2. On the upside: AACS, the content protection system used for HD-DVD and BluRay, has experienced its first serious defeat. The news comes from the same Doom9 forums where 2 months ago a researcher with the handle “muslix” had succeeded in extracting a volume key for one of the titles. That attack was only good for stripping DRM from a single title. Each DVD has its own volume key, which itself is encrypted to many “player keys”, one for every device/player that licences the standard. Of course once you can extract a single volume key, you can repeat the process to extract others, but that can become a labor-intensive process. Yesterday another researcher announced that he had been able to recover one of the player keys.
Surprising? Hardly. It was only a matter of time. The attack targeted a software player, in other words an application that the user installs on their computer. Palladium / NGSCB / TCG notwithstanding, the PC remains an open platform today: there is no way to hide secrets from the owner of the machine. That means DVD-player software that ships with its own key material has no reliable way to hide it from the administrator of the machine. There is no equivalent to a “vault” where keys can be safely squirreled away, protected from a user who is assumed to be malicious. This is why DRM depends on obfuscation and obscurity, without any solid grounding in theory, and that’s why it desperately needs non-technical defenses such as the DMCA to discourage reverse-engineering. And we can see how successful the DMCA has been in the HackSDMI challenge, the DeCSS debacle and the series of successful attacks on iTunes and Windows Media Player.
The development of attacks on AACS also bears out a prediction from Ed Felten:
“Once he has device keys, he could in principle publish them (or equivalently publish a program containing them), thereby allowing everybody to extract title keys and decrypt discs. But if he does this, the AACS central authority will learn which device keys he is using and will blacklist those keys, which will prevent those keys from decrypting discs manufactured in the future.”
Compare this to the following quote from the post announcing the successful break:
“I’m not telling which player I used (well you can guess but you might guess wrong) to retrieve the Processing Key because I don’t want to give the AACS LA any extra legal ammunition against any player company.”
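The key hierarchy and the blacklisting that Felten predicts can be modelled in a few lines. This is an added example, not code from the original post or from AACS: the `Authority` class, the player names and the HMAC-based toy key wrap are assumptions, and it follows this post's simplified one-slot-per-player description rather than the real AACS disc format.

```python
import hashlib, hmac, os

def _mac(key: bytes, label: bytes, data: bytes, n: int) -> bytes:
    return hmac.new(key, label + data, hashlib.sha256).digest()[:n]

def wrap(device_key: bytes, disc_id: bytes, volume_key: bytes) -> bytes:
    # Toy key wrap (stand-in for a real cipher): XOR pad plus a short tag.
    ct = bytes(a ^ b for a, b in zip(volume_key, _mac(device_key, b"pad", disc_id, 16)))
    return ct + _mac(device_key, b"tag", disc_id + ct, 8)

def unwrap(device_key: bytes, disc_id: bytes, blob: bytes):
    ct, tag = blob[:16], blob[16:]
    if not hmac.compare_digest(tag, _mac(device_key, b"tag", disc_id + ct, 8)):
        return None  # wrong key for this slot
    return bytes(a ^ b for a, b in zip(ct, _mac(device_key, b"pad", disc_id, 16)))

class Authority:
    """Hypothetical licensing authority: issues player keys, masters discs."""
    def __init__(self, players):
        self.device_keys = {p: os.urandom(16) for p in players}
        self.revoked = set()

    def revoke(self, player):
        self.revoked.add(player)

    def master_disc(self, disc_id: bytes):
        # A fresh volume key per disc, wrapped once for every non-revoked player.
        volume_key = os.urandom(16)
        slots = {p: wrap(k, disc_id, volume_key)
                 for p, k in self.device_keys.items() if p not in self.revoked}
        return {"id": disc_id, "slots": slots}, volume_key

def play(disc, player, device_key):
    blob = disc["slots"].get(player)
    return unwrap(device_key, disc["id"], blob) if blob else None

def demo():
    la = Authority(["hw_player", "sw_player"])           # constructed names
    old_disc, old_vk = la.master_disc(b"title-old")
    exposed = la.device_keys["sw_player"]                # key no longer secret
    la.revoke("sw_player")                               # authority blacklists it
    new_disc, new_vk = la.master_disc(b"title-new")
    return {
        "old_disc_exposed_key": play(old_disc, "sw_player", exposed) == old_vk,
        "new_disc_exposed_key": play(new_disc, "sw_player", exposed) is None,
        "new_disc_other_player": play(new_disc, "hw_player",
                                      la.device_keys["hw_player"]) == new_vk,
    }

if __name__ == "__main__":
    print(demo())
```

Revocation only protects discs mastered after the blacklisting; every disc already pressed still carries a slot for the exposed key.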
3. On the downside: “This copyright notice is copyrighted.” Wendy Seltzer just received a DMCA takedown notice for posting on YouTube a recording of the copyright notice from the NFL’s Super Bowl broadcast. She is a law professor and intended to use the clip for teaching. (YouTube did not waste any time and sent her the letter in 5 days; if only customer service worked that quickly.) Except this is one takedown notice they may come to regret: Wendy runs the Chilling Effects clearing-house where website owners can post takedown notices they received. Even Google used to forward their DMCA notices there, giving full disclosure when search results are altered due to legal requests.