When security meets reality: AACS

Engadget reports on the next step in the AACS saga (via BoingBoing): During the time window between one cracked AACS key getting all over the place, and industry revoking that key, yet another key has been compromised.

This is not just a glimpse at the sorry state of DRM technology and deployment, but also a study in failure modes of security technology. What has been demonstrated by this particular crack is nothing less than the total collapse of the protection that AACS is supposed to deliver, because the attackers are capable (probably reproducibly) of opening a new hole while the defenders in the system are still in the process of rolling out the countermeasures to the previous one. We might end up living in a world in which no Blu Ray or HD-DVD disk will hit the market protected.

Meanwhile, it looks as if we’re going to see the defenders engage in an exercise of whack-a-mole in which all they do is burn money, without ever achieving their protection goals. The security technology and the organizational measures surrounding it turn around to damage the defenders more than they’ll ever damage the attackers.

For some more reading on the design aspects exposed in this particular DRM debacle, have a look at these links:

(In the last one, Ed Felten tries to model an attacker with an economic incentive to break the keys, and predicts certain behaviors. It’s interesting to observe how the behavior we’re seeing in real life is (a) different, and (b) even more damaging to the defenders.)