💾 Archived View for gemini.spam.works › mirrors › textfiles › hacking › shw0893.asc captured on 2021-12-04 at 18:04:22.

View Raw

More Information

-=-=-=-=-=-=-

Syndicated Hack Watch 08:93

The Start Of The War

Sky  had suffered its most devastating hack to date. Its  security 
was  demolished  and  the MultiChannels package was  about  to  be 
introduced.  They  had to do something fast or it would  all  slip 
away.

The  Blackbox industry was beginning to move the pirate cards  for 
Sky  in  volume. There were talks of quantities  of  ten  thousand 
being  sold. Cards were beginning to filter into the UK.  At  this 
stage Sky had no option but to move. The pirates were attacking on 
the home front. This was economic war and Sky was losing.

The  Grey  Market  piracy of a card for a card  was  an  essential 
factor in Sky's growth. As long as it wasn't too overt then it did 
not  seem to matter. Sky were benefiting from the  arrangement  as 
was the other channels such as FilmNet.

With  the  advent of the Ho Lee Fook hack the Grey  Piracy  market 
took a bit of knock. The Ho Lee Fook card and chip allowed  access 
to  all VideoCrypt scrambled channels. The prices varied  but  the 
lowest  quoted figure was ?99.00. Considerably less than what  Sky 
were charging for the whole package. 

As if by some miracle, Sky and News Datacom came up with a fix for 
the  hack. Yes it was not really Sky's responsibility to  fix  the 
hack. News Datacom, the designers of the security architecture had 
to try and stop the Ho Lee Fook hack. It seemed that the had found 
a solution.

As with all events in the Blackbox industry, it has been  assigned 
a catchy name. The name of solution is the "Zombie Fix". No,  this 
is  not  the name for the  continual brainwashing adverts  on  Sky 
One.   The  reason for the name is that old  cards  have  recently 
started  to  work  again on this 3.5 Second on -  3.5  Second  off 
cycle.  Cards that have been authorised for Sky's  movie  channels 
are  working on TV Asia. Other cards such as those for  the  Adult 
Channel are working on the same basis on the Sky channels.

The  Blue card that I had received started to act funny. At  first 
it happened on only Sky Movies and The Movie Channel. Sky Gold and 
TV  Asia were unaffected. It could have been a problem on the  Sky 
channels  but experience and instinct proved otherwise. It  was  a 
countermeasure. After a few days, the same sort of effect occurred 
on TV Asia and Sky Gold. The upgrade to VideoCrypt was complete. 

The program in the Ho Lee Fook card and chip apparently  contained 
enough  to decode the scrambled channel but not enough to  respond 
to the over the air switch off codes. This limited  implementation 
meant  that the hack was a very powerful one. It was not  possible 
for  Sky and News Datacom to actually send out a command  for  the 
card to switch off. What this implies is that the card had  enough 
information  and  data  to  decode  the  channels.  The  hack  had 
separated the access control from the decryption aspect.

Of  course  the  fact that the Ho Lee Fook hack  was  not  a  full 
implementation  may  well have provided a weak spot  for  Sky  and 
News Datacom. 

This  is the point at which the hack was attacked. The  datastream 
on  the  VideoCrypt  system  appears to  have  been  altered.  The 
alteration  did not affect the official Sky cards but  the  pirate 
cards and chips started to malfunction.

Essentially  the  Zombie Fix caused the pirate card  to  return  a 
fixed key every second time. This is the standard response when  a 
bad  card is inserted. The card cannot match the challenge and  it 
jumps to a sub-routine that returns a fixed key.

The  standard response to the wrong card being inserted is  hidden 
from  the viewer. Ordinarily when the wrong card is  inserted  the 
on-screen graphics will make the fact clear. Sky and News  Datacom 
were a little clever here.

The  data for "Wrong Card Inserted" may well be passed to  the  on 
screen  graphic display chip. A signal is being sent out over  the 
air  to this chip to switch it off during this operation.  One  of 
the  effects of the countermeasure is that the channel  identifier 
message does not come up on the screen either.


ECM Meets Electronic Counter Counter Measure

At  this  stage  the war between the pirates and  Sky  is  growing 
complex.  The  Zombie Fix has been met with a new  card  and  chip 
issue.  The  new card and chip work on the Sky  channels  and  the 
other VideoCrypt scrambled channels.

According to sources the hackers only took ten minutes to come  up 
with the solution to the Zombie Fix. It was, apparently, a  rather 
simple one but it did require the replacement and upgrading of all 
the pirate cards and chips on the market. It appeared that Sky had  
hit the pirates. 

The problem for Sky and News Datacom is that they are not  dealing 
with  a  FilmNet type situation.  When FilmNet's  analogue  SatPac 
system  was  being pirated, the market was at its  most  expanded. 
Every  Tom Dick and Harry was involved and there was  very  little 
organisation.  The current pirate market is better  organised  and 
the buy in price is high financially and technologically.

The  main problem of getting the updated hack into the market  now 
seems to have been solved. Some dealers in Holland were  promising 
a  one week turn around on the chips and cards.  From  information 
received this time schedule has been followed.

The Blackbox Industry has recovered from the Zombie Fix at a  rate 
that has alarmed Sky and News Datacom. The recovery appears to  be 
just in time for the introduction of the Sky MultiChannel package.


The Next Move

With the imminent introduction of Sky MultiChannels, a compromised 
VideoCrypt is a very big problem. It remains to be seen what  will 
happen.  Sky  and  News Datacom will have to make a  move  on  the 
situation soon.

Assuming  they  have another fix up their sleeves  they  can  wait 
until  the  market  is  saturated  with  pirate  cards  and   then 
introduce the electronic counter measure (ECM). It would naturally 
have the most effect as it would deter a larger number.

However  pressure  from other users of the VideoCrypt  system  may 
force  the  situation. There are two options here:  the  immediate 
introduction of the ECM or the introduction of a new card  series. 
Both  options  hinge on availability. If there is no  ECM  now  or 
likely  within the next few months, Sky and News Datacom  will  be 
forced into bringing the 08 series of cards. Again if there is not 
a  sufficient number of the 08 cards available they will  have  to 
maintain the 07 issue and with it the pirate market.

Normally  the  smart cards are changed in the  Spring  or  Autumn. 
Introducing  the  08  issue card over the next  few  months  would 
conform  to  the  pattern  but  the  logic  is  flawed.  The   Sky 
Multichannels is coming into operation over the same time  period. 
The  subscriptions and card administration will place a strain  on 
Sky's  operation  and  the  hassle  from  new  cards  would   only 
complicate things.

If  Sky  do introduce a new card issue then it may  occur  anytime 
from  October onwards. Some sources favour April 1994 for the  new 
issue.

The question of Pay Per View still remains unanswered. The 07 card 
issue  was  to have handled this facility. The P000 T000  was  the 
indication. With the Ho Lee Fook hack it would seem that the  idea 
was   stalled  for  the  moment.  Hypothetically  the   Sky   Gold 
transponder  might be the ideal path for a PPV service. Of  course 
if the hack is as dangerous as everyone thinks then it is possible 
that the PPV routines will have been compromised as well. 

A  hack  on the PPV routines would in some senses be  more  severe 
than  the hack on the VideoCrypt system. The PPV channel would  be 
carrying premium programming and would be far more costly than the 
movie or sports channels. Therefore a pirate card that would  give 
infinite tokens or credits would be extremely valuable.



Hi-Tech's Card Trick

The  Hi-Tech Card Tricks card is a reality and it works. The  card 
is  black  and  uses a PIC processor. When  tested  it  worked  on 
FilmNet.  It  seems that once again FilmNet are  in  trouble.  The 
EuroCrypt-M system is now compromised. 

The  reason that the card handles only FilmNet is the legality  of 
the  situation.  If  the  card  actually  decoded  the  TV3/Tv1000 
channels  then it would be just as illegal in the UK as  a  pirate 
Sky card. 

The  problem  has  to  do  with  the  uplink  or  origination   of 
TV3/TV1000.  Since  it  is  being  uplinked  from  the  UK  it  is 
technically a UK originated channel and is therefore protected  by 
the  UK  Copyrights Patents And Designs Act - just like  Sky.  The 
tricky  question  of the porn is neatly sidestepped.  They  uplink 
that from outside the UK.

The cost of the card is ?150 and it is available from Hi-Tech.  It 
is  the only card that descrambles D2-MAC EuroCrypt-M  signals  at 
the moment.



Active Logic - Cannot Recommend A Purchase - Yet

A company called Active Logic has been advertising heavily in What 
Satellite  and  claiming to supply pirate smart cards  for  D2-MAC 
channels  such as FilmNet. The advert is cause for concern  as  it 
promises a lot but is too cleverly worded to make coherent  sense. 
It  assures  the reader that the cards are Unique  Clone  Designs. 
This  is a bit of a contradiction in terms. Other factors such  as 
the wording of the advertisement have given brought back  memories 
of   PR  Technology's  brash  style.  Now  they  may  be   totally 
unconnected.

The  hints at the cards for other D2-MAC channels being  available 
are  decidedly  dodgy. If they have pirate cards  for  TV3/TV1000,  
then  they are in violation of the Copyright Patents  And  Designs 
Act.  The advert also mentions that there is a German address.  If 
they  are  clever then they may try to use the German  address  to 
ship these cards from. Even so it would still put the UK operation 
in trouble as they would be supplying information and a product in 
breach of the act.


Red Hot Television To Make A Comeback

It  appears  that  despite the rumours  floating  about,  Red  Hot 
Television is not dead yet. What appears to have happened was that 
the  operation  in  Denmark was closed down but  not  the  channel 
itself. The channel was busy arranging alternative finance.

According to some reports they have arranged the new financing and 
will be back on Eutelsat 2-F1 within the next few weeks. The  test 
bar  transmissions  on the same Eutelsat transponder  (11.181  GHz 
Horizontal)  are  scheduled to start on August 24th  with  a  full 
service resuming on August 29th.

The  scrambling system that they will use for the next  few  weeks 
will be the SAVE system. This means that the present array of SAVE 
descramblers will not have to be upgraded just yet.

The tests of the Enigma-1 system just before the channel went off-
air were successful and it is believed that the smart card for the 
channel was into the prototype stage.

The  hack on the VideoCrypt system threw up an unexpected  problem 
in  that  the JSTV smart card actually  descrambled  the  Enigma-1 
scrambled signal. There were no doubt a lot of happy JSTV  viewers 
except  that  there  was a "Wrong Card Inserted"  graphic  over  a 
rather  strategic  part of the screen. Both the new and  old  JSTV 
cards  appeared to work on the system. Of course the channel  will 
eventually,  according  to  the information  received,  switch  to 
Enigma-1.

There  are other porn channels who claim to be starting  up  soon. 
TV69  apparently  has the backing of some  ex-Red  Hot  Television 
people  and VTO. It will, so the claim, use VideoCrypt with  cards 
supplied via the Adult Channel. This is only one of a few channels 
that  may or may not start transmitting over the next few  months. 
After 12 Europe is also one of those mooted. It remains to be seen 
which will actually start transmitting. 


Syndicated Hack Watch  -  Copyright (c) 1993 All Rights Reserved

                    MC2 Publications Division 
                     22 Viewmount, Waterford,
                             Ireland