HD-DVD and Blu-Ray Protections Fully Broken 682

gEvil (beta) writes "According to an article at BoingBoing, the processing keys for the AACS encryption scheme used by both HD-DVD and Blu-Ray video discs have been extracted, and a crack has been released. What this means is that there is now a method to extract the copy-protected content of any HD-DVD or Blu-Ray disc out there. This is different from Muslix64's previous crack, which only extracted the volume key for each disc. This new method bypasses this step and allows anyone to extract the data without first requiring the volume key."
  • by Anonymous Coward on Tuesday February 13, 2007 @02:16PM (#18000184)
    The time has come to make the upgrade.
  • by cpearson ( 809811 ) on Tuesday February 13, 2007 @02:17PM (#18000222) Homepage
    It puts a smile on my face knowing that a small group of unpaid media hackers are able to crack the AACS encryption scheme that took many developers and millions in R&D to create, in just a few short weeks.

    Vista Help Forum [vistahelpforum.com]
  • by MartinG ( 52587 ) on Tuesday February 13, 2007 @02:18PM (#18000226) Homepage Journal
    DRM is fundamentally broken by design. Ciphers of this kind rely on the attacker not getting hold of the key. At the same time, the recipient needs the key to get the data. It can never work because the attacker is the same person as the recipient.

    In effect, DRM is security through obscurity.

    How much longer will we have to put up with this crap before the media companies realise this and stop inconveniencing their customers and wasting our money and time as well as their own?
  • Horseshoe racket (Score:4, Insightful)

    by RichardDeVries ( 961583 ) on Tuesday February 13, 2007 @02:20PM (#18000250) Journal

    Instead of spending billions on technologies that attack paying customers, the studios should be confronting that reality and figuring out how to make a living in a world where copying will get easier and easier. They're like blacksmiths meeting to figure out how to protect the horseshoe racket by sabotaging railroads.
    The railroad is coming. The tracks have been laid right through the studio gates. It's time to get out of the horseshoe business.

    Exactly.
  • I disagree (Score:5, Insightful)

    by TheSHAD0W ( 258774 ) on Tuesday February 13, 2007 @02:22PM (#18000266) Homepage
    After reading through the article I must conclude that while the author has made decoding current discs easier, AACS has NOT been "fully cracked". The key embedded in the current software may be expired in the future, rendering this method useless for discs produced after that expiration.

    I'm not saying that this isn't a nice event, but we have further work to do.
  • Too funny... (Score:5, Insightful)

    by esarjeant ( 100503 ) on Tuesday February 13, 2007 @02:23PM (#18000274) Homepage
    When will the media industry learn that DRM strategies simply don't work?

    As soon as you can see or hear it, it is then possible to duplicate it. No amount of copy protection will ever be able to prevent that short of preventing consumers from accessing the material altogether.

    Learn to trust your consumers a little and focus on adding value to the material, and then people will buy your content. It might also help to provide some flexibility in the content licensing model, maybe giving people the option to upgrade DVD discs to HD-DVD for the same content may encourage them to continue buying media.
  • by sehlat ( 180760 ) on Tuesday February 13, 2007 @02:25PM (#18000312)
    I've said before, "safemaker, safebreaker."

    Hollywood gets ONE move in the game: "Protecting" the content.

    The rest of the world gets as many moves as it wants to get around the ConsumerRightsArentPermitted.

    So Hollywood does everything it can to make itself hated by its customers and still expects to WIN this game?
  • by mrsbrisby ( 60242 ) on Tuesday February 13, 2007 @02:26PM (#18000320) Homepage

    It can never work because the attacker is the same person as the recipient.
    That's why TPM is being pushed by DRM proponents: TPM means your computer no longer trusts you (its owner). It means that someone that can convince Verisign to sign their key will be able to have access to all your secrets- including the ones that you do not. It already happened. [microsoft.com]

    Forget all that jibber-jabber about whether they have a right to protect their "copyrights", or even if you have any rights to copy: they clearly cannot be trusted with your secrecy and your privacy.
  • Released Too Early (Score:5, Insightful)

    by MrSteveSD ( 801820 ) on Tuesday February 13, 2007 @02:28PM (#18000348)
    I think they've made a mistake by breaking it too early. They should have waited until it was much more widespread. Then again, I would imagine it is psychologically virtually impossible to sit on a "breakthrough" like that.
  • by sco_robinso ( 749990 ) on Tuesday February 13, 2007 @02:32PM (#18000418)
    ...As most people know is that you're trying to copy protect an inherently open media format. Even in theory it's very difficult to copy protect media in a widely open, public format.

    Until vastly different technology is available 20 or 30 years down the road, all that DRM is going to amount to doing is preventing the 'average joe' from copying en masse. They just have to make it difficult enough for the casual user to be deterred from copying the content. Look at the copy protection scheme on the iPod - it's basically useless, but it prevents grandma from copying bulk amounts of content. It's like how photocopiers are not a danger to printed media, as it's just 'too' difficult to walk up to a copier and copy things en masse. The industry just has to make it hard enough to deter joe user.

    The real problem for the recording industry comes in now that people are getting more and more savvy at copying content, it's becoming more and more commonplace, digital media sharing is now commonplace and digital media is now commonplace in the living room. 10 years ago MP3's were just making their way on the scene and basically only very savvy users knew what an MP3 was, let alone what to do with it. What happens when 10 years from now mobile HD video players are just as common as MP3 players, and your average iPod video has half a TB of flash storage? Copying (High-Def) DVD's at that point will be commonplace like MP3's are relatively commonplace now.
  • The Funny Thing (Score:4, Insightful)

    by s31523 ( 926314 ) on Tuesday February 13, 2007 @02:32PM (#18000420)
    It's funny, the whole DRM thing really seemed to come on strong after Napster was busted. In an effort to thwart the hackers and file sharing people this DRM thing kicked into high gear, yet these groups of people are probably the most savvy and creative buggers out there. The only people this DRM crap will ultimately hurt is the record/movie companies because the average Joe will just get frustrated when his new $40 HD-DVD doesn't play and gives an error of "unauthorized copy" or some crap and go off and not buy stuff any more. The hackers, I am sure, welcome the challenge and probably truly enjoy this cat and mouse game.
  • joke is on us (Score:5, Insightful)

    by circletimessquare ( 444983 ) <(circletimessquare) (at) (gmail.com)> on Tuesday February 13, 2007 @02:34PM (#18000450) Homepage Journal
    yes, we're all laughing because this outcome was obvious to the slashdot crowd years ago. however, the people really laughing are the blokes who sell this drm technology to the MPAA/ RIAA

    why laugh at them when you can steal their money?

    we need a committee of slashdot readers to compile a list of buzzwords and concerns of the RIAA/ MPAA, and then sell them some technovoodoo that doesn't protect them in any way whatsoever (nothing can, obviously), but continues the RIAA's/ MPAA's illusion that drm can or ever will work

    give them their false security blanket, steal their money outright, and then continue to rip them off and drive into extinction the antiquated notion of corporate media distribution channel ownership

    they need us, we don't need them. make that point explicit by bleeding them dry via all possible avenues

    win win! idiots
  • by Churla ( 936633 ) on Tuesday February 13, 2007 @02:35PM (#18000464)
    People still buy books, including audio books and eBooks, even though photocopiers exist.

    I think the recording and motion picture industries need to look at why, and follow that lead. Instead of millions in copy protection R&D, why not spend millions to improve the product? Make the product something people like owning. (Notice how bibliophiles obsess over the actual tangible book?)

    The one really viable way to control it would be to mandate that all players have an internet connection and verify the purchaser has rights to the media before playing it. Of course if people have good high speed connections to the internet there's no reason to buy the physical media, which the recording and motion picture industries simply can't abide.
  • by suv4x4 ( 956391 ) on Tuesday February 13, 2007 @02:36PM (#18000488)
    After reading through the article I must conclude that while the author has made decoding current discs easier, AACS has NOT been "fully cracked". The key embedded in the current software may be expired in the future, rendering this method useless for discs produced after that expiration.

    In theory yes, but how easy do you believe it is to update all those specialized video players, all offline?

    Don't forget: the people who buy those already had to put up with paying premium for a HDTV, expensive players, and also make sure the TV, cable and player play together through HDMI.

    If you start demanding they are hooked non-stop to Internet so they can receive the daily patches, it may just be the thing crossing the line of tolerance.

    Also: the hard part is retrieving keys from pure hardware. The new keys come as firmware updates over the network... it's even easier to update those HD-DVD/Blu-Ray rippers. After all, you even have the keys they encrypted the patches with: you have the player, don't you.

    All in all, the "super morphing update" ability of AACS seems more like a way for the AACS developers to claim "the war it's not over", when it effectively is over.

    Companies will refuse to use the new keys for their disks, since they will be incompatible with plenty of the players out there, the AACS creators will whine a bit about how "they could fix it but they don't wanna, not our fault", and this is where it'll end.
  • by Tumbleweed ( 3706 ) * on Tuesday February 13, 2007 @02:41PM (#18000572)
    And the problem with TPM is that you still have access to the hardware. If you've got that and enough time and skill, TPM eventually won't matter, either.
  • by zappepcs ( 820751 ) on Tuesday February 13, 2007 @02:44PM (#18000638) Journal
    Wrong! Break the DRM, Break it early, and break it often. DRM is dead, in fact it was stillborn. The foundational thinking behind DRM (or CRAP if you like) was so 'not right' that it's 'not even wrong' and it isn't getting any better. The more often the *AAs have to fight back with new DRM the more likely it is that we will see who in the governments is getting paid to support DRM, and then we will really have a target to ridicule, impeach, or tar and feather.

    The premise that all consumers are criminals is criminal in and of itself. Bear with me here. It defies logic and law to (analogy time) remove guns from citizens to prevent them from shooting people. It defies logic and good business sense to make .38 bullets that can only be used in guns made by one manufacturer. It defies the intent of the framers of the law in the US to presume that you are guilty until proven so, yet this is exactly what DRM is all about, the assumption that all consumers are guilty or would be if given even half a chance.

    Besides this, governments should not be propping up business models that are antiquated and broken. Desktop publishing put typesetters out of work, did the governments do anything? Trains put buggy makers out of work, did the governments do anything? That is only naming a couple of examples, but the governments seem hell bent on protecting certain industries. I can only conclude that those same governments are being well paid by those industries, for that is the only logical motivation for such infringements on citizens' liberties and rights.

    Now that AACS is cracked, time to follow the money and figure out who is getting paid and expose them as broadly as the DRM keys are exposed.
  • by hAckz0r ( 989977 ) on Tuesday February 13, 2007 @02:47PM (#18000696)
    Yes, and just how obscure can a "standard" be? I have been harping on just how stupid the whole concept of DRM is, ever since Sony root-kitted everyone. Even after Gates makes all Windows boxes a "trusted system" we can just dust off the logic analyzers and hack the BIOS. If that does not work, VMs and OS emulators will. There is no limit to the ingenuity of a pissed-off geek when they can't play what they just paid good money for, but only because of some arbitrary restriction embedded in the code. Just give a dedicated geek the binary and they will know _all_ the "secrets" about how it works. That's a given. DRM by design can never logically work no matter how much time, energy, and money the designers throw into it. It is a flawed concept by design.

  • Re:The Funny Thing (Score:2, Insightful)

    by spikedvodka ( 188722 ) on Tuesday February 13, 2007 @02:47PM (#18000698)

    The hackers, I am sure, welcome the challenge and probably truly enjoy this cat and mouse game.
    As with any game of cat and mouse... unless the mouse gives up and hides, the cat usually wins.

    cat: the hackers
    mouse: the media companies
  • Books (Score:4, Insightful)

    by ragtoplvr ( 1023649 ) on Tuesday February 13, 2007 @02:50PM (#18000728)
    We have the ability to copy books. Why do we not do that? Because books are cheap enough that it does not pay. Authors can still make a pile of money. Every other industry has gone through this phase. Content has to get less expensive, executives have to be reduced in number, pay cuts happen, then the industry can grow again. Resorting to DRM in any form will be unsuccessful because technology will overcome. The first company to recognize this, restructure appropriately, price appropriately, will win. Same as with books, computers, cars, even washing machines. My .02 Rod
  • by spikedvodka ( 188722 ) on Tuesday February 13, 2007 @02:50PM (#18000730)

    Even that approach isn't hack-proof, but it is a lot harder to dump the cpu registers under such conditions than it is to trace memory accesses.
    Not really... If you set up a VM, you can pretty much watch the registers. besides, that data has to exist somewhere in some form to get into the register
  • by tuffy ( 10202 ) on Tuesday February 13, 2007 @02:54PM (#18000790) Homepage Journal

    Security not through obscurity would be akin to keeping the decryption key from a third party so that he'll have to try and use brute force to decrypt your data. Much like how web browsers use SSL to keep packet sniffers at bay.

    In the case of DRM, the guy who wants to watch the movie is the same person that the studios are trying to keep from decrypting it. So they try and hide the decryption key in the player so the owner can't find it. Thus, DRM always boils down to finding a way of obscuring the key's location in a big game of hide-and-seek.

  • by melikamp ( 631205 ) on Tuesday February 13, 2007 @02:56PM (#18000804) Homepage Journal
    Content publishers are the blacksmiths, DVD's are the horseshoes, BT trackers are the railroads. This is the best analogy ever.
  • by badasscat ( 563442 ) <basscadet75@@@yahoo...com> on Tuesday February 13, 2007 @02:59PM (#18000878)
    If they are smart (and if the MPAA even give them another chance), the powerdvd/windvd authors will reimplement their AACS decryption code to never store the keys in memory. Without double-checking, I believe the keys are only 128 bits, they could be loaded into the SSE registers in encrypted form and then decrypted on chip. The authors will still need to take measures to prevent an OS context switch from storing the registers in kernel-private memory during the period in which the device keys are present, but that is not an extended period of time, presumably they can kick their priority up high enough that it won't happen without hurting the system much.

    And the solution the Doom9 guys will use to defeat this?

    Don't upgrade to the new PowerDVD.

    The cat's out of the bag. You can't put it back in now. The new key will be discovered even more easily than the old key, so there's no point even bothering with a key revocation.

    Your solution may make some future DRM scheme for a new media format a little more secure, but it's effectively over for AACS.
  • by piquadratCH ( 749309 ) on Tuesday February 13, 2007 @03:00PM (#18000902)

    So what is the industry's response to all this?

    Lawyers, I guess.

  • by Miseph ( 979059 ) on Tuesday February 13, 2007 @03:00PM (#18000906) Journal
    Actually, it's a very good analogy. It is intended to show the futility of DRM and copy protections (stopping the railroad) by the media giants who have shoehorned themselves into forced obsolescence (blacksmiths), and point out that perhaps instead of trying to prevent copying, which they cannot do, they should find ways to profit from it anyway (railroad tracks are made out of steel, blacksmiths work with steel, instead of making horseshoes, they could make railroad tracks, or even locomotive parts).

    And yes, for the record, I think it IS fair to say that hackers working on ways to disseminate data electronically faster and more efficiently are like the people who first put together the railroads: they are radically changing how we think about moving "goods" and conducting business; they also share some similar personality characteristics, such as creativity (to come up with ways to make things happen), intelligence (or do you think any dumbass can perform either task?), and vision (to imagine a way of doing things radically different than the ways that they are done now). DRM crackers may not be the guys laying the tracks or inventing the steam engine, but they ARE the guys designing comfortable passenger cars, figuring out where stations need to go, and showing people how much cheaper and easier it is to travel by train rather than taking a carriage.
  • by Anonymous Coward on Tuesday February 13, 2007 @03:02PM (#18000924)
    cpearson,

    It has always been easier to destroy/crack something than to create it in the first place.

    It is not a great undertaking to break a DRM scheme. It is not comparable to cracking strong encryption (which takes lots of horse power). The basic concept of DRM is fundamentally flawed and therefore open to attack.

    DRM by its nature is both widely available and has to function on a user's local device or PC. The wide availability (unlike an encrypted message with a unique key) means the attacker has easy access to both the algorithm and the protected content. This mathematically greatly reduces uniqueness. One only has to set up the correct environment and observe how it functions with a legal copy. And since the DRM scheme is most likely non-unique on a copy by copy basis the effect instantly cascades. Unlike getting a randomly encrypted file you have access to the algorithm (the software) and you have access to the keys.

    The big issue in DRM is how to obfuscate your algorithm and how to keep people from getting access to the stream in the clear. Both of these tasks are next to impossible to carry out effectively.

    So anyone, even the very same "small group of unpaid media hackers" in question, would have to spend a large amount of effort trying to come up with better and better obfuscation schemes. While cracking the DRM will take far less resources, focus, or time.

    Cracking DRM is more akin to white box QA or reverse engineering.

    All that said I'm secretly glad someone stepped up and did this :-) DRM as it exists today is pointless, useless, and gets in the way of a customer's fair use of something they have purchased.

    I'm willing to bet 5 years from now we will see far less DRM in use and those still using it won't be selling as much music or as many movies as those not using it.
  • by MartinG ( 52587 ) on Tuesday February 13, 2007 @03:03PM (#18000944) Homepage Journal
    Asymmetric ciphers are not security through obscurity as long as the key is not in the hands of the attacker. When used properly, the whole process is totally transparent and the attacker can see the encrypted data all day long and knows exactly how the system works but still can't get at the unencrypted data. It is not obscured at all.

    Security through obscurity is where the attacker has everything they need to get at the data but they just have a few hoops to jump through. Proper security is where the attacker has no chance because they are missing something (like a secret key)

    DRM gives the attacker the key (because the attacker is the owner of the media and they need the key to play it) but makes some attempt to hide it. All these attacks on DRM do not break the cipher or find a weakness in the crypto algorithm. All they do is find the key (it's in there somewhere) and use it to decrypt the content.
  • by hardburn ( 141468 ) <hardburn@wumpus-ca[ ]net ['ve.' in gap]> on Tuesday February 13, 2007 @03:12PM (#18001066)

    Poking around the Doom9 thread [doom9.org], the processing key for all current HD-DVD discs was found.

    Looking over some example source code [doom9.org], the processing key is used with the encrypted C value to build the media key, which can then build the volume key, which can then decrypt the disc.

    The MPAA can revoke the processing key, but quoting from the forum:

    Some of you are missing the true meaning of this compromise. If they revoke this processing key, we just take a player compatible with a new processing key, put in one of the titles that's already cracked, and go around in memory looking for the known key. We find it, insert a new title, look in the same place and we have a new processing key.

    Essentially, it becomes a known-plaintext attack.

  • by creativeHavoc ( 1052138 ) on Tuesday February 13, 2007 @03:17PM (#18001146) Homepage
    Web Developers and Web Content-Maker-Guys YEARS ago gave the "no right click" a try. We quickly learned that if someone wants the content off the web site, they will get it, so there is no use in trying to introduce barriers that only hurt the casual user. You don't see "no-right-click" scripts anymore, but we are still producing tons of content for the web. Much of it copyrighted, and mostly the copyright honored.

    I can't help but see this as a parent who is all too restrictive with their child, leading the child into endless rebellion that would have been avoided if moderation was used instead of a billy club.
  • by phouqhue ( 803807 ) on Tuesday February 13, 2007 @03:19PM (#18001178)
    Studios have put millions of $'s into this, and it is broken; the real protection is in file size. Imagine a 200+ gig movie, uncompressed with full DTS EX and DDHD, commentary and everything else that you could want. Now imagine trying to download that movie over the course of a few weeks or months, if your ISP allows that kind of transfer. The data rate would be so high that modern computers stutter and playback is jerky. Compressing it down to a manageable size would be defeating the idea of watching HD. This would suffice for today and maybe even a few years. Protection is in "an unmanageable file size" and "data transfer rate", for now.
  • by jridley ( 9305 ) on Tuesday February 13, 2007 @03:22PM (#18001224)
    Emulate the hardware, or monitor the chip internals. It's been done before; many of the satellite TV hacks were discovered by people that drilled/dissolved the plastic off the chips and probed the internals.
    Access to electron microscopes is pretty widespread too. Lots of university students can get access to them.
  • by Xugumad ( 39311 ) on Tuesday February 13, 2007 @03:22PM (#18001238)
    Erm, it's a simple distributed attack. While the group that succeeded was small, the cost (in man hours) of all groups that attempted but failed must also be considered, and is likely not a small number.

    I think this is a fundamental problem that the people backing DRM forget. They're massively outnumbered, and it's just a matter of making it not worth the rest of the human population's time to break their stuff. So far, not gone so well for them...
  • by file-exists-p ( 681756 ) on Tuesday February 13, 2007 @03:23PM (#18001260)

    When I think about DRM -- software or hardware -- I have in mind this image of a small vault in a cave, with a bunch of guys around it with all tools, time and motivation they need.

  • Re:Nice. (Score:5, Insightful)

    by jb.hl.com ( 782137 ) <joe.joe-baldwin@net> on Tuesday February 13, 2007 @03:26PM (#18001306) Homepage Journal
    Why the fuck would the Recording Industry Association of America care about movies being pirated, precisely?

    (Seriously, I see this far too often on Slashdot. It annoys me. A lot.)
  • by PPalmgren ( 1009823 ) on Tuesday February 13, 2007 @03:27PM (#18001336)
    There is a reason for DRM, even if it is inherently flawed in design: to keep the average Joe buying your stuff. If they stop fighting completely, you'll end up with a flopped industry. The bigger the investment they put into DRM, the more returns they get from sales, because not everyone is computer literate. The more technical they make their schemes, the more people they get buying their product instead of stealing it. Gross value goes up, even if net stays the same. Lawsuits and copyright protection are designed to scare the AVERAGE consumer away from illegal activity and narrow the possible copyright infringement targets down to a manageable size, so they can treat it exactly like cops treat druggies: go for the dealers. Copyright protection in some form or another will never die out, because if it does, a larger percentage of the population will steal the product and it will cease being a manageable problem for them.
  • by bill_kress ( 99356 ) on Tuesday February 13, 2007 @03:43PM (#18001578)
    Perhaps the inclusion of TPM in later OSes, chipsets and hard-drives will spur adoption of Linux (which presumably would just not enable such garbage).

    Perhaps TPM is going to be one of the best things to ever happen to our community...
  • Re:Nice. (Score:2, Insightful)

    by starnix ( 636547 ) on Tuesday February 13, 2007 @03:44PM (#18001588)
    I believe a "shit ton" outweighs all of those.
  • by hardburn ( 141468 ) <hardburn@wumpus-ca[ ]net ['ve.' in gap]> on Tuesday February 13, 2007 @03:53PM (#18001774)

    Lots of people already have next-gen disc players for their PC. They expect those players to play next-gen movie discs, because that's what they were advertised to do. Not allowing them to update keys would likely cause a class-action suit.

    Remember, the next-gen formats are still in their infant stages. Bad publicity now would likely kill them.

    Lastly, the entire justification for the heavy DRM in Vista is that they can play hi-def movies. If there are no more software players, that justification will be shown as bunk (it's bunk anyway, now it will just be obvious).

  • by Anomalyst ( 742352 ) on Tuesday February 13, 2007 @03:55PM (#18001816)
    I have paid for every single DVD I own. No good deed goes unpunished, I am repeatedly subjected to unskippable previews, FBI warnings, commentary disclaimers and the same fscking flying logo and equally annoying jingle at 4 places before actually getting to the content I purchased. If I were stupid enough to buy into HD/BR I additionally lose my control over the resolution I want. This isn't about Imaginary Property rights, it's about THEIR control of MY property.
  • by Tumbleweed ( 3706 ) * on Tuesday February 13, 2007 @04:02PM (#18001962)
    But i would imagine that the 'solution' will never filter down to the common man as it will be so complex only a few of us will be able to control our own hardware at that point.

    Well then *fuck* the common man. If you're too stupid to be free, that's not my problem.

    I guess only the smart people get to be rebels. The rest will just be rabble.
  • by CyberLord Seven ( 525173 ) on Tuesday February 13, 2007 @04:21PM (#18002256)
    I consider it a victory though I don't have, nor plan to have, a High Definition player. I have an HD TV, and an XBox 360.

    Why won't I buy the $200.00 HDDVD player from MicroSoft?

    Well, I've said it before, and it bears repeatin'...

    I'll buy new content when those ASS-WIPES in Hollyweird stop putting advertisements in front of the movies on DVDs! GODDAMN, I'm SICK of wading through bullshit ads for movies that stopped playing in theatres years ago when I watch an old DVD.

    Pull out your Matrix DVD or your 2001: A Space Odyssey DVD and insert it into your DVD player or PS2. What happens? THE MOVIE starts to play, doesn't it?

    Now try that with any DVD you bought in the last three or four years. Pisses you off, doesn't it? Yeah, me too.

    They can KISS MY ASS! Even though I'm not buying their HD disks I'm still laughing my ass off at this and looking forward to more penetrations of their security. (Hey, this is Slashdot. We gotta' have pron! Just not HD Pron. Pimples and hairs where they shouldn't be. YEECH!)

  • by Athenais ( 922233 ) on Tuesday February 13, 2007 @04:25PM (#18002346) Homepage
    Or as someone once put it, there is no cryptographic solution to the problem where the intended receiver and the attacker are the same entity.
  • Re:MOD PARENT Up! (Score:5, Insightful)

    by Furry Ice ( 136126 ) on Tuesday February 13, 2007 @04:44PM (#18002692)
    This is assuming the MPAA decides to allow software players to receive the new key. Granted, it would be seriously evil of them not to do so, but we *are* talking about the MPAA after all.
  • by mrchaotica ( 681592 ) * on Tuesday February 13, 2007 @05:05PM (#18003022)

    The best way for this to happen is for devices to proliferate the market which take advantage of the crack-ability of CSS: players that take ripped DVDs, store and organize them, and are as simple and intuitive as Apple products: it has to be an appliance.

    Speaking of Apple products, have you ever wondered why iTunes can't rip DVDs just like it does with CDs? It's due to a thing called the DMCA, which makes it illegal for Apple to provide such a function regardless of how technologically easy (and valuable for Apple) it would be to do. And that's why we'll never see what you suggest happen -- at least, not as long as the DMCA still stands.

  • by Harik ( 4023 ) <Harik@chaos.ao.net> on Tuesday February 13, 2007 @05:09PM (#18003090)
    AACS/CSS/Security through telling people "don't do that" is trivial to implement, for as good as you can possibly get it (fundamental flaw in the design) and they STILL managed to fuck it up.

    Basic concept: Encrypt a disk with a key that only the player has. If the player key is compromised, all disks are cracked.

    "fix" #1: Encrypt the disk content a random key, encrypt that disk thousands of times with a library of pre-generated keys. Assign each player a key, quit putting that key on the disk when it's found to be compromised. Of course, you now have to re-encrypt thousands of keys for every title released, leading to possible exposure of the master database.

    "fix the fix": Randomly create a single "production key", encrypt it with every player key, and give the 'blob' to every HD-DVD production facility. Now exposure is limited to one key that can be changed without exposing the master keylist.

    Except someone was terminally lazy, and only did it ONCE. So EVERYONE USES THE SAME PRODUCTION KEY. Way to go! If you gave each studio their own, then compromises would be limited to a single studio's works (that were produced before the key was changed).

    Worse, you introduce an attack vector to your management that effectively hides its origin. Any hardware or software player could be compromised, or you could have an inside leak of the key. As long as the exploiter doesn't say "I got this key from Sony's HD-501 player" you have no idea how they acquired it. Basically, they completely and utterly shat on the key-revocation scheme, with no possible solution.

    Whoops.

    Dear MPAA: Please contact me before starting your next harebrained content protection scheme. You can pay me millions rather than billions and I'll give you one that's not so embarrassingly horrible. I'm no cryptographer, but goddamn, it's not like you hired any security people for anything you've done yet anyway.
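The key hierarchy the comment above walks through (content key, wrapped under a processing key, wrapped once per licensed device key) is worth seeing as code. The following is an added toy model written for this thread, not code from the commenter and not the real AACS specification: the "cipher" is a SHA-256 counter keystream XOR standing in for AES, the check value is a simplified stand-in for the verification data a real media key block carries, and the device ids, keys and titles are constructed. It demonstrates the three points the comment makes: revocation works by dropping a device's entry from newly pressed discs; once the processing key itself is known, the device layer (and with it revocation) is bypassed entirely; and a processing key scoped per studio would limit the blast radius of a leak.

```python
import hashlib
import secrets


def keystream(key: bytes, label: bytes, n: int) -> bytes:
    """SHA-256 counter-mode keystream; toy stand-in for AES (not for real use)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + b"|" + label + b"|" + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def xor_with(key: bytes, label: bytes, data: bytes) -> bytes:
    """Symmetric XOR 'cipher': the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, label, len(data))))


def check_value(processing_key: bytes) -> bytes:
    """Lets a player confirm it unwrapped the right processing key
    (simplified version of the verification data a real MKB carries)."""
    return hashlib.sha256(b"verify:" + processing_key).digest()[:8]


def build_mkb(processing_key, device_keys, revoked=frozenset()):
    """Media key block: the processing key wrapped once per non-revoked device."""
    return {dev: xor_with(k, b"mkb:" + dev.encode(), processing_key)
            for dev, k in device_keys.items() if dev not in revoked}


def press_disc(content, processing_key, device_keys, revoked=frozenset()):
    """Content under a fresh title key; title key under the processing key;
    processing key under every licensed device key (the MKB)."""
    title_key = secrets.token_bytes(16)
    return {
        "mkb": build_mkb(processing_key, device_keys, revoked),
        "check": check_value(processing_key),
        "enc_title_key": xor_with(processing_key, b"title", title_key),
        "payload": xor_with(title_key, b"content", content),
    }


def recover_processing_key(disc, device_id, device_key):
    """What a licensed player does: unwrap the MKB entry for its own device id."""
    wrapped = disc["mkb"].get(device_id)
    if wrapped is None:
        return None  # revoked or unknown device: nothing to unwrap
    pk = xor_with(device_key, b"mkb:" + device_id.encode(), wrapped)
    return pk if check_value(pk) == disc["check"] else None


def decrypt_with_processing_key(disc, processing_key):
    """Once the processing key is known, the MKB (and thus revocation) plays no part."""
    if check_value(processing_key) != disc["check"]:
        return None
    title_key = xor_with(processing_key, b"title", disc["enc_title_key"])
    return xor_with(title_key, b"content", disc["payload"])


def play(disc, device_id, device_key):
    pk = recover_processing_key(disc, device_id, device_key)
    return None if pk is None else decrypt_with_processing_key(disc, pk)


def demo():
    """Returns a dict of observations; device ids, keys and titles are constructed."""
    devices = {d: secrets.token_bytes(16) for d in ("hwplayer", "softplayer")}
    shared_pk = secrets.token_bytes(16)          # the single key every pressing used
    old = press_disc(b"TITLE ONE", shared_pk, devices)
    # Revocation as designed: drop softplayer's MKB entry from new pressings.
    new = press_disc(b"TITLE TWO", shared_pk, devices, revoked={"softplayer"})
    # Per-studio processing keys, the alternative the comment argues for.
    pk_a, pk_b = secrets.token_bytes(16), secrets.token_bytes(16)
    disc_a = press_disc(b"STUDIO A", pk_a, devices)
    disc_b = press_disc(b"STUDIO B", pk_b, devices)
    return {
        "licensed_plays": play(old, "hwplayer", devices["hwplayer"]) == b"TITLE ONE",
        "revoked_old_still_plays": play(old, "softplayer", devices["softplayer"]) == b"TITLE ONE",
        "revoked_new_blocked": play(new, "softplayer", devices["softplayer"]) is None,
        # A bare processing key needs no device entry, so revocation cannot help,
        # and it carries no trace of which device it was extracted from.
        "shared_pk_bypasses_revocation": decrypt_with_processing_key(new, shared_pk) == b"TITLE TWO",
        "studio_key_scoped": decrypt_with_processing_key(disc_b, pk_a) is None
                             and decrypt_with_processing_key(disc_a, pk_a) == b"STUDIO A",
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running `demo()` gives `True` for every entry. The design point is in the last two keys: the MKB only ever authenticates a device, so a processing key that circulates on its own is indistinguishable from any licensed player's unwrapping of it, which is exactly why the revocation list has nothing to revoke; scoping that key per studio does not fix attribution, but it confines what one leaked key opens.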

  • by dpilot ( 134227 ) on Tuesday February 13, 2007 @05:11PM (#18003122) Homepage Journal
    It's merely a matter of making it hard enough to stop most attacks. By the time you're sniffing on-chip signals with RF, you're way past "most". By the way, on really good secure chips there's a heck of a lot more to the package than "a little bit of plastic." Some "secure chip" packages are designed to keep the chip from being de-packaged, or to at least guarantee that the chip will be "correctly" damaged in the de-packaging process.

    I don't doubt that with a complete lab and some really good hackers, an even well-designed TPM setup can eventually be compromised.

    But I'd also assert that a well-designed TPM setup is WAY beyond the resources of DVD John, the AACS crackers, and maybe even the distributed.net efforts.

    By the way, by that last token, all security is by obscurity, because you're always hiding the key, and ultimately that's a key part of what the TPM does.

    A few quick searches on TPM can strip away most of the arrogance on both sides, the "anything will fall" side as well as the "unbreakable" side. I can't substantiate it here and now, but I suspect that TPM can be good enough to defeat any software-only attack, and would really require significant hardware resources to compromise.

    But the key point in here is a general lack of confidence in the ??AA's ability to do good encryption/DRM. At the moment, they just don't have the mindset for it.
  • by gdamore ( 933478 ) <garrett&damore,org> on Tuesday February 13, 2007 @05:51PM (#18003812) Homepage
    TPM is just a way of saying "secure key store". Given a TPM (and put it in the TV display, rather than in the player), it is pretty much possible to secure stuff so that the only way to break will require a high degree of sophistication and an electron scanning microscope. (And in some cases, even that might not be good enough. At very high levels of security devices are shielded against most or all forms of radiation, and removing the shield erases the key store. This is called "active countermeasures" in FIPS 140-2, IIRC.)

    TPM is like a powertool. It can be used for great good. It can also be used for great evil. Which it does depends on whose hands it is in.

    (TPM, or similar approaches are very, very useful for things like secure transaction processing, digital security, platform assurance (i.e. guarantee that your OS load hasn't been compromised with a keylogger), and similar things.)

    TPM can also be used to secure media delivery. However, in order to really prevent sophisticated pirates from stealing the HD content, the _entire_ data path must be encrypted. This includes all the electrical signaling up to and including the pixels themselves.

    Then the next level of sophistication will be when somebody figures out how to use some kind of high-speed CCD or somesuch to capture the individual pixels on a high-resolution display. Of course the kind of gear required to do this would really only be worthwhile to large-scale commercial pirates -- and I wouldn't be surprised to find if _those_ guys also tried to protect the data stream against copying -- after all their illegal copies represent an income stream for them as well! (Though lacking keys, it might be hard for them to do so.)

    TPM properly done can certainly prevent casual piracy.

    The best solution to this whole problem is not to purchase DRM'd content if you care about this kind of thing. Or, just accept that when you buy a physical copy of the media, you're pretty much going to have to accept the limitations of using just that media.

    As to the concern about the fact that some studios put un-skippable ads and such on the media -- well, wait for reviews, and if it bothers you that much, don't buy the media. If enough people vote with their wallets then studios will figure it out, eventually, and give people what they want.

    Oh, and one more thing, nobody should assume that they have a God-given right to watch whatever movies or listen to whatever songs they want. The distribution companies are not legally obligated to make this content to you in the first place (in any form), after all.

    It ticks me off when people bitch and complain about DRM and such, and then go pirate stuff. If it bugs you, don't access the content at _all_. Your time would be better spent writing letters to your legislators and the media execs than stealing/borrowing/pirating (or whatever you want to call it) content that you have no legitimate right or need to access. Or even better yet, spend some time and money finding alternative content that fits with your ideals. (I think even more than lost sales, sales lost to a competitor will appeal most strongly to media execs.)
  • by Splab ( 574204 ) on Tuesday February 13, 2007 @07:14PM (#18004970)
    You only need to be compromised once and you have lost the game here.

    When the keys are out in the wild the content can be ripped, zipped and shipped. (Yeah they use rar, but this sounded cool :D)
  • by Eivind ( 15695 ) <eivindorama@gmail.com> on Wednesday February 14, 2007 @06:02AM (#18009486) Homepage
    Not to sound too pedantic, but DRM of some form still has a place. DRM should be there to discourage casual copying by non-geek people.

    Which is the opposite effect from the one the RIAA claims to want:

    • It hurts the family-mother wanting to make copies of the overused children's DVD to avoid having to buy it anew next time it gets scratched.
    • It hurts the non-technical customer who just wants to listen to his music bought for player-X 5 years later after player-X broke and he bought player-Y.
    • It harms the fully legal customer who wants to listen to his music-CD in the computer at work.
    • It harms the tourist that wants to buy some Japanese DVDs as souvenirs from his travels in Japan.
    • It harms the customer who for whatever reason needs to get a new computer. (yes, I know, there are ways -- but it's extra hassle)

    Meanwhile:

    • It has no effect whatsoever on those that get their music from p2p.
    • It has no effect whatsoever on the large professional commercial pirates. (those that copy and *sell* copyrighted material)
    • It has no effect whatsoever on the cracker-team that get a kick out of being the first to "release" whatever new music or movie to various p2p-networks. It may even *add* to their prestige.

    I don't see how this adds up to "90% of the goodness", nor how it amounts to "5% of the annoyance".

    More like 90% of the annoyance for 5% of the benefits.

  • Yup, that's why we have the DMCA.

    TPMs only have to demonstrate that some effort has to be expended to circumvent them, i.e. that they are a protection mechanism (no matter how easily the lock may be picked with a tool readily available on the black market).

    I expect it will also help magnify the crime of circumvention in the judge's eyes when it is explained just how expensive the R&D was that went into developing AACS. No-one will point out that such R&D was a priori doomed at the outset (and comparable to R&D into perpetual motion devices).

    DRM is not the problem. DMCA is the problem.

    Pay for art, not for copies.
