EFF Lands a Blow On DirecTV
An anonymous reader writes to alert us to a court win for the EFF in two cases in which DirecTV employed heavy-handed legal tactics to suppress security and computer science research into satellite and smart card technology. Here's the ruling (PDF) from the 9th US Circuit Court of Appeals. From the announcement: "The cases, DirecTV v. Huynh and DirecTV v. Oliver, involved a provision of federal law prohibiting the 'assembly' or 'modification' of equipment designed to intercept satellite signals. DirecTV maintained that the provision should cover anyone who works with equipment designed for interception of their signals, regardless of their motivation or whether any interception occurs. But in a hearing earlier this year, EFF argued that the provision should apply only to entities that facilitate illegal interception by other people and not to those who simply tinker or use the equipment, such as researchers and others working to further scientific knowledge of the devices at issue."
pay per view channels.... That is scientific tinkering too.
Just kidding. I want a cablecard mythtv box. Now.
I thought this sort of tinkering was already barred. With that in mind, this is likely to be at most a Pyrrhic victory; remember, the 9th Circuit is traditionally the most overturned circuit in cases that end up being heard by the S. Ct....
Just because we cannot, by default, assume a legal motive does not mean we should discount the existence of one. Furthermore, DirecTV argued that it should be illegal regardless of whether or not such a motive could exist, not simply because such a motive could not exist.
You *ASSUME* that's true. But learning how to crack a system is interesting too. Life is but a journey not a destination.
I for one have thought about doing this many times just because it would be interesting. Not because I want free tv. I already pay my cable bill for that... I just find it an interesting thing to do. I haven't touched it though because of these sorts of issues.
You mean someone who buys a smart card writer/reader to develop a security system for their office, or to research voting systems, etc., but does not subscribe to cable or satellite, own a dish, or even watch TV, or own any box produced or distributed by DirecTV, is doing their work just to secretly hack cable? Because that's what this case was about - anyone who bought a smart card reader/writer anywhere in the country was threatened or taken to court by DirecTV.
I wasn't sure to mod you as troll for flamebait, or just plain clueless, so I figured a post would do more justice.
It doesn't hurt to be nice.
Then do it, and don't publish the details. Who is gonna know? Unless conscience gets in the way, I think there is more to the story than you are letting on...
I'm giving up my ability to mod this thread but I need to set the record straight. DirecTV went as far as obtaining lists of people who purchased smart card equipment on the internet, and correlating them with people who had bought DirecTV equipment. Anybody who fit the profile was sent a "demand letter" which threatened a federal lawsuit unless they paid DirecTV thousands of dollars. There were lots of innocent folks caught up in this (and lots of not-so-innocent ones too). At issue is the fact that the innocent people who had an interest in smart card research for computer security purposes, and who happened to purchase equipment from low-priced on-line retailers were wrongly harassed by DirecTV.
While it is illegal to own a fully automatic firearm it is not illegal to buy a conversion kit.
Because that's what this case was about - anyone who bought a smart card reader/writer anywhere in the country was threatened or taken to court by DirecTV.
DirecTV didn't go that far, from the EFF's web site:
involved a provision of federal law prohibiting the "assembly" or "modification" of equipment designed to intercept satellite signals. DirecTV maintained that the provision should cover anyone who works with equipment designed for interception of their signals, regardless of their motivation or whether any interception occurs.
Does there need to be any 'valid' reason? Who decides what's 'valid' and what isn't anyway? If they find it interesting and challenging to hack something that someone else has created isn't that reason enough? To some of us a locked box isn't a sign that you should keep away, we see it more as a challenge thrown down by the lock designer.
The legal aspect should be limited to what we do with the contents of said box once we're in. A law stating that we can't spend our free time doing what we find fun in case we misuse the proceeds of our exploits is ridiculous.
http://twitter.com/onion2k
People bought smart card read/writers for their computers. There is no direct evidence to prove that they used these smart cards for their DirecTV systems.
DirecTV is claiming that anyone who bought such a smart card reader for their computer is deliberately trying to get "TV for free".
Will "DirecTV sue you next?"
Such devices are available for $30-$60 integrated within keyboards, within a computer case and as external USB devices.
It seems that Microsoft were involved in the development of smart card technology for encryption purposes, DirecTV makes use of similar technology, and then gets all hissy about other people using the same technology.
Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
So...now excuse me, I do not think like a legal person, I am just a common dumb citizen subject to the laws of this land and not intellectually capable of making decisions that implement and adjudicate the validity of such law but...
totally fictional scenario here, I mean it's not like someone can actually do this...
If I designed and built a receiver that could pick up any and all satellite communication, regardless of band, system, encryption, language, broadcast tech etc and play it out for any and all to hear (sort of a reverse tower of Babel), the resultant box, my design specs, even the idea in my head would be illegal and all (including me) should be locked up with key thrown away.
(sorry, I guess I CAN think like a legal beagle!)
During the Dark ages the Church had the only literates so they virtually controlled communications. Later, others learned to read and write and for a while, this skill was controlled, regulated and even banned by the Church. Welcome to 900AD.
- Minutus cantorum, minutus balorum, minutus carborata descendum pantorum.
My big problem with this issue is that at my past two jobs I worked for companies that did work with SIM cards. These are basically just a smaller form-factor of a smart card. At the time, there were various companies selling smart card readers specifically for the purpose of defeating DirecTV's copy protection scheme. As it happens, they had better prices on the same equipment I used for my job, so I ordered several for myself and a few cow-orkers.
DirecTV's lawyers started going after these businesses, obtained their customer lists through discovery and started going after their customers, too. You can guess what happened next.
As it happens, I was a DirecTV customer at the time. I never used these card readers to hack my DirecTV smart card, but I did use it legitimately for work. It took quite a bit of song and dance and a discussion between them and my (Sweden-based) management and CTO to convince them that I did have authorization to procure "SIM card readers" and expensed them through my company and wasn't using them for illicit activity, though it almost cost my job. Smart cards are very popular in most of the Scandinavian countries in many industries, and it was a bit amusing to hear DirecTV tell my CTO that he had no business reason to need a card reader for ANYTHING other than to steal from DirecTV.
For some examples, look at the security industry (physical access requiring a smart card - very popular in Finland), secure banking industry (you've seen the American Express Blue with the built-in smart card), cellular industry (all GSM SIMs are really smart cards), and Finland even uses smart cards for their national ID (which I hear makes their voting system work well).
Yes, perhaps I should have looked for a more "authorized" dealer or whatever, but money is money and my original bright idea that made me popular with my manager cast a shade over me that pisses me off to this day.
Maybe the correct question is, "Are you liable if you purchase equipment intended for illegal/illicit/immoral/ purposes for a legitimate reason?"
Tying in to the original point, it's amazing what power these guys have over people that don't have a company "in the business" to back them up. If I were doing the same job as a freelance contractor (which is very possible and more profitable in my former industry), I would have been legally fucked.
There are good reasons why lawyers should not be able to shackle research, industry, and "creative" self-education that fall outside of their business model. Generally speaking, smart cards are very secure devices, and if I recall correctly, DirecTV's woes started by using a vendor that leaked critical information (whether through subterfuge or buying off one or more of their employees) about how to confuse one of their specific types of smart cards into giving up it's secrets. This made the entire smart card industry look bad, and instead of taking it up with their vendor and immediately replacing those cards, they started suing potential customers. (I say potential, since I doubt many of them actually had subscriptions. At the time DirecTV was allowing their equipment vendors to sell receivers directly to people who obtained an unauthorized smart card to receive the service for free. Who really knows if they would be real customers had this avenue of exploitation not been available?) They took years to phase out the old cards for new, secure ones, and have since gone to a lease-only model for equipment so they can track who actually has a receiver and demand the equipment back if they're not suing it.
I'm not sure that DirecTV is evil, per se, but rather incompetent and legally blame everyone other than themselves. *Shudder* I'm glad someone is finally putting them in their place, as they have contributed to the overall chill on research that seems too prevalent today...
This comment does not necessarily represent the views and opinions of the author.
The ideas in your head are not illegal, and neither are the specs IF you just designed a machine like that on your own, and kept it to yourself. If you tried to sell the product, you'd infringe patents. If you tried to sell the resulting TV shows, you'd violate copyrights. However, if you reverse-engineered the DirecTV system to obtain your system, then you are violating their trade secrets, copyrights, and the like.
This is the basis for "clean room" engineering. One team reverse-engineers a product and writes a spec. The spec is reviewed by lawyers and engineers to make sure there's nothing trade secret in there. The spec is then given to another team of engineers who try to create a product from the spec with no input from the first two teams. If possible, this is fine (as long as you avoid patent issues).
There's nothing wrong with coming up with your own stuff. It's copying other people's stuff that gets you in trouble.
A NYC lawyer blogs. http://www.chuangblog.com/
What you are describing is the concept of `born secret` or `born classified`. It's real, and it's important but it doesn't really compare to the EFF v DirecTV issue IMHO.
I think there is more to the story than you are letting on...
There is. DTV went around suing smart card sellers for lists of people who bought devices that were capable of writing to DTV compatible smartcards, and then went around threatening those people whether they were unscrambling DTV shows or just getting a security system for their small company on the cheap.
If you manage to create the perfect decrypter, DirecTV will be the LEAST of your worries. IF some government (probably ours) doesn't blow you away immediately, you can expect to live the rest of your life in a very small cell explaining exactly WTF you did and how. And working on the next breakthrough as well. What you did was that dangerous to 'national security' and they'd have no problem making it stick.
But yes, DirecTV was saying that your device would step on their rights.
And even if that idea were possible, there is NO need to break DirecTV's encryption in order to work on your project. There's plenty of encryptions that you could break legally to develop the device. Testing it on DirecTV's broadcast afterwards is an afterthought, and NOT what is being discussed here.
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
The DMCA will stop the parent from sharing what he has learned about satellite (not necessarily DirecTV) encryption. It will also stop a colleague from sharing what he's learned. This is analogous to Einstein not being able to get help with non-Euclidean geometry. It stops research!
I've often thought a good defense against the DMCA would be the US constitution itself. You know, that part about life, liberty, and the pursuit of happiness. If I cannot satisfy my curiosity because the DMCA blocks my natural need to share my discoveries, then it is unconstitutional.
We have always been at war with Eurasia!
I totally agree. DirecTV should have to prove the devices were being used to hack their systems. I thought that was a given with the US's court system, but I guess not.
But I was objecting just to the 'scientific use' bit. If the devices they mean are just the card readers, then the EFF is obviously right. Those devices CAN and ARE used for many other applications. If the devices are the DirecTV boxes, there's no excuse and DirecTV is right.
The tricky part is this line: "prohibiting the "assembly" or "modification" of equipment designed to intercept satellite signals". Smart card readers do not intercept any signals and would not fall under this law. Only the DirecTV receivers do. They may facilitate decryption of intercepted signals, but they do not have anything to do with the interception.
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
This isn't true. You can legally own fully automatic firearms after you have purchased a $200 tax stamp from the BATF. They do sell this stamp, upon proper application. Some states may have laws which restrict this freedom.
Be careful with this one: it isn't generally true. The BATF has held that certain parts of a machine gun are a machine gun. Exactly what parts of a particular machine gun constitute a machine gun varies from time to time; it's decided by the whim of the BATF. It seems to boil down to ``If they want to get you, your machine gun parts are the bad parts.''
The problem here is that even though it is legal to own or manufacture machine guns, manufacture is only legal after you have bought the special manufacturers tax stamp. The BATF has refused to sell these since 1986, if I remember correctly. So, possessing certain machine gun parts (including some ``conversion kits'') is a felony. Possessing a full auto sear for an M16, and an AR15, is a felony, while possessing only the sear or only the AR15 is not, if I remember correctly (and I might be wrong on some or all of that). Possessing a full auto sear for an FAL is not a problem, but possessing an FAL receiver cut to accept that sear definitely is a felony with or without the sear, and so on.
In general, if you could put your parts together to make a machine gun, you are a felon unless you can somehow purchase that magic tax stamp.
These taxes were enacted by the National Firearms Act of 1934. There was a time when this was a free country.
See what I've been reading.
Freudian slip? ;)
LRN 2 SWM
I didn't notice anything in TFA that actually spelled out whether it was receiver equipment or just smart card research (I didn't read the judgement). Anyone with better reading comprehension than myself who can answer?
From what I understand, the satellite signals are encoded digital streams which smart card is used for the actual decryption engine, making it the most critical part in the system. I believe the "tuner" in a DirecTV receiver just points which stream it shoots at the smart card to get a valid MPEG2 (now and/or MPEG4) stream.
(Technicalities to above statement) Whether or not it just retrieves keys from the smart card (after a PKI exchange) that are used to decode the session (which I hear gets renewed quite frequently while you're watching) or the smart card actually spews the decrypted stream itself, I'm not sure, but basically if you can take the smart card out of the picture, you have a straight shot at their entire service unencrypted.
When taken inside a courtroom, these technicalities become very blurry and I'm sure many judges/juries/laymen can be convinced that someone tampering/researching/ with a smart card of any kind are vile scum intent on defrauding DirecTV. I hope this is what the EFF is fighting against, though I do not believe anyone trying to attack an encryption system (for whatever purpose) is a criminal either. You only cross the line when you purposely defraud those protected by said system to your own benefit (watching their service without paying, selling the information to those who wish to do the same, using information obtained against them, etc).
Otherwise, as the running /. joke goes, ROT-13 will be a legally protected system with which you can claim damages. Sad, sad, sad state for those not running in the consumer herd...
This comment does not necessarily represent the views and opinions of the author.
I wish I could be so clever. Blame the lack of caffeine for that and my poor grammar this morning ;)
This comment does not necessarily represent the views and opinions of the author.
involved a provision of federal law prohibiting the "assembly" or "modification" of equipment designed to intercept satellite signals. DirecTV maintained that the provision should cover anyone who works with equipment designed for interception of their signals, regardless of their motivation or whether any interception occurs.
That's what the law says and how DirecTV interpreted it. You are parroting DirecTV's now shown to be false argument. The company began its crusade by raiding smart card device distributors to obtain their customer lists, then sent over 170,000 demand letters to customers and eventually filed more than 24,000 federal lawsuits against them. Because DirecTV made little effort to distinguish legal uses of smart card technology from illegal ones, EFF and the Cyberlaw Clinic received hundreds of calls and emails from panicked device purchasers. See? They claimed anyone using a smart card for any reason was trying to hack them.
This, too, was from the EFF's web site: http://www.eff.org/news/archives/2005_11.php
It doesn't hurt to be nice.
Can network traffic over satellite be sniffed now or is it still a federal offense?
Having to work for a living is the root of all evil.
That's the Declaration of Independence.
-- nolesrule
This is exactly what they did to drugs by the way. You could only get a permit to prescribe pot if you proved you had some. If you had some without the permit, you possessed it illegally, and you'd be arrested when you tried to apply.
If you actually read the ruling, it has absolutely nothing to do with allowing, or not allowing, legitimate research into decryption technologies. The case concerned DirecTV's attempts to find the defendants liable under sections of the statute meant to cover distributors of piracy devices, in addition to the parts of the statute meant to cover individual possession and use of piracy devices.
There is no argument mentioned that the defendants were not liable under the parts of the law covering individual use of piracy devices.
The article by the EFF is also wrong/misleading. Yes, they have been fighting "DirecTV's heavy-handed legal tactics", but in this case, it just prevented them from using a bigger hammer against folks already found to have violated the law. (Did they actually do so? Who knows. They did not respond or appear for the original complaint, so default judgement was entered against them.)
SirWired
You are full of shit. I worked for a satellite communication company in 2000 - 2001 and we had home built routers designed by our company and Phillips. We used smart cards for security. I was the unix sys admin on staff and worked with engineering on security. The router ran linux. I bought a smart card reader writer and an unlooper from whiteviper for the very reason of researching the security of our system. We learned a lot about the security of smart cards and the security of our systems. The reason I bought from Whiteviper was because the devices were a quarter the price than anywhere else. Turns out that DirecTV got a hold of the customer list and thus I was sued for hacking their signal. I didn't have directv or any satellite television. Did not matter. Either pay directv to settle or pay a lawyer to fight. Thousands of dollars either way. Tell me exactly how that is legitimate.
All points of time and space are connected.
Clean room reverse engineering has no statutory basis. The only thing clean room reverse engineering buys you is a summary judgement in your favor instead of a preliminary injunction against you.
The important part is that when it's individual or small company versus big company with expensive lawyers, that turns out to be the difference between the case being a win or a loss.
It's not about who's right. It's about who can afford to pay lawyers for as long as a big company is willing to fight. And they will fight even if they don't have a case, because it's worth the chance that you'll run out of money or the will to defend yourself and you'll be shut down. Which is the point... because it's not about rights, as much as it is about control and keeping the competition thin.
LRC, the best-read libertarian site on the web
The card reader is not the card. The card reader is -never- used to decrypt DirecTV. The card (which so far, has to come from DirecTV themselves, as it's not been completely hacked) has a sophisticated chip on it that does the decrypting.
The card reader is used to hack the card and/or reprogram it.
The card could be argued to be used to intercept (even though it's actually just decrypting), but the card reader doesn't even have to exist once the card has been hacked/reprogrammed.
There used to be more sophisticated rigs that involved a card, card reader, fake card, and a PC. I don't think any of those work any more, though. They aren't at issue here as the -only- use for that rig is to hack DirecTV and the components are specific to it.
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
I'm the first to admit that I have been wrong before and will be wrong again. But I believe most people are confused by what is an automatic weapon. "Automatic pistol" or "automatic shotgun" generally refers to a semi-automatic design, while "automatic rifle" more often means a fully automatic or selective fire design. Fully automatic weapons tend to be restricted to military and police organizations in most developed countries. In the United States, machine guns registered after 1986 have been off the public market since the Firearm Owners Protection Act of 1986. So since you can get "nearly any fully automatic firearm that's made" I'm looking for the See-Shoot system with a 0.5-caliber automated machine gun for my yard.
Except these people are not busting into YOUR house they are busting into THEIR house.
Once you buy a thing, you own that thing. Busting into it becomes "equivalent" to busting into your own house and not someone else's.
Anything beyond that needs to be proven.
We have standards and procedures in this area for a reason.
A Pirate and a Puritan look the same on a balance sheet.
Exactly, this was my problem, I work in IA, and on the side I play with all sorts of security stuff on my own little network for fun and learning. I was trying to find a local (read: will ship to the US) place that I could purchase a cheap smart card reader/writer to create smart card authentication tokens for multi factor authentication, and had no luck. Hopefully this will change things a bit and I will be able to get one easily at a reasonable price.
I came, I conquered, I coredumped
I seem to recall a case where just having a reasonably well equipped machine shop was enough for the BATF to consider that the guy was in the business of manufacturing machine guns. Presumably there was some other evidence of that, if no actual machine gun parts in the shop at the time.
Mind, considering the sensitivity of a nominally semi-automatic rifle like the FN-C1A1 (old Canadian standard 7.62mm NATO rifle), even a match stick could be considered a "conversion kit" (you just need to jam it into the right place). I've even seen an FN fail to full-auto (so full that releasing the trigger didn't stop it, it kept firing until the mag was empty). That was exciting. Fortunately the soldier had the presence of mind to keep it pointed downrange.
-- Alastair
That's the Declaration of Independence.
Yeah. GP would have been better off complaining about infringement of his freedom of speech, eg if he wants to talk about it with somebody. First Amendment.
-- Alastair
True. And one might add that Judge Siler's dissent points out that two other Circuits have ruled differently even on the point that the EFF won. So not only is this ruling valid only in the 9th Circuit but there is a good chance that other Circuits will hold differently and that the issue may reach the Supreme Court and be decided differently.
I guess that makes it simply a justification for using the second amendment then.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
Counter-sue for wrongful accusation and get your fees paid for by DirecTV.
For some people.
...DirecTV, et al who used smart cards for their subscription service had wished they had spent a little more to have a unique physical card interface designed for their own use rather than rely upon one that is off of the shelf? While recognizing that this would increase production costs and really wouldn't be much of a deterrent against someone willing to build up their own physical interface (or part one out of an old receiver), it could have made for a better means of deterring the casual bootlegger or more conclusive proof of illegitimate activity (i.e. "why is your smart card reader torn apart on your bench and connected to a socket torn out of an old receiver?"). Mind you that a physical repackaging wouldn't be the magic bullet.
I suppose someone could've done a cost-benefit analysis, but I doubt it.
Except that that's not true, either.
They are practicing busting into their own home, to then sell "bust-in kits" to other people who will then bust into your home. Or sell or give the info to people who will make such kits.
Oh, sure, not this particular researcher. He's clean as the windblown snow, without doubt, including nothing but honorable intentions.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Back in the day when the old DTV cards were fully hacked, the way they did this was by selling special card reader/writers. They had no other use but to specifically glitch a DTV card; they wouldn't write other cards. They did this by applying voltages to points on the card that would cause the card to glitch and break out of its continuous loop that prevented it from being loaded with new software. Then you could load the hack and watch all the channels. DTV was working with law enforcement to raid the sellers of these devices in the US but you could still get them from Canada. After a couple years of this they retired those cards and did a really good job locking down the replacements.
> Oh, sure, not this particular researcher. He's clean as the windblown
> snow, without doubt, including nothing but honorable intentions.
THAT, is what you are required by law and national tradition to assume.
Anything else needs to be proven.
As an individual, assuming that someone is a thief and broadcasting that assumption is called libel/slander and you can be held legally liable for it.
A Pirate and a Puritan look the same on a balance sheet.
I have a company issued smart card from Sun and I have to use it in a reader/writer to be able to log in after I vpn into the building. There is so much idiocy in the world when it comes to non technical people trying to enforce technical laws.
This package Does Not Contain a Winner
That law was thrown out and ruled unconstitutional I do believe (early 70's?)
That pissed off Nixon, and he got the current drug laws pushed through...where they 'schedule' them. I think this was around the time just before LSD became illegal? You can google it for exact dates.
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
Those words never appear in the Constitution. I believe you're thinking of the Declaration of Independence, which holds little or no legal standing.
https://www.eff.org/https-everywhere
.
And got better customer service and a lower bill in the bargain.
.
When a company does something silly, stupid, AND against my interests, I stop doing business with them.
That's also why I've never bought a single ticket to a Sony movie, a Sony DVD, or Sony brand for 15 years now. I can't avoid Sony chips every time, but when I can, I do. One 3,500 unit laptop deployment was switched from one vendor to another vendor simply because the first used Sony chips, but the second didn't. Also saved about USD45 per unit, with comparable performance and features. The first had 4 1.0USB ports, the second had 2 2.0 USB ports. We only needed one.
A no brainer, AND I didn't feed the Sony Patent troll.
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
"get your fees paid for by DirecTV."
Ramen
With the new EFF victory, you are in a good position.
Having been threatened by DirecTV myself, for this very same thing (buying a card reader/writer) I went to a lawyer the day after I got the threatening letter and had him draft a letter threatening counter-suit for harassment. I never heard from them again. I think that the people that are getting nailed are the ones talking to DirecTV. DON'T. Don't ever talk to DirecTV. I just canceled my DirecTV service and switched to dish. (yes, I was a paying customer) When asked why I was canceling I said "Because you are trying to extort $20,000 from me" and the CSR just said "Oh... well that's a good reason!"