Analyst Says Blu-ray DRM Safe For 10 Years 493
Mike writes to let us know that a poster on the AVS forum says that the latest issue of HMM magazine (no link given) contains a quote from Richard Doherty, a media analyst with Envisioneering Group, extolling the strength of the DRM in Blu-ray discs, called BD+. Doherty reportedly said, "BD+, unlike AACS, which suffered a partial hack last year, won't likely be breached for 10 years." He added that if it were broken, "the damage would affect one film and one player." As one comment on AVS noted, I'll wait for the Doom9 guys to weigh in.
That's the article... (Score:5, Insightful)
famous last words (Score:5, Insightful)
Always keep your words soft and sweet... (Score:5, Insightful)
To quote Bruce Schneier, "Making bits not copyable is like trying to make water not wet." I dunno 'bout those Doom9 guys, but I know enough of Bruce Schneier's work to trust his opinion on this one. I don't know what the digital-media landscape will look like when all this settles out, but I *don't* think it'll be neatly and unbreakably wrapped in DRM containers with price tags on.
The funny thing with these quotes... (Score:4, Insightful)
Who're the most important in the success of a product?
2, 4, 6 8... (Score:5, Insightful)
Hmm, they seem to have skipped 8. The amount of gall in this little article (which is the PDF) is amazing. AACS was "partially" cracked. BD+ is a second line of defense, four times as safe, and just like six weak locks that you don't think work, which, by the way, is magic.
What is this guy smoking?
Perhaps they just want some additional QA... (Score:1, Insightful)
Re:The funny thing with these quotes... (Score:5, Insightful)
The real customers care about what format has the most movies available.
The movie execs care about what format they feel protects and enhances their product the most.
Tada. Riddle solved. If the target audience for HD-DVD is going to be limited to "those who care about the DRM being cracked" then...HD-DVD is very, very doomed.
Re:In some ways yes... (Score:5, Insightful)
Or to execute malicious code and send all your private information to somebody.
Stay away from Blu-ray computer players.
In other news (Score:3, Insightful)
Coincidence? Possibly.
--
Toro
Thanks for (Score:2, Insightful)
What is the true purpose of the message? (Score:5, Insightful)
2) Go ahead, hacker, I am taunting you.
3) Consumer, buy Blu-ray discs because your local pirate won't be stocked for years.
4) Vendor, HDDVD is hacked, go with us for more sales instead of losing untold billions in piracy.
I'm sure there is an actual reason.
Re:In some ways yes... (Score:2, Insightful)
This would make cracking the machine a nightmare. Recovering the list of keys from the disc might not be too hard. But even then, you'd have a very hard time writing a "liberated" firmware that hashes to the same value as the original. (You could also try to change the private key, but that sounds even harder)
Re:In some ways yes... (Score:2, Insightful)
Re:famous last words (Score:5, Insightful)
The VM's have an ability to run native code, oestensibly to 'patch' a compromised decoder.
So.................., it seems the first step to cracking blueray has been identified. What a fuck up.
From here theres a 60 instruction VM.Rebuild the VM firmware using the native code execution capacities, and make sure the new VM cant 'see' its outside changes, and you may well have a (near) perfect irreversible hack.
This babys gunna sink in months.
Well, one player is enough... (Score:3, Insightful)
Even if it means exaclty one player, with P2P filesharing that is already enough. Look at the preview copies. That is one original instance and a few days latter you can get them everywere.
Then there still is the ''analog hole''. Fit an LCD driver (i.e. the thing that drives the pixel) with high-speed A/D converters (not difficult, and signals cannot be encrypted at this level) or read the bus between display controller and driver chip (may or may not be difficult, depending on whether there is encryption here, but does not need the A/D converter, so it would give a better signal). I expect this is a relatively cheap project any good EE or electronics tinkerer can do. Again a single copy of a movie is enough.
It simply doesn't matter... (Score:5, Insightful)
If not HDCP directly, then the processor to LCD data path for some el-cheapo monitor which supports HDCP. There's always some point in the chain where protection is weak, or simply doesn't exist.
It is simply a futile endeavor as long as the consumer ultimately gets access to (i.e. can view/listen) to the content. Of course, they have no product if the consumer can't.
Re:In other news... (Score:5, Insightful)
But neither of you are the market. Blu-Ray has Disney and A-list titles like The Incredibles. It is content that drives sales, not cracked DRM.
So HD-DVD is better for me as a consumer? (Score:5, Insightful)
Re:That's the article... (Score:3, Insightful)
Re:2, 4, 6 8... (Score:1, Insightful)
Pffft. Someone truly determined to break into an apartment is not going to be put off by a mere six locks on one of the ways in. Whatever way you look at it, it's just a matter of someone putting in enough time and/or effort to get in there.
Re:In other news... (Score:1, Insightful)
But you're still buying DVD's. If you weren't such a hypocrite, you'd stop watching that too. Oh, but DVD's are cracked, so despite all the posturing, it's not about the why, it's about the how. So your "the DVD format is good enough for me" REALLY means "it's good enough for me until one or both of the other formats are cracked" or "since the content is the same and though I have HD tv's, I got cheap ones so I can't even really tell the difference between upscaled 480i and a real 720p plus my eyes are going out from staring at
How will they do software playback? (Score:3, Insightful)
How do you implement a security system like this in software? Or do you just not do it at all?
Seems like the way that both DVD's CSS and AACS were broken involved software players. Unless Sony simply plans to just prohibit playback on general-purpose PCs, they'll have to create some sort of software implementation of the player hardware, which would mean the VM.
If they only allow playback on dedicated hardware, then I can see how this might make cracking somewhat harder, but that seems like a high price to pay: it eliminates the entire HTPC concept.
Re:It's not really just an encryption scheme, thou (Score:3, Insightful)
Not quite. While you raise, on first view, many interesting points, most are just straw men: no substance.
You started on the right path. Then you went completely off! Crackers will simply have to do that: make a VM that's compatible with BD+. None of this full dynamic analysis hogwash.Thing of all the video game systems and arcade machines. The video games on them had protection schemes, yet, can't emulators play these games? Yes they can. This is no different. Again, no, crackers don't care. Emulate the protection layer! Yes, with client certs witch can be stolen: people have physical access to the hardware. No amount of silicon will change that. Even IBM's expensive crypto pci cards for bank machines have been successfully attacked. The costs required to even attain a fraction of their security (batteries, temperature and x-ray sensors, etc) would, in a retail unit, be well over what the market would be willing to bear. To be completely broken yes, but that is unnecessary. One just has to have broken everything released up to that point. While I do agree with you, I do for different reasons. Assuming the break was done by stealing a device key, such output only releases would be better, since it would be more difficult to discover exactly witch client key was stolen.
As far as breaking VMs? Who cares: they break it; a bug report gets filled; a week later a patch comes out. Yes, well that is to say just as instantaneous as the response to the recent ACCS breach: a couple months. The only thing they can do is make security better for future disks (or reprints). They can't change the past. It would have been better this way. While there were a bunch of great links to papers, they we missuesed. Your post was a great troll, by the way.
Re:famous last words (Score:4, Insightful)
Re:It simply doesn't matter... (Score:3, Insightful)
From what I've read, HDCP is about as powerful as ROT13 for content protection. I'm pretty sure it is already as good as broken... COMPLETELY broken... as in snoop the handshake between a small number of devices a few times and you can compute [freedom-to-tinker.com] a single device key. Repeat for a fairly small number of distinct device keys (40) and you can then compute any possible key [roumazeilles.net]. All it takes is one modestly secure digital media format and you'll see HDCP strippers available in the back of Video Magazine or whatever for $30 apiece....
Protecting content with BD+ is solely intended to damage the fair use of individual consumers to make backup copies of their own media that they lawfully obtain. Anyone doing commercial piracy has been able to break HDCP and reencode trivially for a long time.... When are the media companies going to learn that playing games with technology to try to prevent legal copying only pisses off the customers?
A message for BD+ developers (Score:3, Insightful)
So you'll print off thousands and millions of these discs that contain both the lock and the key - and distribute them to anyone who has the price of purchase - and you think it's going to take how long for just one person to open your lock?
Once that one person has compromised your protection then it's done. From that one compromise, copies will flood the internet. Will BD+ prevent your movies from being shared? Nope, no chance of that. But it might slow things down a little - just a little, mind you.
We hope you've spent as much time working up a plausible excuse for the failure of this system as you did in promoting it to unsuspecting media companies. They're not going to be happy when they discover you've sold them a bill of goods...
Re:MOD PARENT UP (Score:3, Insightful)
Doherty reportedly said, "BD+, unlike AACS, which suffered a partial hack last year, won't likely be breached for 10 years."
How many times have you heard that? My money says it's hacked before this story rolls off of Slashdot's front page.
laughable (Score:3, Insightful)
Re:It's not really just an encryption scheme, thou (Score:5, Insightful)
In this situation there is nothing at all like this going on. We know that the code on the BluRay disk produces whatever output lets you view the disk not only in finite time but after a very short time.
In fact this situation offers no additional security over a well designed public crypto system AT ALL except for obscurity. The instructions for the virtual machine are just a very complicated sort of key, one that anyone who can crack the base level encryption can view. The memory footprints and all that jazz are only fancy ways of implementing a private key.
There are damn good reasons that the people who implement public key systems and symetric ciphers don't use VM instructions as their keys. A good crypto system is built around SIMPLE and well known mathematical problems because extra complications just provide more places an attacker can find a clever short circuit that you didn't think about. The only reason to think a crypto system is secure is because you think that the attacker doesn't have any shortcuts to compute things in the other direction much faster than brute force. The more complications in your system the more places he could discover a clever trick to undermine your security.
As I argued in my other post the benefits of the BD+ VM aren't really about security but about control. It doesn't make things much harder for the hackers but it does let the content producer execute more control over when things are decrypted. The only security advantage BD+ brings is obscurity and possibly the use of a better underlying crypto system than what AACS uses (the part that decrypts the VM at the beginning).
Re:Break BD+ ? Inconceivable! (Score:2, Insightful)
Re:Sigh, I hate to burst your bubble... (Score:3, Insightful)
Re:In some ways yes... (Score:3, Insightful)
Ooh. Epoxy. Because that stopped iOpener hackers. And XBOX hackers.
And what about software players? How is the key hidden there?
Perhaps Blu-Ray discs won't play on PCs? Guess what? HD-DVD just won.
Re:DVD Macrovision requires composite input on TV (Score:2, Insightful)
Re:famous last words (Score:2, Insightful)
Security through obscurity hides how the lock works. After all, you can't pick a lock, if you don't understand how it's tumblers are arranged.
The weakness of this approach, is that you prevent legitimate review of the mechanism - a 'good' algorithm can be mathematically proven as 'strong' (e.g. PGP).
Now, that's not to say that it's _not_ worth 'hiding' stuff - hacking a network is significantly harder if information on it is 'obscured' however if your security won't stand alone against someone who _does_ know everything about how it works, then it's fundamentally flawed.
Of course, DRM is all about giving someone a locked box. And then giving them the key to that locked box, so they can use the content. And at the same time, trying to control how/where/when they open the box.
It's not all that hard, to encrypt something such that it's 'computationally infeasible' to brute force crack. It's significantly harder to do so, whilst at the same time giving away a decryption key.
Re:Hacked soon (Score:3, Insightful)
Red flag, Red flag meet bull.