Slashdot Mirror
Vivendi Universal vs. News Corporation
timbo_red writes: "According to a BBC story, NDS, a company 80% owned by Rupert Murdoch's News Corp is being sued by Canal+ for allegedly cracking their smart cards, which could have had a serious effect on ITV digital, the major UK competitor to Murdochs Sky digital in the UK pay TV market."
So it seems that Canal+ are alledging that NDS (which News Corp alledges operates independantly despite being 80$ owned by NC) cracked their smart cards and published the result online! Either something very sinister happened (but I can't see how this would benefit NC as it would simply provide digital TV service of the wrong kind to their potential customers also) or this is the act of one person (or a very small group) within NDS who were stupid enough to post the crack from a trackable IP. It would be nice to know more, anyone have any substantial links?
Never underestimate the dark side of the Source
A French subsidiary of a French multinational is suing a British subsidiary of an (Australian?) (British?) multinational in a U.S. court, over a conspiracy centered in London?
Is this some sort of Pythonic joke?
668: Neighbour of the Beast
Better Article
Turns out the lawsuit is in California because it was NDS Americas Inc. that transmitted the details onto the Internet.
Remarkably, the article doesn't mention if the DMCA is being invoked. It probably won't be, because then it would be applied in the manner Congress actually meant, which would break the perfect record of the DMCA only being misused. Also, News Corp. and it's subsidiaries are quite capable of fighting a legal battle of almost any scope and duration. This would increase the risk of an actual court precedent against the DMCA. Once again, this would break the perfect record of the DMCA only being invoked against relatively powerless victims. The DMCA is far too powerful a tool for misuse for anyone to risk it's long and promising future.
AFAIK is not "mathematically impossible" to break even the strongest crypto available. It is "computationally infeasable." I.e., it's mathematically possible (by factoring all the large primes that could have been used for the key, for instance), but you can't afford the time/money (mostly time) required.
Quick summary for US readers - Canal+ (the french cable TV channel) uses SECA encryption, which is also used by ITV Digital (formerly OnDigital), the UK's terrestrial digital provider. Terrestrial digital is basically digital TV transmitted over the airwaves.
:)
The choice of SECA was considered unwise when OnDigital selected it, as SECA was already at that point known to be broken. Naturally, pirate cards started circulating shortly afterwards. The smart cards now sell for as little as 10 pounds (about 15 dollars) and card programmers can be obtained for about three times that allowing people to keep up to date.
At the moment, the UK has an arms race between ITV Digital and the pirates. ITV Digital will start broadcasting "ECMs" which exploit weaknesses in the pirate cards to cause them to crash (so they can't display TV). The pirates promptly fix their cards and release the new version, at which point it starts over again. There are several competing pirate codes around, and new versions are being released almost weekly.
There is a rumour that ITV Digital are less diligent than they need to be in tracking down and killing pirate cards, as these cards increase their marketshare against that of Sky (Murdoch's satellite TV company, the dominant "extra" TV company in the UK). This would be a tactic reminiscent of the way that pirate installations of Windows / DOS made those operating systems the standard in the past - whether there's any truth in the rumours is obviously uncertain, however.
Anyone interested in more information should consider the newsgroups uk.tech.digital-tv and uk.tech.digital-tv.crypt, although be warned that those groups are infested with pirates, script kiddies and the usual crop of 14 year old flamers!
When big boys like this start duking it out over greed based issues, and lets be honest thats what this is, the end is near, It woulda been more fun to see say sony vs disney or maybe someone else they dont already own :)
:)
Remerber when Ibm started trying to sue all the clone makers ? Or apple. Remeber when Sony sued over the betamax, or so on so forth.
I think what happens is greed reaches an apex, it cannot make money off going after the little guys distributing css, (it can try to limi it) but at some point it all falls like a house of cards when companies like this focus all their energies out of squeezing every last cent out of anyone for any reason , and in the process become a company for which litigation is their core business. V/Unv core business is supposed to be entertainment. I wouldnt know I have boycotted any materials, my small part in the struggle. But it seems no longer like a company interested in entertainment but more so litigation.
When companies like these start running around suing each other its often too late and they are only trying to salvage what they can, or make a stnd where they are, anyone know their current financials ? (the real ones please
Sig went tro...aahemmm.....fishing........
ITV's premium channels also show ads, though. In addition, ITV digital shows non ITV pay content, such as Sky One, Sky Moviemax, Sky Premier. Since Sky is ITV Digital's number one competitor, some people have theorised that ITVD might not be terribly upset at Sky losing revenue due to pirate cards.
The other argument, of course, is that ITVD might be allowing people to get away with pirate viewing to build marketshare, at which point they'll start beefing up the encryption techniques to shut down pirates. Sadly moving to a wholly secure model would probably require changing the encryption method, which would obsolete all current decoders (iirc). This is unlikely to happen.
- Bugs in the code on the card. This is somewhat analogous to
buffer overflows and format string bugs in poorly written daemons like IIS,
UPNP, and BIND. Often the first thing that hackers will do with a new
smartcard is to explore its known instructions to try to find "read holes"
(which let you read the ROM or EEPROM) or "write holes" (which allow you to
modify the code on the card).
- Glitching. In order to circumvent the security on smart cards,
some hackers will buy a special device called a "glitcher" that momentarily
lowers the power supply voltage going to the card at just the right
time in order to get the CPU on the card to skip the desired
instruction. The result is that the security on the card can be bypassed.
In the case of DTV access cards, glitching is also used to "unloop" cards
that have been illegally modified and subsequently disabled by DTV's
electronic countermeasures.
- Replay attacks. Often a card may be convinced to accept ROM
updates by crafting an instruction packet that appears to be an authorized
update, but in fact has a forged signature on it. This is caused by the
use of weak mathematics such as IDEA and CBC, which have been almost fully
compromised.
- Communication logging. Often, critical data that passes between
a card and its peer can be observed and logged. This data can leak
important decryption keys, passwords, and data.
- Power use analysis. Hackers with access to expensive equipment
can observe how much power a smartcard uses while performing a given
operation, and can sometimes deduce decryption keys from this power trace
as a result of poor implementation of cryptographic algorithms.
- Insecure operating environments. Some smartcard designers
choose to implement things like Java or Lunix on their smartcards, which
have proven security vulnerabilities and cannot withstand a dedicated
attack.
The one thing that surprises me about this article is that NDS spent a million dollars on this research. Satellite hackers who want to steal DirecTV's signal do the same thing for free every day, and usually do a more thorough job of cracking the card. However, the one lesson to take from this is simple: smartcard security Just Doesn't Work(tm).Bill
Actually this is not true when it comes to DRM measures. The problem here is that you are trying to keep information secret while sharing it with a few tens of millions of subscribers.
Ultimately any crypto scheme depends on the secrecy of a small number of keys. If a person reveals their key deliberately then anyone can read the information sent to them.
That said the Canal+ scheme does not have a great reputation for security. There are plenty of schemes that at least require the attackers to extract secret keys from smart cards. The satelite TV DRM problem is much easier than the DVD type problem. With a DVD player you can't issue a different key to each user and withdraw use rights on a per player basis. With satelite TV you can.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
"NDS spent huge sums cracking the code on Canal Plus smart cards, and handed the code to a website used by fraudsters, documents filed in a California court allege."
IF... they cracked any sort of code, that should be enough to subject them to the DMCA, unless there is some sort of jurisdictional issue at play. Nevertheless, if they do business in the U.S., then the DMCA would apply to them (ask Elcomsoft).
I thought all TV in the UK was pay. I.e. the governement collected money for each TV you own so it could run the BBC.
Software sucks. Open Source sucks less.
This case underscores the global nature of society now, an issue further underscored by the Internet itself.
Really and truly, the idea of "jurisdiction" when it comes to "e-anything" is almost incomprehensible. I publish a web page here in California about barbecues and possibly break Indian law. I publish a (perfectly legal in the US) pro-nazi page with swastikas and break German law if Germans ever (god forbid) look at it.
In this kind of environment, "legal" falls to the least common denominator, whatever's left when everything illegal everywhere is removed. Not much of an argument for "free speech" since anything on the 'net is merely communication, after all.
Remember Dimitri?
At issue is that there is no international law (that the US will respect, anyway) and as a result of this deficiency, we see all kinds of craziness.
It's going to get worse before it gets better.(sigh)
I have no problem with your religion until you decide it's reason to deprive others of the truth.