Vista DRM Cracked by Security Researcher
An anonymous reader writes "Security researcher Alex Ionescu claims to have successfully bypassed the much discussed DRM protection in Windows Vista, called 'Protected Media Path' (PMP), which is designed to seriously degrade the playback quality of any video and audio running on systems with hardware components not explicitly approved by Microsoft. The bypass of the DRM protection was in turn performed by breaking the Driver Signing / PatchGuard protection in the new operating system. Alex is now quite nervous about what an army of lawyers backed by draconian copyright laws could do to him if he released the details, but he claims to be currently looking into the details of safely releasing his details about this at the moment though."
very fitting (Score:5, Funny)
Re:very fitting (Score:5, Funny)
Re:very fitting (Score:5, Funny)
Or 'It's hard out here for a PMP'
Re:very fitting (Score:5, Funny)
I don't know what you heard about me
But you can't get your video out of me
High quality video you can't see
Because I've got uncracked PMP [azlyrics.com].
Re:very fitting (Score:5, Funny)
Re:very fitting (Score:5, Funny)
As a user of the Windows Home Operating Rights Environment, I must state for the record that all of my transactions with said system are completely clean, and take place using the most effective protection available. If you truly feel that some of your Media exchanges are tainted, I'd suggest it's probably because you didn't pay the requisite PMP fees.
1st thing is to get a good lawyer (Score:3, Funny)
Re:1st thing is to get a good lawyer (Score:5, Informative)
Re:1st thing is to get a good lawyer (Score:5, Informative)
He [Alex] is currently studying at Concordia University in Montreal, Canada"
So does the DMCA apply?
Re:1st thing is to get a good lawyer (Score:4, Insightful)
that depends, does he travel to or through the US?
Re:1st thing is to get a good lawyer (Score:5, Interesting)
"Government for the corporations, by the corporations, for the benefit of all corporations..." or something to that effect.
Re: (Score:3, Informative)
Credit where credit is due, and all that.
Not a problem (Score:3, Interesting)
Freenet: It's Not Just For Kiddie Porn Anymore(TM) [freenetproject.org]
Re:1st thing is to get a good lawyer (Score:5, Funny)
Thank god for the primary process!!! (Score:4, Funny)
*stabs self in eyes with thumbs*
JAZZ HANDS!
Re:1st thing is to get a good lawyer (Score:5, Informative)
"He is also a Microsoft Student Ambassador and is representing the company on campus as a Technical Rep."
Second (Score:2)
1st is to realize credit is overrated. (Score:5, Insightful)
Here's the problem: there's virtually no way to get in trouble, if you just release an exploit anonymously. (By definition, if it's truly anonymous, they can't catch you; there are lots of ways to basically ensure your anonymity today.) Where you start to get in trouble is when you want to release an exploit that's going to ruin somebody's day and take credit for it.
This comes up with regards to other, less-politically-sensitive bugs. When you step forward and take credit for something that you've released, you're basically holding up a big "come and get me!" sign. It's a lot easier to sling mud at a person, than it is at some anonymous entity on the Internet.
It's really taking credit that burns people, not releasing the bug/hack/exploit. It would have been trivial for this guy to release his code, anonymously or even pseudonymously, and keep it firewalled from his real-world identity. If he had done that, there might have been some attempts to uncover who he really was, but I doubt anyone would try that hard -- it's harder to go after someone that's anonymous, than an actual person. With a person, you have something to put in your mind under 'enemy,' that you just don't have with some vaporous person or persons on the Internet. Being anonymous diffuses a lot of the hatred, because it's harder to hate someone that might not exist. By standing up and taking credit, you're accepting everything.
Personally, if I were to discover something like this, there's no way I'd publicly admit it. I live a happy enough life without becoming some sort of hacker/security icon; the downsides of becoming the next Dmitry Sklyarov seem far greater than the possible benefits. Release the code somewhere in public, maybe signed with a private key that you have stashed away (so, decades down the line, you'd be able to claim it, if you wanted to and if the statute of limitations had run out), and only communicate via Usenet dead-drops and anonymous remailers. The tools to remain completely hidden are all there -- heck, you could probably do interviews in Wired under a pseudonym; the only absolute would be keeping the Clark-Kent-esque secret of your true identity hidden, and I'm not sure if some people would be able to swallow their pride enough to do that.
Re: (Score:3, Interesting)
Pro Bono Security Attorneys (Score:4, Interesting)
Re: (Score:3, Insightful)
We can watch as MS' legal team steps on them like a bug. Not that MS would be in the right, only they would have the most might.
Re:Pro Bono Security Attorneys (Score:5, Informative)
Re: (Score:3, Funny)
Merely being anti-Microsoft and anti-DRM isn't enough to get the Linux and open-source fanboys fired up enough to get the EFF to do anything.
Re: (Score:3, Interesting)
Here is a list of the EFF's recent battles.
* EFF Warns ABC to Back Off Blogger
* Florida Voters Challenge Judge's Shutdown of Election Investigation
* EFF Defends Right to Link from Internet Wiki
* EFF Backs DontDateHimGirl.com in Defamation Case
* Computer Security Expert Edward W. Felten Joins EFF Board of Directors
* Lawsui
Re:Pro Bono Security Attorneys (Score:4, Funny)
I mean sure, The Joshua Tree was great, but they've been going downhill for awhile....
Re: (Score:3, Interesting)
IANAL.
Moving to Redmond? (Score:3, Interesting)
Re:Moving to Redmond? (Score:4, Funny)
"He is currently studying at Concordia University in Montreal, Canada, and is in his first year of obtaining a bachelor's degree in Software Engineering. He is also a Microsoft Student Ambassador and is representing the company on campus as a Technical Rep."
Uh oh.
Re:Moving to Redmond? (Score:4, Interesting)
You make enough stink on a non-moderated list like FD with the sole purpose to get hired and you get hired. There are pimps that follow FD, BUGTRAQ and the like for "fresh talent".
It's all in the details. (Score:4, Funny)
Re:It's all in the details. (Score:5, Funny)
Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo. [wikipedia.org]
Re: (Score:3, Informative)
I knew some AC would say this, so I should have just preemptively explained it.
If the sentence were "Don't use the same word three times in the same sentence", then you would be correct. However, the sentence is "Grammar tip", which is a fragment. The second part is an appositive, relating to "tip." The colon is the giveaway.
See? AC's don't always know everything.
I have a brilliant crack of the Vista DRM too... (Score:5, Funny)
In future news... (Score:4, Funny)
Post the details on MySpace (Score:5, Funny)
Re: (Score:3, Interesting)
Closed captioned for the informationally challenged: Microsoft pays GoDaddy to use IIS for parked domains so it looks like IIS is "just behind" Apache on "who's using which web server" pie charts.
Re: (Score:2, Interesting)
What a revelation! (Score:2)
Yeah, right. They'll just keep up with their usual approach, one akin to installing a governor on your car to deter theft.
Re: (Score:2)
What the fuck are you talking about? Last time I checked a governor prevented a vehicle from going over a certain speed (or in the case of a rev-limiter, from going over a certain RPM).
Re: (Score:2)
Last time I checked a governor prevented a vehicle from going over a certain speed (or in the case of a rev-limiter, from going over a certain RPM).
I suppose with a custom governor you could use it to disable your transmission, which would effectively prevent someone from driving off in your car. I mean, all you'd have to do is have some control that adjusted it to prevent a vehicle from going over the speed of 2mph... ;)
They have remote battery-cutoffs, why not remote governor adjusters?
Re: (Score:2)
Unless you are being sarcastic, in which case my sarcasm-radar is broken.
Re: (Score:3, Insightful)
"If you really want to do something about it, just go find the guy who made the original comment and smack him on the ba
just release it (Score:3, Funny)
He won't need to ... (Score:5, Insightful)
Re:He won't need to ... (Score:5, Interesting)
One wonders if the harassment of people who are not breaking US law in their own jurisdiction when they come to the US will have a chilling effect on technology in the USA. Certainly, some very smart people would be very stupid to visit here...
Re: (Score:2)
Seems that the cat is already out of the bag... (Score:5, Informative)
And what he did, if I understand correctly, is have some of his own code run as kernel without it being in a "test signed" driver. That seems to be the essence of his approach. Once you figure out how to do that, you can basically do anything, and Microsoft can't stop you.
s/Mark/Alex/ (my bad) (Score:2)
Alex is also re-implementing the win32 kernel (Score:5, Interesting)
Although ReactOS can share a lot of work with the WINE project for the win32 userland, it could still use any developers that are familiar with win32 development and would like to see a truly free operating system capable of using windows drivers/software.
Why bother even having DRM? (Score:4, Insightful)
Re:Why bother even having DRM? (Score:5, Insightful)
Re:Why bother even having DRM? (Score:4, Insightful)
The goal is not to make a secure system. The idea of securing a system from its owner (who has physical access) while maintaining usability is absurd and approaches impossibility. They just want to make a system which 99.9% of users cannot crack, make it so that the crack cannot be generalized across different systems, and prosecute the remaining 0.1%.
Really, the only way to defeat DRM is to prove to companies that they will make more money without DRM than with, or, failing that, make the preceding true via strikes and public awareness.
Re: (Score:3, Interesting)
E.g., if they can't play their original purchase on their portable music player, you can make them pay again if they want to do that. If you prevent them from making a backup, they will have to pay again if the initial purchase is los
What with (Score:3, Funny)
What with HD-DVD and Blu-Ray being cracked already, and now this, combined with all the hate and general unity by consumers against the big movie and music industry, how much more signal do they need that DRM is pointless and unwanted and to finally stop trying to force it on us?
Re: (Score:2)
The problem is, there is not general unity by consumers against those industries. There is definitely unity on Slashdot and other tech-savvy sites, but walk into any Best Buy (or any other store) and look at the dozens of people perusing the DVD & CD sections. If the Vista DRM cripples legitimately purchased media you will see public backlash but as long as the public doesn't know what's going on behin
Re: (Score:2)
Re: (Score:3, Insightful)
They haven't done up to this point, because it hasn't generally interfered with everyday use for most consumers.
That could change almost overnight if people who spent a lot of money on funky new HD-DVD or Blu-Ray movies find they can't watch them at full quality, or if people's portable media players start dying and they can't transfer their extensive music libraries to another player.
Sony's rootkit only affected a relatively small
It's a shame (Score:3, Interesting)
Re: It's a shame (Score:5, Insightful)
It's a shame that things have come to a point where developers/security researchers have to worry about releasing findings like this, perhaps *even* when they are not under US law.
Re: (Score:3, Funny)
Is it illegal for me to have someone check safety? (Score:4, Interesting)
So if I use windows
I'll do it... (Score:2)
Re:I'll do it... (Score:5, Funny)
Crushing of Freedom of Speech (Score:4, Insightful)
Yes, I know it's been said very many times before, but I'm moved to say it again. It's simply obscene that runaway copyright law provisions should be used to casually stomp on this kind of freedom of speech, especially in the U.S.A., where allegedly there is a First Amendment guaranteeing freedom of speech. I would very much like to see a full-out legal confrontation between these terroristic laws as they stand, and the Constitution. The alleged and artificial "right" of the smirking lawyers at commercial companies to keep their nasty little secrets does not in any sense abrogate the innate, natural right of the people to talk to each other about any damn thing they want, particularly complex subjects, and in any way they wish, including via carrier pigeons and Morse code, let alone in plain English (or whatever language) on the Web.
It's really a shame that other countries such as Sweden actually surpass the U.S.A. in this area.
Frankly, this pisses me off enough that I'm very strongly tempted once my finances improve enough for the expensive legalities, to spit in the eyes of these jerkoffs with a direct, blunt and extremely widespread explanation (possibly on a Russian server to further annoy and frustrate them) of whatever it is that they absolutely are frantic to not have explained, along with the text of the Constitution with the First Amendment highlighted in red. I think a well-crafted attack on this crap would gather quite a lot of support, moral and otherwise.
Honest question (Score:4, Interesting)
"*Any* video and audio"? (Score:3, Interesting)
Re: (Score:2)
"Any A/V container format that can support ICT tokens" is probably the most accurate way to state it. Those MPEG files you downloaded five years ago can never be degraded, but content distributed today in "Windows Media Format v12" or whatever could be.
Norwegians, I'm ashamed of you (Score:5, Funny)
Someone in America cracked this first.
Re:Norwegians, I'm ashamed of you (Score:5, Funny)
-Eric
Sorry 'bout that (Score:4, Funny)
Didn't read TFA, but when I saw this in the blurb:
draconian copyright laws
...I just assumed it was us.
Yay! (Score:2, Funny)
Details? (Score:5, Funny)
DRM is overcome as a community, not individually (Score:2, Insightful)
All the effort MS is putting into this will not make the studios happy, and will not make the customers happy. I think they made a bad choice.
Misleading story (Score:3, Informative)
1. It doesn't work out of the box.
That being said, it turns out the code I've written does not work out of the box on a Vista RTM system.
2. It uses a method provided by Microsoft.
As part of the Protected Media Path (PMP), Windows Vista sets up a number of requirements for A/V software and drivers in order to ensure it complies with the demands of the media companies.
3. It hasn't been tested.
Although used on its own, this POC doesn't do anything or go anywhere near the PMP (I don't even have Protected Media, HDMI, HD-DVD, nor do I know where PMP lives or how someone can intercept decrypted streams),
4. Author is more afraid of the DMCA than of violating Microsoft's EULA terms.
a particularly nasty group of lawyers could still somehow associate the DMCA to it, so I'm not going to take any chances.
This isn't a story. It's premature speculation.
Enjoy,
Re:Misleading story (Score:5, Interesting)
Yes, it requires a reboot, which is why it's only useful for bypassing DRM, not for open source apps (which will have to bother the user to reboot).
2. It uses a method provided by Microsoft.
Erm, no, PMP is provided by Microsoft. This method bypasses it.
3. It hasn't been tested.
It works fine, the actual PMP-disabling code hasn't been tested because I don't want to touch that. But my code ran in kernel-mode, which means it's possible. Read up a bit on computer architecture and you'll see that as long as you have access to the kernel, you're God on the machine (Apart from hypervisor machines and/or additional hardware -- which PMP doesn't currently employ).
4. Author is more afraid of the DMCA than of violating Microsoft's EULA terms.
Author is a student and doesn't want to be sued out of existence because this method could be used to "circumvent a technological measure primarily destined for copyright protection".
Re:Misleading story (Score:5, Informative)
Not using a driver, RTFM.
Microsoft knows that 3rd party driver certificates are going to be stolen/compromised. Microsoft hasn't even provided a method to reject unsigned drivers yet (per MSDN it will be in Vista SP1).
Which is why this isn't using a stolen/3rd party driver or unsigned driver, nor actually loading a driver.
Did you happen to hook one of the kernel functions PatchGuard is monitoring? Try to patch CI.DLL and see what happens. You can disable driver signing. You cannot disable PatchGuard.
There's about a dozen ways to disable PatchGuard, and I was able to patch CI.DLL, disable PatchGuard, as well as turn off code signing. I don't want to sound condescending, but you don't seem to know what you're talking about, or you're being deliberately misleading with your PatchGuard comment.
I'm not saying that you can't bypass Microsofts DRM restrictions. I just don't think you have and the burden of proof is on you.
I'm not going to commit legal suicide by proving it. The point of my blog entry was never to say I broke DRM, but that I've found a way which can break it, which people are free to explore on their own.
Re: (Score:3, Interesting)
Not using a driver, RTFM.
snip
Which is why this isn't using a stolen/3rd party driver or unsigned driver, nor actually loading a driver.
Ok, I re-read the post, and read some of the other postings. Did Slashdot miss a link? Where exactly do you describe your method?
There's about a dozen ways to disable PatchGuard, and I was able to patch CI.DLL, disable PatchGuard, as well as turn off code signing.
Again, is there some other link that wasn't posted with this story? Nowhere on the original blog entry does it
Re:Misleading story (Score:5, Informative)
Re: (Score:3, Insightful)
"Programmers" like that are anything but decent if they release such code in the market. They're the ones responsible for 90% of the BSODs we see and the system instability that plagued NT due to crappy drivers. They're the reason I think Patchguard is a good idea, in some ways.
Note that I have nothing against people who experimented with the kernel and used hooking for learning and experimenting, just don't ship out a product
Sometimes . . . (Score:3, Insightful)
Obligatory attempt at poor humor... (Score:5, Funny)
"It's time to un-PMP ze audio"
Wouldn't Be A Slashdot Article (Score:4, Informative)
'Protected Media Path' (PMP), which is designed to seriously degrade the playback quality of any video and audio running on systems with hardware components not explicitly approved by Microsoft..
No. It doesn't. It does it for specific DRM content.
These restrictions only apply to DRM content, such as HD DVD or Blu-ray. User's standard unprotected content will not be faced with these restrictions.
http://en.wikipedia.org/wiki/Protected_Video_Path [wikipedia.org]
"... bypassed ... Vista ..." (Score:3, Insightful)
No one ever said we have to upgrade to Vista.
DRM is difficult. (Score:3, Interesting)
DRM is difficult: You have to give the end user the keys, and then trust that only the uses that you've prescribed are allowed. Giving the keys to the end user is stupid, so the keys are given ONLY to a trusted module inside the end user's machine. That trusted module is supposed to A) keep the keys secret, and B) enforce the rules that accompany the key (e.g. you rented this for a week and a week has gone by).
If you have a general purpose computer, it's very difficult to have a trusted software module that can't be cracked somewhere inside.
In the backup-hddvd case, examining the core of the userspace program revealed volume and title keys. But the "master keys" are still somewhere inside.
In this case the operating system's trusted platform that should prevent that kind of trick has been broken. Now you can insert your own debugger into the trusted core, and examine other stuff inside the trusted platform. Or you can claim to be a trusted driver, who has to have access to the unencrypted HD content.
In any case, as long as there is no hardware trusted module, it is always possible to run a good enough simulation, and run the DRM software under the simulation in a virtual machine.
And even if you DO have a hardware DRM module, I don't think it's possible to get right if you have a passive element on one side. For example, an HD DVD is passive, so it can't verify the other side and give up the keys only once it has confirmed that the other side is a trusted DRM module.
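The comment above makes its point in prose: a pressed disc is static data and cannot check who is asking for a key, whereas a tamper-resistant module can challenge the requester and refuse. The toy model below is an added illustration, not code from the comment or from any real disc or player design; the keys, the "content" and the SHA-256 keystream cipher are all constructed stand-ins, and the `PassiveDisc`/`ActiveModule` classes are hypothetical names for the two kinds of key holder being compared.

```python
"""Toy model: passive vs active key holders in a DRM scheme.

Constructed example. The cipher is a SHA-256 keystream XOR standing in for a
real block cipher; keys and content are made-up bytes. It only shows the
structural difference: a passive disc hands out a wrapped title key to any
holder of a licensed device key and can only drop that key from FUTURE
pressings, while an active module can demand proof and refuse at runtime.
"""
import hashlib
import hmac
import os


def keystream(key: bytes, label: bytes, n: int) -> bytes:
    """Derive n bytes of keystream from (key, label) with a counter (toy KDF)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def xor_crypt(key: bytes, label: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the derived keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, label, len(data))))


class PassiveDisc:
    """Static data only: the title key wrapped under every licensed device key.

    The disc cannot ask questions. Anyone presenting a device key that was
    licensed at pressing time (genuine, leaked, or pulled out of a software
    player) recovers the title key, and the disc cannot tell the difference.
    """

    def __init__(self, title_key: bytes, licensed_device_keys: dict):
        self.wrapped = {kid: xor_crypt(dk, b"wrap", title_key)
                        for kid, dk in licensed_device_keys.items()}

    def unwrap(self, key_id: str, device_key: bytes):
        if key_id not in self.wrapped:
            return None  # only discs pressed after revocation omit the entry
        return xor_crypt(device_key, b"wrap", self.wrapped[key_id])


class ActiveModule:
    """Hypothetical tamper-resistant chip holding the title key itself.

    It issues a fresh nonce, requires an HMAC over it under a currently
    licensed device key, and can revoke a device at runtime.
    """

    def __init__(self, title_key: bytes, licensed_device_keys: dict):
        self._title_key = title_key
        self._licensed = dict(licensed_device_keys)
        self._pending = {}

    def challenge(self, key_id: str) -> bytes:
        nonce = os.urandom(16)
        self._pending[key_id] = nonce
        return nonce

    def revoke(self, key_id: str) -> None:
        self._licensed.pop(key_id, None)

    def release(self, key_id: str, proof: bytes):
        nonce = self._pending.pop(key_id, None)
        device_key = self._licensed.get(key_id)
        if nonce is None or device_key is None:
            return None  # no outstanding challenge, or device revoked
        expected = hmac.new(device_key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return None  # requester could not prove possession of the key
        return self._title_key


def prove(device_key: bytes, nonce: bytes) -> bytes:
    """What a licensed player computes in answer to a challenge."""
    return hmac.new(device_key, nonce, hashlib.sha256).digest()


def demo() -> dict:
    """Run both models on constructed data and report what each side yields."""
    title_key = b"\x11" * 16                                        # constructed
    devices = {"player-A": b"\xaa" * 16, "player-B": b"\xbb" * 16}  # constructed
    plaintext = b"constructed movie bytes"
    ciphertext = xor_crypt(title_key, b"content", plaintext)

    # Disc pressed while player-B was licensed; player-B's key later leaks.
    # Nothing on the pressed disc can change, so the key still unwraps.
    disc = PassiveDisc(title_key, devices)
    recovered = xor_crypt(disc.unwrap("player-B", devices["player-B"]),
                          b"content", ciphertext)
    # A disc pressed after revocation simply omits player-B's entry.
    newer_disc = PassiveDisc(title_key, {"player-A": devices["player-A"]})
    later_unwrap = newer_disc.unwrap("player-B", devices["player-B"])

    # Active module: revocation and proof-of-possession take effect immediately.
    module = ActiveModule(title_key, devices)
    module.revoke("player-B")
    refused = module.release("player-B",
                             prove(devices["player-B"], module.challenge("player-B")))
    granted = module.release("player-A",
                             prove(devices["player-A"], module.challenge("player-A")))
    module.challenge("player-A")
    forged = module.release("player-A", b"\x00" * 32)  # no device key, bogus proof

    return {
        "passive_recovered_plaintext": recovered,
        "passive_newer_disc": later_unwrap,
        "active_revoked": refused,
        "active_granted": granted == title_key,
        "active_forged": forged,
    }


if __name__ == "__main__":
    print(demo())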
Re:Too bad this didn't come out 3-6 months from... (Score:3, Interesting)
Re:Let's learn English (Score:5, Funny)
Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo. [wikipedia.org]
(Also, that "sentence" I quoted is a fragment. And you didn't capitalize "i" in the previous sentence, which is actually a run-on.)
Re: (Score:3, Interesting)
I don't think so. Businesses don't care; this will not affect them. Home users don't care; they don't want Vista. It's the lack of a compelling reason to purchase Vista that's stopping people from purchasing Vista. Windows 95 was a major upgrade. Windows XP was a major upgrade. They both got major attention. Windows Vista is a minor upgrade. It adds eye candy and some features that only business users typically n
Re: (Score:3, Insightful)
Suppose my current hardware is fast enough and has enough resources to run even the most demanding of applications.
Suppose my current monitor can handle the resolutions required.
Suppose I did have an HD-DVD drive and some movies.
Imagine how pissed I would be if I couldn't watch them at native resolution because according to Microsoft I had the wrong connector.
I want an operating system, not a restricted system.
Re:He didn't "Break" PatchGuard (Score:5, Informative)
There's no way to turn PatchGuard off, only Driver Signing, which watermarks your desktop and disables PMP. Ways to break PatchGuard 2.0 were published recently by "Skywing" on uninformed.org.
Re: (Score:3, Interesting)
What's more, if there were no copyright, there wouldn't be a need for the GPL (you could "steal" other people's code by using it in a closed-source product, but you wouldn't have any way to profit from it, so no one would bother).