4K streaming content is hit or miss because most services lock that behind Widevine L1, which requires implementors to use a secure enclave and the entire signal path to use strong encryption. If an L1 implementation gets compromised it quickly has its keys revoked and is downgraded to L2/L3, so piracy groups have a limited time window to dump as much 4K content as possible. Those lower Widevine tiers are permanently broken though so everything is immediately available in at least 1080p.
4K Blurays are currently always ripped due to an unfixable compromise in Intel SGX allowing PowerDVD's keys to be extracted; they could close that hole by revoking PowerDVD's keys for new Bluray releases but they haven't done that yet. I imagine they will at some point because PowerDVD requires SGX to play UHDs, and Intel stopped supporting that on newer consumer hardware, so 4K Bluray playback on PCs is effectively being phased out.
If you approach it at the most fundamental level, it seems like a clearly impossible goal to achieve. You are having users playing back content on their private devices, and then want to try to prevent them from copying that. That's basically impossible to achieve on somebody's own machine, and literally impossible to do once two enter into the picture. In the absolute worst case a high resolution/hertz cam on one's own screen with a quick ML software polish job, would look near to completely indistinguishable from the original content.
I imagine the reason so much money has been spent on it is because studios prefer to blame piracy than content for increasingly poor sales. So they see it as their salvation and are willing to pay big bucks, even if it's impossible. That's a primo ground for hucksters and charlatans to make a killing. Something similar happened in poker where players wanting to use fully automated software to make their decisions ended up just stepping outside the cat&mouse game and using a setup with a second computer + cam - completely and absolutely impossible to detect.
Careful who you call the bad guys. A lot of "piracy" comes from the people who spend the most money on the content they pirate.
I personally think the best DRM approaches are those that keep "the honest people honest:" IE, metadata that identifies copyright owners, flags that identify content that has restrictions due to copyright, and casual protections. (Think of a "do not enter" sign that you can choose to ignore if you have reason to do so.)
Otherwise, DRM really only works when the people consuming the content have motivation to keep it secret. (IE, corporate and military secrets.)
The point of the DRM schemes is basically to keep video "hard enough to copy that normies don't do it". And not even "normies can't find it on the Pirate Bay" but "you can right click and download from Netflix."
If they mostly succeed at that, they consider it good enough.
DRM schemes never worked, and it has been speculated that the people building them always knew it, but had other goals.
Back in the days it was: Of course you can break DVD copy protection schemes. But you cannot build a legal open source DVD player software. Today it's: Of course every Netflix series can be found on the Pirate Bay. But you're not legally allowed to build an alternative Netflix player frontend.
Denuvo mostly works. Allegedly they have a custom approach to each new game, so cracks can take months to appear, with some unpopular games never having been cracked at all. The price is lowered performance, of course.
The point is pressure on equipment manufacturers, making borrowing and streaming work for digital content, maybe also deterring casual piracy, not necessarily protecting videos from appearing on tpb.
> I really don't see why so many millions (billions?) of dollars have been spent on technologies which so far have never kept the bad guys out.
Sunk cost investment bias [0].
Past a certain point, even when the outcome is obviously futile, it
becomes a mixture of accumulated momentum and pure bloody mindedness
to "build it if it kills us". Companies like Microsoft or Sony
have entire departments of people working on "rights management".
Nobody has the courage to just say, "Sorry guys, this is a fool's
errand, we're going to shut it down and move you all onto something
more productive".
No. It is fundamentally impossible. DRM centralizes piracy, it makes it profitable both socially and financially to pirate harder. As DRM tries to get harder it actually gives pirates more power.
These pirates release high quality content that is better than the service provides on most devices. Typically in HEVC as well, requiring less download size.
It's also great for those that don't have consistent Internet and want to download over time.
DRM and anti piracy are a snake oil industry for business suit types that think they're protecting their assets. They're not, but they don't understand the infinitely copiable nature of digital. They want control at any cost.
I don't believe the "Digital Video Express"[1] (aka DIVX[2]) discs were ever cracked while they were on the market. But that's only because they were only sold for 1 year and nobody bought any. Even now finding information about the disc format is rare. Although anyone who has a reason to try probably should be able to do it easily since it was just 3DES.
The DRM clearly does work in preventing "casual piracy" - where average users do things like downloading a file and keeping it forever (even after cancelling a subscription) or copying the file to a friend.
> PlayReady is a media file copy prevention technology from Microsoft that includes encryption, output prevention and digital rights management (DRM). It was announced in February 2007.
At some point this silly game of cat-and-mouse is going to escalate, and streaming players won't work unless your entire computer is locked down and "verified" by Microsoft or Apple.
At some point it escalates to where the media providers make watching their media so expensive, time consuming, and difficult that piracy ramps back up.
It sounds dumb, like "why would companies shoot themselves in the foot like this" but trust that they will. They always do. Corpobrain is a form of autopilot, there's no one with intelligence in charge not because the people who work at media companies are dumb (though, they are), but because there's just literally no one in charge. It's autopilot. Each iterative decision in isolation makes sense, but when zoomed out and interpreted holistically they're killing their own business.
That sounds an awful lot like an Xbox, and I personally don't think we're too far off from those becoming general purpose cloud connected DRM computers coupled with recurring monthly subscriptions for all your app/game/content needs.
So this is pretty much about breaking the client side DRM, with a bad side effect of abusing someone else's Identity (as used within the DRM context) for nefarious purposes. Did I understand this correctly?
The "client" whose "identity" is abused here is not an end user. A "client" in this context is a program or library that talks to the license servers and receives the content decryption keys. On my Windows machine I see a "Windows.Media.Protection.PlayReady.dll", which I guess is the client that they cracked. Maybe there are also other clients that are widely accepted by license servers.
The attack essentially means that they could write a program themselves that acts as "Windows.Media.Protection.PlayReady.dll" to get decryption keys from a server. What will happen now is that Microsoft will deprecate the client and release a new one with new obfuscation and new keys. The license servers will start rejecting the old cracked client. And then people will crack the new client. And the cycle continues.
Basically the means to forge an authenticated cookie.
[Update]
It's a bit more subtle: Having the keys to forge a license request and decrypt server response allows you to emulate or re-implement a DRM client.
Because the server is oblivious to this fake, it will respond as though it's talking to a genuine "secure" client thereby ultimately exposing the content decryption key.
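The server-side view described in the two comments above (a license server that recognises a client only by its identity key, and whose one remedy is revocation), as an added toy model that is not part of the original thread and not PlayReady's real protocol. `LicenseServer`, `request_license`, the HMAC tag and the XOR wrap are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Toy model only: the message layout, HMAC authentication and XOR key wrap are
# assumptions made for illustration, not PlayReady's real protocol.

def _tag(identity_key, client_id, content_id, nonce):
    msg = b"|".join([client_id.encode(), content_id.encode(), nonce])
    return hmac.new(identity_key, msg, hashlib.sha256).digest()

def _wrap(identity_key, nonce, data):
    # XOR with an HMAC-derived pad; applying it twice unwraps (16-byte keys).
    pad = hmac.new(identity_key, b"wrap" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

class LicenseServer:
    def __init__(self):
        self.identity_keys = {}   # client build -> identity key shipped in it
        self.revoked = set()      # client builds no longer trusted
        self.content_keys = {}    # content id -> content decryption key

    def provision(self, client_id):
        self.identity_keys[client_id] = os.urandom(32)
        return self.identity_keys[client_id]

    def revoke(self, client_id):
        self.revoked.add(client_id)

    def handle(self, request):
        client_id, content_id, nonce, tag = request
        key = self.identity_keys.get(client_id)
        content_key = self.content_keys.get(content_id)
        if key is None or content_key is None or client_id in self.revoked:
            return None                       # unknown or revoked client build
        if not hmac.compare_digest(tag, _tag(key, client_id, content_id, nonce)):
            return None                       # tag not made with the identity key
        return _wrap(key, nonce, content_key)

def request_license(server, client_id, identity_key, content_id):
    """Run by whatever code holds identity_key; the server cannot see which."""
    nonce = os.urandom(16)
    tag = _tag(identity_key, client_id, content_id, nonce)
    resp = server.handle((client_id, content_id, nonce, tag))
    return None if resp is None else _wrap(identity_key, nonce, resp)

def demo():
    server = LicenseServer()
    server.content_keys["movie-1"] = os.urandom(16)   # constructed sample key
    old_key = server.provision("client-v1")
    before = request_license(server, "client-v1", old_key, "movie-1")
    server.revoke("client-v1")                # vendor's response to a key leak
    after = request_license(server, "client-v1", old_key, "movie-1")
    new_key = server.provision("client-v2")   # fresh build, fresh identity key
    renewed = request_license(server, "client-v2", new_key, "movie-1")
    expected = server.content_keys["movie-1"]
    return before == expected, after, renewed == expected
```

Revocation keys on the client build, not on the program making the request, so it cuts off every holder of that build's key at once, genuine installs included.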
> In that context, this is vendor’s responsibility to constantly increase the bar and with the use of all available technological means.
Or the vendor could just let me consume the content I paid for in whatever player I like. Which is what happens anyway, as this sort of DRM is always breakable. If the media consumer can view the content at all, they can simply record that output and re-encode in a more convenient storage format.
Yes, there is always the analogue loophole. And opening cryptography toolbox to control how users consume content is a lost cause. Crypto can only protect contents from adversaries that don't have the key. But here the paying user is the adversary and the only way the DRM can paint the video on screen is through that key.
So DRM boils down to security through obscurity. Turns out obscurity is hard, expensive and never works very well.
Given how horribly all major companies, MS most certainly included, confuse authentication vs. authorization, this is almost certainly able to be paired with a 'vulnerable' (all) endpoint to retrieve/post/update player information.
The horizontal pivot from DRM/crypto-managed Identity to a session token, an unassumingly-kosher redirect, or just omitting the "AUTHENTICATION" header itself is a trivial exercise for the common script kiddie.
This is how exploit chains get a foot-hold, and "secure" accounts get compromised like it was 2010 again.
And it paints an even bigger target on domestic Windows machines used
for media content.
Who wants to "steal" their _own_ keys?
Microsoft's broken DRM scheme creates objects of value which it then
tries to store on the client's machine deliberately beyond the owner's
control and security management. It is adversarial to the user. This
is clearly a no-win situation... hence the snarky sign-off about
vendors "raising the bar", basically saying; Good luck with that! It
really seems quite unhinged.
So now there is collateral damage:
- A motive to hack Windows machines to steal content keys.
- A misuse of "identities" through a market in stolen keys
- Pivots (as parent says) to other malware vectors
So, predictably, because of DRM, Microsoft Windows is now an even more
dangerous and insecure system. Why do people persist chasing this
unnecessary, pathologically involuted technological misadventure?
Surely "controlling and monitoring people's content" is not a hill
worth dying on?
[+] [-] londons_explore|1 year ago|reply
I really don't see why so many millions (billions?) of dollars have been spent on technologies which so far have never kept the bad guys out.
[+] [-] jsheard|1 year ago|reply
[+] [-] somenameforme|1 year ago|reply
[+] [-] gwbas1c|1 year ago|reply
[+] [-] bombcar|1 year ago|reply
[+] [-] hannob|1 year ago|reply
[+] [-] makin|1 year ago|reply
[+] [-] miki123211|1 year ago|reply
[+] [-] nonrandomstring|1 year ago|reply
[0] https://en.wikipedia.org/wiki/Sunk_cost
[+] [-] jvanderbot|1 year ago|reply
Someone who wanders in the woods might not be blamed for trespassing. But someone who hops a fence with a sign on it doesn't have much defense.
[+] [-] devwastaken|1 year ago|reply
[+] [-] whoopdedo|1 year ago|reply
[1] https://en.wikipedia.org/wiki/DIVX
[2] And this is when I remember that Wikipedia links are case-sensitive
[+] [-] tawa9102930|1 year ago|reply
The resulting files ("webrips") aren't a lossless copy of the original, but are good enough for most.
[+] [-] squigz|1 year ago|reply
Because the goal isn't actually to "keep the bad guys out" - it's to strip user freedom and privacy, and make a shit load of money at the same time
[+] [-] ParetoOptimal|1 year ago|reply
A PR campaign to make people think getting that content for free is harder than it is?
[+] [-] daveoc64|1 year ago|reply
[+] [-] Retr0id|1 year ago|reply
[+] [-] nevir|1 year ago|reply
The platforms roll their eyes, but implement it anyway; cause it's a rounding error, and keeps publishers happy
[+] [-] probably_jesus|1 year ago|reply
[deleted]
[+] [-] charles_f|1 year ago|reply
[+] [-] squigz|1 year ago|reply
[+] [-] 015a|1 year ago|reply
[+] [-] tithe|1 year ago|reply
This is exactly what the WEI (Web Environment Integrity)[0] specification sought to achieve, but at the browser level.
[0] https://en.wikipedia.org/wiki/Web_Environment_Integrity
[+] [-] watermelon0|1 year ago|reply
The only reason it's possible to copy such content is because keys were leaked in the past, and they are not blacklisted.
[+] [-] clwg|1 year ago|reply
[+] [-] dawnerd|1 year ago|reply
[+] [-] unknown|1 year ago|reply
[deleted]
[+] [-] earth-adventure|1 year ago|reply
[+] [-] xurukefi|1 year ago|reply
[+] [-] repelsteeltje|1 year ago|reply
[+] [-] zeta0134|1 year ago|reply
[+] [-] repelsteeltje|1 year ago|reply
[+] [-] unknown|1 year ago|reply
[deleted]
[+] [-] williamcraven|1 year ago|reply
[deleted]
[+] [-] logical_person|1 year ago|reply
[+] [-] Jerrrry|1 year ago|reply
[+] [-] amaccuish|1 year ago|reply
[+] [-] nonrandomstring|1 year ago|reply