TOKYO Publicly acknowledging that the Content Scrambling System (CSS) used in DVD video players has been hacked, Matsushita Electric Industrial Co. and JVC abruptly canceled their planned pre-Christmas launch of new DVD-Audio players. The DVD-Audio launch could be postponed by "about six months," said a Matsushita spokesman.
This is the first time that a consumer electronics company's business plan has been altered by a breach of copy protection codes. But it foreshadows proliferation of such problems, as more consumer devices go digital and consumer electronics manufacturers are held responsible for content security.
The infiltrated code cracked by hackers and paraded on the Internet a few months ago was the CSS used in current DVD-Video players. But DVD-Audio players are designed to use CSS2. While that's a different copy protection scheme from CSS, it is believed to share some core scrambling technologies of CSS.
"Compromised CSS video led major record labels to be concerned about the copy protection of DVD-Audio," said Michael Moradzadeh, director of external legal affairs at Intel Corp.
The 4C group, composed of IBM, Intel, Matsushita and Toshiba, has been working together with major record labels on appropriate digital security measures for DVD-Audio, and "is currently looking at the situation and figuring out what to do," Moradzadeh said.
It is not known how soon and what kind of encryption system will now be designed into DVD-Audio players. Matsushita plans to propose a new encryption system to the music industry through the 4C group, the Matsushita spokesman said. Noting that the encryption system is still under consideration, Matsushita declined to discuss its details.
Meanwhile, some industry observers remained skeptical whether the exposed CSS code was the real reason for the postponement for the DVD-Audio launch. The music industry, which has been expressing a need for more robust encryption system for DVD-Audio, has not been in sync with hardware system manufacturers. Major labels have been far less willing and less prepared than systems makers for launching DVD-Audio titles.
The CSS code cracking is not new to the music industry or to consumer-electronics manufacturers. There have been a number of incidents where DVD's regional coding scheme, as well as content scrambling system, has been hacked in recent months. Among them, one of the notable incidents was the effort made by a group of Norwegian programmers who were developing DVD playback software for Linux.
In the course of trying to reverse-engineer Windows DVD players, they discovered XingDVD developed by RealNetwork's subsidiary Xing Technologies had failed to encrypt a decryption key for CSS. Consequently, some of those who discovered the secret used the decryption key to create a utility to remove the encryption in a DVD movie, making it possible for DVD movies to be illegally copied.
Since the time when the utility software called DeCSS was posted on the Web, "CSS has been opened up," said Moradzadeh. However, he noted that "we never said that CSS is a nuclear secret. We said all along that this is a light scrambling system, and we knew this was going to happen sooner or later." Noting that CSS has been used for three years, he added, "It has lasted a lot longer than we expected."
Some cryptography experts said there are serious flaws in the DVD copy protection scheme.
Bruce Schneier, founder and chief technology officer of Counterpane Internet Security Inc., said in his recent news letter that the DVD security model is flawed because it displays decrypted DVD data. "No matter how good the encryption scheme is, the DVD data is available in plaintext to anyone who can write a computer program to take it . . . And so is the decryption key. So the decryption key is available, in the clear, to anyone who knows where to look."
While it "might be a bitter pill for the entertainment industry to swallow," Schneier said "software content protection does not work. It cannot work. You can distribute encrypted content, but in order for it to be read, viewed, or listened to, it must be turned into plaintext. If it must be turned into plaintext, the computer must have a copy of the key and the algorithm to turn it into plaintext. A clever enough hacker with good enough debugging tools will always be able to reverse-engineer the algorithm, get the key, or just capture the plaintext after decryption. And he can write a software program that allows others to do it automatically. This cannot be stopped."
Most industry sources do not believe that the development of a new encryption system for DVD-Audio will lead to a change of copy protection system for DVD-Video players. "It needs to be figured out," said Moradzadeh. "On one hand, DVD-Video has been a rousing commercial success," and nobody wants to change the spec. On the other hand, not everyone is exactly happy about the copy protection system.
DVD-Audio became an easy target, mainly because the DVD-Audio players are not on the market yet. Moreover, DVD-Audio requires much less storage space for recording, compared to DVD-Video, so that making pristine digital copies off of DVD-Audio has become a much more immediate threat to record labels, Moradzadeh said.