Wednesday, May 02, 2007

HD-DVD brought down by Web 2.0

Back in January I reported on the hacking of HD-DVD protection through improper key management. AACS, makers of the DRM protecting the new format, vowed to try to shut down BackupHDDVD, which is instrumental to some part of the cracking process. At the time I thought it was likely to be the last we would hear about this topic; after all, cracked protection is hardly news, is it? Once the how-to had been posted in Ed Felten's blog, the game was up. Or so I thought...

In order to understand the cracking process, we need to understand keys. Felten explains it best, so here he goes:

"In AACS, each player device is assigned a DeviceID (which might not be unique to that device), and is given decryption keys that correspond to its DeviceID. When a disc is made, a random “title key” is generated and the video content on the disc is encrypted under the title key. The title key is encrypted in a special way that specifies exactly which devices’ decryption keys are able to extract the title key, and the result is then written into a header field on the disc.
When a player device wants to read a disc, the player first uses its own decryption keys (which, remember, are specific to the player’s DeviceID) to extract the title key from the disc’s header; then it uses the title key to unlock the content."
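
The key hierarchy Felten describes can be sketched in a few lines. This is an added illustration, not code from the original post or from AACS: it follows only the simplified description quoted above (not the real AACS header format), uses an HMAC-SHA256 keystream as a stand-in for AES, and all DeviceIDs and keys are constructed. It goes one step further than the quote to show revocation, where a new disc simply stops wrapping the title key for a compromised device.

```python
import hashlib
import hmac
import os

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with an HMAC-SHA256 keystream (real AACS uses AES)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, b"ks" + nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def _tag(key: bytes, blob: bytes) -> bytes:
    return hmac.new(key, b"tag" + blob, hashlib.sha256).digest()

def master_disc(content: bytes, authorized: dict) -> dict:
    """Encrypt content under a random title key; wrap that key per authorized device."""
    title_key = os.urandom(16)
    header = {}
    for device_id, device_key in authorized.items():
        nonce = os.urandom(16)
        wrapped = _xor_stream(device_key, nonce, title_key)
        header[device_id] = (nonce, wrapped, _tag(device_key, nonce + wrapped))
    body_nonce = os.urandom(16)
    return {"header": header, "nonce": body_nonce,
            "body": _xor_stream(title_key, body_nonce, content)}

def play(disc: dict, device_id: str, device_key: bytes):
    """Return the plaintext, or None if this device cannot extract the title key."""
    entry = disc["header"].get(device_id)
    if entry is None:
        return None  # DeviceID not listed: never authorized, or revoked
    nonce, wrapped, tag = entry
    if not hmac.compare_digest(tag, _tag(device_key, nonce + wrapped)):
        return None  # supplied key does not match this header entry
    title_key = _xor_stream(device_key, nonce, wrapped)
    return _xor_stream(title_key, disc["nonce"], disc["body"])

def demo():
    # Constructed DeviceIDs and keys, for illustration only.
    keys = {"player-A": os.urandom(16), "player-B": os.urandom(16)}
    film = b"constructed sample video payload " * 3
    old_disc = master_disc(film, keys)
    new_disc = master_disc(film, {"player-B": keys["player-B"]})  # player-A revoked
    return (play(old_disc, "player-A", keys["player-A"]) == film,
            play(new_disc, "player-A", keys["player-A"]) is None,
            play(new_disc, "player-B", keys["player-B"]) == film)
```

Revocation in this model only protects discs mastered after the revocation: the revoked player still opens the old disc, which is why a leaked key stays useful for titles already on the market.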

However, January's vulnerability was limited, as it could not decrypt the title's key; it was only a player key, which would be useless by itself. Suggestions were made to have a title key database that cracking software could access, but as far as I know it was not implemented. That was the state of play until yesterday, when a key was released to the public which allegedly can be used to decrypt most existing titles. Apparently, this is a processing key, something akin to a master key. I have not been able to find the first source of the key, although some sites have posted a link to a removed WordPress blog here. The earliest post I could find in this meme is here. Perhaps in the days of Web 2.0, it is impossible to find sources. Anyway, what we know for sure is that someone posted this somewhere (vagueness is also very web 2.0):

"Spread this number. Now.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0. It's the HD-DVD processing key you can use to decrypt and play most HD-DVD movies in Linux. Movie studios are going ballistic over this leak, so Digg the story up and make it reach the front page."

This was like DeCSS all over again, but this time with blogs, YouTube, Digg and the whole force of a meme-churning machine. In other words, AACS does not stand a chance. That doesn't mean they did not try! Apparently the number made the front page of Digg, who then received a Cease & Desist letter and decided to remove the stories and even cancel users' accounts. Needless to say, the slightest whiff of censorship sent the copyfight warriors into overdrive, and we had a t-shirt, replication in countless blogs, and even a song uploaded on YouTube. Some of the discussions in Slashdot and Wired have been worth reading as sociological examples of slighted self-righteous geekdom. I can imagine this repeated in chat-rooms across the world:

"Replicate this number, it allows you to copy your HD-DVDs"
"But, I don't own any"
"Doesn't matter man, they're trying to censor us!"

Digg realised they were losing the good will of geekdom, so they posted a "we hear ya", together with the dreaded number on the title. They have decided to "go down fighting" and side with the rebelling masses.

I may be forgiven for being my cynical self, but I must admit that I'm getting slightly suspicious about this whole affair. I'm missing some very basic information that I would need in order to make sure that this is a legitimate issue. Here are some problems that I have with the news:

  1. Where is the original post? Has it really been taken down?
  2. The earliest key replication seems to come from a meme post designed to anger the masses. No, you cannot copyright numbers, but keys may be protected as part of an effective technological protection measure.
  3. AACS has not made any official declaration that it's pursuing infringers, something that they have done in the past.
  4. I would like to see Digg's cease-and-desist letter; it seems to me like lawyers for the industry moved incredibly fast.
  5. There's something about the whole story that smells like urban legend to me. The meme has spread too fast in order to get accurate information.
  6. Has anyone actually tried to use the key?

It's possible that my suspicions are misplaced. If that is the case, AACS may have committed the biggest blunder by trying to suppress the key; the level of dissemination is such that it will be impossible to recall it. This may prove to be a case study of how useless cease-and-desist may become in the Web 2.0 era. Even if the story proves to be a clever hoax, copyright owners should heed the lesson.

Update. Some interesting replication strategies from David Berry:

But I still haven't seen any first-hand report that anyone has actually used the key to crack an HD-DVD.

Update 2: Chilling Effects has posted the AACS C&D letter to Google, so I guess that makes it official: the key seems legit. If AACS wants to take it down, there must be a reason.
"They bark, Sancho; a sign that we are moving."

Update 3: Fred von Lohmann from EFF has posted a warning against posting the key.


pangloss said...

Thanks for this - v interesting. I will use it in Alicante!

Ben Bildstein said...

I think you're right to be sceptical. I believe it, but that could be because of where I first heard the story (only a few hours prior to reading your post). Here's my 2c worth: first, this forum says 11 February (but this is Web 2.0, so who knows, right?); second, I got there from the programming reddit.

Anonymous said...

I think you're right to be sceptical. But in any case it has drawn out some interesting questions -- for example in this case Digg is actually self-censoring and censoring others who wished to discuss the issue - no letter cease and desist required.

The original post is HERE but it appears that when others (entangled state) have posted it Google was sent a desist letter which meant the author was closed down. I'll post the letter below...

Anonymous said...

DMCA Complaint Notice from Google Notebook
April 27th, 2007 by entangledstate

Google has given me a reason to finally start a blog. This evening I received a DMCA Complaint Notice from Google for something that was publicly available on my Google Notebook. Here’s the full content of the email from Google.


Google has been notified, according to the terms of the
Digital Millennium Copyright Act (DMCA), that content
in your notebook Google Notebook Entry

allegedly infringes upon the copyrights of others.
The particular section of your notebook in question is
the section covering

The notice that we received, with any personally
identifying information removed, will be posted online
by a service called Chilling Effects, and we will send you
the link of this notice. We do this in accordance with
the Digital Millennium Copyright Act (DMCA).

The DMCA is a United States copyright law that provides
guidelines for online service provider liability in case of
copyright infringement. Please see
For more information about the DMCA, please for the process
that Google requires in order to make a DMCA complaint.

We are asking that you please remove the allegedly infringing
content from your notebook. If you do not do this within the
next 3 days (by 4/30/07), we will be forced to remove your
entire notebook. If we did not do so, we would be subject to a
claim of copyright infringement, regardless of its merits.

We can reinstate this content into your blog upon receipt of
a counter notification pursuant to sections 512(g)(2) and (3)
of the DMCA. For more information about the requirements
of a counter notification and a link to a sample counter
notification, see

Please note that repeated violations to our Terms of Service
may result in further remedial action taken against your
Google account.

If you have legal questions about this notification,
you should retain your own legal counsel. If you have any
other questions about this notification, please let us know.

Thank you for your understanding.

The Google Team

Apparently this hexadecimal string is a copyrighted work. 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0. It’s the HD-DVD Processing Key for most movies released so far. I was not aware that a string of numbers and letters was copyrightable. Perhaps it's just my ignorance but it seems that someone is abusing the DMCA again.


Anonymous said...

5 Responses to “DMCA Complaint Notice from Google Notebook”
Dick Weisiger Says:
April 27th, 2007 at 11:22 pm
A book is a “string of numbers and letters” and can be copyrighted, but nobody would copyright the number 3 or a random alphanumeric string of any length. It is not the length of the string, but the information incorporated into the string that is really important. The string you list contains important information, so it makes sense to me that it can be subject to copyright.

entangledstate Says:
April 27th, 2007 at 11:36 pm
If I remember correctly this hexadecimal string was discovered by someone watching the changes in their computer memory when they ran certain software. How is distributing something you discover on your own computer that is not obviously someone else’s material a violation of their copyright? I’m sure that I received this notice purely because some organization did not want this string to be distributed. A funny thing is that when I did some googling for the string it came up all over the place, including this Wired blog post. Why come after my Google Notebook, which is just used for me to store information I want to keep? I wasn’t attempting to distribute their “copyright”, I was just storing it for my own use.

entangledstate Says:
April 28th, 2007 at 12:40 am
I have two further comments. A hexadecimal string can mean many different things in many different contexts. Does copyright law have any provisions for context of material?

My other comment is about the purpose of Google Notebook. My understanding is its purpose is for a user to be able to capture snippets of text that they find on the internet. If someone is arguing that a hexadecimal string is a copyrighted work then I would have to say just about everything in my Google Notebook is someone else’s material. That’s its purpose. This issue can even be extended to the indexes of websites that Google uses to do searches. The index is built on others work. To me this takedown notice goes to the very heart of what the web is about. I’m not faulting Google necessarily but I was only using their service how I thought it was intended.

Archi Says:
April 28th, 2007 at 2:50 am
I don’t think that the issue here is that the text is copyrighted. It is probably being considered a “tool” to circumvent a technological access control, and the DMCA makes such circumvention illegal regardless of whether it is for an otherwise legal purpose. You must be familiar with the whole DeCSS debacle which is essentially the same thing.

Is it any less disturbing? No. But it is helpful in these situations to be as clear as possible about exactly what is being claimed.

entangledstate Says:
April 28th, 2007 at 4:50 am
Yes I remember the DeCSS but the email mentioned above only says copyright and not that the string was being used to circumvent any sort of encryption. As I said, I'm pretty sure the string was discovered by watching the changes to memory locations on the person's computer. I really don’t think that could be classified as circumvention. There are many aspects of the DMCA law; the only one that seems to be applied via Google is copyright infringement.


Anonymous said...

There are some cool historical sites that list the details including facebook groups and this post talking about the Digg situation

Andres Guadamuz said...

Thanks for all the information David, it is precisely what I was looking for.

Anonymous said...

Can't resist posting this... DVD versus HD-DVD

Puts a whole new spin on HD-DVD... sorry...


Anonymous said...

And finally, here is the AACS cease and desist letter...