One of the most impressive hacks I've ever read about has to be the Black Sunday kill. Since the original 2001 Slashdot article I read on this is 99.9% quote, I'm going to do the same. I can see why they quoted so extensively; it'd be difficult to improve on the unusually succinct, well written summary provided by Pat from Belch:
One of the original smart cards, entitled 'H' cards for Hughes, had design flaws which were discovered by the hacking community. These flaws enabled the extremely bright hacking community to reverse engineer their design, and to create smart card writers. The writers enabled the hackers to read and write to the smart card, and allowed them to change their subscription model to receive all the channels. Since the technology of satellite television is broadcast only, meaning you cannot send information TO the satellite, the system requires a phone line to communicate with DirecTV. The hackers could re-write their smart cards and receive all the channels, and unplug their phone lines leaving no way for DirecTV to track the abuse. DirecTV had built a mechanism into their system that allowed the updating of these smart cards through the satellite stream. Every receiver was designed to 'apply' these updates when it received them to the cards. DirecTV applied updates that looked for hacked cards, and then attempted to destroy the cards by writing updates that disabled them. The hacking community replied with yet another piece of hardware, an 'unlooper,' that repaired the damage. The hacker community then designed software that trojanized the card, and removed the capability of the receivers to update the card. DirecTV could only send updates to the cards, and then require the updates be present in order to receive video. Each month or so, DirecTV would send an update. 10 or 15 minutes later, the hacking community would update the software to work around the latest fixes. This was the status quo for almost two years. 'H' cards regularly sold on eBay for over $400.00. It was apparent that DirecTV had lost this battle, relegating DirecTV to hunting down Web sites that discussed their product and using their legal team to sue and intimidate them into submission. Four months ago, however, DirecTV began sending several updates at a time, breaking their pattern.
While the hacking community was able to bypass these batches, they did not understand the reasoning behind them. Never before had DirecTV sent 4 and 5 updates at a time, yet alone send these batches every week. Many postulated they were simply trying to annoy the community into submission. The updates contained useless pieces of computer code that were then required to be present on the card in order to receive the transmission. The hacking community accommodated this in their software, applying these updates in their hacking software. Not until the final batch of updates were sent through the stream did the hacking community understand DirecTV. Like a final piece of a puzzle allowing the entire picture, the final updates made all the useless bits of computer code join into a dynamic program, existing on the card itself. This dynamic program changed the entire way the older technology worked. In a masterful, planned, and orchestrated manner, DirecTV had updated the old and ailing technology. The hacking community responded, but cautiously, understanding that this new ability for DirecTV to apply more advanced logic in the receiver was a dangerous new weapon. It was still possible to bypass the protections and receive the programming, but DirecTV had not pulled the trigger of this new weapon.
Last Sunday night, at 8:30 pm est, DirecTV fired their new gun. One week before the Super Bowl, DirecTV launched a series of attacks against the hackers of their product. DirecTV sent programmatic code in the stream, using their new dynamic code ally, that hunted down hacked smart cards and destroyed them. The IRC DirecTV channels overflowed with thousands of people who had lost the ability to watch their stolen TV. The hacking community by and large lost not only their ability to watch TV, but the cards themselves were likely permanently destroyed. Some estimate that in one evening, 100,000 smart cards were destroyed, removing 98% of the hacking communities' ability to steal their signal. To add a little pizzazz to the operation, DirecTV personally "signed" the anti-hacker attack. The first 8 computer bytes of all hacked cards were rewritten to read "GAME OVER".
Nobody knew how the satellite companies had suddenly developed such smarts. Until now. A recent Wired article exposes Christopher Tarnovsky as the mind behind the epic Black Sunday Hack.
Among the countermeasures he says he created was one known among pirates as the "Black Sunday" kill -- an elaborate scheme that destroyed tens of thousands of pirate DirecTV cards a week before Super Bowl Sunday in 2001. Instead of being delivered all at once like other measures, the Black Sunday attack code was sent to pirate cards in about five dozen parts over the course of two months, like a tank transported piece by piece to a battlefield to be assembled in the field. "They never expected us to do this," Tarnovsky says.
The kill didn't last long before pirates found a way to jump-start the cards. But it holds an enduring position in pirate lore; for the first time, they could see a cunning mind at work on the other side.
It's fascinating to finally hear the Black Sunday kill described so intimately from the inside. It's a gripping tale of high stakes programming, a life of electronic warfare with millions of dollars at risk on both sides. I've never been a satellite television subscriber, but apparently the war rages on even today -- at least according to the Wikipedia entry on pirate decryption.
I remember when this happened. I had a friend who stole DirecTV that way. It was like a major life crisis for him that his ability to steal TV signals was interrupted. I got a good kick out of it which didn't please him much either. Oh well. He later went on to figure out a way to steal business-level cable internet and all of the premium channels while only paying the minimum monthly cable fee. Some people just aren't happy unless they're gaining an unfair advantage of some kind. We're not really friends any more.
Gerald on June 1, 2008 2:47 AM
doh
GameOver on June 1, 2008 3:07 AM
A truly amazing hack. I wonder how come the Hacking community had not modified their boxes to somehow virtualize the card completely. Perhaps they got complacent with their successes.
At the end of the day though, an unsustainable system is still unsustainable, and this was just a clever one-time trick that was a large setback for the black hats but not a permanent one.
Alexandros on June 1, 2008 3:08 AM
Awesome.
War on June 1, 2008 3:25 AM
What Alexandros said. If you're going to build a brain-dead, doomed technology, at least do it in style.
These days DRM is at best useless, and at worst outright malware. My theory is that any engineers worth their salt know that DRM can't work and that it's a lot more fulfilling to work on software that doesn't suck.
Nathan Bowers on June 1, 2008 3:32 AM
Well yeah. I mean as soon as any security measure is put into place, a 15 year old hacker is already at work breaking it.
Skunkwaffle on June 1, 2008 3:33 AM
Sounds like a Hollywood movie :)
Anand on June 1, 2008 3:46 AM
Wow, that video is very impressive. Using a device and some software skills to read/write a chip is one thing. Using various chemicals to do "surgery" on a chip and control it is a whole new ballgame!
Adam on June 1, 2008 3:48 AM
Is that not 9 bytes (GAMEOVER for 8)? Maybe the original quote changed it for dramatic effect.
Dee on June 1, 2008 4:15 AM
Wow, I actually cheered DirecTV for this! :)
I'm not a fan of any form of DRM, but the satellite receiver problem is an interesting one, and I'm also very much against the idea that anyone has any sort of "right" to receive a service they don't pay for. This is from everything from fare dodging to benefit fraud.
Companies must not assume that everyone is guilty until proven innocent, but there is definitely another side to the story here - it's a design for evil kind of problem. I'm glad that they actually were able to stamp their authority, no matter how temporary that ended up being.
Man, That's real good!!! Sounds like a movie.
Manoj on June 1, 2008 5:14 AM
I don't understand why they didn't send the hack (or the killer patch) in one pack?
It would still disable the smartcards no?
So sweet... Even if I was one of the hacked tv users I'd love the story.
Imagine what Christopher Tarnovsky felt. It must have been like winning gold in the Olympics or something like that.
ino on June 1, 2008 6:07 AM
Black Sunday Kill had no effect on those who were using a computer and cardreader as an emulator. There were lots of ominous warnings beforehand, but not everyone had the resources for this setup...
odam2k on June 1, 2008 6:14 AM
Awesome post - great hack.
The hack-counterhack-hack drama reminded me a bit of an excellent novel Daemon, by Leinad Zeraus - check it out http://www.amazon.com/Daemon-Leinad-Zeraus/dp/0978627105
Chris Brookins on June 1, 2008 6:40 AM
Google is evil
Dude, Black Sunday like totally rocked. Another Black Sunday would be like really cool wouldn't it?
JJ
www.Ultimate-Anonymity.com
While generally I understand and somewhat agree with the companies' sides, isn't it HIGHLY illegal to destroy other people's equipment like this (no matter what they do with it)?
It sounds like it would be about on a level with MS formatting your hard drive if you run a cracked version of Office.
J. Stoever on June 1, 2008 7:41 AM
@ J.Stoever
If you read the small-print the smart cards will be the property of the satellite provider.
Ryan on June 1, 2008 8:01 AM
But the super bowl is on regular TV...so their timing isn't that significant.
bar: "The whole stealing satellite/cable thing is kind of pointless nowadays, with internet connections fast enough to torrent all the TV we want."
Translated: "The whole stealing thing is pointless. With torrenting we can still steal all we want."
I am convinced that 99% of all hackers/torrenters have never made a SINGLE DIME for themselves or anyone else or any company writing code.
Great interview question: "Have you ever bit-torrented anything?"
PaulG. on June 1, 2008 8:40 AM
[quote Alexandros]
A truly amazing hack. I wonder how come the Hacking community had not modified their boxes to somehow virtualize the card completely. Perhaps they got complacent with their successes.
[/Alexandros]
There was the emu setup that allowed you to place a computer between the receiver and the H/HU card. This was the better config as a majority of these updates wouldn't bring you down (Black Sunday did though).
It makes me wonder if the hacking/cracking scene will ever bring us something that will circumvent an everyday utility again.
It is fascinating on so many levels. Economics plays just as big a part as the hacking aspect. If DTV had been in Canada, or the Canadians had ever criminalized accessing the signal, would we have ever had the great hacks of DTV?
pzuni on June 1, 2008 9:50 AM
PaulG: Great interview question: "Have you ever bit-torrented anything?"
That's ridiculous. Using that logic, anybody who plays Warcraft no longer can be hired by your company. Torrent is a technology, nothing more. There is nothing illegal about torrents in and of themselves. The fact that people violate laws using it is irrelevant.
You know what, people use cars in the commission of crimes. Let's ban cars! Same logic. Flawed.
Steve on June 1, 2008 10:06 AM
"but apparently the war rages on even today"
With Dish and Echostar (and probably some Euro sat providers) but not so much with DirecTV. Ever since the HU/P3 card was taken out of service, they have been pirate free....that was 3 or 4 years ago now.
"A truly amazing hack. I wonder how come the Hacking community had not modified their boxes to somehow virtualize the card completely. Perhaps they got complacent with their successes."
Not really....complete virtualization never happened because no one was able to reverse engineer the ASIC that was part of the decryption key generation. A lot of effort was put in this direction since it would have provided interruption free pirated service....but since partial hacks were readily available (partial emulation and modifying the cards directly) it just wasn't worth it to invest the time and money. And now with the 4th/5th generation (probably later too, I stopped paying attention) cards in service, the pirates are so far behind that they'll probably never catch up unless Dave makes another blunder with card security.
The architecture of the DirecTV transmission system was very smart. From the beginning they acknowledged that their cards would be compromised. So, they designed the system such that the cards could be phased out....this capability was clearly by design and not bolted on.
I don't know if this was true before the P3 cards, but during the P3 cards (post Black Sunday) the decryption key would be generated based on output that resulted from dynamic code that was sent via the data-stream to be run on the cards. Typically this code would checksum various memory locations on the card and the result of that checksum would be fed into the card's ASIC to generate the decryption key. If you modified the code on the card to do things like always allow viewing of certain channels...well then the checksum would be wrong sometimes and you'd get a blank picture.
Various attempts were made to combat this technique...the most popular one was the 'WD-40' method....it would consist of a checksum of the dynamic code itself, and said code's desired result. This way, the card would not have to execute the code but could just retrieve the correct result for that code from a lookup table. Many variations of this were present. Some variations allowed the user to update the lookup table themselves via the receiver by changing the parental code (or something like that..I can't remember exactly).
It might interest people to know as well that this community also had its own 'free software' movement....there were three camps. First you had dealers, who wanted to keep all developments secret so they could make a profit. Second you had leeches who just wanted free TV (even if they had to pay a dealer for it...heh)....and third you had the freeware guys who just wanted to battle Dave/DirecTV.
It was very fun to be involved in the whole thing back then when DirecTV was still a game, but the whole landscape has changed since Dish doesn't fight back as often and on the whole doesn't have as interesting of an architecture IMHO.
XMyth on June 1, 2008 10:40 AM
I remember back in the day when we built a circuit board that would go in between the cards and the receiver, it would not go out as much but, nonetheless it still went out. I remember when all of this was going on, my folks had a receiver for that reason. It was nice to have all the channels for the basic price.
Criminal on June 1, 2008 11:01 AM
"GAME OVER". Brilliant!
The video sums it all up quite nicely. The effort and creativity that went into getting something so lame as stealing is astounding. No wonder "geeks" have such a funny reputation and "hackers" are looked upon with such disdain in most of society.
PaulG. on June 1, 2008 11:10 AM
Sending the info in small packets was a social hack that the hackers fell for. I think that the cards were made read only by the hackers, and they would only allow code to be on the card if it didn't disable the security defeating measures. They did allow innocuous code changes that were only meant to change the check sum verifications. The Black Sunday changes were all small changes. When the code was combined, it caused the problem. There's a more technical explanation in the original Wired article.
Shawn Leslie on June 1, 2008 12:44 PM
I also agree that DirecTV had a right to pull off this hack. While I am not a fan of the often intrusive and abusive tactics of the DRM that is being used to control what I can do with data that I paid for, it is very reasonable for a company to expect compensation for providing a service.
The people who were engaging in these hacks were by and large just stealing content, and that is not fair to anyone.
Jess Sightler on June 1, 2008 12:47 PM
I remember this day and time very well. In Canada you could not get DTV and the Canadian version sucked. Living on a border town, there were so many illegal dishes and most people just wanted to pay a dealer to have a working card and programming the card was the easiest way to do this, and even after Black Sunday, about 2 weeks the bootblockers started to show up on the market so the cards would continue to work. Nothing was ever really free, you had to buy the equipment, either pay a dealer to unlock/unloop your card or get the code and do it yourself with an unlooper or writer. It was an exciting time as people would talk about the latest ECMs. For lots of people it was about getting HBO and movies for free, others it was sort of an interesting game of technology and engineering.
Dashb on June 1, 2008 12:50 PM
Good job Jeff, keep on it!
The Dot Net Source on June 1, 2008 1:08 PM
you readers are down, although this is a good blog
Dot Net Trciks on June 1, 2008 1:09 PM
nice hack where do you find nice ideas like that ?
MS Follower on June 1, 2008 1:12 PM
beautiful story. usually you would expect only bad code coming from major companies, since they treat their smart guys either like slaves, or they only employ cheap dorks. I think this changed with the advent of google, where the employees are actually treated like humans.
so for this story the question would be: was Christopher Tarnovsky an employee of DirecTV? I guess not, he must have been a well paid contractor.
Poster on June 2, 2008 4:13 AM
Never heard of this before! Masterful!
fredpyo on June 2, 2008 5:09 AM
Welcome to the cracking game :) In the past, our licensing scheme was rather simple. It was broken. Not just broken, someone could reverse engineer it up to the point he could create arbitrary licenses - a keygen. When we first saw, it was a shocking discovery. We thought we had such a clever method, nobody can ever guess that by stepping through assembly code - we were wrong. No matter how smart you are, someone is probably smarter than you.
No time to sit around and cry - we replaced our licensing code with a completely new one. The code itself which is still the best code we have ever written IMHO, zero bugs found so far (after years of usage), robust to the ground, not a single byte memory leakage has been written in only two weeks (actually it was done in one week, one week was just fine tuning and adding a couple of desired features to it). We consider this code unbreakable and so far it has been unbreakable (okay, every code can be broken in theory, but this one is really a hard nut to crack).
Great, we had an (almost) unbreakable licensing scheme, so we won, didn't we? - Nope. Crackers came and said "Hey, why breaking the licensing code itself - it's way too hard. Let's break the code around it". Unfortunately we can't secure all the rest of our code as perfectly as we did with the licensing code. So instead of serials, crackers started releasing binary patches.
And that's where the real game starts. We release updates frequently, so writing a patch for every minor update would have killed the crackers. Instead, they wrote universal cracks. Cracks that try to identify certain code patterns and work around them. These cracks keep working, even if 60% of the whole code has changed between two updates, as long as they can still find the patterns they are looking for. So we try to break their pattern matching and they try to identify new patterns.
It's a game neither side can win, unless either side gives up completely. We won't give up, we earn our living that way. Crackers earn nothing but reputation, nobody pays them for it, but they seem to have their fun. Right now we are on top. We recently did something rather clever (I had to think about it, when I read your blog post) and so far this seems to give crackers some headache. At least no cracks floating around for quite a while now (months). However, we are realistic. It is only a matter of time till someone will spot the trick and work around it. Sometimes this game is annoying, but sometimes it's fun. I love to read discussions of crackers discussing our code and how to break it. It's so funny if you listen to what they assume and how they think stuff works, if you in fact know what's really going on :P
Mecki on June 2, 2008 5:09 AM
Good thing that the code DirecTV sent to the cards worked. Otherwise, "GAMEOVER" could have become a slogan for hackers worldwide representing what happens to you if you try to beat them at their own game.
Mike on June 2, 2008 7:06 AM
black sunday will always be remembered but there is new tech already there its hard to stop hackers underground conn.
hack02 on June 3, 2008 5:01 AM
@Ryan
They already did that: http://www.engadget.com/2007/12/27/windows-home-server-bug-corrupts-files/
Professor Tom on June 4, 2008 4:35 AM
I hear so many people saying that DirecTV had the right to do this, but none ever point out that they are piping the streams into your house. The streams are already there in your house whether you are receiving their service or not.
One of these days, an alien race may come down and jail all of Earth for attempting to decrypt the background radiation using the same logic DirecTV uses to criminalize people who translate signals already there into something useful to them.
silchan on June 11, 2008 7:54 AM
You know what, people use cars in the commission of crimes. Let's ban cars! Same logic. Flawed.
I'm not so sure. Cars: can you /really/ trust them?
Jeff Atwood on June 11, 2008 9:48 AM
"Oh, and sichan, the difference is that DirecTV owns the content of that signal. It's illegal the same way stealing cable is illegal, it doesn't matter that it's being sent from a satellite. "
Although DirecTV owns the content of that signal, they are transmitting it through your house whether you subscribed to them or not. Therefore, it is not illegal to intercept that signal. It is illegal, however, to hack the DirecTV cards/boxes - which you merely rent, but never own - in order to decode the signals.
KG on June 17, 2008 11:27 AM
Is it legal for a company to send poison through the pipes if someone is stealing water from the system?
Hmmm...
@Paul:
Yes, if it is a kind of poison that harms only those who steal it and has no effect on the legit ones.
Bill on July 22, 2008 5:48 AM
In a where are they now... Christopher Tarnovsky is now being prosecuted for going dark-side:
Anynomous Coward on July 22, 2008 6:00 AM
help me
abiyot on April 18, 2009 10:55 AM
Jehanzeb Kills sunday super bowl...
Black sunday... on April 22, 2009 2:09 AM
Very nice touch to add GAME OVER...
Max on April 22, 2009 3:51 AM
The HU cards (football cards) were totally hacked and dave could do nothing but replace the card.
There are some that still deal with hacking this system
but have been driven far underground.
A friend of mine from "beyond the rim" made significant progress
on the newer cards as well as a pair of guys from the north country.
DirecTV clamps down on ANY attempts and heavily fines anyone shown
to have any progress on hacking the newer cards.
Most are not even publicized as they do not want any attention.
Davey is very powerful in the media world.
Arrow22 on May 25, 2009 11:33 AM
"It sounds like it would be about on a level with MS formatting your hard drive if you run a cracked version of Office."
Could you imagine! Talk about anti-piracy!
"yet alone"? at least put a [sic] in there
John Ferguson on February 6, 2010 10:24 PM
Brilliant! I hope the amazing hacker DirecTV hired got a large bonus, that's a hell of a fast one to pull on a group of technical minded people like the ones stealing tv.
Oh, and sichan, the difference is that DirecTV owns the content of that signal. It's illegal the same way stealing cable is illegal, it doesn't matter that it's being sent from a satellite.
Cameron on February 6, 2010 10:24 PM
That is amazing. Even the name is iconic as all get out. This is total movie material.
Jon on August 20, 2010 12:15 PM
In a shocking revelation, it came under light that DirecTV violated consumer practices and was fined $14 million for that. It’s not exactly the same that you have expected from a renowned company like DirecTV.
Lisa Lee on January 6, 2011 11:31 PM
You know, I think I'm with DirecTV on this, I doubt that's a very large group of users (there may well be a decent number of people who can't get a channel they want, but not that many are willing to mod their receiver over it), but I would be inclined to feel sympathetically towards them. What channels do they lock out geographically besides local network affiliates?
see info on buy satellite tv click here: http://www.dish-network-vs-direct-tv.com/
Robert on April 5, 2011 1:16 AM
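The scheme XMyth's comment above describes for post-Black Sunday cards (broadcast code checksums card memory and the result feeds the ASIC that generates the decryption key), combined with the article's point that updates had to be present on the card to receive video, can be sketched as follows. This is an added example, not DirecTV's or any commenter's code; the HMAC stand-in for the ASIC, the XOR scrambler, the 64-byte memory layout and every name in it are assumptions.

```python
import hashlib
import hmac

# Assumption: stands in for the card ASIC, whose real function the page never gives.
ASIC_SECRET = b"constructed-asic-secret"


def apply_update(image: bytes, offset: int, fragment: bytes) -> bytes:
    """Write one broadcast update fragment into a card image."""
    return image[:offset] + fragment + image[offset + len(fragment):]


def measure(memory: bytes, regions, nonce: bytes) -> bytes:
    """Role of the broadcast dynamic code: checksum selected memory regions."""
    h = hashlib.sha256(nonce)
    for offset, length in regions:
        h.update(offset.to_bytes(2, "big") + memory[offset:offset + length])
    return h.digest()


def derive_key(measurement: bytes) -> bytes:
    """ASIC stand-in: checksum result in, decryption key out."""
    return hmac.new(ASIC_SECRET, measurement, hashlib.sha256).digest()


def scramble(key: bytes, data: bytes) -> bytes:
    """Toy symmetric XOR scrambler, only here to make a wrong key visible."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


# Constructed sample data: a 64-byte card image with a tier byte at offset 8
# and two update fragments that the head-end expects to be present.
BASE = bytes(64)
TIER_OFFSET = 8
UPDATES = [(16, b"\xa1\xa2\xa3\xa4"), (32, b"\xb1\xb2\xb3\xb4")]
FRAME = b"constructed video frame"

REFERENCE = BASE
for _offset, _fragment in UPDATES:
    REFERENCE = apply_update(REFERENCE, _offset, _fragment)
PATCHED = apply_update(REFERENCE, TIER_OFFSET, b"\xff")  # subscription byte altered
STALE = apply_update(BASE, *UPDATES[0])                  # second update never applied


def run(regions, nonce: bytes = b"epoch-1") -> dict:
    """Head-end scrambles under the reference key; report which cards get a picture."""
    broadcast = scramble(derive_key(measure(REFERENCE, regions, nonce)), FRAME)
    cards = {"reference": REFERENCE, "patched": PATCHED, "stale": STALE}
    return {
        name: scramble(derive_key(measure(mem, regions, nonce)), broadcast) == FRAME
        for name, mem in cards.items()
    }


if __name__ == "__main__":
    print(run([(0, 16), (16, 8), (32, 8)]))  # wide coverage
    print(run([(16, 4)]))                    # narrow coverage misses both changes
```

The narrow-coverage call shows why the comment says the checksum "would be wrong sometimes": a card fails only when the regions chosen for that broadcast include the bytes that differ, so the head-end has to vary the regions between broadcasts to cover the whole image.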