[Infowarrior] - AACS DRM tentacles reach far into operating systems
Richard Forno
rforno at infowarrior.org
Mon Aug 13 12:11:08 UTC 2007
AACS DRM tentacles reach far into operating systems
By Ken Fisher | Published: August 12, 2007 - 11:03PM CT
http://arstechnica.com/articles/culture/aacs-tentacles.ars
Introduction
"The biggest trick the devil ever pulled was in getting folks to blame
someone other than Hollywood for video DRM." - not Keyser Söze
Peter Gutmann, author of a well-known and fascinating paper describing the
tradeoffs of Microsoft's content protection system in Windows Vista, is on
the hunt again. Last year, his paper "Cost Analysis of Windows Vista Content
Protection" painted a grim picture of the lengths Microsoft went to in order
to gain full compliance with AACS, the next-gen copy control system for
Blu-ray and HD DVD (and they did go far). Now Gutmann is reiterating his
claims but also reportedly digging deep in his attacks on Microsoft. While
Microsoft deserves some of the blame, the bigger story here is the technical
nightmare created by AACS and how its tentacles are reaching into the
consumer technology we all use daily. It's a shame that this is getting lost
in the mix, but after discussing the issue with a journalist this weekend, I
decided to delve a little more into it here.
Gutmann's presentation at this year's USENIX Security Symposium in Boston
has been profiled at Network World. Gutmann's thesis is fairly basic and
unchanged from last year: Microsoft spent way too many resources appeasing
Hollywood when it should have been making Windows Vista better. Gutmann is
essentially correct; any time a consumer electronics manufacturer or other
technology company has to waste time with DRM, that company is wasting
resources that could be better spent elsewhere if DRM wasn't a sad fact of
life. Let no one doubt that. All of this attention focused on Microsoft is
missing the bigger story, however.
AACS: coming to an (incorporated) OS near you
This is important but rarely acknowledged in these discussions (and my
journo discussion partner was rather surprised to learn this): Apple will
also have to adopt a strict DRM regimen at the most fundamental levels of
Mac OS X in order to be able to (legally) play back AACS-protected Blu-ray
or HD DVD discs (e.g., most commercial discs in those formats). Apple thus
far has avoided criticism, but only because the company has not unveiled its
full plans for appeasing the various requirements imposed by the AACS
Licensing Administrator for next-gen optical disc DRM. When Apple does,
we'll all see that Blu-ray/HD DVD support comes with plenty of strings
attached: strings that Apple will have to work into its OS, too. There is no
way around it; something similar to Microsoft's Protected Media scheme will
be required of Mac OS X if Apple is a licensee to AACS. (The same would be
true for Linux, except that AACS won't be licensed for Linux desktop use.
There's no way to securely implement it since desktop Linux is an open
environment, and AACS requires keeping secrets.)
Here's the basic rundown: AACS has "robustness rules" that include strict
mandates for the path that video data takes through a software-based system,
like a modern PC. These rules require that decrypted video "not be present
on any User-Accessible Bus in analog or unencrypted, compressed form,"
because users could possibly record or redirect that content. Companies like
Apple and Microsoft are additionally required to use "encryption, execution
of a portion of the implementation in ring zero or supervisor mode (i.e., in
kernel mode), and/or embodiment in a secure physical implementation," or any
other method that can "effectively" keep encryption keys secret.
Furthermore, they are required to use "techniques of obfuscation clearly
designed to effectively disguise and hamper attempts to discover the
approaches used" to secure the systems. Thus, video content must travel
through the system encrypted and must only interact with authorized
components over authorized pathways.
Again, these are the requirements of AACS, and they're not simple to
accomplish, especially in an operating system where there are multiple ways
to attack the system. This is why AACS goes even further, requiring that
operating systems constantly monitor the "integrity" of the content
protection system and purposely stop playing content in the event that any
"unauthorized modifications" are detected. In this way, the system not only
watches the video path as video travels on it, but it monitors the state of
the PC as a whole.
So, when thinking about this issue, we have to ask ourselves: is a company
like Microsoft or Apple likely to tell Hollywood to jump off a cliff? No,
because both companies know that users will want to play HD DVD or Blu-ray
discs on their computers. Microsoft didn't tell AACS LA to stuff it, and
Apple won't tell them to, either. Not only do both companies want to be a
part of the HD "revolution," but both of them are DRM developers, too.
While Steve Jobs may be an opponent of DRM for music, he has said on record
that his objections to DRM for music do not apply to video.
Timeline flaws adding up
Most of what breaks the "HD experience" on PCs right now stems from AACS's
demands on technology, starting with the requisite HDMI/HDCP support on
video cards and displays. HDMI/HDCP are two key parts of the "secure path"
for video, but the two technologies have still not penetrated the PC market
in any substantial way. (I'm quite surprised that monitor and video card
manufacturers were so late implementing HDCP, given that this aspect of AACS
has been known about for some time.)
Regardless, note that hardware-level support for AACS (via HDMI/HDCP) has
nothing to do with Microsoft or Apple, but both companies will have to
grapple with balancing the AACS requirements with providing users with a
simple playback environment. Thankfully, Hollywood has backed off the Image
Constraint Token for now, the biggest snag in the HDCP plan, likely because
of the slow adoption of HDCP itself. Hollywood holds the cards here: it's
the studios' content licensing practices at work, and it's their call when
to start enforcing technical requirements for full HD display. So, while the
HDCP issues may seem only theoretical for now, those days are numbered.
Video DRM is a drain on technology performance and engineering, wasting
precious resources on something that only benefits a very small group of
people with very narrow, self-serving demands. The shape and contours of the
video DRM experience are established by Hollywood, not by Microsoft or Apple.
How tech companies implement this stuff is, of course, important, and there
are signs that Microsoft's implementation is made overly complex by
architectural decisions the company has made. But the annoying stuff, like
downgraded video quality and video pathways with significant CPU overhead,
is all part of AACS, all by design.
Last year, Marcus Matthias, product manager of Windows Digital Media at
Microsoft, put it this way to me in a discussion about this very issue: "Any
device, whether it be a PC or consumer electronic device, will need to ensure
compliance with the specified policies [read: AACS], otherwise they risk
being unable to access the next-gen DVD content. Clearly we think that
offering next-gen DVD content on the PC is much preferable to having the PC
excluded from accessing this premium content."
Users should be outraged at these developments, but directing that outrage
at Microsoft (or Apple) misses the point. The movie industry's fear of fair
use and casual piracy is so great that it uses its considerable weight to
influence innovation in personal computing. They can create a technology
(AACS) and a license for that technology without ever having to prove its
utility or safety for consumers. The situation is made more deplorable by
the fact that AACS seems to be nothing more than a stab in the dark at the
problem: it has already been cracked! AACS is unproven technology with
amazingly complex demands. And it's being rolled into operating systems
essentially unproven and with little care for how much havoc it wreaks.
Some loose ends...
Two particular comments reportedly made by Gutmann deserve commentary, even
though they aren't related to the issue of AACS in general. Gutmann
reportedly said that a $100 video card outperforms a $1,000 video card on
Vista, thanks to these content protection mechanisms. This is nothing short
of hogwash, as practically any recent video card review will show. Here's
Tech Report on the new Radeon 2900XT 1GB. The only way that a $1,000 card
and a $100 card might be "similar" would be if they both lacked HDMI/HDCP,
which a) Microsoft and Apple have no control over and b) hardly constitutes
a fair comparison of the two cards' capabilities.
Gutmann also says that users are being punished by an overzealous system
that misidentifies "premium" content. Users are supposedly finding that
Vista is blocking them from showing their own home movies if they were shot
in HD. I've worked with two HD cams on Vista (both from Sony) and haven't
had a single problem, but I've never heard anything similar from our
readers. I'd love to hear from those of you who have had this problem.
Microsoft has publicly stated that content controls can only be activated by
copyright holders, which clearly indicates that this should not be happening
to users with their own home videos.