Forgot your password?
typodupeerror
Hardware Hacking Encryption Security Technology

New AACS Fix Hacked in a Day 362

Posted by Zonk
from the oh-day-warr-ez dept.
VincenzoRomano writes "ArsTechnica has just published an update to the neverending story about copy protection used in HD DVD and Blu-ray discs and hacker efforts against it. From the article: 'The ongoing war between content producers and hackers over the AACS copy protection used in HD DVD and Blu-ray discs produced yet another skirmish last week, and as has been the case as of late, the hackers came out on top. The hacker BtCB posted the new decryption key for AACS on the Freedom to Tinker web site, just one day after the AACS Licensing Authority (AACS LA) issued the key.' The article proposes a simple description of the protection schema and a brief look back at how the cracks have slowly chipped away at its effectiveness. It seems it'll be a long way to an effective solution ... if any. One could also argue whether all that money spent by the industry in this race will be worth the results and how long it would take for a return on investment."
This discussion has been archived. No new comments can be posted.

New AACS Fix Hacked in a Day

Comments Filter:
  • by elrous0 (869638) * on Friday June 01, 2007 @09:24AM (#19350635)

    Blu-ray discs with a further layer of copy protection called BD+ are rumored to be nearing delivery

    You know, they say the definition of insanity is doing the same thing over and over again, expecting different results. Somewhere I picture entertainment execs, having been sold a big and expensive line of B.S. by the firm that developed BD+ (just as they had been sold the exact same line by the companies that developed CSS and AACS), sitting in some board room saying "Don't worry, THIS time it's going to work!" They just don't get it. If it's viewable, it's hackable--period.

  • Bad system (Score:1, Insightful)

    by FST (766202) on Friday June 01, 2007 @09:26AM (#19350655) Journal
    The reason the current system will fail is because they are selling plastic and keys, and pretending they are selling culture. But they don't own the culture, except by a legal loophole, and the lesson is... the true owners of the culture, the people, will in the end will prevail.
  • by erroneus (253617) on Friday June 01, 2007 @09:32AM (#19350701) Homepage

    One could also argue whether all that money spent by the industry in this race will be worth the results and how long it would take for a return on investment.
    Of course it will be worth their effort. With more "criminal acts" against their technology, they will win further legislation around the world criminalizing any resistance to their business model. In the end, resist their business model and lose your freedom. (Why does that somehow make me think of the east india company?)
  • by tygerstripes (832644) on Friday June 01, 2007 @09:32AM (#19350719)
    My cat does this with spiders. Once he's got one of the hairy buggers pinned, he just sits there and waits for it to make a dash for "freedom". Then he chews another leg off it, and goes back to waiting.
    Whenever I see this happen, I'm torn between horror at the grisly spectacle of such torture, and the guilty pleasure of seeing something I hate being toyed with so cruelly. If I can live with it in my own home, I can live with it in the media market...
  • by TripMaster Monkey (862126) on Friday June 01, 2007 @09:34AM (#19350741)
    From the summary:

    One could also argue whether all that money spent by the industry in this race will be worth the results and how long it would take for a return on investment."

    Indeed...one could argue that a company would better serve its shareholders and its long term interests by eliminating copy protection completely. After all, at this stage of the game, anyone who wants a pirated copy can either make it themselves, or knows some techie guy who can. Eliminating all copy protection would save money otherwise pissed away on ineffective measures that only serve to annoy legitimate users, and would build a measure of good will and consumer loyalty that is worth more than anything deterring piracy could realize.
  • Re:Bad system (Score:5, Insightful)

    by minginqunt (225413) on Friday June 01, 2007 @09:35AM (#19350751) Homepage Journal
    But, you know, most of these hackers aren't even doing this because they desperately want to watch Pirates of the Opening Weekend IV: At Wits End, since most people have better things to do than watch Kiera Knightley and Orloomdo Bland do their best dining furniture impression.

    No, these guys break AACS simply because it's _there_, and the movie industry *dared* them to do it.

    And you know what? By making it more complicated than DeCSS, they made BD+ and AACS simply become *even more fun* to hack.

    These guys should befriend some supply-side economists to learn about incentives and how they work.
  • by SkyMunky (249995) on Friday June 01, 2007 @09:37AM (#19350779)
    I would have already bought an HD-DVD player had there not been DRM in place. If I knew I could make copies for myself, rip to a portable or my laptop easily, etc., I would already own an HD-DVD player an several movies for it. I guess the Industry doesn't take my demographic into account as it must be a minority, but surely there has to be some up-side to playing nice with consumers and letting us make copies/rips of their movies. I used to buy music, too, when I knew I could copy/mix/etc.
      Would they lose a sale here and there because somebody copies a movie for a friend/family/neighbor? Yes, of course. Are they going to anyway? Yes. But...are they losing sales because of DRM in place? I think lots.
  • by erroneus (253617) on Friday June 01, 2007 @09:39AM (#19350799) Homepage
    You're not looking far enough down the road to where this all leads. Hell, you're not even looking back on the road we've all be travelling where all of this is concerned. They know there is no knot that cannot be untied. What they are winning is the sympathy of lawmakers who are increasingly adding to the penaties of copyright infringement, writing new laws around the globe and generally extending copyright indefinitely. It's the quicksand they have us trapped in that they are after. The more people resist, the more legislative backing they receive. How long before whistling a tune as you walk down the street will get you arrested?

    Music [and the arts] may have charms that will soothe the savage beasts in all of us, but these people want you to pay for the remedy and will do anything to make sure you do!
  • Blank Stare (Score:2, Insightful)

    by WED Fan (911325) <akahige&trashmail,net> on Friday June 01, 2007 @09:40AM (#19350815) Homepage Journal

    The reason the current system will fail is because they are selling plastic and keys, and pretending they are selling culture. But they don't own the culture, except by a legal loophole, and the lesson is... the true owners of the culture, the people, will in the end will prevail.

    I'm sure you thought that was deep, but dude, put down the stick, exhale, and re-read your lines.

  • Simple solution (Score:4, Insightful)

    by gr8_phk (621180) on Friday June 01, 2007 @09:41AM (#19350821)
    If the MPAA want to protect their stuff they shouldn't license the decryption algorithms to PC implementations. You'd think they would have learned that with DVD. Don't put secret algorithms on widely available hardware with lots of debuggers and hacking tools. Duh.
    This would slow down the crackers a LOT - but not entirely.
  • dvd sales (Score:5, Insightful)

    by dAzED1 (33635) <brianlamere&yahoo,com> on Friday June 01, 2007 @09:48AM (#19350881) Homepage Journal
    I know this has been mentioned before a million times, but...have dvd sales really been hurt that bad by the encryption for dvd being broken years ago? Those that will rip, will find a way to rip. The rest will buy the blueray/hd dvds.

    Unless the industry is wanting to try a dramatic price hike, which would cause those on and near the fence to rip too...?
  • Re:Bad system (Score:4, Insightful)

    by BosstonesOwn (794949) on Friday June 01, 2007 @09:48AM (#19350893)
    Or how about simply stop trying to protect "content" I paid for and let me use it as I see fit.

    This "war on piracy" crap has to stop , all it is doing is creating a false market for companies to sell them content management (and I use the term loosely) systems.

    They need to rally sit back and look at the hacks that are widely available. Satellite , software , hell even bank cards. They need to either make the system more expensive to break , so there is no point in cracking it , but just buying the disc or they need to embrace what the people want.

    Since at this point you are driving your customers away I would choose the second option , don't DRM the discs and let people use the content they paid for. Why make them pay 3 times for the same content, that is just basic bad business and money mongering.
  • Re:DRM == FRAUD (Score:3, Insightful)

    by Aladrin (926209) on Friday June 01, 2007 @09:50AM (#19350903)
    Other things there's never been a working system of:

    Antigravity.
    Perpetual Motion.
    Sharks with Frickin Lasers on their heads.
    Space Flight. -- Wait, we did that one.
    Pocket Computers. -- No, sorry, that one too.

    Seriously, just because it's never worked before is -not- proof that it never will. There's -plenty- of reasons, but this is -not- one of them.

    To companies, copy protection is -not- completely useless, so we'll never see content completely free from DRM. Expensive DRM is pointless, though, as it provides nothing extra.

    Why isn't it completely useless? Because their work is covered under additional laws other than just copyright. Cheap vs Expensive DRM makes no difference here, the law doesn't differentiate.
  • by hal2814 (725639) on Friday June 01, 2007 @09:50AM (#19350905)
    "...anyone who wants a pirated copy..." (emphasis mine)

    Aha, but that's the key. Most people don't necessarily want a pirated copy. They just want a copy. If the copy protection can be difficult enough to get around to not make it worth the average person's time, then they won't bother getting a pirated version. People who make a conscious effort to pirate the material cannot be stopped, but if you can make it difficult enough to pirate nobody else will bother. I think the movie industry massively failed in that regard with DVDs. It became far too easy to pirate them. I also think they'll also fail here, but I do see why they keep trying. If they can just make it hard enough, most people won't bother.
  • by thefinite (563510) on Friday June 01, 2007 @09:53AM (#19350937)
    If I understand how the new AACS implementation will work, consumers with devices using it will need to install the new key every time it is released, if they want new movies to play. The stupidity of this is that people who want to copy a movie probably have no problem finding the new crack. No matter how often a new key comes out, within a day they can crack and copy.

    The only people inconvenienced by this system are the people who just want to watch the friggin' movie they just bought! I shudder to think of how my mom would deal with the situation if she just bought a new blu-ray movie and found it wouldn't play because she doesn't have the latest key. I hope they give up on releasing new keys soon.
  • by dAzED1 (33635) <brianlamere&yahoo,com> on Friday June 01, 2007 @09:53AM (#19350939) Homepage Journal
    eh, not really. You buy (I'd wager) dvds, and those have DRM.

    Aside from the bad PR they get from displaying their greed, the only thing actually preventing sales is the format war itself.
  • by Magada (741361) on Friday June 01, 2007 @10:13AM (#19351163) Journal

    Does anyone else silently cheer whenever you read a headline about DRM being cracked?
    Hell no. I cheer very loudly indeed.
  • Re:Bad system (Score:3, Insightful)

    by OldeTimeGeek (725417) on Friday June 01, 2007 @10:18AM (#19351205)
    Since at this point you are driving your customers away I would choose the second option

    When the customers that they're potentially driving away are a very small part of the overall base, why should they care?

    The DVDs that that majority of people buy will never be used anywhere but in their DVD player. It'll work just fine in their home computer too - all DRM breaks is the ability to make copies, something that most people don't do. If the DRM doesn't break their player in some way, which it generally doesn't, they will never know no even care that it is there.

    And why should they? These people aren't stupid, it's just that the encoding that is put on the disks is completely transparent to them and largely affects their ability to play the disks in not at all.

  • by AlHunt (982887) on Friday June 01, 2007 @10:20AM (#19351247) Homepage Journal
    Honestly, consumers just need to start voting with their dollars - don't buy copy-protected DVDs, don't buy CDs until RIAA knocks off intimidating people, don't patronize lawsuit-happy companies.

    The bottom line is that Joe Average just doesn't mind being pushed around as long as he's comfortable. Very discouraging for the future of free will, independent thinking, privacy, security, liberty and other non-socialist, non-communist ideals in the USA.

  • by alienw (585907) <alienw...slashdot@@@gmail...com> on Friday June 01, 2007 @10:23AM (#19351261)
    Actually, there hasn't been an actual hack yet. These "hacks" are what the key revocation procedure is intended for. It isn't like DeCSS, where knowing the algorithm was enough to bruteforce thousands of keys. If the AACS LA wanted to, they could stop giving out new keys to software-only players and stop this type of hacking in its tracks.
  • Pretty funny (Score:3, Insightful)

    by gweihir (88907) on Friday June 01, 2007 @10:33AM (#19351391)
    Personally I believe that as long as they allow software players, they do not have a chance to lock this down. Hardware-only players, on the other hand, will be expensive and are currently not available. And then it will still be possible to record the movie, just a little more expensive and using some hardware-hacking. Nothing that a bright EE student could not do in 2-3 months of spare time....

    Will be interesting to see whether they learn that this is not the way before or after ther business will have entirely gone away.
  • by c00rdb (945666) on Friday June 01, 2007 @10:34AM (#19351399)
    Except the less you buy, the more the industry claims that those losses are due to piracy. It's a never ending cycle.
  • by Abcd1234 (188840) on Friday June 01, 2007 @10:42AM (#19351533) Homepage
    something I hate being toyed with so cruelly

    Totally OT, but OOC, why the hate for spiders? Personally, I love the little buggers. They eat flies and other pests, and otherwise mind their own business. Sounds like a good deal to me...
  • by radtea (464814) on Friday June 01, 2007 @10:43AM (#19351553)
    Why does that somehow make me think of the east india company?

    Because the East India Company made a lot of money for a while and then went into decline and ultimately failed due to the huge cost of trying to maintain control of the areas it had attempted unsuccessfully to monopolize?

    At least the Company's business model didn't violate the laws of nature, which is more than can be said for the studios.

    Bits can be copied. Basing your business on the belief that some bits can't be copied, or that some bits can even be made quite hard to copy, is like basing your business on the belief that some mass can be made to have just a little bit less inertia than it normally would.

    Perpetual motion machines are the only thing that is unpatentable because they cannot work. We will eventually see the time come when DRM systems are unpatentable for exactly the same reason.
  • In addition. (Score:4, Insightful)

    by pavon (30274) on Friday June 01, 2007 @10:45AM (#19351591)
    To add to erroneus's nonerroneus post, the main thing that they get out of DRM and the DMCA is the ability to dictate exactly what every electronic media device in this country can and cannot do. DVD burners are becoming as common as CD burners, but burning DVDs for your friend is not as common as burning CDs as because you cannot legally purchase software to do so. At the same time it hurts customers (especially ones with young kids) who cannot legitimately backup their DVDs. You cannot copy videos from DVDs onto portable media players, because the companies that sell them are afraid of being sued. Only one company that I know of has prevailed in court over something like this, and they had were sued despite having copy-protection mechanisms built into their device. They want you to buy multiple copies of your videos because that makes them more money.

    And it has been working. The number of people who practice wholesale piracy is and always has been fairly low - what scares them is that it might become more widespread if the general public were allowed access to technology which they might abuse. I don't think that is true, and I think it is fundamentally wrong to put restrictions on an entire country just because you fear that some might abuse their freedoms, but that is where they are coming from, and in their eyes DRM has been successful in achieving that goal.

    But the real heart of the issue is that they want control for its own sake - not just because they have specific things they want to enforce, but because they have been in control for so long and letting go of any of that frightens them. They don't know what the future holds, and so their reflex is to tighten their grip as much as possible.
  • by z0M6 (1103593) on Friday June 01, 2007 @10:47AM (#19351617)
    How long before whistling a tune as you walk down the street will get you arrested? Seriously, if you (as in all of us really) let that happen, then you deserve it.
  • by mgblst (80109) on Friday June 01, 2007 @10:54AM (#19351709) Homepage
    Honestly, consumers just need to start voting with their dollars - don't buy copy-protected DVDs, don't buy CDs until RIAA knocks off intimidating people, don't patronize lawsuit-happy companies.
     
    Which well never happen. It makes people feel very uncomfortable to have to think about the ethical choices they make before they buy (this counts for things like clothing and coffee as well). They would rather not hurt their brains that much. Those are the ones that even cared enough to find out that buying some products are bad, which the majority won't, unless some celebrity happens to take a stance. Have you noticed the shift to more and more brain-dead celebrities these days?
  • by alienw (585907) <alienw...slashdot@@@gmail...com> on Friday June 01, 2007 @11:00AM (#19351813)
    I don't think it would be possible to extract keys from hardware, if said hardware is well-implemented. Granted, I wouldn't be surprised if the keys were stored in a poorly-encrypted external ROM, but hacking hardware is still orders of magnitude more difficult and expensive than hacking software, and well-protected hardware is pretty much impossible to crack. Any kid with an internet connection, a decent debugger, and a pirated copy of IDA can crack a software player, but hardware usually takes inside knowledge. Of course, the main problem with key revocation is that owners of the revoked players will be rather pissed off. Unless the AACS LA wants to buy them new players, there has to be some kind of update mechanism -- which is a security hole. So yeah, this scheme still has pretty decent sized holes.
  • by veganboyjosh (896761) on Friday June 01, 2007 @11:02AM (#19351845)
    If current trends continue, media sales will continue to drop (be it from piracy, or disinterest, or whatever legitimate reason/s), they'll totally crumble and go away. At that point, it won't matter what the real reason is, so long as they go away.
  • by TheGavster (774657) on Friday June 01, 2007 @11:13AM (#19352047) Homepage
    I wouldn't put it past the record companies (and the current trend of economy-controlling governments) to get the American government to buy licenses for the whole population one day, under the argument that they can't effectively license individuals. This is something that has already been done on some college campuses with music subscription services.
  • by Skye16 (685048) on Friday June 01, 2007 @11:21AM (#19352189)
    I love their function, I despise their implementation.

    Just looking at them for an extended period of time gives me the gibblies and I can't stop until i /flee.

    All the same, when I do see a spider in a non-important place in my house, I just do my best to not look at it and vacate the room as soon as possible. I know they do a good job, I just wish I never had to be confronted by their existence.
  • by Ngwenya (147097) on Friday June 01, 2007 @11:48AM (#19352573)

    I don't think it would be possible to extract keys from hardware, if said hardware is well-implemented.


    Yes - just a small matter of implementation :)

    You are correct, of course, that hardware key storage is generally more effective than software storage. The problem, however, is that key storage isn't the end of the story. Sure, you can embed a TPM chip in epoxy resin, and surface mount that chip onto the motherboard - but it can still be removed. Tricky, yes - error prone, also true. But it can be done. Which means that, assuming it's not some totally proprietary design it can be inserted into a standard PC motherboard and exploited from there. If it is a completely proprietary chip, well, the record of such security systems working is less than stellar. Tends to be of the same order as proprietary crypto algorithms. In using AES, the AACS designers made at least one good technical decision.

    Even if not removing the key storage device, the buses which connect it to the rest of the system are still subject to probing via ICEs. And all of this assumes that the electrical characteristics of the systems don't exhibit any exploitable variances like key-dependent delays in processing (side-channel attacks).

    And even if you had that down pat, you've still got the fact that the connection from device to display is only protected by HDCP, which was cracked years ago. And there's no real protection on digital audio outputs, so capturing that frame-by-frame and remuxing to high quality rips would still be eminently possible. The only reason there aren't HDCP strippers and HD capture devices all over the place is because AACS has been rendered moot. If the keystream still held secure, you'd simply see another attack vector.

    Now here's the other problem: in order to get the backing of people like Microsoft and other likely media centre manufacturers, the HD-DVD camp had to promise Managed Copy (Blu-Ray said they would also provide it). In other words, they had to promise that copying to a non-hardware-secured device would be possible. And if you just shift the problem onto the the PC that way, you haven't really bought anything.

    All told - your analysis is spot on - h/w only operations are harder to crack. But from a technical and business commitment standpoint, it wouldn't make any real difference. The incentive to crack is far greater than the technical obstacles in place.

    I suppose it all comes down to the age old cliché - security is a process, not a product. And with AACS, it seems that the content producers have only semi-digested that point. Without control of the entire delivery chain - something that is both technically and legally impossible you cannot square the circle of both giving someone the key and not giving it to them at the same time.

    --Ng
  • by bracktra (712808) on Friday June 01, 2007 @01:36PM (#19354335)
    For all interested, Ari Fleischer -- ex-bush press secretary -- has made a more detailed whine [64.233.167.104] using this same statistic.

    It is also useful to consider other statistics such as how much income [cbpp.org] the wealthiest one percent actually makes. When it comes to actually living life, 50% of hundreds of thousands of dollars to billions of dollars is much different than 50% of ten to twenty grand [census.gov]. It's the difference between "Am I going to be able to buy a boat upon which to stand around and drink alcoholic beverages?" and "Can I afford a place to live and food to eat?".
  • by Xtravar (725372) on Friday June 01, 2007 @01:57PM (#19354687) Homepage Journal
    Do you think those iPod owning kids are fit to do anything?

    Really.

    Think about your average high schooler walking down the hall listening to his or her iPod.

    Where do you see that person in 10 years? 20?

    We're raising a(nother?) generation of cattle, addicted to pop culture and unaware of the world.

    Like any of them will have a clue. They'll get into power and maintain the status quo.

    But it's nice to have hopes!
  • by AlHunt (982887) on Friday June 01, 2007 @02:37PM (#19355347) Homepage Journal
    >I think the bigger thing people need to do is start voting with their votes.

    I agree. We should never re-elect an incumbent, ever. Power and influence start to grow around them. No matter how "good" they seem, send them home to live with the consequences of their actions while in office. But, it'll never happen that way because as I said earlier "The bottom line is that Joe Average just doesn't mind being pushed around as long as he's comfortable"

    Truly a sad situation in America today.

  • Re:dvd sales (Score:3, Insightful)

    by debest (471937) on Friday June 01, 2007 @02:55PM (#19355625)

    have dvd sales really been hurt that bad by the encryption for dvd being broken years ago?

    Quite the opposite: I would not have purchased any DVDs or a DVD player until the copy scheme was broken. I have a small child in my house: you think I let her anywhere near the purchased copies of her movies? She gets the burned copies only.

    I gotta say, though: to VHS's credit, those tapes are fairly tough. My daughter can handle the video tapes all she wants. But DVDs are far more fragile: I've had to re-burn "Madagascar" a couple of times for her, and she's really not that rough with the discs.

    (Oh, and the fact that DVD Shrink lets me make discs that start playing the movie immediately on inserting the disc into the player is a huge bonus as well. If DVDs were indestructible, this feature makes the process worth it by itself.)
  • by mpe (36238) on Friday June 01, 2007 @06:15PM (#19358539)
    And to be honest, what we have in the USA is socialism. We redistribute the wealth all the time, from rich states to poor states, but from poor people to rich people. Think about all the government pork for the well connected. That's a form of socialism, only its socialism for the wealthy.

    Another relevent term might be "corporate socialism" where the redistribution is more to corporate than actual people...

With all the fancy scientists in the world, why can't they just once build a nuclear balm?

Working...