Keurig competitors crack company's DRM code (consumeraffairs.com)
74 points by thisisblurry on Aug 29, 2014 | 88 comments

The fact that a coffee maker has DRM at all is depressing.

Hah, just wait until you experience the INTERNET OF THINGS.

There will come a day when the proverbial walled garden becomes a literal walled garden, and we'll all get to say "we told you so!"

It won't be particularly satisfying, but in that dystopian near-future, it will be one of life's few remaining pleasures.

> "It won't be particularly satisfying, but in that dystopian near-future, it will be one of life's few remaining pleasures."

[expression of cynicism detected]

[content override triggered]

[querying for user's linguistic analysis based on previous communication]

[synthesizing praise for walled garden using user's linguistic profile]

[deliver praise to recipient instead of ungood sentiment]

Seriously though, we're already filtering Facebook posts based on "relevance". We're a really, really thin line away from silencing posts based on the sentiments expressed within.

Filtering based on sentiment? Oh, they're way ahead of you there: http://money.cnn.com/2014/06/30/technology/social/facebook-e...

Zoom. Enhance.

...the internet of things that you do not really own or have any control over anymore.

This is just a step away from e.g. toasters that won't toast anything but "authorised" bread (packaged in cartridges for "convenience", I'm sure...) A lot of this vendor lock-in has already been happening in the computing industry with things like printer cartridges, but as more and more appliances become "smarter" the incremental implementation costs of lock-in decrease so it becomes more widespread.

On the other hand the saying "when there's a will, there's a way" fortunately continues to apply, so we see "breakthroughs" like this. However, the frightening part is that this will no doubt be considered a "flaw" or "security breach" by some, so the systems gradually become more secure over time, and sadly this is security against the users. I could imagine this easily escalating into use of cryptography, which might then result in firmware hacking, countered by even stronger cryptography (e.g. signed firmware updates), leading to hardware hacking, stronger anti-tamper hardware, etc.

Breaking that kind of DRM is easy. Very, very easy.

Step 1: Get some wheat, eggs, water, etc. Make bread. Step 2: Get some wood, coal, gas, some fuel. Step 3: Bake bread.

DRM PWNED. This walled garden is the kind of walled garden you build around cattle. If the cows move, you can't just build a fence around them.

I think it is fantastic. Companies lately are moving toward profits over customer loyalty, which seems counter-intuitive. Keurig et al. need to learn a lesson from this and stop the silly nonsense. They have already cornered the at-home brewing market (or close to it I would assume) and personally have never seen a non-Keurig branded K-cup that they are so worried about. There is no need to get greedy.

It would be depressing if a Keurig were the only way you could obtain coffee.

Perhaps Keurig should print their logo onto the cups with said special ink, and the machine should identify the logo with an image matching algorithm. If I understand trademark law correctly, competitors wouldn't be able to reproduce the Keurig logo without the strong possibility of facing repercussions for trademark infringement. I mean in reality it wouldn't work well at all and just make consumers pissed, but I wonder what the legal situation would be if they could pull it off.

Even if they print an entire logo in the ink, someone could sell some kind of reusable sticker with that special-ink-logo and just stick it onto the non-Keurig cups during use. When finished with 1 cup, remove sticker and stick it on to a different cup.

I don't see why they even bother trying to lock down their machines TBH as it can't be done well without significantly increasing the cost of the machine or cups (or inconveniencing existing customers).

I have a Keurig (non-DRM) and buy mostly Keurig branded cups anyway but if I had to buy one of these "2.0" machines with DRM, I'd just not buy a Keurig machine.

Or put the sticker over the sensor. Or hotwire the sensor (caution: voids your warranty).

Somewhere a Keurig engineer has gone 'shit'. As far as I know the law for Europe, you're not allowed to use another company's logo form on a commercial product without prior agreement, which is why clothing houses like to heavily brand their items as they can't prevent a competitor from stealing the cut of the item but they can prevent them from using a logo.

Exactly this. Lululemon, TNA, Guess, whatever all make sure their logo is clearly visible for the very reason the design itself isn't patentable, but you make the logo the selling feature.

As mentioned elsewhere, consumers could just cut the top off or take the foil off a legit k cup and place it on top of a non legit one then run the machine?

Kind of invalidates that old single cup self fill solution they themselves sold. Example http://www.amazon.com/Keurig-K-Cup-Reusable-Coffee-Filter/dp...

A cursory Google search shows that not only are companies making Keurig-compatible cups, but also Keurig-compatible coffee machines, so people who want them could get those instead. Funny that the end consequence of this may be that a whole ecosystem around this format ends up continuing to dominate despite the fact that all of the players are selling knock-offs and the originator of the idea has moved on... it's IBM PC-compatible all over again.

I wrote the software for the Mother Parkers RealCup brewer and am quite familiar with at least their knockoff. The real purpose of the brewer was really as a way to push their brand of K-cups (it's the razor blade thing). Everything is about pushing those cups because the margins on those cups are amazing. Keurig is desperate to try to maintain their licensing deals. The (patented) Vue cups aren't doing great, so this was their next attempt. Keurig's attempts aren't really focused on serving the customer, but rather on trying to extract continued revenues from them. BTW...$3.7B market in K-Cups. Crazy huh?

Rent seeking. This is one of the things that in my businesses I try to avoid because it basically should be a last-ditch, hail-mary pass. Which is what this DRM probably is for Keurig.

Ideally, you should always focus on being better than your competitors, which is difficult--but not impossible--in commodity products. Good examples are Dropbox or Starbucks. Cloud storage space or coffee are obviously not new or hard to deliver products, but it's how you deliver them that makes all the difference. I think this is a losing battle for Keurig, and they should focus on providing some additional value (or perceived value, which can be just as good) to their customers. Maybe that's genuinely better tasting coffee, or maybe it's a slight (but acceptable) premium over generics (people like and trust brands).

Exactly. Customer satisfaction is the last thing on Keurig's mind right now. I think we all know how this will play out if they don't wise up.

They should require you to create an account online which you must log in to and enter a code found on the K-cup in order to get your coffee.

That will show those pesky people wanting to use your rather expensive machine with slightly less expensive, however still a rip-off, single-serving coffee pods.

They'll be willing to go through all that trouble for the convenience of only having to push a button to get their coffee!

Worked so well for Sim City!

Some potential parallels there.

Blatant lies: "Our coffee machines just can't support other companies' k-cups."

Empty promises: "Buy our new coffee machine and it'll enable us to make a lot of new and exciting flavors!" First new flavors out of the gate are durian and Mountain Dew.

I'm looking forward to the inevitable half-hearted apology, which will of course have still more empty promises. Not long after that they'll announce the v3 model, which will have an incompatible DRM to v2, forcing their customers to either upgrade or use off-brand companies' k-cups.

> First new flavors out of the gate are durian and Mountain Dew.

Can't be much worse than hazelnut, or vanilla.

Have you ever had a durian? We actually bought one once, at Christmas.

It was... memorable.

Actually yes, I did and think it's a wonderful fruit.

The trick, however, is not to buy one and take it home (or to your hotel room), but to buy a ripe durian at a street vendor and let him open it. Eat straight away and keep a lot of napkins available.

While the taste is really amazing (in my opinion) there's no doubt that the stink is amazing too. And nearly impossible to air out of a closed room.

Most hotels in Singapore flat out forbid durian in your room.

And then they sell you a subscription. To your coffee maker.

And only works if connected to the internet at all times.

3G version to be announced soon.

When your proprietary coffee delivery system costs $50/pound and people still buy it, is DRM a surprise?

You know perfectly well people are paying for the convenience and easy cleanup.

Starbucks coffee -- $1.75 for an espresso shot that uses 0.25 oz of beans -- is $112/pound, so the k-cup is a bargain.

Are there any non-proprietary pod based coffee machines?

Article states it's not true "digital" rights management. Seems more like an analog rights management (shine an infrared light on ink and register reflection). So presumably no one can be technically liable under the DMCA. However, if Keurig were to switch to a more "digital" form of rights management (perhaps actual RFID), could these third party coffee pod creators be found guilty of circumventing content protection technologies (DMCA violation)?

Since there's no copyrightable artistic work involved here, I don't think the DMCA applies.

Like someone above said, the pattern could be in a shape of their logo, so anyone replicating it would be effectively putting another company logo on their product, which is definitely not legal.

There are ways to lose your trademarks if you use them or simply allow them to be used in the wrong contexts. I think their competitors would argue that this is one of those ways.

I was going to ask why they didn't just patent the thing. This is the physical world after all. Turns out they did, but the most important one expired in 2012. http://blogs.wsj.com/corporate-intelligence/2012/11/28/the-k...

Next time Keurig should hire a cryptographer. GPG signed QR-codes or something similar (vulnerable to replay attack, but harder to circumvent).

I don't understand how literally printing the password on the cup would be more effective, unless the coffee maker is internet-connected and each code is revoked after usage.

It harkens back to having to call Microsoft because you've replaced your motherboard except now it's Keurig and even less pleasant because you can't have your coffee while you're on hold.

The machine could add each code to an internal blacklist after each use. It doesn't prevent the same code being used with another machine, but it would prevent coffee vendors from providing boxes of K-cups that are all printed with a single code.

Those vendors could acquire new codes as easily as making a trip to the store. Heck, they could even incentivize customers to snap a photo of an authentic K-cup's code and tweet it to them, maybe for a coupon or imaginary internet points. As long as they had enough codes to make sure any given pallet didn't have any duplicates, they could be 99% certain a customer wouldn't get repeats, especially if they retired codes after a certain number of printings.

I predict that the Keurig 3.0 will be Internet-only. Using an expanded Hyper Text Coffee Pot Control Protocol: http://tools.ietf.org/html/rfc2324 for management. Surely no DRM opponents can complain if they're using standardized protocols.

Using an app on your phone, you'll scan the coffee pod you want to use (your phone takes a picture of you via the front-facing camera as a security measure; much like ATMs have cameras); this connects to the central Coffee Server to generate a one-time passcode. Then your phone does a BREW via HTCPCP to the Keurig, providing a K-Authorization header. Having the encryption key for the one-time passwords be stored on the server avoids the problems Sony etc. have had where private keys inside devices are compromised.

Requiring a smartphone could present interesting branding opportunities, e.g. co-branding the Keurig 3.0 with iPhone 7, social network integration (click once to post the coffee you're drinking to Facebook), automatic reordering and possibly integration with health services as your coffee drinking data can be shared with your health care provider who can adjust your insurance accordingly.

They could do a Louis Vuitton and make their trademark an integral part of the password design. Or pick a nice QR code and trademark that.

This doesn't work... Nintendo tried it with the Game Boy. The boot ROM would extract the Nintendo logo from the cartridge and display it on the screen. If it wasn't correct, the game wouldn't run. If it was correct, the theory was that trademark would prevent 3rd party games. But the judge ruled it was being used as a functional access control device and not as a trademark, so 3rd parties could include the Nintendo logo in their games.

LV uses pure trademark law; it's not functional. That's why their protection stands.

I don't think you could trademark a QR code as it wouldn't be sufficiently distinctive.

morcheeba: looks like your account's been shadowbanned for some reason.

Possibly for good reason: https://news.ycombinator.com/item?id=8170246

Best leave it to the mods.

Next time Keurig should stop engaging in lunacy like DRMed coffee.

Can you (tm) a QR-code?

Things that are printed have copyright. Copying them is not allowed. If the machine has a camera and can recognise the printed material on the cup, then it cannot (legally) be copied.

In order to prevent -replay- refill attacks, the machine has to destroy the cup too after use.

Depressing if my suggestions are true :(

No. Only sufficiently creative works by humans have copyright. Some sort of QR code or barcode could have patent protection but never copyright. Trademark protection would be unlikely for something as generic as a QR code.

Nintendo once made a game system which only accepted floppy disks embossed with the Nintendo logo[1]. Which obviously can be protected by trademark law.

Perhaps they should use the camera to look for some pattern they can copyright.

Of course, for Nintendo I don't think it prevented piracy...

[1] http://www.glitterberri.com/developer-interviews/how-the-fam...

I doubt that a camera would be practical though, the slot for the pod would need to provide illumination and the camera lens would need to be positioned far enough away from the pod so that it could focus on the logo printed on top of it. The camera would need to be of a relatively high resolution, which would be expensive, otherwise competitors could print artwork which is not the trademarked logo but which does fool the machine into recognising it.

> otherwise competitors could print artwork which is not the trademarked logo but..

And by definition imitates with the intent to mislead? Seems that ought to be illegal?

Misleading a coffee machine? No...

RFID chips are almost at the point where they would be cost effective for a K-cup. Then the private key could be stored on silicon, where it's much harder to get out. I worked on a medical product with this system.

I feel so bad suggesting this.

The author's confidence in common sense is touching:

> It's still too early to tell, but the fact that Keurig's “DRM” can be cracked with such ease doesn't seem to bode well for the company.

> So that's one reason Keurig might be in trouble: because it bet everything on imposing a technological barrier which turned out to be ridiculously easy to get around.

Err, so easily crackable DRM will not survive legal challenges? (I seem to remember a story, which my Google-fu is insufficient to recover, of someone embarrassing Jack Palance during an interview by showing him the complete DeCSS source ….)

Couldn't someone just cut the top off or take the foil off a legit k cup and place it on top of a non legit one then run the machine? This would cost the non legit companies less... Not having to retool production. Just tell the consumer what to do or include a special cover.

I do not understand why anyone is buying machines with pods. Expensive machine, expensive coffee, and creating garbage for each cup.

Is it so hard to put a teaspoon of coffee in a cup and pour hot water?

It's simple, it's clean, and convenient. There are many makers of k-cups to choose from so finding an acceptable cup of coffee made this way isn't too hard. I went through a few variety packs, read reviews on Amazon and the like, to narrow my choices. I then used Amazon's subscribe and save feature, visits to Slickdeals, and even my Costco membership, to buy k-cups at good prices.

During summer my coffee drinking goes down and the ability to just make one cup is great. Cooler months and it's time for the Bonavita; sometimes it's good when friends want some, but even then I have dropped back to the k-cup.

I only agree with the "expensive coffee" part. I've got a Tassimo machine which has capsules for both coffee and milk; you use both, and it makes delicious latte, much better than I would be able to do myself, at least not without frothing milk, which is messy and I would rather not do it. The machine itself was $40 which is hardly expensive, and the coffee is most absolutely not garbage. And the convenience is huge. It could be cheaper, but it works out at something like $0.80 per cup, which I am ok with, since I rarely drink more than 1 cup a day anyway.

Good, but doesn't make Keurig a good coffee worth drinking ;)

I have no idea why anyone would put up with drm and pay such a ridiculous price for such terrible "coffee."

Is it really that hard to get a coffee presser and some ground coffee?

Why does it bother you that others wish to make some task more convenient? And BTW, there are bio-degradable (compostable) cups that one can buy, if that was part of your concern. The office manager at my company says they are actually cheaper, too.

It doesn't bother me that people want to make certain things convenient; what bothers me is the commoditization of every last thing in our consumer-driven culture. Is your life really going to be so much better if you can make your coffee in 1 minute instead of 2 minutes? I really don't see any other convenience with ready-made coffee other than the time component. If that convenience comes at the cost of locked-down devices for making coffee then it is really short-sighted of people to buy into that "convenience".

In a workplace environment with a shared kitchen it absolutely is worth it to an average manager to avoid the spills and mess of grounds and keep everything in the pods. This is where I saw most Keurigs first, and then it seemed to "hijack" its way into the household because people got addicted to the convenience that they enjoyed at the office.

Where I work there is a machine that dispenses coffee (Americano: basically an espresso plus piping hot water to fill the cup up). Such machines are more expensive than the typical office Keurig, but for an office of any size not prohibitively so. For office coffee it's actually quite good, and far and away better than any swill out of a Keurig I've ever had the misfortune of drinking.

> Is your life really going to be so much better if you can make your coffee in 1 minute instead of 2 minutes?

No. But if I have fifty things to do every day, one of which is making coffee, and I can shave a minute or two off of each one, I've saved lots of time.

> what bothers me is the commoditization of every last thing in our consumer driven culture.

A guy picking coffee beans could say the same thing about your pre-roasted, pre-ground, holier-than-Keurig choice.

If you have 50 things to do in a day then coffee is the least of your worries. I also don't understand this really weird optimization mindset that some people have and that they apply to every single activity in their life. Some of my greatest insights have happened while I was just daydreaming or in general just doing nothing. Sometimes people should really stop and smell the roses.

I hear you, I really do.

Most of the coffee I drink is $5 a cup local artisan-roasted pour over. But I can't tell you how many times popping a pod in the Keurig as I rushed out the door saved me - and gave me the time to smell other-than-coffee roses.

It's presumptuous to pick one thing you like taking the time to do and accuse those who choose to do other things slowly of not doing anything slowly.

For most people, Keurigs aren't destroying mindfulness or presence, either by force or as one of a thousand cuts.

I can appreciate a quick coffee, but around here most people just use instant for that use-case. Some people seem to prefer the taste of the pods, but I don't find it much different. Instant is considerably cheaper, and also keeps from adding the clutter of a coffee-specific gadget to the kitchen.

> Sometimes people should really stop and smell the roses.

And the less time I have to spend preparing my coffee, the more time I have to sit with my coffee and do just that.

You're missing the point. Coffee is the roses in this case.

> If you have 50 things to do in a day then coffee is the least of your worries.

Right, and the person getting upset at the very idea of a one-button coffee machine is the one worrying about coffee, not person who has already purchased and is happily using the one-button coffee machine.

> If you have 50 things to do in a day then coffee is the least of your worries.

It seems like people who do 50 things in a day are those most in need of mild stimulants.

The enormous amount of waste? And I question how bio-degradable those cups are, unless you mean in the sense that everything biodegrades... eventually. Plus the expense. Prices seem to be about 50c/cup [1:3] which is just awful; you can get really good coffee for that much money with just a bit of work. Keurig coffee generally tastes pretty bad imo.

[1] http://www.amazon.com/San-Francisco-Bay-Coffee-Breakfast/dp/...

[2] http://www.amazon.com/Grove-Square-Cappuccino-Vanilla-24-Cou...

[3] http://www.amazon.com/Keurig-Original-Donut-K-Cup-Regular/dp...

We use [1] at the office. It seems they are only 97% bio-degradable. Does that mean I shouldn't be composting them? And 50 cents is not bad per cup (cheaper than brand name Keurig). Making the coffee yourself (buying grinds or beans), it will still cost you $.25 - $.35 per cup. Pretty small difference IMO.

Now taste is another matter, but I'm not much of a connoisseur, so I don't really pay too much attention. I mostly drink for the warmth and the caffeine =)

Well, I can get 6 lbs of coffee at Costco for $42.99 (price from their website). According to Folgers, for 6 fl oz of water (a small cup of coffee) you need 1 tbsp of ground coffee. Another site suggests one tbsp of ground coffee would be 4.5-7 g. Looks like the coffee pods can brew up to about 12 oz.

So per 12oz, coffee beans are going to cost $0.14-$0.22/cup. Since I didn't shop around for prices on the beans, I won't for the k-cups either: the cost per k-cup at Costco seems to be pretty close to ~$0.65/k-cup across the board.

That's at least a 195% increase in cost.

If you're just having the occasional cup of coffee, it's not worth worrying about. At 3 cups a day all year that would be around $500.

If you clear $25/hr after tax, that means you're spending 20 hours at work to pay for the difference. Even if we assume you brew each cup of traditional coffee individually at 2 minutes each to a 1 minute k-cup, you're saving 18.25 hours per year.

Whatever way you cut it, it seems like it's a net loss to me. And the coffee tastes terrible.

You mention Grove Square...they were the worst. Interesting thing about them was to get around the (now expired) filter patents, they used instant coffee rather than using coffee grounds. They were much worse than your standard Keurig.

It's convenience at the expense of money and flavor. It also increases waste.

I've mostly seen the machines in offices. They obviously make a lot of sense for the use case for where you have dozens of people who all want different things at different times of day. Big improvement over a communal coffee pot.

All the people who pick up coffee at Dunkin, Starbucks, and McDonald's seem to think so. The cost of Keurig over making your own is a pittance compared to the multiple you are paying at those places, but millions do that daily.

Jailbreaking your iPhone is so 2010, now the cool kids are jailbreaking their Keurigs.

Their SSL is bad. It gets an F from SSL Labs due to an exploitable version of OpenSSL -- https://www.ssllabs.com/ssltest/analyze.html?d=consumeraffai... -- and Firefox refuses to connect to it at all due to weak ciphers:

An error occurred during a connection to www.consumeraffairs.com. SSL peer selected a cipher suite disallowed for the selected protocol version. (Error code: ssl_error_cipher_disallowed_for_version)

> and Firefox refuses to connect to it at all due to weak ciphers:

It's not a weak cipher. I get the same error, but the cipher the server selects is TLS_ECDHE_RSA_WITH_128_SHA (0xc011). If I've got my SSL best-practices straight, that's not a bad choice.

The server, however, also selected SSL 3.0. My understanding is that you can't use that cipher with SSL 3.0 because it didn't exist. Firefox thus aborts the connection; note the error: "…cipher_disallowed_for_version" (of SSL).

I've seen this before on a server I had, and it had the same behavior. I'm nearly certain this is a bug on the server side, perhaps in OpenSSL. The server I had made some pretty nonsensical decisions in the server hello, such as the above with Firefox, and with Chrome, selecting TLS 1.0 even though that was disabled. I asked about it on SO[1], but never got a reply. (For me, it's no longer an issue; we enabled TLS on that server for hopefully obvious reasons.) Firefox and Chrome's client hellos are pretty similar, but not the same, and I never figured out the difference that caused the server to choose SSL or TLS over the other.

[1]: http://stackoverflow.com/questions/25146651/why-is-nginx-sel...
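The handshake failure described in the comment above (server negotiates SSL 3.0 yet selects an ECDHE cipher suite, which NSS rejects as "cipher disallowed for version") can be checked offline against a captured ServerHello. The following parser is an added example, not code from the commenter or from consumeraffairs.com; the handshake bytes it builds are constructed for the demonstration, and the suite names are the IANA registry names for those codes.

```python
import struct

# IANA names for the suite codes used here (0xC011 is the code the comment names).
SUITE_NAMES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}
VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def parse_server_hello(record):
    """Return (version, cipher_suite) from a TLS record carrying a ServerHello.
    Raises ValueError for anything that is not a well-formed ServerHello."""
    if len(record) < 5 or record[0] != 0x16:       # content type 22 = handshake
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != 0x02:                            # handshake type 2 = ServerHello
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated handshake message")
    version = (hs[0], hs[1])                       # server_version chosen by the server
    pos = 2 + 32                                   # skip the 32-byte server random
    sid_len = hs[pos]
    pos += 1 + sid_len                             # skip session id
    if pos + 2 > len(hs):
        raise ValueError("truncated ServerHello")
    cipher = struct.unpack("!H", hs[pos:pos + 2])[0]
    return version, cipher


def check_server_hello(record):
    """Diagnose the version/cipher pair the server chose and return a verdict string."""
    version, cipher = parse_server_hello(record)
    vname = VERSION_NAMES.get(version, "unknown %r" % (version,))
    cname = SUITE_NAMES.get(cipher, "unknown 0x%04x" % cipher)
    # The whole 0xC0xx range (ECC suites from RFC 4492 and later additions)
    # postdates SSL 3.0, so no such suite is valid with that version.
    tls_only_suite = (cipher >> 8) == 0xC0
    if version == (3, 0) and tls_only_suite:
        return "MISMATCH: %s selected with %s (cipher_disallowed_for_version)" % (cname, vname)
    if version == (3, 0):
        return "WARNING: %s negotiated with %s (SSL 3.0 should be disabled)" % (vname, cname)
    return "OK: %s with %s" % (vname, cname)


def build_server_hello(version, cipher, session_id=b""):
    """Construct a minimal ServerHello record (no extensions) for offline testing."""
    hs = bytes(version) + bytes(32) + bytes([len(session_id)]) + session_id
    hs += struct.pack("!H", cipher) + b"\x00"      # null compression method
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16" + bytes(version) + struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    # Constructed reproduction of the behaviour reported above: SSL 3.0 + 0xC011.
    print(check_server_hello(build_server_hello((3, 0), 0xC011)))
    print(check_server_hello(build_server_hello((3, 3), 0xC014)))
```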

