[klodolph]

So what you do is you use the DRM API to negotiate a way to transfer a decryption key to a secure hardware module in the consumer's device. Having the source code to the Firefox component doesn't give you access to the firmware or keys stored in the module. (Yes, you can hack hardware. But it's way more expensive.)

[marcosdumay]

It's still your computer... Capture the firmware when loading, and decompile it.

The problem starts only when "they" decide to mandate in our hardware. (And yep, "they" are already doing it, for several values of "they". We are fighting the wrong war here.)

[klodolph]

That won't work, you'll need to try harder.

I have some insider knowledge of how these chips work. First, you get the chips with crypto keys already installed, so having a copy of the firmware source code won't help. Second, the keys are unique to the device, so getting it won't give you much. Third, the firmware is authenticated so modifying the firmware won't help. Fourth, the chip is designed to be resistant to physical attack.

[wyager]

You don't need to compromise every chip. You just need to compromise one. That's not particularly hard. You can use some fancy equipment to extract the private key, and then you can decode any video the chip could decode.

Or, if you want to be lazy, just hook a VGA cable up to a transcoder.

[klodolph]

But a particular chip will only have the keys for a small number of videos. When you buy a movie, you download that movie encrypted with a unique key, and the unique key is encrypted with your device key. So compromising one chip won't give you any kind of "master key" or anything especially valuable. The movie can be stored anywhere, when you need to play it you will pass the encrypted key to the device and the device will use it to decrypt, decode, and then send the movie directly to video output (possibly re-encrypted with something like HDCP, although that's a broken scheme).

The chip will also not send high-definition output to VGA, so you will need to do better. Basically, you have to hack the hardware.

I'd like to clarify that I'm not defending DRM, just that circumventing DRM is not as easy as people in this thread intimate. I think the reason why DRM will fail is because of economic pressures: the cost of deploying millions of devices designed to protect ubiquitous data against a small number of highly intelligent and motivated cryptography experts and hardware hackers.

[wyager]

Someone already has to buy a movie to rip and upload it. One organization can buy lots of movies at a time and upload them all.

And the analog hole can't be closed. If the video is encrypted on the wire, you can just jack into the TV's DSP hardware (at worst).

[xxs]

You can always screen capture the VGA port, DRM will never/ever work.

[takluyver]

This is a neat summary of an idea that always turns up on every DRM thread. If the best way to copy a movie is to buy some extra hardware to plug into your VGA port, and then play the movie back at regular speed while you record it, then DRM is working. Joe Bloggs isn't going to do that to give his mates copies of a movie he enjoyed.

Of course, someone out there will go through that and put it on the internet. But Joe's mate is worried that the government will track his downloads, or his computer will get a virus from these dodgy downloads. And every few weeks, the source he's using shuts down and he has to find a new one. Before long, he'll just decide it's worth giving Netflix a few dollars a month to get movies the easy way.

[wyager]

Most piracy isn't about Joe Bloggs giving the video to his friends. It's established institutions uploading videos to popular torrent sites, where they get millions of downloads. There is simply no way to prevent that.

[takluyver]

Piracy isn't about Joe giving the video to his friends precisely because of DRM. If it was trivial to click 'save as' and copy the movie to a memory stick, I think people would be swapping movies routinely.

I already outlined precisely how they limit the influence of illegal download sites: ensure that the effort to find them and the perceived risk of prosecution and malware exceeds the cost of getting the movie legally. Once people start working and appreciate the value of their time, it's not actually very hard to tip that equation in their favour.