New decryption code underscores DVD security weakness



#!/usr/bin/perl -w
# 531-byte qrpff-fast, Keith Winstein and Marc Horowitz
# MPEG 2 PS VOB file on stdin -> descrambled output on stdout
# arguments: title key bytes in least to most-significant order
$_='while(read+STDIN,$_,2048){$a=29;$b=73;$c=142;$t=255;@t=map{$_%16or$t^=$c^=(
$m=(11,10,116,100,11,122,20,100)[$_/16%8])&110;$t^=(72,@z=(64,72,$a^=12*($_%16
-2?0:$m&17)),$b^=$_%64?12:0,@z)[$_%8]}(16..271);if((@a=unx"C*",$_)[20]&48){$h
=5;$_=unxb24,join"",@b=map{xB8,unxb8,chr($_^$a[--$h+84])}@ARGV;s/...$/1$&/;$
d=unxV,xb25,$_;$e=256|(ord$b[4])<<9|ord$b[3];$d=$d>>8^($f=$t&($d>>12^$d>>4^
$d^$d/8))<<17,$e=$e>>8^($t&($g=($q=$e>>14&7^$e)^$q*8^$q<<6))<<9,$_=$t[$_]^
(($h>>=8)+=$f+(~$g&$t))for@a[128..$#a]}print+x"C*",@a}';s/x/pack+/g;eval


MIT student Keith Winstein and alum Marc Horowitz say they're out to prove a point: Publishing code that decrypts and plays DVD movies is not a crime.

In their case, they assert it's about teaching copyright issues and is thus protected under the First Amendment.

Last week, a Web site published the pair's seven-line program, which unscrambles the protection around a DVD so quickly that a movie can play at the same time, although the film appears choppy. It's the shortest program to break DVD defenses to date.

"It is nice to have a short program," said Winstein, an undergraduate in electrical engineering and computer science at the Massachusetts Institute of Technology. "You can write these seven lines of code on a piece of paper and give it to someone. It's ridiculous to say that that's not protected speech."

The act, however, may make the duo a target of the Motion Picture Association of America, the collection of Hollywood studios gunning for anyone who tries to break the digital fence surrounding the content on digital video discs.

The MPAA is looking into the new program, spokeswoman Emily Kutner said Wednesday.

Winstein and Horowitz created the program as part of a two-day MIT seminar that Winstein taught earlier this year on the debate surrounding the Digital Millennium Copyright Act, the controversial law that broadens copyright holders' power to protect their content online.

During the course, Winstein used the short program to illustrate that breaking DVD encryption is trivial, he said. "It was definitely not a copyright-circumvention course for DVDs."

To date, Hollywood has rigorously defended its digital turf.

A year and a half ago, several researchers broke the encryption that protects DVD movies as part of an international open-source project to allow the discs to be played on the Linux operating system. Known as the Content Scrambling System, or CSS, the encryption protecting DVD content acted as a digital defense protecting what movie studios consider to be near-perfect copies of their films.

Three months later, the movie studios and a DVD licensing group sued anyone who had posted or linked to the so-called DeCSS code-breaking program on the Internet. Many sites dropped the text file from their site, but a hacker publication called 2600 decided to fight.

In August, U.S. District Court Judge Lewis Kaplan ruled that 2600 could not post links to versions of the program even if they were stored overseas. With the case now on appeal, the National Football League, Major League Baseball, the Department of Justice and other organizations have added their voice in filings supporting Hollywood moviemakers.

Because the new program does not resemble DeCSS, the seven-line text file may not be covered by the current court cases, said Robin Gross, staff attorney for the Electronic Frontier Foundation, the digital rights organization representing 2600 in its case.

"What it really shows is how futile injunctions against individual programs are," Gross said. "The code itself doesn't violate any copyrights. They would have to bring an entirely new case against this code."

Two months ago, 17 computer scientists--including well-known encryption experts, security researchers and artificial intelligence gurus--filed arguments supporting the right of 2600 to link to the program.

Others, including Carnegie Mellon University professor David Touretzky--whose site is hosting the latest seven-line program--have also testified in defense of linking.

The new code could add another ripple to the legal waters, said Gross, underscoring the assertion that the code is instructive. In addition, Winstein said that today no one would use the program for routinely watching movies. The unscrambling takes so much processing power, he said, that even on a 933MHz processor, movies appear choppy.

"All programs are is instructions that teach you how to do something," Gross said. "Once you understand it, you can make it better. That's what these guys have done."


Prime number unscrambles CSS


On October 8/2001 I read a note on the Spanish page Godsmaze about a prime number which, used as an executable, unscrambles CSS. It may be a hoax (use it at your own risk), but here you have it...



In Web uproar, antipiracy code spreads wildly


There is open revolt on the Web.

Sophisticated Internet users have banded together over the last two days to publish and widely distribute a secret code used by the technology and movie industries to prevent piracy of high-definition movies.

The broader distribution of the code may not pose a serious threat to the studios, because it requires some technical expertise and specialized software to use it to defeat the copy protection on Blu-ray and HD DVD discs. But its relentless spread has already become a lesson in mob power on the Internet and the futility of censorship in the digital world.

An online uproar came in response to a series of cease-and-desist letters from lawyers for a group of companies that use the copy protection system, demanding that the code be removed from several Web sites.

Rather than wiping out the code (a string of 32 digits and letters in a specialized counting system), the legal notices sparked its proliferation on Web sites, in chat rooms, inside cleverly doctored digital photographs and on user-submitted news sites like Digg.com.

"It’s a perfect example of how a lawyer’s involvement can turn a little story into a huge story," said Fred von Lohmann, a staff lawyer at the Electronic Frontier Foundation, a digital rights group. "Now that they started sending threatening letters, the Internet has turned the number into the latest celebrity. It is now guaranteed eternal fame."

The number is being enshrined in some creative ways. Keith Burgon, a 24-year-old musician in Goldens Bridge, N.Y., grabbed his acoustic guitar on Tuesday and improvised a melody while soulfully singing the code. He posted the song to YouTube, where it was played more than 45,000 times.

"I thought it was a source of comedy that they were trying so futilely to quell the spread of this number," Mr. Burgon said. "The ironic thing is, because they tried to quiet it down it’s the most famous number on the Internet."

During his work break on Tuesday, James Bertelson, an engineer in Vancouver, Wash., joined the movement and created a Web page featuring nothing but the number, obscured in an encrypted format that only insiders could appreciate. He then submitted his page to Digg, a news site where users vote on what is important. Despite its sparse offerings, his submission received nearly 5,000 votes and was propelled onto Digg’s main page.

"For most people this is about freedom of speech, and an industry that thinks that just because it has high-priced lawyers it has the final say," Mr. Bertelson said.

The secret code actually stopped being a secret in February, when a hacker ferreted it out of his movie-playing software and posted it on a Web bulletin board. From there it spread through the network of technology news sites and blogs.

Last month, lawyers for the trade group began sending out cease-and-desist letters, claiming that Web pages carrying the code violated its intellectual property rights under the 1998 Digital Millennium Copyright Act. Letters were sent to Google, which runs a blog network at blogspot.com, and the online encyclopedia Wikipedia.

The campaign to remove the number from circulation went largely unnoticed until news of the letters hit Digg. The 25-employee company in San Francisco, acting on the advice of its lawyers, removed posting submissions about the secret number from its database earlier this week, then explained the move to its readers on Tuesday afternoon.

The removals were seen by many Digg users as a capitulation to corporate interests and an assault on free speech. Some also said that the trade group that promotes the HD-DVD format, which uses A.A.C.S. protection, had advertised on a weekly Digg-related video podcast.

On Tuesday afternoon and into the evening, stories about or including the code swamped Digg’s main page, which the company says gets 16 million readers each month. At 9 p.m. West Coast time, the company surrendered to mob sentiment.

"You’d rather see Digg go down fighting than bow down to a bigger company," wrote Kevin Rose, Digg’s founder, in a blog post. "We hear you, and effective immediately we won’t delete stories or comments containing the code and will deal with whatever the consequences might be." If Digg loses, he wrote, "at least we died trying."

Jay Adelson, Digg’s chief executive, said in an interview that the site was disregarding the advice of its lawyers. "We just decided that it is more important to stand by our users," he said. Regarding the company’s exposure to lawsuits he said, "we are just going to prepare and do our best."

The conflict spilled over to Wikipedia, where administrators had to restrict editing on some entries to keep contributors from repeatedly posting the code.

The episode recalls earlier acts of online rebellion against the encryption that protects media files from piracy. Some people believe that such systems unfairly limit their freedom to listen to music and watch movies on whatever devices they choose.

In 1999, hackers created a program called DeCSS that broke the software protecting standard DVDs and posted it on the hacker site 2600.com. The Motion Picture Association of America sued, and Judge Lewis A. Kaplan of Federal District Court in Manhattan, citing the 1998 digital copyright act, sided with the movie industry.

The DVD code disappeared from the 2600 site, but nevertheless resurfaced in playful haiku, on T-shirts and even in a movie in which the code scrolled across the screen like the introductory crawl in "Star Wars."

In both cases, the users who joined the revolt and published the codes may be exposing themselves to legal risk. Chris Sprigman, an associate professor at the University of Virginia School of Law, said that under the digital copyright act, propagating even parts of techniques intended to circumvent copyright was illegal.

However, with thousands of Internet users now impudently breaking the law, Mr. Sprigman said that the entertainment and technology industries would have no realistic way to pursue a legal remedy. "It’s a gigantic can of worms they’ve opened, and now it will be awfully hard to do anything with lawsuits," he said.

Brad Stone
(See The New York Times, May 3, 2007.)


Related links

DeCSS for Linux and DVD
Pigdog Journal DeCSS Distribution Center
[humorix] Finally, a solution to the DMCA!
Freedom to tinker
Doom9's Forum
Open DVD org
