Leaping Brain's "Virtually Uncrackable" DRM is just an XOR with "RANDOM_STRING" (plus.google.com)
720 points by asherlangton 1642 days ago | hide | past | web | 254 comments | favorite



Maybe there's a scheme here to prevent good DRM by flooding the market with highly inflated impressive-sounding claims attached to laughable security. The Old Media crowd won't be able to solve the Design Paradox (http://www.paulgraham.com/gh.html) well enough to tell who's lying, good designs won't be able to charge more than laughable competition, and the DRM field will slowly die.


I have this theory that some DRM schemes were intentionally sabotaged by engineers (DVD CSS comes to mind) to be weaker than they could be, for moral reasons.


Though there is no organized conspiracy, this is actually not far from the truth, especially in some areas of content protection. Companies that don't have the in-house technical expertise (music labels), working from an unprotected distribution system (audio CD) are at a particular disadvantage.

At the other end of the spectrum, you have satellite TV. In this area, a lot of money invested and full control of the playback platform have resulted in some strong systems. But still, it took a long time and a lot of cracks of intermediate systems for this industry to become the success story it is today.

Disclaimer: I worked for a company involved in the above.


Remember DirecTV's war on smart card hackers?

http://www.securityfocus.com/news/143

--------

But DirecTV reacted to that wrinkle over a year ago, by taking advantage of their ability to remotely reprogram the set top satellite receivers, as well as the cards. The company sent a few specific bytes of data to all the H cards, while simultaneously reprogramming the satellite receivers to reject cards that didn't reflect the change. This forced hackers to update the cards manually with the new data, or to make the cards writable again.

--------


Replying to myself, here's the much more exciting retelling of the story: http://www.codinghorror.com/blog/2008/05/revisiting-the-blac...


I think DirecTV is an example of a DRM win (for the company) scenario.

A combination of technology (latest generation smart cards and cryptography) and litigation (going really strongly against infringers) has made DirecTV uncrackable in practice.

The fact that here in Mexico I cannot find someone selling a fully unlocked US smartcard shows that in a way DirecTV has won.

It used to be the case that for US$300 you could buy this fully unlocked DirecTV card to watch all USA channels here in Mexico. This was about 10 years ago when I was in college (and my flatmate used to buy that stuff).


Of course, in the case of satellite TV, you have big companies doing an awful lot of "research" into each others' crypto systems - NDS Group's alleged reverse engineering of OnDigital is the obvious example.


Has anyone pointed out that "BrainsTrust" (in the UK at least) is mostly used sarcastically to mean a stupid/idiotic person. So I think you are onto something here.




Yes, not saying it's never used ironically - I agree that that is probably most common - just pointing out that it originated as a serious label for anyone unfamiliar with the history.


FWIW I'm a UK resident and have never heard it used sarcastically.


As another UK resident, I hear it used sarcastically frequently.


I've only ever heard it sarcastically here in Australia.


All have anecdotal evidence. All must be right.

That is all.


In the US it is often used with a positive connotation.


Connotation or denotation is all in the intonation, which is hard to hear in textual form.


That's gotta be one of the most genius conspiracy theories I ever heard.


"Just a few bytes of brilliance"

Actually, 13 of them.


That sounds like all the consulting the big names provide to _yourfavoritegovernmentagencyhere_ in _yourengineeringprojectofchoice_.

I used to think they did it on purpose, but now I'm starting to think they're just stupid and they actually think they're doing a good job.

A friend of mine sent me a research study on security standards for healthcare and they made suggestions on what to do. It boiled down to this: in essence all they were saying was "use decade old crypto that everyone else already uses; we're just stuck in the past, but I'll make it sound like I just invented something new."

I wish I could find the link.


In fairness, decade old crypto is still perfectly good, with the added benefit of being field tested. Now, if we can only get people to use it properly (as in make crypto libraries that do not require a degree in crypto to use properly).


It depends

3DES is decades old and absolutely not acceptable today.


Triple-DES is actually reasonably secure, but it's not well-suited for software implementations.


It is probably secure at present, but the margins are getting uncomfortably slim.


It was just a study. It doesn't mean it'll get used anytime soon. Think of it like NIST standards. A lot of web developers know about them, but government contractors seem not to. There's plenty of md5 and plaintext passwords in the wild.


Gizmo's point is that if only it were easy for developers to simply drop in an old (battle-hardened, field-tested) crypto system into their code, then we'd see much more of that in the wild, and much less md5 / plaintext.

Developers use md5 and plaintext because of laziness. It's not really a conscious choice on their part. They consciously choose to use MySQL vs Oracle, PHP vs .NET, etc, and they spend much more time thinking about those sorts of choices than about security choices.

Maybe some don't realize they're exposing themselves to alarming danger by storing passwords as md5 or plaintext. But I'd bet money that most simply feel that their current solution is sufficient because it "doesn't really matter anyway" since the likelihood of them getting burned by their mistake seems low to them. So no matter how much you try to make them see that the chance of disaster is in fact alarmingly high, they'll always feel like the chance is low (until their database gets downloaded, and even then they're more likely to rationalize that away as a freak occurrence).

But the root of the problem is the laziness. So we can improve the situation by making it eas(y|ier) to use Crypto libraries properly. If it takes very little effort from average developers to use a crypto library properly, then they're much more inclined to listen. (If it costs them no time, then they're likely to go ahead and use the crypto library instead of a half-baked solution.)

By making it easy to fall into a "pit of success"[1] for crypto, we're only one or two generations of programmers away from making md5 and plaintext password storage extinct.

Unfortunately, it may be impossible to make crypto libraries easy to use without also introducing other (more subtle, yet just as dangerous) security problems, due to the context in which the crypto API is being used. In other words, truly securing an application is Really Hard, which is why tptacek's company (Matasano Security http://www.matasano.com) is so successful.

[1] - http://www.codinghorror.com/blog/2007/08/falling-into-the-pi...


Probably not so much stupid, as ignorant pressure from above, apathy from below, and Marketing off in la-la land selling fantasies. "Let's build something that compiles and ship it, fuck them if it doesn't do as advertised, how will they know?" thinks the programmer.


There is ample evidence that this is already happening.

What's impressive is how long silly schemes (this one in particular) stay afloat!


but shouldn't that have happened by now? DRM has been shockingly pathetic since at least the 1990s, maybe longer.


DRM before 1990 typically involved non-standard floppy disk formats that a home computer could not duplicate. You can read about one such scheme here:

http://dmweb.free.fr/?q=node/210


From http://leapingbrain.com/:

"Video content is protected with our BrainTrust™ DRM, and is unplayable except by a legitimate owner. All aspects of the platform feature a near-ridiculous level of security."

Near-ridiculous security seems about right.


The whole thing is a marketing "worst-of". They consistently advertise their products as "unique, brilliant, revolutionary", "magical, user-friendly, powerful", and "your only option".

The real laugh-out-loud moment is this tagline (http://leapingbrain.com/mod-machine/overview/):

"Forget crappy streaming systems and primitive, unprotected loose movie file downloads that make your products seem like a joke."


I'm actually wondering if the whole leaping brain website is just filled with sarcasm on purpose?

I mean, even for the US, the superlatives seem a bit overdone.


I think you're right. Their word choice about security ("ridiculous" security) seems to be a wink-wink-nudge-nudge touch. In other words, it looks knowingly negligent, and I wonder if that could have legal consequences?


I didn't realize this was a US company because of the awful website copy. The content is just appallingly bad, and seems more like something fit for a web squatter or an eastern-European warez site.


"Forget crappy streaming systems and primitive, unprotected loose movie file downloads that make your products seem like a joke."

That reminds me of a psychic hotline from the 90s which produced an infomercial featuring Billy Dee Williams and an obviously scripted and professionally shot series of vignettes purportedly about a young woman documenting her experiences with the hotline.

Their very next infomercial opened with these words: "Tired of psychic infomercials with phony testimonials and has-been celebrities?"


I bet there is a better way to securely share files.


Near-ridiculous security seems about right.

Not just near ridiculous, it is truly ridiculous!


You cannot simultaneously crow "hurr, DRM is broken!" and act all smug about this discovery. Perhaps the original developer, like you, understood this, and did the absolute bare minimum necessary to fulfil commercial obligations, all the while making it easier for people like himself (i.e. you) to get what they want, and making a few bucks from the old and dying media industry all at the same time.

Given the evidence (complex integration with a non-standard set of open source libs, complex industry area in general), I'd say it's almost certainly an insult to imagine the developer could not have made your life harder if he'd chosen to.

Please, if anything commend the dear fellow, and shame on whoever considered a momentary glimpse of Google Plus limelight worth making this guy's Tuesday morning and ongoing professional reputation much harder earned than it otherwise might have been.

"No good deed goes unpunished"


Please, if anything commend the dear fellow, and shame on whoever considered a momentary glimpse of Google Plus limelight worth making this guy's Tuesday morning and ongoing professional reputation much harder earned than it otherwise might have been.

The developer(s) created a product that didn't do even 10% of what was advertised and now must face the consequences. Why is that bad? Their professional reputation should suffer if the quality of their work is poor.


That's a huge assumption.

Anyone with a few years of experience in the software field has heard the following: I'll pay you N dollars to X but you have to finish by unrealistic Y. I'm the sole provider of a household of 4, so in this kind of circumstances I'll agree to minimum features or specific features plus additional features if time allows. I'll make it very clear that the client can't have their cake and eat it too. Sometimes it's merely a matter of economics, so don't go hanging anyone yet.


the "proprietary video encryption" algorithm: for the first 15kB, each 1kB block has its initial bytes xor'd with the string "RANDOM_STRING".

Any minimally competent developer could have implemented this particular design during, and for the price of, their lunch.
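A runnable model of the scheme as that comment describes it, added here for illustration (not Leaping Brain's code); it assumes "initial bytes" means the 13 bytes of the key, and uses a constructed 20 kB byte pattern as the sample file. It shows how few bytes the transform touches and that a fixed XOR pad falls straight out of any known plaintext prefix, such as a standard container header.

```python
# Educational model of the scheme described in the thread; not the vendor's code.
# Assumption: "initial bytes" of each 1 kB block = as many bytes as the key has.
KEY = b"RANDOM_STRING"          # the "key" quoted in the thread (13 bytes)
BLOCK = 1024                    # each 1 kB block gets its own XOR
PROTECTED_PREFIX = 15 * 1024    # only the first 15 kB of the file is touched


def braintrust_xor(data: bytes) -> bytes:
    """Apply the scheme. XOR is its own inverse, so the same call both
    'protects' and 'unprotects' a file."""
    out = bytearray(data)
    for off in range(0, min(len(out), PROTECTED_PREFIX), BLOCK):
        for i, k in enumerate(KEY):
            if off + i < len(out):
                out[off + i] ^= k
    return bytes(out)


def altered_bytes(size: int) -> int:
    """How many bytes of a `size`-byte file the scheme changes at all.
    Saturates at len(KEY) * 15 = 195 bytes for any file of 15 kB or more."""
    blocks = min((size + BLOCK - 1) // BLOCK, PROTECTED_PREFIX // BLOCK)
    total = 0
    for b in range(blocks):
        off = b * BLOCK
        total += max(0, min(len(KEY), size - off))   # partial last block
    return total


def recover_key(protected: bytes, known_plaintext: bytes) -> bytes:
    """A fixed XOR pad is recovered from one known plaintext prefix:
    protected ^ plaintext == pad. This is why a constant XOR is obfuscation,
    not encryption: the 'key' is implied by any predictable header."""
    return bytes(c ^ p for c, p in zip(protected[:len(KEY)],
                                       known_plaintext[:len(KEY)]))


# Constructed sample "video": a deterministic 20 kB byte pattern.
SAMPLE = bytes(range(256)) * 80

if __name__ == "__main__":
    protected = braintrust_xor(SAMPLE)
    assert braintrust_xor(protected) == SAMPLE
    print(altered_bytes(len(SAMPLE)), "of", len(SAMPLE), "bytes changed")
    print("pad implied by the header:", recover_key(protected, SAMPLE))
```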


Applying Occam's Razor, it is far more likely that incompetence is in play here, rather than a well organized conspiracy to weaken the DRM peddled by a virtually unknown company, thus Doing Their Part to bring easily decryptable media to the internet proletariat (and it would've worked, too, if it weren't for those meddling kids!)


You misunderstand. LeapingBrain don't need the DRM to be good, they just need to persuade the media industry (filmmakers) that they have DRM. Why bother to do more than that?


You don't go throwing around claims like "Fort Knox-Level Security", "near-ridiculous level of security", "We are not aware of a better DRM scheme than ours", "virtually uncrackable" etc, unless you're either the real deal or you're incompetent, because only a fool would assume that nobody in the whole of the internet would call their bluff and gleefully throw it in their face.


But maybe that stuff isn't for us, it's for the film companies that visit the site to check how it looks. Why would the end consumer care about the level of DRM?


Dishonesty is not preferable to incompetence.


You're right, actually. I'm glad it's broken, because it's a lot easier for me to watch the videos I purchased without the DRM. I was just struck by the audacity of their marketing claims.


Way to miss the point. It's just as broken as any other DRM!


As a developer, it's your reputation to protect. If you choose to do substandard work, for whatever reason (be it for the money or for glory), you know the risk you take to your reputation.

If you're really doing it for moral reasons, you won't keep quiet and make a buck while doing it. If you're opposed to drugs, you don't become a drug dealer and make loads of money selling lower quality drugs.


I think you can be stronger than that. It's clearly written to show the "discoverer" that it's only a gesture. I would have thought anyone with an ounce of compassion and empathy would have smiled and kept quiet.

Broadcasting this, and likely harming the developer, for internet points, is a pretty poor move.


Agreed.

Looks like they know they cannot offer a video platform without providing DRM, because the media industry demands it, and they also know that trying to implement unbreakable DRM is futile. Therefore, they just need to implement the minimum needed to convince the media suppliers that their content is really DRM'd.


Yeah, I think this is it. LeapingBrain has to show the media industry that they have DRM, but they don't actually need the DRM to be good or effective. It's just something they have to do. Why faff about putting lots of effort into it?


I am awed by the chutzpah of whoever is behind Leaping Brain, selling snake oil to clueless media people.

This is why I'll never be rich: I am utterly unable to sell crappy non-solutions to people with more money than knowledge.


All DRM is a non-solution really. Some are just non-er than others.

It's like the first law of "info-dynamics": 'If you can watch it, you can copy it'.

Anyone actually paying for a DRM scheme feels to me to be of the same caliber as someone investing in a perpetual motion machine. They're determined to get ripped off throwing good money after bad. Why try any harder than you have to to accept their money?


> All DRM is a non-solution really.

I know that by now it's tradition to say this, but can we please stop?

It seems to be that a law of life is 'everything dies'. Is medicine therefore useless? Are all the people who spend money for nothing but delaying the inevitable getting ripped off?

We all admit perfect security is impossible. Yes, you're right! Controlling the spread of information is a very hard problem. Yes, you're right! It would be very nice if the things I want to watch and listen to were made freely available by their creators.

But no, you're wrong. DRM has a purpose, and it can be successful even without perfectly achieving its goals. People tend to avoid effort, and if you can make pirating content more difficult than obtaining it legitimately, most people will obtain it legitimately.

There is no fundamental reason why information deserves to be free, it's just easier to copy than physical things.


DRM has a purpose, and it can be successful even without perfectly achieving its goals. People tend to avoid effort, and if you can make pirating content more difficult than obtaining it legitimately, most people will obtain it legitimately.

I haven't yet met a DRM scheme that doesn't achieve this purpose backwards(1). What it really rests on is that people don't know they could just get it easier on "allmyvideos.net".

There is no fundamental reason why information deserves to be free, it's just easier to copy than physical things.

It's not just easier. A copy has zero marginal cost. That makes it special and different than anything that came before. DRM seems to just be a monkey-patch to try to get that marginal cost to be non-zero. I'm not saying that it deserves to be free. I'm not even saying that I think it should be. I'm saying that it IS free. We don't want it to be, because our economic models don't support it (yet), but that's its natural state.

I stand by "DRM is silly". If that money were spent providing a better, easier product, they'd make more than they do now with DRM. It seems like they're perfectly willing to spend $3 to keep from losing $1 to piracy. It feels like a kind of willful ignorance.

No data, of course, just a strong opinion, held loosely.

(1) It doesn't take long outside the US to find out that there are plenty of things DRM makes impossible to acquire legitimately.


I'm saying that it [copied information] IS free.

When you say it like that, a light really went on for me. In an undergrad economics class (for some reason I can still remember the exact phrasing the professor used, though it's been almost 30 years): "a good is 'free' if, at a price of zero, supply is adequate to meet demand."

This completely explains the unique situation with regards to digital information. The (marginal) cost to provide a supply adequate to meet demand is zero.... meaning the market will drive the price to zero... digital information is free. As a content publisher, you can want it to not be that way, but that is not the reality.


But that definition isn't true of most digital content. Commercial music, movies and software are effectively subject to price discrimination: pirates pay zero, but legal customers pay nonzero and subsidize the pirates. If the price dropped to zero for everyone then supply would plummet as well.


> If the price dropped to zero for everyone then supply would plummet as well.

That's a myth, because people were writing novels and singing songs and doing theatrical plays long before media distribution and consumption. Even now many musicians earn much more money from live concerts.

Also, I pirate stuff, mostly because where I live I can't get that content at all when I want it. However I also go to the movie theaters nearby with my wife and pay something like $30 for 2 tickets and some popcorn, per movie.

I don't mind paying that price because I'll never have the same experience at home, no matter how awesome my equipment can get, because (1) the size of my monitor is upper-bounded by the size of my living-room walls and (2) watching movies at home is boring.


I don't think you have the evidence to back up that assertion. Certainly the world is changing, but people simply like making and sharing stuff. How much money have you paid for the entertainment you get from Hacker News?


Marginal cost = price only in perfectly competitive markets. For commodity content (e.g., daily news), then yes, the expected long term price is zero. For content that does not have (perfect) substitutes (e.g., the latest Batman movie), the expected market price is not zero.


This was really well articulated; thank you for writing it. I find piracy/DRM/copyright theft/etc difficult to wrap my head around, in the sense that I have trouble deciding where I stand on many of those issues. The "information deserves to be free" thing has always rung a bit hollow to me, but

  "It's not just easier. A copy has zero marginal cost. That makes it special and
  different than anything that came before. DRM seems to just be a monkey-patch
  to try to get that marginal cost to be non-zero. I'm not saying that it
  deserves to be free. I'm not even saying that I think it should be. I'm saying
  that it IS free. We don't want it to be, because our economic models don't
  support it (yet), but that's its natural state."
makes way more sense.


>I haven't met a DRM scheme that doesn't achieve this purpose backwards

Steam would be a good example. It is DRM in the sense that it prevents people from simply copying the game folder anywhere, and it is more convenient than pirating (at least most of the time) with the advantages of things like pre-loading most of the files before the release date, and offering fast servers from which to download your game.


Incidentally if you copy the game folder to a friend who has actually bought it, say you've all bought a game for a LAN party, but not all of you have good connections at home, that -does- work, which has proven super convenient for me on more than one occasion.


I did not know this, and it makes me love steam just a little bit more.


> I haven't yet met a DRM scheme that doesn't achieve this purpose backwards

Because most people think that this time around, DRM is going to work perfectly, when actually, you have as much expectation it will work perfectly as that cheap Master Lock from the hardware store.

> DRM seems to just be a monkey-patch to try to get that marginal cost to be non-zero.

This is indeed the right way to think about it.

> If that money were spent providing a better, easier product, they'd make more than they do now with DRM.

Or there's the example with Steam, where you have better and easier combined with just a little DRM applied intelligently.


I wouldn't go tooting Steam's horn too loud. Their system is not nearly as wonderful as many consumers assume it is. Steam does not place ANY limitations on what DRM a publisher can use. They can use StarForce, they can come up with their own magic elixir, they can require you to send naked photos of yourself to the publisher for 'safekeeping' and Valve will permit it. Steam has 1 guiding principle: The Publisher is ALWAYS right. The publisher must be able to do anything they wish, without any restrictions whatsoever.

Contrast this to a system like Apple's iTunes which set up a market with strict rules the publishers had to follow to join. They HAD to sell songs individually. They HAD to sell them for 99 cents a track. They HAD to permit the user to burn them to CD. Etc, etc, etc. Steam does not have even one single "have to" when it comes to games publishers. It is a publishers wonderland.

If you have lightweight DRM on Steam games, you have the games publishers to thank for that, not Valve. Valve would not protect you from even the most extreme forms of DRM if a publisher wished to do it. Valve even goes so far as to spend hundreds of thousands of dollars (possibly millions but I doubt it) to have their developers create features which enable publishers to make it look like they're embracing digital distro when they're not. Case in point: the ability to download a game when it's done... and then sit there and wait with it encrypted and complete on your hard drive, paid for... until physical retailers can get the game on their shelves. And users think this is a feature! It is a crippling of digital distro, which operates at light speed as opposed to the slow-as-molasses speed of physical distribution. Valve didn't have to do this. They could have said 'when you upload it to our servers, the customers who preordered it get the content available immediately', but they didn't, they followed the Golden Rule of Steam - The Publisher is ALWAYS right.


In other words, Steam lets the market decide on the appropriate level of DRM, and otherwise nothing you wrote is materially different from what I said.


Okay, let's say a copy is (essentially) free. So what? There are plenty of things that people buy where marginal cost of production is << than the price.

Concretely, why is selling a DVD with a marginal cost of production of $0.50 for $15.99 ok, but selling a movie with a marginal cost of $0.001 for $15.99 "special and different from anything that came before"?


One could argue that the DVD is an attempt to tie the information to a physical object. The DVD has no value in itself.

Whenever I have bought optical media, I have thrown it away as soon as I had the data on my hard drive.


> A copy has zero marginal cost. That makes it special and different than anything that came before.

I disagree that this is news. Thought experiment: You steal a car from the local dealer, but you leave enough money behind to pay for all the materials, transportation and manpower that went into building this one car (the marginal cost). Would this be morally okay? Why, why not? If everyone does this, who will pay for R&D?

Exactly the same is happening with digital copies. You are taking something with a marginal cost of 0, but the producer has no way to pay for one-time costs. Distributing them onto the unit price is not a new monkey-patch at all.

This will be an interesting question as 3D printing advances.

> but that's its natural state.

"Natural" is always a great word to turn an intuition into a fact. ;) There are certainly many products that are sold at arbitrary prices that have little to do with the marginal cost, it didn't take computers to get there.


This thought experiment is flawed. When you steal a car from the local dealer, he doesn't have the car any more.

The correct thought experiment is: having bought a car from Ford, you examine it carefully then purchase all the raw materials yourself and assemble an identical duplicate for your wife.

In doing so you save whatever markup Ford places above and beyond their marginal cost.

Asking whether this is morally okay is the true issue.


I agree that the local dealer should be kept out of it. I am not sure if it makes a difference that Ford wouldn't have the car anymore, they have the marginal cost. Asking for more than the marginal cost seems to be immoral to some.

But I agree that your experiment boils down to the problem I am pointing to, and it is better because it is a very real problem that we see every day (e.g. in China).


> I am not sure if it makes a difference that Ford wouldn't have the car anymore, they have the marginal cost. Asking for more than the marginal cost seems to be immoral to some.

It does, and the cases are not comparable. Leaving an empty space (plus marginal cost) where the car used to be requires the original owner to expend time and effort to replace it, and they have opportunity cost as well. None of that is true of the digital example. To be a fair comparison you'd have to leave an atom-for-atom identical replacement for the car (or more accurately, take an identical copy and leave the original) and I doubt as many people would judge that unethical.


When I use "natural", I don't mean it to express an opinion that I believe that is moral to copy that Disney movie just because I can(1). Natural in this case refers to the economic description of 'free'. An unfettered digital file has unlimited supply at no cost. Therefore supply will be sufficient to meet demand, even at a price point of zero. Things can be sold at arbitrary prices, even given away, but with physical things, the supply will not always be sufficient to meet the demand. A unit with a marginal cost that is given away is not free. This is why using cars or other physical goods produces leaky analogies; there can never be an unlimited supply of any physical good.

You are taking something with a marginal cost of 0, but the producer has no way to pay for one-time costs. Distributing them onto the unit price is not a new monkey-patch at all.

This is actually a very good observation. We've reached the point where the entire cost of the good is the one time production cost and we've discovered that we've got no good way to collect it. DRM is the best we've got right now, and it's awful. You are more than correct in pointing out that 3D printing (and localized digital micro-manufacture in general) is about to make this problem acute.

As we stumble into our Star Trek future, we should be expending as much innovative energy as we can into finding a way to solve this issue.

(1) At this point in history, with the operation of the market as it currently stands, I lean towards no, it is not moral to bootleg that Disney flick.


> we've got no good way to collect it. DRM is the best we've got right now

While DRM is awful, I think we should keep in mind what advantages we (arguably?) enjoy from this monkey-patch (distributing one-time costs onto an arbitrary unit price). With Kickstarter and other one-time funding, there is no incentive to absolutely excel and make a huge profit from unit prices. There is also little risk in delivering a terrible product because one-time costs have already been covered.

> As we stumble into our Star Trek future, we should be expending as much innovative energy as we can into finding a way to solve this issue.

If this Star Trek future is anything like a utopia, then I don't see anything wrong with agreeing to keep the monkey-patch in place, even if it is not natural in the economic sense, or even enforceable. (Very much like privacy - it's not really enforceable, but I really hope that society starts to respect it anyway.)


First of all everyone is not going to do this - they haven't in the past. A few points...

If you like the car and you tell others they will most likely buy it at full cost or a least with a profit still on it.

Servicing the car will most likely depend on the manufacturer's own part on which they make a profit.

In terms of sales there is one more on the road, which will contribute to the quarterly reports for the company causing the share price to rise.

If the dealer has had it on the forecourt for several months they actually want to get rid of it now and they will bring the price down towards, or even below, what they paid for it. You may even end up paying more than they were going to sell it for.


"A copy has zero marginal cost. That makes it special and different than anything that came before"

I love the rest of your post, but this stood out. It's special and different from anything that came before hundreds of years ago. But copyright wasn't invented yesterday, and patents weren't invented yesterday either. They've been around for hundreds of years.


Sure they have, but the cost to make each copy of a book hasn't been zero until very, very recently. That's the special part.


True. But this area, and the arguments that go with it, isn't just about the cost to copy a book (copyright). It's also about patent law - ideas were just as easy to copy back then. It's about copying plays, where the cost of copying the "book" is trivial, compared to the cost of the production itself.

I'm no historical expert, but I would wager that looking through history, you'll find that this situation isn't as unique as most people think. People were debating copyright in the English Parliament during the 1800's, including debates on piracy which practically predict the current situation.


> DRM seems to just be a monkey-patch to try to get that marginal cost to be non-zero.

Yes, that's absolutely what it is. As a society, we seem to believe that information can be owned. We get angry at each other for 'stealing jokes'. Fanboys around the world are up in arms whenever another platform copies some feature from their beloved. Plagiarism is an accusation which can ruin a career. We have always felt entitled to do what we please with the fruit of our labors, and we feel no differently when that fruit is information.

We have all had bad experiences with DRM, but we've all had bad experiences with technology in general. Especially here on HN, why does the conclusion have to be "DRM is intrusive and impossible to do right anyway" instead of "What an opportunity for a non-intrusive alternative"?

I'm not saying the second option is right, but why can't it be?


> Yes, that's absolutely what it is. As a society, we seem to believe that information can be owned

Two wrongs (information cannot be "owned" in the same sense of a physical thing, regardless of how much one wants to believe it; and that DRM can be effective) do not make one right. Note that I'm not discussing values here - just pure technical issues.

Here are the two problems of DRM in a nutshell, that make it into snake oil.

1. The "owner" of the content wants to make said content available to person X, but not to person X's recording device, which is indistinguishable from X.

2. It is enough for said content to be freed from DRM once, to become universally free of DRM.

No matter how smart your protocols, cryptography etc. are, because (1) if you can display it on a screen, and take a picture of said screen, with a high resolution capture device, you've defeated DRM. And then because of (2) the DRM scheme, regardless of its other merits, becomes ineffective.

That's why DRM cannot be done right, even if you assume it's the right thing to do. (which I don't)


  > Plagiarism is an accusation which can ruin a career.
There's a difference between ownership of an idea, and plagiarism. An example of trying to 'own' an idea would be:

  1) Person A creates an idea
  2) Person B independently creates the same idea (or
     something extremely similar).
  3) Person A attempts to assert control over the idea
     by dictating what Person B can or cannot do with it
     based on the fact that Person A 'got there first.'
An example of plagiarism would be:

  1) Person A creates an idea.
  2) Person B copies Person A's idea, and attempts to claim
     independent creation (or attempts to claim creation prior
     to Person A).
The real difference is that with plagiarism, Person B is committing a fraud about the source of the idea. It's more about authorship than anything else. Even in a society where you couldn't own an idea, you could still have authorship as the first person to think of something.



There is a very important difference between "owning" information - which is impossible and any attempt to do so is morally reprehensible - and the "creator's right" of being named as said creator - which is perfectly fine. All your examples are more or less instances of the latter - it's not okay, for example, to plagiarize because you are violating everyone's right to truth.

"We have always felt entitled to do what we please with the fruit of our labors, and we feel no differently when that fruit is information."

Except that fruit of your labor is not "information", it's a "copy of information". And of course you are entitled to do whatever you want with it. As am I, if I have gained access to it by any means that did not violate your privacy (eg., breaking into your house or hacking into your computer) or other fundamental rights (copy"right" is not a right, it's a privilege - very, very important difference, as rights cannot be granted by law). In other words, I cannot force you to share something with me. But neither can you forbid me from sharing things I have - including pieces of information - unless they violate one of your fundamental rights (for example, your dignity).


Name one real-world DRM system that makes piracy look less attractive for content (movies, music, books).

The only successful shops I can think of, such as Amazon, Steam, etc., aren't successful due to DRM (at least, not from the piracy perspective). It's due to an easier shopping experience, with the DRM getting out of the way. I'm not sure you can even meaningfully call Amazon MP3's approach DRM: it's just watermarking.

Pirating content is trivial and easy. In order to compete, you have to make an as-nice experience. Buying a book on the Kindle store is _easier_ than torrenting the book (if only slightly) - DRM has nothing to do with this aspect. DRM doesn't even remotely stop the spread of content.

The only time I've heard DRM being remotely effective is really complicated systems on games, delaying a crack by a week or so, which apparently increases sales (at the cost of plenty of bad-will from paying customers) - although I'm not aware of any published studies that really investigate that and compare to the negative sides. This is the only time your analogy of medicine delaying death makes sense; one small use case, and only for specific programs, not general content.

But for content? DRM is a non-solution, really.


> Pirating content is trivial and easy. In order to compete, you have to make an as-nice experience.

Yes, but it's a two-part process. Bits are very easy to copy around, and providing an easy way of giving money will only get you so far. What happens when the alternative of pirating is just as easy, but doesn't require money? If you want to make a nicer experience, you will eventually have to make pirating harder.

> DRM doesn't even remotely stop the spread of content.

Of course it does! No, it doesn't stop you. You know what torrents are, you know which torrents are likely to be viruses and which are in formats your computer is capable of reading. Many people out there know none of that, but can easily find the itunes button on their ipads. And all of those people have no way of sharing the things they buy, thanks to DRM.

> Name one real-world DRM system that makes piracy look less attractive for content (movies, music, books).

Here's another: Netflix. All you do is give Netflix a little bit of money each month, and then you don't have to worry about starting the download a couple hours before you want to start watching. You don't have to worry about getting caught under the new six-strikes program. You can't easily copy what Netflix gives you thanks to good old DRM, but that doesn't really hurt you.


> Many people out there know none of that, but can easily find the itunes button on their ipads.

This doesn't have anything to do with DRM, though. If DRM didn't exist, people would still easily find the iTunes button on their iPad, and would still have a hard time navigating torrents and file format issues. All DRM seems to do is slowly teach those who can't authorize that nth device to learn how to torrent.


You can't easily copy what Netflix gives you thanks to good old DRM, but that doesn't really hurt you.

Unless you happen to run a non-mainstream OS. Or move to Mexico. In which case it hurts you all the way.


Yeah, but for all that running it on Linux is a pain-in-the-bum, Netflix is on iOS, Android, and most set-top TV boxes.

I have 8 devices in my house that can play Netflix and only 1 ubuntu machine that can't -- but only because I don't want to go through the headache of patching WINE.

People have gotten Netflix working on Ubuntu before.


Both PS3 and XBox 360 games are much harder to pirate than to buy. Also, depending on how far you stretch DRM, a pirated copy of World of Warcraft is fairly useless.


> People tend to avoid effort, and if you can make pirating content more difficult than obtaining it legitimately, most people will obtain it legitimately.

The problem with DRM is that with information, it doesn't matter if it's more difficult for any given user to pirate. It only takes one person to make a copy of it without DRM, and they can then share it, and now nothing can stop anyone from viewing it. At least, that's the case without horribly repressive measures that don't allow anyone to view their own media.

All the DRM does is make legitimate use harder. If you want to find a free copy, you can; but if you're a legitimate user, and want to make a backup of your DVD? Nope, sorry, people aren't allowed to sell tools to help you do that. Want to capture a few seconds to comment on? Nope, sorry, people can't legitimately distribute tools that allow that. Want to skip the stupid previews? Nope sorry, also illegal.

The problem with DRM is that if it doesn't work perfectly, all of the bad things that it's trying to prevent can still happen, and in the meantime, tons of legitimate uses are banned, and we start to produce technology that is oppressive and works against the interests of its users.


Perfect security is theoretically possible, what gets in the way is human error - AND it really matters what you're trying to protect and from whom.

Encryption deals with sending messages from A to B such that a third-party C can't intercept the message. In a DRM scheme B and C are the same, which is why DRM is flawed by design, because:

(1) no amount of patching can ever fix it

(2) it punishes legitimate customers, as pirated content is far easier to deal with, while not suffering from lock-in effects; the irony might be that DRM is helping the prevalence of piracy

(3) no matter how hard it gets to create the initial DRM-free copy, from then on all other copies are zero-cost - which means it only takes one dedicated individual to create a pirated copy and all people that pirate stuff can enjoy it ;-)

> DRM has a purpose

Of course it does. Its purpose is to save a dying business model that was made obsolete by technology ... 1000 years ago there were businesses selling ice to clients.

The equivalent of DRM would have been to restrict refrigerators from producing ice. Fortunately for us, we realized that selling refrigerators is a lucrative business too.


Perfect security is theoretically possible, what gets in the way is human error

I forget where I read the story (might have been Cryptonomicon), and I don't know if it's true, but I find it quite illustrative of the point.

During WWII the British were finding that some of their messages encrypted with one time pads were being cracked by the Germans. Since they were pretty sure that was mathematically impossible they were quite shocked and immediately launched a full investigation.

Eventually they found that the problem was the team generating the one time pads (basically a room full of people drawing bingo balls with letters on them at random) had started second-guessing the randomness of letters generated. They'd started to subconsciously avoid balls that would lead to what they thought were patterns in an attempt to make the otp more random. Of course this led to less randomness and broke the security of the otp.


Do you really think that all DRM users are idiots who believe in perfect DRM security?

Gosh, people who buy locks must be stupid, because anybody with a crowbar can simply pry the door out of its frame.

DRM deters people from copying content willy-nilly. You might argue about the quantitative results, but it does something, and as long as it has more value than it costs, people will pay for DRM.


But there is a big difference. If someone breaks a lock they get into your house, but if someone breaks DRM, DRM-less copies of that movie will be on the pirate bay within a day. Then users copy the DRM-less copies willy-nilly.

Directly controlling the distribution of digital artifacts is nearly impossible.


What would you say the ratio is, of all the data the NSA has vs. all the data WikiLeaks has published?


If you want to expand DRM to mean "all information security, anytime, anywhere", then you can coerce truth out of your statement.

But such a definition of DRM is pointless and tries to brush over the fact that actual DRM implementations (as in copy-protection schemes used by Amazon, iTunes, Bluray, etc.) are worthless.


Do note that he said nearly impossible...


Your analogy is not right.

DRM is more like leaving your file on the desk and putting a lock on the Xerox machine.


DRM isn't like a lock exactly. Locks keep people out period.

DRM tries to keep people from making off with the stuff in the house after you've already let them in through the door.

DRM schemes seem mostly to be misunderstandings about how encryption and authentication fit together.


  > Locks keep people out period.
Unless you have a key, or a lock pick, or a Bic pen[1], etc...

[1]: http://en.wikipedia.org/wiki/Kryptonite_lock#Lock


The Bic pen trick works wonderfully, and quite a few laptop locks still use the same kind of key. I got lucky with the speed, but my dad lost $20 to me in less than 30 seconds when his $20,000 warrantied lock opened without the key.


The file is the house. The DRM is the lock. If you have a key to the house, you can see what's inside. Just like if you have a key to the DRM, you can view the contents of the file.


Somebody who wants to break into a house with a crowbar is running a few risks.

Someone might be inside the house when they break in and that person might be armed.

Someone might see them opening the door with a crowbar and either report them or stop them.

They may be recorded on CCTV en route to my house, or stopped by the police and have to explain why they were carrying a crowbar late at night.

Even if they are not caught in the act, the incident will almost certainly be reported to the police afterwards.

None of these risks really exist in terms of breaking DRM.

If someone could break your house lock simply by tapping a button on their smartphone then I would suggest that locking your house is pointless.


You can say the same thing about strong public key cryptography as well - "if you can read it, you can copy it" - but that doesn't say anything about the encryption technology itself.

In the case of DRM, we are not in general interested in the received material being secret to us whereas in the use of traditional public key cryptography we are. The incentives are not aligned in the case of DRM, no matter what technology is used.


I don't know why this is a hard concept for people to understand.

DRM is basically the equivalent of Schroedinger's box. You want the content decryptable so that it can be consumed, yet you don't want it to be copied. The problem is, decrypted content does not discriminate use cases. If it's clear-content, it shall do as the handler of the content wishes to do.

Possibly the only method I can think of would be PKI enabled hardware. I've not thought completely on it enough to proclaim it practical or otherwise, but I had an idea that the player somehow has onboard memory to store public keys that are required for a disc to play.


I assume you mean the private keys would be on the player?

This would work until somebody manages to do a memory dump of one of the players and posts the private key on the internet.

Even if you were to re-encrypt the data for each individual player (manufacture each with a different key) you still have the problem that one DRM free copy can multiply quickly via bittorrent etc.

The most practical solution would be to have players that will only play DRM protected medium and require hardware circumvention on each individual player to bypass that and hope that this is more effort than it is worth to potential pirates.


By the same logic, a door with a lock is a non-solution to protect your flat. Nevertheless I do not see people getting angry about other people installing those in their homes.


It's easy to laugh at stuff like this, right up until they get the contract to secure your online banking...


> I am utterly unable to sell crappy non-solutions to people with more money than knowledge.

This is why us engineers quietly keep the world running.


> whoever is behind Leaping Brain

http://leapingbrain.com/about/ - all of them seem to be proudly listed there. Gotta watch the page for disappearances :)


While this is a particularly terrible DRM system for videos and I'm sure there are some really pissed off people at media companies who are learning this the hard way, in practice this is really no worse than any other video DRM system out there when it comes to stopping piracy.

HDCP is cracked, the genie is out of the bottle and there's no practical way to put it back in without causing a consumer uproar. All you can do technically is try to prevent super casual pirating of digital content, because the tech savvy can't be stopped by any practical solution. (Of course, even if HDCP wasn't cracked the analog loophole would still render DRM on any non-interactive content mostly useless).

So ultimately this stupid system (even now that it is 'cracked') is still about as effective as any other when it comes to stopping that super casual pirating.


Exactly. It's not much safer if it's encrypted with AES compared to what they did, as long as you give the user all the keys. If the keys are RANDOM_STRING or 0x2ebfgh... also doesn't matter.


Me either, but then I remember who implements and requires these restriction schemes, and my morality somehow becomes a lot more flexible...


I wish it were "clueless media people". It's actually clueless sign language teachers, clueless yoga instructors, etc. They're ripping off small businesses, not big media.

http://leapingbrain.com/clients/


If these guys could amass a big client list with their broken DRM and a crappy, clunky, and ugly site, app, and online store, then there is surely a market for a DRM-free video platform.


My suspicion is that they wrote the "secure" DRM first -- probably actually encrypting the video files -- and realized that it was way too slow to decrypt before playing the file, and for whatever reason couldn't figure out streaming it to the player during decryption.

So they hacked together something that was acceptably fast, figuring they'd solve this technical difficulty for the next release, and that was that....

It's also unfortunately possible that (until now, at least) only the developer(s) knew about this shortcut, if their internal dynamic is sufficiently poor.


I prefer to believe this was the minimum viable product for the DRM market.


I think you're giving them way too much credit.


Having a conscience sucks sometimes.


I would like to propose that DRM is not intended to be uncrackable. It's easy to convince yourself that DRM is flawed, because fundamentally it is a flawed tool. Companies know this, they're not stupid. However, DRM is actually not a technical tool to prevent piracy. Rather, DRM is a legal tool to provide stronger legal arguments that theft has occurred.

I'm not saying this is right, necessarily, but I think companies know full well that their DRM scheme will be broken, so it's not really worth investing in an "uncrackable" and costly solution. Instead, the role that DRM play is purely legal -- when the company does decide to go after someone for piracy, the DRM scheme, no matter how simple, provides them with the ability to say that the accused person "broke a lock," rather than simply walking in through an unlocked door. "Entering" vs. "breaking and entering." It's nothing but legal leverage, and effective at that role even if it's not a very strong lock.

Of course, to have this argument hold, a company would never be able to admit that they purposefully implemented weak security -- this would be akin to admitting that their door was unlocked afterall, and would weaken their legal argument. Therefore, there remains a niche in the market for solutions that look secure even if they fundamentally aren't. It's all about lip service.


In the US, the DMCA more or less makes it illegal to reverse-engineer DRM regardless of how easy it is to crack.

The DRM could be as simple as the code being "A" to bypass the DRM and if you do so, you have broken the law. Even providing that "A" to someone else would be illegal, look at all the silliness over the dvd copy protection fiasco. Therefore, they don't even have to pretend that the DRM is strong, just saying it's there is probably enough.

It's one reason printer cartridges have chips that communicate to the printer. Reverse-engineering that to provide third-party cartridges is illegal. Well, it used to be, I'm not sure over current policy as the DMCA has a back door for exceptions.

For PC games, the DRM is often employed to prevent piracy for the first two or three weeks because typically that's the highest level of sales. After that point it is usually cracked but sales often have dipped anyway. In some cases the DRM is removed in a patch at some point, often because the DRM causes problems for people who paid for the game, which kills long-term sales. Ubisoft recently changed their policies on having a seriously strict DRM to one that is more flexible; many thinking because it hurt their sales and that it was useless anyway.

No one thinks of DRM as a long term solution since it is only a matter of time before someone cracks it.


Anyone can make a bump key, but breaking into people's houses is still a crime :)


Actually, if it were covered, the DMCA would make creating a bump key a crime in and of itself. For instance, there was a time that simply linking to a DVD CSS descrambler could get you in legal trouble. But considering the widespread availability of such things, they don't bother anymore.


I did a lot of reverse engineering back in the day - you'd be surprised how many "virtually uncrackable" DRM protections used by companies like Adobe (at the time - Macromedia) that were just stupid XORs of magic strings.

Ahh..the good old days of SoftICE and w32disassm.

Oh man, the worst was the md5 of some salt + whatever you put in.

If you ever want to see some gems of misuse of cryptography for DRM management, let me know - email's in my profile.

Some examples: Using RSA 1024 bit keys, with exponent of 3...


e=3 is fine, so long as you remember to pad...


It's not that simple. There are other attacks against e=3, and you have to prevent them all.


What kind of attacks remain when using proper padding (e.g. OAEP)?


Being who he is, it would be interesting to hear him elaborate.


The original commenter said, "using RSA 1024 bit keys with exponent of 3" was a flaw in DRM systems he or she had reviewed. Your response was "e=3 is fine, so long as you remember to pad" and then "what kind of attacks remain when using proper padding (e.g. OAEP)?"

I feel a bit queasy any time I read "just do this" as a solution to crypto flaws[1]. Such answers assume way too much about the system the proposed fix applies to and make it sound trivial to secure. They also leave out all the steps behind what things "just pad" means (e.g., receiver must verify the padding and sender must properly generate).

When a developer hears "just pad", they think "append a string of zeros" when implementing a sender or "skip" when writing a receiver because that's what it means in other contexts.

In particular, your response assumed the DRM system in question:

* Was performing RSA encryption of a message, not signing or verification

* Used a public exponent e=3, not a private exponent d=3

Assuming the reader knows enough about RSA and cryptography to know what "just pad" implies, it may still be insufficient to solve the problem.

For example, if the commenter meant d=3, "just pad" wouldn't fix Wiener's attack.

http://en.wikipedia.org/wiki/Wiener%27s_Attack

Or, in the cases of RSA used for purposes other than message encryption, the suggestion of OAEP does not apply. Consider the attacks against the TMN secret sharing protocol and Franklin/Reiter verifiable signature sharing scheme (sections 5.1 and 5.2 of this paper).

http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.33.6...

The F/R scheme involves RSA encryption of signatures. But signatures must be the full modulus size (no padding possible) unless you use a larger RSA key for encryption than for signing. So again, OAEP would not fix this flaw.

Remember that the commenter was mentioning DRM, so jumping to the conclusion that they were using RSA for straightforward message encryption and with e=3 was not warranted. There are lots of applications for RSA in DRM (verifying a signature on a license key, calculations under homomorphic encryption, etc.)

For many scenarios, "just pad" would not solve the problem, even with the generous assumption that the reader knows exactly what that means and applies it correctly.

[1] I'm not picking on you here. The most astounding of these kinds of errors was when Colin Percival (who I highly respect) said "use AES-CTR mode + HMAC" and then later found he had made a fatal flaw in his own implementation of exactly that.

http://www.daemonology.net/blog/2009-06-11-cryptographic-rig...

http://www.daemonology.net/blog/2011-01-18-tarsnap-critical-...


Great response, thanks; I had not even considered the d=3 possibility. I'd just like to say in my defense that mentioning OAEP wasn't assuming the application was encryption: it was simply the first provably secure padding that came to mind.


Ok, glad to help. I agree with your defense, and e=3 is the obvious assumption for most situations.

You're right that RSA with e=3 can be as secure as e=65537, assuming an application where you use proper encryption/signing padding and verification. But it is more brittle in that partial failures in padding randomness or encryption of related messages can lead to compromise. Unless carefully reviewed and appropriate fail-closed measures are not present, it's better to avoid e=3.
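As an added illustration of why "just pad" carries so much weight with e=3 (example code written for this thread, not from any commenter or product mentioned here): a short message under textbook RSA with e=3 is recovered by a plain integer cube root, while the same message under a full-width randomized padding is not. The Miller-Rabin helper, the 512-bit demo modulus and the toy padding (a stand-in for OAEP, not OAEP itself) are all assumptions of the example.

```python
import random
import secrets
from typing import Optional

# Constructed demo helpers.  Hand-rolled number theory is for illustration
# only; real systems should use a vetted RSA implementation with OAEP/PSS.

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int, e: int = 3) -> int:
    """Random prime of the given size with gcd(p - 1, e) == 1 so e is usable."""
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if (p - 1) % e != 0 and is_probable_prime(p):
            return p


def icbrt(n: int) -> int:
    """Integer cube root: largest r with r**3 <= n (Newton iteration)."""
    if n < 2:
        return n
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


def textbook_rsa_encrypt(m: int, n: int, e: int = 3) -> int:
    """RSA with no padding at all: c = m^e mod n."""
    return pow(m, e, n)


def cube_root_recovery(c: int) -> Optional[int]:
    """When e = 3 and m^3 < n no modular reduction took place, so the plain
    integer cube root of c is m itself.  None means c is not a perfect cube."""
    r = icbrt(c)
    return r if r ** 3 == c else None


def randomized_pad(m: int, n: int) -> int:
    """Toy full-width randomized padding (a stand-in for OAEP, not OAEP):
    0x00 || random filler || 0x00 || message, sized so the result is below n
    while its cube is far larger than n."""
    k = (n.bit_length() + 7) // 8
    mb = m.to_bytes((m.bit_length() + 7) // 8 or 1, "big")
    if len(mb) > k - 11:
        raise ValueError("message too long for modulus")
    filler = secrets.token_bytes(k - len(mb) - 2)
    return int.from_bytes(b"\x00" + filler + b"\x00" + mb, "big")


def demo(bits: int = 256) -> dict:
    """Encrypt a short constructed license string two ways under a fresh
    demo modulus (two 256-bit primes, so about 512 bits)."""
    n = gen_prime(bits) * gen_prime(bits)
    m = int.from_bytes(b"license-key-0042", "big")  # 128 bits, so m**3 < n
    unpadded = cube_root_recovery(textbook_rsa_encrypt(m, n))
    padded = cube_root_recovery(textbook_rsa_encrypt(randomized_pad(m, n), n))
    return {"modulus_bits": n.bit_length(), "plaintext": m,
            "unpadded_recovered": unpadded, "padded_recovered": padded}


if __name__ == "__main__":
    print(demo())
```

The same cube-root shortcut applies to any setting where the padding leaves the cubed value below the modulus, which is why partial padding failures are what make e=3 brittle.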


This could very well be a simple bug where it's supposed to XOR with some really random string generated on the server, but some replacement of a template string isn't happening which is why it XORs with RANDOM_STRING.

Of course this is only marginally better and should really have been caught, but there's a huge difference between saying that XORing 12 bytes with RANDOM_STRING is kick-ass DRM and actually having a kick-ass DRM infrastructure that then doesn't work right because of a bug.

If this was any really random looking string, I would be more inclined to assume that this was intentional. By the string being this token, I would guess it's a bug somewhere.

Remember. If RANDOM_STRING was truly random, unique per file and account and only transmitted from the server before playing, then this would be as good an encryption as any.


That wouldn't be better. Intercepting the decoded movie is trivial either way. Finding the encryption scheme was just a fun exercise and discovering the random string (even if it isn't "RANDOM_STRING") once you have the decrypted copy is trivial as well.


My understanding is that when using the xor cipher, even if the key is truly random, the file could still be trivially completely decrypted for a repeating key. It seems like a rather unwieldy cipher if you need to download a key which is nearly the same size as the video file.
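To make the point above concrete (an added example, not code from the thread or from Leaping Brain): a repeating XOR key, whether it is the literal RANDOM_STRING or 13 genuinely random bytes, falls out of the fixed header every media file starts with, and the whole file decrypts; only a key as long as the file (a one-time pad, as in the WWII story earlier in the thread) stops that. The 32-byte MP4-style "ftyp" header and the payload bytes are constructed sample input.

```python
from itertools import cycle
from typing import Optional
import secrets

# Constructed sample header: a standard 32-byte MP4 "ftyp" box.  Real media
# files begin with fixed, publicly documented bytes like these, so anyone
# holding the file also holds some known plaintext at offset zero.
KNOWN_HEADER = b"\x00\x00\x00\x20ftypisom\x00\x00\x02\x00isomiso2avc1mp41"

# Known-plaintext bytes that a candidate key must explain beyond its own
# length; this keeps chance matches out of the result.
MIN_CONFIRM = 8


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key, cycling the key if it is shorter than data."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def recover_repeating_key(ciphertext: bytes, known: bytes) -> Optional[bytes]:
    """Known-plaintext recovery of a repeating XOR key of unknown length.

    For each candidate length L the first L ciphertext bytes XORed with the
    first L known bytes give a candidate key, accepted only if it also
    reproduces the rest of the known header.  Returns None when no short
    repeating key fits, which is what a one-time key looks like from here.
    """
    n = len(known)
    for length in range(1, n - MIN_CONFIRM + 1):
        candidate = xor_bytes(ciphertext[:length], known[:length])
        if xor_bytes(ciphertext[:n], candidate) == known:
            return candidate
    return None


def demo(payload_len: int = 4096) -> dict:
    """Compare two repeating 13-byte keys with a one-time key on one file."""
    payload = secrets.token_bytes(payload_len)  # stand-in for compressed video
    plaintext = KNOWN_HEADER + payload
    results = {}

    # Repeating keys: the literal token from the post, and 13 random bytes.
    # Both are recovered from the header alone and decrypt the entire file.
    for name, key in (("fixed", b"RANDOM_STRING"),
                      ("random13", secrets.token_bytes(13))):
        ct = xor_bytes(plaintext, key)
        found = recover_repeating_key(ct, KNOWN_HEADER)
        results[name] = (found == key,
                         found is not None and xor_bytes(ct, found) == plaintext)

    # One-time key: as long as the file and never reused.  The header still
    # reveals its own 32 key bytes, but they say nothing about the rest.
    otp = secrets.token_bytes(len(plaintext))
    ct = xor_bytes(plaintext, otp)
    results["otp"] = recover_repeating_key(ct, KNOWN_HEADER)  # None
    return results


if __name__ == "__main__":
    print(demo())
```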


This is apparently why the DMCA anti-circumvention provisions only apply to bypassing "effective copy protection" systems.

Of course, if a copy protection system was "effective" it wouldn't need a law prohibiting its circumvention. Conversely, if a copy protection system is circumventable, it's not effective.


IANAL, but I'm pretty sure you are misreading that. A technology that "effectively controls access" means that it has the effect of controlling access. It's not a qualitative statement on how well it works.


Since it uses [L]GPL software then this comes into play:

https://www.gnu.org/licenses/gpl-faq.html#DRMProhibited

" Does GPLv3 prohibit DRM?

    It does not; you can use code released under GPLv3 to develop any kind of DRM technology you like. However, if you do this, section 3 says that the system will not count as an effective technological “protection” measure, which means that if someone breaks the DRM, he will be free to distribute his software too, unhindered by the DMCA and similar laws.

    As usual, the GNU GPL does not restrict what people do in software, it just stops them from restricting others.
"


Unfortunately, the term "effective" is highly ambiguous. One could argue that any system that works against non-programmers is effective, as most of the market is a non-programmer.


The term "effective" is defined in the DMCA:

1201(a)(3)(B) a technological measure "effectively controls access to a work" if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work.

So, even trivial measures like the broadcast flag or SCMS[0] are covered by the DMCA's anti-circumvention provisions. Similar laws in other countries have similar definitions.

[0] https://en.wikipedia.org/wiki/Serial_Copy_Management_System


This is roughly the level of programming I expect from DRM software. After all, the content needs to be in unencrypted format at some point to view it.[1] Therefore there are two kinds of programmers working on DRM, idiots and liars. One kind does not understand the futility of their efforts, the other kind wagers that their superiors do not understand the futility of their efforts.

[1] Assuming a general computation device, not a dedicated hardware player.


Someone want to explain why this is less secure than other DRM methods?


Precisely. They've gone to an effort which should invoke the DMCA (as ridiculous as that is) and they have a bullet point somewhere on a power point they can show to content creators that says DRM.

Those are the practical uses of any DRM technology one might ever devise.

Sure, you could throw in more than 5 seconds of security-through-obscurity, but why bother?


There actually are DRM schemes which were too hard to break -- DIVX from Paul Kocher (distinct from DivX), for instance.


What uses Divx DRM? I.e., Is there evidence of anyone actually trying and failing to break Divx?

Edit: I'd guessed we were talking about Divx (of the DivX codec fame) http://en.wikipedia.org/wiki/Divx , which apparently has some DRM products now and is owned by Rovi-formerly-known-as-Macrovision.


http://en.wikipedia.org/wiki/DIVX

I don't think there's actual evidence of many people actually trying to play DIVX rental discs. I only ever bought a player and discs to try to defeat the DRM (and was way overmatched; I think I could break it today with what I know and maybe with a lab I could put on a platinum amex, but not sure)


Kocher's team also did BD+, which people definitely try to break, and BD+ has been successful in its "academic" goal (if not in its business goal). They're also behind some other notable DRM/Content Protection success stories.


How so? Every single BD+ update gets cracked pretty quickly by Slysoft (and several other apps now) and most Blu-rays are cracked, reencoded and pirated before or just after their release. It's not anywhere close to the "uncrackable masterpiece" its creators marketed it as. It was even supposed to be "patchable" if flaws were found, but the patches are only stop-gap measures which are circumvented by Slysoft and others in just days.

BD+ is mostly just an annoyance for legit customers, but it hasn't been a major obstacle for pirates and backupers for years. The goal of BD+ was to stop software-based piracy of Blu-Rays and it failed miserably on that front.


Heh, if only you knew the stories behind all this.

What if I told you that the attackers had a 2-month head start on some discs due to insiders leaking them -- would that make a difference? What about if you found out that there weren't as many "rippers" as it seems because for a while, one of them was a "thin client with remote access to a competitor's ripper"?

Also, the "uncrackable" thing came from an external analyst who had no communication with anyone at the company and was obviously wrong.

http://www.avsforum.com/t/871371/bd-unbreakable-for-10-years...

BD+ _is_ renewable, meaning no single hack breaks the system for all time (unlike DVD-CSS). There's always something you can do, and with enough resources, it can still give attackers a challenge.

I'm not saying that BD+ is the most successful DRM scheme ever, but I do think it's done well given the particular environment. If you want an out-and-out success story from the same company (8 years, no hacks ever), see the CryptoFirewall. This is an apples and oranges comparison though.


Wow, it seems like you actually co-designed BD+, HN never ceases to amaze me.

It would be really cool if you could go into more detail, this is extremely interesting! Especially the second paragraph.

I'm far from an expert on BD+, so this is pure speculation, but it seems to me that the patches don't work properly because they can't patch the fundamental part of BD+ which Slysoft has figured out. It would be really weird if Slysoft actually has managed to find a completely new flaw in BD+ for every BD+ patch that is released. It seems much more likely to me that the patches can't actually fix the flaw itself, they can just hide it or change some parameters/keys (which Slysoft knows how to find), requiring Slysoft to constantly release new updates to "patch the patches". It may give Slysoft's developers a constant challenge, but it also seems to give them a constant unique selling point that they profit greatly from.

Is this correct or have Slysoft actually managed to find dozens of different exploits in BD+, one for every BD+ patch?


Since HDCP has been 'broken' (with the master key leak), couldn't someone copy a blu-ray bitstream without having to crack any blu-ray protection format?


It wouldn't be the blu-ray bitstream but it would be the decoded digital video bitstream. It would need recompressing although from such a high quality source then generational loss should be fairly minimal.

It also would not get you any interactive elements which for some may be an issue although for others it may be preferable in this way.


I'm not saying it's impossible, merely saying that the technical strength of a DRM system is often not one of the primary goals.


Indeed, and Divx was actually a commercial failure, partially due to how annoyingly complex their rights management was (but mainly because their partner was dying).

DRM (and similar tech) works pretty well in specific cases, like printer-ink DRM. I actually think ERM was a great idea, but sadly failed to DLP and other solutions (basically blacklist vs. whitelist of permitted activities).

Where it fails is software, particularly "media content", on commodity players, fully in possession long-term of end users, who are otherwise hostile, with no real costs to a failed break attempt.


Printer ink: another CRI success story.


The printer ink thing is probably their #1 success story, although the non-DRM version is to build some patented shape and rely on patents for protection, which may also work. (IANAL though; I know you can do compatible designs in some cases, too).

This whole "DRM for 3d printing" thing is a red herring -- the real war was "DRM embedded in physical devices we purchase", like auto parts and ink, and that was fought and lost in the last decade.


You might try asking Slysoft, which has to continually release new betas of AnyDVD HD as Macrovision randomly decides to break their software with updates of BD+.

Or, you could ask all the people who used to make 6 figures dealing H-cards for DirecTV, but can't anymore.


Additionally, I don't know of any other major system that has gone 4 years without an open-source hack. Since 2008, the only BD+ rippers are commercial.

Also, credit should be due to the designers of Cinavia as it has succeeded with the least secure design possible. It's a watermark in the compressed stream that is checked by the _player_, which mutes the audio if it is present. All you have to do is patch the player to ignore the mark or play it with VLC and it is "bypassed".

However, even the commercial rippers have not yet stripped off this watermark and all bypasses other than playing in VLC have been partial (e.g., needed an old PS3 firmware).


We use simplifications when we teach things (eg crypto) to people.

When people learn about cryptography they learn that one time pads (OTP) are the only mathematically provably secure cryptography. Everything else is thought to be secure, but we don't know.

Then they learn why OTPs are not used more often. (You need a pad as large as the text you want to encrypt; the pad must be really random; you must never reuse the pads; you have to get the pads to the person doing the encrypting and decrypting.)

And then they learn a bit more and one of the simplifications they learn is to XOR a bit of text with a string; they encrypt plaintext with a key. This is not a real crypto system, it's just a silly little demonstration.

But a disturbing number of people seem to stop there and say something like "Let's use XOR and a secret key and it's a bit like a OTP so super secure!!" but they forget that you must have a pad as large as the plain text.

So their crypto system is really very very weak.

Other DRM systems have been broken, but usually by smart people working hard with advanced techniques.

I could have broken this system.

The other thing that's bad about it is that it is ridiculously easy to intercept the decrypted files and copy those.

So they've sold a system to small un-clueful content distributors and they've used hyperbole to do so.

And the law prevents us from telling those content distributors because we're not allowed to circumvent a technical copyright protection method.


The business goal behind most of these "protection" methods is to make unauthorized (unpaid) copying/sharing inconvenient. That's it. There are no commercially feasible methods to protect video or audio content against "a determined hacker", but that's not what these barriers are for. You can make fun of these laughable encryption methods all you want, but they serve their purpose by providing the desired purchase to piracy ratio.

The problem is marketing folks getting carried away when describing these "technology solutions" to the content owner, because that's what they (as well as VCs) want to hear.

Disclaimer: cofounded a video CDN+DRM provider more than a decade ago, developed many content protection methods over the years.


How do we know this wasn't a non-english speaking subcontractor that took the spec too literally?


What the hell? That implies someone who can't implement security themselves was tasked with the design of said security. Actually, that sounds about right ..


Judging by the headline, it sounded like they tried to implement a one-time pad, but had only heard of them by rough description.


That was my thought too.

In theory, OTPs are nigh uncrackable.

In practice, they suck.

1. The XOR text needs to be as long as the plaintext.

2. The XOR text needs to be truly random.

3. You have to distribute the XOR text somehow. Remember all those spy novels where they burn the codebooks? Yeah.


It very much depends on the use case. If I was a CIA director having an affair with a biographer, an OTP would seem quite helpful. During our liaisons, we could exchange thumb drives with several GB of randomly generated data from any of a number of reasonably random entropy sources (hardware PRNG works pretty well by itself, but you can throw in EGD and other sources for greater confidence) with some software whitening and the occasional bit of chaff plaintext for good measure. At each exchange destroy any previous pads (and yes, one would have to go to some lengths to ensure destruction without interception, but tossing them into an incinerator would probably work pretty well).

Now I have a means to communicate over the internet while apart from my paramour without any concerns about the content of the messages being decoded while in transit (compromises at the source or destination are obviously still in play).

Not every crypto problem involves establishing a secure connection with a party selected ad hoc without a higher-bandwidth secure channel.


> In theory, OTPs are nigh uncrackable.

One-time pads are mathematically proven to be uncrackable if used correctly. This is because, for any given cryptext, every possible plaintext of the same length is equally probable.

Using a one-time pad correctly means only using a given pad once, the 'pad' being the key material. If you ever reuse the same key, you are no longer using a one-time pad and the above proof no longer applies.

And if your pad is 13 bytes which you keep reusing over and over again, you're a bleeding idiot.


One time pad requires the key to be as big as the plaintext. This looks like a weak variant of the Vigenere cipher.


Ha, so the key really was "RANDOM_STRING", in the literal sense...was that just the programmer giving up, or was that pseudocode that was missed during shipping?


What string could possibly be more random than the one which says "RANDOM_STRING"?




The script was amazing.


I don't know about random, but "SECURE" would have been more secure.


Obligatory XKCD: http://xkcd.com/221/


"RANDOM_STRING" implies a suspiciously structural byte alignment.

"RANDOM_BITS"


Can someone explain how he got a hold of the decrypted .mov files that he compared the encrypted ones with? It's not very clear to me from the post, and I'm not familiar with Leaping Brain.

Either way.. wow... XOR encryption with just such a short repeating string! I bet it wouldn't be too hard to decrypt it even without the original file, since the file signature alone would probably be longer than the string. DISCLAIMER: I'm just speculating, I don't know the .mov specs.


Looking briefly at the .mov file format[1], it appears that any such file is guaranteed to have exactly the same bytes 4-11 (atom identifier and major brand identifier), is almost guaranteed to lead with three zero bytes (first four bytes are the length of the first atom, which is likely to be small), and will probably have the same bytes 12-15 (minor version number). If you know it's a .mov file, then you can extract "RAN" and "OM_STRIN" trivially, and the rest is easily guessable from there. In fact, since the first three bytes are probably zero, "RAN" will be right there in the file, ready for pondering.

[1] https://developer.apple.com/library/mac/#documentation/Quick...


The wrapper script is GPL'd, so I copied it here:

http://dl.dropbox.com/u/15447644/brainplayer_py.txt

My modifications are on lines 553-556. The compiled app "fixes" the .mov file just long enough for it to be loaded into the player. If you have Leaping Brain's player installed (often branded with the content owner's name), the .mov files are in a hidden .media folder. On my Mac, they were in $HOME/Library/Application Support/LeapingBrain/catalog/$VIDEONAME/.media


Thanks for sharing! Hope you won't get in trouble for your post.


Not sure how he could get in any trouble from it due to the license at the very top of the file he linked:

  # BrainPlayer is free software: you can redistribute it and/or modify
  # it under the terms of the GNU General Public License

I'm sure Leapfrog hated to put that GPL license on there but were likely forced to due to the VLC components they're using that are GPL/LGPL.


And, as per https://www.gnu.org/licenses/gpl-faq.html#DRMProhibited the DMCA cannot be applied to this software.


He just performed a bitwise XOR of the plaintext and ciphertext stream to obtain the key.

From the post:

By comparing the binary files, I discovered the "proprietary video encryption" algorithm: for the first 15kB, each 1kB block has its initial bytes xor'd with the string "RANDOM_STRING".

See:

https://en.wikipedia.org/wiki/XOR_cipher


From what he says, it sounds like the app is really a standard movie player, plus their 'encrypter', plus a python script that does the following:

> calls 'decrypt movie_file' to create 'decrypted_movie_file'
> calls 'play decrypted_movie_file'
> calls 'delete decrypted_movie_file'

He just made a copy of the python script that calls their own decryption module but removed the delete line.


I don't even know what's worse - their "proprietary encryption algorithm" or the fact that they used Python for a critical piece of distributed software that you don't want to be reverse-engineered!


For the record, distributing Python scripts doesn't have to mean distributing the source: it's possible to just execute the compiled .pyc files, which are harder to crack than (for example) Java's .class files.

Also, since xor is just a CPU instruction, you won't immediately notice it in the decompiled script (if you get that far). With all the overhead that decompilers tend to produce, it's really easy to miss.


You should really take a look at one of these .pyc files. They are very very verbose to the point that they even contain local variable names and the python code can be trivially decompiled from the bytecode.

Literally the only thing that goes missing from .py to .pyc is comments.


That's what an assembly dump looks like to an experienced reverse engineer. Writing something in a "compiled language" because it's more secure is like XOR-ing your video with RANDOM_STRING and calling it DRM.

(Not that any DRM scheme can ever work, ever, but hey. At least some try to try.)


Can't work ever? Are you taking orders for hacked DirecTV cards? :)


I think you guys have two different definitions of "work". jrockway seems to be arguing from a technical perspective, but you're likely arguing from a practical perspective. Sure, DRM can "never work" in that there's always the analog loop and all that. But it's absolutely possible to make it so insanely complex and difficult that no one will ever break it; DirecTV has shown that angle works, without a doubt.


I think the distinction is between software and hardware DRM. DirecTV controls the entire hardware chain. This means they can do various proper encryption schemes (public/pre-shared key etc) that are actually near impossible to crack and make it really, really hard to obtain the key by making the key write-only in the crypto-chip.

In a pure software solution, you control the hardware, and any hiding of the key is subject to reverse engineering the software.


There's also a distinction between access to the data stream vs the ability to make a duplicate of it.

For all of the success they've had in protecting DirecTV, if you've got a legitimate access card feeding HDMI data out, you can make a perfect digital copy of the video stream that has no copy protection whatsoever. So ultimately the DRM offers no protection for the media content companies (at least those that don't benefit from live performances like say sports games), though it does for the pipe provider who will surely get his monthly satellite fees.


I agree with your comment, except that "difficult" doesn't necessarily imply "insanely complex".

Counter-example: we once timed a release of a very minor protection update to when the main attacker typically took a holiday. We got 6 weeks out of something trivial, buying more time to work on the major release to greet him when he returned.


It all comes down to economics. Buy a beater bike, and sure, you can secure it well enough. (Mean time between stolen is low enough you don't care too much.) Buy a really nice one that everyone wants, and good luck with that.

Popular, recently produced media has too much value to too many attackers to protect. A celebrity's self shots -- same thing. A game console by Microsoft or Sony -- same thing.

> But it's absolutely possible to make it so insanely complex and difficult that no one will ever break it

A more accurate way to put it: If you make the return on effort ratio low enough, the probability of someone breaking it goes down, and it might even go down enough for you to get away with it for a useful amount of time.


It's not that simple. Sure, unpopular systems are more obscure and less likely to attract attention, but you're wrong in extending that to "if it's popular, it will be broken" (denying the antecedent).

As a counter-example, I propose DirecTV or even their competitor, Dish Network (Nagravision). Hacks of these systems are worth 6 figures, pay TV is widely desired, and there hasn't been a DTV hack since 2004. None.


> you're wrong in extending that to "if it's popular, it will be broken" (denying the antecedent).

Putting words in my mouth there. If it's popular, the probability it will be broken goes up.

> there hasn't been a DTV hack since 2004. None.

You're preaching to the choir here. Still, that's one tidbit I didn't already know. The old mainframe Mantis language is another example.


.pyc files are actually really easy to decompile, it's just that most people have never encountered the tools required to do it. I believe they literally contain the entire abstract syntax tree for the Python source code.


No, they contain marshaled bytecode. I documented the format at http://daeken.com/python-marshal-format a while back (should still be more or less correct).


Python's bytecode is for a stack machine, if I'm not mistaken, and such bytecode is a serialization format for ASTs - a post-order traversal for expressions. Interpret stack machine bytecode symbolically and it reconstructs an AST:

Compilation:

  1 + 2 => (+ 1 2) => push 1, push 2, add

Interpretation:

  push 1 => 1
  push 2 => 2, 1
  add    => (+ 1 2)

Control flow makes things slightly more complicated, but not for predictable code generation.

Obfuscated bytecode which e.g. doesn't maintain consistent interpreter stack depths for every code path (illegal for JVM or .net CLR) would make things a little harder to analyze, but I doubt that's often the case in practice with Python.
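The symbolic interpretation described in the comment above, as an added example that is not part of the thread: a toy post-order instruction set (push/load/add/sub/mul/div/neg, an assumption, not CPython's real bytecode) is compiled from an expression tree and then rebuilt from the bytecode by running it with trees on the stack instead of values; the stack-depth check is the malformed-bytecode case mentioned above.

```python
from typing import List, Tuple, Union

# An expression is a leaf (int constant or variable name) or (op, operand, ...).
Expr = Union[int, str, Tuple]

# Toy instruction set (constructed for this example): mnemonic -> operator.
BINARY = {"add": "+", "sub": "-", "mul": "*", "div": "/"}
OPCODE = {op: mnemonic for mnemonic, op in BINARY.items()}


def compile_expr(expr: Expr) -> List[str]:
    """Emit post-order bytecode: operands first, then the operator."""
    if isinstance(expr, int):
        return [f"push {expr}"]
    if isinstance(expr, str):
        return [f"load {expr}"]
    op, *args = expr
    code = [ins for a in args for ins in compile_expr(a)]
    if op == "neg":
        return code + ["neg"]
    return code + [OPCODE[op]]


def decompile(code: List[str]) -> Expr:
    """Symbolic interpretation: the stack holds expression trees, so each
    operator instruction just builds a node from the operands below it."""
    stack: List[Expr] = []

    def pop() -> Expr:
        if not stack:
            raise ValueError("stack underflow: malformed bytecode")
        return stack.pop()

    for ins in code:
        name, _, arg = ins.partition(" ")
        if name == "push":
            stack.append(int(arg))
        elif name == "load":
            stack.append(arg)
        elif name == "neg":
            stack.append(("neg", pop()))
        elif name in BINARY:
            rhs = pop()          # the right operand was pushed last
            lhs = pop()
            stack.append((BINARY[name], lhs, rhs))
        else:
            raise ValueError(f"unknown instruction {ins!r}")
    if len(stack) != 1:
        # A well-formed expression leaves exactly one value behind; anything
        # else means the code path does not keep a consistent stack depth.
        raise ValueError(f"malformed bytecode: {len(stack)} values left on the stack")
    return stack[0]


def is_well_formed(code: List[str]) -> bool:
    """True if the bytecode decompiles to a single expression tree."""
    try:
        decompile(code)
        return True
    except ValueError:
        return False


def to_sexpr(expr: Expr) -> str:
    """Render a tree the way the comment above writes it: (+ 1 2)."""
    if isinstance(expr, tuple):
        return "(" + " ".join(to_sexpr(e) for e in expr) + ")"
    return str(expr)


if __name__ == "__main__":
    tree = ("*", ("+", "x", 1), ("neg", 2))
    code = compile_expr(tree)
    print(code)                          # ['load x', 'push 1', 'add', 'push 2', 'neg', 'mul']
    print(to_sexpr(decompile(code)))     # (* (+ x 1) (neg 2))
```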


Yeah, the reconstruction isn't hard at all, but it's not a direct 1:1 mapping to the AST, since multiple control flow structures in the AST can become the same thing in bytecode. That said, it's quite simple to make it Good Enough (TM); the reason I wrote that and the RMarshal module was that I was writing a Python decompiler as part of a larger commercial project. I should release the decompiler at some point.


There's also https://github.com/gstarnberger/uncompyle which automates .pyc to .py "uncompyling"


The player decrypts the file before it is played and then encrypts again when it is finished, so if you grab the file while it is being used by the player then it will be decrypted.


Reusing one-time-pad keys means you can often very easily recover the plaintext simply by XOR'ing the two encrypted files, since it effectively takes the key out of the picture, see for example http://www.cryptosmith.com/archives/70 (where the key is literally taken out of the picture)


The "proprietary player" was just a Python script that made a temporary decrypted copy of the video and ran VLC against it. So he just changed the Python script to keep around a decrypted copy rather than re-encrypt it away.


"Well, since they load the file from a Python script, it's easy to make a copy of the "decrypted" file before it's reverted."

He edited their Python script to make a copy.


*facepalm* Come on, people!

First rule of weak DRM, you do not talk when you find weak DRM.

Second rule of weak DRM, you DO NOT talk when you find weak DRM.

Third rule of weak DRM, upload to pastebin, then walk away.


That's not the second rule, but the first rule repeated.

How am I supposed to take weak DRM seriously when it has a third rule but no second rule?

:)


You need to learn your cultural references young man. Go watch Fight Club and report back with your results.


"All aspects of the platform feature a near-ridiculous level of security."

Well... They weren't lying...


To be fair, when I read the title I thought that if the string is truly random then it's actually a very good technique. This is the core operating principle behind the one-time pad which is provably secure.

Now that I read the article twice, I literally got a panic attack when I realized that it wasn't a random string that they were xor'ing their data with, but a string called "RANDOM_STRING". Although it sounds bad, one must realize that this is not security by obscurity since the key has been leaked, and nobody guarantees encryption against a leaked key.


'very good technique' The important part of a one time pad isn't the xor, it's the length. This does not even begin to resemble a one time pad. It's an xor cipher.


Yeah exactly. I cannot convey the utter disappointment I had when I realized that it was "RANDOM_STRINGRANDOM_STRINGRANDOM_STRING...." that they were XOR'ing with.


Anyone who has taken Computer Security 101 would know that security through obscurity is not the smartest thing to do. Calling it "near-ridiculous level of security." is downright blasphemy.


Blasphemy? Sounds like nothing more than the simple truth. If anything, they're being too humble. It literally is a ridiculous level of security, for here we all are ridiculing it.


Or just (unintentional) truth in marketing...


Except that these videos are playing on your local machine. With the most advanced DRM mechanism possible it is nearly as trivial to simply record the video output.

There is no reason to spend developer time making a complex mechanism that is no more secure than a simple xor.


Recording the output is not the same as extracting the DRM-free stream


This is educational content not blockbuster films. Recording the output in this case would be more than sufficient.


The only mistake in that was the word "near". It's purely ridiculous, since that method has nothing to do with security, honestly speaking.


I wouldn't even call it security through obscurity. I'd call it dumb as rocks security.


Not to mention, a foolhardy challenge to break it.


You know what's absolutely terrifying? This guy could conceivably go to jail for this. Looks like he has kids, presumably a wife... hoping it goes well for him.


There are two software engineers and a product architect listed on the about page - http://leapingbrain.com/about/

It might be a good idea to remove their names, to protect their reputation. ;-)


Tomorrow on HN: "Legislation passed to embed DRM chips into people's heads, which automatically shut down visual input if un-authorized content is detected playing in their vicinity. Three strikes policy before permanent blindness."


"It turned out the actual player, launched from their compiled app, was a Python wrapper around some VLC libraries"

Isn't VLC licensed under the GPL? Or at least was until very recently? http://www.jbkempf.com/blog/post/2012/How-to-properly-relice...

Is/was Leaping Brain violating the license?

EDIT: the wrapper script is apparently released under the GPL too: http://news.ycombinator.com/item?id=4834834


> Is/was Leaping Brain violating the license?

No, I can't see how they are.

Here's one GPL FAQ that's vaguely relevant:-

https://www.gnu.org/licenses/gpl-faq.html#CompanyGPLCostsMon...

But this question is very relevant:-

https://www.gnu.org/licenses/gpl-faq.html#DRMProhibited

" Does GPLv3 prohibit DRM?

    It does not; you can use code released under GPLv3 to develop any kind of DRM technology you like. However, if you do this, section 3 says that the system will not count as an effective technological “protection” measure, which means that if someone breaks the DRM, he will be free to distribute his software too, unhindered by the DMCA and similar laws.

    As usual, the GNU GPL does not restrict what people do in software, it just stops them from restricting others.
"


Just a heads up, but I think (assuming it's not somebody else on the page) the formatting of your GPL quote means that it doesn't break automatically, making the comment page very wide (at least in IE9).


I didn't mean DRM violated the GPL, I thought that they may not have been complying with the GPL by not releasing their code that used libvlc, but it appears they are.


Breaking repeated XOR with a string is a variant of the Vigenere cipher or the Vernam cipher, depending on how you think of it. Either way, breaking it is a freshman cryptography exercise.


The Vernam cipher is actually quite strong when used correctly - the key needs to be as long as the input; it's never repeated :)

http://en.wikipedia.org/wiki/Gilbert_Vernam#The_Vernam_ciphe...


Could someone (OP?) provide more of the steps that might have gone (went) into discovering it was an XOR operation and the original string? Seems like an impressive intuitive leap to me!


Once I had both versions of the files, I looked at them in a hex editor. Since there were some null bytes at the beginning of the video file, it wasn't hard to guess the string they were using. I'm not going to post the files themselves (for obvious reasons), but here are the first 16 bytes of the unencrypted and encrypted files (in hex and ASCII, from xxd). Unencrypted:

  0000000: 0000 0020 6674 7970 7174 2020 2005 0300  ... ftypqt   ...

Encrypted:

  0000000: 5241 4e64 2939 2623 2526 696e 6705 0300  RANd)9&#%&ing...


Maybe OP just xor'd the files with each other and the result was the RANDOM_STRING string followed by a pile of \0 bytes, repeat.

Edit: To clarify, I meant the encrypted and temporarily-decrypted-by-the-wrapper-script versions of the same .mov file.


The XOR of two ciphertexts under P XOR K isn't K (you have to know a plaintext to make that trick work, which, granted, you likely would here). The solution that doesn't require a known plaintext is comparably simple.


As the post says, he gained access to both decrypted and encrypted version. Then (p XOR k) XOR p = k.
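The scheme as the post describes it (first 15 kB, the initial bytes of each 1 kB block XOR'd with "RANDOM_STRING"), the known-plaintext recovery (p XOR k) XOR p = k from this comment, and the ciphertext-only recovery from the fixed 'ftyp' header bytes discussed further up, worked together as an added example that is not part of the thread or of Leaping Brain's script. The 16-byte header pair is the xxd dump quoted above; the exact block layout, the 20 kB stand-in file and the assumption that the major brand is 'qt  ' are constructed for this example.

```python
import random

# The literal key quoted in the thread. BLOCK and PROTECTED_LEN follow the
# post's description; the exact layout (key at the start of each block) is
# an assumption made for this example.
KEY = b"RANDOM_STRING"
BLOCK = 1024
PROTECTED_LEN = 15 * 1024

# The 16-byte plaintext/ciphertext pair quoted from xxd in the thread.
PLAIN_HEAD = bytes.fromhex("00000020 66747970 71742020 20050300")
CIPHER_HEAD = bytes.fromhex("5241 4e64 2939 2623 2526 696e 6705 0300")

# Fixed bytes of a QuickTime 'ftyp' header, as the .mov format comment notes:
# bytes 0-2 are the high bytes of a small atom length (0x00), bytes 4-11 are
# the atom type 'ftyp' and the major brand ('qt  ' assumed here).
KNOWN_HEADER = {0: 0, 1: 0, 2: 0, **{4 + i: b for i, b in enumerate(b"ftypqt  ")}}


def xor_blocks(data: bytes, key: bytes = KEY) -> bytes:
    """The 'encryption' as described: XOR the first len(key) bytes of each
    1 kB block, for the first 15 kB only. XOR is its own inverse, so the
    same call decrypts."""
    out = bytearray(data)
    for start in range(0, min(len(out), PROTECTED_LEN), BLOCK):
        for i, k in enumerate(key):
            if start + i < len(out):
                out[start + i] ^= k
    return bytes(out)


def recover_key(plain: bytes, cipher: bytes) -> bytes:
    """Known-plaintext recovery: (p ^ k) ^ p = k. Bytes the scheme never
    touched XOR to zero, so the key is the non-zero prefix of the first
    block's difference; every other protected block must agree."""
    if len(plain) != len(cipher):
        raise ValueError("plaintext and ciphertext must be the same length")
    diff = bytes(p ^ c for p, c in zip(plain, cipher))
    first = diff[:BLOCK]
    keylen = max((i for i, d in enumerate(first) if d), default=-1) + 1
    if keylen == 0:
        raise ValueError("files are identical; nothing was XOR'd")
    key = first[:keylen]
    for start in range(BLOCK, min(len(diff), PROTECTED_LEN), BLOCK):
        if diff[start:start + keylen] != key[:len(diff) - start]:
            raise ValueError(f"key differs at offset {start}; not a fixed repeating key")
    return key


def recover_from_header(cipher_head: bytes, key_len: int = 12) -> str:
    """Ciphertext-only recovery: XOR the encrypted header against the bytes
    the file format fixes. Positions with no known plaintext byte (the low
    length byte at offset 3) come back as '?'."""
    out = []
    for i in range(key_len):
        if i in KNOWN_HEADER and i < len(cipher_head):
            out.append(chr(cipher_head[i] ^ KNOWN_HEADER[i]))
        else:
            out.append("?")
    return "".join(out)


def make_sample(size: int, seed: int = 1234) -> bytes:
    """Constructed stand-in for a .mov file: the quoted header followed by
    seeded pseudo-random filler (compressed video is close to random)."""
    rng = random.Random(seed)
    filler = bytes(rng.getrandbits(8) for _ in range(size - len(PLAIN_HEAD)))
    return PLAIN_HEAD + filler


if __name__ == "__main__":
    print(recover_key(PLAIN_HEAD, CIPHER_HEAD))        # b'RANDOM_STRING'
    print(recover_from_header(CIPHER_HEAD))            # RAN?OM_STRIN
    sample = make_sample(20 * 1024)
    enc = xor_blocks(sample)
    print(enc[PROTECTED_LEN:] == sample[PROTECTED_LEN:])  # True: only 15 kB touched
```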


It's so easy to solve repeating-key XOR for the key that the solution is a practical way to detect the scheme; you wouldn't even necessarily bother trying to detect it, you'd just run the "solver" (even calling it a solver sort of dignifies it a bit too much).


So that's generally true--Babbage's solution to the Vigenere was one of my favorite things to learn in basic crypto--but amusingly I'm not sure it would be easy in this case!

In particular, while I don't know the .mov file format backwards, the last step (after lossy encoding) is probably a lossless encoder, either LZ-type or some sort of entropy coder. This means that the plaintext is going to be a very good approximation of IID coinflips; in other words, a one-time pad _key_.

"Decoding" the repeated-key XOR also decodes the one-time-pad encryption of the repeated-key interpreted as plaintext. This is, well, hard.

(mov may have enough frame structure/boilerplate that this doesn't apply; I don't know.)


Is the solver just (cyphertext XOR plaintext)?


No (although that's how this guy solved this system).


After recovering the original file, he "compared the binary files". Likely this means he popped them both up in a hex editor and noticed the difference. XORing by a string is a very common very very trivial thing to do, so it would be pretty high on your list of things to notice.


He said it was decoded by a Python script.. so easy to understand from the script I guess.


From their website:

Fort Knox-level security.

Video content is protected with our BrainTrust™ DRM, and is unplayable except by a legitimate owner. All aspects of the platform feature a near-ridiculous level of security.


Back in the 1990s, the revolutionary organization Sendero Luminoso was naive enough to believe in WordPerfect's encryption. This was a grave mistake, for that encryption (for 4.2 and 5.1 at least) was a simple XOR of the password against the text--and in 5.1 you had 10 or so bytes of known text to compare against in the header. The decryption of the files was not the only thing that worked against Sendero Luminoso, but it must have hurt them.


...I find it extremely funny when people use the word "virtually" to mean "practically" or "nearly" or "almost" and they turn out to be wrong but are excused by the fact that they added the magic word "virtually" :) ...and conversely, if someone uses the word when talking to me, I label everything the person says afterwards as 99% weasel words...


I find it curious that (after 242) there are no comments here ranting about ir/responsible disclosure. Is this simply indicative of the readership's unanimous hatred of all things DRM - or is there perhaps a threshold of ineptitude beyond which we feel ethically free to fully disclose vulnerabilities?


Hm, anybody remember Dmitry Sklyarov? http://en.wikipedia.org/wiki/Dmitry_Sklyarov

As far as I recall the Adobe PDF encryption was also just some XOR with a simple passphrase. Got him into serious trouble.

And WTH is 'virtually uncrackable'?


This should be lauded just as much for being a solid little piece of citizen, even activist, journalism. The specific issues about DRM are important, but I think the greater willingness to really look into things and publish the results should be encouraged.


This is what they call a 1024 bit Vernam Cypher in the movie "Swordfish".


The CEO of Leaping Brain (or someone pretending to be him) has now joined the Google Plus thread, implying that the "DRM" was intended as satire...
