******************************************************************
*---------------- Syndicated Hack Watch - 04:1994 ---------------*
******************************************************************
*-------------- Special Projects BBS +353-51-50143 --------------*
*--------------        SysOp: John McCormac        --------------*
******************************************************************
*------------- (c) 1993 MC2 (Publications Division) -------------*
*--------------- 22 Viewmount, Waterford Ireland ----------------*
******************************************************************
******************************************************************
Syndicated Hack Watch is copyrighted material. All unauthorised
reproduction whether in whole or in part, in any language will be
suitably dealt with.
******************************************************************
Contact Numbers:
Voice:   +353-51-73640
Fax:     +353-51-73640
BBS:     +353-51-50143 HST - Special Projects BBS
E-mail:  mc2@cix.compulink.com.uk
FidoNet: 2:263/402
******************************************************************

The OMIGOD Hack

It was a long time coming and News Datacom and Sky seemed to ignore every sign. Perhaps they were too concerned with the Ho Lee Fook hack. This latest hack, coming as it does in the twilight of the issue 07 is perhaps the death knell for Sky's 07 smart card.

The OMIGOD hack is simply a computer program that allows you to use your IBM Compatible computer as a glorified smart card. You connect a small interface circuit between the serial port on the computer and the VideoCrypt decoder's card slot. Then you run the program. It decodes all of the BSkyB encrypted channels.

The present version of the hack works on IBM compatible computers and an Apple MAC version will be available within the next week or so. Amiga and Atari versions may also be created.

The program was created in Germany so that those outside of the UK and Ireland could watch Star Trek.
The title of the program is Season 7 after the current season of Star Trek - The Next Generation. Sky have repeatedly refused to give subscriptions to those outside of the UK and Ireland so therefore something had to be done. As it turns out many hackers are also fans of Star Trek and Deep Space 9. It was only logical that the hack was pursued.

Some actually tied up mainframe computers doing real-time descrambling of the VideoCrypt signal. It was not a viable solution as most hackers did not have access to mainframe computers. However many of them had access to IBM compatible personal computers.

The PC VC Emulator program is perhaps the most dangerous thing ever to have happened to Sky and News Datacom. The fact that this program even exists contradicts the publicity claims made about VideoCrypt. It appears that News Datacom completely misunderstood what a hack on VideoCrypt would consist of. As a direct result of this the Ho Lee Fook and the OMIGOD hack can operate freely.

The program is intended to be used and distributed outside of the UK. It may well be illegal in the UK under the Copyright Patents and Designs Act 1988. Of course the problem with the law is that technology leaves it standing in quicksand.

Since the program is a DOS executable, it can be stored in Zipped form on any bulletin board system. Theoretically anyone with a modem and a computer could download this program from a bulletin board outside of the UK. Nothing short of cutting all of the UK's international telephone lines will stop its importation to the UK. Of course it may already be there.

The interface for the computer to decoder link is actually a simple two chip design. A MAX232 integrated circuit converts the RS232 signals to TTL and also the TTL signals to RS232. A 74LS07 hex open collector buffer is used to allow the connection of the received data line and transmitted data line on the computer's RS232 interface to the DATA line on the smart card interface.

The most troublesome aspect of the hack is the dummy smart card. While a directly wired connection to the VideoCrypt decoder is possible, it is a messy and potentially dangerous option. The dummy smart card option is the more elegant of the two. As with most experimentation with smart cards, the printed circuit board material is too thick. With typical thicknesses of 1.6 millimetres, ordinary PCB material is too thick for the decoder's smart card socket. The easiest solution is to sand down the PCB material to the 0.78 millimetre thickness required.

A text file is included with the release version of the OMIGOD hack. All of the necessary details required to build the interface are contained therein. No doubt there will be some versions of the interface on sale in the very near future.

The cost of this interface is in the region of five pounds. The potential hacker has the essential piece of equipment - the computer. So for a fiver it is possible to watch all of the Sky channels. Of course the alternative view is that you are using a thousand pound computer as a glorified smart card. That is a rationalisation worthy of Sky's publicity department.

Naturally when the new issue 09 smart card is put into operation, this hack and all of the other hacks on the 07 smart card will be affected. The problem is that nobody is completely sure when the switchover to the 09 smart card will occur.

Three Cards On VideoCrypt?

According to sources, there are currently three versions of the Sky card in operation. Issues 07, 08 and 09 are in use on the VideoCrypt system. This is an unprecedented event and points to a major loading of the VideoCrypt over the air addressing system. The current batch of cards is issue 07. This batch of cards was to have been replaced by an issue 09 card. Issue 08 was apparently abandoned as it was based on similar technology and algorithms to the hacked 07 card.

Over the last few months, we received some vague reports of issue 08 cards turning up in commercial premises such as pubs and cable companies. These reports now seem to have been accurate. Though in Ireland, more pubs have been opting for the pirate cards as they are cheaper than an official subscription.

The launch of the 09 smart card has naturally disturbed the Blackbox market for pirate smart cards. Prices have nose-dived over the last few months as the news of the 09 smart card gradually filtered into the market.

The 09 launch has not been smooth. Many customers have still not received their issue 09 smart card and are still running on 07 cards. Some magazines have had reporters selected to receive free cards. Even that august bastion of JAFAdom, Satellite Trader, has received one. Not unexpectedly, Hack Watch News received nothing. This kind of operation is smart. It targets what the marketing people consider to be opinion formers. It is effectively a perk of the job or what hackers would refer to as a bribe. The idea is that the people who get the complimentary subscriptions write glowing praise and nice things about Sky.

The rumours about the slow and sporadic delivery of the 09 smart cards have been rife. One such rumour claimed that there was a problem in the pay per view routines of the 09 card. This problem was only discovered after about one hundred thousand cards had been shipped. Though apparently this problem has been solved with the latest cards.

The present situation means that the current datastream has to work with three versions of the Sky smart card. It would have the knock-on effect of making any electronic countermeasure (ECM) a very risky affair. Therefore from Sky's point of view, the sooner the 09 goes into full operation the better.

One factor that linked some of the people who were first to receive issue 09 smart cards was that at one time they had requested a second smart card from Sky.
However the distribution of the official cards in the UK seems to be gathering pace. Strangely, the only people to have received the 09 smart cards in Ireland are ASA dealers. Some of them are actually selling pirate cards as well.

Key TV - Better Than The Real Thing

It was more impressive than any of the digital video demonstrations at the Cable And Satellite Show. Key TV, the VideoCrypt compatible scrambling system from Chris Carey, was being displayed to a deeply interested industry. Many of the channels currently on the hacked Sky card no doubt showed an interest in the system. After all, the Key TV option was a lot more secure than VideoCrypt.

Whereas VideoCrypt uses a known architecture smart card, Key TV uses an ASIC. A smart card is easier to reverse engineer because it is a largely known architecture. With the ASIC architecture, a potential hacker has to figure out the function of every gate in the chip. This is a far more difficult task and would take an estimated nine months to carry out. The only company ever to have undertaken such an operation is the company responsible for Key TV.

Perhaps in the next few months, there will be a number of channels using this system instead of going to Sky and News Datacom. Many in the industry have expressed reservations about the monopoly that News Datacom holds over the English language satellite television market. Somehow there is the feeling that channels would feel a lot safer using a system developed by experts who know where the weaknesses that allow a system to be hacked lie.

Black Book 4 To Be Published In April

In late April, the fourth Black Book will be published. The Black Book is also known as European Scrambling Systems. It is the bible of the Blackbox Industry. The new version concentrates on the smart card hacks and how they operate. Details of smart cards and computer monitoring circuitry are provided. The majority of the systems in Europe are now hacked.
Perhaps more importantly it shows how the present hacks will develop in the near future.

The chapter on cryptology has been expanded to cover message digests, hash functions and one way functions. The Fiat Shamir Zero Knowledge Test, allegedly used in VideoCrypt, is fully explained. Details of how crypto systems are hacked are also dealt with in detail. In the Irish High Court, Sky and News Datacom claimed that they had developed a one way function. This chapter examines that claim and shows how a one way function works. It also shows how the Ho Lee Fook hack on the VideoCrypt crypto system operates, complete with worked examples in pseudo code and C.

The official price of the book is 32.00 plus postage but to those electronically aware people reading this via a bbs, fidonet or usenet, I have decided that the price of the book will be 25.00 pounds including postage. This special offer price includes postage in the EC.

Payment can be made by UK or Irish cheque or draft. Alternatively payment by credit card is possible. Visa and Mastercard / Access acceptable. Either fax the order to the phone number below or use the mc2@cix.compulink.co.uk e-mail address. Alternatively telephone (voice) after 1400 Hrs to order.

-------------------------------------------------------------------------
| John McCormac                          | Hack Watch News              |
| Editor - Hack Watch News               | MC2 (Publications Division)  |
| Voice & Fax: +353-51-73640             | 22 Viewmount, Waterford      |
| BBS: +353-51-50143                     | Ireland                      |
| e-mail: mc2@cix.compulink.co.uk        |-------------------------------
| john.mccormac@f402.n263.z2.fidonet.org | Black Book 4 Available April |
-------------------------------------------------------------------------