I don't know about you, but I don't keep original copies of data on a USB key.
Quite - if the data is important enough to protect, it's important enough to back up. I've not had good experiences with reliability of USB sticks either - I've encountered two (in my limited experience) that had the habit of occasionally showing up as 'unformatted' when you plugged them into a PC. Mostly they worked, but sometimes they decided to vape themselves.
But then, it's a bit like expecting hard drives to never die, I guess.
Well, most of them are user-changeable anyway, if you can work out how to crack the box.
I have a Maxtor USB/firewire drive that I've had for >3 years, and the drive is dying. So I'm just going to buy a new big IDE HDD and stick it in the enclosure. They're all just IDE drives inside, after all.
There's also the fact that you can buy external USB drives in stores, but generally not an enclosure on its own, which may be a factor.
I jokingly asked if he'd tried turning the clock back on the machines.
Every single software that allows the product to be used for some time after doing a security check (e.g. an online check) can be cracked this way.
Er, well, yes. That's why I jokingly asked him that, because if it was me, that would have been the first thing I would have tried, not something I thought of after 2 days. I asked as a joke, because it never occurred to me that he wouldn't have tried that. Especially considering how clever he thought he was.
FlexLM... well... come on... this one is just so easy it's not worth talking about
I worked somewhere where we used a bit of software that was licensed using FlexLM. We were running late on the project, and near an important deadline, the software stopped working - the license had expired (joy), and we currently had no money to pay for the (very expensive) extension.
Our genius polymath borderline autistic sysadmin tried many different solutions to try to fix it, but could not do it.
After a day or two, I jokingly asked if he'd tried turning the clock back on the machines. His eyes lit up and he left the room. Came back in 15 minutes and said "Yes, that fixed it."
Then proceeded to give me some face-saving BS about how he never thought the software would be that stupid, and ranted for about 15 minutes about how rubbish FlexLM was.
I mean, don't get me wrong, FlexLM is shit, but I didn't need to hear it from someone as incompetent as him.
You forgot 3a - someone will moan about the colour scheme of the steenkin' badges, and someone else will make different versions in all the colours of the rainbow, so they can fit into your website's questionable aesthetic (which will usually include small fonts and for bonus points, poor contrast text colours), thus diluting the design/effect of the badges, but the important thing is that your website looks cool with those badges, isn't it, and maybe someone will start making pointless egocentric Code of Conduct wristbands too that would be the coolest, wouldn't it?
I wouldn't think that it would be outrageous to think that there are 50+ million iPods sitting on store shelves and in warehouses right now.
Are you serious?
Let's say the iPod was released in 2001. They've sold 100 million units. But if, as you claim, 50+ million are in stores/warehouses, that means they've sold about 50 million in the 6 years since release.
Apple refresh the iPod lines every 1 or 2 years. This means the sales life-span of a model is 2 years max.
So your argument is that Apple keep SIX YEARS' worth of stock in the supply chain? And that of that stock, 4 years' worth, or about 33 MILLION will never be sold, because a new replacement model will be out by then?
but a firmware update on disc is a MUCH easier thing to manipulate than the one on the player, that was one of the points I was trying to make
Yes, but my point was that it wasn't. Either you can decrypt the key or you can't. i.e. either you can attack the encryption algorithm or you can't. Unless I missed some breaking news, you can't. As I indicated, it's not like they'll be sending/storing the key in cleartext.
So the same methods that you mention (wait until the software has to decrypt the key(s), because it always does) will still work. I don't see that they'll be any easier, though. Now they're known, it's obviously quick to do, but I don't see that diffing the firmware will help any.
The beauty of the present situation is we now know a whole set of keys and information about those keys. Logically that makes it easier to find keys in other software no matter how well hidden
Er, not if each software or hardware player has its own key, which as I understand it, it does. (a key for each model/version, not for individual players).
So you're stuck with trawling memory for random* data again. Knowing what one private key is does not help you crack others, otherwise you have a pretty weak encryption algorithm. Barring naive implementations, of course, which I'm not saying is impossible...but for software players that cannot mandate hardware support (like a TPM style device), due to virtualisation abilities, it's hard to see how they will remain uncrackable indefinitely.
I imagine the PS3 has a 'hard to get' Private Key (or even multiple ones) on a hardened chip somewhere. So they encrypt the key during the upgrade (i.e. on the wire, and presumably store it encrypted in the firmware) with the public key, and the PS3 decrypts it with the private key on demand.
After all, if the key is currently sitting in the PS3 firmware already, unencrypted, how hard do you think it would be for people to crack the encryption without an upgrade happening?
(NB. I am not a cryptographer, I just play at being a clueless amateur on slashdot)
Having read some of the responses, and apart from Theo's arguments being dumb (like repeatedly insisting on calling use of the code a 'mistake', like Marcus fell into a well or something, when Marcus already admitted what he did), it made me wonder how he gets any real work done. I mean he left tons of responses on that thread. I got bored scrolling past them, let alone reading them.
Doesn't he have a home to go to?
Mind you, it's probably not a fun home to be in.
"Evening, dear. You're home late."
"That's because you're INHUMAN!!!"
"Whuh..?"
"Let me get a dictionary for you...DEMON!!!"
Mike: Maybe you shouldn't have poured that washing up liquid into it.
Vyv: But the manual said: "Ensure machine is clean and free of dust before use."
Mike: Yeah, but it didn't say: "Ensure machine is full of washing up liquid."
Vyv: Ah, but it didn't say: "Ensure machine isn't full of washing up liquid."
It wasn't anything to do with the follow the white rabbit feature. That was an InterActual DVD-ROM feature only available when played in PCFriendly under Windows.
No, the White Rabbit feature worked on my Samsung DVD 709 (I had the later firmware that fixed the problems it had with The Matrix DVD).
I thought the Matrix problem was to do with branching playback? (Which I believe the White Rabbit feature used, hence the problem.)
I hear about web app X. I decide I might be interested.
I go to X's web page, and it tells me I need to install a Java VM to run the app.
Even if I already have a Java VM, I'm really not interested any more.
If I don't have a Java VM, and I'm an ordinary (non-tech) person, I'm pretty much screwed anyway. It depends if Sun have decided to dick around with the Java downloading web pages this month or not.
If I'm in an internet cafe, I'm screwed too. And so on.
Requiring a Java VM is the new "You need VBRUN300.DLL". i.e. a big fecking "Stay Away!" sign.
Compiling to JavaScript means the process is this:
Compiling Java into Javascript isn't a novel idea, it's "just" some engineering by somebody who understands compilers.
Indeed, but sadly not many programmers do understand compilers. (And even fewer understand linkers.)
Other examples are CFront (the first C++ compiler) which just compiled C++ into straight C, which was then compiled by an existing C compiler, and the first Modula-3 compiler, which also just compiled to raw C.
I myself have written a compiler that took a scripting language in our game editor, compiled it to C, linked the C code into a DLL, loaded the DLL into the game editor, and ran the code all in a single UI step (in the late 90s - and I figured these techniques were pretty old hat at the time).
Like you say, deciding to compile to Javascript is hardly a new and fantastic innovation.
I believe the LOWEST price in USD I have seen is $109 for a bare OEM drive, tack on the cost of the enclosure
Actually, it makes the Elite price look sillier. Consider that the Premium system already comes with a hard drive/enclosure, then all you're doing is shipping a 120Gb drive instead of 20Gb. In the UK, that's a difference of about GBP15-20 (US$30-40) for me, as a consumer, to purchase a single 2.5" drive. I'm guessing Microsoft would get a better deal on hard drives than I do.
So basically you're paying $140 ($180 - $40) for an HDMI port, an HDMI cable, a USB cable and a 'premium black finish'. Seems expensive. Mind you, some people seem to think nothing of dropping $60-$100 on an HDMI cable, so maybe it's not so dumb after all:-).
and software update
Software duplication costs are negligible, and I expect the group responsible for the drive migration software are considered a cost centre (at least, with respect to that software).
OIC. Right. I should probably read more about that then. I am curious about it now...unless you trust the client player (which would be madness), then all possible keys must be on every disc (in some signed/encrypted/PK form). Going back to the assertion that there are sufficient keys for one per player, that's a fair chunk of data in the key region. I mean, not compared to the gigs of data for the movie, but still. Interesting...must read about it. When I have spare time. Yeah, that's it.
That is one of the extremely clever parts of AACS. Keys can be revoked for individual players.
Normal DVD players can be bought in my local supermarket for GBP20-25. When BluRay players reach a similar level of commodity, I doubt the ability to revoke keys for individual players will seem like such a useful feature.
Windows Home Server has zero TV and DVR features (see the link you provided). It is designed to not even have a screen (it doesn't even need a video card to run).
From Wikipedia:
The first light pen was used around 1957 on the Lincoln TX-0 computer at the MIT Lincoln Laboratory.
Gibson was born in 1955. That's some fast work!
That's not specific to you asking about availability of the Wii.
Every single software that allows the product to be used for some time after doing a security check (e.g. an online check) can be cracked this way.
Er, well, yes. That's why I jokingly asked him that, because if it was me, that would have been the first thing I would have tried, not something I thought of after 2 days. I asked as a joke, because it never occurred to me that he wouldn't have tried that. Especially considering how clever he thought he was.
Apologies if I didn't make that clear.
Yes.
I don't understand...they say you're not allowed to have pinatas that look like real people, but in Mexico, we do it all the time.
Aren't all textures open source?
Or do you mean they were distributed in ASCII ppm format? :-)
Are you serious?
Let's say the iPod was released in 2001. They've sold 100 million units. But if, as you claim, 50+ million are in stores/warehouses, that means they've sold about 50 million in the 6 years since release.
Apple refresh the iPod lines every 1 or 2 years. This means the sales life-span of a model is 2 years max.
So your argument is that Apple keep SIX YEARS' worth of stock in the supply chain? And that of that stock, 4 years' worth, or about 33 MILLION will never be sold, because a new replacement model will be out by then?
Well, you've convinced me.
...eminently sensible and realistic stuff...
And me without mod points :-(
Yes, but my point was that it wasn't. Either you can decrypt the key or you can't. i.e. either you can attack the encryption algorithm or you can't. Unless I missed some breaking news, you can't. As I indicated, it's not like they'll be sending/storing the key in cleartext.
So the same methods that you mention (wait until the software has to decrypt the key(s), because it always does) will still work. I don't see that they'll be any easier, though. Now they're known, it's obviously quick to do, but I don't see that diffing the firmware will help any.
The beauty of the present situation is we now know a whole set of keys and information about those keys. Logically that makes it easier to find keys in other software no matter how well hidden
Er, not if each software or hardware player has its own key, which as I understand it, it does. (a key for each model/version, not for individual players).
So you're stuck with trawling memory for random* data again. Knowing what one private key is does not help you crack others, otherwise you have a pretty weak encryption algorithm. Barring naive implementations, of course, which I'm not saying is impossible...but for software players that cannot mandate hardware support (like a TPM style device), due to virtualisation abilities, it's hard to see how they will remain uncrackable indefinitely.
* I chose that word deliberately :-)
Do you mean Visual Studio 2005? :-)
The first beta came out in 2004, I believe. i.e., before September 2005.
Here's the process:
Requiring a Java VM is the new "You need VBRUN300.DLL". i.e. a big fecking "Stay Away!" sign.
Compiling to JavaScript means the process is this:
People still view slashdot sigs? I turned them off after the n'th movie spoiler I saw.
Windows Home Server has zero TV and DVR features (see the link you provided). It is designed to not even have a screen (it doesn't even need a video card to run).
How is it going to replace MCE again?
Do you?