backtop

Print 28 comment(s) - last by RW.. on Jun 3 at 5:48 PM
AACS loses the keys to its house, quickly changes locks

Efforts that began in December 2006 and continued through February 2007 lead to the discovery of the Processing Key used to encrypt high-definition media with the Advanced Access Content System. The work of a small hacking community created essentially a silver bullet that was able to defeat the copy protection of all HD DVD and Blu-ray Disc media on the market at that time.

The Advanced Access Content System Licensing Administration (AACS LA) acknowledged the effectiveness of the hack and began to enact measures to restore the integrity of its technology. Beginning May 22, which is most notably the release date of the Matrix trilogy on HD DVD, all high-definition titles shipped with Media Key Block (MKB) v3 – a new encryption key version that would render the previously discovered Processing Key obsolete.

Interestingly enough, the AACS’ updated protection measures appeared to be defeated by SlySoft, makers of AnyDVD HD software, before the new MKB versions officially hit streets. The AACS has yet to officially issue a statement and is current investigating the latest attack on the system, according to comments made by Richard E. Doherty, director of technology strategy at Microsoft, who is also actively involved with the AACS.

The initial method used by hackers to snoop the sensitive encryption keys from HD DVD and Blu-ray were accomplished using PC software. More specifically, hackers took advantage of holes in WinDVD to read data straight from the PC’s memory. While such a hack may not have been possible without the existence of software players, the AACS appears unshaken about high-def media on computers.

“Just to clarify, the original attack was on certain software players that proved to be vulnerable, and did not and does not represent a widespread break in the AACS ecosystem ... In the past PC's have typically been a big target for hacking activities, as they are designed to run arbitrary software programs. But the line between PCs and traditional CE devices is clearly blurring – and many of the best PVR systems (in my opinion) are highly customizable and capable of running user-designed software,” explained Doherty, also pointing to how a Windows Media Center box could be strong addition to home theatres.

“Keep in mind, however, that AACS is aware of the history and attack vectors of PC playback systems, and there are several technical measures (such as KCD and the entire proactive renewal system) that are designed specifically to address the particular issues of PC-based protection,” Doherty added.

The uncovering of the Processing Key to HD DVD and Blu-ray happened in February, leaving some to wonder why it wasn’t until months later until the appearance for a new MKB. Doherty provides the answer, “AACS of course has the technical means to revoke overnight. But the current license agreement generally provides for 90 days. This is to allow time for the manufacturer to repair the product and presumably fix the vulnerability, and time to rollout the patches to the affected users.”

The apparent grace period is done in the interest of consumers, as if the key were revoked immediately, legitimate consumers could find themselves with an unplayable disc until a software update. Despite the quick ‘rehack’ of the AACS, the system is designed to avoid another complete defeat like CSS – the technology used to protect DVD.

“You have seen a revocation cycle occur which has required upgrades to certain software players to make them more robust to known styles of attack. The AACS system was designed to deal with these sorts of attacks, and remains intact as a technology. This is in contrast to CSS, which is vulnerable to direct, brute-force attacks,” said Doherty, who then explains it in even simpler terms. “The analogy we sometimes give is: if you lock your house, but leave the keys lying on the street, then there's really nothing wrong with the locks or with the concept of locks in general. If you don't find the keys, you can change the locks if you like.”

Comments     Threshold


This article is over a month old, voting and posting comments is disabled
Analogy
By supaflydaddyc on 6/1/2007 10:18:06 AM , Rating: 4
I don't know about all of you but I think the analogy used at the end of the article is a pretty good one. Especially considering its from a Director of Technology Strategy at Microsoft and not some PR spin person.




RE: Analogy
By Verran on 6/1/2007 10:30:46 AM , Rating: 3
I don't really think the analogy is that accurate. It's a very shallow look at the situation. To continue the analogy and make it more fitting I would say:

"Yes, but the lock only works if the keys are safe. As long as you have a lock on your door, you have to carry your keys to work. Why crack the lock when you can just nick the keys from a pocket?"

The analogy is lame to begin with and mine makes it even more so, but that's the best I can do. Anyways, their analogy would be applicable if the "silver bullet" key leaked straight from AACS. But it didn't. People got it by observing its use. I don't see how you can stop people from getting the key when it's included and necessary for use of the content.


RE: Analogy
By Fallen Kell on 6/1/2007 5:12:04 PM , Rating: 5
Too bad their security is more analogous to the following:

The key to the door is contained in the safe next to the door which has its safe key in the lock (and just needs to be twisted).

This is also why the new process key which is the replace the process key mentioned in this article used for "The Matrix" et. al., is also already hacked. The keys are in plain sight on the disk. You are giving out a disk that has the lock and the key to the lock on the same device. This is why DRM is FUNDAMENTALLY FLAWED. You can either allow people full access to the content, OR you can prevent ALL access to the content. You can NOT give PARTIAL access to the content (i.e. view only under certain circumstances).

The key that unlocks the door will always be visible and able to be found because details of where the key is located are given to the device manufactures and/or software creators.

The key with either be in the hardware itself, or on the disk/medium containing the audio/video content itself. Which limits the scope of the places that need to be searched if someone is looking for the key. It is not like the real world in the sense of a lock, a door and a key, because the key in the real world can be located anywhere in the world/universe or even have been destroyed. In the DRM world, we know the key exists, and we can trace the interactions of the device and the content to know where to limit our search for the key. It is more like having a key with a homing beacon on it which everyone knows how to listen to the beacon...


RE: Analogy
By alifbaa on 6/2/2007 8:19:22 AM , Rating: 2
I like your analogy a lot, but I think there is an addition to it that is important to note...

Once that original key gets stolen, all the invited guests need to make a copy of the new key and istall the lock themselves. The vast majority of the invited guests have no idea of the need to do so until their door "breaks." Even then, most won't know there is a simple way to "fix" the door. If they know there is a way to fix the door, many won't feel confident in their abilities to implement the fix. Finally, the few who are able to fix the door on their own will quickly grow tired of the process 90 days from now, when they have to fix the door again.

This will be the death of DRM as we know it. Either they will do away with it completely or they will start rolling out systems that stifle technology even more.


RE: Analogy
By xphile on 6/2/2007 2:39:30 AM , Rating: 2
If I lose the key to my house I'm a bit stuck. In the actual human world there are hundreds of professions and only a very small percentage of them are experts with locks. So I'd call a locksmith. And the missing aspect of the entire analogy is that he doesnt even need a key to open any lock when he knows how all the mechanisms works.

In the computing world as a society a massively larger percentage of the community is interested in learning about, and becoming expert in, the braking of this locking mechanism.

You can come up with a new lock, but so many people are concentrating on cracking it that once one is cracked it wont take long for each addition design, and there are only so many strategies that remain plausible.

So in the end once this knowledge is gained this analogy is actually in reality one that should say:

"If you get locked out of your house, it really doesnt matter a damn where your keys are, dont even bother looking for them; if you yourself don't know how to get into your house then two out of every three people in the street will."

If they want a really useful analogy they should just give up this stupidity:

"Security is only effective as a deterent. If there is enough determination to break in, no home is safe. When the best security is cracked once it is breached. With that knowledge shared it is crippled. When everyone knows how to get into your house anyway whether you lock the door or not, no lock is doing anything but fuel the determination of those wanting to get in. The majority that will do the right thing by you anyway still will."


RE: Analogy
By therealnickdanger on 6/1/2007 10:34:13 AM , Rating: 2
The only problem with the analogy is that the new "locks" are all made from the same weak, breakable "material". Change the locks all you like, it won't change anything...


RE: Analogy
By BMFPitt on 6/1/2007 10:47:03 AM , Rating: 5
After realizing that writing their password on a yellow sticky note on their monitor wasn't good for security, they decided to go with a blue sticky note instead.


RE: Analogy
By Kefner on 6/1/2007 10:57:32 AM , Rating: 3
Exactly, when are they going to realize this is all just a huge waste of time and resources. Whatever they come up with, there is always someone with the skills to crack it. It's just an endless cycle.


RE: Analogy
By Christopher1 on 6/1/2007 7:55:42 PM , Rating: 2
An endless cycle and a huge waste of money. I think that the entertainment companies are being frightened into using DRM by people who have an ulterior motive: namely that they get paid by the DRM companies under the table.


RE: Analogy
By nilepez on 6/3/2007 12:52:55 PM , Rating: 2
I doubt that. Copy protection has been a part of video for more than 20 years. And in the case of HD disks, they're supposed enable some sort of system that allows you to copy it to a media server and make a physical back up.

At some point, this is no longer about consumer rights and it's just about free movies, and we're getting closer to that point.

I believe in consumer rights, but it's also painfully obvious that most making noise on this issue do so because they want to get free stuff. I've alreayd seen this with the DRM free iTunes downloads. People are complaining now because there's a tag in it with their user id in it

That said, it's also clear that the media companies cannot when this game (though I suppose they might be able to win if they did whatever DirectTV does. AFAIK, their system has been secure for at least a couple of years


RE: Analogy
By Screwballl on 6/1/2007 10:52:51 AM , Rating: 4
A bit better analogy to that should have been:

If you hide your house key under a rock and someone watches you move the rock, use the key then put it back... is it the lock manufacturers problem?
The problem actually lies with the people watching... so it doesn't matter if you put your key under a different rock or in the crevice above the back door, if someone is watching they will get the key regardless of its location or lock type. Some keys are just harder to come by.


RE: Analogy
By Screwballl on 6/1/2007 11:03:02 AM , Rating: 3
and another bit of info...

Locks keep honest people honest
dishonest people will always find a way to the other side to get what they want whether its through the lock or through a window


RE: Analogy
By BMFPitt on 6/1/2007 11:18:27 AM , Rating: 2
In all reality, I think the encryption is the least important part of what prevents common users from pirating. Inconvenience is much more critical. All that is needed to keep 95% of would-be copiers from doing it is a do-not-copy bit enforced by the authoring software and OS. Tools would be as easy to get for going around that as they are for encrypted discs, but this way it gives a nice challenge and bragging rights to those who write it.


RE: Analogy
By Christopher1 on 6/1/2007 8:07:33 PM , Rating: 3
Problem is that the Supreme Court has said that people are ALLOWED to make 1:1 copies of CD's and DVD's as a form of investment protection.


RE: Analogy
By nilepez on 6/3/2007 12:56:47 PM , Rating: 2
Has DMCA made it to the SCOTUS? For some reason, I'd swear that they actually upheld the applicable portions. As a result, you have a right to copy it, so long as you don't hack your way past copy protection.

So yeah, we have the right to copy it, but if it's copy protected, you'll have to commit a felony to exercise that right....the DMCA is a totally f*cked up law.


RE: Analogy
By MonkeyPaw on 6/1/2007 3:05:48 PM , Rating: 3
quote:
Locks keep honest people honest
dishonest people will always find a way to the other side to get what they want whether its through the lock or through a window


By this logic, I suppose you can throw me into your "honest" category, as I've never broken into someone's personal property (home, car, or otherwise). The problem is, I don't go around checking to see if people are locking their doors, or even wondering if their doors are locked for that matter. There are people out there that don't think about stealing, at least in the case of breaking and entering. That's why there are entire towns where people don't ever lock their doors.

I think the comparison of AACS to home locks is a little flawed anyway. Finding a key to a home isn't really a prize. You don't steal a home (what they key protects), you steal what's in it. Besides, just getting into a house doesn't mean you're in the clear. Someone could be home, there could be a dog, they could have a security system, someone could see you. There are still other barriers.

A better comparison might be like finding a set of car keys. The key protects the car from unauthorized use. Once you have the key to the car, you can get in it, start it up, and drive it away like it's yours. It's not yours, but you have full access to its features until you get caught. To go a step further in this analogy, consider that there are auto makers that allow you to replace your lost keys based off a simple code, but it's specific to your vehicle only. AACS would be like General Motors having a key code hidden in every GM VIN that will tell you how to make a key that starts any GM car ever made. Once you figure out that code, you can produce the key and steal any GM car you like.


RE: Analogy
By feelingshorter on 6/2/2007 12:54:45 AM , Rating: 2
I don't think your analogy is as good as the one posted by Fallen Kell. Its not people "watching" where you put your key. If you allow access to your content, they can crack/hack it.

Either you:
1. allow no access, such as sealing a door shut (in which its no longer called a door, just a wall).

or

2. Let people access it. (regardless of the method)

The movie studios are just tending their symptoms, and not fixing the root of their disease.

Partial access will always be crackable. Even if you let people watch it in theaters, someone will find a way to sneak a video camcorder in there to record it, and again, it will end up on torrent websites. Pirates get it for free, so the quality isn't good but they cannot complain about free.

All the movie studios should just come together, and partner up with ISPs. Eg:

1. All movie studios team up to create one dl service.
2. They partner up with ISPs, to offer it for an added $25/month.
3. Movie studios can then offer downloads, while ISPs can offer speed increases, to supplement the bittorrent distribution. That way, no one feels like they are using the bandwidth they paid for to download stuff they they also paid for.

I'm just dreaming here guys.


RE: Analogy
By BikeDude on 6/3/2007 5:14:28 AM , Rating: 1
But the DVDs won't change and DVDs are bound to survive for at least another decade. If pirates don't complain about movie theater quality, they will surely be satisfied with DVD quality.

The question at hand however, is what to do with HD quality? HD is pretty much all the quality we will need for quite a while (famous last words?), so once a consumer buys a HD-DVD or BRay disc, that consumer will not need a "new and improved" format for a long time, assuming the disc doesn't break... (which leads to the next question: how can the consumer make backups of his collection, in case the disc DO break?)

Personally, I prefer HD content, but I want the freedom to play the content on my computer (where I play all my DVDs today, I have a 30" Apple LCD). I'd also like the freedom to purchase discs the next time I visit the US or Thailand for that matter. And when I get kids, I'd like to take backups of certain discs... In addition, I do not enjoyed all the studio logos, promotional clips and anti-piracy ads that sometimes appear on various DVDs. I want to be able to skip directly to the movie itself.

The studios aren't only trying to stop piracy, they are also trying to decide where we buy discs and force us to watch various promotions before they let us access the main feature. IMO the consumer gets a *better* product by resorting to piracy. I could let myself be convinced that copy protection is a necessary evil, but then the industry has to play absolutely fair. Currently they cheat and steal our time.

Sadly, the game industry is also affected. I bought Flight Simulator X and don't need to keep the disc in the drive. The game immediately shows me the main menu, and I'm flying within a short time. Life was good, and I was a very happy camper. Then I bought "Rainbow Six: Vegas" and until I found an unofficial patch, I was forced to watch the silly studio logos for over a minute before I could get to the action. Not to mention that the copy protection only supports one of my DVD drives. That...is...just...plain...evil... :( The box did not say anything about forced menus and I would've returned it to the store, except I bought it while travelling and threw away the receipt somewhere.

May the studio execs burn in hell. I'll be happy to supply the gasoline.


RE: Analogy
By RW on 6/3/2007 5:48:47 PM , Rating: 2
I don't even know a movie that's worth to be hacked/ripped not even buyed.


Not just defeated by SlySoft
By AndyUK on 6/1/2007 10:43:28 AM , Rating: 5
But blown open again by hackers finding the new Processing Key!

http://forum.doom9.org/showthread.php?t=126404




By James Holden on 6/1/2007 4:46:51 PM , Rating: 2
Lol I like how they photoshopped Einstein to write the key out in the thumbnail.


Analogy
By KreamOfTheKrop on 6/1/2007 10:35:55 AM , Rating: 3
Sure, she's a fine analogy, but how about the flip side?

Hackers enjoy the challenge that these DRM companies and groups create, and enjoy breaking them due to their implications on the revocation of the Fair Use precedents.

The DRM groups build the 'keys' for the 'door', but the hackers are trained 'lock pickers', and they have support and community. They have the know-how and the blueprints to your lock's design. Change the keys, get locked out, call the locksmith.

DRM groups will not win, they will only agitate home users who do not understand why their new gen video disc players need the internet to change a key that was banned so they can watch a movie they legally own. Look at Itunes with DRM free MP3s. The normal public users, who use Itunes already demanded a market for DRM free.




AACS Remains Confident
By Mitch101 on 6/1/2007 11:08:29 AM , Rating: 2
AACS Remains Confident they can get many more millions out of the MPAA because they are morons.

We all know they have done wonders for DVD protection and now they are showing how well they can bilk the MPAA out of even more money in the HD-DVD and BLUE-RAY arena.

Does the MPAA or Consumer deserve a refund for DRM?
http://freshscoop.com/modules.php?name=News&file=a...




Patent Infringement
By deeznuts on 6/1/2007 12:36:33 PM , Rating: 2
How does this lawsuit claiming AACS infringes on its patents, affect all of this?

http://arstechnica.com/news.ars/post/20070531-encr...




Protection Sucks
By Alexstarfire on 6/1/2007 1:57:57 PM , Rating: 2
Why do they bother making new protection at all anymore? As long as you need something other than the basic copy disc programs then it's more than secure already. They keep saying, and I can't stress this enough, that most of the consumers are not hackers and don't bother trying to copy protected movies. This brings into question why they spend millions of $$$ making protection that, in the end, ALWAYS gets defeated by said small group of hackers and still leaves the vast majority of the people unable to copy it?

There is no good answer. People only copy movie for two reasons: for personal use, or for commercial resale. People who commercial resale it are ALWAYS going to have a copy no matter what, so no point in trying to stop them. And they claim that the other group is quite small. The only reason these groups exist is because so many feel movies are overpriced, and they are severely. If they could drop the cost of movies by $5 or more the number of people copying it would drop significantly.

These people are too stupid to actually try it though. Every company know to man will always "play it safe" when they use that first crazy idea to get launched up there. If a crazy idea got you there to begin with, why would you play it safe?




Wake up already
By raven3x7 on 6/2/2007 1:20:31 PM , Rating: 2
I can't believe that media companies have yet to realize that DRM is nothing but a waste of resources and money that could be better spend. Instead of trying to prevent copying they should sell their products through the addition of extra value to their products by adding elaborate booklets, posters, special web content( i.e. exclusive content for TV shows) etc.




Analogy
By umbala on 6/2/2007 5:23:20 PM , Rating: 2
Since everyone is offering their own analogies, here is mine.

There is a house that is impossible to break into directly. Then there is the key to the door of that house and it's stored inside a safe next to the house. The safe uses a combination lock. We cannot break into the house and we cannot guess the key. We have only to figure out the combination of the safe to gain full access to the house. Once the key has been stolen, you can change the key and even the safe in which it is stored (to some degree), but as long as the safe uses a combination key, someone will eventually find it.

All analogies are flawed and mine is no exception. My point is that once the defenses have been breached, it's only a matter of time before they are breached again. They cannot change the fundamental way in which their technology works. They can upgrade the safe or bury it in the back yard, someone will find it, dig it up and then figure out the new combination to the new key.




m
By Sungpooz on 6/3/2007 10:56:22 AM , Rating: 2
and the entire proactive renewal system...

proactive works?




"Folks that want porn can buy an Android phone." -- Steve Jobs



Latest Headlines
2/10/2012 Daily Hardware Reviews
February 10, 2012, 5:50 PM
2/9/2012 Daily Hardware Reviews
February 9, 2012, 11:54 AM
2/8/2012 Daily Hardware Reviews
February 8, 2012, 1:11 PM
Ex-Acer CEO Slapped With Lawsuit for Joining Lenovo
February 7, 2012, 5:38 PM
2/7/2012 Daily Hardware Reviews
February 7, 2012, 12:23 PM
2/6/2012 Daily Hardware Reviews -- Intel 520 240GB SSD Edition
February 6, 2012, 12:04 PM
botimage
Copyright 2012 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki