November 28, 2024

AACS Decryption Code Released

[Posts in this series: 1, 2, 3, 4, 5, 6, 7.]

Decryption software for AACS, the scheme used to encrypt content on both next-gen DVD systems (HD-DVD and Blu-ray), was released recently by an anonymous programmer called Muslix. His software, called BackupHDDVD, is now available online. As shipped, it can decrypt HD-DVDs (according to its author), but it could easily be adapted to decrypt Blu-ray discs.

Commentary has been all over the map, with some calling this a non-event and others seeing the death of AACS. Alex Halderman and I have been thinking about this question, and we believe the right view is that the software isn’t a big deal by itself, but it is the first step in the meltdown of AACS. We’ll explain why in a series of blog posts over the next several days.

Today I’ll explain how the existing technology works: how AACS encrypts the content on a disc, and what the BackupHDDVD software does.

In AACS, each player device is assigned a DeviceID (which might not be unique to that device), and is given decryption keys that correspond to its DeviceID. When a disc is made, a random “title key” is generated and the video content on the disc is encrypted under the title key. The title key is encrypted in a special way that specifies exactly which devices’ decryption keys are able to extract the title key, and the result is then written into a header field on the disc.

When a player device wants to read a disc, the player first uses its own decryption keys (which, remember, are specific to the player’s DeviceID) to extract the title key from the disc’s header; then it uses the title key to unlock the content.

BackupHDDVD does only the second of the two decryption steps: you give it the title key and the encrypted content, and it uses the title key to decrypt the content. BackupHDDVD doesn’t do the first decryption step (extracting the title key from the disc’s header), so BackupHDDVD is useless unless you already have the disc’s title key. The BackupHDDVD download does not include title keys, so somebody who wanted to decrypt his own AACS-protected disc collection would have to get those discs’ title keys from elsewhere.
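A toy model of the two-step decryption described above, added here as an illustration; it is not code from BackupHDDVD or from the AACS specification. It assumes one header entry per authorized DeviceID and a SHA-256 keystream as a stand-in for AACS's real cipher and key-distribution scheme, and every name and sample value in it is constructed.

```python
import hashlib
import hmac
import os

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy cipher (stand-in, not AACS's): XOR data with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def make_disc(content: bytes, authorized: dict) -> dict:
    """Encrypt content under a random title key, then wrap that key per authorized device."""
    title_key = os.urandom(16)
    header = {}
    for device_id, device_key in authorized.items():
        wrapped = keystream_xor(device_key, title_key)
        tag = hmac.new(device_key, wrapped, hashlib.sha256).digest()
        header[device_id] = (wrapped, tag)
    return {"header": header, "body": keystream_xor(title_key, content)}

def extract_title_key(disc: dict, device_id: str, device_key: bytes):
    """Step 1: the player uses its own device key to recover the title key from the header."""
    entry = disc["header"].get(device_id)
    if entry is None:
        return None  # this DeviceID was not authorized when the disc was made
    wrapped, tag = entry
    expected = hmac.new(device_key, wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong device key for this header entry
    return keystream_xor(device_key, wrapped)

def decrypt_content(disc: dict, title_key: bytes) -> bytes:
    """Step 2: needs only the title key; per the post, the only step BackupHDDVD does."""
    return keystream_xor(title_key, disc["body"])

# Constructed sample data: two players, only player-A is authorized for this disc.
CONTENT = b"constructed sample video bytes " * 4
DEVICE_KEYS = {"player-A": os.urandom(16), "player-B": os.urandom(16)}
DISC = make_disc(CONTENT, {"player-A": DEVICE_KEYS["player-A"]})

if __name__ == "__main__":
    tk = extract_title_key(DISC, "player-A", DEVICE_KEYS["player-A"])
    print("player-A plays disc:", decrypt_content(DISC, tk) == CONTENT)
    print("player-B gets title key:", extract_title_key(DISC, "player-B", DEVICE_KEYS["player-B"]))
    print("random title-key guess works:", decrypt_content(DISC, os.urandom(16)) == CONTENT)
```

Note that `decrypt_content` never looks at a device key: in this model, as in the post's description, all per-device control sits in step 1, so the content is exactly as protected as the title key is secret.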

Typical users can’t extract title keys on their own, so BackupHDDVD won’t be useful to them as it currently stands – hence the claims that BackupHDDVD is a non-event.

But the story isn’t over. BackupHDDVD is the first step in a process that will eviscerate AACS. In the next post, we’ll talk about what will come next.

[Post updated (8 Jan 2007): Corrected the third-to-last paragraph, which originally said that BackupHDDVD came with a few sample title keys. The error was due to my misreading of the code distribution. Also added the second parenthetical in the first paragraph, as a clarification. Thanks to Jon Lech Johansen and Mark for pointing out these issues.]

2007 Predictions

This year, Alex Halderman, Scott Karlin and I put our heads together to come up with a single list of predictions. Each prediction is supported by at least two of us, except the predictions that turn out to be wrong, which must have slipped in by mistake.

Our predictions for 2007:

(1) DRM technology will still fail to prevent widespread infringement. In a related development, pigs will still fail to fly.

(2) An easy tool for cloning MySpace pages will show up, and young users will educate each other loudly about the evils of plagiarism.

(3) Despite the ascent of Howard Berman (D-Hollywood) to the chair of the House IP subcommittee, copyright issues will remain stalemated in Congress.

(4) Like the Republicans before them, the Democrats’ tech policy will disappoint. Only a few incumbent companies will be happy.

(5) Major record companies will sell a significant number of MP3s, promoting them as compatible with everything. Movie studios won’t be ready to follow suit, persisting in their unsuccessful DRM strategy.

(6) Somebody will figure out the right way to sell and place video ads online, and will get very rich in the process. (We don’t know how they’ll do it. If we did, we wouldn’t be spending our time writing this blog.)

(7) Some mainstream TV shows will be built to facilitate YouTubing, for example by structuring a show as a series of separable nine-minute segments.

(8) AACS, the encryption system for next-gen DVDs, will melt down and become as ineffectual as the CSS system used on ordinary DVDs.

(9) Congress will pass a national law regarding data leaks. It will be a watered-down version of the California law, and will preempt state laws.

(10) A worm infection will spread on game consoles.

(11) There will be less attention to e-voting as the 2008 election seems far away and the public assumes progress is being made. The Holt e-voting bill will pass, ratifying the now-solid public consensus in favor of paper trails.

(12) Bogus airport security procedures will peak and start to decrease.

(13) On cellphones, software products will increasingly compete independent of hardware.

2006 Predictions Scorecard

As usual, we’ll start the new year by reviewing the predictions we made for the previous year. After our surprisingly accurate 2005 predictions, we decided to take more risks by having more 2006 predictions and making them more specific. The results, as we’ll see, were … predictable.

Here now, our 2006 predictions, in italics, with hindsight in ordinary type.


(1) DRM technology will still fail to prevent widespread infringement. In a related development, pigs will still fail to fly.

We predict this every year, and it’s always right. This prediction is so obvious that it’s almost unfair to count it.

Verdict: Right.


(2) The RIAA will quietly reduce the number of lawsuits it files against end users.

Verdict: Right.


(3) Copyright owners, realizing that their legal victory over Grokster didn’t solve the P2P problem, will switch back to technical attacks on P2P systems.

They did realize the Grokster case didn’t solve their problem; but they didn’t really emphasize technical countermeasures. They didn’t seem to have a coherent anti-P2P strategy.

Verdict: mostly wrong.


(4) Watermarking-based DRM will make an abortive comeback, but will still be fundamentally infeasible.

The comeback was limited to the now-dead analog hole bill, which backed the dead-on-arrival CGMS-A + VEIL technology. Watermarking still looks infeasible for copy protection.

Verdict: mostly wrong.


(5) Frustrated with Apple’s market power, the music industry will try to cozy up to Microsoft. Afraid of Microsoft’s market power, the movie industry will try to cozy up to Washington.

The music industry was indeed frustrated by Apple’s market power. But they drove a hard bargain with Microsoft, shackling Zune’s most interesting features. The movie industry did cozy up to Washington, but no more than usual, and probably not due to Microsoft-fear.

Verdict: mostly wrong.


(6) The Google Book Search case will settle. Months later, everybody will wonder what all the fuss was about.

No settlement, but excitement about the Book Search case has definitely waned.

Verdict: mostly wrong.


(7) A major security and/or privacy vulnerability will be found in at least one more major DRM system.

Verdict: wrong.


(8) Copyright issues will still be stalemated in Congress.

Another easy one.

Verdict: right.


(9) Arguments based on national competitiveness in technology will have increasing power in Washington policy debates.

This didn’t happen. We thought the election would make economic health more salient; but the election focus was elsewhere.

Verdict: mostly wrong.


(10) Planned incompatibility will join planned obsolescence in the lexicon of industry critics.

Verdict: mostly wrong.


(11) There will be broad consensus on the need for patent reform, but very little consensus on what reform means.

The main policy division, predictably, was between the infotech and biotech sectors.

Verdict: right.


(12) Attention will shift back to the desktop security problem, and to the role of botnets as a tool of cybercrime.

This should have happened, but commentators mostly missed the growing importance of this issue. Botnets were implicated in the spam renaissance.

Verdict: mostly wrong.


(13) It will become trendy to say that the Internet is broken and needs to be redesigned. This meme will be especially popular with those recommending bad public policies.

This trend mostly didn’t materialize, though there were wisps of this argument in the net neutrality debate.

Verdict: mostly wrong.


(14) The walls of wireless providers’ “walled gardens” will get increasingly leaky. Providers will eye each other, wondering who will be the first to open their network.

Verdict: mostly right.


(15) Push technology (remember PointCast and the Windows Active Desktop?) will return, this time with multimedia, and probably on portable devices. People won’t like it any better than they did before.

Push tried to bring the TV model to the Net, so it seemed logical that as TV moved onto the Net it would become more push-like. But this didn’t happen, at least not yet.

Verdict: wrong.


(16) Broadcasters will move toward Internet simulcasting of free TV channels. Other efforts to distribute authorized video over the net will disappoint.

Verdict: mostly right.


(17) HD-DVD and Blu-ray, touted as the second coming of the DVD, will look increasingly like the second coming of the Laserdisc.

The jury is still out, but this prediction is looking good so far.

Verdict: mostly right.


(18) “Digital home” products will founder because companies aren’t willing to give customers what they really want, or don’t know what customers really want.

Outside of promotional efforts in the trade press, we didn’t hear much about the digital home.

Verdict: mostly right.


(19) A name-brand database vendor will go bust, unable to compete against open source.

Verdict: wrong.


(20) Two more significant desktop apps will move to an Ajax/server-based design (as email did in moving toward Gmail). Office will not be one of them.

There seemed to be a trend in this direction, but I can’t point to two major apps that moved. But Google did introduce Office-like products in this category.

Verdict: mostly wrong.


(21) Technologies that frustrate discrimination between different types of network traffic will grow in popularity, backed partly by application service providers like Google and Yahoo.

These technologies didn’t develop, perhaps because of the policy stalemate over net neutrality.

Verdict: wrong.


(22) Social networking services will morph into something actually useful.

This one is hard to categorize. The meaning of “social networking” changed during 2006; it now refers to sites like MySpace and Facebook that are primarily webpage hosting services. That’s a useful and popular function; but it’s the term rather than the technology that morphed.

Verdict: mostly right (I guess).


(23) There will be a felony conviction in the U.S. for a crime committed entirely in a virtual world.

Commenters noted at the time that this prediction was poorly specified. Which didn’t matter, because it was wrong no matter how you interpret it.

Verdict: wrong.

Overall scorecard for 2006 predictions: four right, five mostly right, nine mostly wrong, five wrong. That’s more wrong than right, by a narrow margin, showing that our risk-taking strategy worked.

Stay tuned for our 2007 predictions.

Holiday Stories

It’s time for our holiday hiatus. See you back here in the new year.

As a small holiday gift, we’re pleased to offer updated versions of some classic Christmas stories.

How the Grinch Pwned Christmas: The Grinch, determined to stop Christmas, hacks into Amazon’s servers and cancels all deliveries to Who-ville. The Whos celebrate anyway, gathering in a virtual circle and exchanging user-generated content. When the Grinch sees this, his heart grows two sizes and he priority-ships replacement gifts to Who-ville.

Rudolph the Net-Nosed Reindeer: Rudolph is shunned by his reindeer peers for having a goofy WiFi-enabled nose. But he becomes a hero one foggy Christmas Eve by using the nose to access Google Maps, helping Santa navigate to the homes of good children.

Gift of the eMagi: Poor husband and wife find perfect gifts for each other and bid aggressively for them on eBay. Unbeknownst to them, they’re bidding against each other for the same gift. Determined to express their love by paying whatever it takes to get the gift, they bid themselves into bankruptcy.

NSA Claus is Coming to Town: He sees you when you’re sleeping. He knows when you’re awake. He knows if you’ve been bad or good, so be good or go to Gitmo.

The Little DRM-er Boy: A boy wants to share his recorded drum solo with Baby Jesus, but the file is tethered to a faraway computer. With the aid of three downloads from the East, he rips an MP3 and emails it to Mary and Joseph just in time for Christmas Night.

It’s a Wonderful Second Life: George Bailey believes that Second Life would have been better if he had never signed on at all. He jumps off a bridge … and floats slowly to the ground. Clarence Linden, George’s guardian avatar, restores the server backup from before George signed on, and watches with George while griefers run wild. George sees the error of his ways, and Clarence restores his account.

A Vista Carol: Ebenezer “Steve” Ballmer runs a coding shop in Merry Old Redmond. He forces programmer Bob Cratchit to work overtime on Christmas to meet the Vista ship date. At night, Ballmer is visited by three Ghost images: Windows Past, Windows Present, and Windows Future. [Fill in your own jokes here.] The next morning, Ballmer sends Bob home for Christmas, in exchange for a promise to keep his Blackberry on during dinner.

[Thanks to Alex Halderman and my family for help writing the stories.]

Sharecropping 2.0? Not Likely

Nick Carr has an interesting post arguing that sites like MySpace and Facebook are essentially high-tech sharecropping, exploiting the labor of the many to enrich the few. He’s wrong, I think, but in an instructive way.

Here’s the core of his argument:

What’s being concentrated, in other words, is not content but the economic value of content. MySpace, Facebook, and many other businesses have realized that they can give away the tools of production but maintain ownership over the resulting products. One of the fundamental economic characteristics of Web 2.0 is the distribution of production into the hands of the many and the concentration of the economic rewards into the hands of the few. It’s a sharecropping system, but the sharecroppers are generally happy because their interest lies in self-expression or socializing, not in making money, and, besides, the economic value of each of their individual contributions is trivial. It’s only by aggregating those contributions on a massive scale – on a web scale – that the business becomes lucrative. To put it a different way, the sharecroppers operate happily in an attention economy while their overseers operate happily in a cash economy. In this view, the attention economy does not operate separately from the cash economy; it’s simply a means of creating cheap inputs for the cash economy.

As Mike at Techdirt observes, it’s a mistake to think of the attention economy and the cash economy as separate. Attention can be converted into cash – that’s what advertising does – and vice versa. Often it’s hard to distinguish attention-seekers from cash-seekers: is that guy eating bugs on Survivor doing it for attention or money?

It’s a mistake, too, to think that MySpace provides nothing of real value to its users. I think of MySpace as a low-end Web hosting service. Most sites, including this blog, pay a hosting company to manage servers, store content, serve out pages, and so on. If all you want is to put up a few pages, full-on hosting service is overkill. What you want instead is a simple system optimized for ease of use, and that’s basically what MySpace provides. Because it provides less than a real hosting service, MySpace can offer a more attractive price point – zero – which has the additional advantage of lowering transaction costs.

The most interesting assumption Carr makes is that MySpace is capturing most of the value created by its users’ contributions. Isn’t it possible that MySpace’s profit is small, compared to the value that its users get from using the site?

Underlying all of this, perhaps, is a common but irrational discomfort with transactions where no cash changes hands. It’s the same discomfort we see in some weak critiques of open-source, which look at a free-market transaction involving copyright licenses and somehow see a telltale tinge of socialism, just because no cash changes hands in the transaction. MySpace makes a deal with its users. Based on the users’ behavior, they seem to like the deal.