******************************************************************
*---------------- Syndicated Hack Watch - 04:1994 ---------------*
******************************************************************
*-------------- Special Projects BBS +353-51-50143 --------------*
*-------------- SysOp: John McCormac --------------*
******************************************************************
*------------- (c) 1993 MC2 (Publications Division) -------------*
*--------------- 22 Viewmount, Waterford Ireland ----------------*
******************************************************************
******************************************************************
Syndicated Hack Watch is copyrighted material. All unauthorised
reproduction whether in whole or in part, in any language will be
suitably dealt with.
******************************************************************
Contact Numbers:
Voice: +353-51-73640
Fax: +353-51-73640
BBS: +353-51-50143 HST - Special Projects BBS
E-mail: [email protected]
FidoNet: 2:263/402
******************************************************************
The OMIGOD Hack
It was a long time coming and News Datacom and Sky seemed to
ignore every sign. Perhaps they were too concerned with the Ho Lee
Fook hack. This latest hack, coming as it does in the twilight of
the issue 07 is perhaps the death knell for Sky's 07 smart card.
The OMIGOD hack is simply a computer program that allows you to
use your IBM Compatible computer as a glorified smart card. You
connect a small interface circuit between the serial port on the
computer and the VideoCrypt decoder's card slot. Then you run the
program. It decodes all of the BSkyB encrypted channels.
The present version of the hack works on IBM compatible computers
and an Apple MAC version will be available within the next week or
so. Amiga and Atari versions may also be created.
The program was created in Germany so that those outside of the UK
and Ireland could watch Star Trek. The title of the program is
Season 7 after the current season of Star Trek - The Next
Generation. Sky have repeatedly refused to give subscriptions to
those outside of the UK and Ireland so therefore something had to
be done.
As it turns out many hackers are also fans of Star Trek and Deep
Space 9. It was only logical that the hack was pursued. Some
actually tied up mainframe computers doing real-time descrambling
of the VideoCrypt signal. It was not a viable solution as most
hackers did not have access to mainframe computers. However many
of them had access to IBM compatible personal computers.
The PC VC Emulator program is perhaps the most dangerous thing
ever to have happened to Sky and News Datacom. The fact that this
program even exists contradicts the publicity claims made about
VideoCrypt. It appears that News Datacom completely misunderstood
what a hack on VideoCrypt would consist of. As a direct result of
this the Ho Lee Fook and the OMIGOD hack can operate freely.
The program is intended to be used and distributed outside of the
UK. It may well be illegal in the UK under the Copyright Patents
and Designs Act 1988. Of course the problem with the law is that
it technology leaves it standing in quicksand.
Since the program is a DOS executable, it can be stored in Zipped
form on any bulletin board system. Theoretically anyone with a
modem and a computer could download this program from a bulletin
board outside of the UK. Nothing short of cutting all of the UK's
international telephone lines will stop its importation to the UK.
Of course it may already be there.
The interface for the computer to decoder link is actually a
simple two chip design. A MAX232 integrated circuit converts the
RS232 signals to TTL and also the TTL signals to RS232. A 74LS07
hex open collector buffer is used to allow the connection of the
received data line and transmitted data line on the computer's
RS232 interface to the DATA line on the smart card interface.
The most troublesome aspect of the hack is the dummy smart card.
While a directly wired connection to the VideoCrypt decoder is
possible, it is a messy and potentially dangerous option. The
dummy smart card option is the more elegant of the two.
As with most experimentation with smart cards, the printed circuit
board material is too thick. With typical thicknesses of 1.6
millimetres, ordinary PCB material is too thick for the decoder's
smart card socket. The easiest solution is to sand down the PCB
material to the 0.78 millimetre thickness required.
A text file is included with the release version of the OMIGOD
hack. All of the necessary details required to build the interface
are contained therein. No doubt there will be some versions of the
interface on sale in the very near future.
The cost of this interface is in the region of five pounds. The
potential hacker has the essential piece of equipment - the
computer. So for a fiver it is possible to watch all of the Sky
channels. Of course the alternative view is that you are using a
thousand pound computer as a glorified smart card. That is a
rationalisation worthy of Sky's publicity department.
Naturally when the new issue 09 smart card is put into operation,
this hack and all of the other hacks on the 07 smart card will be
affected. The problem is that nobody is completely sure when the
switchover to the 09 smart card will occur.
Three Cards On VideoCrypt?
According to sources, there are currently three version of the Sky
card in operation. Issues 07, 08 and 09 are in use on the
VideoCrypt system. This is an unprecedented event and points to a
major loading of the VideoCrypt over the air addressing system.
The current batch of cards is issue 07. This batch of cards was to
have been replaced by an issue 09 card. Issue 08 was apparently
abandoned as it was based on similar technology and algorithms to
the hacked 07 card.
Over the last few months, we received some vague reports of issue
08 cards turning up in commercial premises such as pubs and cable
companies. These reports now seem to have been accurate. Though in
Ireland, more pubs have been opting for the pirate cards as they
are cheaper than an official subscription.
The launch of the 09 smart card has naturally disturbed the
Blackbox market for pirate smart cards. Prices have nose-dived
over the last few months as the news of the 09 smart card
gradually filtered into the market.
The 09 launch has not been smooth. Many customers have still not
received their issue 09 smart card and are still running on 07
cards. Some magazines have had reporters selected to receive free
cards. Even that august bastion of JAFAdom, Satellite Trader, has
received one. Not unexpectedly, Hack Watch News received nothing.
This kind of operation is smart. It targets what the marketing
people consider to be opinion formers. It is effectively a perk of
the job or what hackers would refer to as a bribe. The idea is
that the people who get the complimentary subscriptions write
glowing praise and nice things about Sky.
The rumours about the slow and sporadic delivery of the 09 smart
cards have been rife. One such rumour claimed that there was a
problem in the pay per view routines of the 09 card. This problem
was only discovered after about one hundred thousand cards had
been shipped. Though apparently this problem has been solved with
the latest cards.
The present situation means that the current datastream has to
work with three versions of the Sky smart card. It would have the
knock-on effect of making any electronic countermeasure, (ECM), a
very risky affair. Therefore from Sky's point of view, the sooner
the 09 goes into full operation the better.
One factor that linked some of the people who were first to
receive issue 09 smart cards was that at one time they had
requested a second smart card from Sky. However the distribution
of the official cards in the UK seems to be gathering pace.
Strangely, the only people to have received the 09 smart cards in
Ireland are ASA dealers. Some of them are actually selling pirate
cards as well.
Key TV - Better Than The Real Thing
It was more impressive than any of the digital video
demonstrations at the Cable And Satellite Show. Key TV, the
VideoCrypt compatible scrambling system from Chris Carey, was
being displayed to an deeply interested industry.
Many of the channels currently on the hacked Sky card no doubt
showed an interest in the system. After all the Key TV option was
a lot more secure than VideoCrypt.
Whereas VideoCrypt uses a known architecture smart card, Key TV
uses an ASIC. A smart card is easier to reverse engineer because
it is a largely known architecture. With the ASIC architecture, a
potential hacker has to figure out the function of every gate in
the chip. This is a far more difficult task and would take an
estimated nine months to carry out. The only company ever to have
undertaken such an operation is the company responsible for Key
TV.
Perhaps in the next few months, there will be a number of channels
using this system instead of going to Sky and News Datacom. Many
in the industry have expressed reservations about the monopoly
that News Datacom holds over the English language satellite
television market. Somehow there is the feeling that channels
would feel a lot safer using a system developed by experts who
know where the weaknesses that allow a system to be hacked lie.
Black Book 4 To Be Published In April
In late April, the fourth Black Book will be published. The Black
Book is also known as European Scrambling Systems. It is the bible
of the Blackbox Industry.
The new version concentrates on the smart card hacks and how they
operate. Details of smart cards and computer monitoring circuitry
are provided. The majority of the systems in Europe are now
hacked. Perhaps more importantly it shows how the present hacks
will develop in the near future.
The chapter on cryptology has been expanded to cover message
digests, hash functions and one way functions. The Fiat Shamir
Zero Knowledge Test, allegedly used in VideoCrypt is fully
explained. Details of how crypto systems are hacked are also dealt
with in detail. In the Irish High Court, Sky and News Datacom
claimed that they had developed a one way function.
This chapter examines that claim and shows both how a one way
function works. It also shows how the Ho Lee Fook hack on the
VideoCrypt crypto system operates, complete with worked examples
in psuedo code and C.
The official price of the book is 32.00 plus postage but to those
electronically aware people reading this via a bbs, fidonet or
usenet, I have decided that the price of the book will be 25.00
pounds Including postage.
This special offer price includes postage in the EC. Payment can
be made by UK or Irish cheque or draft. Alternatively payment by
credit card is possible. Visa and Mastercard / Access acceptable.
Either fax the order to the phone number below or use the
[email protected] e-mail address. Alternatively telephone
(voice) after 1400 Hrs to order.
-------------------------------------------------------------------------
| John McCormac | Hack Watch News |
| Editor - Hack Watch News | MC2 (Publications Division) |
| Voice & Fax: +353-51-73640 | 22 Viewmount, Waterford |
| BBS: +353-51-50143 | Ireland |
| e-mail: [email protected] |-------------------------------
| [email protected] | Black Book 4 Available April |
-------------------------------------------------------------------------
�