ELECTRONIC FRONTIER FOUNDATION

Declaration of David Wagner, in DVD CCA v. McLaughlin, Bunner, et al.

(Declaration of David Wagner in Opposition to Order to Show Cause Re: Preliminary Injunction Against All Defendants; Jan. 7, 2000)

RICHARD ALLAN HORNING - SB #45349
THOMAS E. MOORE III - SB #115107
MICHAEL W. STEBBINS - SB #138326
TOMLINSON ZISKO MOROSOLI & MASER LLP
200 Page Mill Road, Second Floor
Palo Alto, California  94306
Telephone: (650) 325-8666
Facsimile:   (650) 324-1808

ALLONN E. LEVY - SB#187251
HUBER & SAMUELSON, P.C.
210 N. Fourth Street, Suite 400
San Jose, CA  95112
Telephone:  (408) 295-7034
Facsimile:    (408) 295-5799

ROBIN D. GROSS - SB#200701
ELECTRONIC FRONTIER FOUNDATION
1550 Bryant Street, Suite 725
San Francisco, CA  95103
Telephone: (415) 436-9333
Facsimile:   (415) 436-9993

Attorneys for Defendant
ANDREW BUNNER
 

SUPERIOR COURT OF THE STATE OF CALIFORNIA  COUNTY OF SANTA CLARA
 

DVD COPY CONTROL ASSOCIATION, INC., a not-for-profit trade association,
Plaintiff,
          v.
ANDREW THOMAS MCLAUGHLIN, et al.,
Defendants.

NO.  CV786804

DECLARATION OF DAVID WAGNER IN OPPOSITION TO ORDER TO SHOW CAUSE RE: PRELIMINARY INJUNCTION AGAINST ALL DEFENDANTS

Date:  January 14, 2000
Time:  1:30 p.m.
Dept.: 2
Honorable William J. Elfving
 

I, DAVID WAGNER, under penalty of perjury, depose and say:

1.  I am a Ph.D. candidate in Computer Science at the University of California, Berkeley, with an expected degree date of June 2000. I received an AB in Mathematics from Princeton University in 1995 and an MS in Computer Science from Berkeley in 1999. I am personally familiar with the facts set forth herein, and if called as a witness, I could and would testify thereto of my own personal knowledge.

2.  My area of research includes computer and telecommunications security, cryptography, privacy, anonymity, and electronic commerce.  Cryptography is the science of designing and analyzing secure codes and ciphers.

3.  I am a co-founder, and currently the senior graduate student, at U.C. Berkeley's ISAAC Security Research Group.  The ISAAC Security Research Group has made substantial contributions in computer, network, and wireless security, and in on-line privacy. I also teach CS261 Security in Computer Systems at Berkeley, a graduate-level course on modern computer and network security.

4.  I have published extensively on the subjects of cryptography and the security of computer systems. A list of my publications is included in my C.V., attached hereto as Exhibit A.

5.  My work (I have done data security consulting through Counterpane Systems, Minneapolis, and independently), my studies (in addition to my work at Princeton and Berkeley, I twice interned at Bell Labs, studying under S. Bellovin) and my teaching have given me extensive experience in the analysis of real-world security systems.  The systems I have personally examined include supposedly secure systems used by hundreds of millions of people.  Many of my discoveries have resulted not only in academic publications, but also in widespread news coverage in leading newspapers, magazines, and TV news shows.  For example, in September 1995, a colleague and I reported serious security flaws in the techniques used for encrypting credit card numbers in the leading products facilitating the implementation of electronic commerce over the Internet.  This discovery was reported on the front page of the New York Times, the front page of the business section of the Washington Post, and elsewhere.

6.  In March 1997, two colleagues and I reported on the flaws in the privacy codes used by U.S. digital cellular phones, phones used by tens of millions of U.S. citizens.  This work not only received widespread news coverage (e.g., the front page of the New York Times), but also helped convince the U.S. cellular standard committee to undertake a sweeping re-design of their security architecture.

7.  In April 1998, two colleagues and I reported on the weaknesses in the privacy and billing-security protections found in GSM digital cellular phones.  GSM is the European cellular telephony standard, with over two hundred million users worldwide.  Again, this work received widespread coverage in leading newspapers such as the front page of the business section of the New York Times, page A3 of the Wall Street Journal, and other similar locations.

8.  Publication of these types of flaws in supposedly secure systems serves a vital public interest.  As our society becomes increasingly dependent on computers, telecommunications, and other information systems, it is important that our critical shared infrastructure be trustworthy and free of systemic security flaws.  At the same time, as electronic commerce becomes more prevalent, criminals gain an increasing financial incentive to exploit security vulnerabilities in our critical systems.  The vulnerabilities I described above clearly illustrate that the risks are very real: much of our existing infrastructure contains serious security vulnerabilities in its design and implementation, even though this fact may not have been apparent to the public.

9.  History is replete with examples of governments, monarchies, and institutions placing confidence in supposedly secure systems and unbreakable code.  For example, in World War II, through an enormous wartime effort the British and Polish succeeded in breaking a high-level German code called the Enigma and managed to keep this fact secret from the Germans and others for many years.  I have read historians' accounts which suggest that this success may have shortened the war by as much as a year.  The lesson of the Enigma is that we must be prepared for the adversary to expend unexpectedly large resources to break our security systems, and we must be ever-vigilant for the possibility that our most-trusted codes could have been broken without our knowledge.

10.  Cryptography is one of the primary means of securing our critical information infrastructure against attack, and the study of cryptography must, I believe, form an essential foundation for our future information infrastructure.  I believe that it is the scientific community's duty to study these issues and to report on systemic risks that the public at large may not be aware of.  One must understand the risks in order to prevent them from recurring.

11.  Outside security evaluation by independent third-party auditors forms a vital tool for ensuring the security of our critical information infrastructure.  Third-party evaluations are critical because manufacturers do not always have the incentive or talent to undertake thorough examinations themselves.  Researchers in the academic community often serve in this role, since they have no financial interest in the outcome of these evaluations.  Other individuals and institutions participate as well. Think of the collective results of this work as a "Consumer Reports" for high tech mission-critical security systems.

12. Publication and circulation of results is the accepted way to share ideas and advance scientific knowledge about cryptography.  It is widely held that the only way to learn how to build secure systems is to be intimately aware of the techniques a typical attacker might use: to be a good codemaker, one must be an accomplished code breaker. Moreover, it is not enough merely to study the theory of code-breaking: it is crucial to understand how real-world security measures are broken in practice, if we wish to build and deploy real security systems.

13.  The combined knowledge of the cryptography research community is defined by published results, and extending the body of knowledge on how real-world systems get broken in practice is crucial to securing the systems of the future.  Those who do not know history are condemned to repeat it; and publication forms the backbone of the academic community's history books.

14.  As an academic researcher, I -- and many others -- have been closely watching this case to see what impact it may have on the ability to study practical information security and to examine and publish results on real-world systems.  In my opinion, banning research into DVD security systems, and banning the publication of the DVD security weaknesses which are the results of that research, will have a chilling effect on further research and innovation in the design and analysis of real-world security systems.

15.  The research projects I mentioned above have given me extensive experience in reverse engineering and the process of mathematically analyzing proprietary security systems.

16.  Many security systems are distributed to the mass market implemented as a set of instructions for a computer to follow, specified in a low-level language designed to be convenient for a computer to process, but not necessarily especially convenient for humans to understand.  The contents of these instructions to the computer are readily available to anyone who cares to look, but their meaning will not be readily apparent to anyone untrained in the field.

17.  Reverse engineering in the field of computer system security is the art of understanding the meaning of the computer instructions and then presenting them in a simplified form so they may be more easily understood by other humans.  Thus, the reverse engineer may be viewed as a linguist, a translator for an obscure machine-oriented dialect.  In other words, reverse engineering consists of nothing more than studying a product in depth and summarizing its relevant features in a more comprehensible form.

18.  Reverse engineering is often tedious, time-consuming, or simply boring, because computer programs are extremely verbose (by human standards), but it is not in principle difficult.  Reverse engineering of supposedly secure systems can be performed by any trained individual anywhere in the world; this work is not restricted to graduate students and Ph.D. candidates.  Individuals who lack high academic credentials have published some very important results.

19.  Academic researchers do not always have time to undertake this type of reverse engineering effort.  Instead, they rely on others to reverse engineer the product and make its inner working available in a form readily amenable to deeper mathematical analysis.

20.  One of the reasons I have been so successful at analyzing real-world security systems is that I have worked closely with people who are very talented at reverse engineering.

21.  My understanding is that the DVD security design relies in part on distributing software in an "obscured" form - hidden in locations that are not obvious.  This cannot and does not prevent reverse engineering; it can make the reverse engineering task more tedious, but it is widely known that such obfuscation can be overcome by patience, talent, or sufficiently sophisticated reverse engineering tools.  Distributing software implementations of a security system actually makes it easy to reverse engineer their inner workings.

22.  Many manufacturers distribute security systems in this way - in an obscured form -- in the hopes that no one will bother to take the time to reverse engineer their inner workings.  In my opinion, this is a foolish and immature judgment: when one's system is distributed to millions of individuals around the world, it is imprudent to assume that no one will take an interest in the system's operation.  Indeed, it is a widely held view in the computer security field that it is unwise to deploy security mechanisms where reverse engineering the system allows one to evade its security measures.  From a security point of view, attempting to keep the inner workings of your security system secret is ultimately futile and serves little purpose.

23.  When security systems are distributed in a low-level computer language, before a third party can evaluate the security properties of the system one must make the operation of the system available in an understandable form.  Consequently, reverse engineering is a common part of any independent third-party evaluation of the manufacturer's security claims.

24.  One important component of the DVD security architecture is the use of encryption to prevent unauthorized parties from copying or watching DVD movies or other encrypted content.  The encryption algorithm used for these purposes is known as CSS (Content Scrambling System).

25.  Even from the very beginning, it was already widely known in the computer security community that CSS provides (at most) a very low level of security, because it uses 40-bit keys.  40-bit keys are widely recognized as providing only low security and public demonstrations have shown that they can be cracked within hours using the computing power available to students.  40-bit keys can be cracked in a fraction of a second by organizations with more resources, as the challenge at the annual RSA Conference has repeatedly demonstrated.

26.  The public did not initially know the mathematical operation of the CSS; the DVD industry elected to keep its inner workings secret.  Sometime before Oct. 1999, however, some programmers reverse engineered much of the DVD security system and built a program (called DeCSS) that implements the same encryption process used in DVD players.  My observation of the process - I studied the communications back and forth between researchers as the work was unfolding -- was that DeCSS was built, not with the purpose to violate copyright or other intellectual property protections on DVDs, but rather to allow users of Linux and other publicly supported operating systems to play legitimately obtained DVDs, as is already possible with the commercial Microsoft operating systems.  It appears that, because there was no commercial entity creating DVD software for Linux, the programmers did it for themselves.

27.  From the published results, I have absolutely no reason to believe that whoever reverse-engineered the CSS algorithm must necessarily have clicked on any contract or agreement not to reverse engineer, or must have violated some commitment to forego the disclosure of trade secrets.  In fact, the published results suggest that a graduate or other serious student could easily reverse engineer the CSS algorithm using publicly available tools, a software DVD player, and a DVD disk.  The decryption keys are, after all, on the DVD disk by design.  The software implementation of the CSS is, after all, in the DVD player by design.  Moreover, I am aware of tools and techniques which apparently allow interested parties to bypass the standard installation process and gain access to the DVD player software without ever seeing or agreeing to any license agreements that may restrict reverse engineering.  I am also aware of a tool which purports to allow one to continue the standard installation process without agreeing to any license agreement (see, e.g., http://picosoft.freeservers.com/NoLicense.htm).

28.  I became aware that on or about October 7, 1999, source code to the DeCSS program was released to the public via a discussion list on the Internet.  This high-level source code is much easier for humans to understand than the low-level computer instructions found in DVD players.  After the DeCSS source code was made available to the public, and it was demonstrated to be working code, there was no need for anyone else to undertake the tedious task of reverse engineering how DVD players work.  The DeCSS source code made it possible to analyze the security of the DVD security system without undertaking any tedious reverse engineering work.

29.  It came to my attention that on or about October 27, 1999, a cryptographer announced that he had analyzed the DeCSS high-level source code and had discovered serious flaws in the DVD CSS encryption algorithm.  His mathematical analysis described how to break the CSS code in just a fraction of a second.

30.  The announcement of cryptographic flaws in CSS was widely distributed within the academic research community, and to students of cryptography, over the Internet.  The flaws in DVD security were a topic of extensive discussion.

31.  I examined the CSS encryption algorithm soon after its flaws were first revealed to the public.  In my opinion, the CSS was extremely poorly designed.  Moreover, I believe this fact will be apparent to any qualified cryptographer who has examined the cipher in any detail.  In fact, the CSS is easy enough to break that I believe breaking it would make a fine homework exercise for a university level class in cryptography and codebreaking.

32.  In my opinion, these embarrassing discoveries expose what can only be described as sloppy workmanship in the DVD security measures.  Furthermore, I believe that any competent cryptographer with full knowledge of the design of the DVD security system would have expressed serious reservations about the ability of the system to withstand scrutiny.  The entertainment industry apparently has known for some time that there were serious problems in the quality of the DVD security measures. Reports published on the Internet at http://cryptome.org/dvd-bogk.htm indicate that the security flaws in CSS were known inside the DVD industry before they were ever discovered in public. One poster apparently spoke with a member of the DVD industry who revealed that there was a way to break CSS in fractions of a second.  Months later, this fact was re-discovered and confirmed publicly, and given the instant and widespread propagation of the DeCSS code, and the methods of attack, the world now knows that the Emperor has no clothes.

33.  As far as I can tell, the ability to break the CSS revealed in October does not appear to make large-scale piracy significantly easier today.  It was already widely known that it is possible to copy DVD discs onto other discs without authorization, without breaking any special encryption codes.  One may simply copy the data on the disk as it is, in encrypted form, without ever decrypting it.  Decryption forms no barrier to this type of copying: CSS primarily prevents one from building DVD players without permission from the DVD industry, and does not prevent large-scale copying of DVD content. Reports published on the Internet at such locations as http://www.opendvd.org/rickletter.html describe how to copy a DVD disc in three easy steps, without ever breaking CSS.  There is nothing new or surprising or magic here; everyone knew this was possible.

34.  In my opinion, it is fundamentally impossible to secure software DVD players against copying and piracy by dedicated individuals.  Even if the CSS had been designed properly, the unpleasant truth is that it will still be a straightforward cryptanalysis exercise to circumvent the DVD copy prevention measures by technical means.  This will not surprise anyone who has even the slightest experience in security, cryptography, and copy protection systems.

35.  In my opinion, the publication of the flaws in DVD security is a good thing.  It is a good thing for researchers, it is a good thing for future system designers, and it is a good thing for consumers.  The lessons learned here can be put to good use in making future systems more secure (for example, the next time I teach a cryptography class, I intend to discuss the flaws in the DVD security systems as an example of a pitfall to avoid when designing security systems), and the information may help consumers to choose what technology to purchase (for example, since the cost of piracy is likely to be passed on to consumers, some may prefer to avoid technology that allows easy pirating).

I declare under penalty of perjury of the laws of the State of California that the foregoing is true and correct and that this declaration was executed by me this 7th day of January, 2000, at Berkeley, California.

David Wagner

