It is now public knowledge. Doom9 hackers have reverse engineered the virtual machine at the core of BD+ protection (See issue #7 of security newsletter about more information on SPDC). The work is a master piece of reverse engineering (although the VM is rather simple and very near old 8-bit assembly language). Reading the thread of Doom9 is extremely instructive. You see how they operate and confirm our law #1.
One of the interesting lesson is the use of CRI’s patent to help understanding how it works. We always face the dilemna between securing Intellectual Property Rights through a patent or keeping trade secrets.
Can we claim that BD+ is broken? The answer is no. It would be similar to state that Java cards are broken because you have the java virtual machine. Paul Kocher’s team was wise enough no to base the trust model on the secrecy of the VM. I had discussion with him on that topic. The fight will now be at the level of the BD+ application. They will have to distinguish between good guys and bad guys. This will be the new arm race. The objective of BD+ designers will be to force to require a new pirate application for each title.
The speed of “erosion” of the different protections is impressive. We will follow the story.