs a cable descrambler :-) And no, it's not designed to be a descrambler, Sony just put some damned good hardware in there.]

Macrovision does not mess with the active video portions of the signal. It sticks a "super white" high-frequency spike in the vertical blanking interval (VBI) to mess up the automatic gain control (AGC) circuitry intended to correct the white level -- exactly what voltage is "white" and "black" -- for broadcast signals that can (and usually do) have slight changes in the peak-to-peak waveform. Basically, the AGC is there to prevent the picture from fading in and out when you're watching it.

TV's have very slow "averaging AGC's" simply because it doesn't have to react rapidly to what is usually very slight voltage changes. And since the TV is only displaying the image and the designers know the retenative properties of the phosphor and the average human eye, it doesn't make sense to have rapid changes in the AGC. A dip in signal would be smoothed by the glow of the phosphor and the image retention of your eyes. Like wise, boosting the signal for a transient spike would not be good -- it would take a noticable fraction of a second for the image to return to normal.

VCRs are a totally different problem. They have rapidly adjusting AGCs because they have to. They're job is to record the video signal to a magnetic tape. The tape heads can only handle a specific range of voltage for the video signal. Too much could bleed into the other tracks and end up erasing the tape instead of recording or actually generate too much voltage and damage the VCR during playback. Too little would end up not recording any signal at all. The VCR needs every frame that it's recording to tape to have the exact same peak-to-peak white level or it would run the risk of recording too little video signal to be able to play back a fully synchronized video signal.

Alot of VCRs will have no trouble at all playing back a macrovision signal recorded onto the tape, but even ignoring the AGC, most VCRs cannot record a signal with that voltage level -- the circuitry cannot recover fast enough from such a high voltage, high frequency spike. I used to have such a VCR... the rotary transformers would get slightly messed up and and not record a clean signal for the rest of the VBI and sometimes on into the active (displayed) video portion. (I may not have recorded anything I could playback, but it did a better job deguesing the heads than the tool designed to do that :-))

Disclaimer: Macrovision is not new and I'm not a child :-) I used to work on TVs and VCRs back before they became single-chip, disposable toys.

Re:Coca-Cola secret formula

[Cramer]

That's B A W L S...

It's an interesting drink. I have one setting here on my desk.

Re:DVD crack

[syrupdude]

Well, you know that the ubiquitous "they" have been working on a new dvd that will support HDTV (1920 x 1080) resolution. I think that this is a good thing, since new releases will likely be released in the newer format rather that sticking with dvd resolution (whatever it currently is). HDTV broadcasts are still quite a bit away, so I won't be buying one anytime soon for broadcast reception... but if I can watch all my favorite movies that way, then I will certainly consider buying one. I don't see any reason why hdtv manufacturers won't be jumping on this like a whore on a congressman.

Re:'They didn't encrypt the key' doesn't make sens

[Cramer]

"simplistic obfuscation" can be _very_ powerful if exercised properly.

Please take a look at any Netrek client source code. "Blessed" binaries use a 128bit RSAREF public key system to verify the client as authentic (as opposed to a hacked up "borg" client that tends to play itself.) The key and relevant code is broken up into a minimum of 15 files (I think the max is 40) and then the binary is linked in random order so the key processing is scattered all over the rather huge binary.

Despite the "small" key size and the relative ease of recovering the secret key by factoring, I've never heard of anyone recovering one of the keys for a blessed binary. And if they did, I'm sure it was not by disassembling the binary.

Re:Net Impact on Movie Industry: Zero

[Chris+Johnson]

*spends half an hour trying to get to a page on Robert Fripp's website, curses*
Well anyway- Fripp put it better than I will, funnier, but he made his website badly enough that it's impossible to deal with. So I'll just paraphrase.
The record companies impose a number of historical charges in the form of percentages on the cost of the albums. So if the artist is getting 5% royalty on sales, that is 5% after a 20% wastage charge, j.random other charge, and (I am NOT making this up) a charge on typical breakage of the SHELLAC the music is recorded on. I am NOT making this up.
"But CDs are not made out of shellac!". As Fripp said in his lost article, "Now you're getting clever." ;)
Basically, we're looking at corporate pork barrel, bigtime. The artists, perhaps even the movie studios do not get _that_ much money out of these huge industries. It's the corporations taking more and more. Of course they are not passing savings on to the consumer. That would be capitalism and a desire to compete on the basis of price. Of course they are not passing vastly increased earnings on to the artists. Why should they when they can charge a percentage of CD sales to broken _shellac_ and deny it to the artist? Of course they are earning exponentially more than they were. Where do you think they get the money to bribe the government and attempt to get antipiracy legislation passed?
The industry does not DESERVE protection. Whether it's the music industry (slamdunk of an argument to anyone who knows anything about how bad it is) or the film industry (Blair Witch Project, anyone? All you 3DSMax artists ever wondered exactly why you can't just make a movie and start trying to sell it?), it is so corrupt it's disgusting, and needs to be put down for its own good. It's not capitalism. The barriers for entry are too high, and they aren't all legal barriers (remember 'payola' of the 1950s?) These days there are ever more interesting ways to do that. It's out of control, and the consumer is powerless to stop it.
The only sensible attack is the judo-like approach that has so often worked in the computer industry- it's time to start proliferating record companies and _film_ companies, all indy, all guerrilla businesses with low overhead and depending on the fact that, what with the big industries being the way they are, it'd actually be _more_ profitable for artists to go with an indie- even with the albums/DVDfilms/whatever being sold at fscking _bookstores_ (did you know that independent bookstores are also being choked to death by heavy corporate shifts to online selling and the constant mergers and consolidations into ever-larger corporations?).
I think that's the way the future is heading. Could result in the mainstream being very glossy, very trivial, and very empty- with not many customers left to cheat. All that's required is that the actual media (CDs, DVDs) can be produced by indies in formats that work with the hardware generated for the consumers. That's all that's necessary. You don't need to _lead_ the curve, only be on it somewhere.
Anyway, my two cents :)

Why not bribe a licensee?

[Ivootje]

First of all, it's a 40bit encryption. That's too less anyway.

So, every licensee gets a unique encryption key. Instead of cracking (or in this case, _reading_) the encrypion key, why not offer some employee at Real (or any licensee) some money (or free pizza, whatever the person falls for) and get the key.

If this whole DVD system is based on the fact that licensees should keep their keys secure, this encryption is bound to fall, either through bribe or the employee in question just gives the key to a couple of his closest friends, which give it to... well, you get the point.

My two E0,02 (two eurocents)

So naive, so very very naive

[m0nkeyb0y]

The movie industry is completely naive if they thought they had a system which was impervious to being copied. I'm too young to remember, but I can only assume the same thing happened with VHS when that was finally able to be copied/written at home. It was only a matter of time, effort, and curiousity.

Silly copy protection schemes

[nas]

I think someone needs some basic lessons on cryptography. If the
key to the DVD is encrypted then how can the player use it? Does
it have a key to decrypt this key? Is that key encrypted? Maybe
you can see the problem here.

The player must be able to decode the DVD. If people have access
to the player then they can reverse engineer it and find out how it works.

IMHO, any copy protection scheme like this is doomed to fail. If
you can play something then you can copy it. It really is as
simple as that.

Re:So what about DVD-RAM?

[redled]

There are a few reasons why you can't yet use DVD-RAM, even though the encryption has been taken care of. First of all, DVD-RAM media is not recognized by all but a few drives -no dvd players recognize them. Also, there are 3 (three!) different standards for dvd-ram, all using slightly different technology. This means that it will likely be a few years before any one of them is widespread enough to become supported by the hardware manufacturers. The discs can only hold between 2.5-4.8GB. This means that some movies may not even be able to fit on a disc (discs cost around $20, btw). So, apart from these, the only viable option would be to use DVD-R to copy movies. Then again, at tens of thousands of dollars for the recording equipment, and $35-40 for the media, the purpouse is, once again, defeated. Fore more detailed information check out the DVD FAQ

--

Re:So do slashdot folks care that this is immoral?

[hadron]

No it's not immoral. For example, this actually allows people to play DVDs on linux, which was previously impossible. This is a clear case of the movie industry being evil.

Re:Wont last 50 years

[Why2K]

I remember reading that the max lifespan on a cd was around 9 years, though it may have improved.

I don't know about this... I've got music CDs that I bought over ten years ago that still play fine (if I have a sudden urge to listen to all of that great '80s music!).

Re:So do slashdot folks care that this is immoral?

[johnynek]

Wait a second, what is immoral? Of course what these guys did is NOT immoral. Immoral would have been breaking the weak crypto, then copying all the top movies and selling them on the black market. The real bad guys were going to break this one day, these guys did the movie industry a favor by alerting everyone.

That having been said, I don't think that everyone has the right to copy DVD's and I don't think it will happen very often. However, when one day 4.7 Gigs is nothing, then maybe movies will be copied a great deal, and what then? The truth is copy protection (as noted by so many ./ers) does not work. So, we may just have to adjust to live in a world where a certain amount of piracy is expected.

I think it should still be illegal. If they catch people or rings selling pirated material they should be punished, but the movie industry needs to stop being so afraid of digital distribution.

PS: if they stop making DVD's over this I am going to be rather upset.

Re:Net Impact on Movie Industry: Zero

[jms]

Nope. The reason that VHS tapes cost around $100.00 when they come out is because they are selling primarily to video stores. A video store is willing to pay $100.00 for a tape, because they are going to rent it out over and over. A few months later, when the video stores are no longer buying copies, the studios lower the price to a level that appeals to individual consumers. It works. Lots of people will rent a movie when it comes out, then buy a copy six months later when the price drops down.

You'll notice that some trashy blockbuster movies are being initially priced at sell-through prices. It's all a matter of the studios maximizing their income. If they think that no one is going to care about "Godzilla" six months from now, then it's in their best interests to sell as many copies as they can now. It's just marketing.

Security through obscurity doesn't work!

[Tet]

If a DVD is encrypted, where does the key come from to decrypt it? If the user doesn't supply it at playback time, it must be embedded in the player. That means you only have to get one key, and you have access to everything. They can't change the encryption scheme without breaking all existing players, and can't blacklist the cracked key for the same reason. It's just security through obscurity, which has been proven ineffective time and time again.

I don't buy DVD just to copy them...

[WyldOne]

I buy DVD and CD-roms (audio and game) because they are more permenent. PERIOD. As media go they will last longer for me after multilple playing than say a magnetic tape/LP. I will hear no pop's, jitters etc. when I am using media in a digital format. I think that CD-ROM based tech is rated at about 30 year shelf life. Compare that to a magentic tape which maybe will last 6 months under hard usage. (I know this because I have lost games because of megnetic decay) On another note I think at last count I had over 300 video/DVD's, ~100 audio CD's/tapes, and over 100 games in my library. That represents over 1.5 TERABYTES of data. I _WISH_ I had that kind of spere hard drive space. The truth of the whole thing is this. I pay for movie, I want to keep movie and not rebuy move every 2 years because of decay/storage problems. The movie industry as well as the audio industry need to wake up. We are loosing good movies/soundtracks now at a terrifying rate. This frantic paranoia about somebody copying your stuff needs to put to better use.

Re:How does it work, really?

[synthe]

From what I gathered from the article, that is backwards. The Xing key was cracked, as were a bunch of others by process of deduction, from knowing the Xing key. This means that future DVDs produced won't have those keys on the discs, meaning that old players won't be able to play new DVDs. The question then is, what about people who have hardware DVD players with keys that got compromised? Will there be a recall/exchange, some sort of flash upgrade, or are they SOL?

Re:How does it work, really?

[Otto]

What this means, more importantly, is that the manufacturer of a DVD may say that: only X players will play our disk.

That's bad. I didn't realize how bad it really was. I can just see Sony forming a deal with Warner (pick any two names you like) such that Warner's movies only play on Sony players..

Nasty...
---

Re: DVD and 40 bit keys

[DaveHowe]

But not all the companies who make DVD players are american. As a fact, very few.
So this wouldn't have been much of a problem...
nbsp; Possibly not - but a lot of the recordings seem to be from the US, so I suspect they had a big say in the definition of the standard.
Non-US members could have defined a standard without them, of course, but would then run the risk of being the Betamax players in a VHS market....
--

Re:Wont last 50 years

[matguy]

The life span of the aluminum depens a lot on where you live, coastal climates being the worst. Mobile Fidelity Sound Labs was/is doing a lot of work on this ultimately using gold as the reflective layer. Other pressing sites also may have done some improvements since then, also, if I remember correctly MFSL was having JVC press their disks.

matguy
Net. Admin.

Re:So do slashdot folks care that this is immoral?

[Mister+Attack]

short answer: no.

longer answer: I could go after your ad hominem attack ("none of you understand how you get paid (many of you are students ANYWAY!)"), and say that the fact I'm a student has nothing to do with anything, and that I do, in fact, understand how I get paid... but I won't.

It's not like it was particularly hard to copy DVD's before; a DVD player with the video out hooked to my digitizer would have worked pretty well. I'm not sure you understand that this doesn't _really_ change anything.

As for cd-r's and the software industry, come on, how many people were going to _buy_ AutoCAD or LivePicture if they couldn't get it for free? not many. Therefore, not much lost profit. Just my $0.02 (NC residents please add 6% sales tax)

So... There go our chances of getting TPM on DVD

[handorf]

Just what we need, evidence that (like we all knew) the format would be broken. But you can be sure that the movie producers aren't going to treat this with logic ("Oh, so it can be copied. Big deal, they can do the same thing with video tapes").

No, instead we're going to see a flight from DVDs. Like Star Wars was ever REALLY going to come out. Gotta love the paranoia among the studios that'll be setting in about now.

At least this came out AFTER Divx died, otherwise it would just prolong it's life.

On the upside, if they kill the DVD format for fear of copying, maybe they'll release the specs so I can play the DVDs I do own under Linux with full interactivity!
-- I'm omnipotent, I just don't care.

thanks alot

[arielb]

I'm pretty sure this means the end of DVD-or at the very least, delaying the latest titles. I guess it's VHS forever

Re:So do slashdot folks care that this is immoral?

[AxeLion]

Perhaps I'm just a tad too idealistic, but I would think that if these guys cracked the 40-bit encryption code, they would have first notified the affected companies/people.

But then again, if they did, the companies might have just shrugged it off and not done anything to make the encryption better.

Oh well ...

Where there is Media, there will be piracy.

[Craig+Maloney]

Witness the number of people in the 80's who spent time and trouble reverse-engineering copy protection. Witness the number of copy-guard "picture quality enhancers" on the market. Witness how many mods there are for game consoles (Doctor 64, anyone?) Wherever there is a media to be hacked, there will be someone hacking it. Yes, the industry might lose money on it, but on the same token, there should be no discernable effect on their bottom line. People will still buy DVDs at Best Buy in the same number that they did before. If the Motion Picture industry is really that paranoid this will encourage piracy on the internet, they need to stop making a home-based media for people to watch it. (And that would be just plain absurd.) The MPAA needs to get a reality check. There is always a way around copy protection and encryption.

Re:Take a lesson from Hong Kong?

[CryptdotX]

The American movie industry is starting to do this already. The American studio that made Titanic released a VideoCD version of it available dubbed and subbed in Chinese, on the streets at the same time as the pirate versions. I think that they were successful, although I haven't heard any news about it since.

Net Impact on Movie Industry: Zero

[ewhac]

I've thought about this a lot, and I've come to the conclusion that the movie industry really has nothing to worry about from unauthorized copying. The facts, simply, are these:

• DVDs are cheaper to produce than video tapes.
  A lot of manual intervention is required in the mass duplication of video tapes. Basically, you have a wall of VCRs which record at 2x normal speed. So it takes about 45 minutes to make a batch of 200 or so tapes. These machines are frequently attended by a human operator (who costs money). DVDs, on the other hand, are pressed like CDs in an entirely automated process. Thousands can be stamped out in an afternoon. The manufacturing costs for DVDs is less than one-fifth that of video tapes, a savings which, of course, is not passed on to the consumer. So, while their PR department whines shrilly about "piracy" (a term used more for its emotional overtones than its accuracy), the studio is raking in even more money than before.
• Copying of DVDs over the Internet is a non-issue, even with the advent of broadband.
  The number of people who are going to A) spend hours downloading a 5 gigabyte file, and B) spend 5 gigabytes of hard disk space to store it (at a cost of $20/gig) is statistically insignificant. Yes, you'll probably have a college dormitory sharing movies over their 100Mbit LAN. This represents -- what? -- 0.001% of the total market? I'm surprised the studio's accounting department hasn't killed these anti-copying campaigns as an unbelievable waste of money.
• Writable DVDs will only slightly change the playfield.
  The fact is that DVD writers are expensive and are likely to remain that way for the forseeable future. Beyond that? I think we can take a lesson from what happened to the music industry with the proliferation of CD writers and MP3 files: Those companies are as strong as they ever were, and there is no proof they are suffering financially (despite our fervent desires to the contrary).

What I find particularly puzzling is that the hardware companies haven't figured out that they're in the driver's seat. Toshiba et al could have easily told the movie industry, "No, you're not going to get encryption or regional lockouts. Because it doesn't matter. Our manufacturing process costs less than one-fifth of the one you're using now. Once your shareholders find out there's a process that will cut your costs and increase profits and product quality (and we'll make sure they do find out), they'll rake you over the coals until you adopt it. You will use our open, unencrypted platform, and you'll like it. The financial reality leaves you no choice."

The argument really is that simple.

Schwab

Re:Does anybody know about DVD encryption?

[Admiral+Mouse]

Two questions:

1. Is the encryption algorithm known?

2. Will consumer decks play unencrypted disks?

Yes, they will. I have many discs which are not encrypted with CSS.

----

not even 40 bit security

[gonar]

note the article states that there are 400 individual keys pressed into every dvd. this reduces the 40 bit security down to a little more than 35 bits.

that might stand up for an hour on a brute force attack by a pentium 90. if they were lucky.

MUCH more likely, a valid key would be hit early in the attack, after all, there are 400 to choose from.

Re:So do slashdot folks care that this is immoral?

[Score+Whore]

So now that some folks have figured out how to STEAL DvD data, what next?

I can't speak for you, but I have a legally protected right to make backup duplicates of tapes, cds, vhs movies, dvd movies, etc. The industry putting CSS and Macrovision on the DVDs I legally own prevents me from getting my legally mandates rights. I don't own a console DVD player. I do have a small collection of DVDs that I'd like to transfer to VHS tape so that I can watch them when I please and not have to go over to a friends house.

-sw

Can data ever be considered safe?

[Kingpin]

Have any of you ever heard of an attempt to keep data protected from copying that was successful? I haven't. Never seen a game, app with a software/hardware protection that hasn't been breached. The crackers have always "won" as I see it - perhaps it's just a matter of time before we see CRACK@home when the software business introduces long keys. Sooner or later any encryption technology (save quantum perhaps) will be outdated and basically worthless.

Kingpin

DVD Encryption? Good riddance

[Enoch+Root]

I fail to understand how this is such a shock to the industry. Why, I have partially cracked DVD Encryption a long time ago:

Let assume c is the ciphertext and p the plaintext. Simply run the algorithm to decipher c, then dump the plaintext p unto another medium. Repeat for every c.

In simple words: run the DVD, and copy it on a VHS. You'll lose these fancy functions, but the essence of the DVD is still there: a copyrighted movie.

The point is: it's silly to try to prevent the copying of a film or music, whether it's in DVD, MP3 or CD format. Who the hell cares? Copyright laws are in place, and they're supposed to prevent anyone from making money illegally off of them. However, it's not illegal per se to copy a film or a song, once you bought them legally and are doing so for personal use.

So, breaking the DVD Encryption scheme is akin to figuring out how to copy VHS to VHS. The fact that this data can be transfered over the Internet is, I think, irrevelant. The industry needs to grow up; I certainly don't see a reason to stop producing DVDs because of this.

The rule of copy-protection scheme is: sooner or later, it's gonna get broken. Surely they realised that.

"Knowledge = Power = Energy = Mass"

Does anybody know about DVD encryption?

[Thagg]

Two questions:

1. Is the encryption algorithm known?

2. Will consumer decks play unencrypted disks?

If the answers to these are 'No', then this isn't really too important, for the time being. And while it's theoretically impossible to prevent people from determining the decryption algorithm if you ever sell software players, it should be possible to build an encryption system that can be kept a secret.

thad

How does DVD encryption work?

[RelliK]

Can somebody please explain in detail how the whole DVD encryption works?

Can't you just duplicate the encrypted DVD data using a DVD-R? You'd be able to get the exact replica of the original, and play it in any DVD player, without the need to decrypt it first. Or am I wrong?

Not anonymous

[Ilmari]

good luck, since the "crackers" responsible remain anonymous

Well, according to this article (in norwegian), it was a 15-year old guy named Jon Johansen from Thor Heyerdahl high school, in Vestfold, Norway, who cracked it (He's a member of the group MoRE (Masters of Reverse Engineering), mentioned in the Wired article).

Not at all that anonymous if you ask me :)
---
Ilmari

Re:Not anonymous

[finkployd]

True, but now that I think about it, it will be tough to prove that he did anything illegal since the RealNetworks key was not encrypted anyway.

I don't think anything will happen to him.

Finkployd

Bad reporting on part of Wired

I am disappointed that Wired emphasized the word "piracy" throughout the article. They imply that the only purpose of the CSS code could be for shady people to go against the will of the copyright owners.

This simply isn't the case. They didn't bother to print the obvious fact that blank media costs significantly more than DVD movies to begin with, making unauthorized copying a waste of time and money! (Not to mention the fact that equipment to record DVDs playable in consumer DVD players is around $15,000)

I also didn't see anyone mention that copyright law does not restrict people from making backup copies of material that they own. Even the copy protection in consumer DAT machines allows this, unlike the broken CSS scheme. (Suppose I want to make sure that the DVD movie I just bought will still work 50 years from now, even if the original gets scratched or destroyed)

They missed the most important fact of all-- as long as CSS remained secret, computer users were forced to use Microsoft Windows or Mac OS to play back DVDs. Only the release of CSS to the public will make playing back DVDs on other operating systems possible. Many people have _wanted_ to go out and buy a DVD decoder card and movies, but have not because there was no support for this hardware in Linux or their operating system of choice. Hardware drivers have become available for some DVD decoder cards, but without CSS code the drivers are relatively useless.
Now, we will not have to wait much longer to watch DVDs on our machines.

oops, i meant 31 bits

[gonar]

correction: "this reduces the 40 bit security down to a little more than 35 bits."

should read: "this reduces the 40 bit security down to a little more than 31 bits."

Playstation Encryption vs. DVDs

[ronfar]

Currently, there is a war going on between Sony and mod-chippers over encryption. You see, a while ago I got a mod chip installed in my Playstation purely so I could play one disk (Samurai Spirits 1 & 2, a legitimate import version, not available in the US region.) Even though I chipped my Playstation to play games which were coded for outside my region, that same chip works for copied games too. Recently, Sony became aware of the encryption crack, and has started coding some of its disks (such as Dino Crisis from Capcom) so they will detect the chip and fail to play. Of course, now there are people coming out with new ways to get around the new encryption, including new hacked pirate disks and GameShark codes. I wonder if DVD companies will attempt something similar.

poor poor pitiful Toshiba

[technoCon]

Think of it as cosmic justice. I remember when Toshiba sold the Russians the machine tools they needed to make their nuclear submarines' propellers a zillion times quieter.

This is also a cautionary tale for cryptologists that every cryptanalyst knows by heart.

Cryptologists will often be deluded into thinking their systems are far more secure than they really are. Cryptanalysts stay in business because of this.

DVD fiasco discussions at the Yahoo RNWK board

[cyberdonny]

Come in and join the fun

Re:Take a lesson from Hong Kong?

[ewhac]

Alas, no. Another Slashdot user did. However, I've been unable to find the original post; it's probably expired.

Schwab