Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Encryption Security

Why DVD Encryption Crack was a Cinch 513

Devastator writes " Wired has a good article how how the DVD encryption was cracked. The DVD industry is scared speechless about the news." Its actually an interesting little summary of the situation. I wonder what it means for the DVD industry.
This discussion has been archived. No new comments can be posted.

Why DVD Encryption Crack was a Cinch

Comments Filter:
  • A chain is only as strong as its weakest link. This is a good example.

    But then again, I do believe this will spur the Industry to do a better job, which will inspire more creative hacking, which will inspire better security... Benefits for all.
  • The DVD encryption crap is simply yet another example of the Cathedral / Bazaar scenario which continues to manifest itself throughout the industry. The fact of the matter is that while majot corporation stuggle to keep up with the open-source community currently, this is not the way the industry was, say, five years ago. A form of economic or societal Darwinism has emerged in the computing industry, by which major corporations and the coding public work at furious rates just to stay even with each other. The DVD crack is one of the more and more common cases where the Linux community has outstretched "Big Business".
  • 5 Bytes? And they call this secure? 5 Bytes is 40 bits, which means there are 2^40 possible keys. Although I don't know how much CPU is required to test a key, I tend to think a good computer could probably sniff them all out in a matter of days.

    On another note... I wouldn't like to be Xing/Real Networks right now. I think the MPIA could make a really good case for them being libel for a massive amount of money due to their negligence.

  • Another "wow, I'm *totally* shocked.. NOT!" story. You mean somebody was sloppy in how they implemented their encryption? And that led to exploiting a design flaw? WOW... :)

    In all seriousness, I have no problem with copy-protecting DVD's. All the new-age zealotry regarding IP aside, as it stands moviemakers and DVD producers have the right to profit from their efforts. If they stop profiting, they stop making movies, and poof! no more "Matrix"-quality films.

    OTOH, kudos to the hackers (in the traditional sense) who broke it. This is a rare case of white-hat hacking being beneficial. The original designers should probably be held liable somehow, and future efforts in this regard will be MUCH more careful.
  • As mentioned on Ross Anderson's Webpage here [cam.ac.uk], breaking copyright protection can always be done.

    This case is lamentable because it was defeated so easily, in a way that shouldn't have been allowed to happen.

    Encryption isn't all its cracked up to be.


  • "I would expect it could also delay the advent of recordable DVD, because it'll give people a medium to write these hacked video files."

    too late?
  • 'We will fight against the illegal software,
    blah blah blah ...'. This is soooo pathetic!
    The fact is that very small percentage of the
    users would be doing 'illegal copying', but those
    surely would go to the furthest possible extent
    to break through all the locks. The entertainment
    industry is both paranoid and stupid.

    Now I've been reading of digital watermarks on
    DVD-Audio, which, in fact, are not entirely
    transparent and somewhat degrade the quality of
    sound. Don't you think the future of DVD-Audio
    is sort of written on a wall?


  • by jshepher ( 50026 ) on Wednesday November 03, 1999 @06:41AM (#1566408) Homepage
    Since it is encryption based, my guess they used 5
    bytes (40 bits) because of export restrictions. It
    has been proven that 40bit keys can be broken
    quickly using today's computers. It was only a
    matter of time until this happened.
  • by account_deleted ( 4530225 ) on Wednesday November 03, 1999 @06:41AM (#1566409)
    Comment removed based on user account deletion
  • 1) True but...US law has a way of becomming
    the law in other countries. Remember, we are
    the last Super Bully

    2) Unconstitutional? when has that stopped them
    before?
    Hell there is legislation being considered (its
    passed the house and in the senate) to make
    a certain drug illegal. Technically...it would
    make the posession or sale of Red Meat illegal
    in the US (since it contains it in small quantity)

    (yea I know they wont enforce it in that manner
    but...its just to illistrate the silliness of it..
    technically...your brain is already illegal
    to posess due to other chemicals it makes)
  • > So now that some folks have figured out how to STEAL DvD data, what next?

    I, and many others, figured out how to STEAL dvds a long time ago. All you do is walk up to your local video store with a sledgehammer, break the glass, walk in and grab an armfull, and then run.

    What these guys have done is taken the first step that will allow me to play dvds on my box.

    I am happy. I am not stupid. I won't be wasting my valuable time copying and distributing dvds. It's MUCH easier and less expensive if you include the cost of your personal time to just go to the store and buy another disk rather than buy blanks, copy something onto them, find customers that will be willing to buy at a discounted price, sell, make sure that I'm not going to get stung by the law enforcers, etc. etc. etc.

    To put it simply, pirating dvds will not be profitable for a long, long time.

    The "old fashioned" method I described above is much more profitable than disk copying and a much greater risk to, and currently a greater drag on, the profits of the "dvd industry".
  • by Anonymous Coward
    Here's the link. http://www.nico-soft.de/DVD1/home1.html I'm going to pick up a DVD-ROM this weekend to try it. Should be neat.
  • "In the future, the laboratories will be more actively conducting strict surveillance and take counter measures against illegal, inappropriate software and hardware in the market. Moreover, we believe that, based on the recent legislation, legal measures and steps will be taken by copyright holders against such violation of intellectual properties," Mikura wrote.

    If you can't solve a problem technologically, do it with legislation. Since encrypting DVDs didn't work it looks like they'll move to the next step, prosecuting the hell out of everyone they catch. Which will most likely be a bunch of kids trading the latest releases. Nothing like harassing kids for good PR.

    Sorry, but the Internet makes the control of digital media IMPOSSIBLE. This is a fact, if you want to make big money with digital media you have to understand this fact and move from there. No major media companies have yet acknowledged this and they will fight it until they die or give in. Goes to show you, you can't teach an old dog how to use the Internet.
  • by Anonymous Coward
    His terminology is off but he is essentially correct. Whether or not it's the Linux code monkey community, or the Window code monkey community or the various cracker cabals.

    The fact remains that corporations with limited resources are trying to go head to head with a planetful programmers with too much free time.
  • can't really work in the real world? I disagree. as a matter of fact, the more times things like this happen -- the more information that starts off as billion dollar top secret encrypted info and then becomes nothing more than a little bit of code embedded in a widely distributed application -- the more its going to become obvious that free information can work very well.

    your medical records, my civil court records, their credit records, the movie industry's precious DVD keys... all this information is going to become publicly available, and there's really no way to stop it - the best we can hope to do is figure out how to live best with the fact that information is very hard to contain.
  • The "immorality" of copying DVDs is right up there with the "immorality" of copying a magazine article. The truth is that the invention of the Xerox machine did not destroy the publishing business. Even though is is possible to copy all the interesting articles in a magazine for less than the cost of an issue, the magazine business is rolling along better than ever. Why? Is it possible that the people running the movie studios are insanely greedy?

    The entire home video industry is gravy for the movie industry. Worst case, they'll have to go back to making their money off the the theatrical showing of their films instead of counting making as much again off the home video rights.

  • But isn't DIVX at least as dependent on some kind of copy-protection scheme as DVD?

    Seems to me that if you can defeat the DIVX scheme, you then get even cheaper movies that you don't have to pay to view at all, compared to DVD!

    (I don't use DVD or DIVX, by the way.)

  • Ok I have 2 notes here as more than a couple
    of people have said that "Dissassembly isn't
    illegal"

    A) The Crackers were NOT in the US. Therefore
    they are not under US law. This argument thus
    means nothing.

    B) Sony is not a US company (they are Japanese)
    thus only their offices in the US are under US
    law. Again...this statement means nothing.

    C) The statment itself is also useless, since
    the Crackers were not in Japan. So even if it is
    illegal under Japanese law, it may not be illegal
    where they are.

    D) The statment was probably written by someone in
    some PR department. Regardless of legality, they
    want to make these actions SOUND illegal and "Bad"

    E) People in PR departments may not be experts in
    copyright law...international or not.
  • DVD-r is already too late. My harddrive is already 17 GB (which is actually quite modest these days), which is the maximum size definedby the DVD standard, though dvd-r is probably way below that. So I don't think the relief a dvd-r provides above normal cd-r will last long.

    So I hope there will be something more advanced soon.
  • Storing the raw DVD video/audio data is foolish, yes. But the DVD video is of such high quality that it is feasible to downgrade it to, say, 400x300 or 512x384 pixels in truecolor and MPEG-1 it at a reasonable bitrate. That'll still result in higher quality video than what has been previously available to the w4r3z-keepers.

  • Security through obscurity is more like hiding a copy of your front door key under the little gnome statue in your rock garden, then hoping that no one thinks to look there. Of course, that's the first place a professional thief is going to look.
  • It's not like that would have taken very long at all to crack. Hell, it only took a few months to crack 56-bit DES, 40 bits would be a cinch on today's hardware. Let it run overnight and you've got yourself a fistful of cracked, valid CSS keys.

    Bottom line: It would've been cracked anyway eventually. Xing just hastened the process.

    - A.P.
    --


    "One World, one Web, one Program" - Microsoft promotional ad

  • by KyleCordes ( 10679 ) on Wednesday November 03, 1999 @07:45AM (#1566446) Homepage
    Your argument is valid, today.

    But the pace of smaller, faster, cheaper, better has show no sign of slowing. Disk space in $/Gig falls by a factor of 2 approximately every year. DVD-ROM readers will undoubtably go from 4X (or whatever) to 30X+, like CD-ROM did.

    Will you arguments still be valid when it is cheap and fast (a few minutes) to copy a DVD on to a (small part of a 200 gig) hard drive?


  • It seems to me that while watermarking could be fairly resistant to unintentional audio manipulation, or uninformed attempts to destroy it, it should fall quite easily to a compotent attack.

    It seems that watermarking should be a security-by-obscurity method, where if you knew the protocol by which the original was modified, you should be able to find where that code is stored in the source media, and remove, or scramble it.

    By knowing where the data is stored, smaller changes should suffice to mask it then if you had to add whtie noise to the whole file in order to hope to kill the watermark.

    Also, helping this, is that for any watermarking scheme to be effective, there has to be an easily available way to tell if a file is watermarked. For instance, in photoshop, loading a marked file produces a (c) symbol after the filename, and will display creator info. If you had to mail this file to the company to get an answer back, it would be so cumbersome that nobody would use it. This means that the watermark readers have to be visible, if only in binary form, to watch them work.

    All systems that are watermarked and checked on client computers are as good as broken whenever someone compotent wants to try. Being that watermarking is the hiding of a secret key in a document, and that secret key can't be too secret, because you can watch it be generated (it is your computer, and you can use a debugger) you can also remove it, by applying the inverse of that secret key to the watermarked file.

    This is complicated a bit by the fact that digital music watermarking could be done in secret, and with a key that we wouldn't know. As long as Sony music could send a copy of the MP3 to the marking company and have the key checked, it would satisfy their needs. And we're also prevented from using known-plaintext attacks unless someone gets an unmarked version of the song from pre-production, just before the watermarking.

    But even this should be vulnerable. Even if we can't remove the watermark by applying the inverse, we could, if we knew how it was done, mask out just the relevant bits, and scramble the key beyond reading in a much more subtle way than by applying a strong white noise to the whole file.

    The very fact that watermarks have to be robust also means that they can be found, if their format can be discovered, which makes them security by obscurity.

    If watermarking was done in such a way that you could check if Company A owned the file by constructing a watermark for Company A, for that file, and then looking for it, it would be easier to hide. But, watermarking needs to be read without knowing the result, to see which company's mark is used, not simply to state if a known mark is there or not.

    If the mark could not be read without knowing it, then more subtle ways of hiding the mark could be used that depended on the specific mark. (ie, if the first bit is 0, do this, else, if this, do that...) But, the mark must always be readable in a standard way. This means it has to be fairly easy to find. Sort of like using SYNC bytes on storage media to let you know where the data begins.

    Once you know the format of the sync data, and can use that to find the specific areas that the watermark would change, even if you can't determine what the data was before being changed, you could write over it with random data, along with the sync data you used to find it, the hopefully rendering the watermark unreadable.

    Any problems with this theory?
  • That's why we have locks on our cars. If a car manufacturer made a car with no locks, insurance on that vehicle would skyrocket because it would quickly become the most stolen car in America. Less people would be inclined to buy the car because of the insurance rates. The manufacturer would in fact be punished for their weak security. Which still isn't to say stealing them's right.

    But then, assuming the distributors of keys for DVD players had criminal intentions is rather silly too. Personally, I like the fact that I can now play the discs on my Linux system (Which does not have Windows on it) and may actually end up buying a player now. This also enables other aspects of "Fair Use" which phrase Hollywood would like to stamp out in exchage for "Pay Per View."

    Frankly I find the greed of Hollywood and the RIAA to be disgusting and would like to give economic preference to independent artists who do aren't in bed with that lot. Is there a web site with links to music and films (Old or upcoming) which aren't associated with those groups?

  • by Wah ( 30840 ) on Wednesday November 03, 1999 @07:46AM (#1566454) Homepage Journal
    A few years down the road at least. Fatter pipes are coming, bigger drives are here. Even with my setup I can dedicate 5 gigs pretty easy, start a download and wait a day, voila Blockbuster go boom (no, I'm not on a school LAN).

    The movie industry is in serious need of a housecleaning anyway. Whoa, look 3 new crappy movies, yippee!! (repeat every week). Personally I think this is poetic justice for the music/movie industries, they screw consumers when production costs go down and prices stay the same (but promotion costs seem to keep going up, maybe to offset the quality of the product..), we screw them when price and reproduction costs both move to zero. Serves them right for making me watch COMMERCIALS when I PAY to see a movie.

    They will still have the box office and sales (a permanent physical backup for critical info is always a good idea) but I see no place for the present day rental system in the next millenium.

  • assuming of course you found a way to circumvent the macrovision circuits. my SV-09 is not only a killer DVD player, it doesn't output Macrovision and it ignores regional codes. I just wanted to be able to watch foreign movies without buying multiple DVD players, and I wanted to avoid the picture degradation inherent with macrovision.

    Commercial pirates aren't affected by much of anything so I think the movie industry should realize that most of us BUY our movies even when we can download them. I want to support the artists involved in the production of my entertainment. They earned the money.
  • "Johansen and his partners were able to guess more than 170 working keys by trial and error before finally just giving up to go do something else."

    Sounds like an excellent new project for distributed.net... they've been doing distributed brute force encryption cracking for how long, with how much computing power ?
    230 left to go....

  • The major problem is that they are going after the wrong source, the people who sell the DVD duplication equipment. They make it seem like it's us, but that's just the publicity engine.

    The people with the duplication equipment are the ones that can create thousands of DVD's. They can make Pirate DVD's of rencent movies.

    Many times, these duplicators are doing duplication for the major movie studios.

    The movie industry should have just made sure that only they had access to the duplication equipment. Instead, they went cheap. They let anyone with a duplicator bid for the duplication contract.

    Think how many "Pirate" CPU's would exist if Intel contracted out the production of all of it's CPU's to other companies for production (and they charged $1000 for a celeron).
  • Back when I was on the DIVX project at Zenith, (and yes, I know DIVX was *evil*) DIVX was the encryption method that was competing with the current method. The flaws of the current method were well-known to the crypto people at DIVX/Circuit City, and when they went out to sell DIVX to the "content providers", they let them know exactly what those weaknesses were. I don't fault them for not choosing DIVX, but I do fault them for putting any reliance on a known weak system.
  • They have removed it, yes?

    No. [wired.com]

  • If I go out and pay $15-$20 for a DVD, and use this so I can actually watch it on my system, that's "immoral?"

    If I watch this disk under an operating system other than Windows - that's "immoral?"

    If I demonstrate, with examples, to the public how an encryption scheme is weak - that's "immoral?"

    You have some interesting ideas about morality. If you're worried about moral decline, I think there are better issues on which to focus.
  • Just recently we had a problem of our VCR eating a tape and spending a couple of days without while it was fixed (fortunately the VCR was under warrenty). The tape didn't survive.

    Certainly scratches are a big problem for optical media, but I think it's no less a problem than fragile tapes that have been wound/rewound several dozen times by the time your VCR gets them. And when DVDs are treated properly, the picture quality will be identical to the first viewing.

    In a perfect world, we wouldn't have to put up with rental media at all. Simply get movies with digital quality on demand, watch once, and get on with our lives (probably with better cared-for DVD-type media for the movies we want to own).

    I feel your rental pain, but think also that your DVD player was unaffected even by a crapped-out poorly cared-for disc. That's worth something too.

  • Ah, I'm so depressed about this entire issue. I thought the EFF would have whaled on this horrible bill, but they didn't. I didn't see much negative written about it at all. Yet, I see it being used to keep things secret.

    "From the article:

    ""The circulation through the Internet of the illegal and inappropriate software is against the stream of copyright protection."

    Thank you Clinton, Thank you DMCA, and Thank you Congress. Considering that it starts to take effect as of 1/1/2000. I expect the lawsuits to be hurled at Livid, and anyone who's even sniffed the source code around 1/3/2000.

    The only saving grace of this entire mess?

    From the text of the DMCA.

    "Reverse Engineering Exception. Section 1201(f) allows software developers to circumvent technological protection measures of a lawfully obtained computer program in order to identify the elements necessary to achieve interoperability of an independently created computer program with other programs. A person may reverse engineer the lawfully acquired program only where the elements necessary to achieve interoperability are not readily available and reverse engineering is otherwise permitted under the copyright law.7 Furthermore, a person may develop and employ technological means to circumvent and make available to others the information or means for the purpose of achieving interoperability"

    It means that while every DVD maker can try to sue to stop things like this, it means that as long as the project is attempting to add functionality (insert Play DVD's under Linux here), they are cool. Unless they've amended the act, again.

    If anything? I'd be worried more about WIPO. http://www.wipo.org/eng/. DMCA is merely the first step in more laws intended to modify American Legistlation to be more friendly towards WIPO in general. Honestly? I can't say it's a bad thing, because some of the laws need to be amended, but in this hostile climate of anti-everyone, and anti-anything-that's-bad. I'm sure a great deal of shitty law will be passed.

    When in doubt? Write your congressman, write your senator. See if they even have a clue on this issue.
  • Amphigory's question is a good one!

    There is a presumption in the post to which he responded that in fact CD-Rs have made a significant dent in software profits. I see two reasons that make me doubt they have, with the possible exception of MS operating systems.

    1) Software makers make the big money by selling software to businesses, including universities. Businesses (esp. ones that are over 4 or 5 people big) can't afford piracy, long term. Does it go on? Sure, but CD-R only makes this process easier, it isn't the start of it. Businesses like support, and docs ...

    2)People like documentation and accountability. That the accountability may be illusory for most users, the documentation is not. And it's considerably more inconvenient to make high-quality copies of documentation to accompany software. Folks will no doubt continue to exchange software, but the software industry will continue to sell boxed software for the advantages it offers. Note how well even boxed Linux distib.s sell! That's software which is free -- so someone could download it without even the risk / discomfort of illegality.


  • Yes, that's true, it would. So, because it's possible for an encryption system to be flawed, all encryption systems are worthless? What about RSA -- it's been in use (and under scrutiny) for 19 years and no "glaring hole" has been found in it. The only way to break RSA would be to discover an incredibly easy method of factoring larg primes out of enormous numbers. Barring a mathematical discovery of enormous proportions, it's impossible.

    There are a number of good encryption schemes out there and, in fact, CSS didn't have any problems with it. It was the fact that the coders left the key unencrypted that was the glaring hole. Don't blame the mathematicians for a coders mistake :)

    -----------

    "You can't shake the Devil's hand and say you're only kidding."

  • by FreeUser ( 11483 ) on Wednesday November 03, 1999 @08:01AM (#1566511)
    The film industry really should do an unbiased and intelligent analysis of the impact of emerging technologies on their product, if they want to actually protect their interests in a constructive and effective manner. Some points which should be considered.

    - consumers have had the capability of recording and copying movies to their hearts' content since the advent of the VCR. Videophile and audiophiles may not be happy with the quality, but as far as the average consumer is concerned the quality is "close enough" to perfect. Despite this, movie makers have been selling and renting movies like hotcakes. Being able to copy DVDs will not change this at all

    - commercial pirates, for whome the "infinite perfect copy" does make a difference, could already do this by using $5,000 DVD-Rs or buying their own DVD production equipment. One analog copy, reconverted to digital format, and they could produce an infinite supply of nearly perfect DVD copies for sale on the black market. This is a problem, but one which the cracking of the pathetically week css algorithm will not significantly affect.

    - high-end consumers do not like having their technology "messed with." The destruction of DAT is an example of consumers refusing to buy into crippled technology. Likewise, DVD playback which is limited to Windows, or by region, is not only an invitation to hack, but worse, creates unnecessary bad relations between the seller and the consumer.

    - finally, unlike the RIAA member companies, movie studios are not parasitical entities acting as a paid go-between between artists and their customers. They provide the capital, resources, and equipment for shooting films and play a very necessary role of the art form. Contrast this to the music industry, whose contribution to the art form, beyond providing a distribution channel they happen to enjoy a monopoly on, and perhaps a place to record and master (which any technically savvy musician can do in their own home), is negligable at best and quite often destructive. This suggests that the movie studios aren't nearly as vulnerable to artists switching to an internet medium and cutting them out of the loop as the RIAA member companies are, and have a lot less to fear from open internet standards and distribution channels than their record company counterparts.

    Even with copyable DVDs the film industry has little to fear. The target they should be most worried about -- the professional "industrial strength" pirates -- is the group least affected by these developments. The fear that the grassroots mp3 warez phenominon will happen with DVDs is unwarrented, not only because of bandwidth and storage limitations, but also because of a difference in consumer habits, and a fundamental difference in the relationship of the affected artists and consumers with the movie studios vs. the music industry.
  • Yes the technology to rip off DVD's wholesale will come. The way I see it, DVD's as far as customer acceptance goes, is still young. This leads me to believe that the industry will see abandoning the technology as a viable solution to DVD theft. I wouldn't be at all suprised if the number of movies that come out on DVDs slowly falls off and there is an introduction of a new replacement technology. Now is the time to do it, before DVD's become mainstream.
  • Think of it like this: you leave your front door unlocked everyday while you're away at work, and one day, a thief breaks in and steals everything. Will your neighbours feel sorry for you? Should they?

    So... why not tell me where you live then? It wouldn't be my fault for breaking in if, say, you were stupid enough to have windows in your house, would it? I mean, everyone knows that glass shatters incredibly easily, and therefore anyone with glass windows is just asking for it, right?

    The industry followed what they thought was their best option. They used 40-bit crypto so as to not have to have a US edition and international edition. What would the point be to using 128 bit crypto when you can still pump the DVD's output into a video capture card? You don't get all the neato things (multiple aspect ratios, etc...) but the point is the movie has been copied.

    And no matter what, no one is going to be able to market a DVD recorder with a key cracker in it, so the 40-bit crypto pretty much stop 95% of the copies that could be made otherwise.
  • Yeah - The old DVDs.

    Don't worry, pretty soon they're be a new DVD format, with new keys, and probably a new cipher, put together by a new company. And they won't forget to encrypt the key this time.

    Maybe that will be cracked too... who knows. But this really wasn't a matter of closed standards or obfuscation. It was encrypted using a private key mechanism. Even if you had the specs for the decryption routine (which the hackers had) you'd still need the key.

    -----------

    "You can't shake the Devil's hand and say you're only kidding."

  • 40 bits is a completely insane size

    40 bit encryption only serves one purpose any more...it leads people into falsely believing their data is secure.
  • True enough -- vendor response to security problems has historically been pitiful. Though in this case, I have to wonder whether it would have been desirable -- had CSS not been broken, but instead quietly reported and fixed, DVD would still be closed, the vendors would still be dragging their coattails through high-nosed proprietary BS, and work would have continued on breaking the new revision. That's assuming it was fixable, since lots of DVDs and players have shipped, and any adjustments would have to sustain backwards compatibility.

    The security research ethic as taught in universities is that you tell the vendor and give them time to ship a fix before a vulnerability becomes common knowledge, but if the vendor doesn't produce a fix (as they often don't), full-disclosure is among the available options.

    Which comes to the other point, namely that the movie industry liked DVD largely because it was (a) somewhat more desirable for consumers while costing less to manufacture, and (b) closed, and therefore subject to more control over how it moved -- like how most players don't allow you to skip over the usual copy-this-and-die FBI warning at the beginning, and some don't allow skipping of the various logos at the beginning. By and large, the computer community had no interest in letting it remain closed (we've been trying to reverse-engineer it all this time, remember), and has never based itself on the potential profit to be made by already greedy conglomerates.

    And, based on the coverage sofar, the security on CSS was a poor engineering job -- as tends to happen to closed security systems. 40 bit keys don't work anymore, and in general, anyone who designs a security system without adequate consideration of the factors deserves what happens.

    One possibility is that the music industry will try to distance itself from DVD, but I doubt it, unless they have some unannounced alternative up their sleeves (DVD2? Same thing plus a firmware "upgrade" to the players?), the alternative is VHS, which is much easier to copy than DVD, though harder to make a new master in a counterfeit manufactury.

    I'd speculate that in 1-3y bandwidth will have gotten to where VOMs can be moved around the way MP3s are now, and it will continue to have a negligible effect on industry earnings, and we'll hear tons of whining from the movie industry. Then Microsoft will put out Microsoft Video System, which will itself get cracked in a few days, and then there will be sardonic laughter. insuff des

  • Yes, but when you're talking about counterfeiting in commercially significant quantities, the encryption scheme doesn't enter into it. All the encryption scheme accomplishes is to prevent people from turning the MPEG datastream into plaintext. But a high-volume counterfeiter doesn't duplicate at that level; they duplicate the raw bits coming off the read head.

    The DVD player in your living room has no way of knowing whether the disc you're playing was legitimately stamped by the studio, or whether it's a precise bit-for-bit copy stamped in Malasia. So it's fairly easy to demonstrate the encryption scheme fails at its stated purpose.

    So what's the encryption really there for?

    Schwab

  • ARGH!!!

    Sorry for the double post -- netscape crashed mid-submit. Still not sure why that would commit it twice, though -- once with a correction and once without...
  • DVDs are encrypted to both stop piracy, and to protect Hollywood's incremental release dates.

    A film is usually released in its country of origin first. Some months later, other countries may see it. This is done to save on film printing costs. The DVD zone system--which forms a large component of DVD "encryption" is designed to ensure that a people in Australia don't order a US-imprinted DVD instead of viewing the film in theaters.
    Of course, this system ends up shafting the foriegn film buff. Many Japanese films simply don't make it into the US market/zone, and thus are inaccessible to the most import savvy viewers. Of course, one could always buy a Japanese-encoded DVD player, but that's rather expensive.
    One oddity with the zone system is that China forms its own zone. Of course, China is home to many a pirate, but this also allows the government of the PRC to essentially control film imports more effectively.
    The whole incremental release system will be obsoleted by digital distribution systems, anyway. Bravo for the crackers!
  • I suggest you click on The Hunger Site and try giving something for free. Then come back and tell us how much it affected your morgtage or car loan or whatever.
    That which is supported by advertising is not free.

    Massive corporations want you to buy their stuff. They spend money on advertising. The cost of advertizing is included in the cost you pay for their product. When you buy a can of Coca-Cola, part of what you pay goes to Coke's advertising budget; Coke buys advertising on UPN; UPN makes another season of Voyager. So you don't get to ogle Seven Of Nine(TM)[1]'s tits for free[2], no no no; you pay for it with every can of Coke, every Gateway computer, every new Toyota, whatever you see advertised.

    There's also the fact that you are paying by allowing these companies to attempt to influence your buying decisions, but that's a more subtle topic.

    ([1] Yes, "TM", according to the Star Trek website. Bleh.

    [2] No disrespect intended to Jeri Ryan. Much disrespect intended to whoever decided her character should dress like that.)

  • I think the reason they worry about the piracy issue with DVD over VCR is the quality of the copy versus the cost to make that copy. With VCRs you get generational defects, and even master copies ware out. Once you get your master copy of a DVD you can make perfect copies every time.

    Now I really think the entertainment industry is run by lawyers who don't understand the issue here. If I'm a pirate, I'll just bit copy the media (DVD in this case), and press disks. If I don't have the keys I can then just copy the encrupted data and the copy protection. If I do have the keys I can change the content before copying, but pirates don't want that.

    Before anyone works on digital IP rights issues they should be forced to read, and understand, the record player example in Godel Escher Bach. Then if they start claiming they have the ultimate meta record player we know for a fact they are idiots.
  • by Christopher B. Brown ( 1267 ) <cbbrowne@gmail.com> on Wednesday November 03, 1999 @08:16AM (#1566572) Homepage

    Your observation that "consumer piracy" is likely to be insignificant is very well noted.

    The thing is, the commercially significant piracy that takes place under the DVD regime is likely to be, as it is now, a result of "mass piracy" on the part of folks in the "gray market."

    Unfortunately, they will benefit from the cheapness of producing DVDs, and while it may become more expensive to become a "commercial DVD pirate" than it is to become a "commercial VHS pirate," that goes along with the benefits of:

    • Cheaper media and labour costs, and when you're doing something illegal, it's doubtless preferable to have fewer low-paid lackeys that could turn on you, and
    • Perfect digital copies rather than the present Analog-to-fuzzier-analog VHS results.

    If the big sellers of DVDs can maintain rigid control over the manufacturers of DVD mastering units, that might make it hard to "clone" DVDs from masters.

    Unfortunately, that's liable to have the same flaws as DAT did. With DAT, there were special codes encoded into tape headers that would let the units forbid copying. That was part of why DAT never took off.

  • by jd ( 1658 ) <imipak&yahoo,com> on Wednesday November 03, 1999 @08:16AM (#1566574) Homepage Journal
    Agreed. The key length was FAR too small, for something like this. Running more rounds (as in triple DES) would be viable, but 3DES is phenominally slow - far and away too slow to be usable for real-time applications.

    It's hard to protect -everything-, since something has to be visible to the hardware for it to be able to start decryption. The outer layer -must- be visible, even if it's in hardware. At which point, all you need do is read the outermost key, and you get to exactly the same point these guys did.

    Anything the player can see, you can see. There's nothing magical about a machine, even when it's based on a Japanese design.

    The question was never "whether" DVD encryption would be busted, but when. Actually, I'm amazed it took so long.

    Sooner or later, manufacturers, movie industry bosses, etc, are going to have to come to the same conclusion computer software houses did years ago. Copy protection -doesn't work-! It's a fundamentally flawed concept. There was only one scheme that even came close to working, and that was confiscated by the MOD in England, and classified. Even then, it was probably fairly easy to break. The whole concept is fundamentally flawed.

  • Oh, no, they used a weak, 40-bit encryption scheme with 200 different keys lying around, and it bit them in the ass, you say? I'm sorry, but if out of 200 different companies there wasn't one who would say "Hey, look, this encryption system is as solid as swiss cheese!" before creating the standard, then they're responsible for what's coming to them.

    It's as if someone discovered that every door lock and ignition lock on General Motors' cars could be disabled with a refrigerator magnet. Too bad for GM.
  • by jms ( 11418 ) on Wednesday November 03, 1999 @08:17AM (#1566578)

    Simply speaking, copy protection schemes just don't work. If you allow access to the data to anyone for any reason, someone is going to find a crack for it. I don't care how good your copy protection scheme is.


    There's one exception to this, and that's if the company goes out of business before anyone has the time or interest to hack their copy protection. i.e. DIVX.

  • >DVDs are cheaper to produce than video tapes.

    I've often wondered about this. It seems like it would be cheaper to produce a cd than a cassette tape for the same reasons, yet here we are 10 years or so into the cd revolution and cd's are still more expensive than tapes.

    (And if I remember correctly tapes/records were normally pretty close to the same price)

    Also reminds me of a speech I saw from a well known games developer. He was very excited about the proliferation of cdrom drives, as cd's were going to save his company a ton of money over shipping floppies. When someone asked if that meant his games would be cheaper, he just smiled from ear to ear... :)
  • I think, we as a society need to get over the notion that people own ideas. The open source movement has begun to demonstrate a great way for people to make a buck without having to own ideas. Rather than writing software, keeping it secret and then selling it to people, the companies have learned to give away the secrets, but make money on support and services.

    Personally, my income is hurt by closed source old world ways of distributing software and media. I work in computers doing custom development of software for corporations. The software I right is really only useful in a specific context for a company so piracy doesn't effect the work I do. However, having to pay for operating systems, database software and development tools does effect my bottom line in a big way.

    I will admit to the fact that deciding as a society that intellectual property isn't something you can own will hurt a lot of companies who have built their empires on that assumption. But in the long run I believe we will be better off for it. In addition I think their are better ways for these companies to make money.

    Rather than producing a CD and depending on the distribution of the music to make money, why not make money off concerts instead. Give away the music to hook people and then do major concert tours. Sell experiences that cannot be duplicated and pressed and mass distributed. Sell things that are unique once of a lifetime events.

    I can get a DVD of a movie, but yet I still go and see it in the theatres. Why do I do this? Because it is a unique experience that I cannot reproduce in my home. Their is value in that experience. I have a nice home theater system, but it is never the same, so I shell out my money and see it on the big screen with big sound and a large crowd of people to share the experience with.

    Really the whole intellectual property thing is, I think, a sign of inefficiency in the mechanisms of distribution more than it is a legitimate form of business. Books, CD's, Videotapes, DVD's, all have a certain cost in duplication and distribution which must be recovered. With the rise of the digital, and the ability to make infinite perfect copies it seems wholely ridiculous to charge me money for it.

    Do I believe that copying a DVD is illegal, yes. Do I believe that it is immoral, no. I believe that to charge more than the cost of distribution for the DVD is immoral.

    ---

  • 1) Yes, but there's not much time left for that either. By 2005 Japan and Europe with both have bigger net presences (And better video and voice integration for data transmission.)

    2) It killed the CDA pretty well dead in its tracks.

    2.5) I'd like to see it pass, and then everyone can go out, buy a steak at the supermarket and then go to the police and confess to possession of the drug.

  • by Christopher B. Brown ( 1267 ) <cbbrowne@gmail.com> on Wednesday November 03, 1999 @06:43AM (#1566611) Homepage
    This exposes two unavoidable vulnerabilities:
    • The system was using a published crypto scheme using "mere" 40 bit keys.

      40 bits is fairly breakable, and since key transmission is a critical problem in building crypto systems, and DVD systems often represent embedded systems, they have a few keys vulnerable to brute-force attacks.

      There is no question but that DVD encryption would be quite vulnerable to brute force attacks.

    • This story displays that protocol problems represent a major vulnerability.

      It appears that the result of this "exploit" is that the decryption keys for all DVDs have been exposed as a result of them being accidentally published.

      This is the sort of thing that organizations like the NSA reportedly are acutely sensitive to when they are trying to crack systems.

      In order to keep such systems secure, it is absolutely necessary to be extremely careful with how critical data like encryption keys are dealt with. Apparently these keys were released to people upon whom it was not carefully enough impressed that they needed to be "billions-of-dollars-riding-on-this" worth of careful.

    Oops.

  • by Foos ( 52086 ) on Wednesday November 03, 1999 @08:20AM (#1566614)
    An interesting point to note is the fact that when you make a copy of a VHS tape, you lose a certain amount of quality on each copy. So if you have a "fifth-generation" copy of a movie on VHS then there will be a noticeable loss in quality. On the other hand, with DVD there is no loss of quality whatsoever even for a "hundredth-generation" copy since it is all digital. Thus a copy will be exactly the same as the original.
  • by adimarco ( 30853 ) on Wednesday November 03, 1999 @06:45AM (#1566617) Homepage
    Without getting too deeply into the idealism of the subject, they really should have expected this.

    Simply speaking, copy protection schemes just don't work. If you allow access to the data to anyone for any reason, someone is going to find a crack for it. I don't care how good your copy protection scheme is. I don't care what kind of information you're trying to protect, or what kind of media it's on, be it CD, DVD, casette, diskette, whatever. Information wants to be free.

    They've tried so many tricks and schemes over the years. Remember the "What is the second word on page 153 of the manual" ones? Or what about software that would only let you install it twice.

    I still use numbers like 123-1234-1234567 for Micros~1 product keys even when I have the legit numbers. Always good for a chuckle.

    The way they accomplished the crack was hilarious 'though. RealNetworks (or whatever subsidiary that was) must be pretty embarassed right now... forgot to encrypt their decryption key. Morons :)

    Anthony


    ^X^X
    Segmentation fault (core dumped)
  • Clearly, these people are not very clever. It seems fairly clear to me from this "horror story" that the movie theatre model of film distribution has been marginalized by advancing technology.

    We observe that people are not willing to go to the theater, but are willing to buy VCDs. Now, would a clever person either:

    1. Release to VCD first at, say, a 50% premium over bitlegged VCDs, thereby establishing themselves as the source of the highest quality copies of that movie (and then release to theaters a couple of weeks later, thereby getting all the people who want to see the film in all its high-resolution wide-screen THX glory); or,
    2. Whine shrilly about "piracy" and your rapidly-eroding intellectual "property" rights?

    The environment is changing. Organisms (and organizations) that do not evolve will end up as an exhibit under glass in a museum. I guarantee you the environment will not change to suit your whims. Start changing the way you think about this stuff; the ulcer you save may be your own.

    Schwab

  • by Anonymous Coward on Wednesday November 03, 1999 @10:49AM (#1566626)
    Based upon what I read out of the LiVid mailing list archives on Monday:
    • Most disks have their video data encrypted with a random 40-bit key (called a "title key"?). Each disk has a different title key.
    • 409 copies of the title key are made, each encrypted with a different manufacturer's key (also 40 bits each). Those encrypted keys are written to the disk.
    • A given manufacturer, when they get their DVD license, gets one of those 40-bit manufacturer's keys and a note that says "use key number 12".
    • The player looks at the disk, extracts the 12th of those 409 encrypted keys, uses its manufacturer key to decrypt it, giving it the title key. That title key is used to decrypt the video material. It ends up with the same title key as any other player would have gotten on that same disk.
    • The manufacturer key would be held in ROM or encrypted in a software player of some sort. To discourage manufacturers from doing that badly, the following threat is put in the license agreement: If someone figures out your manufacturer key, you pay us a lot of money, and in addition we stop including your key in the 409 used on new disks. Now all the newest movies won't play on your player, and you go out of business.
    So it's like the usual hybrid PGP scheme with multiple recipients (where a per-message random symmetric key is public-key-encrypted to each of the recipients), except CSS uses symmetric encryption everywhere, and the disks are usually encrypted to the same 409 recipients all of the time, and only a few dozen of the recipient keys are actually known by real users (players), the rest being kept in a vault for new licensees.

    The problem was that the encryption was really poor. There are two attacks:

    1. For any given disk, brute force the title key. I think this would take a day or two per movie. Then assemble a web database of some sort where you could look up the title keys for your disk.
    2. Once you've figured out the title key for a given movie (say, by discovering one of the manufacturer keys, doesn't matter which), look at those other 408 encrypted keys. For each one, brute-force the related manufacturer key. (because of massive flaws in the crypto, this takes about a tenth of a second for each one). Now you have 409 manufacturer keys. You don't care which one is which. Publish them all.
    The latter has happened. Hundreds of keys are now public knowledge. Many of them are probably in use by big-name manufacturers (you now have the key of every player that could have played that disk, which is all of the current ones and most of the future ones). And it is practically impossible to change the keys in a useful way. They would have to drop all of the keys in use by the current players from new titles, making them unplayable on current hardware. If even one key remained from the set that are now known, the same attack could be made to get all of the new ones.

    Note that if they had planned for this, they could conceivably have put several keys into each player, and the response to having all of the current keys published would be to switch everything to Set 2 (instead of using FooCo's first manufacturing key on the disk, they use FooCo's second key). The current players that had multiple keys would still play new movies, but the published keys would not work. However, learning any one of the new keys (perhaps from a poorly protected software player that had multiple keys too) would allow the whole attack all over again. And brute-forcing a title key would allow the whole attack over again. The net result is that CSS is completely and utterly dead.

    There is an extra layer on top of this, the authentication phase, which I don't know much about. From what I can tell it seems to be designed to keep someone from snooping the bus traffic and reading the decrypted video from there. The DVD drive will refuse to read certain sectors from the disk (the encrypted keys) until you've negotiated something with the drive. There may be more to it than that, but the technical issues have been solved for quite a while.. the necessary ioctls are already in the linux kernel.

    And, as noted by others, this is independent of the copyright issues on DVD movies. CSS was a scheme to restrict use of the video data, and had the effect of preventing the development of open-source players on Linux and other platforms. Now they can be written (and mostly have been, although doing both audio and video at once is beyond the capacity of most processors).

    -Brian

  • Yeah, you could've said the same thing about CDRs in the early 90's. Now a blank CD costs under $1. Why shouldn't the industry expect DVD-RAM to go down in price?

    -----------

    "You can't shake the Devil's hand and say you're only kidding."

  • The real problem comes from both sides of the aisle.

    I'm quite sure the encryption opponents are quite relieved that anyone who might otherwise oppose them is too busy blaming whatever group he or she is not a part of, be it the Democrats or the Republicans, the Liberals or the Conservatives.

    Berlin-- http://www.berlin-consortium.org [berlin-consortium.org]
  • If, as you say in your post, "DIVX was *evil*," why did you work on it? Why did you help to create something you knew no one would want, and which you yourself didn't want to have?

    I'm not trying to be hostile. It's just that I learned my lesson on issues like this a long time ago, and I've made it clear to myself (and my employers) that I will not work on projects with which I personally disagree. Perhaps I'm in a better position than most (and I also don't put myself in the way of such projects), but I've never fully understood why someone would spend their precious creative energy on something they personally felt was pointless, wrong, or ethically bankrupt.

    This is just me talking,
    Schwab

  • Trust me, they're not going to rest until they can get back to the original model - people paying every time they watch a movie (and, if they can pull that off, every time they listen to a song).

    Yeah, they'll try, but I hope for them they'll see the light somewhere in the future.
    I see this as a kind of market. Corporations trying to make as much money of the customer as they can, resulting in a black market of warez/mp3z/moviez.
    Most people buy their favourite linux-distro (even the original one, not cheapbytes) instead of downloading it. Why? They feel buying it is rectified by the value.
    In my opinion most people _are_ willing to pay for what they get, but they are not willing to pay bucks which are the tenfold of the value they get.
    The battle of hollywood and the big music labels is lost, they have nothing left to fight.
    Everything the could do is damned to fail, they can't use copyprotection cause they don't control the hardware, they can't check the whole internet for warez cause even geocities or tripod can't get their own servers clean, this is impossible.
    (ie. just rename bla.mpd in bla.doc and their cute scanners will fail miserably).
    Increasing bandwith will end the possibility of making a lot of money because you own the distribution and marketing channels, and that's what it all reduces to, IMO.



  • by Dast ( 10275 ) on Wednesday November 03, 1999 @06:52AM (#1566657)
    If they did limit the keys to 40 bits because of export restrictions, maybe this will convince businesses to help fight those restrictions.

    They stand to lose a lot of money not being able to secure dvd's. And when there is money behind something, you can bet they will act.
  • The GEB example is a good one. With, one slight flaw though. However, instead of the Tortoise being the one to outwit the Crab it is the store that sells the record players to the Crab. =) If they keep changing the medium, we are going to keep getting screwed royally to buy new players.

    Personally, I hope that the record companies understood that there was a 99.999999% chance that the encryption was going to broken. I bet they have some fail-safe plans. I believe some people have mentioned as such before that they still have some tricks up their sleeves.

    But, to see the encryption fail soooooo stupidly, it has to hurt DVD's chances on the whole. Didn't Xing THINK that someone would reverse engineer their buggy software? Hell, maybe that was their idea (one little programmer not encrypting the code brings down DVD - hahaha).

    Later,
    Justin
  • by Col. Panic ( 90528 ) on Wednesday November 03, 1999 @06:53AM (#1566665) Homepage Journal
    Maybe this will give Hollywood types a more realistic perspective so productions like Hackers and that MTV portrayal are more accurate in the future.

    They needed a clue and got one they will definitely listen to this time.

  • But for now
    1. I can buy a DVD movie for around $15 bucks.
    2. I can buy a CD-R disk for around $20 bucks.
    3. Said disk might become a coaster.
    4. Said disk is better used as a backup medium.
    ($20/4.5GB) more expensive than tape.. but its random access.
    5. I can spend the entire afternoon burning said disk.
    6. I can spend a few minutes buying/renting said disk.
    7. I don't belive you can play said disk directly from your HD.. meaning you have to burn them first. .. Though this may not be true for Linux as you can mount an .iso... or whatever its called in DVD land.

  • by Fizgig ( 16368 ) on Wednesday November 03, 1999 @09:29AM (#1566667)
    Someone on the livid-dev mailing list pointed out that he told the author this but he said he had already decided his slant on the story and wouldn't change it. Alax Cox then responded that that was sadly typical of Wired "reporters".
  • If there weren't any crackers breaking (into) things, XORing bytes would still provide enough security!

    Its how you use the knowledge that counts. If you discover a security hole, then you could either:

    • do something to exploit it
    • ignore it
    • inform the appropriate people, so that it gets fixed
    If you ignore it, then you're in effect helping the 'bad guys', who will inevitably discover this vulnerability and exploit it, when in fact there may have been a chance to get it fixed.

    If you exploit it, you could either keep the discovery to yourself, make it public so that every cr/hacker-wannabe can use it for their own interests, or make it public to put pressure onto a body to fix it (as in the MS hotmail case). In the first two cases, you're being the bad guy, in the second case, your motivation is good, but your implementation is flawed: this should only be tried as a last resort.

    If you report it, and it gets fixed, then kudos all round.

    Encryption isn't all its cracked up to be.

  • Sorry, it does not show up in Netscape 4.7 (NT).

    Perhaps it didn't show up for you in Netscape 4.7 (NT), but it showed up for me in Netscape 4.7 (NT).

  • by icing ( 94825 ) on Wednesday November 03, 1999 @06:55AM (#1566691)
    The article at the digital bits [thedigitalbits.com] gives a good assessment of what this might mean to DVD.

    It will be interesting to see what the industry can do to fix "lost" activation keys. And that probably depends on if all discovered keys are in software or hardware players...

  • by Todd Knarr ( 15451 ) on Wednesday November 03, 1999 @06:56AM (#1566702) Homepage

    The "except maybe for storage" is the kicker. Most people buy videotapes, DVDs and such precisely for storage. If I have the movie on DVD, I have it. You can decide not to distribute it any more, alter it, edit it, do whatever you want with it, I can still pop the disk in the player and watch what I bought no matter what. If I download it over the net when needed, I'm at your mercy. If you decide to take it down, I'm SOL.

    Case in point: DIVX. It died because people didn't want to have to ask somebody else permission to watch a movie they'd already (in their opinion) bought. I suspect the same people want Internet-based video to succeed as wanted DIVX to succeed, and it'll die for the same reasons DIVX died.

  • What -- they are going to stop pressing DVDs, (which are much cheaper then VHS cassettes to produce, bring in higher profits, and can only be stored on a recordable medium that costs more then the prerecorded DVD), and continue manufacturing VHS cassettes, which are bulky, more expensive to produce and ship to market, and are easily copyable onto a blank medium that costs 1/3 to 1/5 the cost of the prerecorded tape?

    They're just mad because they were promised by the technical people that this encryption system was SO perfect that it would make it impossible for anyone to ever copy any part of a DVD. The pesky problem of "fair use" wouldn't be an issue, because fair use would have become technically impossible.

    Unfortunately for them, the rest of the world doesn't seem to share their vision of the future of recordable media.



  • Much like the huge cd-r explosion will dvd-r's hurt the MPIA as much as cd-rs have cut into the software industries profits?
    Do you have hard numbers, or are you just talking out the side of your mouth?

  • Now I've been reading of digital watermarks on DVD-Audio, which, in fact, are not entirely transparent and somewhat degrade the quality of sound. Don't you think the future of DVD-Audio is sort of written on a wall?

    Not necessarily. Look at mp3 - a clearly inferior standard (to full 16bit, 44.1kHz 2-channel stereo CD audio) has taken off because people are willing to sacrifice some audio quality for a small file size. MiniDisc is now also taking off under much the same auspices - psychoacoustic processing reduces the amount of information stored, so the physical medium can be smaller.

    What's a more interesting question, and is approaching completely off-topic, is whether or not all musicians will embrace 5.1 audio for their production. 2-channel audio is quite well entrenched, and the optimization of a stereo system in a room is MUCH easier than setting up a room for good 5.1 audio. The end result is that it's a hell of a lot easier to make 2-channel audio sound great...and with the typical DUMB consumer out there, the advantages of DVD-Audio aren't yet obvious.

    Getting back on track, digital watermarking is being proven out which does not affect the quality of the audio [musicode.com]. A brilliant audio engineer and electronic musician, Larry Fast [synergy-emusic.com] (of Synergy and Peter Gabriel fame) has wholeheartedly endorsed this technology - and mentions on his site that he wants to use it for attribution ("Hey, I wrote this song!") rather than for copy protection. This, more than anything, may set a trend -- not as a means by which copying is prohibited, but to serve as an identifier of the original source of a given audio recording. I expect to see this everywhere in 10 years; think of it as a GIF comment for audio.

  • the spirit of my post, which is: what's wrong with "free everything"?
    Nothing. But it doesn't exist. That's the point of my post. Now we're back where we started.
    And that is the point, food in hungry peoples mouths. Hopefully it will be books & education next. Do you see any problems with this? How could you have problems with this?
    My problem with this is that it would be much more efficient for us to give money directly to hungry people than to pay for various products an increased price, which goes to advertising budgets, a tiny portion of which goes to feed the hungry.

    The advertisers aren't doing this out of the goodness of their hearts; if they were, they'd just send the money and be done with it without making you look at ads. They're doing this because they believe that getting you to look at their ads will get you to buy their stuff. And so we drive the culture of consumption which leads to the economic injustice that makes people poor and hungry in the first place.

    Also, how much is your time worth? How much time does it take you to click on THS? Sending ten bucks to charity each year might actually be cheaper, as well as getting more results. To paraphrase some /.er's .sig, "Advertising-supported activities are only free if your time has no value."

    (And yes, I do give directly to charity, and also to persons of my direct acquaintance who are in need.)

  • HEHEHE meant to say DVD-R... I try and pay atmost 1.50 for a cd-r disk.. and even that I consider expensive
  • by brianvan ( 42539 ) on Wednesday November 03, 1999 @09:46AM (#1566741)
    Perhaps the issue isn't whether or not DVD copy protection can be cracked at all, but whether or not it's easy for MOST people to do it...

    I'd say that if it were that easy to crack CSS, then perhaps it was meant to be no more effective than Macrovision... a stumbling block too big for those not interested enough in overcoming it. While it's pretty obvious that both it's now easier to crack DVDs and it's still unfeasible to copy them in massive numbers, what's not really thought of here is whether or not such a development will dictate the future effectiveness of the copy protections on DVDs.

    The development of MP3+CDR is an entirely different story, as digital audio was an entrenched standard that was already effective for the music industry. On the other hand, DVD is still rather new and it's rather easy to predict that in five years it WILL be feasible to pass around cracked movies on the Net for many people. Just how many people are willing to do that is another issue entirely.

    I suppose that fixed storage, recordable media, and available bandwidth will all be large enough in a few years to allow DVDs to be copied easily. Still, it will take a lot of one person's time to do extensive trading, and the availability of that kind of equipment to the general public will be limited. The interesting facts and issues of the situation are:
    1. People who buy DVDs usually have all the other nice little gadgets too. Hence the current target market for DVDs will probably be enabled best to trade them illegally.
    2. DVD is a premium high-quality format for an extremely popular medium, which means that unlike CDs (which would be more of a standard format) trading DVDs would be preferrable to any other kind of bootlegging.
    3. The movie studios do have the option of pulling DVDs and sticking with VHS... for most releases. Or, perhaps a greater control and limited availablity on DVDs would prevent DVDs from becoming a mass-consumer product, hence eliminating the possiblity of mass-pirating.
    4. On the contrary, the movie studios can make a huge push of DVD into the consumer market so that it does become a mass-consumer product, not only strengthening their margins above those of the already mass-pirated, more expensive, and lower-quality VHS, but also to eliminate the possiblity that a large part of the DVD market would pirate them. Add more to the market that won't be copying them and you minimize the copying problem. CDs currently enjoy this position, as there are many people who copy them but there's a massive amount of people who can't, don't, and won't, therefore making the CD-copying problem negligible on the bottom line.
    5. Finally, the industry has time to combat the problem with a variety of solutions before copying becomes feasible. They don't have to pull off any drastic moves right now, which means that if DVD business is brisk I doubt they'll be scaling back on it anytime soon. They may switch formats (a DVD2), they might try to keep DVD-RWs and all similar DVD writable formats from becoming widespread, or they might ignore the problem altogether. It's not like what happened to the music industry, where one day the tools became available and people started ripping/encoding/copying CDs like crazy as the industry helplessly watched.

    Right now, however, it's just a big embarassment for the movie industry and a new opportunity for the elite piraters. If I had the opportunity to advise the movie industry how to handle the situation, I would probably suggest that right now they should take a "good faith" position and trust the current market to not do what they pretty much could have done anyway. In the future, I'd suggest that perhaps they take either one of two paths: They start planning a format change RIGHT now for a rollout in 10 years and make the new DVD-Video format a self-standing component with closed specifications rather than a multi-component open standard, as this would prevent anyone from easily pirating movies (in other words, a DVD drive is like a standalone DVD player and you just overlay it, which shouldn't be too much to ask in 10 years) or getting any undesirable use out of the video. Or, they make DVDs an entrenched standard and a mass-market industry with even a bigger push than they are today, with the understanding that they hold the advantage of being the honest, legal, simple, and not-too-expensive solution for DVD purchasing. In other words, who cares about pirating when you're going to make gadzillions of dollars selling legit DVDs and, for most people, that's the best or only option now and for a long time. It's like if you own a candy store and little kids keep eating the candy... you can put the candy on a higher shelf, or you can put a small basket of free candy by the door. You DON'T stop selling candy (or only sell stale candy)...
  • And, these disks pre-date the CSS crack at the least by several months.
    That only means that these people somehow had access to CSS decryption and kept quiet about it, very much like security holes in proprietary (and, less often, open) software.

    The question is, now that CSS is cracked for everyone and not just an `elite' few, what's the industry going to do? I suspect thay can't actually do anything that will allow them to `win'. For good of for ill, the various `recording' companies are losing control. In the long run, it's probably a good thing.

  • Next year DVD-2 will come out with a 1024 bit encription incompatible with existing DVD players. So few consumers can afford DVD right now they'll lose nothing by burying the cracked format and starting over. It's not good enough for college geniouses to crack stuff other people have developed. In order to solve these intellectual property wars, college geniouses have to start developing the stuff themselves.
  • If there's any liability, I would think it would be simply due to a breach of contract, and no more. How can MPIA ever show that this will result in damages? The damages may even be negative since this will almost certainly result in increased DVD sales. :-)

    I'm not saying Xing/Real won't lose money -- they might chicken out and settle out of court. Or maybe there's a contractual provision that spells out a monetary penalty for disclosing keys.

    But let's get realistic: there simply are no damages, and if this ever got into a court then MPIA's case would be pretty iffy.


    ---
  • by Chris Siegler ( 3170 ) on Wednesday November 03, 1999 @07:00AM (#1566755)

    "The circulation through the Internet of the illegal and inappropriate software is against the stream of copyright protection."
    Check out Fravia's page [phase-one.com.au] on the legality of reverse engineering. In the US, this is the case sited
    Sega v. Accolade, decided by the Ninth Circuit in 1992, makes clear that, in certain instances, the unauthorized disassembly of a computer program's object code in order to derive source code is not a copyright infringement. The Ninth Circuit applied the 'fair use' balancing test to determine that Accolade's use of reverse engineering techniques to produce an 'intermediate copy' of Sega's source code did not constitute copyright infringement. Accolade never distributed the intermediate copy commercially, but instead used it only to extract unprotectable ideas Ñ a sequence of bytes which act as a software key Ñ from Sega's game program. This key was then incorporated into Accolade's games, enabling them to 'unlock' and run on Sega's game platforms. The court cautioned, however, that disassembly involves the making of a literal copy of a program, and it is permissible only when necessary to extract the unprotectable ideas. It is unclear how far this fair use right extends.
    Sounds almost exactly like what the DVD crackers did.
  • To compare car theft, arson, assult, and destruction of property with making unauthorized copies makes you look extremely foolish.

    Cracking copy protection is an intellectual exercise that in and of itself has no ethical connotations - if anything, by increasing human knowledge (it is, after all, the solution of a mathematical problem) it could be considered ethically positive.

    Using the solution to actually produce unauthorized copies can be ethically good (making backups for your own use), bad (massive pirating), or indifferent (making a mix tape for your friend).

    The corporate state will keep trying to patch copyright law, but it's far too late. We need new systems to "promote the progress of science and useful arts," because current copyright and patent law just don't cut it in the face of modern tech.

    (P.S. Let me point out that it is "copyright, as in the right to copy, not "copywright" or "copywrite" as has been often seen here on Slashdot. Thank you, enjoy the show.)

  • First off as a former software hacker (only cracked software protection schemes, never other people's computers), it's clear that the decryption routine is the weakest link and there's absolutly no way around it as long as it's being decrypted on hardware they don't control. Even if their encryption was totally uncrackable, which it's certainly not, DVD protection is futile since any half-decent hacker can just intercept the data going to their monitor/sound card...and any idiot can just aim a camcorder at their computer screen and make a medicre but quite viewable analog copy.

    Secondly, consumers should have the *same rights* with DVDs as they do with other media such as *copying for personal use*, *playability anywhere* (no regional restrictions), and *no tracking*; DIVX was an obvious example, but there's a push for more subtle schemes of tracking individual DVD consumers.

    I bet within a few years, the movie industry in particular will give up their futile fight and realize that copying is a good thing just like has been for movies on video; and anyways there's no way to stop copying so why bother...just undercut the pirates and use more creative marketing...I mean Disney's marketing of the same movies in different packaging, etc is brilliant and shows that it's even possible to sell people the same movies they already OWN!!
  • I like good ads too, but when I go to see Fight Club and I see ANOTHER GODDAM 1-8fsckin00 commercial before the movie starts, that bothers me.

    Cool movie with a shitty ending and no consistent point.
  • by Anonymous Coward on Wednesday November 03, 1999 @07:06AM (#1566795)
    DVD protection schemes hurt sales of player hardware because there are loads of hardheaded idiot consumers out there with lots of disposable income like me who'll refuse to buy any player that doesn't play everything. (I live in R1 and import R2 DVDs so my player must at least play R1 and R2 discs or I won't buy.) I bought a Pioneer 505 and not an RCA. Why? Because I could modify the Pioneer to be multi-region but could not modify the RCA. Electronics makers KNOW this and want their players sell rather than the competitors. The ONLY reason electronics makers put region coding, crypto, and macrovision into DVD hardware was so that the Hollywood movie industry would support the format. It was as simple as "No protection and we'll release no movies on your new format". So electronics makers cane up with a rudimentary "protection" scheme to appease Hollywood execs into supporting the format. Some, like Disney, wanted more restrictions (DIVX), but suffered the effects of horrific customer backlash. Anyway, the DVD format is now entrenched and too far accepted by the public for Hollywood to reneg now and abandon DVD. Now CSS encryption cracks are mysteriously leaked. Electronics makers can now sell more hardware and not have sales hindered by protection schemes. DVD-R burners and discs will get cheaper now (In 1991, 1X CDR burners were close to $10K with blank [63-min] CDRs at $20 each!]) and this whole protection scheme will become as laughable as what is now called the "bozo bit" in the Mac filesystem. (History lesson! The 'bozo bit' was once called the 'no copy' flag and was supposed to be respected by copy programs and not copy files with the bit set. Everything under the sun ignored it, including all of apple's own OS and tools, hence it's nickname of 'bozo bit')
  • *spends half an hour trying to get to a page on Robert Fripp's website, curses*
    Well anyway- Fripp put it better than I will, funnier, but he made his website badly enough that it's impossible to deal with. So I'll just paraphrase.
    The record companies impose a number of historical charges in the form of percentages on the cost of the albums. So if the artist is getting 5% royalty on sales, that is 5% after a 20% wastage charge, j.random other charge, and (I am NOT making this up) a charge on typical breakage of the SHELLAC the music is recorded on. I am NOT making this up.
    "But CDs are not made out of shellac!". As Fripp said in his lost article, "Now you're getting clever." ;)
    Basically, we're looking at corporate pork barrel, bigtime. The artists, perhaps even the movie studios do not get _that_ much money out of these huge industries. It's the corporations taking more and more. Of course they are not passing savings on to the consumer. That would be capitalism and a desire to compete on the basis of price. Of course they are not passing vastly increased earnings on to the artists. Why should they when they can charge a percentage of CD sales to broken _shellac_ and deny it to the artist? Of course they are earning exponentially more than they were. Where do you think they get the money to bribe the government and attempt to get antipiracy legislation passed?
    The industry does not DESERVE protection. Whether it's the music industry (slamdunk of an argument to anyone who knows anything about how bad it is) or the film industry (Blair Witch Project, anyone? All you 3DSMax artists ever wondered exactly why you can't just make a movie and start trying to sell it?), it is so corrupt it's disgusting, and needs to be put down for its own good. It's not capitalism. The barriers for entry are too high, and they aren't all legal barriers (remember 'payola' of the 1950s?) These days there are ever more interesting ways to do that. It's out of control, and the consumer is powerless to stop it.
    The only sensible attack is the judo-like approach that has so often worked in the computer industry- it's time to start proliferating record companies and _film_ companies, all indy, all guerrilla businesses with low overhead and depending on the fact that, what with the big industries being the way they are, it'd actually be _more_ profitable for artists to go with an indie- even with the albums/DVDfilms/whatever being sold at fscking _bookstores_ (did you know that independent bookstores are also being choked to death by heavy corporate shifts to online selling and the constant mergers and consolidations into ever-larger corporations?).
    I think that's the way the future is heading. Could result in the mainstream being very glossy, very trivial, and very empty- with not many customers left to cheat. All that's required is that the actual media (CDs, DVDs) can be produced by indies in formats that work with the hardware generated for the consumers. That's all that's necessary. You don't need to _lead_ the curve, only be on it somewhere.
    Anyway, my two cents :)
  • Nope. The reason that VHS tapes cost around $100.00 when they come out is because they are selling primarily to video stores. A video store is willing to pay $100.00 for a tape, because they are going to rent it out over and over. A few months later, when the video stores are no longer buying copies, the studios lower the price to a level that appeals to individual consumers. It works. Lots of people will rent a movie when it comes out, then buy a copy six months later when the price drops down.

    You'll notice that some trashy blockbuster movies are being initially priced at sell-through prices. It's all a matter of the studios maximizing their income. If they think that no one is going to care about "Godzilla" six months from now, then it's in their best interests to sell as many copies as they can now. It's just marketing.
  • If a DVD is encrypted, where does the key come from to decrypt it? If the user doesn't supply it at playback time, it must be embedded in the player. That means you only have to get one key, and you have access to everything. They can't change the encryption scheme without breaking all existing players, and can't blacklist the cracked key for the same reason. It's just security through obscurity, which has been proven ineffective time and time again.
  • What this means, more importantly, is that the manufacturer of a DVD may say that: only X players will play our disk.

    That's bad. I didn't realize how bad it really was. I can just see Sony forming a deal with Warner (pick any two names you like) such that Warner's movies only play on Sony players..

    Nasty...
    ---
  • They can vary the content by zone

    We have a DVD player bought from Sony... When we bought it, we also got it modified (for about NZ$40) to accept DVDs from any zone.

    The modification is Sony approved, and was done by the shop (which was a reputable place).

    So much for zone protection...
    --
    Repton.

  • by K8Fan ( 37875 ) on Wednesday November 03, 1999 @07:17AM (#1566872) Journal
    In all seriousness, I have no problem with copy-protecting DVD's. All the new-age zealotry regarding IP aside, as it stands moviemakers and DVD producers have the right to profit from their efforts. If they stop profiting, they stop making movies, and poof! no more "Matrix"-quality films.

    Not true. Movie studios have always profited from making films, and have always spent whatever they felt necessary to do so.

    I think we can all agree that home video has been the best thing to ever happen to the movie industry. What you might not remember is that they fought home video tooth and nail. Various movie studio executives insisted that their films would never be released to home video. Disney and Universal sued Sony for inventing the home VCR! They claimed that the very existence of home taping would destroy their studios and empty theaters. You might think this is an exageration, but just ask anyone who was involved in home video in the very early 1980s.

    In spite of their best idiotic efforts, the consumer electronics industry won out and practically forced huge piles of money into the hands of the studio bosses. These idiots, had they had their way, would have smothered home video in it's cradle.

    Most /. readers are too young to remember the bad old days, when seeing anything other than a current release meant waiting for it on regular TV or maybe talking an art house into showing it on the next schedule. Trust me, it sucked.

    But one thing about Hollywood...once they start making money (even when they are forced to do so) they get insanely greedy. They start to expect it, and they want to make sure they squeeze every penny possible out of the suckers (us). That's how idiotic plans like DIVX get launched...and why they keep pushing Pay-Per-View. Trust me, they're not going to rest until they can get back to the original model - people paying every time they watch a movie (and, if they can pull that off, every time they listen to a song).

    ...and the media conglomerates are exerting all the pressure they can to make consumers believe this seems reasonable. The Supreme Court in the Sony case ruled that home taping was a privacy issue, that what a person did in the privacy of their own home with a VCR was their own business. Hollywood has been buying legislators off to get things like the Digital Millinium Copyright Act passed to pull an end-run around the Court. The act makes hacking out so-called "copy protection" a felony.

  • by ewhac ( 5844 ) on Wednesday November 03, 1999 @07:18AM (#1566875) Homepage Journal

    I've thought about this a lot, and I've come to the conclusion that the movie industry really has nothing to worry about from unauthorized copying. The facts, simply, are these:

    • DVDs are cheaper to produce than video tapes.
      A lot of manual intervention is required in the mass duplication of video tapes. Basically, you have a wall of VCRs which record at 2x normal speed. So it takes about 45 minutes to make a batch of 200 or so tapes. These machines are frequently attended by a human operator (who costs money). DVDs, on the other hand, are pressed like CDs in an entirely automated process. Thousands can be stamped out in an afternoon. The manufacturing costs for DVDs is less than one-fifth that of video tapes, a savings which, of course, is not passed on to the consumer. So, while their PR department whines shrilly about "piracy" (a term used more for its emotional overtones than its accuracy), the studio is raking in even more money than before.
    • Copying of DVDs over the Internet is a non-issue, even with the advent of broadband.
      The number of people who are going to A) spend hours downloading a 5 gigabyte file, and B) spend 5 gigabytes of hard disk space to store it (at a cost of $20/gig) is statistically insignificant. Yes, you'll probably have a college dormitory sharing movies over their 100Mbit LAN. This represents -- what? -- 0.001% of the total market? I'm surprised the studio's accounting department hasn't killed these anti-copying campaigns as an unbelievable waste of money.
    • Writable DVDs will only slightly change the playfield.
      The fact is that DVD writers are expensive and are likely to remain that way for the forseeable future. Beyond that? I think we can take a lesson from what happened to the music industry with the proliferation of CD writers and MP3 files: Those companies are as strong as they ever were, and there is no proof they are suffering financially (despite our fervent desires to the contrary).

    What I find particularly puzzling is that the hardware companies haven't figured out that they're in the driver's seat. Toshiba et al could have easily told the movie industry, "No, you're not going to get encryption or regional lockouts. Because it doesn't matter. Our manufacturing process costs less than one-fifth of the one you're using now. Once your shareholders find out there's a process that will cut your costs and increase profits and product quality (and we'll make sure they do find out), they'll rake you over the coals until you adopt it. You will use our open, unencrypted platform, and you'll like it. The financial reality leaves you no choice."

    The argument really is that simple.

    Schwab

  • note the article states that there are 400 individual keys pressed into every dvd. this reduces the 40 bit security down to a little more than 35 bits.

    that might stand up for an hour on a brute force attack by a pentium 90. if they were lucky.

    MUCH more likely, a valid key would be hit early in the attack, after all, there are 400 to choose from.
  • So now that some folks have figured out how to STEAL DvD data, what next?


    I can't speak for you, but I have a legally protected right to make backup duplicates of tapes, cds, vhs movies, dvd movies, etc. The industry putting CSS and Macrovision on the DVDs I legally own prevents me from getting my legally mandates rights. I don't own a console DVD player. I do have a small collection of DVDs that I'd like to transfer to VHS tape so that I can watch them when I please and not have to go over to a friends house.

    -sw
  • I fail to understand how this is such a shock to the industry. Why, I have partially cracked DVD Encryption a long time ago:

    Let assume c is the ciphertext and p the plaintext. Simply run the algorithm to decipher c, then dump the plaintext p unto another medium. Repeat for every c.

    In simple words: run the DVD, and copy it on a VHS. You'll lose these fancy functions, but the essence of the DVD is still there: a copyrighted movie.

    The point is: it's silly to try to prevent the copying of a film or music, whether it's in DVD, MP3 or CD format. Who the hell cares? Copyright laws are in place, and they're supposed to prevent anyone from making money illegally off of them. However, it's not illegal per se to copy a film or a song, once you bought them legally and are doing so for personal use.

    So, breaking the DVD Encryption scheme is akin to figuring out how to copy VHS to VHS. The fact that this data can be transfered over the Internet is, I think, irrevelant. The industry needs to grow up; I certainly don't see a reason to stop producing DVDs because of this.

    The rule of copy-protection scheme is: sooner or later, it's gonna get broken. Surely they realised that.

    "Knowledge = Power = Energy = Mass"

  • Two questions:

    1. Is the encryption algorithm known?

    2. Will consumer decks play unencrypted disks?

    If the answers to these are 'No', then this isn't really too important, for the time being. And while it's theoretically impossible to prevent people from determining the decryption algorithm if you ever sell software players, it should be possible to build an encryption system that can be kept a secret.

    thad

  • by Anonymous Coward on Wednesday November 03, 1999 @07:23AM (#1566900)
    I am disappointed that Wired emphasized the word "piracy" throughout the article. They imply that the only purpose of the CSS code could be for shady people to go against the will of the copyright owners.

    This simply isn't the case. They didn't bother to print the obvious fact that blank media costs significantly more than DVD movies to begin with, making unauthorized copying a waste of time and money! (Not to mention the fact that equipment to record DVDs playable in consumer DVD players is around $15,000)

    I also didn't see anyone mention that copyright law does not restrict people from making backup copies of material that they own. Even the copy protection in consumer DAT machines allows this, unlike the broken CSS scheme. (Suppose I want to make sure that the DVD movie I just bought will still work 50 years from now, even if the original gets scratched or destroyed)

    They missed the most important fact of all-- as long as CSS remained secret, computer users were forced to use Microsoft Windows or Mac OS to play back DVDs. Only the release of CSS to the public will make playing back DVDs on other operating systems possible. Many people have _wanted_ to go out and buy a DVD decoder card and movies, but have not because there was no support for this hardware in Linux or their operating system of choice. Hardware drivers have become available for some DVD decoder cards, but without CSS code the drivers are relatively useless.
    Now, we will not have to wait much longer to watch DVDs on our machines.
  • correction: "this reduces the 40 bit security down to a little more than 35 bits."

    should read: "this reduces the 40 bit security down to a little more than 31 bits."
  • Alas, no. Another Slashdot user did. However, I've been unable to find the original post; it's probably expired.

    Schwab

The reason computer chips are so small is computers don't eat much.

Working...