
Vista DRM Cracked by Security Researcher

Posted by ScuttleMonkey
from the only-a-matter-of-time dept.
An anonymous reader writes "Security researcher Alex Ionescu claims to have successfully bypassed the much discussed DRM protection in Windows Vista, called 'Protected Media Path' (PMP), which is designed to seriously degrade the playback quality of any video and audio running on systems with hardware components not explicitly approved by Microsoft. The bypass of the DRM protection was in turn performed by breaking the Driver Signing / PatchGuard protection in the new operating system. Alex is now quite nervous about what an army of lawyers backed by draconian copyright laws could do to him if he released the details, but he claims to be currently looking into the details of safely releasing his details about this at the moment though."
  • by Anonymous Coward on Monday January 29, 2007 @03:19PM (#17803342)

    called 'Protected Media Path' (PMP)
    I can guess how that's pronounced...
  • by Punko (784684) on Monday January 29, 2007 @03:20PM (#17803356)
    As fast as you can
    • by BSAtHome (455370) on Monday January 29, 2007 @03:32PM (#17803564)
      Freedom to tinker: http://www.freedom-to-tinker.com/ [freedom-to-tinker.com]
    • by yo_tuco (795102) on Monday January 29, 2007 @03:32PM (#17803568)
      From the about page [alex-ionescu.com] it says:

      "He [Alex] is currently studying at Concordia University in Montreal, Canada"

      So does the DMCA apply?
    • Make sure you download the automatic update for your Vista installation so that your DRM features continue to work smoothly. (btw first time an update was ever released before the software it's updating...)
    • Well, he's already probably a bit screwed.

      Here's the problem: there's virtually no way to get in trouble, if you just release an exploit anonymously. (By definition, if it's truly anonymous, they can't catch you; there are lots of ways to basically ensure your anonymity today.) Where you start to get in trouble is when you want to release an exploit that's going to ruin somebody's day and take credit for it.

      This comes up with regards to other, less-politically-sensitive bugs. When you step forward and take credit for something that you've released, you're basically holding up a big "come and get me!" sign. It's a lot easier to sling mud at a person, than it is at some anonymous entity on the Internet.

      It's really taking credit that burns people, not releasing the bug/hack/exploit. It would have been trivial for this guy to release his code, anonymously or even pseudonymously, and keep it firewalled from his real-world identity. If he had done that, there might have been some attempts to uncover who he really was, but I doubt anyone would try that hard -- it's harder to go after someone that's anonymous, than an actual person. With a person, you have something to put in your mind under 'enemy,' that you just don't have with some vaporous person or persons on the Internet. Being anonymous diffuses a lot of the hatred, because it's harder to hate someone that might not exist. By standing up and taking credit, you're accepting everything.

      Personally, if I were to discover something like this, there's no way I'd publicly admit it. I live a happy enough life without becoming some sort of hacker/security icon; the downsides of becoming the next Dmitry Sklyarov seem far greater than the possible benefits. Release the code somewhere in public, maybe signed with a private key that you have stashed away (so, decades down the line, you'd be able to claim it, if you wanted to and if the statute of limitations had run out), and only communicate via Usenet dead-drops and anonymous remailers. The tools to remain completely hidden are all there -- heck, you could probably do interviews in Wired under a pseudonym, the only absolute would be keeping the Clark-Kent-esque secret of your true identity hidden, and I'm not sure if some people would be able to swallow their pride enough to do that.
      • Re: (Score:3, Interesting)

        by Rob T Firefly (844560)
        Thing is, now that he's meekly announced that he's cracked it but not saying how, someone else can duplicate his work (or comes to the same end by unrelated means) and post it anonymously, and it'll all come back to this guy now. He's put himself in the crosshairs even without posting source code.
  • by adambha (1048538) on Monday January 29, 2007 @03:20PM (#17803358) Homepage
    How about a team of pro bono attorneys who are willing to defend (fight?) cases like this in which a researcher simply wants to share his/her findings? Sort of like a non-profit organization.
    • Re: (Score:3, Insightful)

      by eviloverlordx (99809)
      How about a team of pro bono attorneys who are willing to defend (fight?) cases like this in which a researcher simply wants to share his/her findings? Sort of like a non-profit organization.

      We can watch as MS' legal team steps on them like a bug. Not that MS would be in the right, only they would have the most might.
    • by dafragsta (577711) on Monday January 29, 2007 @03:26PM (#17803476)
      If only there was some EFFin' organization that provided such a service. I don't know what the EFF we'll do now. I guess we are all pretty EFF'd.
      • Re: (Score:3, Funny)

        by fotbr (855184)
        You'd have to put a pro-linux spin on this before the EFF will give a damn.

        Merely being anti-microsoft and anti-drm isn't enough to get the linux and open-source fanboys fired up enough to get the EFF to do anything.
        • Re: (Score:3, Interesting)

          by tddoog (900095)
          Not true at all.

          Here is a list of the EFFs recent battles.

          * EFF Warns ABC to Back Off Blogger
          * Florida Voters Challenge Judge's Shutdown of Election Investigation
          * EFF Defends Right to Link from Internet Wiki
          * EFF Backs DontDateHimGirl.com in Defamation Case
          * Computer Security Expert Edward W. Felten Joins EFF Board of Directors
          * Lawsui
    • by brunes69 (86786) <slashdot@nOsPAm.keirstead.org> on Monday January 29, 2007 @03:55PM (#17803852) Homepage
      You really think you can find that many Pro-Bono Attorneys?

      I mean sure, The Joshua Tree was great, but they've been going downhill for awhile....
    • Re: (Score:3, Interesting)

      by kripkenstein (913150)
      He's going to need attorneys very soon. By hacking the DRM he committed a violation; publishing the hack would just add insult to injury - perhaps a lawsuit for supposed 'damages'. But he has already broken the law.

      IANAL.
  • Moving to Redmond? (Score:3, Interesting)

    by Anonymous Coward on Monday January 29, 2007 @03:21PM (#17803364)
    Sounds like somebody will soon get a juicy job offer from Microsoft to tighten up the system...
    • by Anonymous Coward on Monday January 29, 2007 @03:59PM (#17803916)
      From Alex's website -

      "He is currently studying at Concordia University in Montreal, Canada, and is in his first year of obtaining a bachelor's degree in Software Engineering. He is also a Microsoft Student Ambassador and is representing the company on campus as a Technical Rep."

      Uh oh.
    • by arivanov (12034) on Monday January 29, 2007 @04:41PM (#17804484) Homepage
      Yup. There is a word for this in the industry. It used to be called a BUGTRAQ gadfly though nowadays it should be called a "Full Disclosure Gadfly".

      You make enough stink on a non-moderated list like FD with the sole purpose to get hired and you get hired. There are pimps that follow FD, BUGTRAQ and the like for "fresh talent".
  • by FuturePastNow (836765) on Monday January 29, 2007 @03:21PM (#17803378)

    ...could do to him if he released the details, but he claims to be currently looking into the details of safely releasing his details...
    Grammar tip: don't use the same word three times in one sentence.
  • by Anonymous Coward on Monday January 29, 2007 @03:23PM (#17803404)
    ... but there is no space in the margin of this comment to write it.
  • by $RANDOMLUSER (804576) on Monday January 29, 2007 @03:23PM (#17803406)
    "Vista DRM cracked by anybody with the desire to do so".
  • by DBCubix (1027232) on Monday January 29, 2007 @03:24PM (#17803436)
    and then ask Network Solutions to suspend their domain. It works on GoDaddy domains.
    • Re: (Score:3, Interesting)

      by $RANDOMLUSER (804576)

      It works on GoDaddy domains.

      Closed captioned for the informationally challenged: Microsoft pays GoDaddy to use IIS for parked domains so it looks like IIS is "just behind" Apache on "who's using which web server" pie charts.
  • Hopefully, other players in the media industry see this and realize that DRM is a pointless encumbrance!

    Yeah, right. They'll just keep up with their usual approach, one akin to installing a governor on your car to deter theft.
    • by Pojut (1027544)
      ...a governor to deter theft?

      What the fuck are you talking about? Last time I checked a governor prevented a vehicle from going over a certain speed (or in the case of a rev-limiter, from going over a certain RPM)
      • by Jabrwock (985861)

        Last time I checked a governor prevented a vehicle from going over a certain speed (or in the case of a rev-limiter, from going over a certain RPM)

        I suppose with a custom governor you could use it to disable your transmission, which would effectively prevent someone from driving off in your car. I mean, all you'd have to do is have some control that adjusted it to prevent a vehicle from going over the speed of 2mph... ;)

        They have remote battery-cutoffs, why not remote governor adjusters?

        • by Pojut (1027544)
          Because what would be the point in that...? Like you said, they have remote battery cutoffs....I would rather someone not be able to start my car rather than be able to drive it at 2 miles an hour...

          Unless you are being sarcastic, in which case my sarcasm-radar is broken
  • by 192939495969798999 (58312) <info AT devinmoore DOT com> on Monday January 29, 2007 @03:28PM (#17803500) Homepage Journal
    Just release it, the deluge of bad PR will suck the moneyline away from the lawyers long enough for you to jet to Aruba or somewhere.
  • by Midnight Thunder (17205) on Monday January 29, 2007 @03:29PM (#17803506) Homepage Journal
    Now that people know it is possible, I am sure it is only a matter of time before others across the globe attempt to find the weakness. Some of these people won't even be affected by USA law, unless they decide to visit or transit through the country.
    • by drinkypoo (153816) <martin.espinoza@gmail.com> on Monday January 29, 2007 @03:59PM (#17803932) Homepage Journal

      Some of these people won't even be affected by USA law, unless they decide to visit or transit through the country.

      One wonders if the harassment of people who are not breaking US law in their own jurisdiction when they come to the US will have a chilling effect on technology in the USA. Certainly, some very smart people would be very stupid to visit here...

    • by walt-sjc (145127)
      Releasing the information anonymously is easy. The problem comes for researchers who want to put their name on it. The problem this guy now has, is that if some anonymous person releases a crack, MS lawyers will get the MS purchased FBI / NSA to go after this researcher regardless of any "proof" that HE actually released it or not.
  • by rewt66 (738525) on Monday January 29, 2007 @03:29PM (#17803510)
    Mark says that it's possible. He also says enough that someone else as "skilled in the art" as he is can probably figure out what he did.

    And what he did, if I understand correctly, is have some of his own code run as kernel without it being in a "test signed" driver. That seems to be the essence of his approach. Once you figure out how to do that, you can basically do anything, and Microsoft can't stop you.
  • by Anonymous Coward on Monday January 29, 2007 @03:29PM (#17803512)
    Alex Ionescu is the main kernel/HAL developer for the GPL'ed ReactOS project (www.reactos.org), which is aiming for an OS that is fully binary AND driver-compatible with Windows XP/Vista. If you look through the work he's done in the ReactOS SVN (developer name 'ion'), I have no doubts that he's fully capable of analyzing and defeating any kernel-level protections in Vista.

    Although ReactOS can share a lot of work with the WINE project for the win32 userland, it could still use any developers that are familiar with win32 development and would like to see a truly free operating system capable of using windows drivers/software.
  • by 8127972 (73495) on Monday January 29, 2007 @03:30PM (#17803536)
    After all, it's only going to get cracked sooner or later. So there is no point, is there?
    • by i kan reed (749298) on Monday January 29, 2007 @03:43PM (#17803726) Homepage Journal
      Not for the pirates, no... It's generally believed that DRM is to screw those who actually pay for things into paying for them more than once.
    • by drinkypoo (153816)
      Your sig (at the moment: "This is my opinion. To make sure you don't steal it, it's covered by the DMCA.") contains all the answers. The DMCA basically prohibits all reverse-engineering except for the purpose of interoperability. While in the loosest sense of the word that IS what we are talking about (you're making Windows interoperate with your TV) it's not what they mean. You can reverse-engineer Windows all you want, but only for the purpose of running Windows programs, or making your product work on Wi
    • by happyemoticon (543015) on Monday January 29, 2007 @03:52PM (#17803818) Homepage

      The goal is not to make a secure system. The idea of securing a system from its owner (who has physical access) while maintaining usability is absurd and approaches impossibility. They just want to make a system which 99.9% of users cannot crack, make it so that the crack cannot be generalized across different systems, and prosecute the remaining 0.1%.

      Really, the only way to defeat DRM is to prove to companies that they will make more money without DRM than with, or, failing that, make the preceding true via strikes and public awareness.

    • Re: (Score:3, Interesting)

      by TheSpoom (715771) *
      The only way DRM could work is if the publisher controlled both the hardware and the software environment. Ever heard of Trusted Computing and the Fritz chip [cam.ac.uk]? The idea is that they goop up the board with epoxy and/or lock the keys into a tamper-resistant CPU. Any attempts to get them would destroy the hardware. Once they do this, it is within the realm of possibility that they'd have their dream DRM that could only be broken by the most well-funded labs, which, in the United States, would probably be ve
    • Re: (Score:3, Interesting)

      by RAMMS+EIN (578166)
      I think you add DRM to your system to gain the favor of the Copyright Cartel. The business case is that they will prefer to distribute content through your proprietary system, rather than a competitor's system that doesn't have DRM. Since people (supposedly) want the content, they'll use your system...and there's your profit.
    • Re: (Score:3, Interesting)

      by RAMMS+EIN (578166)
      The point of DRM, as far as I can see, is not that it prevents determined pirates from doing what they want, but to wring more money from paying customers. Instead of paying for content once, you can make them pay multiple times by limiting what they can do with their purchase.

      E.g., if they can't play their original purchase on their portable music player, you can make them pay again if they want to do that. If you prevent them from making a backup, they will have to pay again if the initial purchase is los
  • What with (Score:3, Funny)

    by JustNiz (692889) on Monday January 29, 2007 @03:31PM (#17803546)
    Excellent news.
    What with HD-DVD and Blu-Ray being cracked already, and now this, combined with all the hate and general unity by consumers against the big movie and music industry, how much more signal do they need that DRM is pointless and unwanted and to finally stop trying to force it on us?

    • combined with all the hate and general unity by consumers against the big movie and music industry,

      The problem is, there is not general unity by consumers against those industries. There is definitely unity on Slashdot and other tech-savvy sites, but walk into any Best Buy (or any other store) and look at the dozens of people perusing the DVD & CD sections. If the Vista DRM cripples legitimately purchased media you will see public backlash but as long as the public doesn't know what's going on behin

  • Its a shame (Score:3, Interesting)

    by JustNiz (692889) on Monday January 29, 2007 @03:33PM (#17803572)
    that he put his name to it, rather than just release his findings anonymously from a public internet terminal.
  • by Anonymous Coward on Monday January 29, 2007 @03:34PM (#17803596)
    If I drive a car, or heck, use a toaster, isn't it legal for me to give the product to a mechanic or someone versed in the art to check whether it's safe or not?

    So if I use windows .. I need to know if the DRM or digital signing is crap. I don't want spyware to be fakely "digitally signed" and run on my system. If the DRM is crap why would anyone release anything with it? Why are software companies able to prevent or hinder research into the security of their products and announcements to the public w.r.t. their safety?
  • I'll gladly do it. I live an arm's length away from the furthest reach of the DMCA.
  • by resistant (221968) on Monday January 29, 2007 @03:39PM (#17803664) Homepage Journal

    Yes, I know it's been said very many times before, but I'm moved to say it again. It's simply obscene that runaway copyright law provisions should be used to casually stomp on this kind of freedom of speech, especially in the U.S.A., where allegedly there is a First Amendment guaranteeing freedom of speech. I would very much like to see a full-out legal confrontation between these terroristic laws as they stand, and the Constitution. The alleged and artificial "right" of the smirking lawyers at commercial companies to keep their nasty little secrets does not in any sense abrogate the innate, natural right of the people to talk to each other about any damn thing they want, particularly complex subjects, and in any way they wish, including via carrier pigeons and Morse code, let alone in plain English (or whatever language) on the Web.

    It's really a shame that other countries such as Sweden actually surpass the U.S.A. in this area.

    Frankly, this pisses me off enough that I'm very strongly tempted once my finances improve enough for the expensive legalities, to spit in the eyes of these jerkoffs with a direct, blunt and extremely widespread explanation (possibly on a Russian server to further annoy and frustrate them) of whatever it is that they absolutely are frantic to not have explained, along with the text of the Constitution with the First Amendment highlighted in red. I think a well-crafted attack on this crap would gather quite a lot of support, moral and otherwise.

  • Honest question (Score:4, Interesting)

    by jiggerdot (976328) on Monday January 29, 2007 @03:40PM (#17803674) Homepage
    Since the DRM in Vista is so inextricably tied in to the OS, then ANY hack which allows you to run stuff at kernel level will, by definition, be able to break the DRM. Which begs the question: could Sony's next rootkit be a violation of the DMCA, instead of just a huge pain in the ass?
  • by SEMW (967629) on Monday January 29, 2007 @03:40PM (#17803676)

    ...which is designed to seriously degrade the playback quality of any video and audio running on systems with hardware components not explicitly approved by Microsoft.
    Woah! "any video and audio"? I thought it was just Blu-ray and HD-DVD movies which have the Image Constraint Token (ICT) flag set. TFA quotes it as "some premium content", which doesn't make it much clearer. Anyone want to clarify?
  • by Weaselmancer (533834) on Monday January 29, 2007 @03:47PM (#17803764)

    Someone in America cracked this first.

  • Yay! (Score:2, Funny)

    by Grinin (1050028)
    There needs to be an installer to bypass the PMP and DRM functionality in Vista so that every user can have the right to CHOOSE!
  • Details? (Score:5, Funny)

    by Jotii (932365) on Monday January 29, 2007 @04:08PM (#17804056) Homepage

    he claims to be currently looking into the details of safely releasing his details
    Can anyone explain more in detail?
  • Even if Vista were perfect and beyond any cracks/hacks, the DRM on the media will be defeated on other platforms. The content will then spread without DRM. Somebody in Hong Kong or Vietnam will make a standalone Blu-Ray/HD-DVD player that rips directly to open formats, and that will be that.

    All the effort MS is putting into this will not make the studios happy, and will not make the customers happy. I think they made a bad choice.
  • Misleading story (Score:3, Informative)

    by NullProg (70833) on Monday January 29, 2007 @04:11PM (#17804120) Homepage Journal
    This is a Blog entry, not an Article or News story. From the Blog...

    1). It doesn't work out of the Box.
    That being said, it turns out the code I've written does not work out of the box on a Vista RTM system.

    2). It uses a method provided by Microsoft.
    As part of the Protected Media Path, (PMP), Windows Vista sets up a number of requirements for A/V software and drivers in order to ensure it complies with the demands of the media companies.

    3). It hasn't been tested.
    Although used on its own, this POC doesn't do anything or go anywhere near the PMP (I don't even have Protected Media, HDMI, HD-DVD, nor do I know where PMP lives or how someone can intercept decrypted streams),

    4). Author is more afraid of the DMCA than of violating Microsoft's EULA terms.
    a particularly nasty group of lawyers could still somehow associate the DMCA to it, so I'm not going to take any chances.

    This isn't a story. It's premature speculation.
    Enjoy,

    • Re:Misleading story (Score:5, Interesting)

      by Alex_Ionescu (199153) on Monday January 29, 2007 @04:26PM (#17804272) Homepage
      1). It doesn't work out of the Box.

      Yes, it requires a reboot, which is why it's only useful for bypassing DRM, not for open source apps (which will have to bother the user to reboot).

      2). It uses a method provided by Microsoft.

      Erm, no, PMP is provided by Microsoft. This method bypasses it.

      3). It hasn't been tested.

      It works fine, the actual PMP-disabling code hasn't been tested because I don't want to touch that. But my code ran in kernel-mode, which means it's possible. Read up a bit on computer architecture and you'll see that as long as you have access to the kernel, you're God on the machine (Apart from hypervisor machines and/or additional hardware -- which PMP doesn't currently employ).

      4). Author is more afraid of the DMCA than of violating Microsoft's EULA terms.

      Author is a student and doesn't want to be sued out of existence because this method could be used to "circumvent a technological measure primarily destined for copyright protection".

  • Sometimes . . . (Score:3, Insightful)

    by Hamoohead (994058) on Monday January 29, 2007 @04:14PM (#17804148)
    . . . the only incentive one needs to complete a task is the knowledge that it has been, and can be done. It doesn't much matter if he releases his code. TFA has enough info for anyone savvy enough to duplicate his work. Once it's out of the bottle, it'll be like WGA all over again. Another cat . . . another mouse . . . another cat . . . But perhaps the knowledge that Windows ultimate "security" DRM is, indeed, insecure will turn out to be the mouse that roared.
  • by E-Lad (1262) on Monday January 29, 2007 @04:17PM (#17804190) Homepage

    "It's time to un-PMP ze audio"
  • by nwoolls (520606) on Monday January 29, 2007 @04:38PM (#17804434) Homepage
    If it didn't have some FUD right in the summary.

    'Protected Media Path' (PMP), which is designed to seriously degrade the playback quality of any video and audio running on systems with hardware components not explicitly approved by Microsoft..

    No. It doesn't. It does it for specific DRM content.

    These restrictions only apply to DRM content, such as HD DVD or Blu-ray. Users' standard unprotected content will not be faced with these restrictions.

    http://en.wikipedia.org/wiki/Protected_Video_Path [wikipedia.org]
  • by LoudMusic (199347) on Monday January 29, 2007 @04:53PM (#17804616)

    Security researcher Alex Ionescu claims to have successfully bypassed the much discussed DRM protection in Windows Vista ...
    I figured that out too. Seems there are plenty of products on the market already that help with the problem. OS X, Ubuntu, Amiga, Solaris, Zeta, ... hell, even XP.

    No one ever said we have to upgrade to Vista.
  • DRM is difficult. (Score:3, Interesting)

    by rew (6140) <r.e.wolff@BitWizard.nl> on Tuesday January 30, 2007 @04:28AM (#17811088) Homepage
    Standard encryption is easy. Keep your keys safe from the bad guys and as long as you use a reasonable encryption, things are fine.

    DRM is difficult: You have to give the end user the keys, and then trust that only the uses that you've prescribed are allowed. Giving the keys to the end user is stupid, so the keys are given ONLY to a trusted module inside the end user's machine. That trusted module is supposed to A) keep the keys secret, and B) enforce the rules that accompany the key. (e.g. you rented this for a week and a week has gone by).

    If you have a general purpose computer, it's very difficult to have a trusted software module that can't be cracked somewhere inside.

    In the backup-hddvd case, examining the core of the userspace program revealed volume and title keys. But the "master keys" are still somewhere inside.

    In this case the operating system's trusted platform that should prevent that kind of trick has been broken. Now you can insert your own debugger into the trusted core, and examine other stuff inside the trusted platform. Or you can claim to be a trusted driver, who has to have access to the unencrypted HD content.

    In any case, as long as there is no hardware trusted module, it is always possible to run a good enough simulation, and run the DRM software under the simulation in a virtual machine.

    And even if you DO have a hardware DRM module, I don't think it's possible to get right if you have a passive element on one side. For example a HDDVD is passive. So it can't verify the other side, and only give up the keys if it has confirmed the other side to be a trusted DRM module.
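The trust split rew describes (issuer keeps a master key, the user's machine gets only a license plus a trusted module that keeps the key secret and enforces the rental rule) as an added toy model, not code from the commenter or from any real DRM scheme; the module key, the XOR key wrap and the sample license are constructed for illustration.

```python
"""Toy model of a DRM trusted module (constructed example, not a real scheme).

The issuer hands the end user a *license*: the content key wrapped under the
module's key, plus usage rules (here a rental expiry), all authenticated with
an HMAC. The trusted module verifies the license, enforces the rule, and only
then releases the content key to the player.
"""
import hashlib
import hmac
import json

# Constructed: the secret the issuer shares with the trusted module.
MODULE_KEY = b"\x11" * 32


def _mac(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def _wrap_key(content_key: bytes, module_key: bytes) -> bytes:
    # Constructed XOR-with-derived-pad wrap (its own inverse); a real
    # system would use an AEAD. Content keys are 32 bytes.
    pad = hashlib.sha256(module_key + b"wrap").digest()
    return bytes(a ^ b for a, b in zip(content_key, pad))


def issue_license(content_id, content_key, rental_seconds, now, module_key=MODULE_KEY):
    """Issuer side: bind the wrapped key to its usage rules with a MAC."""
    body = {"content_id": content_id,
            "expires": now + rental_seconds,
            "wrapped_key": _wrap_key(content_key, module_key).hex()}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": _mac(module_key, payload).hex()}


class TrustedModule:
    """The component that must (A) keep MODULE_KEY secret and (B) enforce rules."""

    def __init__(self, module_key=MODULE_KEY):
        self._module_key = module_key

    def release_key(self, lic, now):
        payload = json.dumps(lic["body"], sort_keys=True).encode()
        expected = _mac(self._module_key, payload)
        # Rule integrity: an edited expiry no longer matches the MAC.
        if not hmac.compare_digest(expected, bytes.fromhex(lic["mac"])):
            raise PermissionError("license tampered or forged")
        # Rule enforcement: the rental window has closed.
        if now > lic["body"]["expires"]:
            raise PermissionError("rental expired")
        return _wrap_key(bytes.fromhex(lic["body"]["wrapped_key"]), self._module_key)


def demo():
    """Exercise the three cases: valid rental, expired rental, edited expiry."""
    content_key = bytes(range(32))          # constructed sample key
    t0 = 1_000_000                          # constructed issue time (seconds)
    lic = issue_license("movie-42", content_key, rental_seconds=7 * 86400, now=t0)
    mod = TrustedModule()
    results = {"valid": mod.release_key(lic, now=t0 + 3600) == content_key}
    try:
        mod.release_key(lic, now=t0 + 8 * 86400)
        results["expired"] = "released"
    except PermissionError as e:
        results["expired"] = str(e)
    # A user who only has the license (not MODULE_KEY) extends the expiry.
    forged = {"body": dict(lic["body"], expires=t0 + 365 * 86400), "mac": lic["mac"]}
    try:
        mod.release_key(forged, now=t0 + 8 * 86400)
        results["forged"] = "released"
    except PermissionError as e:
        results["forged"] = str(e)
    return results


if __name__ == "__main__":
    print(demo())
```

Every check here rests on MODULE_KEY staying inside TrustedModule, which is exactly the property the comment says a general-purpose machine cannot guarantee once the kernel is under the user's control.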
