​
Those statements are not necessarily contradictory. DCI generates a media block certificate on request, which can only be written to the volatile memory within the FIPS enclosure of a media block using approved and heavily policed equipment that has to stay within the locked room, can only be operated by security cleared, named personnel, and is regularly audited up the wazoo.

I have to admit I don't know enough about it to say where the certificates are generated. I guess you could look at the certificate chain and see where the root certificate is. But, I don't know enough about all that. I use Let's Encrypt to generate certificates for my web sites. I just run a script and get certificates with ownership verified through DNS lookup.

Those certificates operate with a chain of trust. Certificates on a certain level are handled by so called "Certificate Authorities". On the very top, you have the so called root certificates and usually one or just a handful of Certificate Authorities who can issue and sign certificates on that level.

Certificate Authorities can appoint other certificate authorities at a lower level, so they can issue their own certificates at that level of trust. There are quite a few standards out there, but those security requirements, at least on paper, are pretty strict and usually involve a lot of external audits. The required certifications (those lovely things starting with FIPS, ISO/IEC, etc. and ending with some numbers) depend on what chain of trust you're part of. Stuff like Let's Encrypt issues public SSL certificates for websites and other web properties. DCI has their own chain of trust and while some requirements will have overlap, there are branch-specific requirements here that need to be met.

As for the hardware side of things: You'll usually be needing special hardware in order to issue certificates that are part of the chain of trust. You're not supposed to have your private key somewhere clear-text in unprotected memory. That's why most Certificate Authorities have one or more machines in a secure datacenter equipped with special HSMs, Hardware Security Modules. Those devices are able to issue/sign certificates within the secure context of the module itself, without ever needing to load the key into the memory of the machine itself.

From my understanding, sticking my head into certificate issues for DCI, the vendors create their own Root certificate. I would imagine the vendor then gets audited. The studios chooses to accept that root cert public key into their KDM management system which is then used to test any projector-public-cert being used comes from a trusted vendor.
That's my understanding of how it works.

Its similar with Web Browers. When you download a web browser, it comes with a number of trusted CA's installed. Each browser maker can choose to trust certs from different CA's or not based on what CA's they load into the browser software downloaded. I imagine it is similar in DCI.

If I remember correctly, the original plan was for the technical committee of the ASC to manage THE DCI root certificate for manufacturers and that they would then hand-out master certificate licenses to vendors, who would, in turn, operate their own CA under that trust level. This also would've made somewhat sense and it would also allow for some form of central control.

In practice, many vendors already had their equipment lined up, even before it was DCI certified, and due to the absence of this part of the certificate infrastructure, started to issue their own certificates under their own CA and as such, it remained. Now, it's up to the studios and distribution companies to issue KDMs to "vendor-rooted" certificates they deem trustworthy.

Of course it is all a desperate attempt to hang onto a 100+ year-old business model in the face of advancing technology ultimately making that task impossible. The effort is galiant. But, at this point it negatively impacts the honest industry that tries to make a living while not really curtailing the piracy.

The last thing that anything is bolstering these days is 'trust'. If you argue that civilization is built on trust, well, there you go. Just explains a lot to me. There is probably much more money invested to create and maintain the (questionably successful) secure environment than is lost through piracy. Meanwhile it costs the presentation industry, ultimately increases ticket prices (or closes doors) and further builds the market for the pirates.

Meanwhile actors perform to smaller and smaller audiences as their works are sequestered behind subscription fees and made available to only a subset of the world. As the number of streaming services expand the revenue involved gets spread thinner. We already know how streaming is impacting the cinemas. It isn't a panacea either. And... the solution isn't yet another streaming service!

The audio industry has had to adapt.

Sorry. I am going on with my opinions. Um... trying to ignore my own problems and... none of you are part of my problem set. Happy customers are everything, well, still second to a happy wife. Oops, or significant other.

So big corporations with investors are forced to make decisions focussed on the bottom line and distributable profits. Customers are nothing more than a (complex) variable in the revenue equation. I wonder what a good AI would eventually make of it? Most of those larger entities are safe havens for narcissists. Em... too far... time for another cup of coffee.

^^ What Bruce said.

I agree fully. The security NON issue, the streaming window, the lack of quality content, blah, blah, blah. And the worst offenders (and the ONLY constant in the entire equation) is THE STUDIOS.

All this reminds me of the old maxim (with a twist):

Patient (i.e. The Studios) : "Doc, it hurts when I force my arm around my back." (No doubt to pat themselves for being SO smart and clever.)
Doctor (i.e. Anyone with an actual brain) "Then stop forcing you arm around your back."

They will never learn, and we will always suffer for it.

I wonder what the source of most pirated content is. We seem to hear little about that. Instead, we hear of some major distribution site being shut down. So, how much pirated content IS traced back to theaters? When I was at USL, I remember getting one call from a distributor or studio or their representative wanting to know where a specific serail number media block had been sold to. Apparently the forensic marking allowed them to find the source which they were then chasing down. I imagine studios have a pirate-chaser department or cooperate to fund a pirate-chase (like Bounty Law in Once Upon a Time in Hollywood). So, where is the content being pirated from?

It was widely suspected for a long time that a major source was "screeners" - DVD or BD copies of movies that had not yet been officially released in the consumer market, which are mailed unsolicited to members of the professional guilds (AMPAS, WGA, DGA, etc.), to try to influence their voting choices. You will likely see piles of them lying around in the booths of Bel-Air Circuit residence theaters. However, I'd be a bit surprised if this is still the case, because the theatrical exclusive release window is now so short for most movies. By the time the pirate gangs have paid off one of the less rich and famous guild members for their screeners, ripped them, duplicated them, and distributed them, the content would likely be available legitimately. I'm also a bit surprised that the studios haven't tried to introduce some kind of streaming receiver device specifically for screeners, distributed to the guilds' membership, which only allow the viewing of specific content in the run-up to awards season - a kind of BettyBox for screeners. Presumably they feel that it's not worth the investment, even though there is likely an off-the-shelf solution that would be easily adaptable.

TorrentFreak keeps a weekly list of the ten most pirated movies of the week. They only account for torrented movies, for which I guess you can keep pretty accurate statistics if you monitor all the popular trackers out there. Let's assume that the pirated movies via torrents represent the entire "market", then the top 10 of the week ending on May the 22th looks like this: ​
Looking at the movies in the list, most of them seem to be captured from HD streaming sources. Sizu, the number two on the list and a newcomer in this week's list, for example, has been released on Amazon Prime on May the 16th. As soon as something gets released on one of the major streaming platforms, it usually only takes a few hours before the first bootlegged versions start to turn up... Some of the "older" movies on the list are also already out on Blu-Ray and are probably also available in that format from several pirate sources. It's pretty sure that none of those found their source inside a theater.

The sad state of affairs is that the Pirate often gets the best benefits: Content available in all forms he/she pleases. No unskippable trailers or other nonsense. Access to almost all content, without the barrier of switching between 10 different streaming services and his/her content doesn't spontaneously vanish once your "favorite" streaming service decided to ditch the license to said content...

Since a separate stream is sent to each player (probably through a content distribution network), I wonder if it would be possible to forensically mark each stream so it would be possible to tie the pirated version back to a particular subscriber.

The dCine system we use to sell used a proprietary system to make sure HDMI connections to domestic projectors could not be pirated. I heard of small teams in a certain country trying everything to break it (They never did). The point is, even with periodic upgrades to HDCP, it's pretty easy for the large entities who profit from this to bypass it.
Its also why DCI and its over-the-top security, do have their reasons. Still, it's a shame they are shortening the window so much, it nearly negates the reasons. A more cost-effective path that we developed for dCine technology would have been enough considering the short windows of today. It's a case of the left hand not knowing what the right hand is doing.

It's why I have the saying, if you read my newsletters for SCO, (Small Cinema Owners Australia), you would commonly hear me refer to this as "Streaming anywhere, Piracy Everywhere." I too monitor the pirate network, Torrent Freak being a common place. If I know, for example, a Film like Renfield, opening tomorrow in my region, has already been available on pirate networks for a month. I expect a 20-30% drop in potential BO is already baked in, and modify my schedule accordingly. The distributors get short with me sometimes when I pull back, and they ask why. I just say it's in the top 10 on Torrent Freak, and demand will be severely shorter. They should have been more careful with its streaming release strategy.

Harold, it's not possible to bake in a forensic marker for every stream viewers watch. They try to apply it in real-time in the domestic box but typically when these systems are pirated, they attack before that occurs, and it's a native, unmarked bitstream. To encode a watermark into the stream before it was sent, would require real-time encoders for every stream being sent, over just a lot of I/O sending the raw data. That's simply not reasonable. (Or would be so expensive it's not possible)

Leo, I did mention the use of our proprietary tech to the studio's techs heads. It could easily be used to make it easy to send a stream to a device and know it was not strippable, and that even if recorded of screen, watermarking could not be stripped either. But they showed no interest. I was considering adapting it to a Android playback boxes. The tech was very low-level and based on windows Xp low level drivers. You need to talk very low level to the drivers to make work. But as no one showed interest, we never went in that direction.

Back in 2003 or so, I had to implement "DRM" on a MIPS based STB platform in MIPS assembly. While our set-top-boxes were capable of doing MPEG-2 with hardware support, any hardware decryption certainly wasn't part of their capabilities. The big shot execs insisted on an UNBREAKABLE system. I assured them no such thing existed and no such thing will ever exist. I also tried to convince them that all money spent on this DRM was an exercise in futility, as all the content we were going to stream was already out there, their main delivery system had been broken years ago...

I showed them stuff like KaZaa, LimeWire and whatever was out there back in 2003. They were utterly shocked by my presentation... How I dared to show them all of that pirated stuff and how it worked? That it was just two clicks away for every normal consumer and that *everybody* back then was doing it, also due to lack of *any* legal alternatives, they didn't want to hear. They were oblivious to their own problems and there HAD to be DRM on it, or otherwise no content. And it needed to be UNBREAKABLE. Reality didn't matter.

Eventually, the conclusion was that the puny RISC CPU inside our STBs was never going to be able to sustain any continuous decryption at minimum requirements as formulated by the content police, so a big telephone company with even bigger streaming ambitions ended up trashing more than 30K STBs they had already stocked up for the first pilot runs...

Everything you'll be doing client-side will be defeated sooner than later. I'm also pretty sure that DCI security of certain mediablocks will fail, now that quite a few of them have entered the second hand market and pirates and hackers around the globe will be able to get their hands on some. Maybe that already happened, hence the recent Paramount decision to invalidate the GDC SA-2100?

Like James pointed out, inserting the watermarking at server-level would mean re-encoding all those streams real-time. Those streaming platforms are already spending billions on infrastructure, so them now spending billions extra on GPU power to do the real-time re-encoding simply isn't going to happen.

Yep.

And so... nothing to be done about any of it.

There is a lot of the Don't Look Up paradigm in this and in practically everything else. I am afraid that we are reaching the point that this particular effect as it applies to completely separate phenomenon has reached magnitudes that there is nothing but overlap on the overall Venn diagram. Right? It is feeding into a sort of positive feedback loop and every year now things get worse, frustrations grow larger and, well, does something eventually implode or the other?

I can't go through a day. I got and email today with some (legitimate) invoices from a supplier. It was not a very well-formatted email and at the top it states that I "elected" to receive invoices by email. So I pointed out that I did not elect this. I find out that there is no choice and they would not use regular mail for billing. Then why make it sound like I volunteered? I tore into them. Um, by now you guys can imagine.

Anyway, us Baby Boomers have it good since, well, as mentioned by Al Franken (The Daily Show S28 E67-E70 somewhere in there) we're going to escape all of this by essentially "getting the last chopper out of Saigon".

Not trying to find an excuse for Dolby, but - the IMS2000 and the ShowVault were not genuine Dolby products, but remaining active products from the Doremi takeover. Dolby probably never wanted, or wasn't able to, support them as long as their own product lines. They certainly laid-off some Doremi staff as well.
Yes, the CAT745/DSS220 pullout came a bit 'unexpected' as well, I admit.

I talk to a lot of smaller, undercapitalised exhibitors, and I always suggest: 'Keep your rack servers and series-2 projectors as long as possible'. They are modular, use off-the-shelf parts to a large extent, or at least, there will be a huge second hand market. You can now get a Doremi classic server for under 500 US$ (if not for free), with the cert extension, and some low cost replacements, they may easily run for another 10 years. The industry did not manage to force HFR or HDR on us, so, a 24fps HD-SDI system can likely play general DCI content for many years to come.
Well, until DCI, or a studio pulls the plug ...