Microsoft

MS DRM Version 2 - Cracked

As the title says: Microsoft Digital Rights Management Version 2 has been cracked. The Register has the story, including a link to a downloadable zip file which contains source code, explanation and a small DOS utility. Grab it while you can. You can also read the explanation directly here, and you can also find it with Google.
This discussion has been archived. No new comments can be posted.

  • by SealBeater ( 143912 ) on Friday October 19, 2001 @08:41AM (#2450936) Homepage
    It's not like ANY protection scheme that I can think of hasn't been broken. So far, it looks like nothing will ever not be broken.

    Corps: 0, Hackers:...shit, I lost count.

    SealBeater
  • to no end (Score:4, Insightful)

    by Rinikusu ( 28164 ) on Friday October 19, 2001 @08:41AM (#2450939)
    You know, the antics of the music industry (and the kind of thing that MS is kowtowing to with their DRM scheme) really pisses me off, but also convinces me that there will eventually come something to replace them both.

    But, know what? It's their property. If they want to fuck up their distribution channels, fuck em. I can do without "so-called" modern music anyway. I go see live bands locally, get lit, and have a great time and I didn't need to buy a fucking copy-protected by the DMCA CD or cassette or anything. These guys are out there trying to make a living, maybe you should check em out. And if you catch them after the show, you might can convince them that they should distribute their songs on CD's for cheap and ask them (ask them) about how they feel about MP3's and music-sharing in general. Of course, they might not agree with you (or myself), but they have that *right* to do so.

    So, I encourage, nay I *challenge* each and every one of you who would boycott MS or the RIAA to pick up a local newspaper and see what's going on in your town this weekend. Chances are, there's a band or two actually worth checking out, and hey, it's not like you're going to meet chicks sitting behind your monitor.

    Oh, and on-topic: Rock on Beale! I'm encouraged to see that grassroots hactivism coming alive! :) (hacker used in "coder" definition) Keep up the good work and keep fighting the good fight.

  • hmm (Score:0, Insightful)

    by Anonymous Coward on Friday October 19, 2001 @08:57AM (#2450979)
    All your digital rights are belong to us.

    But seriously though, wouldn't a beowulf cluster of these be nice?
  • by zarathustra93 ( 164244 ) on Friday October 19, 2001 @08:58AM (#2450981) Homepage
    When are MS, Sony and others going to learn that any sort of system like this will be broken? They should take a tip from the gaming industry.

    I was excited to get a Sony mp3 player as a gift last year. Until I realized that it used a proprietary format, atrac3. It will only allow me to load a particular piece of music 4 times. I've even loaded the music I make on it, but I am still subjected to this limitation. HELLO, it's my music, I made it, I own the copyright.

    Digital Rights Management is there only to help support the massive amount of profit that the recording industry is used to making. Well, I have a message for these people: The days of the $20 CD are long gone. Charge a fair amount of money for your product, and people will buy it. If you continue sticking it to the customer, they will break your systems and get it for free. Evolve or die. It's that simple.

    http://www.assasins.net
  • DRM impossible (Score:2, Insightful)

    by andy_from_nc ( 472347 ) on Friday October 19, 2001 @08:58AM (#2450982)
    DRM usually relies on Encryption. Encryption itself has always depended on evolution. The idea that algorithms that need a system at least several orders more powerful than the one required to encrypt the data to break the data (without the key). DRM is a logistical nightmare, as it requires being able to run on last year's hardware and next year's regardless of the system invented next year.

    Secondly, effective DRM requires a central authority and encryption method which the media available locally will nearly always exceed the bandwidth. (HDTV today, UHDTV tomorrow...all on 1 GHz? probably not)

  • by Rob Kaper ( 5960 ) on Friday October 19, 2001 @09:00AM (#2450990) Homepage
    During a (anti-)DMCA presentation at school, the smartest question I got was the following: is fair use a birth right or simply a result of the sale contract?

    If it's the latter, there's nothing we can do but informing people and refusing to buy products with fscked up sale contracts (limiting fair use).

    Maybe fair use is nothing more than a tradition and something we've grown used to. And not "right", by all means. Is the limitation in copyright (which it is) written in the books of law?

  • Re:Nice (Score:3, Insightful)

    by firewort ( 180062 ) on Friday October 19, 2001 @09:05AM (#2451003)
    Except, as Dmitry Sklyarov learnt, if you write something outside the US, but it's available to those inside the US, and you travel to the US-- you'll be nabbed in a heartbeat.

    Plan your vacations carefully, until we get that law struck from the books.
  • Re:to no end (Score:5, Insightful)

    by Anonymous Coward on Friday October 19, 2001 @09:10AM (#2451020)

    But, know what? It's their property.

    No it's not. That's the whole point - US copyright does not create property rights. The actions of the copyright holders in shifting the terminology of the debate to the language of property rights means they've already almost won. After all, who agrees with stealing? But if they don't own it (and they don't - you paid for it), it ain't stealing...
  • Re:Good news (Score:2, Insightful)

    by Dashslot ( 23909 ) on Friday October 19, 2001 @09:17AM (#2451039)
    Not really. From the readme:
    WARNING!!!!! I have just learned that the new Microsoft Media
    Player EULA includes a clause that says they can *automatically*
    modify the software on your system, without any confirmation from
    you required! In other words, they can disable your software, or
    force an upgrade so that FreeMe won't work, just because they feel
    like it. Be careful out there!

    It will work for a while but for how long?
  • by tonywestonuk ( 261622 ) on Friday October 19, 2001 @09:39AM (#2451085)
    Before you mod me down for being flamebait, please read... Let's say I am part of an up and coming pop band, and manage to put together enough money to release a limited set of CDs to the masses. We would have to pay Rec. Studio costs, CD replication, shipping, marketing, etc etc. Now, I would find it would piss me off should within the first days of release, my track ended up on Gnutella, available for download by anyone for nothing.... But, what pisses me off even more, is that DRM wasn't invented to protect the rights of bands, but rather the profits of the record companies.

    What there should be is a format of music, that 'pseudorandom' noise can be added to at the time of recording, by whoever decides to record it. The music would still be listenable, but be of poor quality. - The pseudo-noise, can be removed by entering a key, that is purchased from the band (for a few $ at most). At this point, however, not only will the sound file become clear, but an ID that is tied to keycode will be added to the sound file (This would be 'noise', but hopefully inaudible to none but the most sensitive ears.) It would be mathematically difficult to decide what is keycode, and what is ID. Should 'in the clear' music be found on Gnutella, then the author can trace who purchased the code, via the ID, and take relevant legal action against them.

    This is how shareware works at the moment, e.g., I download some 'cripple' ware, and should I like it, I pay the author for it, after all, they deserve it. I am usually unwilling to share the unlocked program with others as if my unlocked program ended up on a warez site, and the author finds out, (from the registration info) then I could well be in deep trouble!

    I am sure that this must be possible, and it will give a huge financial gain to the people who make good music, rather than the record labels who skim the profits off other people's work.
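The degrade-then-unlock-with-an-ID scheme proposed in the post above, as an added example that is not part of the original comment. It assumes low-bit embedding, an HMAC-seeded generator, a 32-bit buyer ID and that the unlock step runs on the seller's side so the buyer only ever receives the marked copy; all function names and keys are hypothetical.

```python
import hashlib
import hmac
import math
import random

MASK = 0xFFFF     # samples are handled as unsigned 16-bit values
ID_BITS = 32      # width of the buyer ID (assumption)
REPEAT = 5        # each ID bit is stored 5 times and read back by majority vote
AMPLITUDE = 2048  # peak size of the degrading noise (assumption)


def _rng(key, label):
    """Deterministic generator seeded from HMAC-SHA256(key, label)."""
    return random.Random(hmac.new(key, label, hashlib.sha256).digest())


def degrade(samples, noise_key):
    """Seller side: add keyed noise modulo 2**16 so it can be removed exactly."""
    rng = _rng(noise_key, b"noise")
    return [(s + rng.randrange(-AMPLITUDE, AMPLITUDE)) & MASK for s in samples]


def mark_positions(trace_key, n_samples):
    """Secret sample indices that carry the ID; derivable only with trace_key."""
    return _rng(trace_key, b"positions").sample(range(n_samples), ID_BITS * REPEAT)


def unlock(noisy, noise_key, trace_key, buyer_id):
    """Remove the noise, then write buyer_id into the low bit of the secret positions."""
    rng = _rng(noise_key, b"noise")
    clean = [(s - rng.randrange(-AMPLITUDE, AMPLITUDE)) & MASK for s in noisy]
    for i, pos in enumerate(mark_positions(trace_key, len(clean))):
        bit = (buyer_id >> (i % ID_BITS)) & 1
        clean[pos] = (clean[pos] & ~1 & MASK) | bit
    return clean


def trace(leaked, trace_key):
    """Recover the buyer ID from a leaked copy, one majority vote per ID bit."""
    votes = [0] * ID_BITS
    for i, pos in enumerate(mark_positions(trace_key, len(leaked))):
        votes[i % ID_BITS] += leaked[pos] & 1
    return sum(1 << b for b, v in enumerate(votes) if 2 * v > REPEAT)


def sample_track(n=2000):
    """Constructed test signal: a 440 Hz tone sampled at 8 kHz."""
    return [int(12000 * math.sin(2 * math.pi * 440 * t / 8000)) & MASK for t in range(n)]


if __name__ == "__main__":
    noise_key, trace_key = b"constructed-noise-key", b"constructed-trace-key"
    track = sample_track()
    public = degrade(track, noise_key)                       # freely shared, poor quality
    sold = unlock(public, noise_key, trace_key, 0xC0FFEE42)  # copy sold to one buyer
    changed = sum(a != b for a, b in zip(track, sold))
    print(f"samples altered by the mark: {changed} of {len(track)}")
    print(f"ID traced from the sold copy: {trace(sold, trace_key):#x}")
```

The mark touches at most 160 low bits of the track, and the repetition lets `trace` survive a minority of damaged copies of each ID bit.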
  • by night_flyer ( 453866 ) on Friday October 19, 2001 @09:58AM (#2451127) Homepage
    1) since you're an up and coming pop band, where are you going to get your promotion/exposure from?

    2) if people are downloading your stuff that means you might actually be good

    3) if you are good and people are downloading your stuff, some people will want to buy your stuff and go to your concerts

    4) if people don't know about you they won't purchase anything from you

    so how do you want it?

    (thanks to napster/gnutella/iuma.com/mp3.com I have found MANY new up and coming artists, and have bought their stuff... stuff I wouldn't have bought if I hadn't heard of them...)
  • Re:Well, of course (Score:2, Insightful)

    by Anonymous Coward on Friday October 19, 2001 @10:06AM (#2451155)
    In this case, there *are* no "proven technologies", nor is it possible for there to be any.

    It's one thing if you want to send a message from a source to a destination in such a way that only the destination has the key, and the message is protected from third parties. There's lots of good, solid math explaining various types of ways to do that. But that's not what DRM is. DRM (or ANY name you wish to give the plague known as 'copy protection') is you want to send a message from a source to a destination in such a way that you give a key to anyone who asks, and you don't care about whether the message is protected at all *but* you want to make absolutely damn sure no one can manufacture keys but you.. well, that's just silly, since the point is to keep the way that the key works secret *from someone who has a copy of **and uses** the key*. That just doesn't work; the key can always, in some way, be disassembled. Yes, the DRM thus far (CSS and such) were cracked because the people who designed them made mistakes and left their systems vulnerable to various attacks. But how would 'proven technology' possibly help with that? Even if there weren't the kind of bugs that led to DeCSS being possible, in the end your untrusted party still has a copy of both the key and the message and can watch the two working together in as close detail as they wish..

    Anyway, how on earth are you supposed to get a 'proven technology' based on security through obscurity? In my book the definition of a 'proven' encryption technology is that many people know how it works and have examined its algorithm, and none have found a crack. But in the case of something like CSS or Microsoft DRM, if you tell someone what your encryption scheme is, you've already lost.. so how can you possibly have any kind of publicly scrutinized 'proven technology' used?
  • by tdye ( 308813 ) <devnull+tony@@@bluetree...ie> on Friday October 19, 2001 @10:08AM (#2451168) Homepage Journal
    Fair use is part of the copyright law itself. Its intention is to prevent people from having to pay to excerpt from works for educational or other purposes, and it's been interpreted to also include what's known as 'time-shifting'. Basically, you can record a broadcast or make a copy of a work so that you can read, watch, or listen to it later. You can even share it with your friends, i.e. you can give/loan your ST:TNG tapes to a friend without having to pay Paramount. You can't sell them, however, or profit in any way from the exchange (or broadcast or whatever).

    The problems began when someone figured out how to share a copyrighted work with 16 million people at once... the fair use section of the copyright law makes no mention of scale, because it never occurred to anyone that you might be able to saturate the market with unlimited perfect copies while also charging $0.00 per copy.

    Of course it's not only possible, but easy and convenient. The root problem is, copyright enforcement and fair use of digital material are now mutually exclusive concepts. It's no longer possible to have both.

    So to answer your question, it's part of the law itself, and could conceivably be amended, repealed or restricted with new legislation. The holder of a copyright binds himself to the fair use doctrine when he applies for the copyright, not the purchaser when he agrees to an EULA or buys a work. 'Fair use' is not a right enumerated in the Constitution, though some may argue (convincingly IMHO) that perhaps it ought to be.
  • by Nindalf ( 526257 ) on Friday October 19, 2001 @10:19AM (#2451205)
    I don't consider the pathetic fallacy (describing a phenomenon as if the objects involved were humans acting it out) to be a fallacy at all, but a useful metaphorical device.

    "Water seeks its level." - no, sufficient quantities of water tend to be arranged by the force of gravity over time such that its open surface is roughly equidistant from the center of gravity

    "Opposite electrical charges are attracted to each other." - no, there is a force on any two objects of opposite electrical charge each toward the other

    "Information wants to be free." - no, it is difficult for one party to limit the distribution of information to only those parties it approves of

    The common quotes are shorter and more digestible, literal truth is not relevant compared to effective communication.

    On the other hand, the literal expressions are more likely to be left alone by those who don't understand them.
  • by Bluesee ( 173416 ) <{moc.oohay} {ta} {ynnekkcirtapleahcim}> on Friday October 19, 2001 @10:22AM (#2451216)
    Yah, I've been saying that since Napster. P2P was supposed to destroy the traditional pyramidal economy. Well, it's apparently just gonna take a little longer. But it's hell watching them try to keep their little toe-holds, in't it?

    So many laws and lawyers and schemes and provisions to hold back the dam!

    Boys oughta just step aside and let the information river flow freely; some people might lose their 'free lunch', but the rest of the world will finally realize the promise that was the internet.
  • by Telek ( 410366 ) on Friday October 19, 2001 @10:40AM (#2451309) Homepage
    Let me ask one question...

    You have a DRM technology that is OBVIOUSLY crackable (as all are), and a stupid industry that has just decided that they should use this technology, but hasn't yet implemented it in many places yet.

    Do you:

    A) crack it NOW and therefore allow the industry to quickly switch to a "better" scheme because it's not implemented yet
    -or-
    B) wait until it's in use everywhere and THEN crack it once it's too late for them to switch back?

    What do you think would have happened if CSS was cracked after the first 2 DVDs were released? They would have changed the scheme really quickly.

    HAVE PATIENCE. WAIT until THEY CANNOT SWITCH BACK, and then hack to your heart's desire.

    Argh. This just puts more ammo in the pockets of the industries to give us MORE RESTRICTIONS instead of a stupid scheme that doesn't really hamper things a lot and can be cracked AFTER they commit.

    Argh. Sorry needed to vent.
  • by cjpez ( 148000 ) on Friday October 19, 2001 @10:46AM (#2451349) Homepage Journal
    Of course, when I hear something that sounds like sh*t, I don't buy it. I suppose if you're using just a traditional "singer/guitars/bass/drums" lineup it's probably not that big of a deal, but how can I make a decision whether or not I like Autechre or Aphex Twin if the music SOUNDS bad? Go listen to the sound samples available at Amazon or CDNow for more experimental bands, and then buy the albums. Did the samples give you anywhere NEAR a good feel as to what the music sounds like? Absolutely not.

    On a more philosophical note, you're complaining about the possibility of having your stuff found on Gnutella, and then you're out however much money the downloader's theoretically not spending on you anymore. I can't speak for anyone but myself, but personally, getting me to like your music is the absolute best thing you could possibly do. If I download your music and like it, you can be sure that eventually I'm going to buy it. I don't listen to radio or watch MTV, so how do I find new music? Online. Through file-sharing systems. But I like owning CDs. I like the tangible feel of them. Maybe I won't purchase the album I downloaded, but you can bet I'll purchase the next one. If I like you enough, I tend to become rather completist, too. I'll end up with every last EP you've ever put out, just because I'm that obsessive about it.

    Now without your songs ending up on my hard drive, how am I going to know you even exist? Your argument is based on an assumption that if I download your music, I'll never give you any money. That's just not true.

  • Re:to no end (Score:3, Insightful)

    by unitron ( 5733 ) on Friday October 19, 2001 @10:48AM (#2451362) Homepage Journal
    How surprising that you were unable to develop a meaningful relationship with a young lady WHILE SCREAMING BACK AND FORTH IN ORDER TO BE HEARD OVER THE MUSIC.
  • by maddogsparky ( 202296 ) on Friday October 19, 2001 @10:52AM (#2451376)
    The whole industry was created to satisfy a market: the desire to pay for quality music. When that market was established, very few had the ability to promote, record, manufacture and distribute music. Large companies grew up to fill that niche, where economies of scale made music available to the masses.

    The problem is that the major premises have gone away. The internet allows easy promotion and distribution. The cost of decent caliber recording equipment has come down and many independent sound studios exist that cater to home-town artists. MP3s and Ogg Vorbis reduces the manufacturing requirements to a computer and compression software. If a CD is requested, the cost to burn a CD is less than a couple of dollars, including the shipping.

    The music industry as we have known it is based on premises that no longer are based in real world technical or logistical limitations. They realize that the only way to continue their existence is to artificially constrain access to their product. If they do not, they will continue to lose potential business to the artists who choose to publish themselves and to the businesses who cater to them.

    The US constitution grants patents and copyrights to promote science and the useful arts. If they are using copyright law to limit the spread of good music by closing down distribution and manufacturing channels that are more efficient than their own methods, then they are doing so illegally. I don't see how it is possible to promote a useful art by constraining its diffusion.

  • by BLKMGK ( 34057 ) <morejunk4me@@@hotmail...com> on Friday October 19, 2001 @10:57AM (#2451405) Homepage Journal
    Read it all - Microsoft used SHA-1, Elliptical Curve Encryption, a bastardized version of Base64 encoding, and I think even the kitchen sink to try and keep this from being reversed. They encrypted the comms between DLLs (!) to prevent anyone from being able to get anything from the calls going back and forth - must have added a ton of overhead with all of this encryption. They even move the location of the key pairs on each machine that this junk is installed upon in order to prevent the keys from being easily extracted. Kripes, Microsoft went so far as to build in the capability to REVOKE the keys if they were ever published - this hack must be killing them :-)

    All of that would've worked except that the code that actually USES the keys has to know where they're located and THAT code's location is static (lol). The author simply used THAT code to pull the keys for the decryption - I love it. I'll bet some poor schmuck MSFT techie is smacking his head going "Dammit!" right about now.

    I'm not sure how Microsoft could've stopped this - obviously their bulletproof EULA didn't work (lol). At some point in the code something has to know how to pull the needed keys and I cannot imagine how they would've been able to shift the code that does the calling in every copy of Windows - something has to be static somewhere or at least the code to find the location does :-)

    Since Microsoft used code to detect debuggers I have to wonder how he did this - hacked the debugger too? Hack the code to stop the detection of the debugger? Or decompile the code in some fashion and step through it? (shiver)

    If this was the creation of a single individual or even a team it's damned impressive! I hope that The Reg gets its wish for some sort of an interview granted and that this person or team of persons releases more insightful cracks. This was pretty sweet IMO, my hat's off to this effort!
  • It could be . . . (Score:3, Insightful)

    by hawk ( 1151 ) <hawk@eyry.org> on Friday October 19, 2001 @10:58AM (#2451407) Journal

    > Don't worry. Some people, for whatever reason, use the male form all the time.

    Several years ago, I took a class from Halmos (Yes, *that* Halmos, though I didn't realize who he was at the time. It set in years later when a graduate class stopped cold at a mention of taking his class).

    Anyway, in the middle of his first lecture, he suddenly went on a detour about language, adjectives, and the like. He noted that some languages have the male and female gender, some have male, female, and neutral, and that some have a pronoun for unknown gender. And I quote rather directly, "English is one of those languages. The pronoun is 'he'. So you will excuse me if I do not say 'he or she'."

    He then proceeded mid-sentence on set theory.

    In the English language, "he" does not imply gender unless the context shows otherwise. It is used for both the male and unknown pronoun. "She," on the other hand, does indicate gender.

    So for those of you wondering why some of us always use "he" in the unknown or general case, it could very well be because we're speaking English, rather than engaging in an Orwellian campaign to change the way people think by modifying the language.

    hawk

  • Re:No more secrets (Score:3, Insightful)

    by Jetifi ( 188285 ) on Friday October 19, 2001 @11:03AM (#2451434) Homepage
    The more Microsoft makes its own crypto, the higher the chances the crypto will be cracked.

    Microsoft didn't use their own crypto. Read Technical - they used DES, RC4, SHA-1, and ECC, all tried and tested algorithms, although we don't know about their implementations.

    The only 'innovations' they had were a bad MAC algorithm and a broken BASE64 implementation.

    That said, it doesn't matter what crypto they use. It's being implemented on so-called "trusted" software, on an untrusted OS using untrusted hardware in an untrusted environment, with key material in the same location as the ciphertext. A recipe for disaster.

    OTOH, s/crypto/cryptosystems, and you're makin' sense. The closed culture (i.e. "you customer, me sales") isn't suited to cryptosystem or cipher design.

    Even Microsoft doesn't trust Microsoft for protocol design - which is why they used Kerberos.

  • by eddy ( 18759 ) on Friday October 19, 2001 @11:06AM (#2451448) Homepage Journal

    Hello there Beale Screamer. I just want to take this opportunity to congratulate you on your recent work, which was great. Keep up the good work, and stay low.

    eloj bows.

  • by ChaosDiscordSimple ( 41155 ) on Friday October 19, 2001 @11:37AM (#2451602) Homepage

    The notion that "information wants to be free" is a rather interesting case study of anthropomorphism gone horribly wrong. Information doesn't want anything.

    You're nitpicking. Would you so angrily jump down the throat of someone who suggested that water wants to run downhill? Would you attempt to correct me when I suggest that the software I'm working on wants 256 megabytes of RAM? Most people are perfectly capable of recognizing that anthropomorphism is not literal.

    No, information doesn't want to be free. But information damn well tends toward being free. People fundamentally like sharing information. We tend to tell others things we find interesting. We spend a great deal of effort inventing tools to help share information with each other. Writing, printing, movable type, telegraphs, telephones, email, usenet, web pages.

    Once you've given me a piece of information, you would be hard pressed to stop me from sharing it as I see fit. We've had to build complex legal systems of copyrights and trade secrets for the sole purpose of stopping information from spreading. In the absence of this legal system, information would tend to spread. People spend huge amounts of effort developing encryption, copy restriction mechanisms, and similar mechanisms to stop information from being shared. It's always easier to make a technology that always shares information than a technology that can restrict the sharing of information.

    Human beings like sharing information. Stopping this free spread of information is very difficult. No, information doesn't literally want to be free, but the behavior of normal people tends to spread information. "Information wants to be free" seems to me to be a reasonable way of summarizing the situation.
