Hanging the Pirates

R.A. Hettinga rah at shipwright.com
Fri Jan 14 11:09:10 PST 2005


<http://www.forbes.com/forbes/2005/0131/096_print.html>

Forbes



Security
Hanging the Pirates
01.31.05



Paul Kocher has a way to save Hollywood from illegal copying.

Over the past few months top brass from Hollywood and Japan's consumer
electronics giants have been hashing out their futures in hotel meeting
rooms in Tokyo and Los Angeles. Topic A is the politically charged debate
over the standard for the new high-definition DVDs, which the film industry
hopes will swell the current $24 billion DVD market, as hi-def becomes the
norm. Most of the players want to get something decided on within a year.

But, as big as the stakes are in those discussions, the movie studios are
even more keen on the outcome of the talks on the 39th floor of Toshiba's
Tokyo headquarters.



By the Numbers

Price of Piracy

Illegal file-sharing hits music far harder than film--for now.

 $21 billion DVD sales in U.S. in 2004, a 200% increase since 2000.

 $12 billion CD sales in U.S., a 17% decline since 2000.

 $3 billion Amount movie studios lose to piracy each year.

 $4 billion Amount music publishers lose to piracy each year.

 Sources: Adams Media Research; RIAA; MPAA.
There, a select security committee representing both hardware and film
makers has an extremely rare opportunity to stop digital piracy from doing
to movies what it did to music. Napster and its ilk have helped knock 17%
off of record label sales in the past three years. With DVD's basic
encryption already cracked and one-quarter of American homes now capable of
broadband-speed downloads, it's inevitable that one day the latest Harry
Potter film will be swapped as easily as U2's new hit.

"This is the number one priority at the highest levels," says Thomas
Lesinski, president of Paramount Home Entertainment. "The studios want to
have more control over protecting our content."

One of the most important people involved in that discussion is Paul
Kocher, the 31-year-old president of Cryptography Research, a tiny San
Francisco consulting and licensing firm that brought in $6 million last
year. Kocher is soft-spoken, young and obscure, but his credibility in the
encryption business is sterling. Eight years ago, fresh out of Stanford,
Kocher cowrote Secure Sockets Layer (SSL), the protocol that secures the
vast majority of commerce on the Internet.

What Kocher is pushing is the concept of renewable security. Any attempt to
erect a one-time, rigid barrier between thieves and content, he says, is
useless, including the current method pushed through by the Japanese
consumer electronics companies. "With very few exceptions, all the major
security systems being used by the studios today are either broken and
can't be fixed, or they're not deployed widely enough to be worth hacking,"
says Kocher.

Under the existing Content Scrambling System, electronics makers install
the exact same encryption code into nearly every DVD player. But that was
broken by European hackers in 1999 and the trick disseminated widely on the
Internet. Even the least sophisticated user can now download a program that
easily copies protected movies.

Kocher's alternative is to allow for constant change. His system, called
self-protecting digital content, places the security on the disc instead of
in the player. A software "recipe" running into the millions of steps is
burned onto every new movie disc. Each DVD player would contain a small
chip costing only a few extra cents that would follow the recipe
faithfully. If the DVD player decides the disc is secure, it will decode it
and play the movie. But each film could have a different recipe. So if a
pirate breaks the code on Spider-Man 2, he wouldn't necessarily be able to
break the code on Elf. The studios would always be one step ahead of the
thieves; at the very least it would take pirates more time to break each
film. Not a big deal: Studios make most of their money from DVDs in the
first three months, anyway.

"A lot of security systems are hard and brittle," says Robert Baldwin, head
of the security firm Plus Five Consulting. "Paul's is more like a willow
tree. It bends and recovers."

No studio executive contacted would comment on Kocher's scheme on the
record, but it looks likely to be the backbone of any eventual security
standard. A group including IBM, Toshiba, Time Warner and Microsoft is also
angling to get a complementary encryption scheme called AACS into every
future player. It will likely be written to work with Kocher's idea.

Consumer electronics firms, which dictated the last encryption format,
never had much to lose from security leaks. Film executives like the fact
that Kocher's scheme gives them a stronger hand. Now they will be able to
decide how much security they want on each disc and when it needs to be
updated.

Kocher, son of a physics professor at Oregon State University in Corvallis,
says he learned about computing because he stayed home a lot, too lazy to
bike the two miles into town. He initially wanted to be a veterinarian.
"It's not a good job from a financial perspective, but it includes the
interesting parts of medicine, and if you make a mistake you haven't done
in someone's grandma," says Kocher.

He ran out of money while at Stanford, so he started doing security
consulting for Microsoft and RSA Security. By the time Kocher graduated
from Stanford, he was already well-known as a protégé of Martin Hellman,
the co-inventor of public key encryption, the most widely used security
technique on the Internet.

A year after college Netscape asked Kocher to redesign from scratch the
security behind e-commerce. On the old version thieves could intervene in a
transaction, weaken the encryption and steal information. Kocher redesigned
the system to ensure that seller and buyer are working off of the strongest
encryption possible, and that if someone interferes, the sale fails. "With
all the problems on the Internet, SSL has stood as an industrial-strength
protocol," says Taher Elgamal, who worked with Kocher on SSL.

With SSL Kocher had full control over how the protocol would turn out.
Things aren't so straightforward with the new DVD standards. Kocher is in
the middle of a battle between Sony and Toshiba to define the new
standards. Both sides are in favor of renewable security, but they haven't
decided how to get it. For example, downloading fixes over an Internet
connection is one idea that has been floated by Microsoft and others. With
players like Sony, Microsoft and Intel all trying to impose their own
agendas, there's a risk the compromises could result in a less secure
standard.

For the most part Kocher has avoided political battles, sitting through the
endless, heated standards meetings and tapping on his Treo from the side of
the room, interrupting quietly now and then to endorse his fix.

There's money in this for him, just not that much--given that he's looking
at only several cents per disc for his firm if Cryptography's solution is
ultimately used. That could eventually work out to $75 million based on the
current 1.5 billion copies sold worldwide. More lucrative would be the
consulting fees from the studios when they eventually start deciding what
kind of security they want on each title. That's unlikely to happen until
high-definition DVDs get traction, sometime around 2007.

"The formats have to decide to build in a system that will make it possible
to fix problems later," says Kocher. "When you have the tools to handle
security risks, they'll inevitably get used."






-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'




