Slashdot Mirror
TiVo Awarded Patent For Password You Can't Hack
Davis Freeberg writes "TiVo has always been known for thinking outside of the box, but this week they were awarded an unusual patent related to locking down content on their hard drives. According to the patent, they've invented a way to create password security that is so tough, it would take you longer than the life of a hard drive in order to figure it out. They could be using this technology to prevent the sharing of content or it could be related to their advertising or guide data, but if their encryption technology is really that good, it's an interesting solution for solving the problem of securing networks."
3-4 weeks tops?
MDlGOTExMDI5RDc0RTM1QkQ4NDE1NkM1NjM1Njg4QzA=
Don't tell anyone.
This slashdot-related signature is a stub. You can help kihjin by expanding it.
"Yeah right! I'll give it 5 years max."
Jeeze. You've been luckier with hard drives than I have, then... ROT13 would be sufficient to outlast some of them.
So it's like a really character password with random characters and punctuation and stuff?
That doesn't sound like it would be worth a patent.
Then again, it might be more interesting and have non-typeable characters...
Or maybe just "Joshua"
Patent For Password You Can't Hack
Hack available for download from the internet in 5, 4, 3, 2....
Seven puppies were harmed during the making of this post.
And what if it's a WD drive they are talking about? The life of those is so low they had to drop their warranty to 1 year because they admitted 3 years would put them out of business. (The reason I only use Segate 5 year warranty drives).
I'm an American. I love this country and the freedoms that we used to have.
If it exceeds the life of the drive theres an easy way to just clone the drive or remove the platters and put them into another hard drive (yeah very sensitive operation likely requiring the conditions of a clean room).
Its hard to make something undefeatable and if you claim such it is only going to attract people as a challenge. Maybe that is what they want?
Of course if someone proves that it isnt 'impossible' then does that void the patent?
09F911029D74E35BD84156C5635688C0
+2 Troll is Slashdot's way of saying groupthink is confused
The hard disk must have a really short life :/
I have two Series2 units and I love them. But there's no way in hell I'd spend PS3-level prices on a Series3 recorder, especially with the lack of TivoToGo and now this bullshit.
Look, if I buy a device that has a hard drive in it, that hard drive is mine. The data on it is mine. If you don't want me to access it from the "wrong" host, maybe you shouldn't have sold it in the first place. You can have all the control you want over that hard drive while it's gathering dust in your warehouse.
Visual IRC: Fast. Powerful. Free.
This has nothing to do with networks at all. The patent is about making sure a hard disk can only talk to a certain host.
Its just another attempt to prevent people form using their own hardware how they want to.
Make a security claim so wild that every hacker will buy your product to try to crack it. $$$$
When I was a wee tot, I remember seeing a single-panel _Dennis The Menace_ cartoon. The cartoon itself had Dennis' father at a boardroom-type table with a few other people, his briefcase open, and various parts spilling out. The caption was something like "Gentlemen, our new bathroom scale did not pass the 'Dennis test'. We cannot refer to it as 'unbreakable'".
Since then, whenever I've heard about something claiming to be unbreakable, I picture a very broken bathroom scale...
The Busy Coder's Guide to Android Development
I love it when someone says that 'x' can't be done.... that is sure to bring on the people that show it can be done
Support NYCountryLawyer RIAA vs People
Essentially they are claiming: Using a wire-secure challenge system between a hard drive and a host.
In the text they mention prior art of both:
1. Using a challenge system between a hard drive and a host
2. a wire-secure challenge system
Even if no one has ever put cryptographic functions into a hard drive (I'd be surprised) virtually every cryptography paper talks about all of the communications in the only meaningful terms, abstract ones, implying in a way obvious to non-experts that it can be used between any equipment.
This, like many other bad patents, is at best a land-grab for a specific piece of territory so well discovered, mapped, and understood that claiming a portion of it is just ridiculous.
On the dangers of assuming keyspace => security:
from ''Computer Security and Cryptography'', Alan G. Konheim.
Belief is the currency of delusion.
I know that I'm probably not their target audience, but the one reason that I have two subscribed tivos is that I can hack them and disable the DRM and generally they've been pretty cool about it. But the day they lock me out of my one boxes is the day that I cancel my subscriptions and either continue with the hardware on my own or switch to MythTV.
The difference between Canada and the USA is that in Canada healthcare is a right and gun ownership is a privilege.
"Unhackable" passwords ?!?
At least you know nobody is going to get sued over this one. Ever.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
The claim in the patent is simply using one of many man-in-the-middle resistant challenge/response methods to avoid exactly this. A much more interesting attack is to emulate the environment of the host, and get it to unlock the disk for you, or to sniff the unencrypted actual data off the wire. This is more an obstacle of convenience than one of actual security. They don't want one person finding the key and using it to write computer software so you can toss your drive from the DVR right into the computer to rip video without special hardware.
Nope, no encryption; just hash-based Challenge-response authentication.
An authentication system for securing information within a disk drive to be read and written to only by a specific host computer such that it is difficult or impossible to access the drive by any system other than a designated host is disclosed. While the invention is similar in intent to a password scheme, it significantly more secure. The invention thus provides a secure environment for important information stored within a disk drive. The information can only be accessed by a host if the host can respond to random challenges asked by the disk drive. The host's responses are generated using a cryptography chip processing a specific algorithm. This technique allows the disk drive and the host to communicate using a coded security system where attempts to break the code and choose the correct password take longer to learn than the useful life of the disk drive itself.
Drive sends random junk. Host responds with digital signature on random junk. Drive verifies signature. It's a diffie-hellman key exchange derived system called a digital signature. RSA and DSA (El Gamal is DSA's corresponding cryptosystem) are examples.
Support my political activism on Patreon.
I use BeyondTV and couldn't be happier. No restrictions. They also have SmartChapters which identify distinct blocks of video (cough, commercials, cough). I can also burn to DVD with an extra plugin. You get free TV listings - you just have to buy the software. Sure - they get you with upgrades, but you can choose not to upgrade.
"No matter where you go, there you are." -- Buckaroo Banzai
"The information can only be accessed by a host if the host can respond to random challenges asked by the disk drive. The host's responses are generated using a cryptography chip processing a specific algorithm. This technique allows the disk drive and the host to communicate using a coded security system where attempts to break the code and choose the correct password take longer to learn than the useful life of the disk drive itself."
In what novel way - or any way for that matter - does this differ from standard cryptographic challenge-response authentication? I mean, maybe they are using an extremely long generated series of psuedorandom keys, secrets, responses, or all 3 but I don't see how that is novel. Or perhaps incorrect responses result in the disk controller becoming non-responsive for a short period to increase the time required to exhaust the series, but that isn't novel either.
Any ideas?
It's not like good crypto is hard to come by. I mean if I pick a good password with AES you aren't cracking that in your lifetime, much less the life of a harddrive. The problem isn't a good password, the problem is that DRM tries to use crypto for something it isn't made for. Crypto is about keeping out non trusted parties. That's how SSH works. You have the key, the server has the key and thus only you and the server can decrypt the traffic. Anyone else can capture everything if they want, and they are going to get all of nowhere with it.
The problem with DRM is that the person who is the recipient is also one of the people they want to keep out. This creates a problem: To decrypt the message (by message I mean whatever they are giving you, video, song, game, whatever) you have to give them the key. However, if they have the key, well then they can decrypt it and do what they want with it.
This leads to all the tricky, and ineffective, stuff we see these days. They try to hide the key so that only the device can find it and you can't get at it. Well that just don't work. It can make it so it isn't as simple as just copying a disk, but as we've seen with the AACS break, you can't hide that shit from a determined attacker. The key IS on there, it CAN be found.
So I don't care how good their password scheme is. AES-256 with a 64 character password is good enough to last until the sun goes dark (or at least until quantum computing becomes a reality) but that doesn't buy you anything if you have to hand out the key as part of your scheme as is required by DRM.
No they're not. They've always been known for seeking to keep everything IN the box.
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
Quickly, before Cringely ruins it with bad math, I need to point out some very obvious weaknesses in making this work correctly:
Okay, you all can go back to your regularly scheduled cheap shots.
...but I am a law student and just took an introductory IP course, so I'll try to answer. A patent must actually do what you claim it does. But they don't claim it can't be cracked:
There's still a difference. Firmware is much more difficult to reverse engineer. If you can get your hands on a binary and a system that runs it, you can capture every bit of code. If you've got a ROM chip, then you can only see what goes in, and what goes out. There are ways to prevent it from being opened and examined, photosensitivity being the big one.
Crypto on a chip is more secure than crypto in a binary.
I see your informative link, and raise you a pithy comment.
To quote Spock, "I believe that is what [he] said."
I only caught it because I read RFC 2045 the other day. (specifically, the section on Base64 encoding...)
-:sigma.SB
WARN
THERE IS ANOTHER SYSTEM
FTA: According to the patent, they've invented a way to create password security that is so tough, it would take you longer than the life of a hard drive in order to figure it out.
So it's security is that a brute-force/birthday attack is just so improbable that the drive will wear out before i can test enough possibilities to have a measurable chance of getting it? Besides, twofish, blowfish, AES, any virtually any other standard encryption algorithm could boast the same thing. Tell me if I'm wrong, but couldn't i make a bunch of 1:1 copies of the disk and use those to crack it?
If i had one dollar for every brain you dont have, i would have $1.
but I do know this nifty card trick:
Give your friend a deck of cards. Turn around and have them shuffle it, select a card at random, memorize the card and put it back in the deck. Have them shuffle it some more (without you looking at it). Take the deck from them and take a card from it and say 'this was your card'.
In the long run, you'll be right about 1 in 52 times. If you happen to be right the first time with a particular friend, and never do the trick again, they will be scratching their head for a long time trying to figure out how you did it.
So, the point I'm trying to make is that it could take longer than the life of a hard drive to crack the super secret code, or you get get it right on the first guess (or the second one, or the third one...). So it seems rather silly to claim that it is uncrackable.
because the consumer is not their customer.
Don't fight for your country, if your country does not fight for you.
That is a dreadful patent, and it would be ridiculous to see it issued; hardware challenge-response dates back to at least the first IFF machines in the second world war, they're not even mentioning having a deliberately slow password-hashing algorithm, which is itself at least as old as UNIX, and the technique is vulnerable to bump-in-the-ATA-cable extraction of the data from the disc in the first place, and probably also to an attack where you swap the drive controller board for one from a drive of similar model without Special Tivo Sauce.
The password might not be cracked. Well, at least not cracked in a meaningful or useful way. I can think of several ways this could be accomplished. Tying the drive to the mainboard with a kill switch that burns out the firmware controler could be one. This could mean all ads and all content is useless outside the tivo and the drive is borked if tried outside it too.
But if this patents is invalidated, it is meaningful in several ways. First is other devices might be forced into using it by the media companies or something and this will raise the costs of consumer electronics. The next thing is, suppose someone discovers this as a way to keep usable information out of anyone's hands who don't have permission to use it. There is another royalty that needs to be payed and it will come out of our pockets too. But most importantly, A patent takes an entire piece of software off the market for most. Imagine if the word processor was patented when it originally was developed. Whatever the first word processor was and anyone willing to pay the royalties to them are the only word processors we would have. Openoffice.org wouldn't be here, Microsoft could have bought the patent and stopped everyone from using it other then them, so on and so on.
So what happens when computers are fast enough that to be somewhat reasonable secure, you need this patent. If it is still valid, again, everyone pays TIVO to use it. But if it was copy written instead of patented, then many other players could attempt to do similar things and hopefully competition would make things better and all. But if we are stuck with this one implementation and it turns out not to work, any working implementations from other companies will have a payment to TIVO associated with any costs.