AACS: "We Have Not Been Hacked—Just Our Players"

Okay, now things are getting confusing. Hot on the heels of his announcement that he had hacked HD DVD's Advanced Access Content System (AACS) digital rights management (DRM), muslix64 claimed to have done the same to Blu-ray's implementation, with the help of anti-DRM crusader Janvitos. You can read the whole saga at the Doom9 forum, but we'll just give you the juicy bits: "In less than 24 hours, without any Blu-ray equipment, but with the help of Janvitos, I managed to decrypt and play a Blu-ray media file using my known-plaintext attack."

For those of us not fluent in heavy code-speak, what muslix64 and Janvitos are claiming to have done is not actually to circumvent AACS itself, but to find and use each disc's unique private key to make the disc decrypt itself, just as it would in any authorized player. The exact mechanism that muslix64 and Janvitos employed to get those keys is not at all clear (not to me certainly), but they claim it isn't difficult and doesn't take expensive equipment, so the Internets will undoubtedly soon be awash with lists of those codes.

Some observers have wondered if AACS had really taken a hit, despite the claims of the hackers. On January 24, the Advanced Access Content System Licensing Authority (AACS LA) lent the hackers' claims validity with a terse dismissal:
"AACS LA has confirmed that AACS Title Keys have appeared on public websites without authorization. Such unauthorized disclosures indicate an attack on one or more players sold by AACS licensees. This development is limited to the compromise of specific implementations, and does not represent an attack on the AACS system itself, nor is it exclusive to any particular format. Instead it illustrates the need for all AACS licensees to follow the Compliance and Robustness Rules set forth in the AACS license agreements to help ensure that product implementations are not compromised. AACS LA employs both technical and legal measures to deal with attacks such as this one, and AACS LA is using all appropriate remedies at its disposal to address the attack."

Translation: It wasn't our fault and it doesn't matter anyway.

Technically, the AACS LA can revoke the license of any manufacturer making components that do not meet its standards, but industry observers aren't convinced that this will actually happen. Besides, as muslix64 told Slyck.com, "Players are part of this system—and a system is only as strong as [its] weakest link! Even if players become more secure, key extraction will always be possible."