Please create an account to participate in the Slashdot moderation system


Forgot your password?
Media Encryption Security Hardware Entertainment Games

Analyst Says Blu-ray DRM Safe For 10 Years 493

Mike writes to let us know that a poster on the AVS forum says that the latest issue of HMM magazine (no link given) contains a quote from Richard Doherty, a media analyst with Envisioneering Group, extolling the strength of the DRM in Blu-ray discs, called BD+. Doherty reportedly said, "BD+, unlike AACS, which suffered a partial hack last year, won't likely be breached for 10 years." He added that if it were broken, "the damage would affect one film and one player." As one comment on AVS noted, I'll wait for the Doom9 guys to weigh in.
This discussion has been archived. No new comments can be posted.

Analyst Says Blu-ray DRM Safe For 10 Years

Comments Filter:
  • by Anonymous Coward on Monday July 09, 2007 @08:43PM (#19807975)
    A link to a forum that quotes a magazine quoting a guy... something doesn't seem right here.
  • famous last words (Score:5, Insightful)

    by ErichTheWebGuy ( 745925 ) on Monday July 09, 2007 @08:45PM (#19807985) Homepage
    I give it two weeks tops. The gauntlet has been thrown down.
    • by Anonymous Coward on Monday July 09, 2007 @09:07PM (#19808155)
      Naw, DVD Jon's busy playing with the iPhone [] so it might be three weeks.
    • It certainly wasn't the best move. This is just going to further encourage someone to take the time to break the format. When will these companies learn to not make silly statements like this?
    • by Junior J. Junior III ( 192702 ) on Monday July 09, 2007 @09:35PM (#19808381) Homepage
      Get some cute chick to blow me while I hack and I bet I can crack that shit open in less than a minute.
    • by Endymion ( 12816 )
      As an old security tutorial/guide I read a long time ago said: "Never underestimate the number of MIP-years they are willing to throw at the problem."
      • Re:famous last words (Score:5, Informative)

        by turing_m ( 1030530 ) on Monday July 09, 2007 @10:40PM (#19808877)
        Here are some more famous last words that illustrate your point.

        "From a mathematical standpoint we cannot speak of a theoretically absolute unsolvability of a cryptogram, but due to the special procedures performed by the Enigma machine, the solvability is so far removed from practical possibility that the cipher system of the machine, when the distribution of keys is correctly handled, must be regarded as virtually incapable of solution."
        -German cryptographer []
        • Re:famous last words (Score:4, Informative)

          by Lisandro ( 799651 ) on Monday July 09, 2007 @11:46PM (#19809377)
          "From a mathematical standpoint we cannot speak of a theoretically absolute unsolvability of a cryptogram, but due to the special procedures performed by the Enigma machine, the solvability is so far removed from practical possibility that the cipher system of the machine, when the distribution of keys is correctly handled, must be regarded as virtually incapable of solution."

          That's pretty much true, you know. IIRC, in the later days of WWII Enigma mesages were decyphered rather quicky because operators weren't working key schedules as they should. Some tidbits here []. Still, calling a cyper system "unsolvable" is just asking to be made a fool :)
  • And... (Score:5, Funny)

    by Icarus1919 ( 802533 ) on Monday July 09, 2007 @08:47PM (#19808005)
    *queue Mortal Kombat* Test your might... MORTAL KOMBAAAAAAAT!
  • In other news... (Score:5, Interesting)

    by RightSaidFred99 ( 874576 ) on Monday July 09, 2007 @08:49PM (#19808017)
    I won't be buying BluRay discs for at least 10+ years. I don't crybaby about DRM, I just don't buy it if it doesn't suit my needs and can't be cracked, ergo if he's right I won't buy BluRay. This is one reason I like HD-DVD, it's had the shit cracked out of it.
    • by Zobeid ( 314469 )
      I'm with you. This is most definitely not what they should be saying if they want me to buy a Bluray player.
      • by westlake ( 615356 ) on Monday July 09, 2007 @09:53PM (#19808509)
        I'm with you. This is most definitely not what they should be saying if they want me to buy a Bluray player.

        But neither of you are the market. Blu-Ray has Disney and A-list titles like The Incredibles. It is content that drives sales, not cracked DRM.

        • Re:In other news... (Score:5, Interesting)

          by evilpenguin ( 18720 ) on Monday July 09, 2007 @10:05PM (#19808611)
          Yeah, but in spite of the fact that I have two good sized HDTVs, the DVD format is good enough for me. I won't buy this kind of "protection." I'll just keep buying DVDs. I hope both formats crash and burn. It is time the industry started making it easy for its customers to *use* their products as they like (and I don't mean indiscriminate copying -- I just mean I should be able to stream a movie I've bought to any TV, computer, or webpad in my house without having to move the media) and they should make it easy and painless for me to pay for it.

          The desire to have tangible media encrypted to shit is most annoying.

          I've *bought* my movies on DVD. I've got better things to do than wait two weeks for a high def movie to download. And even when the last mile problem is solved, if they keep it free of DRM crap and sell it *at a reasonable price* (and, btw, I think a few bucks is a reasonable price when they don't have to print, press, package, or distribute anything). If you could download a HD movie in a few minutes for a few bucks and store it as long as you want it, why wouldn't you? I would.

          The content people make me nuts. I won't buy *either* HD-DVD or Blu-Ray. Not. Gonna. Duuut.
        • Re:In other news... (Score:5, Interesting)

          by Serengeti ( 48438 ) on Monday July 09, 2007 @10:09PM (#19808641)
          There are two results to this war, but there is only one outcome: A player that will play both formats (reliably, unlike the LG model). Unlike Beta Vs VHS, the media are the same size and general composition in this war. When one fails, the other will 'win', but soon after the loser is no longer considered competition, players that support both formats (As well as DVD, CD, VCD, DivX, etc etc) will emerge.

          In the meantime, I've purchased an HDDVD addon for my Xbox 360, and hope that HDDVD will prevail. If it doesn't, I don't fear that I will have to repurchase my discs, just the player. I've taken a risk in purchasing the 360 addon, but its not really that big of a risk.

          So, support the format of your choice, and don't worry about lost investment: You really only risk the player.

          And as the VP of Marketing for Universal (HDDVD supporter) points out, this competition is good for one thing: Bringing HD video disc players down in price quicker than they would otherwise. Sony may own cameras that movies are shot with, media that they're recorded with, equipment they're transferred, processed, edited and mastered on, but at least there's a competitor for the media they're distributed on and the players that play them. I'd just rather they not have the whole ballpark.
  • Oblig. (Score:5, Funny)

    by Anonymous Coward on Monday July 09, 2007 @08:49PM (#19808021)
    1. Install forum software on server.
    2. Create most disgusting looking skin ever.
    3. Post links to random shit that will make people argue on news aggregation sites.
    4. ???
    5. Profit!
  • by snowraver1 ( 1052510 ) on Monday July 09, 2007 @08:50PM (#19808031)
    "With this CSS we are putting on this DVD, noone will EVER be able to copy dvds" - Some CSS guy
  • Hey, they're just ASKING for it. I give it 10 weeks - tops.
    • Hrrrrm... (Score:2, Interesting)

      by PachmanP ( 881352 ) is as if they were just asking for it. Do we have a solid understanding of this Doherty fellow's finances?
  • by ian_mackereth ( 889101 ) * on Monday July 09, 2007 @08:58PM (#19808089) Journal

    "BD+, unlike AACS, which suffered a partial hack last year, won't likely be breached for 10 days."

    There you go, fixed that for you.

  • In some ways yes... (Score:4, Interesting)

    by hcmtnbiker ( 925661 ) on Monday July 09, 2007 @08:59PM (#19808097)

    BD+ BD+ is effectively a small virtual machine embedded in authorized players. It allows content providers to include executable programs on Blu-ray discs. Such programs can:

    * examine the host environment, to see if the player has been tampered with. Every licensed playback device manufacturer must provide the BD+ licensing authority with memory footprints that identifies their devices.
    * verify that the player's keys have not been changed.
    * execute native code, possibly to patch an otherwise insecure system.
    * transform the audio and video output. Parts of the content will not be viewable without letting the BD+-program unscramble it.
    But i have to think... If it has hardware access(or can run native code) what's to say someone wont make a disk that has a BD+ program that aids in the hacking? Once you break a way around(or through) the digital signature for BD+ your whole system is compromised, how is that a good strategy?

    Imagine something close to, I make a disk with a BD+ program that once I have the program loaded I can eject the disk and put in a protected one, the BD+ can help circumvent the protection, and circumvent the BD+ on that disk. Vuala! BD+ makes it easier for me to copy.
    • by figleaf ( 672550 ) on Monday July 09, 2007 @09:13PM (#19808209) Homepage
      execute native code, possibly to patch an otherwise insecure system

      Or to execute malicious code and send all your private information to somebody.
      Stay away from Blu-ray computer players.
      • Or to execute malicious code and send all your private information to somebody.

        Or execute malicious code to break functionality of your own property, or "patch an insecure system" as their lie goes.

    • Re: (Score:2, Insightful)

      by poopdeville ( 841677 )
      If they're using a small virtual machine, the right security protocol would be to make an MD5 (or SHA-1 or whatever) hash of each essential component of the virtual machine and on board software that enforces DRM. It would then be a matter of storing a private key somewhere on the machine, after encrypting the hashes using the private key, comparing to an encrypted list stored on the disc.

      This would make cracking the machine a nightmare. Recovering the list of keys from the disc might not be too hard. Bu
    • Re: (Score:2, Insightful)

      by SCPRedMage ( 838040 )
      Or you could, I don't know, write a program to examine the BD+ program, and determine the appropriate method of descrambling the audio/video without actually having to RUN the BD+ program...
  • by blhack ( 921171 ) on Monday July 09, 2007 @09:00PM (#19808109)
    What it seems like they would be talking about here would be something similar to PKE. Err, no wait that doesn't make sense, must be something like what is used in prox cards with challenge/response...hrm...not that probably isn't what it is.....OH I KNOW! every disk comes with a monkey that kicks you in the balls every time you get the disk near a computer!!

    Unfortunately, this alienates most of the Chinese player manufacturing market. But it does have the bonus of coming with a free monkey.

    Lets make a movie starring the DRM monkeys and then post it into the intertubes! This would send an inverse monkey (also known as a something awful member) past the event horizon, causing the entire twisted fucked up backwards universe that the movie industry lives in to collapse upon itself!!!
  • by OmniGeek ( 72743 ) on Monday July 09, 2007 @09:03PM (#19808127)
    In case you have to eat them.

    To quote Bruce Schneier, "Making bits not copyable is like trying to make water not wet." I dunno 'bout those Doom9 guys, but I know enough of Bruce Schneier's work to trust his opinion on this one. I don't know what the digital-media landscape will look like when all this settles out, but I *don't* think it'll be neatly and unbreakably wrapped in DRM containers with price tags on.
  • by Jugalator ( 259273 ) on Monday July 09, 2007 @09:03PM (#19808131) Journal
    It's that they make movie execs happy, but they scare away the customers.

    Who're the most important in the success of a product?
  • 2, 4, 6 8... (Score:5, Insightful)

    by MBCook ( 132727 ) <> on Monday July 09, 2007 @09:04PM (#19808135) Homepage
    Quotes from the PDF linked to by the forum post (emphasis mine):

    The recent release of a licensing program for BD+, the coveted second line of defense against piracy...

    He said BD+ offers four times the safeguard on top of AACS against piracy.

    "If you see an apartment in a rough part of L.A., and the door has six locks on it, you're not breaking into that apartment," Doherty said. "Having those extra locks, even if you are not sure [they all work], is part of the magic of BD+..."

    BD+, unlike AACS, which suffered a partial hack last year, won't likely be broken for 10 years,...

    Hmm, they seem to have skipped 8. The amount of gall in this little article (which is the PDF) is amazing. AACS was "partially" cracked. BD+ is a second line of defense, four times as safe, and just like six weak locks that you don't think work, which, by the way, is magic.

    What is this guy smoking?

    • by Anonymous Coward on Monday July 09, 2007 @09:19PM (#19808261)
      What is this guy smoking?

      "If you see an apartment in a rough part of L.A."...

      We may not know what this guy is smoking, but we know where he bought it.

    • by FSWKU ( 551325 )

      "If you see an apartment in a rough part of L.A., and the door has six locks on it, you're not breaking into that apartment," Doherty said. "Having those extra locks, even if you are not sure [they all work], is part of the magic of BD+..."

      In rough parts of L.A., having six locks means nothing. They either break the door down, or go through the window...

      Actually, breaking into a house in L.A. would be HARDER, since it requires a concentrated physical effort to do either of those. Cracking AACS or BD+ j

  • This analyst is out of his mind. Of course, the Content Scrambling System, the "invincible" content protection on DVDs, worked on a key based system that allowed the revocation of compromised keys.

    While Sony has worked on Blu-ray DRM after the failure of the CSS, calling it uncrackable is insanity. Harder to crack? Maybe. Impossible? Definitely not. Anything that allows analog playback will be crackable. And, even with digital signal, there will be some method of attack.

    Even if the security on Blu-ray
  • ...Is that was a statement made 9 years, 11 months and 28 days ago!

    The blogger quoted actually had a very keen insight that not only would sony introduce a new standard... but that it would be called BluRay and that the DRM scheme on it is set to be cracked in 3 days!
  • In other news (Score:3, Insightful)

    by Torodung ( 31985 ) on Monday July 09, 2007 @09:13PM (#19808213) Journal
    Widespread Blu-Ray adoption not likely for 10 years.

    Coincidence? Possibly.

  • Thanks for (Score:2, Insightful)

    letting me know how hard you worked to make a product that restricts my use of it after I would bought it. I'll stick to dvd's for now till a company comes out with a storage media that where I wont be buying cripple ware.
  • I'd say it's good bet that any encryption today will be broken in less than a decade. Turings's law says that if it takes 10 years to solve a problem today but in 5 years it will only take 3 years then you're better off waiting 5 years and saving 2.
  • by CrazyJim1 ( 809850 ) on Monday July 09, 2007 @09:20PM (#19808275) Journal
    1) Don't even try hackers
    2) Go ahead, hacker, I am taunting you.
    3) Consumer, buy Blu-ray discs because your local pirate won't be stocked for years.
    4) Vendor, HDDVD is hacked, go with us for more sales instead of losing untold billions in piracy.

    I'm sure there is an actual reason.
  • by Anonymous Coward on Monday July 09, 2007 @09:21PM (#19808283)
    Read what BD+ really is: .html []

    This means that each Blu-Ray disc has a computer program compiled to execute within a proprietary, secure VM. What this means is that each disc has a program built into it whose purpose is to boot, validate that it is running on licensed hardware, enforce security policy, and if those checks are met, extract a key from its own memory and play the content.

    What does this mean for people attempting to defeat the security?

    Well it means that a full crack of BD+ will require crackers to implement a virtual machine which acts in exactly the same way as the hardware VM would act. This represents a what I will casually call a "larger challenge" than defeating CSS or AACS, in which you have to decrypt a key or a list of keys. In this case, you have to come up with something which can determine the full dynamic runtime execution path of a static binary - a currently unsolved problem in Computer Science, despite numerous attempts to do such a thing by some of the world's brightest minds.

    Just putting the same source code through a randomizing compiler/packer/obfuscator of the types that game companies have been working on for a while makes the challenge immensely harder. Precedent? []
    There's too much to talk about.

    And who's deployed this type of technology already? Who has a secure virtual machine with secure bytecode doing challenge-response to determine hardware legitimacy? People Who Care: a lot [].

    The other major problem is that the challenge-response authentication made by the program contained in the disc against the embedded hardware will require a "real" cert to succeed. Yes this is the TPCA/Palladium "sky is falling" scenario come to pass. Either the implementors made a cryptography implementation mistake, or someone with a scanning, tunneling electron microscope figures out how to defeat the epoxy guards and actually read the private cert material off a chip, or someone with a previously unheralded supercomputer or mathematical technique breaks the key from a known subset of challenge/response pairs... - or, it will remain unbroken. It is strong, known algorithm public key cryptography.

    What's really interesting about all this is if someone DOES find a way to break BD+, there is really strong incentive for them to use it to break & release movies rather than release code which performs the break. Why? Get yourself a windows VM and download all the latest in DVD-breaking binaries: ripit4me, dvd decryptor-last, dvdshrink-last, etc. Then set windbg to be your default debugger, and start trying to break very recent DVD releases. What you'll find is that the entertainment company is employing people to literally find security holes in the input to the cracking tools - the dvd image itself, and then embed "exploits" into their dvd images. There is data on those discs that has no other purpose than to crash certain binaries. It becomes obvious once you trap execution in a debugger and know a little bit about x86 asm. Don't get me wrong, they're not executing arbitrary code, just causing a DoS - but that's only because they know they can't. Some of the conditions they've found and abused are CERTAINLY exploitable. But they also know that putting shellcode in their DVDs defeats plausible deniability, which is a hell of an asset.

    Now push this knowledge forward to BD+. If someone actually manages to set up a "shim VM" that executes BD+ language and acts as a proxy between secure hardware and the bytecode, and RELEASES that VM, then we know the entertainment companies are going to enter a reverse engineering arms race. They're
    • Good post - someone should mod up the parent.

      oh yah, and on the 10 years, lol

    • by Anonymous Coward on Monday July 09, 2007 @11:12PM (#19809113)
      Blu-Ray players don't contain some mystical impossible-to-duplicate VM.

      It's a fucking Java VM. It's not anything bizarre. It's Java. Completely free VM implementations for Java already exist.

      Oh, how do I know it's a Java VM? =) I know the people at IBM who wrote the Java VM that's used to play BD+ Blu-Ray discs on the PS3.
      • by tqbf ( 59350 ) on Tuesday July 10, 2007 @01:34AM (#19809935) Homepage

        The SPDC VM is not Java. I don't think you've asked the right questions of your "people at IBM who wrote the JVM used to play BD+". Here's Avi Rubin describing the SPDC VM []:

        The SPDC Virtual Machine specification defines a MIPS-like instruction set consist- ing of 59 standard machine operations (along with several reserved and vendor-defined operations.) Each machine instruction is encoded as a 32-bit value. The Virtual Machine provides content code with two memory areas, one for the content code and data, and another undefined area which can be used as defined by the device manufacturer. The VM also defines a set of 32-bit registers, a Program Counter, and an Instruction Filter, which is applied to instructions before execution.

        (In case you're wondering, the JVM is not a "MIPS-like instruction set on 32-bit registers with a Program Counter and an Instruction Filter" --- but that wouldn't stop you from implementing such a VM IN Java, just as the JVM is itself rarely implemented in hardware --- thus the "V" in "VM".)

        The person I know who's involved with BD+ [] co-designed BD+.

        • Re: (Score:3, Insightful)

          The SPDC VM is not Java. I don't think you've asked the right questions of your "people at IBM who wrote the JVM used to play BD+".
          So he's wrong, but not completely off his rocker. []

          The person I know who's involved with BD+ co-designed BD+.
          I guess even the devil has friends, eh?
    • Question for you, since you seem knowledgeable:

      How do you implement a security system like this in software? Or do you just not do it at all?

      Seems like the way that both DVD's CSS and AACS were broken involved software players. Unless Sony simply plans to just prohibit playback on general-purpose PCs, they'll have to create some sort of software implementation of the player hardware, which would mean the VM.

      If they only allow playback on dedicated hardware, then I can see how this might make cracking somewh
    • by Anonymous Coward

      Not quite. While you raise, on first view, many interesting points, most are just straw men: no substance.

      What does this mean for people attempting to defeat the security?
      Well it means that a full crack of BD+ will require crackers to implement a virtual machine which acts in exactly the same way as the hardware VM would act. [...] In this case, you have to come up with something which can determine the full dynamic runtime execution path of a static binary

      You started on the right path. Then you went co

    • Seriously Mr. Stephenson [], isn't it time you registered for a Slashdot account?
    • Since I actually do research in recursion theory (basically the mathematical study of the halting problem) let me start by saying this has ABSOLUTELY NOTHING AT ALL TO DO WITH THE HALTING PROBLEM. The halting problem, or as you stated it determine the full execution path of a static binary, is provably unsolvable because programs can take arbitrarily long before deciding to halt. Given you know a program halts (on a given input) it's trivial to determine the full execution path. Just run it and see what it does.

      In this situation there is nothing at all like this going on. We know that the code on the BluRay disk produces whatever output lets you view the disk not only in finite time but after a very short time.

      In fact this situation offers no additional security over a well designed public crypto system AT ALL except for obscurity. The instructions for the virtual machine are just a very complicated sort of key, one that anyone who can crack the base level encryption can view. The memory footprints and all that jazz are only fancy ways of implementing a private key.

      There are damn good reasons that the people who implement public key systems and symetric ciphers don't use VM instructions as their keys. A good crypto system is built around SIMPLE and well known mathematical problems because extra complications just provide more places an attacker can find a clever short circuit that you didn't think about. The only reason to think a crypto system is secure is because you think that the attacker doesn't have any shortcuts to compute things in the other direction much faster than brute force. The more complications in your system the more places he could discover a clever trick to undermine your security.

      As I argued in my other post the benefits of the BD+ VM aren't really about security but about control. It doesn't make things much harder for the hackers but it does let the content producer execute more control over when things are decrypted. The only security advantage BD+ brings is obscurity and possibly the use of a better underlying crypto system than what AACS uses (the part that decrypts the VM at the beginning).
    • Re: (Score:3, Interesting)

      by Anonymous Coward
      This is a perfectly possible crack; I've defeated stronger stuff than this myself. You'd be amazed what determined shareware authors put out on occasion.

      Smartcards? Dongles? I've seen them using stuff like this, and it didn't help them. You forget; we do have tunneling electron microscopes. Why would any serious reverse-engineering lab not?

      - The value of the signing keys is very high, to the extent they cannot be sufficiently protected from a well-resourced attacker. They have to be used regularly, and keys
    • I followed you "People who care a lot" link, and neary spit my coffee out as I am surfing this article from my Department of Defense terminal, and my Common Access Card is comfortably lodged in my window visor of my car. The problem with CAC is that it isn't required on every Department of Defense computer. My computer, for example, is a lame Dell with Windows 2000 Professional that doesn't seem to like its own USB port enough to allow the stupid CAC card reader to work. I don't even know if they make a C
  • A question or two (Score:4, Interesting)

    by pembo13 ( 770295 ) on Monday July 09, 2007 @09:26PM (#19808307) Homepage
    Is all this DRM on BlueRay and HD-DVD optional? Ie. if I were to release a movie under the creative commons liscence, could I put it on one of the new formats in a way that it would be playable on a Linux box?
  • Do these guys like to look like idiots.
  • 'cause I'll start buying blu-ray movies when the encryption is cracked!
  • Did he say 10 Earth years? Well how do you know he did not mean 10 Mercury years? :)
    Plus, financial analysts should have pretty much taught everyone not to trust most analysts :)
  • A friend of mine bought a TV recently. They can shove a USB stick into the bottom of it and play movies they download from the internet directly. They don't need a DVD or a player. How far away is it until thumb drives can store enough information to effectively play a movie that with all the data included in an entire HD-DVD or Blue-Ray disk?

    Will all players as we know them be redundant in a few years?

    No matter how good the encryption, you can always scrape a recording of the data and convert it to another
  • Maybe he'll be prepared to make a bet with his _own_ money to the effect that the bluray DRM won't be broken before 2017 (sounds a long time away don't it?)
  • by martinX ( 672498 ) on Monday July 09, 2007 @09:39PM (#19808411)
    Do you know just how smart the guy who invented BD+ was?

    Let me put it this way: have you ever heard of Plato, Aristotle, Socrates? Morons.
  • 10 years is 1011010010 days, including 29 Feb 2008. That sounds about right.
  • by gweihir ( 88907 ) on Monday July 09, 2007 @09:40PM (#19808417)
    I assume this means one player type, but even if not, a system break can also be done by generating an automatic procedure that breaks every instance.

    Even if it means exaclty one player, with P2P filesharing that is already enough. Look at the preview copies. That is one original instance and a few days latter you can get them everywere.

    Then there still is the ''analog hole''. Fit an LCD driver (i.e. the thing that drives the pixel) with high-speed A/D converters (not difficult, and signals cannot be encrypted at this level) or read the bus between display controller and driver chip (may or may not be difficult, depending on whether there is encryption here, but does not need the A/D converter, so it would give a better signal). I expect this is a relatively cheap project any good EE or electronics tinkerer can do. Again a single copy of a movie is enough.

  • Most people who by discs don't care about the DRM.

    They just want to know if the media will last, and if you will be able to buy players for it in the future.

    It is all about the popularity of the format, for whatever reason.

  • by caffiend666 ( 598633 ) on Monday July 09, 2007 @09:44PM (#19808451) Homepage
    It can't be cracked by a ten year old. We have it in writing now! Quick, look for 9 year old Math PHDs.... All it takes is a hammer and that Blue Ray Disk is cracked up... Seriously though, there's nothing about that piece of plastic which means we can't figure out how it works. Taunting people like this just speeds up the process. Weren't these the same people who used a DRM scheme which crashed MACs and could be defeated by a sharpie?
  • by msauve ( 701917 ) on Monday July 09, 2007 @09:49PM (#19808491)
    how secure they make the media. Cracks will follow the path of least resistance. If every form of media moved to some form of uncrackable quantum encryption tomorrow, it wouldn't matter. Someone would crack HDCP, and the content would be available there.

    If not HDCP directly, then the processor to LCD data path for some el-cheapo monitor which supports HDCP. There's always some point in the chain where protection is weak, or simply doesn't exist.

    It is simply a futile endeavor as long as the consumer ultimately gets access to (i.e. can view/listen) to the content. Of course, they have no product if the consumer can't.
    • Re: (Score:3, Insightful)

      by dgatwood ( 11270 )

      From what I've read, HDCP is about as powerful as ROT13 for content protection. I'm pretty sure it is already as good as broken... COMPLETELY broken... as in snoop the handshake between a small number of devices a few times and you can compute [] a single device key. Repeat for a fairly small number of distinct device keys (40) and you can then compute any possible key []. All it takes is one modestly secure digital media format and you'll see HDCP strippers available in the back of Video Magazine or whatever

  • by MattW ( 97290 ) <> on Monday July 09, 2007 @09:55PM (#19808535) Homepage

    BD+, unlike AACS, which suffered a partial hack last year, won't likely be breached for 10 years.
    So what he's saying is, if I'm a consumer, HD-DVD is better for me, if I don't like vendors telling me how I can view content I buy?
  • The word from Doom9 (Score:5, Interesting)

    by Zontar_Thing_From_Ve ( 949321 ) on Monday July 09, 2007 @10:16PM (#19808691)
    Because of Doom9's policy on links, I can't provide a direct link, but in the June news at the Doom9 website, Doom9 himself said that until the BD+ discs come out, nobody knows what will happen, but based on the spec, it is possible that it will be uncrackable. My best guess at this time is that the only way it will be cracked is if either the implementation has a gigantic hole nobody thought of (always possible) or someone gets an illegal peek at the hardware specs for the VM and is able to implement it in software. I'm not optimistic at all that BD+ will be cracked. If any of you care at all about DVD on HD formats and you want to be able to convert your future purchases in that format to other formats to watch on other devices you own such as video iPods, you better hope that BluRay fails.
    • laughable (Score:3, Insightful)

      by geekoid ( 135745 )
      I can alway grab it after it is decoded, big whoop. Encryption, even 'perfect' encryption doesn't matter at all if someone, at sometime, needs to actually be able to understand it.

  • So information on BD+ seems relatively hard to find. The best explanations I could find are this presentation [], this pdf at dell [] and best of all this general discussion of SPDC [].

    The basic idea here is that BD+ allows the BluRay maker to embed virtual machine code (and apparently native code) on their disks which are then executed on the host machine. This code then somehow verifies that the host machine is uncompromised (memory footprints apparently) and then executes whatever process is necessary to decrypt the key that allows content access. Now it seems likely that there is some additional decryption process similar to AACS that decrypts the BD+ virtual code. Perhaps this decryption process is implemented better than the one in AACS but that is the only security advantage BD+ provides.

    The only extra security that BD+ can offer over an AACS type system is security through obscurity. There has to be some general cryptographic process to decrypt the BD+ VM instructions. Once decrypted an attacker who is aware of the BD+ standard just needs to emulate the virtual machine and have it pretend it is a valid device to access the content. The BD+ people can talk all they want about memory footprints and tamper checks but these are just a complicated private key for the device. Separating out these functions and putting them in a VM just makes the specification of the encryption scheme more complicated (and more obscure) but doesn't fundamentally increase the security.

    So why do the studies want BD+? Well maybe they've been taken in by the claims of extra security but the more plausible reason is that they want the extra control BD+ gives them over their content BD+ might not be a real impediment for the serious pirate/hacker but it does allow the movie studios to implement even more fine grained control over how you use their content. The virtual machine might be set up to prevent you from watching the movie more than once, from using a streaming feature of the device, from using it after some fixed time. Imagine, for instance, movie companies creating tiered pricing based on how many rights you want to have. Say make you pay more if you want to stream it. Disney might release their next version of Aladdin on DVD in two classes. The 'gold' class that lasts forever and the standard class that only lasts 5 years. Well you get the idea.

    So no I don't buy the argument that this feature makes the system much more secure (except insofar as it might eliminate some fuckups in how the AACS system was defined) but it certainly is in the Blu Ray consortium and movie theater's interest to portray it this way. Maybe this explains the much wider adoption of Blu Ray by the theaters. ... And I used to be rooting for Blu Ray.
  • by Whuffo ( 1043790 ) on Tuesday July 10, 2007 @01:26AM (#19809901) Homepage Journal
    A shared secret is no secret at all. It doesn't matter how carefully you wrap your secret in an enigma - at the end of the day, no matter how secure your lock, you also supply the end user with the key that opens the lock.

    So you'll print off thousands and millions of these discs that contain both the lock and the key - and distribute them to anyone who has the price of purchase - and you think it's going to take how long for just one person to open your lock?

    Once that one person has compromised your protection then it's done. From that one compromise, copies will flood the internet. Will BD+ prevent your movies from being shared? Nope, no chance of that. But it might slow things down a little - just a little, mind you.

    We hope you've spent as much time working up a plausible excuse for the failure of this system as you did in promoting it to unsuspecting media companies. They're not going to be happy when they discover you've sold them a bill of goods...

This process can check if this value is zero, and if it is, it does something child-like. -- Forbes Burkowski, CS 454, University of Washington