What's so important about that 128-bit hex string? Well, that just happens to be the processing key which unlocks all current high-definition movies, both HD-DVD and Blu-Ray.
Hackers of the Doom9 forum [1] have been making plenty of news lately. Over the last few months they've made several breaks in the Advanced Access Content System (AACS) [10], the security mechanism meant to keep high-definition movies locked up. Unfortunately for the movie industry, it's proved only slightly more of a deterrent than the Content Scramble System (CSS) used to encrypt original DVDs, which was broken by a lone teenager in his spare time to enable his movie watching under Linux [2].
What took the movie industry millions of dollars and years to build, a few kids with debuggers and some spare time broke at no cost. Just like CSS. Just like Wired Equivalent Privacy (WEP) [12]. Is a trend starting to emerge here? Closed and semi-closed committee-designed systems simply don't work. They continue to be inherently insecure versus their open competition, as there's always someone smarter who wasn't on the committee.
Although AACS utilizes an excellent encryption algorithm (AES – Advanced Encryption Standard, the current U.S. Government standard), at its core it's trying to accomplish the impossible. The movie industry wants every home in the world to have the decryption key (software players, set top boxes, mobile media players, etc.), but still hold full control over the content. They've mandated the discs be encrypted. They've mandated the signal be encrypted from the player to your screen (you can't achieve true 1080p high definition using anything but a DVI/HDMI cable currently, except for a few hacks such as VGA cables).
The argument for Digital Rights Management (DRM – technology meant to keep content under the control of the providers) [13] has been an attractive one in recent years. With the advent of Windows Vista and its DRM-heavy focus (encrypting its audio and video subsystems, locking up “protected processes”, etc.) [16], content makers have jumped at the idea of handing out their products but retaining control over what happens to them.
In recent years Microsoft especially has pushed “trusted computing” [15]. Unfortunately this consumer-friendly name does the opposite of what it implies. The assumption is supposed to be that content makers can trust your system to do as they ask. If they say you can't play music without a license, your PC won't let you. If they say your video card has to downscale video over an unencrypted cable, it must do so. If the movie industry believes a certain decryption key has been leaked, your system must cease operation (such as playing high-def movies) until a new key is issued.
With high-definition movies the movie industry has set out to launch an unparalleled thrust to control the end user's system. For example, if a video card maker's drivers don't support key revocation, they simply won't be licensed the right to play high-def movies. This has led to development delays, higher costs of development for software and hardware (encryption and decryption aren't CPU-friendly tasks), and, as anyone who's used Windows Vista can tell you, a noticeable performance hit.
Now why am I writing about this today? Yesterday this all exploded. The decryption key above is not anything new. It's been around quietly in the hacker underground for a few months now (just like CSS, key members were working to break it to design a Linux HD player – maybe next time the movie industry releases a new format they should just hand one out themselves? Most set top boxes run Linux anyways!). However the key was widely published in February, and this week the movie industry decided to begin a legal assault on anyone publishing the key under claims of copyright infringement [14].
What started on the Doom9 forums quickly spread to small blogs and technology enthusiast sites – after all, it was a neat hack. But when the movie industry threw out legal threats the Internet community quickly united, and suddenly tens of thousands of sites were carrying this key just to spite the studios. Then the leading tech enthusiast news site, Slashdot [3], got wind and ran an article [4]. Shortly thereafter Slashdot's little brother Digg [5] did as well. (Slashdot is editor run, Digg is user run.)
Digg is where the proverbial crap hit the fan. The Digg editors began pulling articles mentioning the key as take down orders loomed overhead. The Digg community rose up as has never been done before, filing literally hundreds of nearly identical articles and voting them up in record numbers (breaking the previously highest ranked article by over a factor of four with nearly 30,000 unique votes as I write this) [6] eventually filling the entire front page with articles pertaining to the key [7]. Soon the former TechTV star turned Digg founder Kevin Rose capitulated:
“After seeing hundreds of stories and reading thousands of comments, you’ve made it clear. You’d rather see Digg go down fighting than bow down to a bigger company. We hear you, and effective immediately we won’t delete stories or comments containing the code and will deal with whatever the consequences might be.” [8]
The community had spoken: they weren't going to let the genie back into the bottle.
Legally you can use the Digital Millennium Copyright Act (DMCA) [17] to send out take down notices for programs which would bypass your copyright protected work. You could even outlaw the reverse engineering of it. But the publishing of an encryption key is outside of what you may protect legally. The groundless accusations of the movie industry that they may copyright a simple number are, in short, insane. Imagine if I could copyright the number 16 because that's how many characters are in my password, and if you were allowed to publish it you'd be handing out one piece of the puzzle which secures my login. (Remember that the leaked key is useless without the encrypted movie and the rest of the AACS algorithm and associated codecs.)
The movie industry even factored key leaks into AACS's design. The key was revoked and replaced on April 16th [9]. I am, and always have been, a proponent of full disclosure. I don't want to use an insecure product simply because I don't know it's insecure. The leaking of a key means that the system's design didn't factor in an attack vector, which is a design oversight; a flaw. The movie industry should have suffered the blow, learned from this incident, and improved the system, resulting in a more secure product.
Instead the movie industry has decided to close its eyes and cover its ears, hoping everyone will suddenly forget that for the second time they rolled out a next generation security scheme to have it trivially broken by some high school kids. Unfortunately all the lawsuits in the world won't solve the core problem (this system relying on every end user having a key). Even if they kept this key under wraps, what happens when the next one leaks? Even if they managed to keep this hidden, at best they would have security through obscurity – hoping no one found the leaked key sitting around somewhere. And as history has shown again and again, security through obscurity simply never works.
It's been fascinating following this as it happened, and while this is the first major key break, it certainly won't be the last. In the meantime the movie industry can send take down notices until they're red in the face, but in the end they'll have to pry the decryption key, and my Linux HD player, from my cold dead hands, because the day the movie studios dictate how the security industry acts is the day I hang up my white hat.
------
01. http://forum.doom9.org/
02. http://en.wikipedia.org/wiki/Jon_Johansen
03. http://slashdot.org/
04. http://yro.slashdot.org/article.pl?sid=07/05/01/1935250
05. http://digg.com/
06. http://digg.com/tech_news/Digg_This_09_f9_11_02_9d_74_e3_5b_d8_41_56_c5_63_56_88_c0_4
07. http://www.flickr.com/photos/siouxmoux/480983614/
08. http://blog.digg.com/?p=74?
09. http://www.aacsla.com/press/
10. http://en.wikipedia.org/wiki/Advanced_Access_Content_System
11. http://en.wikipedia.org/wiki/Content_Scramble_System
12. http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy
13. http://en.wikipedia.org/wiki/Digital_Rights_Management
14. http://blogs.law.harvard.edu/zeroday/2007/04/29/aacs-starts-sending-take-down-notices/
15. http://en.wikipedia.org/wiki/Trusted_Computing
16. http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html
17. http://en.wikipedia.org/wiki/DMCA