[ISN] Vulnerability found in HDCP, but scientist cannot publish vulnerability.

From: InfoSec News (isnat_private)
Date: Wed Aug 15 2001 - 23:02:56 PDT

  • Next message: InfoSec News: "RE: [ISN] MS patch-scanner for Win-NT, 2K, IIS, SQL"

    Forwarded from: "Jay D. Dyson" <jdysonat_private>
    Courtesy of Vuln-Dev.
    This royally sucks.  It seems the only answer is that open source work
    start in parallel to the closed-source nonsense.  Just as the open
    Altivore overcame the closed Carnivore, so more forward-thinking projects
    should do to those snake-oil products presently protected by the fascist
    Grrr.  Anyone who thinks full disclosure on these sorts of issues is
    "inappropriate" needs to get their bleedin' head examined.
    - ---------- Forwarded message ----------
    Date: Wed, 15 Aug 2001 13:21:51 -0700
    From: "Jon O ." <jonoat_private>
    To: vuln-devat_private
    Cc: bugtraqat_private
    Subject: Vulnerability found in HDCP -- Scientist cannot publish vulnerability
    There is currently a reported vulnerability in the High-bandwidth Digital
    Content Protection system used by different hardware vendors. The
    vulnerability was found by Niels Ferguson after analyizing the system.
    However, Niels is unable to release the vulnerability due to US and soon
    international laws. 
    Due to DMCA restrictions in the US his paper describing these
    vulnerabilities cannot be published so there are no details at this time.
    Background information from Niels is available here: 
    Background on the DMCA and similar laws being passed around the world are
    available here: 
    Hopefully these issues will be worked out so Niels can publish his
    findings and the weak protections can be improved. 
    Forwarded message follows: 
    - ----- Forwarded message -----
    To: dmca_discussat_private
    Subject: [DMCA_discuss] Cryptography Paper suppressed from the DMCA
    Date: Wed, 15 Aug 2001 10:13:44 -0700
    Niels Ferguson has found a weakness in the HDCP content protection system.
    However, he can not publish the results due to DMCA issues. 
    He has written a paper regarding this issue here: 
    Censorship in action:  why I don't publish my HDCP results
    HDCP is fatally flawed. My results show that an experienced IT person can
    recover the HDCP master key in about 2 weeks using four computers and 50
    HDCP displays. Once you know the master key, you can decrypt any movie,
    impersonate any HDCP device, and even create new HDCP devices that will
    work with the 'official' ones. This is really, really bad news for a
    security system. If this master key is ever published, HDCP will provide
    no protection whatsoever. The flaws in HDCP are not hard to find. As I
    like to say: "I was just reading it and it broke."
    - ------------------------
    - ------------------------
    - ----- End forwarded message -----
    Version: 2.6.2
    Comment: See http://www.treachery.net/~jdyson/ for current keys.
    -----END PGP SIGNATURE-----
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Thu Aug 16 2001 - 04:26:44 PDT