> I am curious: Are there better techniques for getting
> high-quality images out, rather than just videotaping a
> screen? If I am given a sealed box with a CRT, is there
> some technique I can do to get a better copy of what's being
> sent to the screen? It seems like it should be possible to
> read small parts of the screen very closely, perhaps
> detecting the power of the electron beam that's painting the
> image on each position and color. It's reasonable to do this
> over only a small area of the screen at a time. Imagine an
> 8'' x 10'' screen displaying a rented movie or other
> ``copy-proof'' video stream. That's 80 square inches, so if
> we could only scan in one square inch at a time, we'd just
> have to play the movie 80 times. We might take multiple
> samples from each square inch and do some kind of averaging
> to smooth out quantization errors, noise in the system, etc.
There are easier vectors of attack than that.
One idea which springs to mind would be to hook into the
row and column addressing on the LCD panel itself, or (more
likely) in the output stages of the LCD driver hardware.
If it's a normal CRT monitor then pulling the signals out
is even easier.
Everything I've seen on this proposal - which isn't that much
I will admit - tends to imply that the encryption is basically
done in the digital link between the source and screen.
It's hard to see how anything more than trivial encryption could
be done between the drivers and the actual display.
If you were able to pull that data, it is feasible that you
could reconstruct a recordable image.
Of course, there are also ways manufacturers could try to counter
this. Constructing tamper-resistant cases for monitors is one
way. Indeed, I'll suggest to everyone here that tamper
resistant enclosures (everything from "mousetraps" to FIPS-140
style boxes) are going to become much more common in consumer
electronics.
One aside I will make is that tamper resistant enclosures
aren't only useful for this purpose. As many people will
be aware, many manufacturers of consumer goods would dearly
like consumers to only have their equipment serviced
at "registered" centres. In many, if not most, legal
jurisdictions, such limitations on trade are illegal, so
companies are forced to use scare tactics to convince
consumers of the "dangers" of third party servicing.
Implementing tamper resistance to limit consumer choice would
be legally dubious, but if you implemented it because of
an IP protection requirement (as mandated in an industry
"standard"), then it would be much harder to prosecute.
The manufacturer could say "sorry, your honor, but to
implement standard ABCX20YX, the licensing
standards body forced us to use a tamperproof enclosure. The
effect on the servicing arrangements is unfortunate, but it's out
of my control. I am sorry, but the licensing organisation
is based in <insert the current puppet legal jurisdiction>,
you'll have to take the matter up with them (good luck, sucker!)".
Needless to say, I am not for a moment suggesting such
a conspiracy theory. Not for a moment.... :) Ahem.
Nor would I ever suggest a correlation between the
latest DeCSS fiasco and "puppet legal jurisdictions".
No, not at all. Ahem....
Ultimately, this will come down to being a tradeoff between
investment and return. Who's Intel targeting? I'd suggest
they're targeting casual copiers and underfunded bootleg
operators. Against them, this may be viable. Against even a
moderately well funded piracy operation, forget it.
I am reminded of an anecdote told to me by a friend in
the arcade game industry. He said that their main enemies were
little backyard operations in Asia, who could clone an arcade
game (not a trivial piece of computing hardware) in weeks.
I asked him if implementing functions in ASICs would help, and
he told me that they'd recovered bootleg games where the copiers
had actually designed a daughterboard to implement the ASIC!
That is a significant engineering investment, I suggested. He
agreed, but said that once they sell more than 500 units worldwide,
the bootleggers would start to produce copies. Apparently
there was a significant amount of black market money, and
underutilised reverse engineering talent involved.
Nintendo's "CIC" chips would be another case in point. Both
in-band and out-of-band attacks were quickly found against
the original version of them.
> I think all copy-protection runs into a wall when it gets to
> human-perceptible output, at least in dealing with
> determined pirates. Though the Intel scheme probably does a
> good job of preventing cheap, casual copying of video
> streams, which is presumably their purpose for doing the
> design in the first place.
No, not all. There used to be a scheme for audio cassettes
where a signal was introduced which was slightly less than
the bias frequency (which, from memory, is 40 kHz). The
effect was to cause an annoying "beat" to develop in copied
audio cassettes. People with more accurate knowledge may
know more about this than I - I'm remembering something I
read over a decade ago. It failed because a 40 kHz signal
is trivial to filter out, and the bootleggers soon did it
as a matter of course.
Is it possible to design a scheme which introduces a visual
disruption on playback, but which is imperceptible to a normal
viewer? For example, could the frame rate be subtly varied
so that a copy will record flicker at the top and bottom
on the screen, yet is invisible when viewed from the master?
I wouldn't rule that out, and I bet that companies like
Macrovision are actively investigating the possibilities.
But that's not been suggested in the current proposal.
Ian.
Disclaimer: Personal opinions and comments only.
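The near-bias cassette scheme described in the post above, as an added simulation that is not part of the original message or of any product it mentions. It takes the post's recollected 40 kHz bias figure as an assumption, adds a hypothetical 39 kHz protection tone, models the copying deck as a mildly nonlinear recorder (y = b + k2*b^2, a constructed model, not a measured one), and uses a 750 Hz sine as a stand-in for the program. It measures the audible 1 kHz difference product in the master playback, in a straight copy, and in a copy made through a 20 kHz low-pass filter on the playback path. The last case is the separation the post says defeated the scheme: the protection signal lives outside the band the content needs, so it can be removed without touching the content, which is the design lesson for any "watermark the output" scheme.

```python
"""Constructed simulation of a near-bias-frequency cassette copy-protection
tone and of why an out-of-band filter defeats it.  Not from the post; every
figure below is an assumption chosen for illustration.  The 40 kHz bias is
the value the post recalls from memory; real decks differ."""
import math

FS = 200_000          # sample rate, Hz (assumed; above twice every tone used)
N = 4_000             # analysis window: 20 ms, an integer number of cycles of each tone
BIAS_HZ = 40_000.0    # recorder bias frequency, per the post's recollection
TONE_HZ = 39_000.0    # hypothetical protection tone, "slightly less than" the bias
PROGRAM_HZ = 750.0    # stand-in for the music
BEAT_HZ = BIAS_HZ - TONE_HZ   # 1 kHz difference product: squarely audible
K2 = 0.2              # strength of the copy deck's second-order nonlinearity (assumed)
TAPS = 101            # length of the low-pass FIR applied on the playback path


def sine(freq_hz, n, amp=1.0, fs=FS):
    """Real sinusoid of the given amplitude, n samples long."""
    return [amp * math.sin(2 * math.pi * freq_hz * i / fs) for i in range(n)]


def mix(*signals):
    return [sum(vals) for vals in zip(*signals)]


def master_playback(n, with_tone=True):
    """What comes off the protected master: the program plus, when the scheme
    is in use, the near-bias tone.  The master itself is assumed beat-free."""
    program = sine(PROGRAM_HZ, n, amp=0.5)
    return mix(program, sine(TONE_HZ, n, amp=0.5)) if with_tone else program


def copy_deck(signal, k2=K2):
    """Model of the copying recorder: the input plus the deck's own HF bias
    passes through a mildly nonlinear transfer y = s + k2*s^2.  The square
    term mixes the bias with any nearby tone into a difference frequency."""
    bias = sine(BIAS_HZ, len(signal))
    return [(x + b) + k2 * (x + b) ** 2 for x, b in zip(signal, bias)]


def lowpass_fir(cutoff_hz, taps=TAPS, fs=FS):
    """Hamming-windowed sinc low-pass filter, normalised to unity DC gain."""
    fc = cutoff_hz / fs
    m = (taps - 1) / 2
    h = []
    for k in range(taps):
        x = k - m
        ideal = 2 * fc if x == 0 else math.sin(2 * math.pi * fc * x) / (math.pi * x)
        window = 0.54 - 0.46 * math.cos(2 * math.pi * k / (taps - 1))
        h.append(ideal * window)
    total = sum(h)
    return [v / total for v in h]


def convolve_valid(x, h):
    """Full-overlap convolution (output length len(x) - len(h) + 1), so the
    result carries no start-up transient that would smear the spectral estimate."""
    n_out = len(x) - len(h) + 1
    return [sum(h[k] * x[i + k] for k in range(len(h))) for i in range(n_out)]


def amplitude_at(signal, freq_hz, fs=FS):
    """Amplitude of the sinusoidal component at freq_hz: one DFT bin, scaled
    so a unit-amplitude sine reads 1.0 when the window holds whole cycles."""
    n = len(signal)
    re = sum(v * math.cos(2 * math.pi * freq_hz * i / fs) for i, v in enumerate(signal))
    im = sum(v * math.sin(2 * math.pi * freq_hz * i / fs) for i, v in enumerate(signal))
    return 2 * math.hypot(re, im) / n


def beat_amplitudes():
    """Audible-beat amplitude in the master playback, in a straight copy, and
    in a copy made through a low-pass filter that strips the out-of-band tone;
    plus the program level in the filtered copy, to show the content survives."""
    pad = TAPS - 1
    source = master_playback(N + pad)              # extra samples absorb the FIR overlap
    aligned = source[pad // 2: pad // 2 + N]       # unfiltered path, trimmed to N samples
    filtered = convolve_valid(source, lowpass_fir(20_000))
    filtered_copy = copy_deck(filtered)
    return {
        "master": amplitude_at(aligned, BEAT_HZ),
        "plain_copy": amplitude_at(copy_deck(aligned), BEAT_HZ),
        "filtered_copy": amplitude_at(filtered_copy, BEAT_HZ),
        "program_in_filtered_copy": amplitude_at(filtered_copy, PROGRAM_HZ),
    }


if __name__ == "__main__":
    for label, amp in beat_amplitudes().items():
        print(f"{label:26s} {amp:.4f}")
```

With these constructed figures the straight copy carries a 1 kHz beat of amplitude k2 times the tone amplitude (0.1), the master carries none, and the filtered copy carries essentially none while the 750 Hz program passes through at its original level. The frequencies are all multiples of the 50 Hz bin spacing, so each component lands on its own DFT bin and the readings are exact rather than leakage-smeared.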