Posts filed under Security

AACS 'Advantages'

The last couple of days were all about the leaked key for decrypting HD-DVD movies. This made me curious about the technology, so I headed to the AACS LA website. There's a variety of white papers available, which explain the AACS concept. The same papers were used by muslix64 in making his first breakthrough on circumventing the AACS protection. But there is more to be found on their website... There's even a section which explains the Consumer Benefits of AACS.
  • "Support a superior viewing experience delivered by next generation media formats": AACS is added to the content. The content itself will probably 'work' better without AACS.
  • "Enable greater flexibility to manage, distribute, and play entertainment content on a wider range of devices": This is a 'feature' for the publishing companies. Without the restrictive AACS protection, the content can be played on virtually every device. With AACS protection 'they' control on which device you can play the content.
  • "Enable groundbreaking home entertainment choices and the ability to use content on PCs and a range of CE devices": AACS is added to the content. The content itself will probably 'work' better without AACS.
  • "Work across a variety of formats and platforms": Five letters: L I N U X. AACS protected movies CANNOT be played on Linux. Only movies without the protection can be played on certain Linux players.
Posted on May 4, 2007 and filed under Annoying, DRM, Security.

Illegal HEX codes

As some of you might know, the protection of Blu-Ray and HD-DVD movies is based on a 'secret' key. You need the key to watch protected movies. The (software) players for these movies are able to 'decrypt' these keys from the disc containing the movie. So you already have these keys on the disc. They (the movie companies) just try to hide them from the user (security through obscurity). It is not strange that they use this scheme. It's just the way DRM works on these discs. Due to the lame-ass DMCA law in the United States, it's ILLEGAL to try to find the key on the disc :???: . Somehow an HD-DVD key got discovered (or leaked), and it's going around the great Internet. Several websites have been approached by law firms to take the pages down. This key is represented by a hexadecimal code. How the hell is it possible to declare a hexadecimal string illegal?? The same string can also be represented in a different format (e.g. BASE64). Is this also illegal? Since we don't know other hex keys for decrypting copy protected content, every other string of hex codes might also be illegal. Imagine this: what if the 'next' key might represent the number pi (03 14 15 92 6.....)? Does that mean that all math books need to be burned? Just another example of the fucked up DMCA law in the US. B.t.w. wondering what the last part is of the key... just use Google to search for "09 F9 11 02 9D".... Google knows the rest.
Posted on May 1, 2007 and filed under DRM, News, No Way!!!, Security.

'Secure' USB Flashdrives

Recently, the Dutch Tweakers website started dissecting USB flashdrives. Their goal is to see if the so-called secure USB flashdrives are as secure as the manufacturer says they are. They reviewed the SecuStick and a BioStick. The first protects the data with a password. The latter (two different versions were tested) uses biometrics (fingerprints) to secure your precious data (in combination with AES encryption). The full reports can be read here (SecuStick) and here (BioStick). The Dutch review can be read on the tweakers.net website (here, and here) along with interesting comments on the article. Conclusion of the articles: some of these so-called secure USB flashdrives are not as secure as you might think. OK, the data is 'secure' for the casual user. If real secrets (your private pron collection :-) ) are being stored on those USB flashdrives, you might want to consider using TrueCrypt (with a strong password, and keyfiles) to store your 'valuable' data.
Posted on April 27, 2007 and filed under Hardware, Security.

Getting 'Punished' for Using Pirated Software

Steganos has a piece of software which allows you to create encrypted containers. The Steganos software is 'freely' available on the P2P networks. Just download it and use a key found somewhere on the Internet. This won't help you though.....
You simply install a copy of Steganos Safe 8 but not the new security suite and when doing this you turn "OFF" the update feature temporarily and use a fake serial code you get off the net. Simply mount anyone's .SLE file encrypted drive into the software and it will ask you for their password but won't let you in because it's encrypted. From this point you want to turn the "update" feature back on and force Steganos to update by right clicking it in your system tray or restarting the software. From this point it will detect you had used a fake or known serial after the update and it will now PUNISH you by resetting your encrypted drives' passwords to "123" until you buy a registered copy. [SecurityFocus]
This means that ANYONE is able to open your encrypted content stored in the container. Just use pirated software to open the containers. Thankfully, TrueCrypt is still freeware :-) . Too bad it still isn't available for OSX :cry: .
Posted on April 11, 2007 and filed under Security, Software.

TWiT Podcasts Going Off-Topic

I've been a big fan of the TWiT podcasts. Especially the Apple, Windows and security related podcasts. But lately, the content of those podcasts seems to shift to too much off-topic talk. Take the latest edition of Security Now! (Cross-Site-Scripting - Part II). The podcast is about an hour in length, but the first half hour is nothing but talk about the Sony e-book reader, and favorite writers. What's that got to do with security?? I don't know. Same goes for MacBreak Weekly. It's more about having a good time for the authors, than about bringing some news. I don't mind that the authors are having fun creating the content. Hell, I appreciate a good laugh as much as the next guy, but keep it on topic. Too bad that only about 50% of the content has something to do with the actual title (Mac / Security). If they keep this up, they will lose a listener (not that they might care).
Posted on April 10, 2007 and filed under Annoying, Apple, Personal, Security.

First HD-DVD now Blu-Ray 'cracked'

A couple of weeks ago the HD-DVD protection was officially circumvented. Now the Blu-Ray protection (which also uses AACS for protection) is a 'goner'. I wonder how many trillions of dollars were spent on this protection (which is being paid by the consumers who buy these discs). I just hope that the movie industry follows the music record labels (EMI in this case) in removing protection on audio CDs. B.t.w. I saw the ripped HD-DVD movie 'Serenity' on my PC, and must say that the HD quality is phenomenal. Time to become an early adopter on the HD format (again :-)). This means a new Full-HD TV, and an appropriate player.
Posted on January 24, 2007 and filed under DRM, Personal, Security.

Creating Certificate Signing Requests

OK, the title might sound a little weird, but trust me..... I work on a daily basis with digital certificates (end-user, and SSL certificates). These things get more and more common these days. More and more webservices are being 'secured' by SSL certificates. The only problem is that the technicians who run the services don't know shit (well, most of them do) about SSL and/or PKI. I don't blame them, because it tends to be a little complex. SSL certificates can be generated as self-signed certificates, or you might wanna get a commercial SSL certificate from Certificate Authorities like VeriSign, Thawte, GeoTrust, etc. Anyway, in every case, you need to generate a certificate signing request (CSR), and submit it to the Certificate Authority. The problem is that there are some applications that stay in a pending mode if you generate a CSR, and wait for the resulting certificate to come back from the CA. This might take a couple of days. It would be a lot nicer if you could request the certificate on another platform, and import it in the application when you get the thing. There are several ways to generate a CSR on the different platforms:

  • OpenSSL - equivalent to rocket science for most people, since it's a commandline tool
  • Via webserver tooling (IIS, Java keytool, etc.)
  • XCA - Not very user friendly if you're requesting just one or two certificates a year.
  • And probably some other 'obscure' ways

But what if your application needs an SSL certificate, or your webserver is located on the other side of the world (and you have no way of accessing it directly)? How the hell do you generate a CSR? The Windows platform itself doesn't have any tools for creating certificates (only if you use IIS or have a CA running on the platform). I hope to solve this by creating an application (cross platform of course) which creates these CSRs, and creates pkcs12 (or .pfx) files when you import the resulting certificate in the tool. This pkcs12 file can be installed on the server as needed. Finally, a challenge for me to start programming again.
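
The off-box workflow described above, done with the OpenSSL command line as an added example (it is not the tool the author planned to write): create the key and CSR on any machine, and once the certificate comes back, check that it belongs to the key before bundling both into a .pfx. The host name, file names, passphrase and the throwaway test CA that stands in for the commercial CA are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: off-box CSR, then PKCS#12 bundling once the CA answers.
# Host name, file names, test CA and passphrase are constructed placeholders.
set -eu
HOST="www.example.test"

# Step 1 (any workstation): private key + CSR. The key stays on this machine.
make_csr() (                                  # $1 = working directory
  umask 077                                   # key file readable by owner only
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$1/server.key" -out "$1/server.csr" \
    -subj "/C=NL/O=Example Org/CN=$HOST" \
    -addext "subjectAltName=DNS:$HOST" 2>/dev/null
  openssl req -in "$1/server.csr" -noout -verify 2>/dev/null  # CSR self-signature
)

# Stand-in for the commercial CA (constructed test CA, valid for one day).
# A real CA decides which subject fields and extensions end up in the cert.
test_ca_sign() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/server.crt" 2>/dev/null
}

# Digest of the public key inside a private key, CSR or certificate.
pubkey_hash() {                               # $1 = key|csr|cert, $2 = file
  case "$1" in
    key)  openssl pkey -in "$2" -pubout ;;
    csr)  openssl req  -in "$2" -noout -pubkey ;;
    cert) openssl x509 -in "$2" -noout -pubkey ;;
  esac | openssl dgst -sha256
}

# Step 2: refuse to bundle a certificate that does not belong to our key,
# then write the .pfx. The passphrase is read from $P12_PASS, not from argv.
make_p12() {
  [ "$(pubkey_hash key "$1/server.key")" = "$(pubkey_hash cert "$1/server.crt")" ] \
    || { echo "certificate does not match private key" >&2; return 1; }
  openssl pkcs12 -export -inkey "$1/server.key" -in "$1/server.crt" \
    -certfile "$1/ca.crt" -name "$HOST" -passout env:P12_PASS -out "$1/server.pfx"
}

if [ "${1:-}" = "demo" ]; then                # ./csr-demo.sh demo
  dir=$(mktemp -d); export P12_PASS="constructed-passphrase"
  make_csr "$dir"; test_ca_sign "$dir"; make_p12 "$dir"
  echo "wrote $dir/server.pfx"
fi
```

Only server.csr has to travel to the CA; the resulting server.pfx carries the private key and should be moved to the server over a protected channel.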

Posted on January 17, 2007 and filed under Personal, Security, Software.

Vista and DRM

The new and improved security in Microsoft Vista regarding DRM may (and probably will) have great consequences for the end-user. Peter Gutmann published his research on the DRM features in Windows Vista, and his findings are staggering. The biggest concerns are related to hardware certification revocation, and dynamically downscaling quality. Dynamically downscaling quality means that if Vista plays some DRM enabled media on the PC (HD-DVD, or whatever), all other inputs and outputs are degraded. This means that your high quality pr0n has a lousy quality, while you're listening to DRM enabled music..... Well that sucks, but the implications can be huge, as Peter Gutmann explained. Furthermore, there is the revocation of driver certificates. If, somehow, a driver signing certificate gets stolen from a manufacturer, Microsoft has the ability to revoke that particular certificate. This means that the complete install base for that driver becomes totally useless. It could mean that your PC won't be able to boot (and everyone else's) if you have that particular brand of motherboard. What if key public services become useless because of this driver revocation? No more fresh water, traffic lights gone haywire?? Peter also mentions that the DRM scheme in general is very weak:
Note B: I'll make a prediction at this point that, given that it's trying to do the impossible, the Vista content protection will take less than a day to bypass if the bypass mechanism is something like a driver bug or a simple security hole that applies only to one piece of code (and can therefore be quickly patched), and less than a week to comprehensively bypass in a driver/hardware-independent manner. This doesn't mean it'll be broken the day or week that it appears, but simply that once a sufficiently skilled attacker is motivated to bypass the protection, it'll take them less than a day or a week to do so.
Funny thing is that Engadget recently posted an article about a piece of software that claims to remove DRM from HD-DVD movies...... So Peter's thoughts on that weren't that far off :). Personally I think that the entire Music and Movie industry needs to come to their senses, and stop treating every customer as a criminal. But unfortunately, I don't think that that's gonna happen soon.
Posted on December 28, 2006 and filed under Annoying, Microsoft, Security.

Firefox Disables Old Security Protocols

I received an error today when I tried to access an SSL protected website. According to Firefox:

Firefox can't connect securely to because the site uses a security protocol which isn't enabled.

It seems that Firefox has removed the support for older/insecure SSL sessions. Some research showed that these settings are accessible through the 'hidden' configuration in Firefox. Just type about:config in your address bar and it shows the advanced settings of Firefox. Put security.ssl3.rsa_rc4_40_md5 in the filter bar, so that all other settings are removed from the current view. After that, set the parameter to true (default is false). After this you're able to access the website. If not, try setting the other encryption parameters that are currently false to true. Filter on security; the parameters are quite similar to the one discussed in this entry. Note that there might be some security issues when you enable old(er) security protocol support in Firefox. These are disabled for a reason!!!
Posted on November 29, 2006 and filed under Browsers, Internet, Security.