Re: DeCSS, crypto, (regions removed??!)
On Thu, 9 Jan 2003, Bill Stewart wrote:
> At 03:54 PM 01/08/2003 +0100, Martin Olsson wrote:
>> Hi, I don't know if this is relevant to the discussion, but in Sweden
>> (not a region-1 country) people were so pissed at the region system
>> (and the fact that most computer geeks could go around it, but the
>> average person could not) that the whole region concept had to be
>> removed. I.e. this forced the large companies to rethink, and nowadays
>> we have commercial region-free DVD players in most stores.
>
> That's an interesting change - a couple of years ago, friends from
> Sweden told me that the standard was to strictly sell only
> region-enforcing DVD players and then charge a bit extra for installing
> the region-free mod chips that everybody bought. I guess they've stopped
> bothering with the games by now.

I wonder how they deal with the RCE (Region Code Enforced) discs? RCE is
a scheme that causes the disc not to work in region-free players. If you
want a good test disc, try the region 1 version of Spider-man. In a
region-free player it will bring up a map of region codes and make nasty
noises about how you need a region one player. The disc works fine in
players where you can set the region. (Some region-codeless players can
do this, some cannot.)

You can find places that sell region-free players by searching on Google
for "Apex region free DVD". The only one I have used is
www.220-electronics.com, and I will not order from their insecure web
page.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: DeCSS, crypto, law, and economics
On Wed, 8 Jan 2003, Nomen Nescio wrote:
> John S. Denker writes:
>> The main thing the industry really had at stake in this case is the
>> zone locking aka region code system.
>
> I don't see much evidence for this. As you go on to admit, multi-region
> players are easily available overseas. You seem to be claiming that the
> industry's main goal was to protect zone locking when that is already
> being widely defeated.

Try selling a regionless player in this country. It happens, but not in
public. Region codes make them tons of money. (They are economic zones,
nothing else.)

> Isn't it about a million times more probable that the industry's main
> concern was PEOPLE RIPPING DVDS AND TRADING THE FILES? Movies are
> freely available on the net, just like MP3s, and the DeCSS software was
> the initial technology that made ripping DVDs possible. Many people
> would rather get something for free than pay for it, and DVD ripping
> allows that for movies. The MPAA obviously is afraid of following the
> RIAA into oblivion.

The thing that does not get press is that there is a bunch of money being
made on the players themselves. Having DeCSS allows you to counterfeit
players and avoid the licence fees.

It also showed that they were generally stupid gits, since the CSS
algorithm has only 24 effective bits in the key. Brute forcing the key
once you know this takes *seconds* on my PC. Snake oil makes the discs
play so much smoother...
Re: DeCSS, crypto, law, and economics
On 7 Jan 2003, Perry E. Metzger wrote:
> I don't know anyone who trades video files -- they're pretty big and
> bulky. A song takes moments to download, but a movie takes many many
> hours even on a high speed link. I have yet to meet someone who pirates
> films -- but I know lots of hardened criminals who watch DVDs on Linux
> and BSD.

I'm one of these criminals.

There is some trading of TV shows, but not movies. (Some, but only things
that you cannot buy legally.) The few pre-release things you find on the
file-sharing networks have the same (lack of) quality that the bootleg
tapes have. The only large films worth the time are things that you
cannot buy. (Although Song of the South should be required viewing in
schools. It makes racism *boring*.)

An XVCD copy of a 22 minute TV show runs about 425 megs. Anything smaller
tends to look like crap. Multiply that out to a feature length film and
you find out why it is impractical to trade films in this manner. (It is
not worth the 2 days it will take for the download. Most people would
rather go out and buy it than waste the time.)

> Many nights, I close the blinds and illegally use the computer I
> lawfully paid for to view the DVDs I lawfully paid for. To do that, I
> make use of DeCSS. My nice Unix based DVD player, ogle, needs it to
> read the drive. A little later this evening I'll be watching an episode
> of I, Claudius I bought and paid for, using this criminal software
> combination. Hopefully no one will learn of my shamefully immoral act.
> Please don't tell anyone.

Not to mention the two seasons of Futurama that are only available on
Region 2 PAL DVDs. (Or the other movies and TV shows not allowed by your
corporate masters.) They Live is another film only available from
Region 2. Maybe it tells too much about the movie industry...
Re: Did you *really* zeroize that key?
> -compliant compilers normally distinguish between conformant source
> programs and nonconformant source programs. [...] so, in the case of
> volatile, a compiler won't necessarily be bound by the rules of the
> abstract machine, unless the source program strictly conforms to the
> language spec's best practice definition of how a C/C++ program ought
> to look.

True. But any compiler that tried to use such arguments to weasel out of
the requirement to handle volatile in the expected way would become
unpopular.

> * finally, my friend gives the example of a compiler that might decide
>   to make a copy of our key buffer at runtime, in pursuit of some
>   optimization. the compiler might have the program zeroize one copy of
>   the key, but not the other copy. as long as the program's end result
>   turns out to be correct, such a bizarre trick can still fulfill the
>   language spec.

Declaring the buffer as volatile would remove the compiler's licence to
do such optimisation.

--apb (Alan Barrett)
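The three wiping strategies the thread argues about, side by side, as an
added example (this is not code from the thread or from Alan Barrett).
naive_zero() is the fragile form: a memset() on a buffer that is never
read again is a dead store from the optimizer's point of view and may be
dropped. barrier_zero() keeps the memset() but follows it with a
GCC/Clang-specific inline-asm memory barrier (assumed available; other
compilers fall back to plain memset()). secure_zero() is the remedy
Barrett names: every store goes through a volatile pointer, so the
compiler must emit it. The key bytes are constructed sample data, and
all_zero() reads back through a volatile pointer so the check cannot be
optimised against the wipe it is verifying.

```c
#include <stddef.h>
#include <string.h>

/* Fragile: the buffer is dead after this call, so an optimizer is
 * entitled to treat the memset() as a dead store and remove it. */
void naive_zero(void *buf, size_t len)
{
    memset(buf, 0, len);
}

/* memset() plus a compiler barrier. The empty asm statement claims to
 * read arbitrary memory ("memory" clobber) and depends on buf, so the
 * preceding stores can no longer be considered dead. GCC/Clang only;
 * elsewhere this degrades to naive_zero(). */
void barrier_zero(void *buf, size_t len)
{
    memset(buf, 0, len);
#if defined(__GNUC__) || defined(__clang__)
    __asm__ __volatile__("" : : "r"(buf) : "memory");
#endif
}

/* The volatile remedy: each store is a side effect on a volatile object,
 * which the abstract machine requires the implementation to perform, so
 * the loop survives optimisation regardless of later reads. */
void secure_zero(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Returns 1 if every byte of buf is zero. Reads through a volatile
 * pointer so the check itself is not folded away by the compiler. */
int all_zero(const void *buf, size_t len)
{
    const volatile unsigned char *p = (const volatile unsigned char *)buf;
    unsigned char acc = 0;
    while (len--) {
        acc |= *p++;
    }
    return acc == 0;
}

/* Fill a stack buffer with constructed (not real) key material, wipe it
 * with secure_zero(), and report whether the wipe took effect. Returns 1
 * on success. */
int wipe_key_demo(void)
{
    unsigned char key[32];
    size_t i;

    for (i = 0; i < sizeof key; i++) {
        key[i] = (unsigned char)(0xA5 ^ (i * 7)); /* constructed sample */
    }
    secure_zero(key, sizeof key);
    return all_zero(key, sizeof key);
}

/* Run all three wipes on separate buffers and return 1 if every buffer
 * reads back as zero. Note the limitation this demonstrates: because we
 * read the buffers afterwards, even naive_zero() is not a dead store here
 * and will pass. The difference only shows when the buffer is never read
 * again, which is exactly the real-world case for a key that is about
 * to go out of scope. */
int wipe_variants_demo(void)
{
    unsigned char a[16], b[16], c[16];

    memset(a, 0x5a, sizeof a);
    memset(b, 0x5a, sizeof b);
    memset(c, 0x5a, sizeof c);

    naive_zero(a, sizeof a);
    barrier_zero(b, sizeof b);
    secure_zero(c, sizeof c);

    return all_zero(a, sizeof a) && all_zero(b, sizeof b)
        && all_zero(c, sizeof c);
}
```

To see the difference the thread is about, compile a function that calls
naive_zero() on a local buffer and returns without reading it, with
optimisation on, and inspect the generated code: the memset() is
typically gone, while the secure_zero() loop and the barrier_zero()
stores remain. Where the platform offers a library routine with the same
guarantee (memset_s, explicit_bzero), prefer it over hand-rolled loops.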
Re: Palladium -- trivially weak in hw but secure in software??(Re: palladium presentation - anyone going?)
On Tue, 22 Oct 2002, Rick Wash wrote:
> Hardware-based attacks cannot be redistributed. If I figure out how to
> hack my system, I can post instructions on the web but it still
> requires technical competence on your end if you want to hack your
> system too. While this doesn't help a whole lot for a DRM goal (once
> you get the non-DRM version of the media data, you can redistribute it
> all you want), it can be very useful for security. It can help to
> eliminate the 'script kiddie' style of attackers.

Not really. It depends on what they are exploiting.

Does every piece of code need to be validated all the time? Once a
program is running, does something running in its code space get
revalidated or does it just run? I don't see how Palladium stops buffer
overflows or heap exploits or format bugs or any of the standard exploits
that are in use today. (Not without crippling the entire system for both
the user and the programmer.)

It seems to change little for script kiddies if the machines are going to
communicate with other systems. (Unless the DRM holders will control who
and how you can connect as well. And they just might do that as well...)

The purveyors of this also claim it will stop spam and e-mail viruses.
The only way it can do that is by making Palladium based systems
incompatible with every non-DRM machine on the planet. (So much for
getting e-mail from your relatives!)

The only problem this hardware seems to solve is shackling the user into
what data they can see and use. If Microsoft follows their standard
coding practices, the script kiddie problem will not go away with this
technology. It will probably increase. And it will be illegal to
effectively stop them.
Re: password-cracking by journalists...
On Mon, 21 Jan 2002, Peter Trei wrote:
> 17 USC 1201(a)(1)(A): No person shall circumvent a technological
> measure that effectively controls access to a work protected under this
> title.
>
> I'm sure I'm picking nits here (and I praise God every day that I Am
> Not A L*wy*r), but what does 'effectively' mean? If it can be broken,
> was it effective? What level of work is required to make it an
> 'effective technological measure'? If the standard is 'anything,
> including rot13', then why is the word present in the rule at all?

When I last brought this up (29 to 30 July 2001, Subject: "Effective and
ineffective technological measures"), people posted references to two
slightly different sections that try to define what "effectively
protects" and "effectively controls" mean:

    1201(b)(2)(B): a technological measure "effectively protects a right
    of a copyright owner under this title" if the measure, in the
    ordinary course of its operation, prevents, restricts, or otherwise
    limits the exercise of a right of a copyright owner under this title.

    1201(a)(3)(B): a technological measure "effectively controls access
    to a work" if the measure, in the ordinary course of its operation,
    requires the application of information, or a process or a
    treatment, with the authority of the copyright owner, to gain access
    to the work.

The key phrase seems to be "in the ordinary course of its operation". If
you publish the fact that you use rotn to protect your copyrighted
material, but keep secret the fact that n = 13, then the ordinary course
of operation of the decryption process requires the application of this
secret value, so the process "effectively controls access" and
"effectively protects". The fact that somebody can guess the secret value
would seem to have no bearing on whether rotn effectively does anything.

--apb (Alan Barrett)
Re: Criminalizing crypto criticism
On Friday 27 July 2001 11:13, Steven M. Bellovin wrote:
> In message [EMAIL PROTECTED], Declan McCullagh writes:
>> One of those -- and you can thank groups like ACM for this, if my
>> legislative memory is correct -- explicitly permits encryption
>> research. You can argue fairly persuasively that it's not broad
>> enough, and certainly 2600 found in the DeCSS case that the judge
>> wasn't convinced by their arguments, but at least it's a shield of
>> sorts.
>
> See below.
>
> It's certainly not broad enough -- it protects encryption research, and
> the definition of encryption in the law is meant to cover just that,
> not cryptography. And the good-faith effort to get permission is really
> an invitation to harassment, since you don't have to actually get
> permission, merely seek it.

Even worse is if the encryption is in bad faith to begin with. (I.e. they
know it is broken and/or worthless, but don't want the general public to
find out.) Imagine some of the usual snake-oil crypto-schemes applied to
copyrighted material. Then imagine that they use the same bunch of
lawyers as the Scientologists.

This could work out to be a great money-making scam! Invent a bogus copy
protection scheme. Con a bunch of suckers to buy it for their products.
Sue anyone who breaks it or tries to expose you as a fraud for damages.

I mean, if they can go after people for breaking things that use ROT-13
(eBooks) and 22 bit encryption (or whatever CSS actually uses), then you
can go after just about anyone who threatens your business model.

I guess we *do* have the best government money can buy. We just were not
the ones writing the checks...