****************************************************************** *---------------- Syndicated Hack Watch - 04:1994 ---------------* ****************************************************************** *-------------- Special Projects BBS +353-51-50143 --------------* *-------------- SysOp: John McCormac --------------* ****************************************************************** *------------- (c) 1993 MC2 (Publications Division) -------------* *--------------- 22 Viewmount, Waterford Ireland ----------------* ****************************************************************** ****************************************************************** Syndicated Hack Watch is copyrighted material. All unauthorised reproduction whether in whole or in part, in any language will be suitably dealt with. ****************************************************************** Contact Numbers: Voice: +353-51-73640 Fax: +353-51-73640 BBS: +353-51-50143 HST - Special Projects BBS E-mail: [email protected] FidoNet: 2:263/402 ****************************************************************** The OMIGOD Hack It was a long time coming and News Datacom and Sky seemed to ignore every sign. Perhaps they were too concerned with the Ho Lee Fook hack. This latest hack, coming as it does in the twilight of the issue 07 is perhaps the death knell for Sky's 07 smart card. The OMIGOD hack is simply a computer program that allows you to use your IBM Compatible computer as a glorified smart card. You connect a small interface circuit between the serial port on the computer and the VideoCrypt decoder's card slot. Then you run the program. It decodes all of the BSkyB encrypted channels. The present version of the hack works on IBM compatible computers and an Apple MAC version will be available within the next week or so. Amiga and Atari versions may also be created. The program was created in Germany so that those outside of the UK and Ireland could watch Star Trek. The title of the program is Season 7 after the current season of Star Trek - The Next Generation. Sky have repeatedly refused to give subscriptions to those outside of the UK and Ireland so therefore something had to be done. As it turns out many hackers are also fans of Star Trek and Deep Space 9. It was only logical that the hack was pursued. Some actually tied up mainframe computers doing real-time descrambling of the VideoCrypt signal. It was not a viable solution as most hackers did not have access to mainframe computers. However many of them had access to IBM compatible personal computers. The PC VC Emulator program is perhaps the most dangerous thing ever to have happened to Sky and News Datacom. The fact that this program even exists contradicts the publicity claims made about VideoCrypt. It appears that News Datacom completely misunderstood what a hack on VideoCrypt would consist of. As a direct result of this the Ho Lee Fook and the OMIGOD hack can operate freely. The program is intended to be used and distributed outside of the UK. It may well be illegal in the UK under the Copyright Patents and Designs Act 1988. Of course the problem with the law is that it technology leaves it standing in quicksand. Since the program is a DOS executable, it can be stored in Zipped form on any bulletin board system. Theoretically anyone with a modem and a computer could download this program from a bulletin board outside of the UK. Nothing short of cutting all of the UK's international telephone lines will stop its importation to the UK. Of course it may already be there. The interface for the computer to decoder link is actually a simple two chip design. A MAX232 integrated circuit converts the RS232 signals to TTL and also the TTL signals to RS232. A 74LS07 hex open collector buffer is used to allow the connection of the received data line and transmitted data line on the computer's RS232 interface to the DATA line on the smart card interface. The most troublesome aspect of the hack is the dummy smart card. While a directly wired connection to the VideoCrypt decoder is possible, it is a messy and potentially dangerous option. The dummy smart card option is the more elegant of the two. As with most experimentation with smart cards, the printed circuit board material is too thick. With typical thicknesses of 1.6 millimetres, ordinary PCB material is too thick for the decoder's smart card socket. The easiest solution is to sand down the PCB material to the 0.78 millimetre thickness required. A text file is included with the release version of the OMIGOD hack. All of the necessary details required to build the interface are contained therein. No doubt there will be some versions of the interface on sale in the very near future. The cost of this interface is in the region of five pounds. The potential hacker has the essential piece of equipment - the computer. So for a fiver it is possible to watch all of the Sky channels. Of course the alternative view is that you are using a thousand pound computer as a glorified smart card. That is a rationalisation worthy of Sky's publicity department. Naturally when the new issue 09 smart card is put into operation, this hack and all of the other hacks on the 07 smart card will be affected. The problem is that nobody is completely sure when the switchover to the 09 smart card will occur. Three Cards On VideoCrypt? According to sources, there are currently three version of the Sky card in operation. Issues 07, 08 and 09 are in use on the VideoCrypt system. This is an unprecedented event and points to a major loading of the VideoCrypt over the air addressing system. The current batch of cards is issue 07. This batch of cards was to have been replaced by an issue 09 card. Issue 08 was apparently abandoned as it was based on similar technology and algorithms to the hacked 07 card. Over the last few months, we received some vague reports of issue 08 cards turning up in commercial premises such as pubs and cable companies. These reports now seem to have been accurate. Though in Ireland, more pubs have been opting for the pirate cards as they are cheaper than an official subscription. The launch of the 09 smart card has naturally disturbed the Blackbox market for pirate smart cards. Prices have nose-dived over the last few months as the news of the 09 smart card gradually filtered into the market. The 09 launch has not been smooth. Many customers have still not received their issue 09 smart card and are still running on 07 cards. Some magazines have had reporters selected to receive free cards. Even that august bastion of JAFAdom, Satellite Trader, has received one. Not unexpectedly, Hack Watch News received nothing. This kind of operation is smart. It targets what the marketing people consider to be opinion formers. It is effectively a perk of the job or what hackers would refer to as a bribe. The idea is that the people who get the complimentary subscriptions write glowing praise and nice things about Sky. The rumours about the slow and sporadic delivery of the 09 smart cards have been rife. One such rumour claimed that there was a problem in the pay per view routines of the 09 card. This problem was only discovered after about one hundred thousand cards had been shipped. Though apparently this problem has been solved with the latest cards. The present situation means that the current datastream has to work with three versions of the Sky smart card. It would have the knock-on effect of making any electronic countermeasure, (ECM), a very risky affair. Therefore from Sky's point of view, the sooner the 09 goes into full operation the better. One factor that linked some of the people who were first to receive issue 09 smart cards was that at one time they had requested a second smart card from Sky. However the distribution of the official cards in the UK seems to be gathering pace. Strangely, the only people to have received the 09 smart cards in Ireland are ASA dealers. Some of them are actually selling pirate cards as well. Key TV - Better Than The Real Thing It was more impressive than any of the digital video demonstrations at the Cable And Satellite Show. Key TV, the VideoCrypt compatible scrambling system from Chris Carey, was being displayed to an deeply interested industry. Many of the channels currently on the hacked Sky card no doubt showed an interest in the system. After all the Key TV option was a lot more secure than VideoCrypt. Whereas VideoCrypt uses a known architecture smart card, Key TV uses an ASIC. A smart card is easier to reverse engineer because it is a largely known architecture. With the ASIC architecture, a potential hacker has to figure out the function of every gate in the chip. This is a far more difficult task and would take an estimated nine months to carry out. The only company ever to have undertaken such an operation is the company responsible for Key TV. Perhaps in the next few months, there will be a number of channels using this system instead of going to Sky and News Datacom. Many in the industry have expressed reservations about the monopoly that News Datacom holds over the English language satellite television market. Somehow there is the feeling that channels would feel a lot safer using a system developed by experts who know where the weaknesses that allow a system to be hacked lie. Black Book 4 To Be Published In April In late April, the fourth Black Book will be published. The Black Book is also known as European Scrambling Systems. It is the bible of the Blackbox Industry. The new version concentrates on the smart card hacks and how they operate. Details of smart cards and computer monitoring circuitry are provided. The majority of the systems in Europe are now hacked. Perhaps more importantly it shows how the present hacks will develop in the near future. The chapter on cryptology has been expanded to cover message digests, hash functions and one way functions. The Fiat Shamir Zero Knowledge Test, allegedly used in VideoCrypt is fully explained. Details of how crypto systems are hacked are also dealt with in detail. In the Irish High Court, Sky and News Datacom claimed that they had developed a one way function. This chapter examines that claim and shows both how a one way function works. It also shows how the Ho Lee Fook hack on the VideoCrypt crypto system operates, complete with worked examples in psuedo code and C. The official price of the book is 32.00 plus postage but to those electronically aware people reading this via a bbs, fidonet or usenet, I have decided that the price of the book will be 25.00 pounds Including postage. This special offer price includes postage in the EC. Payment can be made by UK or Irish cheque or draft. Alternatively payment by credit card is possible. Visa and Mastercard / Access acceptable. Either fax the order to the phone number below or use the [email protected] e-mail address. Alternatively telephone (voice) after 1400 Hrs to order. ------------------------------------------------------------------------- | John McCormac | Hack Watch News | | Editor - Hack Watch News | MC2 (Publications Division) | | Voice & Fax: +353-51-73640 | 22 Viewmount, Waterford | | BBS: +353-51-50143 | Ireland | | e-mail: [email protected] |------------------------------- | [email protected] | Black Book 4 Available April | -------------------------------------------------------------------------