December 28, 1999
Web posted at: 5:39 p.m. EST (2239 GMT)
In this story:
Hacker Quarterly: We didn't do the hacking
Lawsuit: Consumers have suffered
By Amanda Barnett
CNN Interactive Writer
(CNN) -- An industry group that licenses encryption technology for DVDs filed a lawsuit in California on Tuesday accusing 500 Web site administrators of giving away trade secrets in a scheme to override encryption software that protects against DVD piracy.
The not-for-profit DVD Copy Control Association claims the Web sites are distributing information about a computer program that allows video pirates to hack the Content Scramble Systems, or CSS, encryption system used for DVDs. It took the motion picture industry years to agree on the encryption standard.
A small group of Norwegian hackers, calling themselves the Masters of Reverse Engineering, recently released DeCSS, which can break the encryption on almost any DVD and allow users to copy the contents of a DVD onto the user's hard drive.
The lawsuit claims the Web sites named in the suit have been posting information that directs video pirates to the DeCSS program. The lawsuit says DeCSS threatens the "financial stability of this new digital video format and the hundreds of companies involved in the DVD industry."
The suit asks the court to issue restraining orders and injunctions to stop the Web sites from distributing information about the hack.
Hacker Quarterly: We didn't do the hacking
One of the defendants, 2600: The Hacker Quarterly's site at 2600.com, posted an article responding to the lawsuit. The article expressed amazement at being sued for reporting that the DVD encryption code had been cracked. According to the article, the Web site "had nothing to do with the actual cracking of the encryption."
Another Web site, dibona.com, called the lawsuit appalling and offered a link to what it alleged to be the DeCSS source code followed by the comment "feel free to attempt to get a court injunction against me to." The writer is trying to organize a protest at the courthouse on Wednesday.
According to the lawsuit, the source code for DeCSS was posted on the Internet by Jon Johansen, who lives in Norway, as early as October 25. The program was removed from the site around November 8 after Johansen was sent a letter by a Norwegian law firm, but the suit says information about DeCSS has appeared on Web sites in at least 11 countries, including the United States.
The DVD CCA and the motion picture industry's anti-piracy task force worked to locate Web sites posting the hacked information and sent notices to dozens of Web site operators demanding the information be removed. The lawsuit says some complied, others did not.
The suit claims the defendants should have known that by posting the cracked encryption code, or links to the code, they were "misusing proprietary confidential information gained through improper means." The suit gives examples it says were taken from some of the accused Web sites, including one from a California defendant named Andrew Thomas McLaughlin:
"Mark of the scofflaw! Here's my local copy of the CSS decryption software, enjoy."
By midday Tuesday, McLaughlin had posted a note on his Web site announcing that he was pulling the code from his page:
"DeCSS is not a hill that I am willing to die on. They win, I'm sufficiently scared. Big corporate America has successfully bullied a severely underfunded scofflaw. In order to have a more restful sleep tonight, I've decided to remove the link from my Web site."
Lawsuit: Consumers have suffered
The lawsuit alleges consumers already have suffered from hacking of the DVD encryption code. A related product, DVD audio, was scheduled for release in December of 1999 but it was delayed for at least six months while a new copyright protection system is developed.
DVD Audio was supposed to use CSS2, a newer version of the hacked encryption standard used for DVD Video.
Pioneer announced earlier in December that it would go ahead with the launch of its DVD Audio products without waiting for the upgraded encryption program. The company said it would sell its DVD products that feature DVD Audio support on schedule and offer free upgrades when the new copy protection system is finalized next year.
Matsushita Electric Industrial, better known by its Panasonic brand name, delayed the launch of its DVD Audio products until mid-2000 while a new copy protection system is developed.
Every DVD disk has about 400 keys on it to make the disk readable to all of the various DVD players on the market. The players also contain keys, which are licensed and encrypted in their hardware or software playback systems.
But apparently one program, the XingDVD Player, from RealNetworks Inc. subsidiary Xing Technologies, didn't have its keys adequately protected. The Norwegian group reportedly cracked the player code while trying to reverse-engineer a software DVD player in order to create one compatible with the Linux operating system. There is currently no Linux-compatible software DVD player. The group then released the DeCSS program, which will automatically break the encryption code.