On Sat, Mar 24, 2007 at 10:21:49PM -0400, Herbert Graf wrote:
> On Sat, 2007-03-24 at 21:37 -0400, Byron A Jeff wrote:
> > I still think that most of those protection schemes are generated by novices
> > who think they know the process. That's why they are so easily broken.
>
> I'd have to partially disagree. I can't believe that technologies like
> ACSS and HDCP were "generated by novices". I'm certain, given the money
> spent, that MANY experts were involved.

No disagreement there. In fact from the articles that I've read, the encryption has not in fact been broken.

> However, being used for what they are used for, they are HUGE targets,
> and attract MANY people trying to defeat them.

Where they failed is key management.

> I think of it kinda like the "superbugs" we have these days. Out of
> millions or billions of bacteria, if only ONE survives an anti-biotic
> "attack", it will reproduce and multiply, creating a "superbug". It's
> similar with protection schemes that have such a large scope, all it
> takes is ONE person to get lucky and break it, then it's all over.

But it wasn't luck here. That's where I come back to the novice point. You can have a tank and it's easily breached if you leave out the keys to open it. Rule #1 of encryption is key management. Anyone who doesn't take that into account is in fact operating at the novice level.

I agree about the fact that there will be a concerted effort to break. But the true failure is the insistence on having software players. It's a heck of a lot more difficult to circumvent firmware just because of sheer accessibility.

> > > Aside from that, I run linux on my main machine at work and my machines
> > > at home are both linux. I keep a 2k machine at home for MCU devel tools
> > > like MPLAB.
> >
> > I'm completely Linux based for my PIC toolchain.
> > Tools including gputils,
> > JAL, NPCI (my own HLL), picprg, linwload (used with Wouter's WLoader),
> > various Python pieces, and pkp from pikdev are all in my toolkit to various
> > degrees of use. The last time I used MPLAB was when it was running on DOS
> > well over 10 years ago.
>
> My problem is my addiction: I'm addicted to using the ICD2 for my PIC
> work. ICD2 support under Linux is quite poor. While there are some
> software packages that support programming some (perhaps most) devices,
> I don't believe there is much (if any) debug support. At home I run a
> win2k virtual machine just for this reason.

I can't be addicted to something that I haven't taken. I've been working with microcontrollers and microprocessors as a hobbyist for 20 years. Everything from Motorola 6802->6809->68K to 8051s to PICs. Most didn't have the hardware debugging support that the ICD2 offers. So you learn to simulate, to hex dump, and the like.

Hardware debugging is absolutely essential when you have issues like race conditions and whatnot. But their value for logic errors isn't as great. Of course having one debugging tool that can do it all is a great thing.

But tying back to the original theme, it's tough to be forced to do things the way the original content provider wants it done. That's why folks like muslix64 who cracked the keys for HDDVD and Blu-Ray did what he did.

I can't figure out why Microchip has been so secretive about the ICD2 protocol. They're so open about everything else. And AFAICT they haven't run into any severe support issues with anything else.

> Other MCU vendors are even worse however, I don't believe Freescale,
> Luminary or Cypress parts have any Linux support, either from the
> manufacturer or third parties. It's for that reason that I have to keep
> that virtual win2k machine available.

Companies have no good reason to support anything other than Windows. I would not expect them to.
What they need to figure out though is that they can get an additional customer base simply by providing enough documentation so that someone can generate their own tools. Someone will take up the task.

> > > But how do you make the interval bigger? Spending MUCH more money didn't
> > > work for HDDVD and BluRay (they were cracked MUCH faster than DVD was).
> >
> > I'm reading the HDDVD thread now. Again it was cracked due to stupidity.
> > Specifically leaving a decrypted key in memory for anyone to see.
> >
> > It really doesn't matter how tightly one locks up one's house if they leave
> > all the keys on the stoop, does it?
>
> Your analogy is incomplete. It would be more appropriate to say: the
> house is locked, the problem is they had to give out keys to a bunch of
> people. ONE of those people left the keys in their unlocked car.

In this case it's the software guy that did it. If all HDDVD and Blu-ray players were firmware embedded, they wouldn't be cracked. But as usual Microsoft has to get in the middle of it, and they want to insist on how you can play those disks.

It's the same reason that original DVD was cracked. Folks couldn't abide that they couldn't play their legally bought DVDs in their legally bought DVD drives without being forced to use some certain software.

It's a tough problem because the freedom to use your own tools and the responsibility not to abuse go hand in hand. Companies continue to try to restrict freedom, and that's why the cracking occurs. But the crackers (or others that end up with the cracked content) are irresponsible. And so the battle rages on.

> The fact is there will ALWAYS be a way to break something created by
> humans. The fact that I as a consumer am paying for these efforts ticks
> me off.

I got that. The question remains: Does a company simply give up because some segment of the population refuses to play fair?

A while back you responded to a post about giving up freedoms in the name of public safety.
I believe you dismissed this as an apples and gorillas argument because the public welfare is important enough that giving up some freedoms is acceptable, while protecting company content isn't nearly so important. But what you miss is that attempting to protect that content is absolutely vital to that company, regardless of how you, the legit paying consumer, feel about it. You can't get investors if your business plan doesn't show how you'll try to protect the content.

Also I think ALWAYS may be a bit of a reach. You have to limit the scope of the question to "Can it be done in a time frame that makes it usable for the cracker." If I come up with a scheme that takes 18 months to crack, then I'm in business.

Getting back to the novices who keep attempting to protect content, they're taking the wrong approach. They keep trying to protect content by obscuring it: security by obscurity. They need exactly the opposite: shine a spotlight on it. If I needed to really protect content, then I'd start an X-prize style contest opening up a cracking competition for whatever scheme I've come up with. Offer $50k to the first one who can crack the content with the given player. Require that the cracker explain the process before paying. Give a limited time frame (say 30 days) to get it done. I bet after a few iterations with the real motivated experts out in the field, you'd come up with something that would be difficult enough to pass muster. I really don't care if you need 10,000 years and a quantum computer to get the job done because no one has those types of resources. Just get it to a point where you're not doing something stupid.

> > > I use mostly open source. I do pay for some apps as long as they work
> > > well and don't go crazy with protections. The industry will survive.
> >
> > Open Source foregoes the software selling profit model. There's limited money
> > in it.
>
> I don't think so. Redhat is making TONS of money selling and supporting
> open source software.
Less selling, more supporting, mostly marketing. It's in fact a great example of the segmentation of the market. Redhat makes very little off students, hobbyists, and well versed Unix/Linux folks. They download Fedora, support themselves, and wave nicely at RedHat. The sales and support come from companies and middle level managers who feel naked unless they have a finger to point when things go wrong.

This works in a huge market, where the second segment is large enough to support your company. But if the pie is small, like in the OP's case, the model fails. You have to be able to capture part of that first segment simply to survive. But the first segment is the group motivated to relieve you from your software without having to pay (either directly by cracking or indirectly by receiving cracked software).

Note that only a handful of companies meet your requirements. For the average OpenSource project, the profit model tends towards zero.

> Linksys/Cisco has made CRAPLOADs of money selling the WRT54 series of
> routers due to their open source nature (LOTs of geeks have bought these
> routers specifically due to the fact it's open source).

But that's not a software model. It's an excellent model, but not a software one. Linksys/Cisco is selling hardware. And each and every hardware company should embrace OpenSource, because it'll sell more hardware for them, and give many more innovative uses for that hardware. Motorola gets it too with their Linux phones. But they are not selling software. They are selling phones.

> Despite the FUD that commercial software vendors claim, money CAN be
> made with the open source model, sometimes VERY good money. That said, I
> don't believe ALL software should be open source, I have no problem
> compensating a vendor for software that is worth the money.

Unfortunately most of the customer base doesn't feel like you do. A question: do you financially support OpenSource projects?
By this I mean have you sent a financial donation to an author who wrote something that you use?

> Unfortunately there is A LOT of software out there that isn't worth the
> money charged for it.

Of course. And that's both in the OpenSource and ClosedSource arenas.

I'm enjoying the discussion. I'm learning a lot.

BAJ

--
http://www.piclist.com PIC/SX FAQ & list archive
View/change your membership options at
http://mailman.mit.edu/mailman/listinfo/piclist