Vista DRM cracked?

Alex Ionescu, a security researcher in Montreal, has released technical details of a hack he's developed for Windows Vista. The hack lets him subvert Windows' anti-copying technology and force a full-resolution, unencrypted high-def video stream. He has not released source code, however, because he claims to be nervous of violating US law — I think that this is misplaced. Canada hasn't passed Bill C-60 yet (and with any luck, it never will), so he should be all right in Canada. However, the lesson of Jon Lech Johansen is instructive — as a teenager in Norway, he released the code for DeCSS, which breaks DVD DRM, and gave up the next five years of his life to court battles against the MPAA in Norway, even though Norway didn't have a DRM law. He prevailed, but he never got those years back.

As described, Ionescu's hack is quite ingenious, and it subverts the system in a way that bypasses its fail-safes. Ionescu leads technically sophisticated Free Software projects, and is a credible source for such a break.

Vista launched this week, and it's already broken. As with previous multi-year DRM development efforts, this one disintegrated like wet Kleenex on contact with the general public. Now that Vista, HDCP, Blu-Ray and HD-DVD are all broken, it seems like the millions of dollars and thousands of work-hours sunk into these systems were misspent. The only benefit that these anti-copying systems confer on the companies that developed them is the right to sue competitors — and that benefit could have been had by shellacking a one-atom-thick layer of token DRM onto their systems, just enough to be able to invoke the DMCA. Everything else was just gold-plating, wasted money.

The great thing about the code I've written is that it does NOT use test signing mode and it does NOT load an unsigned driver into the system. Therefore, to any A/V application running, the system seems totally safe – when in fact, it's not. Now, because I'm still booting with a special flag, it's possible for Microsoft to patch the PMP and have it report that this flag is set, thereby disabling premium content. However, because I already have kernel-mode code running at this point, I can disable this flag in memory, and PMP will never know that it was enabled. Again, Microsoft could fight this by caching the value, or obfuscating it somewhere inside PMP's kernel-mode code, but as long as it's in kernel-mode, and I've got code in kernel-mode, I can patch it.

To continue this game, Microsoft could then use Patchguard on the obfuscated value…but that would only mean that I can simply disable Patchguard using the numerous methods that Skywing documented in his latest paper.


(via /.)

See also:
Report: HD-DVD copy protection defeated
Felten and Halderman on high-def DRM crack
HD-DVD/Blu-Ray cracker muslix64 interviewed