• Articles
  • Security
  • 2026
  • 06
  • Hollywood poured millions into DVD protection, and a Norwegian high school student who simply wanted to watch movies on Linux broke it.

Hollywood poured millions into DVD protection, and a Norwegian high school student who simply wanted to watch movies on Linux broke it.

So here’s a common, overused narrative: greedy corporations invented the protection, and evil hackers cracked it. It’s flashy, dramatic, and of course completely untrue.

With DVD protection, it was exactly the opposite: it was buried not by hackers, but by the US government itself, and in advance, at the drafting stage. And Hollywood studios knew it and still built their business on it for several years.

By the way, I still have a stack of disks from the 2000s lying around at home. They play just fine through VLC. But back in 1999, the same disks, bought with honest money, wouldn't run on Linux because that's what the suits decided. You put in the disk and get a slap in the face. And if you want to watch yours? Buy Windows or a special device. Very, very customer-oriented.

Let's talk about this wonderful story.

CSS, which isn't cascading styles

When DVDs were first rolled out, studios told manufacturers that protection was a must. They still remembered VHS piracy and were terrified of a format that allows perfect digital copying. That's how CSS - Content Scramble System - was born. The idea sounds okay on paper: the content is encrypted, and only a licensed player with a built-in key can decrypt it. No key, no movie.

Sounds like a plan. Until you remember one detail.

The detail that buried it all in advance

In '96, when CSS was being designed, the US had export regulations on cryptography. Roughly speaking: anything using keys longer than 40 bits couldn't be exported.

And DVDs were meant to be a global format from the start. Matrices are pressed in the States, players are sold worldwide - so the protection had to pass export control. Meaning the key had to be no longer than 40 bits. No exceptions.

But the thing is, 40-bit keys were already considered laughable at that point, and it wasn't a secret to anyone in the industry. For comparison: the much more robust DES algorithm with a 56-bit key was publicly cracked in '97 in less than a day of distributed computing. CSS was fundamentally weaker. So, back in '96, at the design stage, everyone involved knew perfectly well: they're building a castle that will eventually be breached.

Consider the absurdity: Hollywood essentially signed up for protection, the weakness of which was guaranteed by its own government. And then for several years, it believed in it and built a business model on it.

Later, independent researchers showed that in practice, the real resilience of CSS was even lower than the formal threshold - what was supposed to resist somehow, on a home computer from the late 90s, crumbled in a matter of seconds. The math behind this was analyzed in open academic papers back in 1999.

How it eventually surfaced

Then it was almost inevitable. If the protection is weak, sooner or later someone will notice. And you know, they eventually did.

In the summer of '99, it turned out that one of the licensed players under Windows stored its secret key virtually in plain sight - it didn't even take much effort to extract it. And once at least one piece of the system was out, everything else fell apart: by autumn, it became clear that the entire scheme could be broken on the fly.

That's when a group of enthusiasts called MoRE - Masters of Reverse Engineering - stepped onto the scene. And a detail that the press at the time missed: the future "DVD Jon", that Norwegian schoolboy, didn't actually break anything on his own, and he always said so in plain text. The work was collective, with two of the key participants remaining anonymous to this day. His personal contribution was more down-to-earth: he assembled a program with an interface from all this, so that movies could finally be played on Linux with just a couple of clicks. This program was released online in early October '99.

The guy was fifteen. And the nickname stuck with him forever - although honestly, it should have been shared among at least three people.

Search, trials, and code on t-shirts

On January 26, 2000, the Norwegian police - the department for economic and environmental crimes (yes, they handle both, don't ask) - came to Johansen's home. The reason was a complaint from the American DVD-CCA and MPAA. Consider the construction: Americans asked the Norwegian police to pressure a Norwegian teenager for making DVD playable on Linux. Computers were seized, and a case was opened - unauthorized access to closed data, up to two years.

In parallel, the United States was developing its own narrative. Studios sued the 2600 magazine (more precisely, its publisher) for publishing the source code of the program. Because the 1998 DMCA not only criminalized copying protected content but also the distribution of tools for circumventing it. Whether you use them for piracy or not is, in general, of little concern to the law.

The court ordered 2600 to remove the links. They removed the direct ones and posted links to sites where the code was hosted. The court ordered them to remove those as well. And here the internet reacted in the only way it understands: the code proliferated across thousands of mirrors, it was translated into prime numbers, written in Perl haikus, printed on T-shirts, and tattooed. It even got to the point where a small firm selling these T-shirts was seriously included among the defendants in the lawsuit. That is, the industry literally sued a T-shirt seller because the T-shirt had the program's text printed on it. When I first read about this, I thought it was a joke. It wasn't.

Princeton, and the threats to a professor

While the T-shirt circus was going on, a more serious story was smoldering nearby - about academic freedom.

In 2001, Edward Felten, a professor of computer science at Princeton, was set to present at a conference an analysis of another DRM system - protection for digital music called SDMI. The funniest part: SDMI itself announced a public contest "break our system" and promised a reward. Felten's team succeeded. They wrote a paper. And received a letter from the RIAA: if you publish it, we'll meet in court under the DMCA.

At first, he withdrew the paper. Then he published it anyway - after EFF stood up for him. But the осадок (residue?) is telling: in 2001, the US music industry threatened a Princeton professor with criminal charges for a scientific paper on cryptography.

How it ended for Johansen

January 2003: the court of first instance acquits Johansen on all counts. The logic of the verdict is simple and, in my opinion, absolutely sane - there is no evidence that anyone used the program illegally, and you have every right to watch a purchased disc on your own computer. Whether on Linux or anything else.

The prosecutor's office, of course, filed an appeal. December 2003: the appeal confirmed the acquittal. By that time, Johansen was already twenty years old. Three years of criminal prosecution.

The MPAA never got the conviction it was waiting for. Instead, Norwegian law established a precedent with exactly the opposite meaning: the ability to watch legally purchased content on your own hardware is not a crime.

VLC and the quiet finale

VLC appeared in 2001 — originally, it was just a student project from École Centrale Paris. It soon learned to play DVDs and became the standard media player for Linux and macOS. The relevant libraries are still part of the media player ecosystem to this day, and are built into regular software on tens of millions of machines. The legal status of all this in the US remains disputed — the DMCA hasn't gone anywhere, after all — but in practice it barely mattered anymore. Playback simply stopped being a problem, quietly and mundanely.

And that was an unpleasant thought for the industry. Every subsequent format followed the same path. HD DVD, Blu-ray with AACS — all of them eventually fell, and AACS uses truly robust modern cryptography that you can't just brute-force. It didn't help regardless. Because there is a fundamental issue called the end node problem: in order to show you a movie, the content has to be decrypted at some point — which means it ends up inside a device that you ultimately control, not the studio.

That's how DRM works—or doesn't

I generally understand the industry's argument and don't think it's completely stupid. DRM keeps the masses in check. 99% of people won't go down any rabbit holes, they'll just buy the disc and that's that.

But pirated versions still appeared by release time, sometimes even earlier. Meanwhile, DRM reliably made life miserable for legal users: it wouldn't let them watch content on their own devices, locked them into ecosystems, exposed researchers and entire publications to lawsuits. A person who bought a DVD couldn't watch it on Linux, while a person who downloaded a pirated copy could. The protection worked exactly against the people who paid. Genius, huh?

And that is the entire story of CSS, a parable. Protection was doomed from the outset by its own export legislation. And when the futility of it all became obvious to everyone, the industry did not turn to cryptography, but to courts: against users, scientists, and journals. Against a t-shirt seller, in the end.

Johansen is over forty now. The case was closed more than twenty years ago. And the discs from my shelf still play perfectly fine on PCs that have a disc drive, but now this is done not by some hacker tool, but by the standard player built into every other Mac. And this is what I like most about the whole story: millions of dollars and years of lobbying ultimately lost to the simple fact that you cannot show a person a movie and at the same time prevent them from accessing that movie.

Comments

    Also read