Was a mistake made in the design of AACS?

Perry E. Metzger perry at piermont.com
Wed May 2 16:53:50 EDT 2007


Florian Weimer <fw at deneb.enyo.de> writes:
> * Perry E. Metzger:
>> This seems to me to be, yet again, an instance where failure to
>> consider threat models is a major cause of security failure.
>
> Sorry, but where's the security failure?  Where can you buy hardware
> devices that can copy HD disks?  Or download software that does, with
> a readily usable interface?

You can't, but I think that is more a question of the market
size. Right now there are very few HD-DVDs and Blu Ray discs on the
market, and most people have DVD drives but not HD-DVD or Blu Ray
drives. (I don't know that I've ever even seen such a drive to date,
but that will surely change in a year.) Until there is a significant
percentage of the user community with an "itch to scratch" the
software will not appear. However, it is now very clear that the
software is quite doable once people want it.

> In that sense, even CSS hasn't really been broken.

I watch DVDs all the time on my open source OS laptop using software
that depends on DeCSS. It is quite nice software -- the UI is more or
less as good as any of the Windows DVD players. (If the MPAA or DVD
copy control folk want to try prosecuting me for watching DVDs I've
bought legitimately using software they don't approve of, they are
welcome to try -- I suspect that they don't have much of a chance of
winning.)

I haven't used extraction software myself for real (I have no need for
it at the moment -- I don't need my DVD library online) but there are
a number of programs out there that allow you to extract the content
from DVDs to your hard drive as easily as you can do it for a
CD. They're pretty easy to find, even for Windows and OS X, and in my
tests the UIs appeared to be pretty much easy enough for an ordinary
person to use. These programs also depend on DeCSS, of course.

> Even the flurry of DMCA takedown notices isn't necessarily a bad move.
> It might help to shape the future of how access to content is
> regulated in some very particular way.

I doubt they'll get very far. Their best bet for suppression is to sue
a selected subset of people for publishing the process key, but beyond
bad publicity I don't see what practical benefit they might get.

Especially in the US, they may also eventually run up against the
First Amendment. I know that one judge in the 2600 case believed that
"the constitution is not a suicide pact", but those were different
days. That case happened when the community was far less prepared, was
not shepherded by ideal people, and did not set a real precedent. I
think it might be harder to ramrod a similar case through the courts
now, especially given that the Supreme Court has never ruled on this,
and especially since programs like the ones I use to watch DVDs are
clear and obvious legitimate uses and can be demonstrated to and
understood even by members of the judiciary.

-- 
Perry E. Metzger		perry at piermont.com

---------------------------------------------------------------------
The Cryptography Mailing List