From what I recall, id claims to have used DES to encrypt the keys. I'm guessing they simply encrypted a serial number with a secret key (that only id knows). Only the authorization server checks the key -- the game only checks whether the key is in the right format. While DES isn't uncrackable, it's not that easy to break either. I think it's unlikely that a real keygen exists. A more plausible explanation is that your copy wasn't actually new. Game stores often have equipment and supplies to reseal a box, and I've known some employees to "borrow" a game from the store.
It looks like Viacom automated their DMCA complaints, and included several videos in their DMCA notifications that they clearly don't hold the copyright to. One of the affected users also writes a Harvard law blog, and posted about it.
I always thought a system like this would be great for initiatives and referendums.
Why would this succeed if electronic voting is so hard? Well, electronic voting is hard because you have to provide security and anonymity. Take out one requirement and it becomes easy. Since initiative and referendum petitions require your name, address, and signature, anonymity is no longer required. Even if security was compromised, the proposals would still have to be voted on in a proper election.
A system like this would also solve a problem with the current system: to get enough signatures, paid signature gathers are virtually required. Good ideas may never see the light of day simply because the financial backing isn't there.
Agreed. If you read the letter, at the very bottom, they grant a license to use the parody logo on products sold at the CafePress store, just in case one is needed. For example, someone wanting to use the proper trademark could convince the court that such commercial activity wasn't fair use, and that a license was needed, and since Linden Labs didn't enforce or license the mark, it should be invalidated. This covers their ass while still allowing the parody.
Err... Not quite. Not all of the SysInternals tools were migrated, and NONE of the source code was. Microsoft's hiding behind some pretty lame excuses (e.g. "They're using undocumented APIs!" or "Hackers are using it to make spyware!") for not distributing the source code.
If you look at the first page of the 2003 patent, it says that the patent is a continuation of another (filed in 1999), which is a division from an application filed in 1996, which became this patent. So, they started the ball rolling in 1996. The details make my eyes glaze over, so I'm not sure how different the patents are, but on the surface, they appear to be based on the same research. It's possible that the patent system moves to slowly that it wasn't until 2003 that the research was fully covered.
Actually, the athletics department is self-supporting. They don't receive any money from tuition, royalties, etc.
The University policy on IP revenue is here, but after administrative expenses are deducted, it basically boils down to 1/3rd going to the inventor, 1/3rd going to the department the inventor works in, and 1/3rd goes into University-wide research funds.
That article is wrong is one regard: "CSS relied on a single set of keys that were used to encrypt every DVD and were provided to every DVD player, both hardware and software."
CSS also uses different player keys. The three big differences between AACS and CSS is that AACS has many more player keys (CSS only had ~400), once one player key was discovered, you could easily discover all of the other player keys, and weaknesses in the encryption algorithm made it possible to discover the title keys without any player keys.
As the video said, the real story isn't the software released (it merely implements publicly-available standards), but that title keys could be obtained from PowerDVD.
The big problem with the new DRM technologies is that it requires new hardware. Up until very recently, it was nearly impossible to get video cards that support HDCP. Even when the GPU claims to support HDCP, the cards usually lack the cryptographic keys to make it work. The situation is slightly better with monitors, but there's still a huge installed base of expensive LCDs that don't support it. Users are going to be very cranky if they suddenly find the content that they purchased won't play unless they replace their monitor and video card.
I really don't understand why the movie industry is so concerned about high-definition video being sent to the monitor in the clear. Pirates will settle for movies recorded by a video camera in a theater, so they probably won't mind a reduced-resolution rip. If anything, it's easier to pirate the down-sampled version, simply because the high-definition output uses so much bandwidth (1080i uses something like ~1.5 Gbps!).
Carriers can already determine your phone's location (thanks to the Wireless E911 mandate), and third-party companies like Navizon are already beginning to do the same thing independently of carriers.
Now, imagine you're Google, and you own the service. You notice that it's lunch time and the user hasn't stopped for lunch, but they're near a fast food advertiser. You could send an SMS with a coupon to the user.
Now, I don't know that they'll necessarily follow this model, but there's plenty of things to analyze and target without being much more invasive than current carriers.
Actually, what you want has already been done, to a certain extent. Enter Monzy's "Unsafe Search".
It works by submitting your query to Google twice: once as a regular query, and once with Google's "SafeSearch" enabled. It then subtracts all of the "SafeSearch" results from the regular query, leaving you with only the hits that Google deems "unsafe." Brilliant!
Better yet, what happens if the virus repeatedly switches the product key? MS would likely give instructions to victims on how to switch the product key back to the one glued onto the machine's case, but each time you switch it back to a legitimate key, it'd have to reactivate. Eventually, the key will refuse to be activated on suspicion on key sharing.
If MS takes steps to ensure that valid product keys can always be activated, then they'd introduce a new way of pirating keys.
The reason Cisco is patenting this is because they now own Scientific-Atlanta... except the patent was applied for in 2000, and the acquisition of Scientific-Atlanta was only announced in late 2005.
Looking through the WGA trounleshooting forums, it appears that MS is already blocking VLKs (Volume License Keys) based on their IP address. The most common way to block VLKs by IP address seems to be by region. For example, there's little chance that an OSU license would be legitimately used in Chna, so it'd block that VLK from Chinese IP addresses. If there is a legitimate need to use a volume-licensed copy there, either a VPN would work, or MS could easily issue a seperate key (and they have big incentive to do so).
I agree that buffers should prevent decryption jitter from being a problem. In fact, the data still needs to be decompressed before it's passed to the DAC, and that would probably add its own jitter. However, I could see a very paranoid design, with a seperate CPU and audio chip, re-encrypting DRM-protected content before it's sent to the audio chip. A really bad design might not have any buffer before the DAC.
Again, I doubt this actually happens in practice, but it seems plausible.
I agree that DRM'ed music should sound no different, but let me play devil's advocate for a minute.
It might be possible that the decryption algorithm introduces some jitter by taking a varying amount of time to decrypt a chunk of data. A poorly-engineered system might pass this jitter through to the DAC, resulting in degraded audio quality. It might also be possible that the decryption operations cause the CPU to introduce additional noise on the power rails, which might also impact audio quality in a poorly-engineered system.
So, I don't think it's impossible that DRM affects sound quality. I'm just not convinced that it actually does.
Banks shouldn't even BEGIN to think about this until they fix their own systems to prevent phishing.
For example, I recently went to NewEgg to buy a cheap switch with my new Visa card. It forced me to enroll in Verified by Visa. Fine. But, the interesting thing is that instead of redirecting me to my bank's domain, it redirect me to arcot.com. WTF is that?! The site looks legitimate, and they knew who my bank was, but anyone could fake that. Arcot.com then asked for the last 4 digits of my social security number. The whole experience, even though it was completely legitimate, seemed like a phishing attack.
You can't except Joe Consumer to determine whether that site is legitimate or not. And worse, it created the expectation that you must enter in this info when asked, or you can't complete the purchase before the price goes up, etc. So, when a legitimate phishing site comes around, Joe Consumer will freely give away his information.
One of the new faculty members here at the University of Washington has discovered a way to "fingerprint" remote machines based on their clock skew, which is leaked out to the world via the TCP timestamp option. NATing routers don't mask this, so you can potentially differentiate multiple machines using the same IP. This was reported on Slashdot over a year ago, and here's the actual paper.
Finally, most recently, the State of New York sued as well, and the agreement reached with AOL requires AOL to have a third party verify all cancellation calls by the end of this month.
Unfortunately, it seems like AOL is considering these lawsuits just a cost of doing business, and as a result, it doesn't appear that much has changed.
When he gave the talk at UW, I believe his argument was that a technique like this would increase the incentive to drive the image sensor resolutions up beyond what would otherwise be practical, and that Moore's law would take care of the loss of resolution quickly.
It's too bad his talk isn't available online. His was one of the few that wasn't recorded for on-demand streaming over the Internet.
A little less than a year ago, a graduate student at Stanford gave a talk on light field photography at the University of Washington. The results were extremely impressive. Basically, by inserting an array of microlenses in front of the CCD, you can determine the direction of every ray coming into the camera. You lose resolution, but who needs 8 megapixels anyway? What you DO get is the ability to refocus the image in software, and take photos in low light and still retain a high depth of field.
I highly encourage you to check out his light field photography site, including his galleries, tech reports, and papers. It'll blow you away.
You might be joking, but the US actually does want to abolish leap seconds. As a compromise to keep UTC somewhat in sync with UT1 (time as measured by astronomical observations), a leap hour would be inserted every 500-700 years.
As I understand it, if you connect an RPC-1 drive to your system, the cdrom.sys driver will emulate the region control. If you look at the drive's properties, it'll say that you have two or fewer region changes left. The region setting is saved in a fairly well-known location in the registry (HKEY_LOCAL_MACHINE\Software\Microsoft\<random junk>). Vista will remove this emulation, and will probably refuse to pass key exchange messages to the drive. (As an aside, the cdrom.sys driver only checks the RPC level on startup. So, if you change an RPC-2 drive into an RPC-1 drive, Windows no longer shows the drive as being region controlled until the next reboot.)
On the other hand, Linux doesn't have any region control emulation. Since it's not encumbered by any DVD licensing contracts, it can simply pass the key exchange messages to the drive. So, it really wouldn't make sense for it to "be considered for Linux."
Slashdot Mirror
From what I recall, id claims to have used DES to encrypt the keys. I'm guessing they simply encrypted a serial number with a secret key (that only id knows). Only the authorization server checks the key -- the game only checks whether the key is in the right format. While DES isn't uncrackable, it's not that easy to break either. I think it's unlikely that a real keygen exists. A more plausible explanation is that your copy wasn't actually new. Game stores often have equipment and supplies to reseal a box, and I've known some employees to "borrow" a game from the store.
It looks like Viacom automated their DMCA complaints, and included several videos in their DMCA notifications that they clearly don't hold the copyright to. One of the affected users also writes a Harvard law blog, and posted about it.
I always thought a system like this would be great for initiatives and referendums.
Why would this succeed if electronic voting is so hard? Well, electronic voting is hard because you have to provide security and anonymity. Take out one requirement and it becomes easy. Since initiative and referendum petitions require your name, address, and signature, anonymity is no longer required. Even if security was compromised, the proposals would still have to be voted on in a proper election.
A system like this would also solve a problem with the current system: to get enough signatures, paid signature gathers are virtually required. Good ideas may never see the light of day simply because the financial backing isn't there.
Agreed. If you read the letter, at the very bottom, they grant a license to use the parody logo on products sold at the CafePress store, just in case one is needed. For example, someone wanting to use the proper trademark could convince the court that such commercial activity wasn't fair use, and that a license was needed, and since Linden Labs didn't enforce or license the mark, it should be invalidated. This covers their ass while still allowing the parody.
Err... Not quite. Not all of the SysInternals tools were migrated, and NONE of the source code was. Microsoft's hiding behind some pretty lame excuses (e.g. "They're using undocumented APIs!" or "Hackers are using it to make spyware!") for not distributing the source code.
The Winternals Administrator's Pak is also ">being discontinued, and have its functionality available only to those with Software Assurance agreements.
If you look at the first page of the 2003 patent, it says that the patent is a continuation of another (filed in 1999), which is a division from an application filed in 1996, which became this patent. So, they started the ball rolling in 1996. The details make my eyes glaze over, so I'm not sure how different the patents are, but on the surface, they appear to be based on the same research. It's possible that the patent system moves to slowly that it wasn't until 2003 that the research was fully covered.
Actually, the athletics department is self-supporting. They don't receive any money from tuition, royalties, etc.
The University policy on IP revenue is here, but after administrative expenses are deducted, it basically boils down to 1/3rd going to the inventor, 1/3rd going to the department the inventor works in, and 1/3rd goes into University-wide research funds.
That article is wrong is one regard: "CSS relied on a single set of keys that were used to encrypt every DVD and were provided to every DVD player, both hardware and software."
CSS also uses different player keys. The three big differences between AACS and CSS is that AACS has many more player keys (CSS only had ~400), once one player key was discovered, you could easily discover all of the other player keys, and weaknesses in the encryption algorithm made it possible to discover the title keys without any player keys.
As the video said, the real story isn't the software released (it merely implements publicly-available standards), but that title keys could be obtained from PowerDVD.
The big problem with the new DRM technologies is that it requires new hardware. Up until very recently, it was nearly impossible to get video cards that support HDCP. Even when the GPU claims to support HDCP, the cards usually lack the cryptographic keys to make it work. The situation is slightly better with monitors, but there's still a huge installed base of expensive LCDs that don't support it. Users are going to be very cranky if they suddenly find the content that they purchased won't play unless they replace their monitor and video card.
I really don't understand why the movie industry is so concerned about high-definition video being sent to the monitor in the clear. Pirates will settle for movies recorded by a video camera in a theater, so they probably won't mind a reduced-resolution rip. If anything, it's easier to pirate the down-sampled version, simply because the high-definition output uses so much bandwidth (1080i uses something like ~1.5 Gbps!).
Three words: location, location, location.
Carriers can already determine your phone's location (thanks to the Wireless E911 mandate), and third-party companies like Navizon are already beginning to do the same thing independently of carriers.
Now, imagine you're Google, and you own the service. You notice that it's lunch time and the user hasn't stopped for lunch, but they're near a fast food advertiser. You could send an SMS with a coupon to the user.
Now, I don't know that they'll necessarily follow this model, but there's plenty of things to analyze and target without being much more invasive than current carriers.
Actually, what you want has already been done, to a certain extent. Enter Monzy's "Unsafe Search".
It works by submitting your query to Google twice: once as a regular query, and once with Google's "SafeSearch" enabled. It then subtracts all of the "SafeSearch" results from the regular query, leaving you with only the hits that Google deems "unsafe." Brilliant!
Better yet, what happens if the virus repeatedly switches the product key? MS would likely give instructions to victims on how to switch the product key back to the one glued onto the machine's case, but each time you switch it back to a legitimate key, it'd have to reactivate. Eventually, the key will refuse to be activated on suspicion on key sharing.
If MS takes steps to ensure that valid product keys can always be activated, then they'd introduce a new way of pirating keys.
The reason Cisco is patenting this is because they now own Scientific-Atlanta ... except the patent was applied for in 2000, and the acquisition of Scientific-Atlanta was only announced in late 2005.
If you are a maintenance tech, go with MSFT - rigid corporates are less likley to ride their scooters into the wall.
;)
Ah, but they're much more likely to throw chairs around.
Looking through the WGA trounleshooting forums, it appears that MS is already blocking VLKs (Volume License Keys) based on their IP address. The most common way to block VLKs by IP address seems to be by region. For example, there's little chance that an OSU license would be legitimately used in Chna, so it'd block that VLK from Chinese IP addresses. If there is a legitimate need to use a volume-licensed copy there, either a VPN would work, or MS could easily issue a seperate key (and they have big incentive to do so).
I agree that buffers should prevent decryption jitter from being a problem. In fact, the data still needs to be decompressed before it's passed to the DAC, and that would probably add its own jitter. However, I could see a very paranoid design, with a seperate CPU and audio chip, re-encrypting DRM-protected content before it's sent to the audio chip. A really bad design might not have any buffer before the DAC.
Again, I doubt this actually happens in practice, but it seems plausible.
I agree that DRM'ed music should sound no different, but let me play devil's advocate for a minute.
It might be possible that the decryption algorithm introduces some jitter by taking a varying amount of time to decrypt a chunk of data. A poorly-engineered system might pass this jitter through to the DAC, resulting in degraded audio quality. It might also be possible that the decryption operations cause the CPU to introduce additional noise on the power rails, which might also impact audio quality in a poorly-engineered system.
So, I don't think it's impossible that DRM affects sound quality. I'm just not convinced that it actually does.
Banks shouldn't even BEGIN to think about this until they fix their own systems to prevent phishing.
For example, I recently went to NewEgg to buy a cheap switch with my new Visa card. It forced me to enroll in Verified by Visa. Fine. But, the interesting thing is that instead of redirecting me to my bank's domain, it redirect me to arcot.com. WTF is that?! The site looks legitimate, and they knew who my bank was, but anyone could fake that. Arcot.com then asked for the last 4 digits of my social security number. The whole experience, even though it was completely legitimate, seemed like a phishing attack.
You can't except Joe Consumer to determine whether that site is legitimate or not. And worse, it created the expectation that you must enter in this info when asked, or you can't complete the purchase before the price goes up, etc. So, when a legitimate phishing site comes around, Joe Consumer will freely give away his information.
One of the new faculty members here at the University of Washington has discovered a way to "fingerprint" remote machines based on their clock skew, which is leaked out to the world via the TCP timestamp option. NATing routers don't mask this, so you can potentially differentiate multiple machines using the same IP. This was reported on Slashdot over a year ago, and here's the actual paper.
So, you're not as anonymous as you'd think.
- The FTC issued a complaint and ordered AOL to change their practices.
- There were two class-action lawsuits settled in 2004.
- Ohio sued and settled in 2005.
-
Finally, most recently, the State of New York sued as well, and the agreement reached with AOL requires AOL to have a third party verify all cancellation calls by the end of this month.
Unfortunately, it seems like AOL is considering these lawsuits just a cost of doing business, and as a result, it doesn't appear that much has changed.Where is this install guide you mention? I can't find it anywhere, and the Qtrax site doesn't have anything available for download.
Strangely enough, it mentions that Qtrax 5.0 was released on January 1, 2005. Did they take it down?
Sounds pretty fishy to me, at any rate.
When he gave the talk at UW, I believe his argument was that a technique like this would increase the incentive to drive the image sensor resolutions up beyond what would otherwise be practical, and that Moore's law would take care of the loss of resolution quickly.
It's too bad his talk isn't available online. His was one of the few that wasn't recorded for on-demand streaming over the Internet.
A little less than a year ago, a graduate student at Stanford gave a talk on light field photography at the University of Washington. The results were extremely impressive. Basically, by inserting an array of microlenses in front of the CCD, you can determine the direction of every ray coming into the camera. You lose resolution, but who needs 8 megapixels anyway? What you DO get is the ability to refocus the image in software, and take photos in low light and still retain a high depth of field.
I highly encourage you to check out his light field photography site, including his galleries, tech reports, and papers. It'll blow you away.
You might be joking, but the US actually does want to abolish leap seconds. As a compromise to keep UTC somewhat in sync with UT1 (time as measured by astronomical observations), a leap hour would be inserted every 500-700 years.
I wish I were making this up.
It really couldn't be considered for Linux.
As I understand it, if you connect an RPC-1 drive to your system, the cdrom.sys driver will emulate the region control. If you look at the drive's properties, it'll say that you have two or fewer region changes left. The region setting is saved in a fairly well-known location in the registry (HKEY_LOCAL_MACHINE\Software\Microsoft\<random junk>). Vista will remove this emulation, and will probably refuse to pass key exchange messages to the drive. (As an aside, the cdrom.sys driver only checks the RPC level on startup. So, if you change an RPC-2 drive into an RPC-1 drive, Windows no longer shows the drive as being region controlled until the next reboot.)
On the other hand, Linux doesn't have any region control emulation. Since it's not encumbered by any DVD licensing contracts, it can simply pass the key exchange messages to the drive. So, it really wouldn't make sense for it to "be considered for Linux."