(Replying to PARENT post)
"Video content is protected with our BrainTrust™ DRM, and is unplayable except by a legitimate owner. All aspects of the platform feature a near-ridiculous level of security."
Near-ridiculous security seems about right.
(Replying to PARENT post)
Given the evidence (complex integration with a non-standard set of open source libs, complex industry area in general), I'd say it's almost certainly an insult to imagine the developer could not have made your life harder if he'd chosen to.
Please, if anything commend the dear fellow, and shame on whoever considered a momentary glimpse of Google Plus limelight worth making this guy's Tuesday morning and ongoing professional reputation much harder earned than it otherwise might have been.
"No good deed goes unpunished"
(Replying to PARENT post)
This is why I'll never be rich: I am utterly unable to sell crappy non-solutions to people with more money than knowledge.
(Replying to PARENT post)
I'm not saying this is right, necessarily, but I think companies know full well that their DRM scheme will be broken, so it's not really worth investing in an "uncrackable" and costly solution. Instead, the role that DRM plays is purely legal -- when the company does decide to go after someone for piracy, the DRM scheme, no matter how simple, provides them with the ability to say that the accused person "broke a lock," rather than simply walking in through an unlocked door. "Entering" vs. "breaking and entering." It's nothing but legal leverage, and effective at that role even if it's not a very strong lock.
Of course, to have this argument hold, a company would never be able to admit that they purposefully implemented weak security -- this would be akin to admitting that their door was unlocked after all, and would weaken their legal argument. Therefore, there remains a niche in the market for solutions that look secure even if they fundamentally aren't. It's all about lip service.
(Replying to PARENT post)
Ahh..the good old days of SoftICE and w32disassm.
Oh man, the worst was the md5 of some salt + whatever you put in.
If you ever want to see some gems of misuse of cryptography for DRM management, let me know - email's in my profile.
Some examples: Using RSA 1024 bit keys, with exponent of 3...
(Replying to PARENT post)
Of course this is only marginally better and should really have been caught, but there's a huge difference between saying that XORing 12 bytes with RANDOM_STRING is kick-ass DRM and actually having a kick-ass DRM infrastructure that then doesn't work right because of a bug.
If this was any really random looking string, I would be more inclined to assume that this was intentional. By the string being this token, I would guess it's a bug somewhere.
Remember. If RANDOM_STRING was truly random, unique per file and account and only transmitted from the server before playing, then this would be as good an encryption as any.
(Replying to PARENT post)
Of course, if a copy protection system was "effective" it wouldn't need a law prohibiting its circumvention. Conversely, if a copy protection system is circumventable, it's not effective.
(Replying to PARENT post)
[1] Assuming a general computation device, not a dedicated hardware player.
(Replying to PARENT post)
The problem is marketing folks getting carried away when describing these "technology solutions" to the content owner, because that's what they (as well as VCs) want to hear.
Disclaimer: cofounded a video CDN+DRM provider more than a decade ago, developed many content protection methods over the years.
(Replying to PARENT post)
Either way.. wow... XOR encryption with just such a short repeating string! I bet it wouldn't be too hard to decrypt it even without the original file, since the file signature alone would probably be longer than the string. DISCLAIMER: I'm just speculating, I don't know the .mov specs.
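Added example, not part of any comment in this thread: a Python sketch of the two keying choices discussed above, a short repeating XOR key versus a random key unique to the file, and what a predictable file header gives away in each case. It assumes a constructed 32-byte header (not the real .mov layout) and a random key as long as the file; `xor_stream`, `repeating_key` and `compare_schemes` are hypothetical names.

```python
import secrets
from typing import Optional

KEY = b"RANDOM_STRING"  # the key string quoted in the thread
# Constructed sample file: a fixed 32-byte header plus a body (not a real .mov layout).
HEADER = b"CONSTRUCTED-CONTAINER-HEADER-v1\x00"
BODY = b"constructed frame data / " * 8


def xor_stream(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key when it is shorter than the data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def repeating_key(ciphertext: bytes, known_prefix: bytes) -> Optional[bytes]:
    """Return the key if the keystream under a known prefix visibly repeats.

    ciphertext XOR plaintext = keystream, so a predictable header exposes the
    first len(known_prefix) keystream bytes. A period is accepted only when the
    prefix covers two full repetitions, which rules out chance matches.
    """
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_prefix))
    for period in range(1, len(stream) // 2 + 1):
        if all(stream[i] == stream[i - period] for i in range(period, len(stream))):
            return stream[:period]
    return None


def compare_schemes():
    """Encrypt the same file both ways and report what the header gives away."""
    plaintext = HEADER + BODY
    weak = xor_stream(plaintext, KEY)
    leaked = repeating_key(weak, HEADER)
    weak_fully_exposed = leaked is not None and xor_stream(weak, leaked) == plaintext

    pad = secrets.token_bytes(len(plaintext))  # assumption: fresh key as long as the file
    strong = xor_stream(plaintext, pad)
    pad_leak = repeating_key(strong, HEADER)   # None: the keystream never repeats
    return leaked, weak_fully_exposed, pad_leak


if __name__ == "__main__":
    print(compare_schemes())
```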
(Replying to PARENT post)
First rule of weak DRM, you do not talk when you find weak DRM.
Second rule of weak DRM, you DO NOT talk when you find weak DRM.
Third rule of weak DRM, upload to pastebin, then walk away.
(Replying to PARENT post)
Well... They weren't lying...
(Replying to PARENT post)
Now that I read the article twice, I literally got a panic attack when I realized that it wasn't a random string that they were xor'ing their data with, but a string called "RANDOM_STRING". Although it sounds bad, one must realize that this is not security by obscurity since the key has been leaked, and nobody guarantees encryption against a leaked key.
(Replying to PARENT post)
It might be a good idea to remove their names, to protect their reputation. ;-)
(Replying to PARENT post)
Isn't VLC licensed under the GPL? Or at least was until very recently? http://www.jbkempf.com/blog/post/2012/How-to-properly-relice...
Is/was Leaping Brain violating the license?
EDIT: the wrapper script is apparently released under the GPL too: http://news.ycombinator.com/item?id=4834834
(Replying to PARENT post)
Fort Knox-level security.
Video content is protected with our BrainTrust™ DRM, and is unplayable except by a legitimate owner. All aspects of the platform feature a near-ridiculous level of security.
(Replying to PARENT post)
As far as I recall the Adobe PDF encryption was also just some XOR with a simple passphrase. Got him into serious trouble.
And WTH is 'virtually uncrackable'?