Vista DRM Cracked by Security Researcher

An anonymous reader writes "Security researcher Alex Ionescu claims to have successfully bypassed the much discussed DRM protection in Windows Vista, called 'Protected Media Path' (PMP), which is designed to seriously degrade the playback quality of any video and audio running on systems with hardware components not explicitly approved by Microsoft. The bypass of the DRM protection was in turn performed by breaking the Driver Signing / PatchGuard protection in the new operating system. Alex is now quite nervous about what an army of lawyers backed by draconian copyright laws could do to him if he released the details, but he claims to be currently looking into the details of safely releasing his details about this at the moment though."

Pro Bono Security Attorneys

[adambha]

How about a team of pro bono attorneys who are willing to defend (fight?) cases like this in which a researcher simply wants to share his/her findings? Sort of like a non-profit organization.

Moving to Redmond?

[Anonymous Coward]

Sounds like somebody will soon get a juicy job offer from Microsoft to tighten up the system...

Alex is also re-implementing the win32 kernel

[Anonymous Coward]

Alex Ionescu is the main kernel/HAL developer for the GPL'ed ReactOS project (www.reactos.org), which is aiming for an OS that is fully binary AND driver-compatible with Windows XP/Vista. If you look through the work he's done in the ReactOS SVN (developer name 'ion'), I have no doubts that he's fully capable of analyzing and defeating any kernel-level protections in Vista.

Although ReactOS can share a lot of work with the WINE project for the win32 userland, it could still use any developers that are familiar with win32 development and would like to see a truly free operating system capable of using windows drivers/software.

Its a shame

[JustNiz]

that he put his name to it, rather than just release his findings anoymously from a public internet terminal.

Is it illegal for me to have someone check safety?

[Anonymous Coward]

If I drive a car, or heck use a toaster. Isn't it legal for me to give the product to a mechanic or someone versed in the art to check whether it's safe or not?

So if I use windows .. I need to know if the DRM or digital signing is crap. I don't want spyware to be fakely "digitally signed" and run on my system. If the DRM is crap why would anyone release anything with it? Why are software companies able to prevent or hinder research into the security of their products and announcements to the public w.r.t their safety?

Re:Post the details on MySpace

[$RANDOMLUSER]

It works on GoDaddy domains.

Closed captioned for the informationally challenged: Microsoft pays GoDaddy to use IIS for parked domains so it looks like IIS is "just behind" Apache on "who's using which web server" pie charts.

Honest question

[jiggerdot]

Since the DRM in Vista is so inextricably tied in to the OS, then ANY hack which allows you to run stuff at kernel level will, by definition, be able to break the DRM. Which begs the question: could Sony's next rootkit be a violation of the DMCA, instead of just a huge pain in the ass?

"*Any* video and audio"?

[SEMW]

...which is designed to seriously degrade the playback quality of any video and audio running on systems with hardware components not explicitly approved by Microsoft.

Woah! "anyvideo and audio"? I thought it was just Blu-ray and HD-DVD movies which have the Image Constraint Token (ICT) flag set. TFA quotes it as "some premium content", which doesn't make it much clearer. Anyone want to clarify?

Re:Too bad this didn't come out 3-6 months from...

[SEMW]

right now this seems to give M$ a head start on tightening the DRM noose even more or insisting on TPM.

Maybe now MS Norway's use of a Mac [atvs.vg.no] to demonstrate Vista makes more sense [vnunet.com]...

Re:1st thing is to get a good lawyer

[Phrogman]

No, that doesn't matter. I am sure that my govt will happily deport him if the **AA asks them to. We seem to bend over backwards for the US at this point, and for the **AA in particular, just look at the politician they bought recently up here. A Conservative government here in Canada turns us into a mere appendage of the US Government, compliant to their will most of the time. Hell, we just paid out 10 mil in damages to a Canadian Citizen we happily fingered for the US Dept of Homeland security so they could ship him to Syria to be tortured for a year or so even though there was no evidence he supported terrorism. I have no doubt that violating DRM (which is surely as Evil(tm) as terrorism in the eyes of the **AA, in fact they probably want to equate the two) will be sufficient to get this guy exported to some country for torture as well :)

"Government for the corporations, by the corporations, for the benefit of all corporations..." or something to that effect.

Re:He won't need to ...

[drinkypoo]

Some of these people won't even be affected by USA law, unless they decide to visit or transit through the country.

One wonders if the harassment of people who are not breaking US law in their own jurisdiction when they come to the US will have a chilling effect on technology in the USA. Certainly, some very smart people would be very stupid to visit here...

Re:Why bother even having DRM?

[TheSpoom]

The only way DRM could work is if the publisher controlled both the hardware and the software environment. Ever heard of Trusted Computing and the Fritz chip [cam.ac.uk]? The idea is that they goop up the board with epoxy and/or lock the keys into a tamper-resistant CPU. Any attempts to get them would destroy the hardware. Once they do this, it is within the realm of possibility that they'd have their dream DRM that could only be broken by the most well-funded labs, which, in the United States, would probably be very illegal.

Of course, here, we're getting into 1984 type stuff that people would never buy into. Right? Well... hopefully. Read the FAQ linked above if you haven't before; like everything else, they're selling this under the guise of "security", even though it has very little tangible benefit to the end user.

Re:What with

[Anonymous Coward]

A simpler approach: 1) attend live events (theatre, music etc) 2) don't buy from the mainstream media. The nicest feature of this is that you can do these things and still enjoy yourselves without having to suffer from hateful stress.

Re:Why bother even having DRM?

[RAMMS+EIN]

I think you add DRM to your system to gain the favor of the Copyright Cartel. The business case is that they will prefer to distribute content through your proprietary system, rather than a competitor's system that doesn't have DRM. Since people (supposedly) want the content, they'll use your system...and there's your profit.

Re:Post the details on MySpace

[heinousjay]

Awesome insinuation. Any evidence?

Re:Manna from heaven.

[drinkypoo]

Vista would appear to be going nowhere in the market with the DRM mill-stone around its neck.

I don't think so. Businesses don't care; this will not affect them. Home users don't care; they don't want Vista. It's the lack of a compelling reason to purchase Vista that's stopping people from purchasing Vista. Windows 95 was a major upgrade. Windows XP was a major upgrade. They both got major attention. Windows Vista is a minor upgrade. It adds eye candy and some features that only business users typically need (like whole-disk encryption, which is a recipe for disaster in the hands of home users.)

The bottom line is that home users will be the major adopters of Vista because they will get the machine with Vista and they will run it with Vista. Corporate users who get new machines in with Vista will probably, if they have a volume license, run Windows XP on them instead, for the foreseeable future, not least because Vista has a brand-spanking-new TCP/IP stack which at least in the beta was known to be vulnerable to a whole laundry-list of otherwise-outdated attacks, things Windows hasn't been vulnerable to since the late nineties. Personally my biggest concern about vista on the corporate desktop (luckily not a decision I have to make) is that the network stack will be a vector of attack into the network, one that our firewall has no power to stop since users are continually opening outgoing connections.

Re:Pro Bono Security Attorneys

[kripkenstein]

He's going to need attorneys very soon. By hacking the DRM he committed a violation; publishing the hack would just add insult to injury - perhaps a lawsuit for supposed 'damages'. But he has already broken the law.

IANAL.

Re:Why bother even having DRM?

[RAMMS+EIN]

The point of DRM, as far as I can see, is not that it prevents determined pirates from doing what they want, but to wring more money from paying customers. Instead of paying for content once, you can make them pay multiple times by limiting what they can do with their purchase.

E.g., if they can't play their original purchase on their portable music player, you can make them pay again if they want to do that. If you prevent them from making a backup, they will have to pay again if the initial purchase is lost or damaged. And so on.

Re:1st is to realize credit is overrated.

[Rob T Firefly]

Thing is, now that he's meekly announced that he's cracked it but not saying how, someone else can duplicate his work (or comes to the same end by unrelated means) and post it anonymously, and it'll all come back to this guy now. He's put himself in the crosshairs even without posting source code.

Re:Misleading story

[Alex_Ionescu]

1). It doesn't work out of the Box.

Yes, it requires a reboot, which is why it's only useful for bypassing DRM, not for open source apps (which will have to bother the user to reboot).

2). It uses a method provided by Microsoft.

Erm, no, PMP is provided by Microsoft. This method bypasses it.

3). It hasn't been tested.

It works fine, the actual PMP-disabling code hasn't been tested because I don't want to touch that. But my code ran in kernel-mode, which means it's possible. Read up a bit on computer architecture and you'll see that as long as you have access to the kernel, you're God on the machine (Apart from hypervisor machines and/or additional hardware -- which PMP doesn't currently employ).

4). Author is more afraid of the DMCA than of violating Microsofts EULA terms.

Author is a student and doesn't want to be sued out of existence because this method could be used to "circumvent a technological measure primarly destined for copyright protection".

Re:He won't need to ...

[TropicalCoder]

Some of these people won't even be affected by USA law, unless they decide to visit or transit through the country.

They don't have to visit or transit through the country - The US government will just send the CIA to kidnap them and send them to Egypt for torture.

Re:Moving to Redmond?

[arivanov]

Yup. There is a word for this in the industry. It used to be called a BUGTRAQ gadfly though nowdays it should be called a "Full Disclosure Gadfly".

You make enough stink on a non-moderated list like FD with the sole purpose to get hired and you get hired. There are pimps that follow FD, BUGTRAQ and the like for "fresh talent".

Not a problem

[StarKruzr]

but he claims to be currently looking into the details of safely releasing his details about this

Freenet: It's Not Just For Kiddie Porn Anymore(TM) [freenetproject.org]

By design?

[Anonymous Coward]

Remember when Asian DVD manufactures *had* to implement DVD-region-encoding? Even though they absolutely didn't want to? Even though the market clearly didn't want it?
Their solution was to ship region-encoded players (thus fulfilling their legal obligations) that were incredibly trivial to unlock - usually pressing two buttons simultaneously on the remote or similar nonsense.

One could argue that Microsoft has delivered a DRM system that satisfies the content producers yet is crackable enough to allow vista to be successful in the market.

In fact, there's no way you can prove that the hack itself didn't originate in Redmond.

Or this is just all pie-in-the-sky and everything really is exactly as it appears. :)

Re:Pro Bono Security Attorneys

[tddoog]

Not true at all.

Here is a list of the EFFs recent battles.

        * EFF Warns ABC to Back Off Blogger
        * Florida Voters Challenge Judge's Shutdown of Election Investigation
        * EFF Defends Right to Link from Internet Wiki
        * EFF Backs DontDateHimGirl.com in Defamation Case
        * Computer Security Expert Edward W. Felten Joins EFF Board of Directors
        * Lawsuit Demands Answers About Government's Secret 'Risk Assessment' Scores
        * Fight to Unseal Critical Evidence in AT&T Surveillance Case
        * Tuesday Hearing on Critical E-Voting Evidence in Flawed Florida Election
        * American Travelers to Get Secret 'Risk Assessment' Scores
        * Self-Help Group Backs Off Attack on Internet Critic
        * EFF Accepts Barney's Surrender
        * EFF Fights to Shield Email from Secret Government Searches
        * Sarasota Voters File Lawsuit for Re-vote in Congressional Race
        * EFF Files Suit for Answers About New International Air Passenger Data Deal
        * California Supreme Court Rules in Favor of Free Speech on the Internet

Re:Misleading story

[NullProg]

Not using a driver, RTFM.
snip
Which is why this isn't using a stolen/3rd party driver or unsigned driver, nor actually loading a driver.

Ok, I re-read the post, and read some of the other postings. Did slashdot miss a link? Where exactly do you descibe your method?


There's about a dozen ways to disable PatchGuard, and I was able to patch CI.DLL, disable PatchGuard, as well as turn off code signing.

Again, is there some other link that wasn't posted with this story? No where on the orginal blog entry does it mention that you disabled PatchGuard. If you have patched CI.DLL then I congratulate you.

I reserve my right to be a skeptic until I have the details.

Enjoy,

DRM is difficult.

[rew]

Standard encryption is easy. Keep your keys safe from the bad guys and as long as you use a reasonable encryption, things are fine.

DRM is difficult: You have to give the end user the keys, and then trust that only the uses that you've prescribed are allowed. Giving the keys to the end user is stupid, so the keys are given ONLY to a trusted module inside the end users machine. That trusted module is supposed to A) keep the keys secret, and B) enforce the rules that accompany the key. (e.g. you rented this for a week and a week has gone by).

If you have a general purpose computer, it's very difficult to have a trusted software module that can't be cracked somewhere inside.

In the backup-hddvd case, examining the core of the userspace program revealed volume and title keys. But the "master keys" are still somewhere inside.

In this case the operating systems trusted platform that should prevent that kind of tricks has been broken. Now you can insert your own debugger into the trusted core, and examine other stuff inside the trusted platform. Or you can claim to be a trusted driver, who has to have access to the unencrypted HD content.

In any case, as long as there is no hardware trusted module, it is always possible to run a good enough simulation, and run the DRM software under the simulation in a virtual machine.

And even if you DO have a hardare DRM module, I don't think it's possible to get right if you have a passive element on one side. For example a HDDVD is passive. So it can't verify the other side, and only give up the keys if it has confirmed the other side to be a trusted DRM module.

Re:"Draconian"

[shutdown -p now]

We don't need life + 90yrs for GPL to work. But it's there. And yes, it's draconian.

What more, if there were no copyright, there wouldn't be a need for GPL (you could "steal" other people's code by using it in a closed-source product, but you wouldn't have any way to profit from it, so noone'd bother).