L'Ombre de l'Olivier

The Shadow of the Olive Tree

being the maunderings of an Englishman on the Côte d'Azur

05 May 2007

Cracking News for HD-DVDs

If there was a group of people for whom the last two weeks have been about as bad as can be, then the folks who run AACS-LA are the ones. It started off with internet user "indiggnation" at the idea that a number should be a secret and has been getting progressively worse. As a result of their loss of Diggnity, the AACS Licensing Authority (AACS LA), that is, the folks in charge of the HD-DVD cryptography, have been doing the King Cnut thing and threatening to sue all and sundry to stop their secret spreading any further. As I and many, many others have said, this is a counterproductive strategy because all you do is draw attention to the fact that there is something valuable that you want to hide. As the Ars Technica article I linked to above explains, we went through all this when DVDs were introduced and DeCSS showed up. The article concludes:

The AACS LA has missed the lesson of DeCSS: the Internet holds no secrets. While one might sympathize with their predicament, the larger lesson to be learned here is that security based on secrets is truly no more secure than any other form of security. Once that secret is out, it's game over. The more you try to stop that secret from spreading, the more likely it is to spread. The more coveted that secret is, the worse it gets.

When "DVD Jon" was targeted for his involvement of DeCSS, geeks around the world rallied around him and the idea of DeCSS. If the AACS isn't careful, they'll simply make another generation of hero out of a problem they created. What makes it even more deplorable this time is that it's now 2007, and the writing is on the wall: DRM is a failed idea, and a waste of time and money.

I have some sympathy for people who make a mistake once. I have zero sympathy for people who make the exact same mistake a second time. The DeCSS saga showed that any DRM security has a problem: everyone has to be able to decrypt the stuff, so every reader has to have the key in there somewhere. Given that, why would anyone think that a more complex kind of security scheme would fare any better?

Perhaps worst of all, all this attention means that people like me pay more attention to AACS-related stories, and so I come across this second, older Ars Technica item which seems to indicate that the whole key revocation plan that was supposed to handle the "secret's out" issue is not going to work. This does not come as a surprise to me and it shouldn't have come as a surprise to the AACS-LA and their pals. Why not? Because of the way the internet changes economics and the incentives for the sorts of people who tend to crack these things.

Let me explain. The internet, as should be obvious, is pretty much a "gift" culture. That is to say, the way you demonstrate your status on the internet is to give stuff away to others. This is how/why open source works, not to mention Wikipedia and all those volunteer fora where newbies can ask questions about anything and get a knowledgeable response. One reason why the internet is a gift culture is that the cost of being generous is very low. Unlike in the physical world, handing someone an electronic duplicate of something costs essentially 0, so it is easy to give stuff away. However, everyone knows that the cost of duplication is low, so the value accrues to people who make something difficult available. This in turn means that the harder an encryption algorithm is, the more likely it is that people will try to crack it, because they gain more status by doing so. As Charlie Stross pointed out in his excellent ebook rant in March:

Books that come up most often are either scanned and OCRd paper copies, or cracks of DRM-locked ebooks. If you look at the posters' activities in terms of proving status within a gift economy this makes sense; OCRing a book or cracking DRM takes time and effort, and is a demonstration of putting effort into something — it's a high value activity. Whereas posting something you grabbed off Baen's library of for-free books, or paid $5 for is just stupid — it's like turning up to a wine and cheese evening your friends are running on a "bring a bottle" basis with a bottle of Buckfast or Mad Dog 20/20. It's cheesy, tasteless, and looks cheap, and that's how the ebook pirate elite will view you.

In other words, the more fiendish the DRM, the greater the status that results from being able to provide a cracked copy of it. I can't see any reason why the whole AACS scheme will not be vulnerable to this, and there is a certain amount of evidence (from the cracker's own words) that this is exactly how the crackers see it: an intellectual challenge more than anything else.

Of course, the worst thing is that once a crack has been created, everyone else now has a choice: some few minutes googling and following instructions, or going out to amazon.com and buying the DVD. If the price is low enough then we'll go to amazon. If it's too high then it becomes worthwhile searching on the internet.
