Vulnerability found in HDCP, but scientist cannot publish vulnerability.

[InfoSec News <isn () c4i org>]

Forwarded from: "Jay D. Dyson" <jdyson () treachery net>


-----BEGIN PGP SIGNED MESSAGE-----

Courtesy of Vuln-Dev.

This royally sucks.  It seems the only answer is that open source work
start in parallel to the closed-source nonsense.  Just as the open
Altivore overcame the closed Carnivore, so more forward-thinking projects
should do to those snake-oil products presently protected by the fascist
DMCA.

Grrr.  Anyone who thinks full disclosure on these sorts of issues is
"inappropriate" needs to get their bleedin' head examined.


- ---------- Forwarded message ----------
Date: Wed, 15 Aug 2001 13:21:51 -0700
From: "Jon O ." <jono () microshaft org>
To: vuln-dev () securityfocus com
Cc: bugtraq () securityfocus com
Subject: Vulnerability found in HDCP -- Scientist cannot publish vulnerability


Vuln-dev:

There is currently a reported vulnerability in the High-bandwidth Digital
Content Protection system used by different hardware vendors. The
vulnerability was found by Niels Ferguson after analyizing the system.
However, Niels is unable to release the vulnerability due to US and soon
international laws. 

Due to DMCA restrictions in the US his paper describing these
vulnerabilities cannot be published so there are no details at this time.
Background information from Niels is available here: 

http://www.macfergus.com/niels/dmca/index.html

Background on the DMCA and similar laws being passed around the world are
available here: 

http://www.anti-dmca.org

Hopefully these issues will be worked out so Niels can publish his
findings and the weak protections can be improved. 

Forwarded message follows: 

- ----- Forwarded message -----

To: dmca_discuss () lists microshaft org
Subject: [DMCA_discuss] Cryptography Paper suppressed from the DMCA
Date: Wed, 15 Aug 2001 10:13:44 -0700


Niels Ferguson has found a weakness in the HDCP content protection system.
However, he can not publish the results due to DMCA issues. 

He has written a paper regarding this issue here: 

Censorship in action:  why I don't publish my HDCP results
http://www.macfergus.com/niels/dmca/index.html

<quote>
HDCP is fatally flawed. My results show that an experienced IT person can
recover the HDCP master key in about 2 weeks using four computers and 50
HDCP displays. Once you know the master key, you can decrypt any movie,
impersonate any HDCP device, and even create new HDCP devices that will
work with the 'official' ones. This is really, really bad news for a
security system. If this master key is ever published, HDCP will provide
no protection whatsoever. The flaws in HDCP are not hard to find. As I
like to say: "I was just reading it and it broke."
</quote>

_______________________________________________

- ------------------------
http://www.anti-dmca.org
- ------------------------

- ----- End forwarded message -----

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iQCVAwUBO3rguLlDRyqRQ2a9AQFZoQP9FhsDY/iGLWI3Jw9NML1Sz6H1+Q6eyWxV
6omd5JWeypBxzW+FZaKVOzFstQKv1gUXsmvT5KL8LQqYy4BM6dE/CsW+DSyaYSWu
51iSTU36UPQmsit42r2uvYOFuiXEcEHAnRoIxBh+NXQLNBgKeSViZm8BeZlF/hC6
13NYqr8xuyw=
=eNWX
-----END PGP SIGNATURE-----



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.