RE: Was a mistake made in the design of AACS?
On Thu, May 03, 2007 at 10:25:34AM -0700, Steve Schear wrote: Well, there's an idea: use different physical media formats for entertainment and non- entertainment content (meaning, content created by MPAA members vs. not) and don't sell writable media nor devices capable of writing it for the former, not to the public, keeping very tight controls on the specs and supplies. [...] Sony's UMD format is an example of this approach. I doubt even the most reality-disconnected marketeers in Sony could call it anything but an abject failure. I also doubt any company other than Sony - which has a long history of believing it can control the delivery format - would have even bothered. Ian. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Was a mistake made in the design of AACS?
Well, there's an idea: use different physical media formats for entertainment and non-entertainment content (meaning, content created by MPAA members vs. not) and don't sell writable media nor devices capable of writing it for the former, not to the public, keeping very tight controls on the specs and supplies. This approach was rejected by the computer industry, in particular with respect to DVDs. Computer companies like Intel, HP, Dell, and Sony wanted to be able to compete to be a consumer electronics platform, playing music, video, photos, etc. Indeed, many of the advances in consumer electronics have come from computerization, such as digital music (DATs and CDs), MP3 players, digital video, fax machines, digital cameras and digital photo storage, color photo printers, ... I do recall that it took most of a decade for computer CD-ROM drives to be able to digitally read audio CDs, and then later to record them. Silicon Graphics gets major kudos for breaking that artificial barrier. Then finding, say, a Disney movie on an HD-DVD of the data format would instantly imply that it's pirated. False. It's like saying Then finding a record album on a cassette tape would instantly imply that it's pirated. No, it would instantly imply that it's been copied onto a medium of the consumer's choice. Consumers are (and should be) free to record copyrighted works onto media of their own choice, for their own convenience, without needing the permission or concurrance of the copyright owner. Congratulations, Nico, you fell into Hollywood's favorite word: pirated. It takes discipline to stop thinking in the grooves that they have worn in your brain. John - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Was a mistake made in the design of AACS?
At 07:50 AM 5/4/2007, Nicolas Williams wrote: On Thu, May 03, 2007 at 10:25:34AM -0700, Steve Schear wrote: At 03:52 PM 5/2/2007, Ian G wrote: This seems to assume that when a crack is announced, all revenue stops. This would appear to be false. When cracks are announced in such systems, normally revenues aren't strongly effected. C.f. DVDs. Agreed. But there is an incremental effect. In the same way many people now copy DVDs they have rented many will gain access to HD content made Wait, are you saying that people copy rented DVDs onto DVD media? Or that they _extract_ the content? There's a big difference: there's no need to crack the DVD DRM system to do the former, but there is for the latter. I guess I wasn't clear. Unlike ripping and copying DVD's bit-for-bit, content ripped from H-DVDs and BluRay discs are first distributed as simply unencrypted copies. Watching this content means you will probably do so from your PC (e.g., using a curent version of Power DVD) as burning a bit-for-bit HD DVD/BluRay is either not available or economically practical. Later, HD videophiles re-encode the content using the same advanced coders (i.e., H./X/264 andVC1) so at least the feature movie can be stored on a dual layer DVD. Despite the smaller data size of the DVD (about 8.5 GB) vs. HD media (20+ GB) the quality of playback is impressive, good enough for all but the most discerning Home Theater buff. Well, there's an idea: use different physical media formats for entertainment and non-entertainment content (meaning, content created by MPAA members vs. not) and don't sell writable media nor devices capable of writing it for the former, not to the public, keeping very tight controls on the specs and supplies. Authoring DVDs are available for people wishing to master protected content. These, unlike the consumer variety, allows the CSS to be present. Special burners, never very popular with consumers, even video philes, are required. Steve - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Was a mistake made in the design of AACS?
Allen [EMAIL PROTECTED] writes: I know I'm in over my head on this so my apologies, but if the key is used in one machine in a product line - Sony DVD players say - then if they find the one machine that it came from and disable it, wouldn't figuring out the key for the next machine in the production run be relatively trivial as the algorithm and hardware implementation used by all machines of a give run be the same? Therefore, couldn't one buy several of them and use them one after another as they are discovered and disabled? Perhaps so, depending on the nature of the crack. It may require unsoldering chips from the machine motherboard or other rather difficult to perform operations that would not be possible for average users. Keep in mind that each machine costs several hundred dollars, and they will be turned into bricks once revoked. This raises the question of who is bankrolling this effort and what his motivations are. So, in order to prevent any of those machines from being used they'd have to disable a whole lot of machines owned by ordinary individuals, right? What are the downside risks for Sony in doing this? I imagine it is safe to say that this is not a step that AACSLA would take lightly. If they ever did this then I suppose the machine manufacturer would have to provide owners of the affected models with upgrades to newer machines. It's very hard to predict the future and it is not clear to me that we will get into a scenario where a very small number of sacrificial machines are the source of every HD movie being uploaded to the pirate nets, such that when these few machines are revoked, immediately another few machines are swapped in to replace them. It would require a relatively large degree of coordination among what I would imagine is a generally loose affiliation of attackers with diverse motivations. But as I said, my crystal ball is foggy. Hal Finney - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Was a mistake made in the design of AACS?
Hal Finney wrote: [snip] http://www.freedom-to-tinker.com/?p= By this point in our series on AACS (the encryption scheme used in HD-DVD and Blu-ray) it should be clear that AACS creates a nontrivial strategic game between the AACS central authority (representing the movie studios) and the attackers who want to defeat AACS. Today I want to sketch a model of this game and talk about who is likely to win... Felten focuses on the loss of revenue due to extraction of device keys and subsequent file sharing of decrypted content. AACS has a mechanism called sequence keys to watermark content and allow it to be traced back to the player that created it. Felten assumes that attackers would publish decrypted movies, AACSLA would then trace them back to the broken device, and revoke that device in future releases. I know I'm in over my head on this so my apologies, but if the key is used in one machine in a product line - Sony DVD players say - then if they find the one machine that it came from and disable it, wouldn't figuring out the key for the next machine in the production run be relatively trivial as the algorithm and hardware implementation used by all machines of a give run be the same? Therefore, couldn't one buy several of them and use them one after another as they are discovered and disabled? So, in order to prevent any of those machines from being used they'd have to disable a whole lot of machines owned by ordinary individuals, right? What are the downside risks for Sony in doing this? What am I missing in this picture? Thanks, Allen - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Was a mistake made in the design of AACS?
Ian G wrote: Hal Finney wrote: Perry Metzger writes: Once the release window has passed, the attacker will use the compromise aggressively and the authority will then blacklist the compromised player, which essentially starts the game over. The studio collects revenue during the release window, and sometimes beyond the release window when the attacker gets unlucky and takes a long time to find another compromise. This seems to assume that when a crack is announced, all revenue stops. This would appear to be false. When cracks are announced in such systems, normally revenues aren't strongly effected. C.f. DVDs. However, the money spent in trying to enforce control comes straight from the bottom line and is therefore limited if they want to stay profitable in the long run. True, they do have deep pockets, but they could be nibbled to death by ducks as they are very big targets and the ducks are small and have wings. Best, Allen - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Was a mistake made in the design of AACS?
At 03:52 PM 5/2/2007, Ian G wrote: Hal Finney wrote: Perry Metzger writes: Once the release window has passed, the attacker will use the compromise aggressively and the authority will then blacklist the compromised player, which essentially starts the game over. The studio collects revenue during the release window, and sometimes beyond the release window when the attacker gets unlucky and takes a long time to find another compromise. This seems to assume that when a crack is announced, all revenue stops. This would appear to be false. When cracks are announced in such systems, normally revenues aren't strongly effected. C.f. DVDs. Agreed. But there is an incremental effect. In the same way many people now copy DVDs they have rented many will gain access to HD content made available by those more technically sophisticated. There a number of Bit Torrent trackers which focus on HD content. All current released HD-DVD/BluRay movies are available for download. For those with higher-performance PCs for playback, broadband connections and who know how to burn a single- or dual layer DVD, the content is there for the talking. A new generation of HD media players (initially from offshore consumer electronics and networking companies, for example, Cisco/LinkSys) are poised to enter the market. These appliances will allow playback of all the common HD encoded media, including those ripped from the commercial HD discs. This will place the content from pirates and P2P community in the hands of the less sophisticated Home Theater consumer. Steve - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Was a mistake made in the design of AACS?
On Thu, May 03, 2007 at 10:25:34AM -0700, Steve Schear wrote: At 03:52 PM 5/2/2007, Ian G wrote: This seems to assume that when a crack is announced, all revenue stops. This would appear to be false. When cracks are announced in such systems, normally revenues aren't strongly effected. C.f. DVDs. Agreed. But there is an incremental effect. In the same way many people now copy DVDs they have rented many will gain access to HD content made Wait, are you saying that people copy rented DVDs onto DVD media? Or that they _extract_ the content? There's a big difference: there's no need to crack the DVD DRM system to do the former, but there is for the latter. I expect the same to be true for HD-DVDs, unless the readers themselves perform one-way transformations on the content and the readers are tamper-resistant enough that DMCA protection for them as access control devices can be claimed. available by those more technically sophisticated. There a number of Bit Torrent trackers which focus on HD content. All current released HD-DVD/BluRay movies are available for download. For those with higher-performance PCs for playback, broadband connections and who know how to burn a single- or dual layer DVD, the content is there for the talking. A new generation of HD media players (initially from offshore consumer electronics and networking companies, for example, Cisco/LinkSys) are poised to enter the market. These appliances will allow playback of all the common HD encoded media, including those ripped from the commercial HD discs. This will place the content from pirates and P2P community in the hands of the less sophisticated Home Theater consumer. So? If breaking AACS has nothing to do with disk-to-disk copies then I don't see how the coming market for HD players/writers is going to affect that kind of piracy. Or analog hole piracy. Let's face it: DRM only stops anyone from trying to make fair use of content (e.g., sampling) -- pirates might as well not even know that DRM is there, unless you can create scarcity of media for the pirates (blank media taxes), but that's harder than you think when in a couple of years someone can be manufacturing blank media in some far off place that's politically hard to reach. Well, there's an idea: use different physical media formats for entertainment and non-entertainment content (meaning, content created by MPAA members vs. not) and don't sell writable media nor devices capable of writing it for the former, not to the public, keeping very tight controls on the specs and supplies. Then finding, say, a Disney movie on an HD-DVD of the data format would instantly imply that it's pirated. Nico -- - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Was a mistake made in the design of AACS?
* Perry E. Metzger: This seems to me to be, yet again, an instance where failure to consider threat models is a major cause of security failure. Sorry, but where's the security failure? Where can you buy hardware devices that can copy HD disks? Or download software that does, with a readily usable interface? In that sense, even CSS hasn't really been broken. Even the flurry of DMCA takedown notices isn't necessarily a bad move. It might help to shape the future of how access to content is regulated in some very particular way. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Was a mistake made in the design of AACS?
Florian Weimer [EMAIL PROTECTED] writes: * Perry E. Metzger: This seems to me to be, yet again, an instance where failure to consider threat models is a major cause of security failure. Sorry, but where's the security failure? Where can you buy hardware devices that can copy HD disks? Or download software that does, with a readily usable interface? You can't, but I think that is more a question of the market size. Right now there are very few HD-DVDs and Blu Ray discs on the market, and most people have DVD drives but not HD-DVD or Blu Ray drives. (I don't know that I've ever even seen such a drive to date, but that will surely change in a year.) Until there is a significant percentage of the user community with an itch to scratch the software will not appear. However, it is now very clear that the software is quite doable once people want it. In that sense, even CSS hasn't really been broken. I watch DVDs all the time on my open source OS laptop using software that depends on DeCSS. It is quite nice software -- the UI is more or less as good as any of the Windows DVD players. (If the MPAA or DVD copy control folk want to try prosecuting me for watching DVDs I've bought legitimately using software they don't approve of, they are welcome to try -- I suspect that they don't have much of chance of winning.) I haven't used extraction software myself for real (I have no need for it at the moment -- I don't need my DVD library online) but there are a number of programs out there that allow you to extract the content from DVDs to your hard drive as easily as you can do it for a CD. They're pretty easy to find, even for Windows and OS X, and in my tests the UIs appeared to be pretty much easy enough for an ordinary person to use. These programs also depend on DeCSS, of course. Even the flurry of DMCA takedown notices isn't necessarily a bad move. It might help to shape the future of how access to content is regulated in some very particular way. I doubt they'll get very far. Their best bet for suppression is to sue a selected subset of people for publishing the process key, but beyond bad publicity I don't see what practical benefit they might get. Especially in the US, they may also eventually run up against the first amendment. I know that one judge in the 2600 case believed that the constitution is not a suicide pact, but those were different days. That case happened when the community was far less prepared, was not shepherded by ideal people, and did not set a real precedent. I think it might be harder to ramrod a similar case through the courts now, especially given that the Supreme Court has never ruled on this, and especially since programs like the ones I use to watch DVDs are clear and obvious legitimate uses and can be demonstrated to and understood even by members of the judiciary. -- Perry E. Metzger[EMAIL PROTECTED] - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Was a mistake made in the design of AACS?
Perry Metzger writes: I will again solicit suggestions about optimal strategies both for the attacker and defender for the AACS system -- I think we can learn a lot by thinking about it. It would be especially interesting if there were modifications of the AACS system that would be more hardy against economic attacks -- can you design the system so that slow key revelation is not an economic disaster while still maintaining an offline delivery model with offline players entirely in the enemy's control? I don't think you can, but it would be very interesting to consider the problem in detail. Ed Felten has blogged a number of ideas along these lines: http://www.freedom-to-tinker.com/?p= By this point in our series on AACS (the encryption scheme used in HD-DVD and Blu-ray) it should be clear that AACS creates a nontrivial strategic game between the AACS central authority (representing the movie studios) and the attackers who want to defeat AACS. Today I want to sketch a model of this game and talk about who is likely to win... Felten focuses on the loss of revenue due to extraction of device keys and subsequent file sharing of decrypted content. AACS has a mechanism called sequence keys to watermark content and allow it to be traced back to the player that created it. Felten assumes that attackers would publish decrypted movies, AACSLA would then trace them back to the broken device, and revoke that device in future releases. The optimal strategy depends on his parameters C, the cost in time it takes for attackers to break into new devices and extract keys; and L, the commercial lifetime of a new disk. Felten writes: It turns out that the attacker's best strategy is to withhold any newly discovered compromise until a 'release window' of size R has passed since the last time the authority blacklisted a player. (R depends in a complicated way on L and C.) Once the release window has passed, the attacker will use the compromise aggressively and the authority will then blacklist the compromised player, which essentially starts the game over. The studio collects revenue during the release window, and sometimes beyond the release window when the attacker gets unlucky and takes a long time to find another compromise. He estimates that C is measured in weeks and L in months, which bodes ill for the studios, as his model predicts that studios will receive the fraction C/(C+L) of their potential revenues if no piracy occured, and CL makes this fraction small. I see a couple of problems with his model. First, it may be that by publishing processing keys instead of device keys or movie content, it will be harder to make the traitor tracing algorithm work and AACSLA may be thwarted in their attempt to revoke the broken device. I'm not sure I understand the system well enough to know whether there are effective countermeasures for AACSLA against this attacker strategy. Threats of legal action do not appear to be achieving much success. Second, there is a long lead time between when AACSLA determines to update the processing keys and other components of the subset difference scheme, and when the disks actually reach the public. This is bad for the studios and probably effectively increases L. On the other hand I suspect his L estimate of months is excessive; 8 of the Amazon's 10 top selling DVDs were released since April 24. As with other media like CDs, it is likely that the bulk of revenues arrive during the first few weeks of release. If they can protect that window then they might view the system as achieving at least some of its goals. But these other considerations will work against them. Hal Finney - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Was a mistake made in the design of AACS?
Hal Finney wrote: Perry Metzger writes: Once the release window has passed, the attacker will use the compromise aggressively and the authority will then blacklist the compromised player, which essentially starts the game over. The studio collects revenue during the release window, and sometimes beyond the release window when the attacker gets unlucky and takes a long time to find another compromise. This seems to assume that when a crack is announced, all revenue stops. This would appear to be false. When cracks are announced in such systems, normally revenues aren't strongly effected. C.f. DVDs. iang - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
