
DirecTV's Secret War On Hackers 619

Posted by michael
from the not-as-think-as-you-dumb-we-were dept.
Belch writes "4 or more years ago DirecTV launched its service. DirecTV was one of the very first large distributors of smart card technology in their product. So much so, that Hughes corp. (the primary owner of DirecTV) decided to create their own smart cards. Each receiver has a smart card located inside that is keyed to the subscriber, and actively participates in the decryption of the digital satellite video stream. However, considering Hughes decided on this technology when it was virtually in its infancy, they made several mistakes. The hacker community caught onto these mistakes, and there has been a war between DirecTV and the hacking community ever since. For the past two or more years, it was apparent the hacking community would win this war, completely opening the DirecTV signal. However, over the last 6 months, DirecTV has fought back with a vengeance, displaying the most extensive technical campaign against the hacking of their product..." Click through for the rest of the story.

"Allow me to give you some background.

"One of the original smart cards, entitled 'H' cards for Hughes, had design flaws which were discovered by the hacking community. These flaws enabled the extremely bright hacking community to reverse engineer their design, and to create smart card writers. The writers enabled the hackers to read and write to the smart card, and allowed them to change their subscription model to receive all the channels. Since the technology of satellite television is broadcast only, meaning you cannot send information TO the satellite, the system requires a phone line to communicate with DirecTV. The hackers could re-write their smart cards and receive all the channels, and unplug their phone lines leaving no way for DirecTV to track the abuse. DirecTV had built a mechanism into their system that allowed the updating of these smart cards through the satellite stream. Every receiver was designed to 'apply' these updates when it received them to the cards. DirecTV applied updates that looked for hacked cards, and then attempted to destroy the cards by writing updates that disabled them. The hacking community replied with yet another piece of hardware, an 'unlooper,' that repaired the damage. The hacker community then designed software that trojanized the card, and removed the capability of the receivers to update the card. DirecTV could only send updates to the cards, and then require the updates be present in order to receive video. Each month or so, DirecTV would send an update. 10 or 15 minutes later, the hacking community would update the software to work around the latest fixes. This was the status quo for almost two years. 'H' cards regularly sold on eBay for over $400.00. It was apparent that DirecTV had lost this battle, relegating DirecTV to hunting down Web sites that discussed their product and using their legal team to sue and intimidate them into submission.

"Four months ago, however, DirecTV began sending several updates at a time, breaking their pattern. While the hacking community was able to bypass these batches, they did not understand the reasoning behind them. Never before had DirecTV sent 4 and 5 updates at a time, let alone send these batches every week. Many postulated they were simply trying to annoy the community into submission. The updates contained useless pieces of computer code that were then required to be present on the card in order to receive the transmission. The hacking community accommodated this in their software, applying these updates in their hacking software. Not until the final batch of updates were sent through the stream did the hacking community understand DirecTV. Like a final piece of a puzzle allowing the entire picture, the final updates made all the useless bits of computer code join into a dynamic program, existing on the card itself. This dynamic program changed the entire way the older technology worked. In a masterful, planned, and orchestrated manner, DirecTV had updated the old and ailing technology. The hacking community responded, but cautiously, understanding that this new ability for DirecTV to apply more advanced logic in the receiver was a dangerous new weapon. It was still possible to bypass the protections and receive the programming, but DirecTV had not pulled the trigger of this new weapon.

"Last Sunday night, at 8:30 pm est, DirecTV fired their new gun. One week before the Super Bowl, DirecTV launched a series of attacks against the hackers of their product. DirecTV sent programmatic code in the stream, using their new dynamic code ally, that hunted down hacked smart cards and destroyed them. The IRC DirecTV channels overflowed with thousands of people who had lost the ability to watch their stolen TV. The hacking community by and large lost not only their ability to watch TV, but the cards themselves were likely permanently destroyed. Some estimate that in one evening, 100,000 smart cards were destroyed, removing 98% of the hacking communities' ability to steal their signal. To add a little pizzazz to the operation, DirecTV personally "signed" the anti-hacker attack. The first 8 computer bytes of all hacked cards were rewritten to read "GAME OVER".

"For more information, visit http://www.hackhu.com."

  • by Anonymous Coward
    Don't try that repair. It won't work, and it will destroy your card.

    see this [hackhu.com]

  • by Anonymous Coward
    The other funny thing is the hackers have referred to Hughes/DirecTV as "Dave" for years on IRC/webboards.

    Unfortunately the smart cards weren't quite "Hal", otherwise we would have heard

    I'm sorry Dave, I can't do that

    last Sunday night.

  • by Anonymous Coward
    You make a number of good points, but they don't apply here. Sure, you have a right to receive and decrypt any of the electromagnetic radiation coming your way. But they also have the right to change the encryption system. They did that and in a very cool way. They didn't run off to Washington and beg for nasty, fascist laws like the DMCA.
  • by Anonymous Coward
    Lastly, DirecTV also hit many, many paying subscribers running legit cards with their attack on Sunday. You can be certain that this attack cost them quite a few dollars in terms of cards needing to be replaced as well as the loss of subscribers that they have managed to piss off once again.

    This is not necessarily true. I sell RCA DSS systems, and about 6-8 months ago, DirecTV started saying that all users had to upgrade to new access cards (i.e. smart cards), that they were going to send out replacements for the old ones (namely the very very old ones, etc). I have not had one complaint yet from anyone that did this upgrade, however, I have had many complaints from users that had old access cards, or 'hacked' cards. This was planned by DirecTV, they just used this ECM as a forced-upgrade option to those legit users who had not already upgraded.
  • by Anonymous Coward
    There is so much disinformation in the article I just read I can't believe it. Where did you guys get your info? Allow me to put on my shit kickers and point out several flaws with your article.

    1. "So much so, that Hughes corp. (the primary owner of DirecTV) decided to create their own smart cards" (They do not create anything; NDS is the creator of the card, they were contracted to produce and maintain the security and encryption systems. But you would have known that had you bothered to look on the back of the damn card.)

    2. "One of the original smart cards, entitled 'H' cards for Hughes" (The F card was around long before the H card came out. There was a limited number of G cards then came the H it was named H because it was the next progression in the naming cycle. Not some great naming conspiracy.)

    3. "The hacker community then designed software that trojanized the card, and removed the capability of the receivers to update the card" ("Trojanized" you make it sound as if condom man invented it, the correct term for what you describe (write protecting the card) is "stealthed")

    4. "Each month or so, DirecTV would send an update. 10 or 15 minutes later, the hacking community would update the software to work around the latest fixes." (Some 3ms were up for years without being touched)

    5. "DirecTV sent 4 and 5 updates at a time"
    (Actually there were up to 9 at 1 time)

    6. "Many postulated they were simply trying to annoy the community into submission" (Dynamic code updates were recognized long before they were fully active (C2 and D9 nano). Everyone knew it was coming.)

    7. "Some estimate that in one evening, 100,000 smart cards were destroyed" (It was a hell of a lot more than that if you include all the VALID subscribing customers that were affected by their botched attempt. You fail to mention that there were almost as many valid subs taken down as well.)

    8. "removing 98% of the hacking communities' ability to steal their signal" (I'm still up and running, emulation is unaffected (Thanks PGM))

    9. "To add a little pizzazz to the operation, DirecTV personally "signed" the anti-hacker attack. The first 8 computer bytes of all hacked cards were rewritten to read "GAME OVER"" (WRONG, don't know who was feeding you that line of crap (oh, yeah the same moron that told you the "H" was for Hughes) the actual code is below)

    So get your facts straight, I would've expected better from you guys.
  • by Anonymous Coward
    Magician is one of the best in H card modifications. This is what he had to say about what was written to the write-once area starting at address 8000. "Reset the stack to 16h and RET, to resume execution at 0400h to load "00 04 00 09" into EEPROM write register which RETs to 01AFh to enable EEPROM write mode which RETs to 0399h to write 00 04 00 09 to 8000-8003h." Since 00 04 00 09 is not even close to 47 41 4D 45 4F 56 45 52 (the hex version for "GAMEOVER"), and since it was 4 bytes, not 8 bytes, and since the article didn't even discuss emulators, I'm beginning to think it's purposely slanted. For those who give credit to DTV ECM people, they had help from Eddie of Northsat as part of the deal for being busted (in Canada). He has made good progress hacking the HU card.
  • by Anonymous Coward on Thursday January 25, 2001 @05:27AM (#481913)

    but stealing tv is wrong

    I am so sick of this attitude! It is not "stealing TV". When you steal something, the person that you stole it from no longer possesses it. An example of stealing TV would be smashing a shop window, grabbing a television set under your arm, and running. This is by no means the same thing.

    DirecTV are broadcasting their signal over satellite. Whether you pay for their service or not, it gets beamed into your property. If you have a dish, you will pick up the signal. If you happen to have the means of decoding this signal, you can watch their TV shows. How is this stealing? This is no more stealing than watching the Superbowl at a friend's place because he has DirecTV and you don't. Are you "stealing TV is wrong" advocates suggesting that DirecTV should send agents round to their subscribers' houses to issue them with an extra pay-per-view bill for any of their friends who happen to be parked on the couch with a bag of doritos watching the game?

    No, this is an outrageous abuse. If DirecTV don't have a business model which can earn them a profit as they beam their signal into EVERYONE'S airspace, then they shouldn't be in business, end of story. Or, as they would say, "game over".

  • by Anonymous Coward on Thursday January 25, 2001 @05:57AM (#481914)
    I'm noticing a distinct pro-Hughes sentiment here. Personally, I see nothing wrong in receiving signals from the air and decrypting them.

    Please consider this for a moment: Hughes is bombarding us with their electromagnetic emissions... why shouldn't we be allowed to receive and decrypt them?

    I really don't see how this is much different than DeCSS, which seems to enjoy the support of the Slashdot community.

    So... stealing motion picture studios' work is OK, but it's wrong to intercept and decrypt electromagnetic signals broadcast through the air? Signals that are being absorbed by our bodies, with still unknown effects.

    I'll buy the idea that people shouldn't 'steal' DirecTV's signal when DirecTV allows me a way to opt out of being hit with their satellite beams. (Please don't suggest that I wear a tinfoil hat. ;)

    LASTLY, I haven't seen any mention of how these counter measures have affected paying customers. I know several legit DirecTV subscribers who had their cards stop working after Black Sunday. How does anyone feel about that?

    Is it OK for DirecTV to inconvenience paying customers in the course of their battle with the hackers? How many 'civilian casualties' will be tolerated? And is DirecTV going to be giving these people refunds? Probably... if they spend an hour or two on the phone. The customer's time isn't important anyways, right? As long as they're paying their bill...

  • by Anonymous Coward on Thursday January 25, 2001 @05:55AM (#481915)
    Most of the comments seem to be along the lines of "kudos to Hughes/DTV for beating the hackers at their own game and not resorting to lawyers"

    Well, That may not be how it actually went down.

    In October the guy who ran Northsat in Canada got raided. There was a consent decree, and as part of his plea bargain he agreed to act as a consultant to DirecTV.

    Although DTV had already been busy implementing the dynamic code, many old timers claim that they see dean's hand in the 4 (that's right 4, not one) ECM's that came down starting last Sunday.

    So it would seem that the legal system allowed DTV to force a hacker to destroy part of his own creation. Not a clear cut case of DTV defeating pirates with their own engineers. Guess he shouldn't have had a bunch of drugs and cash in his house when they raided him hehe.

    http://www.legal-rights.org/northsat.html
    http://www.legal-rights.org/newspapers/northsat.html
  • by Anonymous Coward on Thursday January 25, 2001 @06:47AM (#481916)

    In fact since most of us DON'T get DirecTV and are STILL constantly bathed in its RF emissions Hughes is in the wrong, if anyone is. Mind you, I don't have a problem with them sending the bits to their own subscribers. The fact that they chose a CHEAPER method of distribution to increase their own profits opens them up to this.

    Anything being broadcast non-interactively (not two-way like say, a cordless phone), whether tv, radio, or otherwise, is like air as far as I'm concerned. i.e. Not any company's but the people's.

    If the company doesn't like that, make their own customers use over priced less effective measures, like cable, spread spectrum, or other methods.

    If the cost of that makes it unprofitable, so be it. The Constitution (Sorry, US centric) gives the right to the PURSUIT of happiness, not the right to it. There is a difference. Similarly, Hughes can try to make money by giving a service worth paying for. They're not entitled to just because they spent a lot of money.

    Think about it. If I fire radiation at your home 24/7 without you asking for it (paying subscribing whatever, and that IS what radio/broadcast energy is) you should have the ability to do whatever you want with it.

    They are NOT STEALING. Stealing implies taking something away from someone else. As in they no longer have an object they previously did. These people went out and bought their own satellites, smartcards and gizmos. They can do anything they want with them.

    Xerox did not have to pay all the scribes who were put out of work by copiers, nor did the guy who came up with carbon paper. Just because you used to be able to make money doing something once does not mean you are entitled to keep making money off it forever.

  • It's a great game they're playing, and I respect the way they're playing it. All the slashdroids whine that companies should use technical means to secure information instead of legal means. DirecTV did just that, and they caught most of the people.

    As for my perspective, I have a DirecTV platinum subscription, or whatever the hell they call it, yet I hack my service. Why? Because it's fun.

    They got one of my cards, and didn't get four others. This wasn't the final 'game over' for everybody, just for the script kiddies of the card hacking world.

    As for the legality of it all... who cares? This shit is fun!

    --
    "Don't trolls get tired?"
  • I'm not from the US, so I don't know how the set top boxes are sold in the States, so ignore me if I have things wrong...

    Where do these people get the STBs to watch DirecTV from? Generally cable/satellite/etc operators will sell their STBs as a loss leader, aiming to get their money back from subscription charges over a lengthy period of time.

    Assuming this is how DirecTV is sold in the states, that sounds pretty close to theft to me...

    ...j
  • by Chris Johnson (580) on Thursday January 25, 2001 @05:39AM (#481920) Homepage Journal
    So, the big nasty corporation solves its problem with hacks of fiendish ingenuity whereupon the 'hackers' bury them in lawyers? *g*

    Riiiiiiight....

  • So by this logic, if you are using a cell phone and I eavesdrop on your conversation I'm not invading your privacy? Your phone is broadcasting out and assuming you're close enough it's on my property. I'm not paying for cell phone access, so I can listen to your conversation cause it's on my property, right?

    Stealing and Invading Privacy are two different things.

    You should also note that until just a few years ago, it was indeed perfectly legal to listen to any radio transmission you could receive, as long as you didn't divulge the contents. That meant that, yes, you COULD listen to cellphone calls. You just couldn't tell anybody else about the contents. Then, one of the first content-protection laws, ECMA, was passed making it illegal to listen to cell phones. This was a law passed purely for the convenience of the cell-phone companies, so they could say "Yes, we're secure - it's against the law to listen in." It was and is still technically feasible, however. Even old televisions that went above channel 70 could hear cellphone calls. (Note: this law is rapidly becoming moot, since most cell companies are switching to digital as fast as they can go. You could still scan the digital cellphone bands, but it's much harder to listen in.)

    I have phone lines that cross my property, does that mean I can hook into them and get free long distance?

    No, because now you're not passively intercepting the radio waves. You're taking active steps to steal service.

    You're letting your indignation take over your higher thought processes, plus you have forgotten recent history. Calm down.

    As far as I know, according to the law you can still listen to cordless phones, which is nearly as entertaining. And, for a really good time, try scanning baby monitors.


    ...phil

  • by Enry (630) <enry.wayga@net> on Thursday January 25, 2001 @06:26AM (#481924) Journal
    Sooo...

    You wouldn't care if I set up a listening post to hear any wireless stuff going on in your house, right? You probably don't care about Echelon and various Internet-based listening posts monitoring your e-mail and where you surf, right?

    After all, you are sending your data out over shared space, and if I feel like manipulating it *however I want*, that should be my right.
  • Yes, no more mobile phones.

    That doesn't mean they did anything wrong.
  • by Phaid (938) on Thursday January 25, 2001 @05:58AM (#481927) Homepage
    It's how you play the game. Hughes deserves props for doing this the right way - by outsmarting the pirates. Unlike some other industries who combat piracy by buying laws that take away everyone's freedoms just to protect themselves, or force everyone to sell crippled hardware so that their precious media can't be used in a way they don't approve of, these guys stayed with an existing technology and made it work in the face of rampant piracy. My hat's off.
  • Forcing me to uninstall and reinstall the game IS harm. It's a big waste of my time.

  • It is not "stealing TV". When you steal something, the person that you stole it from no longer possesses it.

    Consider the infrastructure. Those satellites are expensive. If you are grabbing the service for free, who's paying for the infrastructure and operating costs? Hughes is not the bad guy here. They don't circumvent fair use rights in any way, they provide better service, pricing, and quality than local cable providers and their pay per view is cheaper than (and higher quality than VHS) video rental. Their business practices are not monopolistic (in fact, they have several competitors)

    The manual that came with my receiver even listed details of channel allocation, packet format, etc.

    This is no more stealing than watching the Superbowl at a friend's place because he has DirecTV and you don't.

    That's not stealing because they contracted with your friend to provide the service in exchange for a fee (which was presumably paid). They got theirs and your friend got his. If they decided to bill by the eyeball as you suggest, I would switch to another service immediately. If they took steps to make sure there wasn't another provider, then I would agree with you.

    Punishing the bad guy like the MPAA and RIAA who circumvent fair use rights and play dirty games to kill off competition won't work if they know they'll be punished even if they play the good guy.

    If DirecTV don't have a business model which can earn them a profit as they beam their signal into EVERYONE'S airspace, then they shouldn't be in business, end of story. Or, as they would say, "game over".

    O.K. they and the regular cable operators should shut down immediately. You can go back to a glorious 3 channels of $hit mixed with snow to choose from.

  • There may be some ground to say that DirecTV overstepped its bounds to destroy cards that were at one time rightfully sold.

    I imagine that DirecTV's response to a claim would be "Fine, you pay for the service you stole from us, and we'll replace your card". Somehow, I don't think there will be many claimants.

  • For starters, H cards are damn near indestructible. I've seen one go through a washing machine and still function.

    How can a virus wipe out my flash BIOS? After all, it survived a trip through the washing machine! They blew a few fusible links using a charge pump on the chip.

    Secondly, even there would be no need to add the offending code bit by bit, you could just send 1 update.

    And the pirates would just block it. First, DTV had to get the pirates to accept the updates rather than block them.

    Thirdly the destruction of the cards would force Hughes to replace them. Not a cheap move. They'd be opening themselves to a lawsuit from everyone who was willing to say "I hadn't modified my card, honest" otherwise.

    And if DTV could prove otherwise (such as the defendant's lack of a DTV account and no history of payments to DTV), the court records will prove that the plaintiff committed a felony. Sort of like the things you see in the dumb crooks shows.

  • The reason you have never seen an individual (someone not reselling their copied/"stolen" material) is because of the need to prove a loss. This is a major issue surrounding MP3's and the like. Just because a person has copied/decoded/viewed commercial data, it does NOT mean they would have ever paid for it. You can NOT prove a loss of profit, because you can't prove that the person would have ever paid for it at all.

    That is true for content protection. However, DTV is a service and so the laws are a bit different.

  • They are running a commercial enterprise, it's the responsibility of them to come up with a business model which at least covers their costs... It's certainly not the responsibility of any other party to support anyone's business model.

    They do that by charging for the service (which wouldn't exist at all if they couldn't charge for it). They also accomplish it by things like the subject of this story. It's not like they're trying to get a TV or VCR tax like some cartels we know. Or like they're trying to sue competing technology into the dirt. They also don't try to squeeze out more than their due by circumventing fair use rights. If they were, I would agree that they failed in their responsibility to have a profitable business model.

  • I know that I've tried to fight the battle as much as I could on my end to make sure that the public at large knows the difference between Hackers and Crackers. I know others have too, but I think that that battle is moot; with CNN and Cnet and USA Today, and the rest of the media continuing to use the word "hacker" for what we mean as "cracker", anyone that seems to use the word "hacker" correctly (in our terms) tends to be frowned upon as one that is fighting the system, etc etc. Look at Judge Kaplan's feelings in the deCSS case.

    We need to strongly promote a word or phrase that implies that that person is not one that hacks to undermine a system, but to learn and possibly improve a product. "White hat hacker" I've heard used, but it still has some negative connotation. Of course, even if we come up with such a word, we need to inject it into the mainstream press somehow, and that can only be done by groups that are leading the hacking effect, including Linus, Red Hat, and other distros.

  • by MoNickels (1700) on Thursday January 25, 2001 @06:00AM (#481939) Homepage
    Rob and the gang,

    Congratulations on a well-written, engaging news story. Clear, concise, interesting with thrilling narrative, factually informative. This entry is a model for all good Slashdot entries.

    Thanks.
  • I don't like DirecTV much. I don't agree with the proprietary signal DirecTV uses. I also just plain don't like the service as well as I liked my old Primestar (dammit; why'd DirecTV have to buy them out?)

    Neither do I support stealing channel access by the hackers, though. This isn't a fair use issue; the difference is the same as copying a book from a library (fair use) vs. stealing it from the bookstore (shoplifting). Frankly, I think this was an unbelievably cool move by DirecTV. I do find it somewhat scary that they were actually able to make this work, but what they did is truly an ingenious anti-hack method.

    Now, the next question is, when are the hackers going to run around this system too?
    ----------
  • actually you can get sued for "protecting" your property/goods by dangerous means.
    A liquor store owner was sued (successfully, and for a load of cash) because he put an electrified fence piece over a skylight that was used a large number of times to rob his store during the night.
    IANAL, but the law is called something like the "pull-string trigger" law. (i.e. you can't rig a gun to your door so when it's opened the gun fires.)
  • I'm pretty impressed by this. I'm sure the real hackers, namely the ones who worked on the code and enjoyed tinkering respect this sort of orchestrated response. The 99% of lusers who just bought a card and plugged in the code I'm sure are very ticked off, but they were never into it for a good hack, they just wanted free TV.

    There may be some ground to say that DirecTV overstepped its bounds to destroy cards that were at one time rightfully sold. I would suspect that their legal department has some sort of "appropriate use" clause. Besides, any one with a functional frontal lobe knows that people were stealing. Those who had their cards fried should think fondly on their time of beating the system, but above all they should respect that DirecTV outsmarted them.

    Of course... this assumes that someone isn't right now figuring out a way to reverse the process or come up with a new way of hacking the system. Any way you cut it, this is one of the most interesting and impressive reactions in years. Maybe the cuecat people could take a hint and decide to get smarter instead of making legal threats.

  • Tricky. In general, I'd agree with you, but current law doesn't seem to be on the side of Hughes.

    *I* think that if you have a computer which you allow to run non-trusted software, and can receive such software independently of what you do, you're asking for trouble. (although there should still be some kind of minor trespass violation - it's illegal to enter a house with an open door if it's not yours, just not as bad as if you had broken the door down)

    On the other hand, it's illegal to hack computers, no matter what sort of crappy security they have. While no intelligent US hacker is going to step forward and sue Hughes for hacking (as they'd quickly get counter-sued for watching it) Canadians may have better luck. I think that it would be rather funny for them to start a class-action suit, as their watching is quite legal but Hughes' hacking still isn't.
  • by cpt kangarooski (3773) on Thursday January 25, 2001 @09:08AM (#481947) Homepage
    I disagree.

    As others have pointed out Hughes is sending the signal to hackers. In fact, they want to send it to nearly everyone, ideally. Furthermore they're sending it as a broadcast radio signal, and that's a public resource.

    If you proceed with your logic, you imply that it would be illegal to read billboards on the side of the road (ideally for this argument in the state-owned right of way) if the whim of the owner was that you weren't allowed.

    Just as there is a right to free speech, there MUST be in order to actually have such a right function, an equally absolute right to listen. Otherwise you're supporting the opinion that you have a right to free speech, but if the government finds it inconvenient, people who listen can be arrested. (despite the speaker going free) This is a nonsensical proposition you're making, I think we'll all agree.

    If a communication is privileged or there is an expectation of privacy (e.g. whispering, talking in a way that cannot reasonably be intercepted outside your home, lawyer-client discussions) I can see making that a minor crime. Generally one that's worse for the government (e.g. tapping w/o a warrant) than individuals.

    But sending data across a public medium to virtually the entire continent does not strike me as private. Even the Internet is not private - it's a network of other, smaller networks, and it's hardly possible to believe that communications across it are automatically private. Certainly the most esteemed privacy/encryption experts on the net don't think so.

    Once someone receives such a stream - particularly if it was sent so that they, their neighbors and their countrymen could receive it - I don't see how it's Hughes' business what's done with it. If they wish to prevent people from seeing it, the best way is to not send it to them at all. The second best way is to heavily encrypt it, but encryption is not a guarantee. It also means that Hughes' business is not TV but decryption software. If someone manages to put out an RE'd version w/o infringing on patents, then that's their right too. We rely on that right to have microcomputers that aren't all sold by IBM.

    And furthermore, in Canada, which is what we're discussing, the people there explicitly DO have the right to watch broadcast signals. There's just no two ways about it there. If the law in Pottsylvania were that TV broadcasters had to give out free TV sets to people in order to have a license to broadcast then Hughes would have to either stop broadcasting to them, or start handing out the sets; it doesn't matter if the law is different than US law, sovereign states have the right to have different laws.
  • They got a dish and decoding equipment from DirecTV, and presumably (correct me if I'm wrong) signed an agreement not to hack that equipment when they did so.

    If you feel like putting up a dish to capture that satellite's signal, go ahead. Manipulate it however you want, too. But unless you can brute force the encryption keyspace or you are the transmitting company, your manipulations are not going to get very far.

    The question then becomes "what do DirecTV subscribers actually sign to, under what conditions, and when?" I don't use the system, so I'm not going to speculate... but I will point out that their ongoing, "you must communicate with our modem to get the latest decryption firmware updates" service could make it real hard to decode their signal without their help, even if you can purchase the system (with original firmware) while avoiding signing away your rights to hack it.
  • The difference is simple: DirecTV can beat hackers technically; the recording industry cannot.

    DirecTV sends broadcasts over the airwaves, and can send encryption keys for those broadcasts over phone lines on a separate, authenticated channel. Although they cannot prevent legitimate subscribers from recording and sharing the broadcasts they paid for, they can easily prevent pirates from accessing broadcasts they have not paid for (without getting a copy of the frequently changeable keys or a tape/CD-R of the desired program from a legitimate subscriber.)

    This is not possible with the recording industry, because they cannot change encryption keys on the media they sell, and they must include those keys with the media or with the players in order to allow the media to be played back even once. At this point it isn't encryption, it's scrambling. And scrambling can always be defeated, as long as we control the hardware. For any non-interactive media that can be played back on a general purpose computer or a sufficiently hackable electronics device, it is simply impossible to enforce "pay per play", "do not copy", etc. with technological measures. Despite SDMI, I think most of them know they can't beat copyright violators technically, and know that the only way to beat violators in court is with unconstitutional laws like the DMCA that hurt non-violators as well. It's not just evil we're dealing with here, it's desperation.
  • Click-through agreements have loads of legal, ethical, and practical problems (they aren't made until after you've purchased the product, they aren't an actual signature, the product isn't necessarily run the first time by the owner, it is possible to bypass them by hacking the product before running it and agreeing not to hack it...)

    With our cable modem service, at least, there's something like four pages of fine print that they got us to put a physical signature on during installation. I made the (apparently incorrect, according to other posters) assumption that DirecTV would have their bases covered that way.
  • by EoRaptor (4083) on Thursday January 25, 2001 @07:49AM (#481951)
    Alright, while the story above is 'correct', it's something like reading chapter 6 of a 12 chapter novel, and claiming to understand everything. A lot more has been going on than is shown here.

    In the beginning, as it were, was the F card. This card was a dumb eeprom, and was hacked so fast it must have made DTV's head spin. The video stream at this time was un-encrypted, and you merely had to convince your receiver to show the channels. This lasted about a year or two, and then a new card began appearing, this was the H series card. This card had a dedicated ASIC on it for decrypting scrambled content. It was also a 'smart' smartcard, in that it tried to think about commands that were sent to it, and had some basic functions (read, write, compare, etc) that could be called on. Eventually, DTV mailed out new cards to all valid F card owners, and completely removed the older card from service. They also switched to an encrypted video stream, and that was the end of the F card.

    This new H card was trickier to deal with, but at this time Hughes, who owned DTV, had made another mistake. This was the same card used in some European digital satellite systems, and a great deal of information was already available on it. Hacking it (and these people were hackers, in that they had to reverse engineer a 'black box' device only by watching how DTV interacted with it, even if they used their knowledge for less than stellar purposes.) took less time than DTV would have thought. This is what went on for the years leading up to this story, in that the hackers would enable some new security hole, and DTV would send down an update to close it. Eventually though, DTV realized that there were an unlimited number of holes that could be opened, due to a flaw in the memory checking on the card, (large values would roll back over to zero) and that the programming hardware needed to work with these cards had become cheap enough to be a mass market.

    About this time, DTV went quiet, and the community that had grown up around pirating DTV satellite signals began to get fat and lazy. When DTV started up again, this time patching the firmware in the receivers to test the H card's unique ID against a list of known bad ID's, and to lock out bad cards if they were found, a lot of people were caught by surprise. It was easy enough to overcome this problem, in that you could copy a valid, subscribed card's ID onto an unsubscribed card. Called cloning, this technique had deficiencies that had been known for some time, in that part of the card's unique ID was stored into a write once area of the card's EPROM, and couldn't be changed, only masked. Since DTV seemed to have stopped sending down card updates, cloning became popular. In fact, it became the way of doing things. Looking back, it is easy to see how DTV set everyone up for this, allowing cloning to become rampant, because they knew how to kill it.

    When DTV started up the updates again, some of the original hackers warned heavily against cloning, saying this was the beginning of the end. Most people, however, were content to simply update to the latest way of activating their cloned card, and content to ignore the number of updates piling up on their card. Once the updates were complete, those early hackers really began to scream about what was going to happen, but still no one listened. And, in the end, it did happen.

    What DTV did was send down a packet of information, that said: Take this address, and store it in this new location. Then, using the basic features of the card, compare that address we just stored to an address at this memory location. If they match, do nothing. If they don't match, set this memory pointer to location X, instead of location Y, where X is a specific part of WRITE ONCE memory. Another packet came along, and said, write some stuff to this memory location (the 'GAME OVER' in this case). If the memory pointer had changed to a write once area, too bad. If not, it was harmless. What was the card comparing? The ID reported by the card and the ID actually valid for the card.

    This type of kill was instant and deadly. It was also 100% safe, in that anyone using a cloned card was guaranteed to be pirating the service, and the packet would not, under any circumstance, hurt a valid subscriber's H series card. It was so deadly because the area written to is part of the card's boot process. When it first receives power, the card no longer starts in a valid state, instead spitting out useless garbage. There is no way to write to this memory location again, and there is no way to change the card's boot process, because it happens before the interface comes up. I don't believe a magic bullet killed Kennedy, but this magic bullet certainly killed all these cards.

    Well, all is not lost, because a while back, DTV ran out of valid ID's for a H series card, and had to make a new card, dubbed HU. This card is much trickier and much smarter than the H card, but it may also have flaws that can be exploited. Only time will tell, but in a sort of ironic twist, this is again a card from Europe. Maybe the American hackers will get another helping hand from overseas, and maybe not. Primitive hacks for it have already started appearing, and the game of tit for tat is already being played out, as DTV shuts down early HU hacks. Don't hold your breath though, the card has remained unhacked in Europe for some time.

    I hope this clears up some mystery. DTV did well this time, but they've made huge mistakes in the past that only encouraged hackers to use their knowledge to pirate the system, it was, if you will, a sort of contempt. It was so easy, it was like DTV was daring you to do it.
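
The two-packet kill described in the comment above, as an added illustration that is not part of the original post and not DirecTV's code: a constructed C model showing why a card reporting its own ID is untouched while a clone is left unable to boot or be repaired. The memory layout, offsets, boot bytes and function names are all assumptions, and write-once memory is modelled as bits that can only be cleared.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: every size, offset, value and name is an assumption. */
enum {
    MEM_SIZE     = 64,
    WO_END       = 16,  /* [0,16) is write-once: bits can go 1 -> 0 only */
    BOOT_OFF     = 0,   /* bytes checked at power-up ("location X") */
    BOOT_LEN     = 4,
    TRUE_ID_OFF  = 12,  /* factory ID burned into write-once memory */
    ID_LEN       = 4,
    REPORTED_OFF = 16,  /* ID the card presents; rewritable, so clonable */
    SCRATCH_OFF  = 32,  /* harmless rewritable area ("location Y") */
    STAGE_OFF    = 48   /* where packet 1 stores its copy */
};

static const uint8_t BOOT_MAGIC[BOOT_LEN] = {0xA5, 0x5A, 0xC3, 0x3C};
static const uint8_t GAME_OVER[] = "GAME OVER";

typedef struct {
    uint8_t mem[MEM_SIZE];
    size_t  write_ptr;  /* where the next payload packet lands */
} Card;

/* Bounds-checked write. The check never computes addr + len, so a huge
 * value cannot wrap past zero and slip through. */
bool card_write(Card *c, size_t addr, const uint8_t *data, size_t len)
{
    if (len > MEM_SIZE || addr > MEM_SIZE - len)
        return false;
    for (size_t i = 0; i < len; i++) {
        if (addr + i < WO_END)
            c->mem[addr + i] &= data[i];   /* one-way: bits cannot be set back */
        else
            c->mem[addr + i] = data[i];
    }
    return true;
}

void card_init(Card *c, const uint8_t *true_id, const uint8_t *reported_id)
{
    memset(c->mem, 0x00, MEM_SIZE);
    memset(c->mem, 0xFF, WO_END);          /* blank write-once cells read as ones */
    card_write(c, BOOT_OFF, BOOT_MAGIC, BOOT_LEN);
    card_write(c, TRUE_ID_OFF, true_id, ID_LEN);
    card_write(c, REPORTED_OFF, reported_id, ID_LEN);
    c->write_ptr = SCRATCH_OFF;
}

/* Power-up check: runs before any interface exists to repair the card. */
bool card_boot(const Card *c)
{
    return memcmp(c->mem + BOOT_OFF, BOOT_MAGIC, BOOT_LEN) == 0;
}

/* Packet 1: stage the reported ID, compare it with the burned-in ID, and
 * redirect the write pointer only on a mismatch. */
void packet_compare(Card *c)
{
    card_write(c, STAGE_OFF, c->mem + REPORTED_OFF, ID_LEN);
    if (memcmp(c->mem + STAGE_OFF, c->mem + TRUE_ID_OFF, ID_LEN) != 0)
        c->write_ptr = BOOT_OFF;
}

/* Packet 2: write the payload wherever the pointer now points. */
void packet_payload(Card *c)
{
    card_write(c, c->write_ptr, GAME_OVER, sizeof GAME_OVER - 1);
}

/* Apply both packets, then power-cycle. Returns true if the card still boots. */
bool survives_update(Card *c)
{
    packet_compare(c);
    packet_payload(c);
    return card_boot(c);
}

int main(void)
{
    const uint8_t id_a[ID_LEN] = {0x10, 0x20, 0x30, 0x40};
    const uint8_t id_b[ID_LEN] = {0x11, 0x22, 0x33, 0x44};
    Card legit, clone;

    card_init(&legit, id_a, id_a);  /* reports its own ID */
    card_init(&clone, id_b, id_a);  /* reports a subscriber's ID */

    printf("legit boots after update: %d\n", survives_update(&legit));
    printf("clone boots after update: %d\n", survives_update(&clone));

    /* Re-burning the boot bytes cannot restore cleared bits. */
    card_write(&clone, BOOT_OFF, BOOT_MAGIC, BOOT_LEN);
    printf("clone boots after repair attempt: %d\n", card_boot(&clone));
    return 0;
}
```

Each packet is harmless on its own, which is the design point: the payload write only becomes destructive on a card where the earlier comparison has already moved the pointer.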
  • If you buy a book, that doesn't give you the right to duplicate and distribute that book. What the GPL does is to give additional rights that copyright doesn't give you, but places conditions on the exercise of those rights. What I get annoyed about is stupid click-throughs that profess to take away my rights under the "first sale" principle without giving anything in return.
  • Actually, these are hackers. They are also crackers. They had an amazing grasp on the technology, and used that knowledge. In fact, it was kind of interesting, because this was a hacker/hacker war. There is a big difference between crackers who are hackers and crackers who are script k1dd13z. Not that cracking is okay if you are a genius, but that even if you don't agree with what's being done, you can at least appreciate the skill with which it was done. This seems like quite an amusing little war, and I'm sure the hackers working for DirecTV got a kick out of it (especially the "GAME OVER" part).
  • I doubt that's a very large group of users (there may well be a decent number of people who can't get a channel they want, but not that many are willing to mod their receiver over it), but I would be inclined to feel sympathetically towards them. What channels do they lock out geographically (besides local network affiliates)?

    - -Josh Turiel
  • by jht (5006) on Thursday January 25, 2001 @06:47AM (#481959) Homepage Journal
    If you want to design and build your own DirecTV-compatible dish and receiver from components, and write software for it that decodes the video stream, then hooking it up to your TV set and watching for free is not theft in my book. The signals are, as you point out, passing through your property, and you were smart enough to figure out how to do something with them. Enjoy. Hell, get Dish Network too, while you're at it.

    But taking DirecTV's own receiver, only made for the purpose of viewing their service by subscription, and then modifying it for free service is theft, plain and simple. By your standard, there should only be free broadcast service (over-the-air commercial TV), because anything else is and should be open for the taking to anyone who can hack a receiver or get their hands on a modded card.

    If that's the case, forget pay-per-view (what - life without Wrestlemania?), forget all the premium commercial-free services like HBO - and forget pretty much any reception at all anywhere other than in and near urban areas.

    There's a big difference between fair use and theft of service. I should be able to record off my DTV, time-shift as I like with my VCR or Tivo, and not rely on analog streams to do so if everything I have is digital. But there's nothing inherently wrong with paying to get that signal into my house to begin with, so long as I can re-use what I paid for. A different point entirely.

    - -Josh Turiel
  • by jht (5006) on Thursday January 25, 2001 @05:26AM (#481960) Homepage Journal
    On one side, you have folks who hack the hardware to get free service.

    On the other side, you have a company that sells a dish and programming, at pretty reasonable prices compared to cable rates, and wants to get paid for their goods.

    Given that it's an interesting intellectual game at best to figure out how to hack a DTV smart card system, and theft of service at worst, it just appears that DirecTV has figured out how to win the cat and mouse game once and for all. Good for them. If DirecTV was the only form of television service available (ie., a monopoly), I'd look on theft of service a little more tolerantly, but there's all sorts of TV alternatives out there - broadcast, cable, and other satellite providers.

    This is different from, say, the i-Opener hack because the i-Opener hack was fundamentally about hardware. Buying the box did not incur an obligation to use the service (due to a mistake on Netpliance's part), and the hack didn't allow you to steal their service - it allowed you to re-purpose the hardware. That would be like hacking a DirecTV box to work with Dish Network instead. A cool, "because it's there" hack.

    So if DirecTV won the war, more power to them. There may be a fine line between hacking and theft at times, but hacking a DTV smart card for free service is definitely on the wrong side of that line.

    Besides, stuff like descramblers and smartcards are usually what spammers are filling my emailbox with, and I hate spammers! :-)

    - -Josh Turiel
  • by Ian Schmidt (6899) on Thursday January 25, 2001 @06:28AM (#481966)
    As a DirecTV subscriber (who pays for the stuff) I agree 100%. Obviously the Hughes engineers are some damn smart guys, and the TV pirates (let's use the right terminology here - /. gets caught up about "hackers" not being evil enough that it's ridiculous to call the pirates that) are not as smart.

    I have zero respect for these pirates. They could be applying their skills to the next piece of free software, while instead they're just trying to get free TV. What a waste.

  • It's just that all people who had their cards ECM'd chose to manipulate the signals in such a way that it destroyed their equipment....

    ;-)
  • by The G (7787) on Thursday January 25, 2001 @05:26AM (#481968)
    Damn but it's nice to see a company that's willing to fight on the technical ground rather than running to its lawyers at the first sign of trouble. That's downright brave and honourable, there.

    Say what you may about the real and supposed sins of DirecTV and its crackers, they were fighting the war on its technical merits rather than with hordes of lawyers. That's good stuff. It's nice to see a company with the integrity to defend itself within its market and its product rather than look for protection from above.
    --G
  • Since this is really about theft-of-service, we're not talking hacking, but cracking. I encourage companies to crack down on crackers.

    Let's not make the same linguistic mistake we despise when the average reporter gets it wrong.

    [ObDisclaimer: my employer has business relationships with DirecTV, but I do not speak for them]

  • Since this is really about theft-of-service, we're not talking hacking, but cracking. I encourage companies to crack down on crackers.
    You obviously meant " HACK down on crackers", didn't you?

    --

  • by xyzzy (10685) on Thursday January 25, 2001 @05:13AM (#481977) Homepage
    ...it is a thing of beauty... Not because of who won or lost, but because of the elegance with which it was done!

    [someone should forward this article to the "Beautiful code" guy!]
  • by The Dodger (10689) on Thursday January 25, 2001 @05:24AM (#481979) Homepage

    First of all, let's point out here that what this little story refers to as "hackers" are actually "pirates".

    Secondly, what the Hughes technicians did was far more worthy of the term "hack". It stands out simply because it was the "big nasty corporation" who turned the technical tables on the crackers, and defeated them.

    The whole thing smacks of genius - the subtlety, (in sending out the updates in a fragmented manner), the timing (ambushing the pirates a week before one of the biggest US TV events), the technical brilliance - all these are traits too often missing in so-called "hackers".

    Respect to the Hughes guys.


    D.

  • It's interesting. This morning's prevailing opinion of Hughes/DirecTV is that they engineered a cool hack and beat TV pirates at their own game.

    Yesterday, we were discussing how we can hack new DirecTV tuners to allow HDTV resolution on analog ports.

    Does anyone else appreciate the irony of both events happening in the same week?

  • We need to strongly promote a word or phrase that implies that that person is not one that hacks to undermine a system, but to learn and possibly improve a product.

    Does anyone recall the term used for the engineers/hackers in the "Marooned in Realtime" SciFi series? (I don't have the books here at work).

    Something like "tweakers" or "tinkerers" I think.

    Tinkerer would be an excellent word to promote ... it describes exactly what is being done, has no negative connotations, and could apply equally to hardware, software, genetic-ware, nano-ware, or what have you.

    My 2 cents...
  • They ARE saving money by buying a hacked card. Hacked cards give you PPV movies, Pr0n channels, Football games, etc. Channels that can cost upwards of 35-50 bucks for just one event, for one day, like a boxing match. And of course Local channels from East Coast or West Coast time zones that you can't get even if you are paying.

    Either way, I'm sure most hackers just love a good challenge.
  • Watch out - the DirecTivo does not record your OTA broadcast signals. It only records the channels you get from the satellite. So, if you don't get the network channels from your dish, then you won't be able to Tivo them (or, I assume, use the Tivo remote to change to the OTA channels).

    True, but that's not as bad as it sounds. I don't really need the OTA broadcast signals, since my local stations (Cincinnati area) are available off the satellite. (Same for 30-40 other local markets already.) Of course, they don't carry the local PBS station, but the national PBS feed is available. They don't carry the WB station, but I never watch that anyway!

    Once I found that out, I ended up getting the Sony DNR Tivo system. It interacts perfectly with the Sony SAT-B2 receiver, and my OTA channels. In fact, there is a cable that plugs from the Sony Tivo unit into the Sony sat receiver to control it. My one Tivo remote is thus the only one I have to use to get all the channels. Works perfectly.

    I've heard a lot of people complain about picture quality with this kind of setup. When the standalone TiVo records something, it does its own MPEG encoding. MPEG is a lossy compression algorithm, and I've heard that re-encoding a decoded MPEG stream tends to exaggerate that lossiness. I'm told that the quality of TiVo recording from OTA broadcasts is better than the quality of the satellite broadcasts.

    With the combined DirecTV/TiVo box, it's true that you no longer have an MPEG encoder, but it's recording the MPEG streams as they come off the satellite, without modification. That means no loss of quality playing back the TiVo recordings as compared to watching the content live -- either way, the exact same MPEG data is being decoded for viewing. Even if your setup looks good to you, there's unquestionably some loss of quality inherent in using multiple passes of a lossy compression algorithm. (But if you don't notice it, that's lucky.)

    More significantly, DirecTV probably does a better job of MPEG compression than your standalone TiVo can hope to. They've got professional-grade MPEG encoding equipment, and a strong financial incentive to get the best compression possible. (It's a lot cheaper to get expensive encoders than to launch new satellites!) Also, I've read that DirecTV does MUCH more intensive encoding on pay-per-view movies because they don't have to do it in real time; they can really optimize both quality and compression when it's done in advance. (I don't know if they do the same thing with other movie channels like HBO or not.) DirecTV also knows (more or less) which content needs to have more bandwidth (e.g. sports) or less (e.g. talk shows), and can optimize compression that way. What's it mean for me? In addition to having better quality for the TiVo recordings, it also means that it's probably going to use the available disk space more efficiently, and without my needing to make any decisions about what quality settings to use. I see this as a good thing.

    The one bad thing is the lack of an MPEG encoder for recording sources other than the satellite, but this is not an unreasonable tradeoff. Adding that encoder back in might cost another $200 in the unit price, and I'm not sure it's that important to me right now... But if it's important to you, then it sounds like you have the right setup for your needs.

    I had thought that having the satellite receiver and Tivo all in one unit would be a good thing, but I've had absolutely no problems with the setup I've got. If you don't yet have a Tivo system, get it! My wife thought we didn't need it at all, but she is totally convinced now.

    My wife was adamantly opposed to it; she considers it a waste of money because it seems no better than a VCR to her, and she's tired of clutter around the house (my fault) and the plethora of electronic devices (also my fault). So I've had to lobby for it for a while now. I think she'll let me get it when I'm done cleaning up the house, which I'm almost done with... (Having invested a good 30-40 hours into this project!)

    Assuming she relents and lets me get it, I won't be a bit surprised if she changes her mind and becomes a TiVo convert; I've heard of it happening to other people often enough...
  • by Deven (13090) <deven@ties.org> on Thursday January 25, 2001 @07:12AM (#481991) Homepage
    Ummm... bullshit! I know more than one legitimate DirecTV subscriber who was knocked off by these ECMs.

    Taking out the hackers is only one of Hughes' goals with these ECMs. The other was to destroy ALL H-cards, thus forcing their paying customers into upgrading to the HU cards.

    But I'm sure they're _real_ sorry for whatever inconvenience they've caused people.


    I don't know where you get your information, but they did not destroy all H cards last Sunday. My trusty old Sony SAT-B2 receiver came with an H card, and it still works fine. But I'm a legitimate paying DirecTV customer. Are you sure your friends were really legit?

    As soon as I can convince my wife to allow it, I'm gonna upgrade to the Sony SAT-T60 receiver with TiVo -- recording the MPEG streams straight off the satellite is very cool, and I'm dying for that 14-day advance program guide. (I was very annoyed with DirecTV for cutting the guide from 3 days to under 2!) Maybe I'll sell the old Sony receiver after that; the remote codes may conflict with the new Sony, plus the SAT-T60 actually has two DirecTV tuners in it! (But the second one won't work until TiVo gets their act together and updates their software to handle it...)
  • Ever hear of the FCC? It's the people's airwaves, and the people here in the USA elected politicians who put the FCC in control of regulating communication over those airwaves.

    No, it is not stealing. It is the unauthorized use of communications resources set aside for others. Just because something is not stealing does not mean it is not illegal.
  • #1: The Communications Satellite Act of 1962 gave the FCC new responsibilities with respect to space communication.
    #2: It is not illegal to own and operate descrambling or decoding equipment, but it IS illegal to receive unauthorized programming.
    #3: I'm not familiar enough about satellite descrambling laws nowadays, but receiving unauthorized programming is still illegal.
  • by Pope Slackman (13727) on Thursday January 25, 2001 @06:37AM (#481996) Homepage Journal
    The point is that the signal is broadcast to *everyone*, not just paying customers.
    You're not /stealing/ it, you're merely using a signal in a way that goes against what the originator intended.
    I don't see this as 'theft' in any way - denying *potential* profits, yes, but not theft.

    IMO, Hughes did the Right Thing.
    The crackers cracked their signal, so they cracked the crackers cracks. I think that's pretty nifty.

    --K
  • Well, technically, it's not public airwaves. Hughes/DirecTV/et.al. own a chunk of the US RF spectrum (in the 30GHz range as I recall.)

    Um, no. No single entity "owns" any RF spectrum in the U.S. The RF spectrum is a public resource (like a national park) that is administered by the government because it's a scarce resource and because (although I don't totally buy this) if you let everybody transmit wherever they want, the spectrum will be useful to no one. The portion of the spectrum that DirecTV uses is leased to it by the FCC and gives DirecTV broadcast rights on that band. As far as I know there is no regulation of who can receive on what band, because unlike multiple transmitters, multiple receivers can't really hose the public RF spectrum for everyone else.

    True, there are laws about decrypting phone calls but other than that receiving is legal. I don't believe the phone laws apply to DirecTV, unless you know for sure that they do?

    As an aside, I don't agree with laws against phone decryption because whether or not there is a law, anyone who is sufficiently motivated can monitor your transmissions. The law provides only the appearance of safety; it doesn't really give you any privacy. Plus of course you sent me those signals onto my property, but that topic's been covered already :)

  • by ethereal (13958) on Thursday January 25, 2001 @09:51AM (#482011) Journal

    It's true that DirecTV doesn't have as much money as they otherwise would; but it does not necessarily follow that anything has been stolen from them. Many other events could result in them not getting as much money - an economic slowdown, a competitor with a better product, or even a nasty rumor that their satellites are really being used to track people for the sinister purposes of Major League Baseball. Just the fact that they don't have as much money doesn't make it stealing.

    In the normal understanding of a "theft of service", somebody is still out of some physical quantity that they would otherwise have charged for and that they do not just hand out to all and sundry. Theft of cable TV service, for example (and according to the TV industry at least) steals from your neighbors by degrading their picture quality (a measurable, quantifiable thing). Spam is a theft of network resources and hardware resources on a mail server that your ISP charges you to maintain. Trojans or worms are thefts of service in almost the same way, by consuming network bandwidth and host processing power which somebody paid for and somebody else is getting charged for.

    But receiving unauthorized satellite broadcasts doesn't deprive anyone of something they are being charged for. Your neighbor's signal is not any more degraded, DirecTV doesn't have to spend any more money than they would have otherwise to achieve national coverage, and the producers of the TV content are already getting paid by DirecTV under terms that were mutually agreeable to both of them. From all of these people's perspective, things are just the same as if you didn't have a DirecTV at all.

    This doesn't mean that I disapprove of Hughes' actions in this case - I think they are entirely within their rights to police their hardware under any means that are permissible under the contracts they have with DirecTV subscribers, assuming that they have such contracts (although I don't think they have the right to modify the customer's lawfully purchased software or hardware without the customer's permission in the absence of a contract allowing it). I just don't think Hughes should be surprised when other individuals make use of the bits that DirecTV is flinging around so profligately, considering that those bits would just "go to waste" anyway.

    I have to add, though, that it's nice to see a company whose initial response was not "send in the lawyers". Duking it out hacker a hacker is the way to go on this, and so much more entertaining for the rest of us without DirecTV or the inclination to hack one.

  • by ethereal (13958) on Thursday January 25, 2001 @06:07AM (#482012) Journal

    I'm curious as to how this is really a theft of service. When that term is applied to spam, for instance, the theft occurs when spammers use up the bandwidth of their relays and the time and hardware of the targeted ISPs. In that case you can point to the extra costs that were required based on the actions of the thieves.

    However, this satellite broadcast is streaming through all of us all the time. Does just possessing the knowledge to decode these ambient bits somehow make a person a thief? I'll agree that it's unfair to the legit DirecTV subscribers to have to pay for a service that some are getting for free, but I don't agree that decoding bits that are normally present in the environment is theft.

  • Yes, I would care if you set up a listening post in my house, as your comment implies. However, I think what you meant is would I mind if you set up a listening post in your own house. That's fine with me. And if EMI from my cordless phone or 802.11b LAN reach into your house and you receive them, that's cool too. I don't talk about things on the cordless phone that I don't mind having the whole neighborhood hear. If I'm doing anything "sensitive" over the LAN it's double encrypted (SSH inside of WEP).

    So, to answer your question, yes it is your right to listen to any radio transmissions that travel thru your house. At least in my opinion. Current US law does not reflect my opinion.

    I find the whole idea that somebody can broadcast information over the radio waves to their whole neighborhood (or in the case of DirecTV, a whole continent) and have any expectation of privacy with respect to that information. That's just stupid. It's like claiming you have an expectation of privacy for a classified ad in the paper.
  • by griffjon (14945) <{GriffJon} {at} {gmail.com}> on Thursday January 25, 2001 @05:43AM (#482015) Homepage Journal
    Exactly! DirecTV did fall back to lawyers for a bit, but in general they did the absolute correct thing--fix the damned problem. Mad props to the programmer/team that handled the multipart code. If only more companies would respond to security threats and other flaws by fixing them instead of legally snuffing out their discoverers.
  • I really don't see how this is much different than DeCSS, which seems to enjoy the support of the Slashdot community.


    So... stealing motion picture studios' work is OK,

    Bzzt. No, stealing motion picture studios' work is not ok. But that's not what DeCSS is about. In fact, DeCSS is 100% useless to you unless you already have a DVD.


    ---
  • You don't OWN software, you have a license to use it. Even with so-called FREE software. I can't do whatever I want with GPLed software. I have to abide by the terms of its license. Even if you're just using no-CD cracks, you aren't licensed to do so. You might as well say, "Well, it's INCONVENIENT for me to abide by all of the terms of the GPL so I just won't redistribute my modifications. After all, I BOUGHT these Red Hat CDs."
  • You seem to have missed the point of the message you replied to. The point is not who's right or wrong, the point is that the story itself is an interesting one, regardless of which side you take (if any).

    The original message was correct: this was a nice piece of reporting for /., although I wouldn't have minded some more technical details.

  • Like others, I object to the use of the term "piracy" when applied to intellectual "property". When Blackbeard boarded your ship and took your gold, your womenfolk, and your life, you weren't left with identical gold, women, and life. "Piracy" is a pejorative term used by industry as a way of demonizing its opponents.

    Even a superficial analysis of the issues surrounding intellectual property makes it clear that those issues are far from simple, and that the current attitudes towards IP in the legal and commercial sphere are often hard to justify. In many cases, especially related to patent law, those who benefit from intellectual property law do so at the expense of the public domain, and could just as easily be labeled pirates.

    In this specific case, I agree that what Hughes did was perfectly acceptable and well within their moral, ethical, and legal rights. However, so were the actions of the original hackers of the system. Things get a bit more questionable when it comes to people simply buying a hacked chip to avoid service fees, but even there, "piracy" is not the appropriate term.

  • by Greg W. (15623) on Thursday January 25, 2001 @06:50AM (#482025) Homepage

    You have no right to make a profit.

    Nobody can steal that which you have given them for free.

    Just because you came up with some "clever" business model that involves charging people money for services, that does not entitle you to compensation from people who figure out how to provide this service for themselves.

    I am deeply disturbed to see this bullshit perpetuated by someone outside the US. Previously, I had been operating on the assumption (obviously false) that "the right of a business to make money" was confined to the US.

    Once again, for the slow ones: you do not have a right to make a profit, no matter how clever you may think you are, and no matter how long you've been making a profit in the past. If someone out there catches on to your scheme and bypasses it, you lose.

    (With all that said, I have to applaud the hackers who work for DirecTV. Unlike certain other industries, they didn't resort to dirty tricks or underhanded legislation -- they simply used what they had, and ingeniously too. I'm not ranting against DirecTV here -- I'm ranting against all those who thought that the H-card hackers were "stealing".)

  • by still cynical (17020) on Thursday January 25, 2001 @05:13AM (#482030) Homepage
    For all the noise that /. makes over the use of Hacker vs. Cracker, one would think that stealing services would fall into the latter category. While I think that the reverse engineering and cleverness involved in cracking the smartcards is quite impressive, I see no noble motivation, just stealing a service that is quite expensive to develop and provide. The real Hackers in this story work for Hughes.
  • by mindstrm (20013) on Thursday January 25, 2001 @07:15AM (#482041)
    To answer your questions.
    YES.

    1) yes. Actually, I am 100% allowed by law, in Canada, to listen to your analog cellular calls. Cellphone companies tried to change this, but the CRTC was firm: you have no reasonable expectation of privacy by transmitting on public airwaves using standard modulation.
    Now.. with Digital phones, and specifically, with Encryption this changes. Under Canadian law, encryption wrapping the conversation indicates that you have a reasonable expectation of privacy, and someone violating that would be violating your rights.
    Note that the only reason it's protected is because it is encrypted AND because it is a conversation. Satellite broadcast is not the same thing.

    Taking photographs, again. If what I see is visible from somewhere I'm legally allowed to be, I'm allowed to take photographs of it. I can photograph anything that can be seen from somewhere I'm allowed to be, especially a public street or my own property.

    And regarding 'shotgun' mikes, it depends. If I can hear the conversation of you yelling at your wife, and I'm simply using the mike to amplify it, then I am within my rights to record it. If I can't hear you at all, and use the mike to snoop on you, then that's illegal, because you have a reasonable expectation of privacy.

  • by mindstrm (20013) on Thursday January 25, 2001 @06:14AM (#482042)
    Sorry... I have to draw a line here. Perhaps it's my Canadian blood talking.. but...

    I respect that they put up the satellite, and started the TV service.. however....

    They are broadcasting signals over PUBLIC airspace, including INTO MY YARD. If I feel like putting up a dish to capture that signal and manipulate it *however I want* within my own property, that should be my absolute right (though the law may not agree). If they don't want me to receive the signal, don't broadcast it into my yard. PERIOD.

    The airwaves are PUBLIC.

  • by mindstrm (20013) on Thursday January 25, 2001 @07:24AM (#482043)
    Actually, no, I wouldn't care. Seriously.

    I firmly believe that if you broadcast something on public airwaves, then you have no right to expect privacy. I *know* when I use my cordless phone that anyone who wants can listen in.

    I also know that when I transmit cleartext data over the internet (like this slashdot post), it is going into a network that I have *no control* over, because I don't own it. I *assume* that someone is listening in. If I want nobody to listen to my conversations, I use encryption, hoping that deters them somewhat, though I'm still aware someone could be intercepting it and decrypting it if they are capable.
    As for manipulation...

    If I'm broadcasting through your network, and you want to sniff my info and manipulate/decrypt it, and there is no standing agreement that you won't ever do this... go right ahead. If you *DO* anything with that information outside your own brain/house.. THEN I'll have a problem with it, but not because you intercepted it.

  • by Croatian Sensation (27341) on Thursday January 25, 2001 @06:03AM (#482068)
    In Canada it is completely legal to decrypt the DirecTV signal. Because of antiquated laws governing the sale of content in Canada, we are not allowed to purchase the programming from Hughes. Instead we are forced to purchase from one of two local companies that offer a smaller selection and that force us to pay for unwanted Canadian content.

    In Canadian law however, it is legal to decrypt a satellite signal provided that it cannot be legally paid for. We cannot legally purchase and pay for the DirecTV stream and thus we are legally and morally entitled to decrypt and watch the DirecTV stream.

    So whereas Americans who attempt to decrypt the signal can indeed be considered "crackers", the Canadians that have been victimized by the Canadian government and Hughes are "Hackers". We have done nothing wrong and are being punished for it.

    -
  • by NickV (30252) on Thursday January 25, 2001 @05:29AM (#482073)
    Honestly, DirecTV is very cool about this situation. They even have a guy on alt.dss.hack that TALKS to the hackers and actually goes about in conversation with them. They truly look at this as a game of chess, and I was always intrigued by the complexity of the "war" at times.

    To show you how cool things have become... The latest trend in DSS is using emulation software on a PC to intercept the signal and then sending it to your receiver. It truly is an innovative solution!

    I swear, words like ECMs (Electronic Counter Measures) that literally destroy cards, and Unloopers (things that fix "looped" or destroyed cards) really make this feel like some hollywood hacker movie. But it's not. It's for real! Damn, that is just too cool!

    -Nick
  • This is the perfect solution to a nagging problem. Direct TV sells a service. They make money from the sale of this service, and they provide the infrastructure, the broadcast, the hardware, etc.

    Then, a bunch of kids decide that they want what DirectTV has, but not at their terms. So they steal the service. Yes, they stole it. Hell, they admit it in the article.

    So what does DirectTV do? They beat the hackers at their own game. They outplay, outsmart, and outfox them.

    Bravo. They protected themselves and their market share in the best way possible. In the end, we can all appreciate the beauty of this particular hack.
  • by DirkGently (32794) <dirk AT lemongecko DOT org> on Thursday January 25, 2001 @05:51AM (#482094) Homepage
    Actually, you *are* taking something from them. If you subscribe to their service, they know what channels you are capable of watching, and can tell the actual HBO people (for instance) that they have 18 million viewers and want to be billed as such (I can only think that as the number of viewers increases the actual cost to the provider decreases due to an increase in effectiveness of advertising). So it's not JUST your monthly billing statement that they are losing out on.

    So if they increase their profits by having more subscribers, you *are* stealing from them, in a very real sense.

    Dirk
  • by chroma (33185) <{moc.gnirpsdnim} {ta} {amorhc}> on Thursday January 25, 2001 @05:43AM (#482096) Homepage
    It appears that hackers are now considering a piece of hardware that sits between the DSS receiver and the smart card [hackhu.com]. It would emulate the damaged area of memory and, presumably, prevent that area from being written to again. You didn't really think the game was over, did you?
  • by segmond (34052) on Thursday January 25, 2001 @05:55AM (#482103)
    what if this happened in the software world? Where ID did this to quake, and somehow quake had an update, and they end up updating in such a way that the pirate/cracked versions are destroyed. Would people be screaming about their privacy being violated?

  • by segmond (34052) on Thursday January 25, 2001 @06:29AM (#482104)
    if you read a lot, you will see that there is a way around this, emulation, basically what happens is that a PROM gets written to, by using emulation to emulate that PROM, we can reverse all the bits DirecTV's toggled back to the original, it is not theoretical, it is already out there, those who were smart to get it early are not crying now. But I am sure DirecTV will come up with a smart idea, in the console world, it is possible to write a game that can detect different kinds of emulators. So they might write code that can detect an emulator. i.e, Emulators usually don't emulate bugs in hardware. ;) It is amazing how a bug in hardware can be used for useful things. :D

  • by miracle69 (34841) on Thursday January 25, 2001 @05:57AM (#482106)
    At one time in America, it was legal for you to hack and decode any signal that was sent onto your property. I can't remember the name of the act that allowed this, but if an electronic signal was sent onto your property, and you could decode it, listening/watching it was your right.

    This is why the old C-band dishes never had prosecutions for descrambling, or why you could listen in to Cellular Telephone conversations. And this would apply to DirecTV too, except it didn't exist when this law did.

    Sometime in the mid 90's, a new Radio Telecommunications Act was passed which banned the eavesdropping on cellular telephones and any other signal entering your property that needed to be decoded. Thus, now the old C-Band hackers had become pirates, and the new DirecTV decoding was illegal.

    The question is this - do you have the right to translate signals that are travelling onto your property - signals which you did not request?

    The old law said yes. The new one says no.
  • by tbo (35008) on Thursday January 25, 2001 @09:20AM (#482107) Journal
    This is true hacker war at its best. The DirecTV hackers vs. the DirecTV programmers. I bet both sides had a great time, and enjoyed the game. The "GAME OVER" message was an especially nice touch.

    Someone said that they're within their rights to "illegally" descramble DirecTV's content, because it's broadcast over public airwaves. True, but then, isn't DirecTV also entitled to broadcast whatever they want? If you just happen to be foolish/1337 enough to be running a hacked card, well, thanks for coming out, better luck next time. DirecTV didn't physically destroy the cards, so I don't think the hackers have any grievance in that respect...

    Nicely done, on both sides. I think this deserves an entry into the hacker hall of fame.
  • by mpe (36238) on Thursday January 25, 2001 @10:02AM (#482131)
    Xerox did not have to pay all the scribes who were put out of work by copiers, nor did the guy who came up with carbon paper. Just because you used to be able to make money doing something once does not mean you are entitled to keep making money off it forever.

    Unless the people currently making money out of a specific business model can get their business model made the "law of the land". Which is the same root issue surrounding Napster, DeCSS, etc. Large corporate interests trying hard to make sure their business model doesn't become obsolete. (With their relatives such as the iopener and cue cat, where a business thinks it is the job of the law to protect their, unproven, business model.)
    The "scribes" are probably wishing they had considered political lobbying...
  • by Minupla (62455) <minupla@@@gmail...com> on Thursday January 25, 2001 @07:12AM (#482179) Homepage Journal
    Point of interest. I recall following a news story awhile back where RCMP (under pressure from the land below the 49th) tried to crack down on DirectTV pirates. IIRC, and it wasn't appealed 18 times, it was ruled that since the service is not available for sale in Canada, (and DTV goes through some serious hoops to insure it isn't) that selling and using electronic parts to circumvent security measures on it is perfectly legal.

    Canada also has some different views on the RF spectrum. IE: last I checked it was illegal to manufacture a scanner that could scan 800MHz (non-digital Cell) in the US, but not Canada.

    FWIW,

    --
    Remove the rocks to send email
  • by Yax-Pac (62585) on Thursday January 25, 2001 @06:30AM (#482181) Homepage
    Absolutely brilliant! Kudos to the DirecTV engineers who devised this fantastic plan. They're worthy of the true hacker title in this particular war.
  • by RedX (71326) <redxNO@SPAMwideopenwest.com> on Thursday January 25, 2001 @06:14AM (#482196)
    The card might say that on it, but I'd certainly be interested to see if this claim would stand up in court. The user pays for this card anytime they want a new one, it is not given or "loaned" to the user. When you buy a receiver, you're essentially also buying the smart card also. When your card is somehow damaged, DirecTV charges anywhere from $39 to $89 for a new one. In fact, many subscribers that had their legit H cards hit this past weekend are being forced to pay $89 for a new HU card directly from DirecTV, and DirecTV will refund $50 when they receive the damaged H card. Of course, looking at some recent court cases such as DeCSS and DMCA, I wouldn't at all be surprised to see the courts side with the corporation yet again.
  • by RedX (71326) <redxNO@SPAMwideopenwest.com> on Thursday January 25, 2001 @05:58AM (#482197)
    First off, several months ago the gurus in the DirecTV "hacking" community predicted the exact events that happened this past, and anyone paying attention changed over to a technology that hasn't been defeated yet, called Emulation. Emulation basically allows the H card and receiver to process correctly while insulating the H card from any write packets that DirecTV sends. The EMU setup consists of a board that is the same width as the H card that slides into the card slot on the receiver. This board has a serial connection that then connects to the serial port of a PC. This PC is running a small DOS program. The H card is then inserted into the smart-card programmer, which is connected to the 2nd serial port on the PC. Emulation has survived all attacks that DirecTV has launched against "hacked" cards for the past few months, and likely will stay up as long as DirecTV continues the data stream for the H card.

    Secondly, the new HU card has recently been hacked to allow for the "3M" scripts that open all channels. DirecTV launched their first attack against hacked HU cards this past week as well, but the community actually learned quite a bit about the HU card from this attack. This HU hack is only available through "dealers" for several hundred dollars, but I'd expect the necessary scripts to become freeware over the next few months. DirecTV will have their hands full once an emulation script is created for the HU.

    Lastly, DirecTV also hit many, many paying subscribers running legit cards with their attack on Sunday. You can be certain that this attack cost them quite a few dollars in terms of cards needing to be replaced as well as the loss of subscribers that they have managed to piss off once again.

  • by gadders (73754) on Thursday January 25, 2001 @05:16AM (#482217)
    I mean it must have been a pisser if you were getting free TV but still, that was quite a cool plan.

    Can we set-up an interview with the techie that planned it?
  • by Panamon777 (78286) on Thursday January 25, 2001 @05:38AM (#482220)
    ...but I wouldn't make the claim that it's RIGHT to watch their content for free. Just because it's digital doesn't make theft of service (or whatever you want to call it) moral.

    Evan
  • by Speare (84249) on Thursday January 25, 2001 @07:48AM (#482227) Homepage Journal

    The question is this - do you have the right to translate signals that are travelling onto your property - signals which you did not request?

    According to the law, no, you don't have that right. I don't agree with that; I still feel you should have the right to do whatever you want with the signals that are sent to your property. But this really doesn't matter one way or another in this particular case, because it doesn't sound like Hughes tried to press legal charges on those who did hack/crack the signal.

    Here's the rub: Hughes made the cards, and Hughes "leased" or "licensed" the cards to real customers with EULAs. Hughes has the right to damage their own cards, even in your home, through the use of their FCC-licensed class and power of signals.

    If you were a legit customer who had an old (and now burnt) H card, it dropped your service for a day or two while you stop by a service center. If you were a thief who got pay-to-view entertainment for free, then that burnt card is useless to you.

    I have absolutely NO problem with the way that Hughes handled this.

  • by bmoore (106826) on Thursday January 25, 2001 @05:15AM (#482261) Homepage
    This is the way to "defend" against software piracy. Defeat the hackers in a struggle through technology. Litigation in the courts is just not the way to stop people in the end. I have no problem with people wanting to have their customers pay for their product. I like how DirectTV responded to the piracy. Corporations (RIAA, MPAA, etc): BEAT US TECHNICALLY, NOT IN COURT! It means SO much more.
  • by n3rd (111397) on Thursday January 25, 2001 @05:36AM (#482267)
    They'd be opening themselves to a lawsuit from everyone who was willing to say "I hadn't modified my card, honest" otherwise.

    Sorry, but you're wrong. Do you think a bank robber can sue a bank who puts a dye pack in his bag of money to render the money useless? Do you think that people who put razor bars around their stereo equipment can be sued by the thief who loses a finger?

    Thirdly the destruction of the cards would force Hughes to replace them. Not a cheap move.

    What do you think is cheaper: letting people take $30 or $40 per month out of Hughes' pocket by not paying for the service, or replacing a single smart card. I'm not an authority on the subject, but I think making these people pay for 2 months of service would make up for the cost of a new smart card. BTW, is "thirdly" a word?

    Finally, the site Michael linked to requests financial support by clicking a paypal link. Sounds like an elaborate setup to fleece the /. community.

    We're glad Shoeboy is looking out for our interests. Slashdot requests financial support by displaying banner ads, and so do 99% of all other sites on the web. The one in question uses PayPal for its financial support instead of banners. What's the problem?
  • by nlvp (115149) on Thursday January 25, 2001 @06:15AM (#482276)
    The distinction between hacker and cracker has nothing to do with the skill involved. It's based on the motivation and the result. Someone who does damage, who steals services (be it TV, telephone or something else) or who steals information is a cracker.

    Crackers are not always script kiddies
    Hackers are never script kiddies
    Hackers are not Crackers

    Hackers have my respect. The hacking involved in duping an entire community of crackers (no matter how intelligent they are) for long enough to build a program in their machines, little piece by little piece, then pull the trigger, whilst having the flair and style to leave the message "GAMEOVER" in the first 8 bytes of the code is fantastic, and the credit goes to directv.

    Of course, since I pay for services and end up subsidising people who think they've a right to the same services for free because they happen to have the skills necessary to steal them probably makes me a little biased.

  • by boldra (121319) on Thursday January 25, 2001 @06:02AM (#482280) Homepage
    Possible new recruits at DirecTV!

    I think the bit I like best about this is that DirecTV managed to upgrade their software remotely without causing an interruption to the service. THAT was a ballsy thing to do before the Superbowl!

  • by clare-ents (153285) on Thursday January 25, 2001 @06:23AM (#482330) Homepage
    I think there are substantial differences between DirecTV and DeCSS.

    With DeCSS I paid for the signal and it is illegal for me to decode it myself.

    With DirecTV the hackers have not paid for the signal and they have been technically outsmarted by the company.

    With DeCSS, the company have attempted to encrypt their signals from people who have the right to view them, technically they failed and now they are suing all who know how to decrypt them.

    With DirecTV the company is attempting to encrypt their signals from those who haven't paid for them, and they've come up with a technical solution and won [for the time being].

    DirecTV are not attempting to run over the legal rights of consumers, they are attempting to prevent piracy. CSS attempts to destroy legal rights under the guise of preventing piracy.

  • by JCMay (158033) <JeffMayNO@SPAMearthlink.net> on Thursday January 25, 2001 @05:21AM (#482335) Homepage
    In the almost two years we've had DirecTV, the bills have gone up almost ten dollars. I do admit that five of those dollars go to get the local (Orlando) channels.

    My wife and I are pretty happy with the service (other than rain fade margins-- they don't exist!) and think that we made the right choice over going with TWC. One of her teacher colleagues has TWC digital cable, and the picture is awful compared to DirecTV. (Except in those summer monsoons when DirecTV doesn't work at all!)

    I have never been comfortable with people getting these kinds of services without paying for them. That monthly bill not only pays for the programming, but also on infrastructure and maintenance. Hughes played a HUGE gamble by launching its DirecTV bird. Unlike cable, satellite systems must have their entire infrastructure in place before they can sign their first subscriber. Cable systems can roll out a piece at a time, and early adopters help pay to expand into new areas.

    The only thing I'd like Hughes to add is a non-Windows bidirectional link for DirecPC and a dual-subscriber discount like TWC has with RoadRunner.

  • by Oliver Wendell Jones (158103) on Thursday January 25, 2001 @05:20AM (#482336)
    Check here [freeservers.com] for exactly how the cards were 'destroyed' and for a possible way that they could be repaired... but why would you want to do that?
  • by Alien54 (180860) on Thursday January 25, 2001 @06:29AM (#482358) Journal
    To a very large extent, the hacking of the Direct TV system has been a game. Sort of like the "Spy vs Spy" comic you "used" to read in Mad Magazine (maybe you still do)

    Now Obviously, a lot of folks are going to be pissed off because they "lost" the game.

    And I am sure that the fine folks at DirectTV are gleeful about the gnashing of teeth and their own clever victory.

    Somehow I think this has to be kept quite separate from the other issues dealing with digital media.

    People providing a service deserve enough to be able to cover the costs of their operation and to make a reasonable profit. Let those who are without sin cast the first stone. Who has not had dotcom phantasies of obscene wealth? Well how did you expect you would do this? by giving away the homeplanet? or do you want them to spend millions of dollars so that you can enjoy your right to the superbowl and free pr0n?

    That being said there is ALSO the issue of fair and reasonable exchange for goods and services. DirectTV certainly has been on the wrong side of the issue as far as some aspects of copy protection, etc.

    Some people would rather spend extraordinary effort and money to not pay for goods and services. In the past, these people were called the 'rich'; it was part of their culture. and now this attitude has dribbled into the rest of society

    In the past, much of what has passed for morality has been an effort to help keep people in their place, to help mold them into sheeple. This has been the main thrust of modern education since the education "reforms" at the beginning of the 20th century. All those immigrants had to be educated to be good workers, etc. NOT competitors to the status quo.

    This ties in with the DirectTV game because the company, as such, naturally, and perhaps unwittingly, takes advantage of the situation to impose conditions that are not fair exchange.

    People instinctively react, at first, to situations that are not fair. They get mad. and they use this to justify their own attempts to get what they think they are due, and maybe a little bit more. It becomes a vicious circle. Unfortunately, some people will never be happy.

  • by l-ascorbic (200822) on Thursday January 25, 2001 @05:10AM (#482378)
    This looks like poetic justice to me. All credit to DirecTV.
  • by Paladin128 (203968) <aaron@@@traas...org> on Thursday January 25, 2001 @05:22AM (#482385) Homepage
    • Hackers will find a way around the new system. They always find a way, and they will have fun doing it.
    Doubtful... if you read the article correctly, this last act effectively destroyed the smart cards.

    What would be cool is if someone found a way to actually reverse-engineer and manufacture smart cards that received the regular updates, and acted exactly like legit ones, except they didn't dial into DirecTV.

    This is the way companies should combat hackers that are "stealing" or "bypassing access control methods"... not tracking them down and suing them, and getting laws put in place to ban things that are useful to the community at large. DirecTV was able to attack hackers without infringing on their paying customers!

    "Evil beware: I'm armed to the teeth and packing a hampster!"

  • You're missing the point. I'm actually one of those people who downloaded DeCSS to see how CSS worked. I find this sort of thing (encryption, access control mechanisms, etc.) interesting. I don't have time to hack the damn thing myself, but reading the source code or other information about how a hacker went about attacking the problem. This helps ME learn. What would have happened if this hacker kept the secret for him and his small group of underground friends? DirecTV would have never found out about it, and never fixed the problem, and never been able to fight back. The widespread distribution of the methodologies used to circumvent the encryption meant that DirecTV would eventually have to hear about it, and have the power to stop it.

    "Evil beware: I'm armed to the teeth and packing a hampster!"
  • by b1t r0t (216468) on Thursday January 25, 2001 @12:46PM (#482396)
    This sounded like a pretty cool hack on the part of DirectTV (whether you agree with them or not), so I decided to take advantage of my ISP's one month news spool of alt.dss.hack to see what was up.

    It looks to me like DirectTV (better known to the a.d.h members as "Dave", and not to be confused with "SuperDave", one of the newsgroup regulars) played an ace they've had up their sleeve for a long time. Apparently the boot code (in ROM) of the 8051 in the chip checks one bit in a 32-bit region of PROM (as in you can program it but you can't reset it) and goes into an infinite loop (I think this is what is being referred to as a "looped" card) early during the boot process. Since this is in ROM where it can't be re-programmed, you can't bypass it.

    It seems there's also an ASIC in the card that is crucial to the decoding process. I'm guessing that it has to be enabled by the 8051. And if the 8051 "loops" before you can talk to it, you're hosed.

    It also seems that there was a recent move to "emulators", which emulated the 8051, but passed commands to the ASIC through to the real card. That way, as long as the card was alive enough to tell it what to do, you would essentially firewall off the card from any nasty code that wanted to do stuff like program write-once bits in the CPU chip. Some people were arguing recently that emulators were overkill, but it seems they have been proven wrong. The only people with hacked cards that still work either had emulators or were lucky enough to pull their cards in time (or the decoder box was unplugged).

    Apparently for a couple of weeks now "Dave" has been downloading code to detect illegal cards and test it (by locking up assorted cards and seeing what kind of results they got) before sending down the "ECM" code which caused the card to kill itself.

    As to the timing, it is suspected they chose one week before Super Bowl to allow enough time for legitimate users (or those illegitimate users who wanted the better signal in time for The Big Game) to receive new cards.

    Here are two messages I found on the newsgroup about all this: (line art removed from the first one because of /.'s lame filter)

    From: ump25@aol.com (Ump25)
    Newsgroups: alt.dss.hack
    Date: 22 Jan 2001 05:38:13 GMT
    Subject: EVERYONE READ THIS! INFO FROM MAGICIAN ET. AL.
    Message-ID: <20010122003813.16538.00000761@ng-bj1.aol.com>

    From Magician and Hypertek comes the following...

    As most everybody is aware, the ability of the dynamic code to execute a kill-type ECM was displayed today on "Black Sunday".

    First, the bad news: the ECMs wrote 4 bytes to "write once" area of the EEPROM, 8000h-8003h. Unfortunately, one of the bytes that is changed is 8000h, which is checked extremely early in the ROM startup code (003Fh) to see if it contains "33h". These ECMs re-wrote this byte to "00h", which means that it very quickly enters an infinite loop because "P1.7" is not set. Since this area of the H card is "write once", there is no way to reset this byte back to "33h" to allow normal startup to continue, even by way of an unlooper.

    Second, for those interested, here are all the EEPROM addresses that were tested to see if they contained modified bytes. Each byte was tested in its own packet (i.e., one address at a time):
    code:
    - - -
    8243 Vector for setting DPTR to ZKT secret vector
    8246,8247 Vector for Cmd09 vector
    8255 Vector for Ins58 patch vector
    8258 Ins44 preprocessing vector
    825B Ins44 extras vector
    825E Find tier or PPV vector
    8264 "EndInsHandling" vector
    8273 Cmd1F vector
    827C,827D Ins54 vector
    8282,8283 Ins18/Ins1A vector
    8440 First byte of channel blackout data (checked if non-zero)
    8582,858C,8593 Cmd60 code
    85B7 B7 nano vector
    85BE BD nano vector
    85C0,85C1,85C2 C0 nano vector
    85C3 C3 nano vector
    85C6,85C7 C6 nano vector
    85E2,85E6,85ED,85EF,85F6 B5 nano code
    8606,8608,8611 AddAToDfdNanoBufIfFlOpn code
    8630 Deferred Cmd60 processing code
    86DD Never-executed portion of old C6 nano code
    87A1 Old CF nano jump table
    8800 Hash algorithm code
    8955 Main loop vector code
    8973 Ins18/Ins1A code
    8975 Ins54 check code
    8982 Setup for Ins38 code
    89A0,89A3 Setup for Ins44 code
    89A6,89B2,89B9 Setup for Ins4C code
    89DF End of main loop vector code
    8BFE Cmd0C code
    8CC7,8CCA,8CCB Preprocess deferred Cmd60 code
    8CD9,8CDE Cmd0B for non-virgin cards code
    8CF2,8CFE Ins58 patch code
    8D04,8D09,8D0D,8D11,8D14,8D17,8D1A,8D1D,8D20,8D22,8D24,8D25,8D32 Ins54 code
    8D66,8D6A,8D72,8D76 Add ASIC bytes to signature hash code
    8DD0,8DD3,8E68 Do 1 hash iteration code
    8F2F Preprocess Cmd09 code
    8F53 Cmd0C patch 1 code
    - - -
    Here is an example dynamic code packet (for the 8D1Ah address; all of the addresses were tested using similar packets, except for 8440h which used a JNZ instead of JZ):
    code:
    - - -
    C3 nano used to preset RAM locations 10h-1Fh:
    C3 0A 00 20 99 03 AF 01 00 04 00 09 | Seed hash only (using 9 data bytes) results in these bytes at 10h-1Fh:
    20 99 03 AF 01 00 04 00 09 CB 29 71 06 19 74 D0
    Fourth byte loaded in EEPROM write register
    Third byte loaded in EEPROM write register
    Hi byte of 1st loop return address and second byte loaded in EEPROM write register
    Lo byte of 1st loop return address and first byte loaded in EEPROM write register
    Hi byte of 2nd loop return address
    Lo byte of 2nd loop return address
    Hi byte of 3rd loop return address
    Lo byte of 3rd loop return address
    What 8D1Ah is compared to

    The C9 nano looked like this:
    C9 10 20 90 8D 1A E0 47 60 08 90 | Write 15 bytes+RET, execute and hash
    80 00 78 15 75 81 16 :
    which caused this code to be executed:
    893C mov DPTR,#8D1Ah
    893F movx A,@DPTR
    8940 xrl A,@R1
    8941 jz 894Bh
    8943 mov DPTR,#8000h
    8946 mov R0,#15h
    8948 mov SP,#16h
    894B ret
    - - -
    Remember, R1 starts equal to 10h. So the above code does the following:
    Compare 8D1Ah to @10h (which contains #20h)
    If they match, simply return
    Otherwise, set DPTR to 8000h
    Set R0 to 15h
    Reset the stack to 16h and RET, to resume execution at 0400h to load "00 04 00 09" into EEPROM write register which RETs to 01AFh to enable EEPROM write mode
    which RETs to 0399h to write 00 04 00 09 to 8000-8003h.
    In addition, there was an ECM to detect H cards running with non-H CAM IDs, although this packet did not loop the card but simply "locked it up" until the next reset:
    code:
    - - -
    C3 nano used to preset RAM locations 10h-1Fh:
    C3 0B 00 FE FC 32 00 00 04 AC 01 68 14 | Seed hash only (using 10 data bytes) results in these bytes at 10h-1Fh:
    FE FC 32 00 00 04 AC 01 68 14 8A DF A3 AA 81 34
    Hi byte of 1st loop return address
    Lo byte of 1st loop return address
    Hi byte of 2nd loop return address
    Lo byte of 2nd loop return address
    Hi byte of 3rd loop return address
    Lo byte of 3rd loop return address
    Hi byte of 4th loop return address
    Lo byte of 4th loop return address

    The C9 nano looked like this:
    C9 12 20 90 83 74 81 60 07 57 70 | Write 17 bytes+RET, execute and hash
    05 09 B9 12 F6 22 75 81 19 :
    which caused this code to be executed:
    893C mov DPTR,#8374h
    893F movx A,@DPTR++
    8940 jz 8949h
    8942 anl A,@R1
    8943 jnz 894Ah
    8945 inc R1
    8946 cjne R1,#12h,893Fh
    8949 ret
    894A mov SP,#19h
    894D ret
    - - -
    Remember, R1 starts equal to 10h. So the above code does the following:
    If first byte of CAM ID is 00, return (everything OK).
    Otherwise, AND first CAM ID byte with byte @10h (#FEh)
    If result is non-zero (meaning first CAM ID byte is not 01h), go to ECM routine
    Otherwise, AND second CAM ID byte with @11h (#FCh)
    If result is non zero, go to ECM routine
    Otherwise, return (everything OK)
    The ECM routine resets the SP to cause the RET to resume execution at 1468h, which RETs to 01ACh, which RETs to 0400h, which RETs to the infinite loop at 0032h...

    From: Spacemonkey Gleep <Fictitious@Dont.Bother.Its.invalid>
    Newsgroups: alt.dss.hack
    Subject: How Write-Once memory works, or "Why H cards hit by the ECM are never going to be fixed"
    Date: Mon, 22 Jan 2001 10:56:12 -0800
    Message-ID: <Fictitious-402BA7.10561222012001@news.primenet.com>

    In response to the umpty-nine-dozen "Why can't we just..." questions about the corrupted write-once area on the card, here's an explanation that may shed some light. (Note to those "in the know": Yes, I'm simplifying things ridiculously. Not everybody playing in this little sandbox is an EE with the knowledge to understand the inner workings of a chip)

    A byte of RAM memory is a set of 8 cells that can hold a one or a zero. Which cells have 1s in them determines the value of the byte when you read it. With RAM, you can change the values any time you like. You can think of that byte as 8 switches that can be turned on or off in different combinations to give you various values.

    A byte of ROM is similar, in that it's 8 cells that can each hold a 1 or a 0. Unlike RAM, these 1s and 0s are fixed. Instead of the "switches" that RAM has, you can think of ROM as having either a wire (for a 1) or no wire (for a zero). They can't be changed once made. The wire (or lack of one) is a permanent thing.

    A byte of Write-Once memory (Also known as "PROM", or "Programmable Read Only Memory") has characteristics of both RAM and ROM. Like RAM, you *CAN* write to it, under certain circumstances. Like ROM, once written, it's **FOREVER**. Think of a byte of PROM as being 8 microscopic fuses.

    When the chip is made, all the fuses are "good". If you could see it at the microscopic level, it would look something like this: ( each | is a fuse that isn't blown )

    | | | | | | | |

    and would have the value FF, or 255 in decimal.

    Now, let's say you want the byte to have the value B7 (That's 183 in decimal, and in binary, it's 10110111) To write that value to it, you deliberately burn out two fuses in the byte, leaving it looking like this: (| = unblown fuse, : = blown fuse)

    | : | | : | | |

    From that point, it would be possible to write to it again, and change the value, *BUT* there's a catch. You can only "blow" more fuses. You can't "un-blow" fuses that are already blown. This means that a number that needs one of the fuses that's already blown out is going to be impossible to write.

    So why is this a problem?

    Normally, byte 8000 of the H card holds the value 33 (in Decimal, 51. In binary, 00110011) and the byte looks like this:

    : : | | : : | |

    But after being hit by DTV's ECM last night, the byte is set to 00 - it looks like this:

    : : : : : : : :

    There's no fuses left to blow out. They're all gone. That means that forever and always, byte 8000 of your ECMed card is going to say "I'm holding the value 00" when asked.

    Why this means the card is permanently dead:

    VERY early after the card gets powered up and reset, a check is done:

    Does byte 8000 hold the value 33?

    If the answer to that question is yes, then all is right with the world, and things start happening. The card gets initialized, spits out the ATR string, and then goes into "wait for a command from the IRD" mode. If, on the other hand, the answer is no, then the card goes into an infinite loop that does nothing. If you program in BASIC, it's the equivalent of the line

    10 GOTO 10

    NOTHING gets done until the next time the card is reset. And then the same thing happens all over again.

    This check is in the card's ROM, so it can't be bypassed or changed.

    Reprogramming the card won't do anything useful, since the ROM doesn't even get looked at, let alone messed with, by programmers (or unloopers, for that matter) and even if it did, it wouldn't do anything useful, since ROM can't be changed (short of actually damaging it).

    So how can it be fixed?

    The simple answer: It can't. Congratulations. Your H card is now an ice scraper. Get used to it. Life sucks.

    The more extended answer:

    If you've got the micro-tools to "rebuild" the blown fuses on the chip, you could go that route, but unless you're a chip manufacturer, or have access to that type of equipment somehow, you ain't got a prayer. We're talking about electron microscopes, tools for depositing single atoms onto the silicon wafer itself, that sort of thing. In other words, trying to do it is going to mean more money, knowledge, equipment, and effort than most any of us are capable of applying to the problem.

    In short, last night's ECM was the ECM to end all ECMs. Any card hit by it is toast, and barring someone developing a cheap way to rebuild chips at the wafer level (which isn't even remotely likely to happen anytime soon) there isn't a thing that can be done about it. Enjoy your new ice scraper.

    Or get in touch with me about shipping it to me. I want to dissect it to get the ASIC out of it for some experimenting I want to do.
    --
    GLEEEEEP!!!!
    PGP KeyID: 0x016B6B53 on the keyservers.
    http://www.megsinet.net/~kayo/index.html
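
The write-once behaviour and kill sequence described in the two quoted posts, as an added C model that is not part of the original comment or of any card firmware. It assumes a write-once byte starts at FFh and a write can only clear bits (the fuse picture above); the type and function names and the sample "modified" byte 02h are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Added model, not card firmware. Assumption taken from the fuse explanation:
   a write-once byte starts at FFh and a write can only clear bits. */
#define WO_BASE    0x8000u  /* write-once area 8000h-8003h, per the first post */
#define BOOT_MAGIC 0x33u    /* value the ROM startup code expects at 8000h */

typedef struct { uint8_t cell[4]; } wo_area;

static void wo_init(wo_area *m) {
    for (int i = 0; i < 4; i++) m->cell[i] = 0xFF;   /* all fuses intact */
}

/* Blow fuses: stored = stored AND value. Returns 1 if the byte now reads as value. */
static int wo_write(wo_area *m, uint16_t addr, uint8_t value) {
    uint8_t *c = &m->cell[addr - WO_BASE];
    *c &= value;                                     /* bits can go 1 -> 0, never back */
    return *c == value;
}

/* ROM startup check: 1 = boot continues, 0 = the card sits in its infinite loop. */
static int rom_boot_ok(const wo_area *m) { return m->cell[0] == BOOT_MAGIC; }

/* One detection packet: compare a tested EEPROM byte with the expected value;
   on mismatch write 00 04 00 09 to 8000h-8003h. Returns 1 if the kill ran. */
static int ecm_packet(wo_area *m, uint8_t eeprom_byte, uint8_t expected) {
    static const uint8_t kill[4] = {0x00, 0x04, 0x00, 0x09};
    if ((eeprom_byte ^ expected) == 0) return 0;     /* xrl A,@R1 / jz: simply return */
    for (uint16_t i = 0; i < 4; i++)
        wo_write(m, (uint16_t)(WO_BASE + i), kill[i]);
    return 1;
}

int main(void) {
    wo_area card;
    wo_init(&card);
    wo_write(&card, 0x8000, BOOT_MAGIC);             /* normal card: 8000h = 33h */
    printf("boot before ECM: %d\n", rom_boot_ok(&card));
    printf("kill ran: %d\n", ecm_packet(&card, 0x02, 0x20)); /* constructed modified byte */
    printf("rewrite 33h worked: %d\n", wo_write(&card, 0x8000, BOOT_MAGIC));
    printf("boot after ECM: %d\n", rom_boot_ok(&card));
    return 0;
}
```

The failed rewrite is the point: 00h AND 33h is still 00h, so no later write can restore the value the startup check needs.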

  • by American AC in Paris (230456) on Thursday January 25, 2001 @07:34AM (#482414) Homepage
    I respect that they put up the satellite, and started the TV service.. however....

    They are broadcasting signals over PUBLIC airspace, including INTO MY YARD. If I feel like putting up a dish to capture that signal and manipulate it *however I want* within my own property, that should be my absolute right (though the law may not agree). If they don't want me to receive the signal, don't broadcast it into my yard. PERIOD.

    The airwaves are PUBLIC.

    ...and by this same reasoning, DirecTV has every right to send signals that will disable Hughes chips. If you don't want to receive these signals, you shouldn't be listening for them in the first place. It isn't DirecTV's fault if your self-hacked hardware doesn't react properly to their signal.

    The airwaves are public, after all.

    information wants to be expensive...nothing is so valuable as the right information at the right time.

  • by wackysootroom (243310) on Thursday January 25, 2001 @05:10AM (#482436)
    Hackers will find a way around the new system. They always find a way, and they will have fun doing it.

  • by eXtro (258933) on Thursday January 25, 2001 @06:07AM (#482461) Homepage
    This may get me modded down as a troll, but what DirecTV did was a hack and a beautiful one no less. I actually feel that I need to tip my hat to the engineers involved. If companies are going to try and prevent hackers from using their product then this is the way to go. I have respect for this as opposed to the "send in the lawyers" approach. Sure, DirecTV did that as well, but this was elegant. They hacked the hackers.

    I personally believe that any signals that happen to cross the boundaries of my property are mine to do with as I wish, but I also believe that the senders of those signals have the right (and in the case of a commercial enterprise, the necessity) to try and protect those signals.

    This should be listed as one of the Top Ten Hacks of all time.
