AACS Cracked Again

EmTeedee sends us to a blog post for a summary of the latest results in cracking AACS, from the Doom9 forums (as the earlier cracks have been) — after the DVD Security Group said it had patched the previous flaws. From the DLTV blog: "This time the target was the Xbox 360 HD DVD add on. Geremia on Doom9 forums has started a thread on how he has obtained the Volume ID without AACS authentication. With the aid of others like Arnezami they have managed to patch the Xbox 360 HD DVD add on... It appears that XT5 has released [an] application that allows the Volume ID to be read without the need to rewrite the firmware. This would mean that anyone could simply plug in the HD DVD drive and obtain the Volume ID from any HD DVD without the hassle of flashing it."

One word.

[Spazntwich (208070)]

Owned.

Re:One word.

[Ravenscall (12240)]

When will these stuffed suits learn that the more they try to limit people, the more people will fight those limitations?

Re:One word.

[ryanvm (247662)]

Oh come on, you know you wanted to make your point with a Star Wars quote.

Re:One word.

[by Anonymous Coward]

You mispelled "Pwned".

That does it!

[jhfry (829244)]

No more movies! Ever! We quit!

The movie industry.

Fine by me.

[Kadin2048 (468275)]

No more movies! Ever! We quit!

The movie industry.

That really wouldn't be the worst thing in the world. There's a huge demand for movies, but they're expensive to make and the current movie industry sucks up most of the available investment dollars. There's no "secret sauce" involved in making a movie; it's just very, very expensive, and the people with enough cash to bankroll a film would rather go with an established, sure bet, rather than taking a chance on someone or something new.

If the current players just decided to pack up and go home, the new industry that would rise up in its place would doubtless be a lot more creative -- at least in the short term -- and we'd probably see a lot of new material out of it. In time, it would probably stagnate, too, because that's the way of things.

The main problem with the current situation is that the dinosaur companies have bought protection for their business models from the government, and essentially have propped themselves up. There's nothing bad with companies getting big, but there's also nothing that says they have a "right" to stay in business, either. Failing business models deserve to die, and the companies that rely on them deserve to die, too; when they don't, you're stopping what ought to be a natural economic progression.

Re:Fine by me.

[kebes (861706)]

Good post.

This assertion:

There's no "secret sauce" involved in making a movie; it's just very, very expensive.

caught my eye. Actually I would say it's an untested hypothesis that movies are expensive. Currently movie production is basically a monopoly (actually a cartel). By definition monopolies have no competition, hence there is no incentive to try and make things cheaper. This gives rise to the massive salaries and creative accounting that Hollywood engages in. (Somehow, on paper, they actually have razor-thin profits even when the movie made 10-times as much money as the supposed budget.)

If Hollywood were replaced with something new, that was actually a competitive marketplace to make decent movies at the lowest price, I bet they would cost only a fraction of what they cost now. I imagine a movie that nowadays costs $30 million could actually be made for $600,000 once salaries became more reasonable, advertising were less extensive, and studios were forced to optimize their workflow to keep the budget down. The quality/budget ratio of independent films lends credence to this theory.

Current movie prices are massively inflated because they are a monopoly. If that monopoly were removed, I bet the new price of movies would be low enough that people wouldn't bother with unauthorized duplication... because the genuine article would be cheap enough already.

Re:Fine by me.

[smellsofbikes (890263)]

>The quality/budget ratio of independent films lends credence to this theory.

I'm not trying to be snide here, but I suspect you haven't seen very many independent films. Most of them *suck* *incredibly*, but the very best 0.1% are quite good indeed, competitive with the best stuff coming out of Hollywood. I think it's something like a Boltzmann distribution [wikipedia.org] -- Hollywood has a very steep curve, so there's not a lot of difference between their very best movies and their worst. Bollywood's best are about as good, but their worst are much worse. Chinese films, at their best, are superb, but the worst ones I've seen have been nearly unwatcheable. Then you go to an independent film competition -- I'm not talking Sundance, I'm talking some local art scene competition -- and you begin thinking to yourself "I'd pay $30 to not have to watch the rest of this."

Money doesn't guarantee a movie will be good, but it does heavily indicate the movie won't be appallingly bad.

Re:Fine by me.

[HTTP Error 403 403.9 (628865)]

I think TV killed the movie industry. A traditional movie is a dinosaur compared to TV. The level of character and plot development in a single season of a one hour drama is so much greater than a single two hour movie can provide. If the Sopranos were a movie franchise, we'd be on maybe the third or fourth movie - roughly equivalent to 6 or 8 TV episodes. It seems like movies compensate for the lack of character and plot development by using gimmicks or bigger explosions.

Re:Fine by me.

[Kadin2048 (468275)]

After reading the first sentence I thought someone was making a good point, but the signature line negates it.

My signature or the GP's?

Anyway, I think it's important to work on both fronts. First, I agree that the best bet is just to not purchase anything that's DRMed at all. But since that means basically bowing out of a large portion of our culture -- I mean, no late-model VCRs (macrovision) or tapes, no DVD players or discs, no TiVO -- I think you're going to have trouble getting enough people to follow you to make it significant. There's no point in throwing yourself in front of a tank if they're just going to run over you and nobody else is going to notice or care.

Continually breaking the DRM schemes costs the studios a lot of money. It ensures that DRM is never "fire and forget;" and it turns DRM from being a one-time cost into a continual cost center, a black hole that they need to keep pouring money into. If you can make the cost of maintaining an effective DRM system higher than the cost of the piracy that it allegedly prevents, then it will eventually go away -- either the companies will see the light, or they'll be run out of business by other companies who do, and who are more profitable as a result.

The major remaining problem is that the entertainment industry in particular has so much political influence that it's going to require a lot of vigilance and advocacy to keep them from trying to use the law to buoy themselves as they start to sink -- or barring that, pull everyone else down with them. We haven't had much luck in this in the past, hence we've seen the AHRA, the DMCA, and lately the Mickey Mouse Protection Act go through. But if we can keep the visibility of their actions high -- which is aided by putting pressure on them and forcing them to be more and more outlandish and openly anti-consumer -- while at the same time denying them revenue by boycotting DRMed products and sucking their revenue through a guerrilla campaign against the DRM systems themselves, they'll eventually be forced to quit.

Re:Fine by me.

[MobyDisk (75490)]

Dear Indie Movie Lover,

Explosions are expensive.

Sincerely,
Most people

Re:That does it!

[CogDissident (951207)]

Anyone else find it funny that this came out just as they were putting people together to push out the new updates?

I have this mental image of a guy in overalls hauling boxes and boxes of patched DVDs out to the truck, looking up at the news-monitor in the shipping yard, and just a single tear falling.

Re:That does it!

[SillyNickName4me (760022)]

I have this mental image of a guy in overalls hauling boxes and boxes of patched DVDs out to the truck, looking up at the news-monitor in the shipping yard, and just a single tear falling.

Hmm.. I'd think he'd smile tho. nice job security for a while.

I LOVE this!

[jhfry (829244)]

It seems that the /. crowd, and the tech industry in general, knew well before AACS was ever released that it would be a flop. We knew it would do nothing to prevent disks from being copied, we knew it would do nothing but hurt the consumer, and we knew it was an utter waste of money.

Yet the movie industry pushed forward, and look where it got them... exactly where we said it would, nowhere.

I can't wait until they realize that it's not worth it, and just stop concerning themselves with copy-protecting their media and instead focus on creating good movies.

Re:I LOVE this!

[suv4x4 (956391)]

I can't wait until they realize that it's not worth it, and just stop concerning themselves with copy-protecting their media and instead focus on creating good movies.

Let's keep things straight:

writers/directors/actors focus on creating good movies;
movie distribution/marketing companies focus on wasting money on copy protecting their media.
hackers concentrate ruining the cop protection efforts;
the general consumer looks at the easier way to get their movie, be it rental/torrent/buy DVD/p2p: whatever seems better value.

Re:I LOVE this!

[ben there... (946946)]

Looks like as with all media post-internet, the solution is to cut out the middle man:

1) writers/directors/actors focus on creating good movies;
-->2) movie distribution/marketing companies focus on wasting money on copy protecting their media.<--
(hackers concentrate ruining the cop protection efforts;)
3) the general consumer looks at the easier way to get their movie, be it rental/torrent/buy DVD/p2p: whatever seems better value.

Re:I LOVE this!

[Pope (17780)]

DRM or not, the current 1 freaking minute booting time for HD DVD players (dunno about BluRay) is enough to put me off the damn things.

Ouch

[Grimfaire (856043)]

Someone really needs to fire whomever the MPAA uses for deciding on security for these things. Haven't they heard the golden rule of computer security? "Security by obscurity is no security" and that's all they are doing is trying to hide a key. Find the key... no security. Sheesh....

Re:Ouch

[Kimos (859729)]

It's not the fault of the MPAA directly. It's the fundamental flaw of DRM.

Encryption works because parties A and B exchange data that is encrypted with a key that party C does not have. In the case of DRM, you have the encrypted data and you have the keys that you need to decrypt and view the data. You are in essence parties B and C. They hide the key from you in the players and software, but it's there if you know how to find it. That's why DRM can and will never work. It's security through obscurity.

Looks like

[Some_Llama (763766)]

The race is on, let me tell you from the perspective of online gaming and the cheat vs cheat detection wars:

The hackers have the edge.

But if you develop the AACS standard at least you have job security ;)

Anyone else notice...

[djdbass (1037730)]

...this is just barely 24 hours after they announced it was fixed? Great work to those involved. Hell I can't get a change approved in 24 hours!

AACS

[dattaway (3088)]

Another Aacs Crack Soon

Re:AACS

[Dorceon (928997)]

How about: AACS Ain't Cryptographically Secure

Re:this is what we needed

[prelelat (201821)]

I know what your saying and I agree with it, but having the legal right to make a copy doesn't mean that they don't have the right to try and stop you. I just wish that they would realize that most people like to buy stuff, I know I like to buy DVDs it makes me feel warm and fuzzy to be like "Hey I bought the whole (insert show or movie) series". But the truth is that its too expensive to buy everything I would like to. Production costs at this point of the DVD release have usually been covered(excluding making the menu releasing extra content and having a commentary that I never listen to except on south park dvds) the packaging and DVD for a season of south park is about 50 dollars canadian when it comes out. It probably cost them 5 dollars to make(my guess and some might say it was high some might say it was low theres 3 dvds in there with graphic lables and casing and maybe shipping not sure if the store pays for that or not) so lets say the store like HMV or Best Buy makes about 10 dollars off of the sale. Thats 35 dollar profit for the manufacture. Lets say you pay Matt Stone and Trey Parker to do their commentaries for it, they probably get a % of sales. so if you sell 100,000 dvds of one season you get 3.5 million dollars, say matt and trey take 10% each the studio is left with 2.8 million.
if you reduced the cost so that a box set costs 40 dollars using the same numbers you end up with 2 million. This gives you less profit right? Well if people are more willing to buy a dvd at 40 dollars and you get 150 000 dvd sales you end up with a final profit of 3.75 3 million dollars. Your making more money. I know nothing and I'm bored so don't take me too cereal. I know people will still pirate dvds but people will always pirate dvds, you won't stop them. Use the money that your putting into research to reduce the cost of the product and sell it and I bet you will have less people pirating or at least buying a legit copy after pirating or before making a backup. I know I would.

I find it bad form that I've paid 8*45+20(best of volume was cheaper) for my south park dvd collection. Thats almost 400 dollars. come to think of it that seems insane, and thats not my only collection. Most people can't aford that and I can see why they pirate or make backups. Would you want to go out and spend that again if your DVD got wrecked by a scratch?

Re:I were one of the cracking groups...

[mhall119 (1035984)]

It's not a matter of one cracked key being easy, and another being hard. The fact of the matter is that once you crack a device, it's wide open, there is no more cracking left to be done on that device. It also means that once you crack one device, you have access to all the movies published to date, so cracking another device doesn't gain you anything.

From my understanding, the AACS system is already a very well understood system. It is actually documented and available for public viewing. The way these people are obtaining keys is by finding design flaws in the way different devices implement the system. For WinDVD, it was found that one of the keys is available in system memory at a given point while loading the disc content, and could be captured by reading the right memory address. I'm sure something similar is happening with the XBox360 keys.

The WinDVD key was revoked by AACS, and future movies will not be playable on the cracked version of WinDVD, but a free upgrade to WinDVD will use a new key that cannot be obtained the same way. Revoking the XBox key for future movies will be more problematic, since it would presumably require a firmware upgrade, and making the HD-DVD's most popular playback device unable to play the newest blockbuster movie won't be good for HD-DVD sales.

Brute-force cracking all, or even a small number, of the AACS device keys would take years, probably tens or hundreds of years (I'm not sure exactly what the device key length is). Finding ways to make a playback device give up that information is much faster and easier. Further more, once you crack a single device key, you can get the encryption key for the content of any movie, then anybody can decrypt that movie based on that key, without need of the device or device key. Going back to the WinDVD keys, any movie encrypted with the old WinDVD key can now be decrypted, making a whole generation of HD movies available DRM-free.