AACS Cracked Again

EmTeedee sends us to a blog post for a summary of the latest results in cracking AACS, from the Doom9 forums (as the earlier cracks have been) — after the DVD Security Group said it had patched the previous flaws. From the DLTV blog: "This time the target was the Xbox 360 HD DVD add on. Geremia on Doom9 forums has started a thread on how he has obtained the Volume ID without AACS authentication. With the aid of others like Arnezami they have managed to patch the Xbox 360 HD DVD add on... It appears that XT5 has released [an] application that allows the Volume ID to be read without the need to rewrite the firmware. This would mean that anyone could simply plug in the HD DVD drive and obtain the Volume ID from any HD DVD without the hassle of flashing it."

One word.

Owned.

Re:One word.

When will these stuffed suits learn that the more they try to limit people, the more people will fight those limitations?

Re:One word.

Hopefully not anytime soon, as I love stories of this type.

Seriously, what was the turnaround time from a claimed patch to another breach? Was it even 3 days ago those clownshoes were crowing about it?

Re:One word.

Oh come on, you know you wanted to make your point with a Star Wars quote.

Re:One word.

Ownedbiwan Kenobi?

Re:One word.

Well, you don't have to use Star Wars. There's other cultural references to be made.

"AACS of Evil" springs to mind.

Re:One word.

As inconvenient as it is, the real reason for DVD security like AACS isn't for the consumer. Sorry, you're not that important.

When people invest millions of dollars in developing a standard like HD-DVD, Blu-Ray, or whatever comes along next (UV-DVD?), they need assurances that they will get their money back. They don't make money off of the sale of DVDs, but rather off of DVD hardware. So companies that manufacture DVDs can't just build players, they have to buy little AACS chips directly and exclusively from the standard's creator, and pay them a fee.

They don't /really/ care if you break the encryption, because no DVD-player manufacturer could ever go out and use the cracks to avoid paying Sony / Toshiba/NEC. AACS has done its job, in that sense.

I'm glad AACS was cracked. I don't particularly like the idea that I have to rely on a physical copy of something I allegedly only own the rights to "watch" anyways.

Re:One word.

Why spend millions on AACS when other DRM would work?

Two reasons: 1 - Because if it's an existing scheme, SOMEONE owns it and likely it isn't the people inventing the new standard, nor can they charge "new technology" prices on the encoding/decoding hardware. You can't really go to a mfg and tell them they have to buy the same chips they've been buying for 10 years and tell them they cost more now. No, these are new chips. See the new logo?

And 2 - Because you need to give the content creators a reason to prefer your technology, enough to get them to make the initial investment in it. "It's way harder to pirate this movie. It's HD-DVD! Encryption the likes of which has never been seen. So will you use it to stop those big scary pirates?"

Hell of a sales pitch to a dying, scared industry.

Re:One word.

Eloquently stated, and clearly thoroughly researched.

USB/Firewire is a little different than DVD technology. With Firewire, you're paying to be part of a logo consortium. You guarantee that your product will work according to their standards and you pay them a bit of money. In exchange you get to put the "Firewire" logo on your stuff. Same goes for bluetooth, and for USB. But that's because no one company controls these. They're consortia and operate differently.

But how do you suppose they enforce that payment? It's very easy to see if someone's put your logo on their product. How do you know if they used your chips or someone else's? How do you sell them multi-million dollar encryption hardware if they could just go without it? You make it required to read the discs. You could produce a non-AACS compliant HD-DVD player. But it wouldn't play commercial movies.

The purpose is for Sony or Toshiba/NEC to control who can MAKE their standard's players, recorders, and authoring hardware. It's use as a copy-protection scheme is secondary.

Re:One word.

You mispelled "Pwned".

Re:One word.

"You mispelled 'Pwned'."

...and you misspelled "misspelled." :)

/English geek

That does it!

No more movies! Ever! We quit!

The movie industry.

Re:That does it!

Anyone else find it funny that this came out just as they were putting people together to push out the new updates?

I have this mental image of a guy in overalls hauling boxes and boxes of patched DVDs out to the truck, looking up at the news-monitor in the shipping yard, and just a single tear falling.

Re:That does it!

I have this mental image of a guy in overalls hauling boxes and boxes of patched DVDs out to the truck, looking up at the news-monitor in the shipping yard, and just a single tear falling.

Hmm.. I'd think he'd smile tho. nice job security for a while.

Re:That does it!

I see a little thought balloon appearing above his head, with the word Overtime!, then a tiny image of him going Scrooge McDucking style in a huge pile of money.

Meanwhile, the fat cat manger receives the report on how much it cost, a single tear is about to fall, as he thinks he can only buy 3 new yachts this year instead of 5, but then he remembers that actually, he can just shift the blame onto someone else and so still get his $20 million bonus, then he remembers how he would get it anyway even if he didn't fuck up. Then he cuts all all the cleaning staff's pay to make up part of the loss and he gets an even bigger bonus and can buy 7 yachts.

Then all the shareholders get their dividend report, all start crying uncontrollably as they realise their investment is paying out worse than a Scotsman on comic relief night. However instead of doing something like kicking out the board, they bleat along to the tune, The Haaaaaackers did it, BAAAAAAAAAAD hackers. Cut to fat cat manager, takes a break from Scrooge McDucking it in his pool of money and he cuts pensions and healthcare for all shipping and logistics staff. Cut back to original guy, who has to spend all his overtime money on buying his kid new braces, .

Meanwhile, the government outlaws, fair use, free speech, free thought, freedom, etc.

Capitalism at it's finest.

Fine by me.

No more movies! Ever! We quit!

The movie industry.

That really wouldn't be the worst thing in the world. There's a huge demand for movies, but they're expensive to make and the current movie industry sucks up most of the available investment dollars. There's no "secret sauce" involved in making a movie; it's just very, very expensive, and the people with enough cash to bankroll a film would rather go with an established, sure bet, rather than taking a chance on someone or something new.

If the current players just decided to pack up and go home, the new industry that would rise up in its place would doubtless be a lot more creative -- at least in the short term -- and we'd probably see a lot of new material out of it. In time, it would probably stagnate, too, because that's the way of things.

The main problem with the current situation is that the dinosaur companies have bought protection for their business models from the government, and essentially have propped themselves up. There's nothing bad with companies getting big, but there's also nothing that says they have a "right" to stay in business, either. Failing business models deserve to die, and the companies that rely on them deserve to die, too; when they don't, you're stopping what ought to be a natural economic progression.

Re:Fine by me.

After reading the first sentence I thought someone was making a good point, but the signature line negates it.

Keep cracking DRM schemes and all you'll get are more laws aimed at stopping you, more vigorous enforcement, and more DRM integrated into your hardware.

Stop buying DRM'd content in the first place and maybe you'll get somewhere.

Re:Fine by me.

After reading the first sentence I thought someone was making a good point, but the signature line negates it.

My signature or the GP's?

Anyway, I think it's important to work on both fronts. First, I agree that the best bet is just to not purchase anything that's DRMed at all. But since that means basically bowing out of a large portion of our culture -- I mean, no late-model VCRs (macrovision) or tapes, no DVD players or discs, no TiVO -- I think you're going to have trouble getting enough people to follow you to make it significant. There's no point in throwing yourself in front of a tank if they're just going to run over you and nobody else is going to notice or care.

Continually breaking the DRM schemes costs the studios a lot of money. It ensures that DRM is never "fire and forget;" and it turns DRM from being a one-time cost into a continual cost center, a black hole that they need to keep pouring money into. If you can make the cost of maintaining an effective DRM system higher than the cost of the piracy that it allegedly prevents, then it will eventually go away -- either the companies will see the light, or they'll be run out of business by other companies who do, and who are more profitable as a result.

The major remaining problem is that the entertainment industry in particular has so much political influence that it's going to require a lot of vigilance and advocacy to keep them from trying to use the law to buoy themselves as they start to sink -- or barring that, pull everyone else down with them. We haven't had much luck in this in the past, hence we've seen the AHRA, the DMCA, and lately the Mickey Mouse Protection Act go through. But if we can keep the visibility of their actions high -- which is aided by putting pressure on them and forcing them to be more and more outlandish and openly anti-consumer -- while at the same time denying them revenue by boycotting DRMed products and sucking their revenue through a guerrilla campaign against the DRM systems themselves, they'll eventually be forced to quit.

Re:Fine by me.

There's no "secret sauce" involved in making a movie; it's just very, very expensive,

no it's not. having overpaid prima donna union actors, union workers and extravagent locations, props and lunches IS expensive. making a killer good movie IS NOT expensive.

go watch El Marachi. It's better than most everything made at Hollywierd and was less than the cost of a cheap car.

a crapload of great movies are made for dirt.

Re:Fine by me.

Dear Indie Movie Lover,

Explosions are expensive.

Sincerely,
Most people

Re:Fine by me.

Dear Most People,

Controlled explosions are expensive.

Sincerely,
Someone who played with fireworks as a kid

Re:Fine by me.

Dear Most People,

Most common items don't explode. They spark, they pop, they burn, they shatter; but big booms with infernos and visible concussion waves are few and far between.

Sincerely,
Reality

Re:Fine by me.

Dear Mr HaveNoTaste,

There's many great movies without explosions. In fact most of the action packed movies with no dialogue except one line meat heads, sci-fi that's nothing but action with lasers, romance that's nothing more than repetition of Wedding Crasher, Meet the Fockers, and some crap with J Lo in it over and over again, all the CGI laden movies, with huge acting names in them.. tend to be really flat movies. They have no feeling, no passion, crap stories, crap dialogoue.

But ooh ooh.. look! Explosions! zomg. that's so cool.

Amazing movies were made on shoestring budgets. And not just cult classics. 12 Angry Men anyone? To Kill a Mocking Bird? These didn't exactly cost a fortune.Actors are overpaid, and Hollywood is too scared to try ideas that aren't sure things.

Sure we could have another 20 movies with Will Farrell or Ben Stiller in them, but I could really give a crap. Rodriguez and Tarintino could've made Grindhouse out of their pockets, and look how many actors and producers chipped in because they wanted to do something fun.

Movies need to get back to people who love to make them rather than these scientologiest nutbags who marry women doped up on too many prescribed pills while pregnant and not knowing who the daddy is.

Re:Fine by me.

Good post.

This assertion:

There's no "secret sauce" involved in making a movie; it's just very, very expensive.

caught my eye. Actually I would say it's an untested hypothesis that movies are expensive. Currently movie production is basically a monopoly (actually a cartel). By definition monopolies have no competition, hence there is no incentive to try and make things cheaper. This gives rise to the massive salaries and creative accounting that Hollywood engages in. (Somehow, on paper, they actually have razor-thin profits even when the movie made 10-times as much money as the supposed budget.)

If Hollywood were replaced with something new, that was actually a competitive marketplace to make decent movies at the lowest price, I bet they would cost only a fraction of what they cost now. I imagine a movie that nowadays costs $30 million could actually be made for $600,000 once salaries became more reasonable, advertising were less extensive, and studios were forced to optimize their workflow to keep the budget down. The quality/budget ratio of independent films lends credence to this theory.

Current movie prices are massively inflated because they are a monopoly. If that monopoly were removed, I bet the new price of movies would be low enough that people wouldn't bother with unauthorized duplication... because the genuine article would be cheap enough already.

Re:Fine by me.

>The quality/budget ratio of independent films lends credence to this theory.

I'm not trying to be snide here, but I suspect you haven't seen very many independent films. Most of them *suck* *incredibly*, but the very best 0.1% are quite good indeed, competitive with the best stuff coming out of Hollywood. I think it's something like a Boltzmann distribution [wikipedia.org] -- Hollywood has a very steep curve, so there's not a lot of difference between their very best movies and their worst. Bollywood's best are about as good, but their worst are much worse. Chinese films, at their best, are superb, but the worst ones I've seen have been nearly unwatcheable. Then you go to an independent film competition -- I'm not talking Sundance, I'm talking some local art scene competition -- and you begin thinking to yourself "I'd pay $30 to not have to watch the rest of this."

Money doesn't guarantee a movie will be good, but it does heavily indicate the movie won't be appallingly bad.

Re:Fine by me.

I think TV killed the movie industry. A traditional movie is a dinosaur compared to TV. The level of character and plot development in a single season of a one hour drama is so much greater than a single two hour movie can provide. If the Sopranos were a movie franchise, we'd be on maybe the third or fourth movie - roughly equivalent to 6 or 8 TV episodes. It seems like movies compensate for the lack of character and plot development by using gimmicks or bigger explosions.

Re:That does it! I've seen THAT movie before...

That is the second or third remake of "We quit!", and they're not getting any better.

<insert usual rant about inbred entertainment industry management noodlebrains>

Nothing is Foolproof

God just needs to invent a better fool. Or in this case, someone who cares about being able to watch stuff they buy, on other stuff they buy. No questions asked and no crud breaking because it thinks it's "illegal" due to some dust or something.

When will they learn? I'm remembering a phrase about old dogs and new tricks. The **AAs are very old dogs.

I LOVE this!

It seems that the /. crowd, and the tech industry in general, knew well before AACS was ever released that it would be a flop. We knew it would do nothing to prevent disks from being copied, we knew it would do nothing but hurt the consumer, and we knew it was an utter waste of money.

Yet the movie industry pushed forward, and look where it got them... exactly where we said it would, nowhere.

I can't wait until they realize that it's not worth it, and just stop concerning themselves with copy-protecting their media and instead focus on creating good movies.

Freudian Slip

I was reading parent post and did a double-take, as what I got of it was:

"I can't wait until they realize that it's not worth it, and just stop concerning themselves with creating good movies, and instead focus full-time on copy-protecting their media."
...which in a way seemed to make total sense, there is a perverse part of myself that thinks that this is almost where we are headed.

Z.

Re:I LOVE this!

I can't wait until they realize that it's not worth it, and just stop concerning themselves with copy-protecting their media and instead focus on creating good movies.

Let's keep things straight:

writers/directors/actors focus on creating good movies;
movie distribution/marketing companies focus on wasting money on copy protecting their media.
hackers concentrate ruining the cop protection efforts;
the general consumer looks at the easier way to get their movie, be it rental/torrent/buy DVD/p2p: whatever seems better value.

Re:I LOVE this!

Yes, but if you took the resources wasted by the distribution/marketing companies to DRM their content, the writers/directors/actors would have more resources to create better (arguably) movies.

It's more like, if hacks like Joel Schumacher stop getting $200 million budgets to make the next crap Hollywood "blockbuster" that ends up bombing at the box office anyway, then other directors will have more resources to create better movies, or at least more of them.

The bottom line is expensive special effects don't make good movies. Never have. Ever heard of Citizen Kane? Casablanca? The Graduate? On the Waterfront? One Flew Over the Cuckoo's Nest? Not a single explosion in any of those movies.

Movie budgets have basically no correlation to movie quality. It takes approximately zero dollars to write a good script. Maybe a couple bucks for some paper and a pen. Not even a computer's necessary - most of the best scripts ever produced were written in the days of the typewriter. It is true that there's a base budget that's necessary to actually produce an existing script - film/tape stock, equipment rentals, talent payroll, catering, etc. - but that is so far below what the average budget is these days that it's completely ridiculous.

In other words, the money spent on DRM has absolutely nothing to do with the quality of our movies. Writers, directors and producers have no constraints whatsoever put on them by DRM on the home video side. And if you want to complain about bad movies, it's probably because there's too much money flying around rather than not enough.

(That said, there are plenty of great movies being made today, including in Hollywood but also outside of it. If you're not finding them, then that's mostly a personal problem.)

Re:I LOVE this!

Looks like as with all media post-internet, the solution is to cut out the middle man:

1) writers/directors/actors focus on creating good movies;
-->2) movie distribution/marketing companies focus on wasting money on copy protecting their media.<--
(hackers concentrate ruining the cop protection efforts;)
3) the general consumer looks at the easier way to get their movie, be it rental/torrent/buy DVD/p2p: whatever seems better value.

Re:I LOVE this!

the general consumer looks at the easier way to get their movie, be it rental/torrent/buy DVD/p2p: whatever seems better value.

Ah, but the thing is that the DRM _reduces_ the value of the legitimate product.

• If I buy a DVD and put it in a legitimate player I get to sit through long unskippable videos telling me that copying is bad. If I download a copy of the movie I can just sit down and watch it.
• If I buy an HD DVD I can't play it on my computer because I use Free software (DRM is fundamentally incompatable with Free software). If I download a copy of the movie then it works just fine.
• If I buy some music on a corrupt optical disc (which seem to be still sold as "CDs"), I can't play it on my computer, can't rip it to Vorbis files to play on my in-car Vorbis player and it may not even work on some legitimate CD players. If I download a copy of the music then it works just fine.
• If I buy "protected" content then I can't back it up, meaning I have to carry the original discs with me which could be lost or damaged. If I download it then I can back it up just fine.

In all of the above cases, the content producers are actually pushing me _away_ from the legitimate product because the illegal version is much, much better.

The only way you can get away with screwing your customers like that is if there is no way for *anyone* to copy the product. As soon as one person has copied it, anyone else can download the copy.

Most people _want_ to buy content legitimately, but DRM or extortionate prices prevent them from doing so.

Re:I LOVE this!

DRM or not, the current 1 freaking minute booting time for HD DVD players (dunno about BluRay) is enough to put me off the damn things.

Ouch

Someone really needs to fire whomever the MPAA uses for deciding on security for these things. Haven't they heard the golden rule of computer security? "Security by obscurity is no security" and that's all they are doing is trying to hide a key. Find the key... no security. Sheesh....

Re:Ouch

It's not the fault of the MPAA directly. It's the fundamental flaw of DRM.

Encryption works because parties A and B exchange data that is encrypted with a key that party C does not have. In the case of DRM, you have the encrypted data and you have the keys that you need to decrypt and view the data. You are in essence parties B and C. They hide the key from you in the players and software, but it's there if you know how to find it. That's why DRM can and will never work. It's security through obscurity.

I were one of the cracking groups...

I'd try to crack the stuff from a number of different fronts, but keep quiet until I've cracked a few. With several cracks and exploits found, I'd be able to start working on higher level cracks, due to understanding the system.

Then I'd start releasing the cracks, starting with some of the simpler ones, only releasing another when they patch the exploit I released, resulting in an ongoing sense of futility as every time they fix the holes, I point out another.

Best exploit I think? Stealing or cracking the key to every code created for the discs. That way they'd have to throw the whole system out in order to achieve 'security' again. No current players would work. While a massive beowolf cluster cracking the whole thing would be neat and worthy of the NSA, I think that's unlikely. More possible but still pretty much 'mission impossible' would be a physical theft. If only the DVD Security Group protected those keys like government officials protect our information*...

hm...

*Yes, I'm still a bit irked about having my info stolen at least three times

Re:I were one of the cracking groups...

It's not a matter of one cracked key being easy, and another being hard. The fact of the matter is that once you crack a device, it's wide open, there is no more cracking left to be done on that device. It also means that once you crack one device, you have access to all the movies published to date, so cracking another device doesn't gain you anything.

From my understanding, the AACS system is already a very well understood system. It is actually documented and available for public viewing. The way these people are obtaining keys is by finding design flaws in the way different devices implement the system. For WinDVD, it was found that one of the keys is available in system memory at a given point while loading the disc content, and could be captured by reading the right memory address. I'm sure something similar is happening with the XBox360 keys.

The WinDVD key was revoked by AACS, and future movies will not be playable on the cracked version of WinDVD, but a free upgrade to WinDVD will use a new key that cannot be obtained the same way. Revoking the XBox key for future movies will be more problematic, since it would presumably require a firmware upgrade, and making the HD-DVD's most popular playback device unable to play the newest blockbuster movie won't be good for HD-DVD sales.

Brute-force cracking all, or even a small number, of the AACS device keys would take years, probably tens or hundreds of years (I'm not sure exactly what the device key length is). Finding ways to make a playback device give up that information is much faster and easier. Further more, once you crack a single device key, you can get the encryption key for the content of any movie, then anybody can decrypt that movie based on that key, without need of the device or device key. Going back to the WinDVD keys, any movie encrypted with the old WinDVD key can now be decrypted, making a whole generation of HD movies available DRM-free.

Revocation?

So, how long until my XBOX 360 HD-DVD drive, which I've yet to use even once (waiting for support in Leopard), officially becomes a doorstop, boatanchor, call-it-what-you-will?

"I could have you[r HD-DVD drive] revoked."
"Revoked?"
"Yeah, K-I-L-L-E-D, revoked."

Looks like

The race is on, let me tell you from the perspective of online gaming and the cheat vs cheat detection wars:

The hackers have the edge.

But if you develop the AACS standard at least you have job security ;)

Anyone else notice...

...this is just barely 24 hours after they announced it was fixed? Great work to those involved. Hell I can't get a change approved in 24 hours!

Actually a success

While I think everybody has been making good points so far, you have to remember that in the long term copy protection is actually winning. While these measures might be meant in name to stop piracy, their true value is in taking out fair use as collateral damage. The goal of DRM is not to stop piracy, but to make it difficult enough that Joe User will not be able to convert or make backups through a point and click interface. If this copy protection has done that, then it is making them money.... shame all it does is hurt the people who legitimately buy their products.

Re:Actually a success

Do you really think that there's this enormous market of people buying replacements of DVDs that they've already bought but lost or broke?

Or buying a second copy on iTunes because they can't play the DVD on their iPod?

I mean, I'm sure these things happen, but I can't imagine that it's a significant percentage of the market. It seems to me that if they removed the DRM entirely and stopped trying to shut down P2P sharing software, so that you'd have no difficulty downloading anything you wanted, they'd lose far, far more potential sales to people downloading rather than buying.