Monday, October 8, 2007, 12:42pm
Reader Hanji alerts us to a hack pulled off when Randall Munroe, author of the popular webcomic XKCD, spoke at MIT by invitation of the Lab for Computer Science. MIT hackers dropped hundreds of labelled playpen balls onto the audience from hatches in the ceiling. The labels bore XKCD's logo as well as the recently discovered 16-byte AACS processing key. At another point in Munroe's talk he was stalked by remote-controlled mechanical velociraptors; but fortunately he had been supplied with a squirt gun full of grape juice.
Monday, October 8, 2007, 12:39pm
The user revolt at Digg and elsewhere, over attempts to take down the now-famous "09 F9" number, is now all over the press. Many non-techies, including some reporters, wonder why users care so much about this. What is it about "09F9" that makes people willing to defend it by making T-shirts, writing songs, or subjecting their dotcom startup to lawsuit risk?
The answer has several parts. The first is that it's a reaction against censorship. Net users hate censorship and often respond by replicating the threatened content. When Web companies take down user-submitted content at the behest of big media companies, that looks like censorship. But censorship by itself is not the whole story.
The second part of the answer, and the one most often missed by non-techies, is the fact that the content in question is an integer, an ordinary number in other words. The number is often written in geeky hexadecimal format, but it can be written equivalently in a more user-friendly form like 790,815,794,162,126,871,771,506,399,625. Giving a private party ownership of a number seems deeply wrong to people versed in mathematics and computer science. Letting a private group pick out many millions of numbers (like the AACS secret keys), and then simply declare ownership of them, seems even worse.
The third part of the answer is that the link between the 09F9 number and the potential harm of copyright infringement is pretty tenuous. AACS LA tells everyone who will listen that the discovery and distribution of the 09F9 number is no real threat to the viability of AACS or the HD-DVD/Blu-ray formats. A person getting the 09F9 number could, if he or she is technically skillful, invest a lot of work to get access to movies. But there are easier, less tech-intensive ways to get the same movies. Publishing the number has approximately zero impact on copyright infringement.
Which brings us to the civil disobedience angle. It's no secret that many in the tech community despise the DMCA's anticircumvention provisions. If you're going to defy a law to show your disagreement with it, you'll look for a situation where (1) the application of the law is especially inappropriate, (2) your violation does no actual harm, and (3) many others are doing the same thing so the breadth of opposition to the law is evident. That's what we see here.
Diggers are revolting because Digg began to seek out new copies of the key and delete them immediately, instead of waiting for a takedown notice from the AACS-LA. A palette of colors encoding the key has been created. You can get an HD-DVD T-shirt or a tattoo. This is, as mentioned, outright civil disobedience and rebellion. Putting this genie back in its bottle is just plain futile.
I long for the day when the industry will learn that takedown notices get you nowhere, that the information and content is out there and isn't coming back, and that trying to squelch fair use is a waste of time (so is trying to stop piracy, but let's not go there today).
As of this writing, Google reports 683,000 results for the key (it is worth noting that MSN only has 1,902; they should get some quicker bots). I'd bet that there will be over a million by the end of the week. How large a legal team do you need to prepare a million DMCA takedowns? How large an investigative unit do you need to put names to IP addresses? Besides, there's already a technique that cannot be fixed even if every key is revoked:
Despite the technical difficulty of performing this hack, it does offer some advantages in the race to beat AACS copy protection. "They cannot revoke this hack," said forum member arnezami, who has been at the center of much of the AACS cracking recently. "No matter how many Private Host Keys they revoke we will still be able to get Volume IDs using patched xbox 360 HD DVD drives."
In addition to being irrevocable, the hack has the potential to make future decryption even easier. "This hack/technique enables us to figure out how the Volume ID is stored on the disc," arnezami explained. "It's very possible we would figure out [...] how the KCD is stored on the disc. Knowing that and being able to teach a PC drive how to read a KCD will open the door for what I called third-generation decryption."
While this type of decryption (reading keys directly off a PC drive by sidestepping part of the encryption process) is still not a reality, it may not be too far off. The main issue is the cost of purchasing standalone high-def players by the hackers, but as prices for these come down, this problem will slowly go away.