Interview with Developer of BackupHDDVD

An anonymous reader writes "HD DVD and Blu-Ray were supposedly protected by an impenetrable fortress. However a programmer named "muslix64" discovered that this was not the case, and released BackupHDDVD. Now, Slyck.com has an interview with the individual responsible, who provides some interesting insight to his success."
  • by toonerh ( 518351 ) * on Wednesday January 24, 2007 @05:49PM (#17743876)
    Unlike old DVD-Video, HD DVD and BluRay have a bit -- so far not set -- that degrades all output unless it is via an HDCP connection. This means my older Sharp 720p projector will be degraded along with all early adopters' HD gear.

    This creates a powerful incentive to not just "backup" your HiDef DVD, rather to remove an onerous limitation -- it may violate the DMCA in the USA, but it is morally and legally sound to most of the world.
  • I'm glad he's not (Score:5, Interesting)

    by Weaselmancer ( 533834 ) on Wednesday January 24, 2007 @05:51PM (#17743920)

    If he was a native English speaker, he'd probably be in a country that has some sort of DMCA-type law. And he'd probably be in custody by now.

  • by purpledinoz ( 573045 ) on Wednesday January 24, 2007 @06:10PM (#17744138)
    Hollywood shouldn't be worried about this hack. They really should be worried about people actually buying these discs. What are the early adopter customers with the "non-secure" HDTVs supposed to do? Throw out their HDTV, and buy a new one so they can watch HD content? It's a real slap in the face of the customers... I hope both formats fail, and a new, non-restrictive format appears.
  • by Sycraft-fu ( 314770 ) on Wednesday January 24, 2007 @06:12PM (#17744152)
    Ya, perhaps sidestep is a better term than crack. In all likelihood the cryptosystem itself can't be broken, it's AES. While we can never say for certain there's not an unknown weakness in a system, AES is one of the most studied ones out there and thus far it remains secure enough to use for classified data.

    So, like the author said, you don't attack it, you go around it. Obviously if the movie is being played back at some point things are being decrypted and you can get your hands on that key. That's precisely what he does. The player uses its key to decrypt the key that the volume is encrypted with. He then nabs that key and uses it to decrypt the volume.
  • Russian dolls. (Score:5, Interesting)

    by DrYak ( 748999 ) on Wednesday January 24, 2007 @06:53PM (#17744774) Homepage
    running non-"Trusted" programs in a sandbox that prevents them from accessing the hardware directly, specifically to prevent this kind of attack.


    Yes, and how will Windows itself know that it isn't running inside a "simulated" trusted computer (the TC chip is virtual and part of the emulator) running inside an actual regular computer (with no chip to prevent you from running whatever you want)? ...or running with a rootkit hiding itself inside, like Sony's one? Treacherous Computing may work on paper, but Microsoft isn't exactly known for perfect implementation of security tools. Rootkits WILL be available.

    For this to work you actually need TC-enabled computers. There aren't currently enough of them.
    So either Microsoft pisses off its customers with something like "HD DVD & BD can only be played on Windows Vista running on special motherboards. The remaining 80% of you just can't play them at all" (and currently customers are already pissed enough because they can't always play in full HD when they don't have display systems that *are* getting popular these days). Or Microsoft accepts letting some players run outside its protected model and you don't even need a virtual machine or rootkit to extract the needed data from memory.

    As said by another /.er: stopping providing the decryption key is the only way to avoid circumventing protection... but won't be implemented for very obvious reasons.
  • by diegocgteleline.es ( 653730 ) on Wednesday January 24, 2007 @06:58PM (#17744852)
    And the best part: In order to decrypt the movie and play it, every player *HAS* to have the volume key in memory or SIMD register for a short period of time.

    Which is why Windows Vista adds a special type of process: "protected processes": You can't look at the memory of those processes, you can't debug them, you can't do *anything* to them. Not even the antivirus software can look into them. And because the kernel can't load unsigned drivers, you can't do kernel tricks to jump the protections. Microsoft will use it to "protect" the processes that handle the DRM data or the final video. Not even the administrators can start them, your binary must be "Microsoft certified" in order to get that special "protected process" flag.

    (And yes: if hackers manage to run protected processes without getting a certificate from microsoft, the windows platform will get some funny viruses that can't be deleted by AV software)
  • by Bralkein ( 685733 ) on Wednesday January 24, 2007 @07:03PM (#17744948)
    Since the DRM on these new formats is so insulting, I'll always be happy to see it suffering setbacks like this. However, I'd be slightly less happy if the person who cracked it was just some guy who wanted to be able to get everything for free and impress his mates by giving them free movies. Assuming this muslix64 character is telling the truth, he seems like a decent sort. His story is just that he wanted to be able to use his own purchased movies in the way that he wants to, in his own home. So consider him thoroughly endorsed!

    On a different subject, this still leaves Linux (and BSD, ReactOS, Haiku etc., etc.) users in a spot of bother. I don't understand if having a movie key would allow you to watch something on the disc even without the right player software to access the HD-DVD/Blu-Ray drive, but even if you don't need special software it still looks like extraction of the movie keys can only be done with Windows software, and presumably OSX software in the future. I'd still really like to see a proper, Free Software, libdvdcss-style crack for these formats. I'd like to think it's only a matter of time...
  • by Pikoro ( 844299 ) <init&init,sh> on Wednesday January 24, 2007 @08:53PM (#17746232) Homepage Journal
    How about a player for linux?

    Since, based on the past, none of the studios will license a key for a linux player, I propose we create a player that, as part of playback, incorporates this "crack".

    To get around this, the player will prompt for the disc key before playback. Then, the disc is decrypted as playback is performed, thereby bypassing the "Player Key".

  • by try_anything ( 880404 ) on Wednesday January 24, 2007 @09:39PM (#17746606)
    I wonder how much money is being made off DRM by companies like Microsoft that know it will never work. When the guys with the money (the media companies in this case) want something impossible, and want it badly enough, smart tech vendors can make a lot of money by playing along.
  • by mrs clear plastic ( 229108 ) <allyn@clearplastic.com> on Wednesday January 24, 2007 @10:23PM (#17746928) Homepage
    Good.

    If the movie companies do an 'encrypt and throw away the key', that would be great.

    To be frank with you all, I am quite discouraged with the quality of the product that Hollywood is putting out now. No, not discouraged; appalled is more like it!

    To put it bluntly, this stuff is not even worth the raw material in the darn DVD itself.

    Let's take those permanently locked DVDs and burn them in a boiler to make steam to run a turbine to generate electricity for that community theater where some really decent stuff is performed!

    Luv

  • Re:I'll bet... (Score:2, Interesting)

    by Fulg ( 138866 ) on Wednesday January 24, 2007 @11:26PM (#17747356) Homepage
    It seems likely to me that MS has a trick to allow protected processes to be debugged. It's either a secret mode of Vista, or they have debug builds of Vista that allow this type of snooping to take place.
    Well, there's this:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    ...which already allows one to "hijack" any executable and replace it with another, on a retail system (it's still there in Vista). No idea how/if it will work on a protected executable, though. It would certainly be an interesting experiment, but I don't have such a system here.

    This trick is quite handy to stop services that you don't have rights to, by replacing them with dummy executables... *cough* corporate USB port disabling software *cough* :)
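A defensive check for the Image File Execution Options redirection mentioned in the comment above, as an added example that is not part of the original thread: it scans a text export of that key (the format written by `reg export`) for `Debugger` values, which are the values that redirect one executable to another. The sample export, the executable names in it and the `allowlist` parameter are constructed for illustration.

```python
import re

# Both registry views of the key named in the comment (64-bit and 32-bit).
IFEO_ROOTS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",
)

# Constructed sample in .reg text format (not real data). Real exports are
# UTF-16; decode them before passing the text in.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example_agent.exe]
"Debugger"="C:\\Users\\Public\\dummy.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\other_tool.exe]
"debugger"="D:\\stub.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Debugger"="ignored.exe"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def image_name(key_path):
    """Return the executable name if key_path is an IFEO subkey, else None."""
    for root in IFEO_ROOTS:
        prefix = root.lower() + "\\"
        if key_path.lower().startswith(prefix):
            return key_path[len(prefix):].split("\\")[0]
    return None

def find_ifeo_debuggers(export_text, allowlist=()):
    """List (image, debugger) pairs whose debugger is not on the allowlist."""
    allowed = {a.lower() for a in allowlist}
    findings, image = [], None
    for raw in export_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            image = image_name(key.group(1))
            continue
        value = VALUE_RE.match(line)
        if image and value and value.group(1).lower() == "debugger":
            target = re.sub(r"\\(.)", r"\1", value.group(2))  # undo .reg escaping
            if target.lower() not in allowed:
                findings.append((image, target))
    return findings
```
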
  • by SuperKendall ( 25149 ) on Thursday January 25, 2007 @03:22AM (#17748690)
    So basically... "We're going to hold this gun to your head, here, but don't worry -- we're not going to use it! It's just easier to put the gun there, now, than it would be to do it later...but we don't want to deal with the mess it would make if we used it, so just forget it's even there. Trust us!"

    We don't have to trust them. We have Blu-Ray/HD-DVD backup. I am just explaining what will happen, and why.

    No, thanks. I think that as the media companies become more and more desperate, as it becomes painfully obvious that DRM just doesn't work, they're going to pull out all the stops and go down fighting.

    Why would they? They will have seen the music industry cave to DRM free formats by that point and realize what large sums of money are to be gained by leaving things as they are.

    Don't ever question what a broke junkie will do for a fix, and don't ever question what an obsolete corporation will do to protect its business model.

    Don't ever think that a company will give up a large pile of money shoved in front of its face. That's the predictive model I use.
  • by truedfx ( 802492 ) on Thursday January 25, 2007 @04:31AM (#17748952)
    From what I can tell, there's three camps of consumers when it comes to DRM:
    1. The camp that can't stand it, won't buy it, and goes without the content.
    2. The camp that doesn't like it all that much, but buys it anyway.
    3. The camp that won't pay no matter what you do, and pirates the content instead.
    Your second camp can be divided into the group that doesn't like it all that much, but buys it if the DRM can be bypassed, and the group that doesn't like it all that much, but sucks it up and deals with it. I consider them very different groups.
  • by IamTheRealMike ( 537420 ) on Thursday January 25, 2007 @09:14AM (#17750362)
    There's no way to patch this.

    Oh pish. Of course in theory you can always extract the key from any player, in practice it's possible to make this so hard to do nobody can manage it. This is the approach satellite TV vendors have used - of course the keys are somewhere inside those smartcards or devices, but good luck to you if you try and extract them. The fact that most software players suck at protection is no news, for as long as there will be software HD-DVD/BluRay players, there will be leaked title keys. However, the point is that whilst it's easier to crack software players it's also easier to update/upgrade them, so the cost of a player revocation is much lower.

    So what do creators of players do? Well, there are a variety of techniques you can use to obfuscate the keys, make it harder to extract them, make it easier to update in the case of breaches, and so on. These techniques have been used successfully by Blizzard and Microsoft - Windows Media DRM is "self healing" and whilst tools to extract the keys do occasionally surface, they tend not to work for long. Blizzard's "Warden" anti-bot software is pretty good at both detecting software modifications and preventing them from working, again the trick is to make online updates very easy.

    Finally, there are hardware/software features being developed that can hide information inside the hardware so extracting the keys becomes a matter of hardware cracking rather than software cracking (look at LaGrande) which is a much harder problem fewer people are able to do.

    AACS itself is just a piece of mathematics that makes it plausible for every key in the world to have its own player key, and to revoke those keys with linear storage cost. AACS itself has not been broken. Badly written players have been, but that was always going to be a problem. This guy's issue is that if he distributes his crack, the chance of the studios figuring out which player he attacked increases, at which point they can revoke it (probably they can already guess, there aren't that many around right now). If he doesn't distribute the crack then the system relies upon him purchasing every title released and extracting the keys at home, which just doesn't scale. Sure a few titles might be lost, but who cares when thousands are published every year ....

    I think the guy is pretty naive, in mixing up theory and practice like this. He says:

    If you can play it, you can decrypt it! There is nothing you can do about it. The only thing they can try is to slow people down.

    Well, like I said, satellite TV seems to disprove this. The box itself can play any channel (ppv movie channels for instance) but it's pretty hard to decrypt that stream if you haven't paid for it. So hard in fact that in the case of DirecTV I think it only happened once. The HU card was broken (at ridiculous expense, cost and risk), so they rolled out the P4 cards and the system has been secure ever since. Sky Digital in the UK was never broken at all. If the movie guys are determined eventually they'll just go the route digital TV companies did and ban software/pc based players.
