HDCP Encryption Cracked, Details Unreleased Due To DMCA

Lord_Pall writes: "There's a very good article on SecurityFocus about a Dutch cryptographer. He apparently has cracked the HDCP video encryption standard, but won't release the research for fear of reprisals under the DMCA." Update: 08/15 06:10 PM by J : Meanwhile, see Keith Irwin's paper which has been released despite the DMCA. Update: 08/15 07:00 PM by J : And someone else points out this old thing. Everyone who hasn't written a paper on cracking HDCP raise your hand.

Re:They are so stupid

[kcbrown]

...and yet all of these companies still think that the DMCA is good for them.

It is good for them.

Look, these guys aren't after The Ultimate Unbreakable Encryption Mechanism. They're after something that will prevent the average person from gaining "unauthorized access" to their content. And as you note yourself, they aren't after the guys generating bootleg copies. They want to prevent the average person from being able to make useful copies of their content.

Why?

Simple: their goal is pay-per-view/use. They want to be able to rent their content out to people, and prevent said people from ever having a permanent copy. Because a permanent copy obviously defeats their ability to rent that same content to whoever has that permanent copy.

The reason this will work is that most people (obviously) aren't technically inclined and aren't capable or even interested in cracking copy protection schemes, nor are they interested in going through the trouble of "going around" the problem (e.g., by recording to analog media). They just want to view the content.

The Big Corporations know this. They're counting on it. But they need something like the DMCA to pull it off. Why?

Because they know that it's fundamentally impossible to create a crackproof system. So instead of directing their energies towards that goal, they directed it towards creating the DMCA. If people are prevented by law from creating or distributing the means to crack content control systems, then companies can successfully force pay-per-view content down the throats of the people.

The corporations also know that eventually a content control cracking mechanism will become available to the general public anyway. So when it does, they know that it can't do anybody any good if the general public can't easily get its hands on it. Why do you think they're working so hard to shut down P2P distribution mechanisms? By doing so, they successfully remove the means for the average person to get their hands on content-control cracking mechanisms and the content that would result from the use of said mechanisms.

The corporations don't care about the rights of the people. They only care about their money. They will do everything in their power to get it. The only difference I see between them and the mafia is that the corporations use law enforcement itself as their strong arm.

A good hint? DeCSS redux

[jabber01]

Ok, so here's what I'm thinking...
Under the DMCA, it is against the law to circumvent content protection schemes? Or is it against the law to disseminate such information?

In either case, the HDCP crack isn't being released, but 'a pretty good hint' has been given. Now, how 'good' must a 'hint' be before it violates the DMCA?

Say the 64 bit backdoor key to some encryption scheme is found to be 83A2FA8F.. Is it a 'good hint' to tell the word that the key is probably somewhere between 83A2FA80 and 83A2FA90? How about 83A20000 and 83A2FFFF?

We've seen DeCSS implemented in so many ways, not only machine executable but transcribable, artistic, and as a frigging Haiku even...

What makes the publication of a crack into a 'hint'? Could I just rattle off the source code, prefixed with a 'something like' and followed by a 'maybe', and be safe from persecution? Could I draw a few easily understood diagrams? Invent my own words for 'array', 'pointer', etc..

What if, as a 'hint', I tell only part of the implementation to one person, and part to another, and part to another?

Remember high-school? Did your teachers ever give 'hints'? Isn't that cheating? What if an employee of a company issued and unofficial 'hint', when they depart the payroll?

Keep it under wraps, for god's sake...

[Overzeetop]

If only HDCP would be allowed to run its course and find its way into the system in hardcode. CSS in DVD players was perfect - let it become commonplace, THEN crack it and distribute the solution. You can't change the encryption without obsoleting the huge installed base of players.

Then they'll be stuck with a cracked encryption until the next generation format comes out. Of course they'll have to make that generation much better (DVD vs VHS, for example or CD vs cassette, or HD-DVD vs DVD) or nobody will convert. It's ten-plus more years of freedom, IMHO.

Long live the cycle!

Re:They are so stupid

[Anonymous Coward]

>companies can successfully force pay-per-view >content down the throats of the people. I'm not making this leap with you. Americans never seem to appreciate just how easy it is to do without mainstream media, pay-per-view movies or otherwise. What's this "force?" It's very easy, and a rather inexpensive option, not to even have a televison, not to subscribe to cable, not to order pay-per-view movies, not to listen to music with a label, not to buy dvd's. This whole "media companies forcing their content down our throat" argument makes no sense to me, as long as it's optional to buy entertainment, optional to buy cd's, players, tv's, and pretty much anything else. As far as I know it's never been compulsory to watch pay-per-view tv or listen to any particular music format. So this whole question of "force" is really without basis or merit. I'm no DMCA fan, and I curse Sony for SCMS (literally stopping me from copying music I write and record). Still I acknowledge that Sony didn't force me to buy DAT's, and that I opted not to spend the bucks on pro DAT. Americans bring it on themselves, by insisting that they be provided with mundane, standard content. We consume it with passion.

Re:Will the DMCA hurt encryption badly?

[Raleel]

I think a fairly straight forward explanation such as "Would you want to drive a car that hadn't been independently crash tested?" or something. The ability to test encryption schemes would be easier for the lay person to understand.

Short story

[Sangui5]

I don't know about that particular story, but a good one along the same lines was written by Robert Heinlein: "Let There Be Light", published along with others in "The Man Who Sold the Moon".

In "Let There Be Light", a scientist discovers a method for building nearly 100% efficient solar panels. At first keeps it secret, and manufactures them himself. However, the oil companies file frivolous lawsuits against him, hire thugs to burn down his factory, torch his demonstration solar car, and threaten violence against his person. So finally he patents it, goes to the big papers, and gives them a big juicy story, on the condition that they also publish all of the technical details. Oh, and openly licenses it for pennies a square yard.

It is a shame that we may have to take the same route, but getting technical details published in a big publication like the New York Times, the Washingon Post, or the Chicago Tribune would be a good way to go. Especially the New York Times. What judge would censor the "Grey Lady"? She's nearly as sacrosant as the Statue of Liberty. Joe Sixpack might not care if some IEEE or ACM publication is censored, but the New York Times is one of the most respected papers in the nation, if not worldwide.

There's no need to hide your publication, but just make it painfully obvious that censoring the publication of these ideas is a direct affront to First Amendment rights.

Long arm of the law

[camusflage]

Charming. Now foreign nationals who visit the US are afraid to release details of weaknesses.

Good, I say. Serves 'em right. Once something people want to steal is released with the format, then the details will come out, and people will steal it. By not quashing discussion, they might have been able to fix it while still in R&D, but by taking the I'm-putting-my-head-in-the-sand approach, they're shooting themselves in the foot.

Re:He is Dutch, DMCA doesn't apply

[Tim C]

Tell that to Sklyarov.

However, even by claiming to have broken the encryption, he's placing himself at risk of being investigated, and possibly detained and questioned should he ever visit the US. (If I were to publicly announce that I had commited a crime, I would expect the authorities to take interest in me.)

Cheers,

Tim

They are so stupid

[rknop]

Intel spokesperson Daven Oswalt says the company has received several reports from people claiming that they have broken HDCP. But he says none have held up, and the company remains confident in the strength of the system.

...and yet all of these companies still think that the DMCA is good for them.

It's amazing how on how many levels the DMCA is a bad idea. It's squelching freedom of speech, and it's preventing the companies from producing technical systems that can effectively produce total control over their customers. Of course, the free-speech-squelching part is serving the total control purpose, and since it's the executive and legal divisions of the companies that decide what the companies "want," they probably are happier that way. And that is the real tragedy-- that and the fact that they can US legislation.

(To be fair, given the description of the attack, Intel is probably right that it still does prevent "casual copying." On the other hand, it angers me that they're trying to prevent casual (including fair use) copying, but don't mind that somebody willing to invest some money in hardware and a couple of weeks can start producing bootleg devices. Who's their real enemy here? Customers trying to exert fair use rights (and, yeah, maybe occasionally illegally copying content)? Or overseas customers producing and selling wholesale bootleg copies?)

-Rob

Anonymous is good

[chill]

One more reason the right to post anonymously [slashdot.org] is a good thing.

Will the DMCA hurt encryption badly?

[baptiste]

I just can't help but think that as more and more people discover flaws in encryption standards that we the users lose in the end. If crackers won't release details of how they cracked an encryption standard, where's the motivation for that standard to be improved? You can say the bad press is enough, but heck - if nobody releases details, how are we to believe its true?

There was a time when encryption was done to ensure it couldn't be broken. Now it seems like organziations are using the DMCA as a way to prop up bogus standrads that are dangerous due to their flaws (*cough*ebook*cough*)

Its hard enough trying to explain why Dimitry should be freed. But how can you convince a legislator or govt official that the DMCA is bad for encryption without risking prosecution? Its a scary catch 22.

Even though the Dimitry case is getting some press (Time Mag had a 2 page article - well written), I still only see proposals to slightly change the law. Not enough to allow full reverse engineering for research and the ability to expose flaws in products. Seriously - an encryption standard used to say encrypt some copyrighted work gets hacked, the victims sue showing why its such a bad encryption std and the lawyers for teh company using the bad encryption get it disqualified because its illegal to bypass encryption or copyright schemes.

Far fetched, maybe, but I really fear we will continue to see substandard encryption schemes passed off as workable because folks are less likely to publicize flaws in them if they are tied to teh DMCA.

Sure this may help open encryption standards, but we all know where the commerical money goes, so goes the world. Bad encryption standards used for IP materials and protected by the DMCA would soon be sold to businesses for privacy and such - exposing those businesses to serious exposure since the encryption std is probably less secure due to less folks trying to find flaws for fear of prosecution.

Maybe we need a contest - free tshirt to the person who manages to come up with the Chicken Little 'the sky is falling' explanation for why the DMCA is bad that'll get Joe six-pack up in arms :)

The point is the Felten case

[TrollingKarmaWhore]

I think you guys are all missing the main plot. The EFF just filed their brief in the Felten case in which they claim that the DMCA is chilling speech. The point of the press release is almost certainly to support the freedom of speech case by showing yet another example of DMCA censorship.

If Ferguson says that he has broken a protocol you can be sure he has done so. The expected outcome of the DMCA case is for the censorship provisions of the act to be struck down. So Ferguson has to expect to be able to publish soon.

The DMCA does have some interesting side effects however. Nobody can ever be sure the DRM technology they buy works, the lack of peer review and discussion means that there is a level playing field between the many peddlers of snake oil and the legit players.

Another effect is that anybody can mount a reputation attack against any scheme.

Next DMCA test - prosecution for doing research

[hillct]

It will be interesting to see if once it does get out, if companies will seek to hold him responsible, even if e doesn't release it himself. I winder if the DMCA covers the eventuality of having done research which facilitates bypassing encryption. It really isn't that far to go from doing research (and finding the solution) to writing the software that actually performs the operation. Will it become a crime to do research?

--CTH

Poetic justice.

[Black Parrot]

Lots of us said that for the SDMI contest we should say "yeah, I can crack that" but not release any details (even if we really could crack it). Let them sweat it out.

Now the industry is starting to get this treatment because of its own heavy-handedness. If some FUDster claims he can crack $ANTIPIRACYTECHNOLOGY but won't prove it, no one will will be able to call his bluff effectively.

Meanwhile, full-quality bootlegs continue to pour out of Taiwan. Society has nothing but reduced rights and privileges to show for all this.

Re:Will the DMCA hurt encryption badly?

[Erasmus Darwin]

"I just can't help but think that as more and more people discover flaws in encryption standards that we the users lose in the end. If crackers won't release details of how they cracked an encryption standard, where's the motivation for that standard to be improved?"

I don't know about you, but I'm hardly losing sleep knowing that anyone who breaks into my house at night can subvert the encryption on my DVDs and watch "Ferris Bueller's Day Off" even if they aren't in region 1.

This whole DMCA nonesense affects copyright protection schemes, not all encryption. The people who lose are the content producers, not the everyday users. These same content producers are the ones who (arguably) benefit from the encryption cracks from being widespread -- remember that these encryption systems are all about trying to maximize profitability, rather than trying to maintain 100% protection at all costs.

US expects compliance... unless foreign law on us.

[Anonymous Coward]

Porn is illegal in Saudia Arabia and most other Islamic nations. Yet we continue to be a "porn haven" and not blocking web traffic from these IPs.

The propagation of Nazi philosophy and artifacts is illegal in France, Austria, Germany, Italy, etc. Yet the US continues to make such materials available to these nations.

If the USA doesn't give a shit about other nations laws, why should they be expected to comply with ours?

Ferguson's Mistake

[rknop]

"You can be sure that somehow, somewhere, someone will duplicate my results especially because I am telling them that I have results," says Ferguson. "Someone who is braver, who has less money, and who doesn't travel to the U.S."

This, right here, is his mistake. If, in the near future, those master keys are published, I bet a nickel that Ferguson gets hauled up for a lawsuit (or perhaps even criminal prosecution), for exactly the reasons that he states here himself. It's extremely stupid, but on the other hand, I can easiliy see an overpaid bunch of useless humanity (i.e. corporate lawyers) effectively convincing judges and law enforcement officials that Ferguson should be liable. They would be right that he probably helped along other efforts to crack the encryption doing nothing more letting people know that it was possible. Ferguson's mistake is in thinking that the dunderheads who thought that arresting Sklyarov was a good idea will let him slide after he's said this.

The world is a cold, demon-haunted place nowadays. It sickens me to be a citizen of this country that so hypocritically prides itself on being free.

-Rob

Duplication

[Apotsy]

Sound like it will be easy for others to duplicate his efforts:

"An experienced IT person could recover the master key in two weeks given four standard PCs and fifty HDCP displays," said Ferguson. "The master key allows you to recover every other key in the system and lets you decrypt [HDCP video content], impersonate a device, or create new displays and start selling HDCP compatible devices."

[snip] ... he says it is a textbook example of a cryptographic attack.

Even if he never releases it himself, it'll be all over the place before too long, now that it's known to be possible. He gives a pretty good hint about how to duplicate his results.

DMCA makes encryption a dubious concept

[dcavanaugh]

Thanks to DMCA and rabid lawyers, we're creating an "underground internet" that generally ignores the law. In a scenario like this, how will anyone know which encryption standards are working and which have been compromised? We can't assume that anyone who cracks and encryption scheme is going to publish the results, but what if no one publishes anything? What happens then?

Imagine the people who design & use encryption standards as the occupants of a castle, and the hackers are trying to use a battering ram to enter the facility. Thanks to DMCA, the walls are padded, so the people inside don't hear the pounding of a battering ram on their door. The king overruled the castle engineers who wanted a thicker door. "No need for that", says the king. "My DMCA padded walls will take care of the noise, therefore I proclaim that the hacker problem is solved!" Of course, when the door gives way, it will be quite a suprise to the occupants!

Re:Next DMCA test - prosecution for doing research

[Anonymous Coward]

It's not the size of the lock, it's the fact that it's locked.

The courts, especially the criminal courts, understand that no matter HOW well something is locked up, it's still breaking and entering. Never in the history of US law has their been a case where the judge ruled for the defendant because the lock was too weak. Would you people *PLEASE!* stop making that argument!!! It's utterly useless.

This argument is not utterly useless. These schemes are presented to keep people from copying whatever and the schemes are extremely weak. What if Masterlock were selling a "paper" padlock and it was illegal (read DMCA) to prove the lock is not secure?

I understand the idea of locking material from copying is unpopular but this is the mean reason for these encryption schemes. If they don't work then the owners of the copyrights need to know.