Distributed TiVo Code Cracking

Twostep writes "With the newest version of the TiVo software (Version 3.2), TiVo has once again changed the secret password to enter "backdoor" mode, which lets advanced users enable hidden features. Unlike last time, people were not able to quickly find the new code, so a distributed computing project was started to find the backdoor codes. You can read about it Here, grab the Linux or Windows clients and pitch in some CPU time for a good cause."
  • Idiots (Score:3, Insightful)

    by __aafkqj3628 ( 596165 ) on Saturday November 02, 2002 @05:52AM (#4583170)
    Really, when the hell will these people (the companies) learn that this will do NOTHING.

    In TiVo's case, would just removing the backdoor altogether work instead of just putting a new, totally hackable and insecure password on there?

    Either way, I'm taking bets on how long it will take for the password to be cracked.
    • Re:Idiots (Score:5, Interesting)

      by warmcat ( 3545 ) on Saturday November 02, 2002 @06:52AM (#4583277)
      This isn't true, unfortunately. When the implementations of strong hash checking are done properly (everything in one chip, ROM a la Xbox), they WILL succeed in locking everyone else out without very expensive hacks.

      Personally I think new law is needed to render this illegal, unless it is under the control of the user.

      If you think that sounds extreme, consider that the persistent state for all copyrighted works is that they are in the public domain. It is a temporary aberration of a few years that the works are allowed to be held privately. After that they are meant to be available for everyone. As it is these encrypted fortresses inside consumer products will never yield up their secrets.
      • Re:Idiots (Score:3, Interesting)

        This isn't true, unfortunately. When the implementations of strong hash checking are done properly (everything in one chip, ROM a la Xbox), they WILL succeed in locking everyone else out without very expensive hacks.

        Personally I think new law is needed to render this illegal, unless it is under the control of the user.


        while i concur that the notion of a company removing or limiting features after the purchase of a product is disagreeable, you are incorrect in citing the xbox as a 'hack-proof' design. The gamecube actually has the design you are referring to, where the bios and many/most/all security measures are contained in a single, integral chip such as the CPU, or the graphics chip as is the case with the gamecube iirc.. the gamecube media also contributes to the difficulty of hacking the unit to run anything other than nintendo authorized games.

        the xbox has been modded to the point where you can not only run games from different territories, you can actually run ftp clients on it and download games and movies onto an upgraded 120gb HDD and play them directly from disc. in the current hardware, the bios chip is separate from other (more expensive and customized) hardware. the common media and separate security measures (unencrypted signals travel an accessible path at one point) contribute to the xbox having been hacked.

        that said, i believe your proposed legislation would be difficult to implement for at least two reasons; one being that you likely purchase a license to the software rather than the software itself. I guess you could still try and legislate acceptable license terms, but even then the definition of a 'good' or 'bad' feature being added to or removed from a product may be a matter of perspective.

        and visit my website goddammit!!@!
        • They tried this way back in the '80s with the VideoCipher II. The encryption keys were stored in a single MCU chip, in RAM (with a battery on the board). If you pull the chip, the keys vanish - that was the idea.

          I know of people who strapped a battery to the MCU, unsoldered the MCU from the board, took it to a semiconductor manufacturer's failure analysis lab (there are several here in town). There, they read out the bits with an electron microscope and had the keys and the algorithm. My acquaintances, btw, never did anything with this information. They were hackers, not crackers.

          Later it turned out that one could rebond one pin in the package, and read out and send back in crypto data. This led to a whole industry providing free "pay" TV.

          Putting it in one chip just isn't enough.

          Now, if they have a cryptographically good hash, even knowing the desired hash result isn't good enough to allow you to build boards that satisfy the hash. That limits the damage to those folks willing to modify (or, most importantly, pay greedy techs to modify) their boxes, which is exactly what happened with the VideoCipher II.

          Last time I looked, less than half of all VideoCiphers sold were *ever* enabled with a paid-for code.

          And this was in the '80s!
      • Re:Idiots (Score:3, Insightful)

        by warpSpeed ( 67927 )
        This isn't true, unfortunately. When the implementations of strong hash checking are done properly (everything in one chip, ROM a la Xbox), they WILL succeed in locking everyone else out without very expensive hacks.

        It is true! It only takes ONE successful hack, then it is out of the bottle, until they release the next upgrade. With pooled resources, ala distributed CPU power, the problem will be solved eventually. These companies are not going to put in real expensive CPUs to do heavy duty crypto when they are selling a commodity product. The cost per unit is too great. There will always be more powerful CPUs than the ones in these appliances.

        • Re:Idiots (Score:3, Informative)

          by warmcat ( 3545 )
          The RSA Crypto done on the Xbox XBE for example uses a 2048 bit key. It does not take an inordinate amount of time because they do a fast SHA-1 hash of the XBE contents, and then RSA-encrypt just the hash.

          This is unbroken because anyone who knows enough to have a go at it can do the 2^2048 math and realize they are doomed, even with a planetful of Space Year 2100 supercomputers.

          The fact is that strong crypto is going to lock out anyone other than the keyholder from being able to contribute to whatever platform is being locked up. The ONLY way through it will be implementation problems.
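The hash-then-sign check described in the comment above, as an added Python example that is not part of the thread and is not the Xbox's actual code. Assumptions: the key is a constructed toy key built from two Mersenne primes (trivially factorable, deterministic, illustration only), the image bytes are constructed, the PKCS#1 v1.5 encoding is chosen here because the comment does not say which padding is used, and `sign_image` / `verify_image` are hypothetical names.

```python
import hashlib
import hmac

# Constructed toy RSA key: product of two Mersenne primes. Anyone can factor
# this modulus, so it only illustrates the mechanics, not a real key.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8          # modulus length in bytes

# ASN.1 DigestInfo prefix that identifies SHA-1 in PKCS#1 v1.5 signatures.
# SHA-1 matches the comment; current designs use SHA-256 or stronger.
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")

# Constructed sample "executable image" (about 16 KiB of filler bytes).
SAMPLE_IMAGE = b"XBE-SAMPLE" + bytes(range(256)) * 64


def encode_digest(image: bytes) -> bytes:
    """Hash the whole image, then wrap only the 20-byte digest in
    PKCS#1 v1.5 padding: 00 01 FF..FF 00 DigestInfo || digest."""
    t = SHA1_DIGESTINFO + hashlib.sha1(image).digest()
    padding = b"\xff" * (K - len(t) - 3)
    return b"\x00\x01" + padding + b"\x00" + t


def sign_image(image: bytes) -> bytes:
    """Key holder's side: one private-key operation on the encoded digest,
    no matter how large the image is."""
    m = int.from_bytes(encode_digest(image), "big")
    return pow(m, D, N).to_bytes(K, "big")


def verify_image(image: bytes, signature: bytes) -> bool:
    """Device side: only the public values (N, E) are needed. The recovered
    block is compared against a freshly built encoding in full, rather than
    parsed leniently, so a malformed block cannot pass."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    recovered = pow(s, E, N).to_bytes(K, "big")
    return hmac.compare_digest(recovered, encode_digest(image))


if __name__ == "__main__":
    sig = sign_image(SAMPLE_IMAGE)
    print("signature bytes:", len(sig))
    print("original verifies:", verify_image(SAMPLE_IMAGE, sig))
    patched = bytearray(SAMPLE_IMAGE)
    patched[100] ^= 0x01               # a single flipped bit in the image
    print("patched verifies:", verify_image(bytes(patched), sig))
```

The device stores only the public modulus and exponent, which is why reading them out of the hardware does not let anyone produce a signature for a modified image.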
      • Re:Idiots (Score:5, Interesting)

        by jpt.d ( 444929 ) <.abfall. .at. .rogers.com.> on Saturday November 02, 2002 @10:57AM (#4583702)
        I think the persistent state for all copyrighted works made after Mickey Mouse will continue to be copyrighted...

        Disney: "You can have Mickey Mouse, when you pry it from my cold dead fingers"
    • Re:Idiots (Score:5, Insightful)

      by subuni ( 264682 ) on Saturday November 02, 2002 @08:08AM (#4583375)
      In TiVo's case, would just removing the backdoor altogether work instead of just putting a new, totally hackable and insecure password on there?

      I don't work for TiVo, so I don't know their intentions. But I can speculate. You can do some nasty damage to your TiVo through use of some of the back doors (Node Navigator being the most famous method). So, you get Joe Blow who accidentally does this to his TiVo, screws it up, and calls support -- Their costs have now increased.

      It's too difficult to remove the backdoors. They're quite useful inhouse during dev/test cycles (a QA tester notices a bug, they can easily view the log files, etc). Two branches of the software, one inhouse with the backdoors, and one w/o them for the public is a lot to deal with. What if you applied a patch to one branch, forgot about the other. Now QA has to test both branches, to make sure they're the same. QA people whine, a lot (rightfully so sometimes). They won't like that.

      So, what's the best option? While doing inhouse testing, use a nice simple code (1234). Right before you're ready to GM it, change it to something "impossible" (i.e. uses characters that can't be entered through the TiVo). The code-base is the same, so QA can get away with just running a quick set of happy-path tests. And, this now reduces Joe Blow's chance of killing his TiVo (since he can't enable backdoors), it lowers support costs, and everybody (inside TiVo) is happy. A "win" situation for TiVo.

      Of course, a "hacker" can go in and change the code to something that isn't "impossible", but if they screw up their TiVo and call support, support doesn't have to help them this time. They voided their warranty when they opened the case, to pull the drive, to change the backdoor code. Another "win" situation for TiVo.

      Whether or not this is the case, I don't know... But, it sounds very likely to me.
      • Re:Idiots (Score:5, Insightful)

        by Martin Blank ( 154261 ) on Saturday November 02, 2002 @08:48AM (#4583438) Homepage Journal
        It's too difficult to remove the backdoors. They're quite useful inhouse during dev/test cycles (a QA tester notices a bug, they can easily view the log files, etc). Two branches of the software, one inhouse with the backdoors, and one w/o them for the public is a lot to deal with. What if you applied a patch to one branch, forgot about the other. Now QA has to test both branches, to make sure they're the same. QA people whine, a lot (rightfully so sometimes). They won't like that.

        Not intending flamebait, but isn't this exactly what we're usually complaining about companies doing? This is one of the highest examples of insecure design. It's not that difficult to remove the backdoor code from the public release, if you code it right to begin with. I know it's just a TiVo, but at some point, a lot of these things that we refer to as "just a" will be network connected, and it's best to start early on best practices, especially since the TiVo is networkable.

        Yes, people like to get into their TiVos (and other gadgets) and tinker with them. A friend who has a TiVo does it all the time, and when I see word of a new hack on Slashdot, I usually let him know. That being said, he's perfectly well aware that what he's doing can seriously screw him if he breaks something. If TiVo really wanted to lock people out, they'd disable the backdoors to begin with, and if they really needed to see the logs on a defective unit, they could load it up on a custom system that can pull the logs from the drives after putting them in a read-only configuration. It wouldn't stop everyone from getting in, but it would stop all but the most determined.
    • Re:Idiots (Score:4, Interesting)

      by mindstrm ( 20013 ) on Saturday November 02, 2002 @09:23AM (#4583500)
      Because Tivo doesn't really care. They are doing this, probably, so that they can safely say that joe average doesn't have these features.

      Do you think they are so stupid as to think that the community won't crack this? of course they know it will.. the point is that they be seen as shipping a product with these features disabled.

      If it's too easy, and already public knowledge, they will change it, otherwise they could be seen as supporting those features, and could end up in court. Forcing people to go through this kind of crap makes it so it's easy for them to point out that it's unsupported, not part of their main product, etc.

  • by Anonymous Coward on Saturday November 02, 2002 @06:05AM (#4583195)
    TV! Now there's a cause I can get behind.
  • Is it updated via modem? if so, why not tap your own line!

    i don't have a TiVo... nor... well yes I have a modem but it is currently being used as a paperweight...

    But couldn't we get one of these software modems to just listen in on the other traffic?

    I suspect that some Satellite TV companies do their stuff over the satellite... and some do it over the modem... either way, If I buy something... it's mine... No bugger is going to get away with deactivating it on me...
    • The effort doesn't relate to the stuff that is downloaded from the modem. It is an attempt to decrypt a password whose encrypted form is known which is used to activate "backdoor" features. Therefore, there is no way to attack it from the tty stream -- it is never used there.
    • Yes the updates come by modem (or more recently encoded in some "paid programming" shows on Discovery channel that the TiVo automatically tunes to and records), but that doesn't change anything. The software updates come in "slices" which are encrypted themselves. The TiVo has a hardware crypto chip that is used to decrypt those.

  • by user311 ( 320598 ) on Saturday November 02, 2002 @06:09AM (#4583205)
    good cause?

    How is this a good cause? I am asking out of sheer curiosity, not against the statement. If there is a legitimate reason for cracking it, then can someone point me to some literature about this subject, or just explain to me why TiVo deserves to be cracked in this manner???

    I'm just confused, sounds like this is cracking, and last time I checked that's a pretty illegitimate thing to do, even advocate.
    • by JabberWokky ( 19442 ) <slashdot.com@timewarp.org> on Saturday November 02, 2002 @07:50AM (#4583354) Homepage Journal
      Yes, this is cracking - it's getting the password to a machine that you have bought and paid for and is your private property. In other words, to move it to a metaphor for the physical world, people are trying to unlock their own bike locks.

      A different, and possibly more interesting question is this: Why does the builder of the bike chain it to a bike rack *after* you have bought it and not give you the combination to the new lock? The scary thing is that according to the laws passed recently in the United States (by congressmen who likely did not understand the ramifications of what they were voting on), it is not only illegal to unlock your bike, but the original builders of the bike are allowed to lock it down any way they want after you have purchased it, and it is illegal for you to even discuss the lock with other people or try to unlock it by yourself so you can use the bike. It is generally illegal (not always, but often) to take apart the bike to turn it into a tandem bike. And if you discuss bike locks in general including starting up a website or discussing them via email it's not only illegal, but you might be a political activist, one of the threats to the United States according to the intelligence community [intelligence.gov]:

      Political activism on the Internet has generated a wide range of activity, from using e-mail and web sites to organize, to web page defacements and denial-of-service attacks.

      Life in these United States scares me of late. People have just about convinced themselves that they don't need to have physical power (the right to bear arms), and society is now casting organized groups in a bad light. First the right to bear arms, now the right to assemble.

      And you, a presumably intelligent person, cannot understand that you should have the right to crack into your own private property? Or that there is anything wrong with the fact that you have to do so?

      Ah, well...

      --
      Evan

      • JabberWokky, your analogy is poor. Although I agree that they should be legally allowed to access the backdoor, I don't like your analogy.

        The reason why is that you can't *use* your bike if it's locked. You are perfectly capable of *using* a locked Tivo for its intended purposes.

        A better analogy might be if the bicycle manufacturer *locked* the wheels to the bike. You'd still be able to ride the bicycle (aka use the tivo for its intended purpose), but you couldn't steal wheels from other bicycles and you wouldn't be able to change a tire unless you went to a *bicycle-company* certified mechanic who had the key (they do actually sell skewers for bike wheels with locks/keys). This might be akin to stealing content from other Tivos or opening up and fixing/modding the Tivo.

        I'm sure there are better analogies, but I just didn't think that yours applied very well. I do agree with your points, however.

  • by mumblestheclown ( 569987 ) on Saturday November 02, 2002 @06:11AM (#4583211)
    • corporations are evil?
    • individuals or companies that attempt any sort of security should be shown that all their base, does indeed, belong to us?
    • business models that involve selling a piece of hardware below cost to make money on additional software or services are the work of satan?
    • because hackers can do something means that they should do it. laws and conventions do not apply to them because it is unlikely that they will get caught.
    • if there's one thing the world needs, it's more TV.
    • information deserves to be free. other people's information, that is.
    • by phr2 ( 545169 ) on Saturday November 02, 2002 @06:17AM (#4583223)
      You paid for it, it's yours, and you should be allowed to do whatever you want with it.

      If some vendor decides, rightly or wrongly, that giving hardware away is a sensible business model, that doesn't in any way entitle them to any control over what you do with it once you take it home. Think of the stupid CueCat bar code wands from Radio Shack. The "legitimate" application intended for those things is long dead, but people continue to do useful things with the wands using software based on reverse engineering them.

      • by mumblestheclown ( 569987 ) on Saturday November 02, 2002 @06:29AM (#4583238)
        False.

        You cannot buy a 2003 ford mustang, remove the muffler, and drive around at 3am generating 100db of sound. Yes, it's your hardware, but rules exist to further a public good--a (relatively) pollution and noise free environment.

        Similarly, laws exist that say that you cannot circumvent protection mechanisms such as that on the tivo.

        Why? because, again, there is a public good involved, but this one is subtler. It's the public good of a business climate where companies make products and services using a variety of business models and people buy them and use them in a manner consistent with widely-held notions of fairness.

        the alternative is a world where prices are higher / options are fewer because companies would have to hedge against unauthorized uses.

        of course, for some businesses, it turns out to be beneficial that there is a user community that likes to hack around. but it's up to the company to decide whether that is, indeed, the case as far as it is concerned.

        • I wish I could mod your comment up but I can't at the moment so I'll just say that I think you make good points and you make them well. I also agree with what I believe were the underlying points of your original comment.

          +1 Insightful
        • by DNS-and-BIND ( 461968 ) on Saturday November 02, 2002 @07:05AM (#4583296) Homepage
          God-damn independent people...doing whatever they want to with their own property. This must be stopped!
        • You can if you don't disturb anyone, and its your own property.

          Try to think of an example where

          a) You own something
          b) But you aren't allowed to do something with it, even in your own property, and it doesn't affect anyone else.

          • by Dr. Evil ( 3501 ) on Saturday November 02, 2002 @12:22PM (#4584000)

            Think of stuff like drugs, suicide, fictional pornography, and you'll have lots of laws which can get you arrested for doing things in the privacy of your own home. On the other hand, I like to think that the actions are only criminal if you get caught which means, by definition that you are no longer affecting only yourself.

            However... I have a theory about this. As an armchair political theorist, I will make the broad statement that capitalism is anti-democratic. In the eyes of government, the will of the corporation has long outweighed the will of the people.

            International government power is found in economic well-being and competitiveness. Corporations provide that power and are thus more important than citizens.

            So if a corporation says "we can be more competitive if you support digital-etcetera laws", the government is compelled to assist them. Why? Because if your country slips in the capitalist system, you lose international power.

            From this perspective, the Microsoft case was one where the government was torn between defending the internal free market, and defending a great international economic power. From the microscopic perspective... hurting the corporation could do more damage to domestic jobs than could be recovered by a healthy domestic marketplace. A battle between the tangible and immediate (jobs) and the abstract (healthy internal economy).

            So do you use government might to empower Disney, Warner Bros and other domestic corporations? or do you risk losing those corporations in the interest of personal freedom. That is, do you preserve your healthy and powerful global industry at the cost of individual liberties?

            What could the people gain by the government supporting individual liberties?

            • Think of stuff like drugs, suicide, fictional pornography, and you'll have lots of laws which can get you arrested for doing things in the privacy of your own home.

              If you commit suicide, you don't get arrested, you get embalmed (or cremated, I suppose, depending on your wishes).

              Unless, of course, you screw up.

              Same with drugs, really - unless you're either in public (making an ass of yourself), distributing, or get caught while buying, you're pretty much safe doing them in the confines of your own home. It's generally the periphery effects of drugs that get people caught (committing crimes for money with which to buy the drugs, or going into public whilst blasted and doing something equally stupid).
        • You cannot buy a 2003 ford mustang, remove the muffler, and drive around at 3am generating 100db of sound.

          You can't bludgeon someone to death with a Tivo either, but that doesn't make it any less a specious analogy.

          No one has a right to a profitable business model, and the power grab by content manufacturers has no more or less moral authority than the resistance of people using piracy. They rationalize that behavior because the corporations themselves are already trampling on the "widely held notions of fairness".
        • by TarpaKungs ( 466496 ) on Saturday November 02, 2002 @08:11AM (#4583376)
          Good argument, mumblestheclown. But I disagree concerning the freedom to employ unstable business models.

          I agree, it wouldn't be very nice to set fire to my Tivo and throw it through your window. Conversely if I rip the silencer off my motor, it would be perfectly OK to drive it around on private land (with permission) 20 miles from the nearest inhabitant (in the UK at least).

          One reason I may want to mod the box is this: consider that maybe I want to use and pay for the Tivo service but I also want to add some random feature. That would be in the same league as installing an amp in my car or whatever. I do not expect to have to ask the manufacturer's permission to disassemble my dashboard.

          The other reason I may want to crack the unit is that it's my box - I paid for it, I own it, it's on my property.

          I take on board your argument supporting varying business models - but I hold that the business model is flawed. Sell the box at a profit and discount the service. In a way Tivo's business model is basically parallel to the "loss-leader" trick employed by supermarkets. They offer something at an attractive discount (actually with a negative profit margin) in the hope that I will buy other products. However, it is perfectly reasonable for me to isolate all the loss leaders and buy them and nothing else, thus making a loss for the company. That's the risk they took. On average it works out well for them (or they'd stop doing it).

          I'm sorry - if Tivo want to guarantee that I will buy their service, they shouldn't sell the box on its own. Or they shouldn't at least sell it at a loss. I can buy a phone without a phone line or rent a phone line without a phone. It would be silly, but I can do it and it doesn't cause the telco or the phone makers any problems.

          I generally subscribe to the view "What I own I can take the lid off and poke around" as a starting point. I am very much against any business model which is so flimsy that it needs laws like the DMCA to support it.

          All of which is why I've added 2 machines at home to the cracking pool :-)

          Sod the DMCA and everything like it in Europe!

          Best, Timbo

          • It would be appropriate to note that this "crack" doesn't allow you to obtain free service, and that this has never been about free service. It's just about the ability to modify your Tivo, install cool things like TivoNet cards and so forth. Tivo keeps making this more difficult with every release. And each time it wears away a bit of community goodwill, which is sad because it's this thriving community on which Tivo has built a business.
        • by photon317 ( 208409 ) on Saturday November 02, 2002 @08:13AM (#4583383)

          Wrong. I *can* do whatever I want to a 2003 ford mustang. I can remove the muffler, modify the camshaft... hell I can strap a rocket on the back if it pleases me. Obviously the manufacturer won't honor my warranty once I cross certain lines, and obviously because of laws for the common good, I won't be able to legally drive it on public highways after a certain point as well. But at any stage in whatever process, Ford will be more than happy to supply me all the technical data and help I need when it comes to how their car is designed and built - although some of the more advanced manuals come at a reasonable cost.

          If TiVo were the same, then they should allow me to turn the box into a linux unreal tournament machine or an X.10 controller or whatever the hell else I want to do with it, and provide specs and documentation as necessary to boot. They would of course void my warranty and/or tech support when I open the case or make invasive software changes - and at some point down the mod path they may no longer allow me to subscribe to their services, and may even disclaim to me that it's no longer legal for me to hook my TiVo up to a cable/satellite network (however dubious that may be) - but they wouldn't stop me from doing whatever I wanted with the hardware in my own home.

        • by Fnkmaster ( 89084 ) on Saturday November 02, 2002 @08:15AM (#4583386)
          Sorry dude, you are 100 miles off target. You aren't allowed to remove that muffler because it affects the PUBLIC GOOD, not because it adversely affects Ford's bottom line. There is massive gap between laws regarding use of your possessions in a manner contrary to the manufacturer's bottom line, and laws regarding use of your possessions to infringe on other individual's rights to life, liberty and the pursuit of happiness (and no, a corporation itself or a business model do not have rights).


          A better example might be buying a 2003 Ford Mustang, ripping off the exhaust and installing an aftermarket exhaust system for 2003 Ford Mustangs. If Ford says "but we sell our Mustangs at a loss, the EULA says you will buy parts and maintenance from Ford" you would tell them to go fuck themselves. Likewise when a hardware or software maker tells me what I can do with a product I legally purchased.

        • by Zeinfeld ( 263942 ) on Saturday November 02, 2002 @08:27AM (#4583403) Homepage
          Why? because, again, there is a public good involved, but this one is subtler. It's the public good of a business climate where companies make products and services using a variety of business models and people buy them and use them in a manner consistent with widely-held notions of fairness.

          I find it amazing that Tivo apologists fall for this type of tactic. The only reason they do is that they have not woken up to the fact that Tivo is not the only maker of PVRs.

          I do not expect Tivo to survive. The clueless business model only works if there is no competition. There is plenty of competition in the space and that is only going to increase. Nobody succeeds with a razor and blades business model (the Tivo subscription) when there is a cheaper option flat fee.

          Every one of the clueless 'I just want 0.01% of every transaction on the net' payment schemes failed miserably.

          But every time we have a Tivo story the Tivo heads rush in to explain why everyone should pay twice the going rate for the technology. It is as pathetic as the Apple apologists, 'Macs are fastest, speed is what matters, buy a Mac, oops they are no longer fastest, well it isn't just CPU power that matters, its benchmarks, no its the pretty case'. Apple's price gouging and constant interface changing games to make old peripherals obsolete should be criticised as much as if not more than Microsoft's tactics. But they get away with it.

          I don't want the video to decide what to record, I do that. I want a recorder with a removable disk so that the thing is not always full. There is an interesting port on the back of my DishPlayer PVR, anyone know what it does?

          • Nobody succeeds with a razor and blades business model (the Tivo subscription) when there is a cheaper option flat fee.

            1. Who's this competition giving away the service for free? I hope you don't mean ReplayTV, where the cost is built-in up-front, do you? (Likewise, you can get a TiVo with lifetime service for about the same as the ReplayTV of similar stature.)

            2. You are assuming all things are equal. If the service is better, people may pay more for it. Consider the Mach3 razorblades -- far more expensive than the other brands, and far more popular! Why is that? Because the perceived quality is higher and people are willing to pay for it.

            But every time we have a Tivo story the Tivo heads rush in to explain why everyone should pay twice the going rate for the technology.

            Honestly, what the fuck are you talking about?

            There is an interesting port on the back of my DishPlayer PVR, anyone know what it does?

            I'm not familiar with the DP PVR, but if it was as popular as TiVo, you'd probably already know what that port does.
            • 1. Who's this competition giving away the service for free? I hope you don't mean ReplayTV, where the cost is built-in up-front, do you? (Likewise, you can get a TiVo with lifetime service for about the same as the ReplayTV of similar stature.)

              I pay no more for my dishplayer satellite subscription than for either the same subscription without the PVR or for the local cable. In fact I pay less than the cable charges. The dishplayer unit was free.

              PVRs will be a commodity item in a couple of years costing no more than $250-$400 all in with no subscription.

              2. You are assuming all things are equal. If the service is better, people may pay more for it. Consider the Mach3 razorblades -- far more expensive than the other brands, and far more popular!

              Tivo are reselling TV timetable information which costs them nothing at $10+ per month. The dishplayer reads the satellite program guide.

              The only possible leverage that Tivo has in this market is to patent the blatantly obvious and try to bully competition out of the market. That is the type of behaviour that is generally objected to on Slashdot. Tivo is an exception, Apple tends to be the other exception.

              Tivo will be deservedly roadkill when the XBox II and Playstation III come on the market offering PVR technology with no strings attached.

        • by romco ( 61131 ) on Saturday November 02, 2002 @10:15AM (#4583581) Homepage
          "You cannot buy a 2003 ford mustang, remove the muffler, and drive around at 3am generating 100db of sound. Yes, it's your hardware, but rules exist to further a public good--a (relatively) pollution and noise free environment."

          Yes you can... removing your muffler is totally legal. You are only breaking the law when you drive it on public roads. You can take it to a race track and drive it all you want.

          If someone converts a Tivo into a hacking device AND uses it to break into computer networks, that would be illegal. You could also break the law by hitting someone over the head with your Tivo, no modifications required.

          Cracking and modding your Tivo is, and should remain, totally legal.

        • You cannot buy a 2003 ford mustang, remove the muffler, and drive around at 3am generating 100db of sound. Yes, it's your hardware, but rules exist to further a public good--a (relatively) pollution and noise free environment.

          First of all, you CAN remove your muffler and drive around at 3AM. You can do anything you want to that car. You just can not drive it on public roads legally after the fact. If you do this in your own property or a place like a track and no one complains about the noise it is 100% perfectly legal. Have you been to a race track on a test and tune night? By the way, removing the muffler does not increase your emissions levels, removing the catalytic converters does, and yes, you can buy off road pipes (meaning no converters) from thousands of companies for just about any vehicle.
          Modifying a TIVO in no way shape or form bothers my neighbors or is a nuisance to the general public.

          the alternative is a world where prices are higher / options are fewer because companies would have to hedge against unauthorized uses.

          So when your business has a model that can not make money, the government should change the law against the public good (to use your own words) to help you make money? Are you on someone's lobbying payroll? Did you ever think that maybe if a company made these hidden options available or added more options that maybe they could sell more units? The consumer would have MORE choices.

          the alternative is a world where prices are higher / options are fewer because companies would have to hedge against unauthorized uses.

          No, the alternate is where companies compete on the quality and usefulness of their products. Not trying to squeeze every last penny from a product that is not really exactly what someone may want because a government handout let them keep making it for a profit on it.

          • Modifying a TIVO in no way shape or form bothers my neighbors or is a nuisance to the general public.

            False! If modifying the TIVO leads indirectly to buying less software or services or whatever follow-on they are trying to sell is, then your individual actions HAVE outside effects, even if the actions themselves are restricted to your basement.

            Now, we can argue whether or not a business model is a public good (I would clarify--I don't believe "a business model" as in "tivo's business model" is a public good, but I do think reasonable restrictions on use of products in order to facilitate innovative business models in general is a good thing / a class of public goods.) That is, I think our society would be worse off if companies could NOT sell hardware as loss leaders, because the sale of hardware as loss leaders has positive externalities of getting people into technical items WHILE remaining a sustainable state in that companies can profit from it.

            Again, we can argue over whether i'm right as far as public good goes all night, but don't try to tell me that people modifying TIVO's at home, in aggregate, has no external effects.

            • but don't try to tell me that people modifying TIVO's at home, in aggregate, has no external effects.

              Can you specify an effect this would have and it be DIRECTLY related to my modifying my TIVO?

              Did you ever read the side of a Kraft Macaroni and Cheese box (or any food product instructions)? It says to mix in 1/4 of Parkay Margarine. The fact that I used store brand margarine and not Parkay will result in about the same effect I think you are referring to. I am sure that Kraft Foods would make more money if people only used Parkay and Starkist Tuna with their M&C. Does that make it WRONG for me to use something else? Does their business model rely on me to use it? Are they selling the M&C at a loss so the butter can even it out? Should there be a law that only allows me to use what they say on the box? Would everyone be better off as consumers if ALL products had this legal requirement and we were forced into following them? I don't think soooo..

              What happens when a TIVO competitor comes around and has a completely open system that allows you to do anything you want with it? Should they be legally banned so TIVO can stay afloat? If this other competitor does make it and TIVO fails would you know why? Because they gave the consumer what they wanted and they bought it!
        • So when Gilette sells razors at a loss, and i buy them, use them to decorate my walls, and never buy the razor blades, i am doing something that should be illegal?

          How about when the Wright brothers used popsicle sticks to make an airplane, instead of using them to make popsicles, as the manufacturer originally intended?
        • You cannot buy a 2003 ford mustang, remove the muffler, and drive around at 3am generating 100db of sound.

          You cannot drive it around in public places without its muffler, but if you owned a huge estate with its own network of roads, and it was large enough that the sound wouldn't reach your neighbors, you are not only allowed to drive without the muffler, but also without license plates, driver's license, insurance, registration, or serial numbers!

          This is an argument frequently put forth by the anti-gun lobby: you have to license cars and drivers, why not guns and gun owners? The difference is that in the former case you are licensing the right to use the vehicle in a public road you share with others, whose safety depends on your ability to use it correctly, whereas the latter would be required even for ownership in your private home.

          I think an analogy exists with consumer electronic hardware as well. As long as you are not entering or affecting a public space or other persons, shouldn't your hardware be yours to do with as you wish?

    • IDOAT (I don't own a TiVo), but I need a further explanation - someone please help.

      Here's my quandary. If I buy a TiVo, I believe I should own the hardware and the software if that's what TiVo says I own at the time of purchase. If they say I own the hardware, but they own the software - so be it (don't buy it if you don't like the terms). In the latter case, I do NOT have the right to access parts of my TiVo software that TiVo does not want me to access - I don't own it.

      Now, did TiVo change their terms of ownership?

      For example, if (and this is an if - I don't know too much about the situation) I bought a TiVo when the terms of service were "I own the hardware and software", and now TiVo says "I own the hardware, they own the software", then I should be able to choose to upgrade or not. If I choose to upgrade, I can surrender my rights to tinker with the software. I should be able to choose not to upgrade, and still run the TiVo as it was. Can I?

      What's the deal here? What exactly does TiVo say about ownership?
  • by phr2 ( 545169 ) on Saturday November 02, 2002 @06:13AM (#4583214)
    Why not just hack the code directly, to make it not bother with the password?

    And when are we going to stop giving a damn about consumer gizmos running embedded linux, as long as the actual interesting functions are in some closed application running in the box? The interesting gadgets are the ones that are fully hackable, so the application code comes with source and is easy to customize. Freevo [sf.net] might be a start at a hackable PVR.

    • actually mythtv is a lot better than freevo for most jobs
      it has recording channel listing live tv pausing mp3 player games box and gallery viewer
      they are already working on heuristics which sort of works and re encoding down to normal divx
      its quite hackable and is developing very well i use it at the moment for my tv watching needs
      www.mythtv.org
      But i do agree that it would be better for all if people devoted their time to projects like these
    • Because with the code anyone with a tivo can use it to do a few extra things. Hacking the code would at best require you to take the tivo apart and modify the code on your machine. Not quite so simple.
    • This is (sort of) possible. What you say can't be done literally on a Series2. TiVo has started checking hashes on everything in the Series2 units, so it's very difficult to hack the code on the TiVo. The kernel is signed with TiVo's private key, which the TiVo firmware checks on each bootup. Inside of the kernel is an initrd ramdisk, which contains the hashes to all the files on the TiVo's ext2 filesystem. (There's another filesystem called MFS that contains all of the TiVo video files and other critical data which isn't checked, but there's no executable code in there unfortunately.) Since the ramdisk is inside of the kernel, if you attempt to modify the ramdisk you ruin the signing, which means the firmware won't boot it. So until somebody hacks either the firmware, the private keys that the kernel is signed with, or manages to find a collision with the SHA-1 hashes, hacking the executable is out of the question. This also means all other fun forms of TiVo hacking are right out, such as TiVoWeb, yac/elseed (caller ID programs), e-mail notification systems and whatnot. (This is why I traded a friend a brand-new Series2 for a Series1 which he wasn't going to hack.)

      Now, what you can do is modify the backdoor code hash itself, which is stored on the MFS file system. However, there's one big problem with that: You have to crack the case and pull out the hard drive, which has one of those lovely "Warranty Void if Removed/Damaged" stickers. True, many people are going to crack them open anyway to add a second drive, but there's also lots of people who won't. The backdoor codes can be entered without voiding the warranty; it's just a character code you enter on a certain screen. Voiding your warranty just to get into a few extra features via the backdoors code isn't something many people are willing to do.

      And as for Freevo: Yeah, it might get somewhere sometime, but then again, it might not. Until it's as reliable, stable, and easy-to-use as my TiVo, I'm not planning on using it. I realize other people might have different tastes and prefer something majorly hackable, but I'm not one of them. :)
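The chain of boot-time checks described in the comment above, as an added sketch that is not TiVo's code and not part of the original post: a signed kernel image carries an initrd manifest of SHA-1 hashes for the ext2 files, while MFS data sits outside the manifest. The file names, the image layout and the HMAC used as a stand-in for the public-key signature are assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed key. HMAC stands in for the vendor's public-key signature,
# which real firmware would verify using only the public half.
VENDOR_KEY = b"constructed-demo-signing-key"
INITRD_MARK = b"\n--INITRD--\n"   # assumed image layout, for illustration only


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def build_image(kernel_code, ext2_files):
    """Vendor side: embed a hash manifest in the kernel image, then sign it."""
    manifest = "\n".join(
        f"{sha1_hex(data)} {path}" for path, data in sorted(ext2_files.items())
    ).encode()
    image = kernel_code + INITRD_MARK + manifest
    signature = hmac.new(VENDOR_KEY, image, hashlib.sha1).digest()
    return image, signature


def read_manifest(image):
    """Kernel side: recover {path: sha1} from the embedded initrd."""
    _, _, blob = image.partition(INITRD_MARK)
    manifest = {}
    for line in blob.decode().splitlines():
        digest, path = line.split(" ", 1)
        manifest[path] = digest
    return manifest


def boot(image, signature, ext2_files, mfs_records):
    """Return 'booted' or the reason the chain of checks refused to start."""
    expected = hmac.new(VENDOR_KEY, image, hashlib.sha1).digest()
    if not hmac.compare_digest(expected, signature):
        return "refused: kernel signature mismatch"
    for path, digest in read_manifest(image).items():
        if path not in ext2_files or sha1_hex(ext2_files[path]) != digest:
            return f"refused: hash mismatch for {path}"
    # mfs_records are never consulted: nothing in the chain covers them.
    return "booted"


def scenarios():
    """Run the four cases the comment walks through on constructed data."""
    ext2 = {"/bin/app": b"stock application", "/etc/rc": b"stock init script"}
    mfs = {"backdoor_hash": "stock-value"}           # hypothetical record name
    image, sig = build_image(b"KERNEL-CODE", ext2)
    results = {"stock": boot(image, sig, ext2, mfs)}

    patched = dict(ext2)
    patched["/bin/app"] = b"patched application"
    results["patched file"] = boot(image, sig, patched, mfs)

    # Rewrite the manifest entry to match the patched file, without the key.
    forged = image.replace(sha1_hex(ext2["/bin/app"]).encode(),
                           sha1_hex(patched["/bin/app"]).encode())
    results["patched file and manifest"] = boot(forged, sig, patched, mfs)

    changed_mfs = dict(mfs, backdoor_hash="other-value")
    results["changed MFS record"] = boot(image, sig, ext2, changed_mfs)
    return results


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:28s} {outcome}")
```

The last case boots because integrity coverage ends at the manifest: data that the verified code later trusts, but that is not itself hashed, stays writable by anyone with access to the disk.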
  • No Offense (Score:5, Insightful)

    by jchawk ( 127686 ) on Saturday November 02, 2002 @06:27AM (#4583236) Homepage Journal
    Why are people still buying these devices if they don't offer the features they want or expect out of the box?

    - This is a serious question, mod as such.
    • Re:No Offense (Score:5, Interesting)

      by Anonymous Coward on Saturday November 02, 2002 @06:34AM (#4583248)
      cause there simply is no alternative. 90% of all consumers are totally in the dark about anything that involves technology. So businesses run flashy ads and salespeople move the product. It simply is not economically sound for these companies to appease this small percentage of technologically literate consumers. So in the end it is the people who really will use the device to its fullest extent that get the shaft.
      • Re:No Offense (Score:3, Interesting)

        by jafac ( 1449 )
        And therein lies the rub.

        90% of what people bitch about here on slashdot is the direct result of 90% of all consumers being totally in the dark about anything that involves technology. (Man, that would make a great .sig if it weren't for the wimpy length limit).

        There are a few potential solutions to this problem:

        1. Education - all children should be taught critical thinking, the scientific method, electronics and computers right next to reading, writing, and 'rithmetic. (yeah, like that's ever going to happen in this world - most people in the world are functionally illiterate, because their governments don't fund public education, etc. - in the US, we're lucky if some districts cram creationism down our throats - and between security checks for guns and bombs, drug dealers, gangs, football, etc - Education, will never ever happen).

        2. Technocracy - Establish a ruling class of technologically savvy people (who rightfully deserve it!) to lead the unwashed masses into a glorious enlightened future. (this will occur moments after the current monied establishment all keels over from a deadly virus spread by contact with $100 bills - ya, right).

        3. This is reality, society has reached a stable equilibrium with the ultra-rich running things, and making sure the ultra-stupid stay that way so that they can be kept as cheap, willing slaves and captive consumers of crippled goods.

        Sorry to be such a downer, man.
      • 90% of all consumers are totally in the dark about anything that involves technology
        I disagree. Awareness of new technology increases in proportion to its usefulness and in inverse proportion to its expense.

        People aren't in the dark about technology, they're in the dark about unuseful or economically impractical technology.
    • I have heard, it is due to the Tivo having features no other PVR does (nor PVR software). I'm not a tivo owner, nor do I ever intend to be (due to extra charges, and the lack of control over it). But that should answer your question.
    • Re:No Offense (Score:5, Insightful)

      by wsloand ( 176072 ) on Saturday November 02, 2002 @09:40AM (#4583529)
      Why are people still buying these devices if they don't offer the features they want or expect out of the box?

      For the same reason that people buy cars then modify them. For the same reason that people update the software on their computers. For the same reason that people get accessories for or modify anything that they own.
    • Re:No Offense (Score:2, Insightful)

      by seligman ( 58880 )
      Why are people still buying these devices if they don't offer the features they want or expect out of the box?

      Hi. I'm Scott Seligman, the "Windows" link.

      I can only speak for my motivation in doing this. For me the back door code is more of a toy than anything else. Some of the settings can be fun to experiment with. For the most part though, I'd still be a happy TiVo user without the back door code.

      Heck, I personally own a DirecTiVo, so I'll never even get the version of the software being dealt with, though hopefully the same sort of system can be applied to whatever version I do end up. Mostly, it's a "the mountain was there" sort of challenge. I just wanted to see if I could do it. When I started work on the original version of the Windows port, I expected that the code would be found long before I had a working version.

    • Why are people still buying these devices if they don't offer the features they want or expect out of the box?

      Weird, I didn't see "HACK YOUR TIVO WITH AWESOME BACKDOOR CODES" printed on my TiVo box anywhere.

      These are perks, above and beyond what was advertised or claimed, and fun hacks that people have done. My TiVo would still kick ass without any backdoor crap. In fact, since the 3.0 software update, I haven't bothered to enter the backdoor.
  • by heretic108 ( 454817 ) on Saturday November 02, 2002 @06:31AM (#4583242)
    ...for putting this article up. The /. effect should help to bring a whole swarm of systems online for the cracking effort.

    EVERYBODY - PLEASE JOIN THE TEAM.

    I feel the whole concept of distributed code-cracking should be generalised to all cases where a manufacturer imposes an unjustifiable restriction on usage.

    • Is that distributed code cracking or DDOS on the host server? :-)

      11/2/2002 23:05:39: -- TiVoCrack 1.6 started --
      11/2/2002 23:05:39: Getting the next work load
      11/2/2002 23:05:41: Error decoding the work unit!
      11/2/2002 23:05:41: Call failed, trying again
      11/2/2002 23:05:41: Sleeping for a minute
      11/2/2002 23:06:41: Try number 2
      11/2/2002 23:06:41: Getting the next work load
      11/2/2002 23:06:42: Error decoding the work unit!
      11/2/2002 23:06:42: Sleeping for a minute
      11/2/2002 23:07:42: Try number 3
      11/2/2002 23:07:42: Getting the next work load
      11/2/2002 23:07:43: Error decoding the work unit!
      11/2/2002 23:07:43: Sleeping for a minute
      11/2/2002 23:08:43: Try number 4
      11/2/2002 23:08:43: Getting the next work load
      11/2/2002 23:08:44: Error decoding the work unit!
      11/2/2002 23:08:44: Sleeping for a minute
      11/2/2002 23:09:44: Try number 5
      11/2/2002 23:09:44: Getting the next work load
      11/2/2002 23:09:45: Error decoding the work unit!
      11/2/2002 23:09:46: Sleeping for a minute
  • by Lightn ( 6014 ) on Saturday November 02, 2002 @06:39AM (#4583257) Homepage
    This is NOT about cracking the encryption that locks down the box. This is simply about finding the backdoor password that enables extra features. The method of hiding the password was not designed to be secure in the first place. It was just to make finding it more of a challenge. The password used to be in plaintext, then it was a hash of a short string, now it appears to be a hash of a long string.

    Geez people, RTFA before you post.
    • by perfects ( 598301 ) on Saturday November 02, 2002 @08:12AM (#4583379)
      > The method of hiding the password was not
      > designed to be secure in the first place.
      > It was just to make finding it more of
      > a challenge

      Isn't that like saying "the lock he put on his door was not really intended to keep people out, it was just designed to make it more challenging to break into his house"?

      I am having trouble understanding why anybody would think that TiVo would place extra features in a hidden, password-protected menu in order to "challenge" people to find it. To the average TiVo user, the phrase "a hash of a long string" is meaningless, and guessing a password like that is virtually impossible. And it's hard for me to believe that they are trying to "challenge" hackers to crack their code. If they did something that silly, why would they expect anybody to stop short of cracking the encryption too?
      • No it's not the same. In this case you own the lock. It's like if someone came along and changed the lock on your front door without asking you first. Nobody would have a problem with you breaking into your own house.
      • by Otto ( 17870 ) on Saturday November 02, 2002 @08:39AM (#4583424) Homepage Journal
        I am having trouble understanding why anybody would think that TiVo would place extra features in a hidden, password-protected menu in order to "challenge" people to find it.

        When you actually get a Tivo, let us know.

        Firstly, there are hidden features. 30 second skip, sorting of the todo list, displaying scheduled suggestions, etc. Read this [tivocommunity.com] if you don't believe it.

        Secondly, the backdoor code methodology was changed in the previous version simply because it was found so easily. Then the hashed code was cracked in a mere 2 days. They, of course, extended the code to make it harder, but then, that's exactly what you're arguing against. If they wanted it disabled entirely, then it simply would not be there.

        It's a fun game. Really. They don't mind the code being available, they're just toying with us and the unsupported features of the device. Tivo likes that it has an Underground to begin with, it makes the device more popular among the techno-weenie crowd.

        What, engineers can't have a good time too?
        • > Firstly, there are hidden features.
          > Read this (...) if you don't believe it.

          I think you misread my post. I wasn't questioning whether or not the hidden features exist. That would be silly. I was questioning TiVo's supposed motivation for hiding them. What I said was (emphasis added):

          "I am having trouble understanding why anybody would think that TiVo would place extra features in a hidden, password-protected menu in order to "challenge" people to find it."

          > They don't mind the code being available, they're
          > just toying with us and the unsupported features
          > of the device. Tivo likes that it has an Underground
          > to begin with, it makes the device more popular
          > among the techno-weenie crowd.

          If that's true, and not just wishful speculation that people use to justify their actions, then it makes sense. I guess it's possible that TiVo actively (or passively) encourages people to hack their products, but it does seem unlikely to me. But if you say that TiVo encourages an "underground" culture of hacking, I'll have to take your word for it.

          You're right, I do not own a TiVo. But I do own a lot of different products that contain security measures, and I do not assume that they were placed there to entice me into cracking them. Just the fact that it is going to require distributed processing to break the new scheme tells me that TiVo is serious about keeping the menu hidden.

          BTW, to other posters who responded that the TiVo box is theirs to hack, I do not disagree. But that has nothing to do with what I said, or with the post to which I was responding, which said "The method of hiding the password was not designed to be secure".
          • I am having trouble understanding why anybody would think that TiVo would place extra features in a hidden, password-protected menu in order to "challenge" people to find it.

            The TiVo engineering team has no problem with people hacking the backdoor code. The only reason they made the password longer (and even put it there in the first place) was to avoid the ludicrous lawsuits that companies like ReplayTV had to endure because they included a "30-second skip forward" button. They need to be able to go to court the first day and say "look, we have the feature for testing purposes but it's password protected."
      • Well.. (Score:4, Insightful)

        by mindstrm ( 20013 ) on Saturday November 02, 2002 @09:19AM (#4583493)
        having worked building consumer electronics before....

        It's not uncommon at all to have a set of features password protected. You built them in, use them for testing and whatnot, and leave the code in there and have some way to enable it should you need it. This is not uncommon at all in almost any kind of device where you are not in a major squeeze for space, and there is some sort of interactivity.

        Why does the manufacturer lock down those features? Because they aren't directly features of what he wants his product to be. I'm guessing here, I don't know what the features on the Tivo are, but let's say one of the features is a duplication mechanism to allow a tivo to share with another tivo. They built it.. but they are not prepared to sell a product that does that. Let's say it's commercial skipping that they took out.. they don't want to sell a product that does that.. but they build the feature in anyway and left it there.

        So as I started saying... manufacturers leave it there not as a high security measure, like the DVD css system... they just want those features turned off for the general public, and generally won't help you in revealing what it is. If you want to do it on your own time, it's your box.
        (the example I'm thinking of dealt with radio devices.. and a password that would unlock advanced features of that device that would let people easily violate fcc regulations. We weren't going to tell everyone the password.. that could place the responsibility on us and harm our certification... but if someone cracked it, we aren't going to sue them... they didn't do any wrong to us.. we'll just change the password on the next spin (or else we would be irresponsible))

      • Isn't that like saying "the lock he put on his door was not really intended to keep people out, it was just designed to make it more challenging to break into his house"?

        No, because the person breaking into the house is usually not the person who owns the house. How about, "The non-standard screws on the back of the microwave weren't really designed to keep people out, but to keep people who didn't know what they were doing out."
  • by Jeffv323 ( 317436 ) on Saturday November 02, 2002 @06:41AM (#4583259)
    Yikes!
    Is there any way to contact /. and ask them NOT to run that post? I suspect that as soon as the post hits the front page, both tivocommunity.com and all of the pages associated with TivoCrack will be brought down by the load.


    Too late! Now go watch your servers burst into flames...
  • FreeBSD port? (Score:3, Interesting)

    by BitHive ( 578094 ) on Saturday November 02, 2002 @07:01AM (#4583289) Homepage
    I'm sure someone out there can whip up a FreeBSD port without too much trouble...or at least some precompiled Linux binaries that I could run on my FreeBSD boxes...
    • by benh57 ( 525452 ) <bhines@alumn[ ]csd.edu ['i.u' in gap]> on Saturday November 02, 2002 @07:36AM (#4583338) Homepage
      Compiles fine on Mac OS X. Just add:
      typedef int socklen_t;
      to the top of SSocket.h
      and change:
      -lcrypt
      to
      -lcrypto
      in the Makefile.

      -Ben
      • Not completely true. On Jaguar, I get:

        ld: tivocrack.o illegal reference to symbol: _RIPEMD160 defined in indirectly referenced dynamic library /usr/lib/libcrypto.0.9.dylib

        After the changes suggested here.
      • Note that if you download the Mac OS X version that's on page 12 [tivocommunity.com], and uncompress it with Stuffit Expander, when it finishes uncompressing, you won't see it anywhere. That's because the root folder in the archive is ".", which gets changed to "..1", which is helpfully recognized as an invisible file under Unix, and you don't see it under the Finder. Or even with a normal 'ls' command.

        This took me 15 minutes of head scratching before I figured it out.

        And just for the record, the command to run it (as shown on page 12) is:

        ./dclient http://eolson.dyndns.org/dtc/getwork.php username

        • Looks like the pre-compiled dclient in that .zip file works fine. Since I have one of those new dual 1GHz "speed holes" models, I'm running two copies of it, keeping my CPU utilization nicely pegged at 100% for both processors. And it's all otherwise wasted cycles, so I don't (yet) notice any loss of performance.
  • DMCA? (Score:2, Interesting)

    by Russellkhan ( 570824 )
    Is this a violation of the DMCA? Are the project and its participants likely to be prosecuted as such?

    Please note, I did follow the link and read the linked discussion, but saw no sign of this information.

    Russ
  • What are these maaaaagical "features" anyway? From the forum, all they seem to be covering is the decrypting aspect, but what else does it do beyond removing the rating system?
    • Sorting the todo list (list of things that will be recorded)
      Changing skip to tick (15 min increments) to 30 sec fast forward
      Entering preferences (which shows you like)

      Mostly little features that people find useful. Some of the changes you can make (I can't name them) would allow you to break the unit. Personally don't mess with them, I like the stock tivo.

      Vanguard
      • Seems kind of overcomplicated, which is why I stick with VHS (mainly to transfer archived videos to my computer), and use the computer with PowerVCR to record it (surprisingly good PVR software). Dunno what good a Tivo would be for me, since I can easily build my own for about $400 or so, without having to phone home every time I watch TV. TV Guide's website (or schedule on digital cable) helps with figuring out when something's coming on too.
  • Technical info (Score:5, Informative)

    by Otto ( 17870 ) on Saturday November 02, 2002 @08:02AM (#4583369) Homepage Journal
    First off, if you really want backdoors enabled, that thread on tivocommunity.com details how to do it by changing the hash yourself. You can change the hash it's checking on the disk and voila, no problem.

    So this search is basically pointless, but again, it's only for the hell of it.

    How it works:
    1. Tivo changed the backdoor code in 3.0 to be an SHA1 hash. So when you input the backdoor code, it hashes it, compares the hashes, and enables backdoors if it matches.

    2. The hash for 3.0 was reasonably simple to crack. It was short (6 characters) and so was found quickly. 3.2 is longer (everything up to and including 8 characters has been searched already). That's really all there is to it and why it's now a distributed client.

    3. The slashdotting I now expect will probably take the server down. I really wish this hadn't been posted. In any case, too late now.

    For more info about Tivo backdoors, see here [tivocommunity.com].

    For more info about the 3.0 hash crack (the easy one), see here [tivocommunity.com].
    • Re:Technical info (Score:3, Interesting)

      by autocracy ( 192714 )
      OK, this is almost certainly a really dumb question - but why can't we just put our own hash into the system?
      • OK, this is almost certainly a really dumb question - but why can't we just put our own hash into the system?

        well based on what the parent to your post said:

        First off, if you really want backdoors enabled, that thread on tivocommunity.com details how to do it by changing the hash yourself. You can change the hash it's checking on the disk and voila, no problem.

        i would assume it is possible.
      • OK, this is almost certainly a really dumb question - but why can't we just put our own hash into the system?

        Because you would have to take the hard drive out and connect it to a PC, which means you have to open the case, which voids the warranty.

        But if you don't mind voiding the warranty on a brand new $600+ unit (apparently only the 80 hour units right now have 3.2), and have the technical savvy to do editing of data on a strange filesystem, it's easy to install the old 3.0 hash.

  • by abhikhurana ( 325468 ) on Saturday November 02, 2002 @08:02AM (#4583370)
    Now I know why IBM wants CPU time to be a metered utility... all the TIVO consumers have to do is buy some CPU time on IBM supercomputers, and voila :-)
    I can now see why IBM's business will succeed.

  • by mindstrm ( 20013 ) on Saturday November 02, 2002 @09:28AM (#4583508)
    let me ask you this.

    You are all talking about how cracking this seems "wrong" and whatnot...

    Has Tivo complained? No?

    Shut up.

  • by Antity ( 214405 ) on Saturday November 02, 2002 @10:29AM (#4583618) Homepage

    From a post (from "Otto", discussion forum, 10-31-2002 08:14 PM [tivocommunity.com]):

    As has been stated already, this search is essentially for fun. If you want to get the backdoors on your S2 unit, it's already been stated how to do it. Load up the drive in a computer and change that code to the other one. Voila. This power search is just out of boredom's sake, and to see if we can do it. I'll be cool to find it, but it's not actually going to give us access to anything new, okay?

    So, people: Relax. And: If you want to join Just For Fun[tm] (like I do), do it.


  • "!seineew era sreenigne VTetamitlU"

  • Pointless but fun (Score:5, Interesting)

    by p3d0 ( 42270 ) on Saturday November 02, 2002 @11:13AM (#4583744)
    They say repeatedly this is just for fun. They have already found that, if you are willing to put the TiVo disk in your PC, you can patch the binary to use the old backdoor password. If you want to enable backdoors, that's how you do it.

    They have already tried most of the 9-character space to no avail, and every additional character makes the search take 37 times longer. And, as was said numerous times, when they find it, TiVo will just change it again and tack on a couple more characters.

    Plus, there is no verification of results, so surely someone will cheat a la SETI@Home just to inflate his score by returning a bunch of bogus results, and the results will be invalid. Worse yet, a truly malicious person could return bad results for a whole lot of valid usernames, and it may be impossible to separate the good results from the bad. (I don't know if the server tracks IP addresses, but those can be spoofed too.)

    So, this is kind of futile, but it looks like they're having fun. :-)
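
One way a work server could detect the bogus results described in the comment above, shown as an added example that is not part of the original thread or the project's code: the server plants hashes with known preimages ("ringers") in each work unit and rejects any report that fails to return them. The function names, work-unit layout and ringer count are assumptions; only the 37-character set comes from the discussion.

```python
import hashlib
import secrets

# 37-symbol alphabet quoted in the thread (letters, space, digits).
CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789"

def candidate(index, length):
    """Map an integer in [0, 37**length) to a fixed-length candidate string."""
    chars = []
    for _ in range(length):
        index, r = divmod(index, len(CHARSET))
        chars.append(CHARSET[r])
    return "".join(reversed(chars))

def sha1_hex(text):
    return hashlib.sha1(text.encode("ascii")).hexdigest()

def make_work_unit(start, end, length, target, ringers=3):
    """Server side: hide `ringers` known preimages among the hashes to look for."""
    planted = {}
    while len(planted) < ringers:
        idx = start + secrets.randbelow(end - start)
        planted[sha1_hex(candidate(idx, length))] = candidate(idx, length)
    # Sorting mixes ringers with the real target so the client cannot tell them apart.
    unit = {"start": start, "end": end, "length": length,
            "hashes": sorted(set(planted) | {target})}
    return unit, planted  # `planted` stays on the server

def honest_client(unit):
    """Searches the whole range and reports every preimage it finds."""
    wanted = set(unit["hashes"])
    found = {}
    for i in range(unit["start"], unit["end"]):
        c = candidate(i, unit["length"])
        h = sha1_hex(c)
        if h in wanted:
            found[h] = c
    return found

def lazy_client(unit):
    """Claims the range is empty without doing the work."""
    return {}

def verify(report, planted):
    """Accept a result only if every planted ringer came back with its preimage."""
    return all(report.get(h) == c for h, c in planted.items())
```

A client that skips a fraction f of its range passes this check with probability of roughly (1 - f)^k for k ringers, so even a few ringers per unit make systematic cheating visible over many units.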

  • The effort is for fun, really. We've (subuni, anyway) already found ways to take the drive out of your tivo, throw it in your PC, and change the code to a known hash. This is more to say "Hey, cool, we did it."

    So take a pill folks. Simmah down!
  • 0linux1blows2chunks3x9
  • SHA is a stream hash. That means you can do 4 bytes worth, save the state and then cycle through the next 5 bytes much faster. When doing the same thing with md5, you can precalculate all but the last two bytes and then cycle those real fast.

    MD5 uses a table of sine values that it uses. If someone were to make slight changes in those tables, then this kind of crack wouldn't work unless the hash was verified. I suspect the same is true for SHA but I haven't looked at that yet.
  • I'm not knowledgeable in these areas so perhaps this is off-base, but wouldn't it be possible to disassemble the code that accepts the password and patch it to just accept whatever you enter? That seems like a more fruitful line of attack than attempting to brute-force a password of unknown character set, unknown length, and unknown encoding.
    • Hi John,

      Having been running the cracker client all day, it appears two things are limited:

      The character set involved is just: ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789

      I presume that's limited by what you can enter via the Tivo remote (I don't actually have a Tivo).

      The experts seem to be pretty sure they are dealing with a SHA1 hash. I'll shut up now as I'm not a crypto expert. The one thing I will say is the character set is *very* limited and favours a brute force attack.

      It could be doomed if Tivo used a long string like 20 characters because every extra character requires 37 times as much effort to permute all combinations as was previously required.

      It's taking an estimated 3 days to cover the len=9 passwords. So 100-odd days will be needed for the len=10 case.[1][2]

      But there will be a limit to the length of the string - the Tivo engineers have to type the bl**dy thing in so I find it hard to believe it's as long as it is.

      You might also think that patching the code is viable - I believe you can do that. However I did see some mutterings on a webgroup that Series 2 Tivos are key-signing parts of the system to prevent tampering (so the next job for someone will be hacking the firmware :-)

      Best, Timbo

      Note: [1] - Assuming no short cuts are used in the scan. Seems pretty linear looking at the logs on my machine.

      Note: [2] - Of course, the computing pool is growing steadily.

  • by xerofud ( 555327 ) on Saturday November 02, 2002 @03:44PM (#4584832)
    This is why I sent back the Tivo I ordered (it was Series 2 which to my knowledge has never been successfully hacked ... yet). I don't want to be constantly locked out of my machine when some corporation decides to tighten the screws again by a forced software upgrade. In some sense, TiVo is worse than Microsoft, even though they nominally "support" open source by using Linux. With Windows, I choose when to install the Service Pack update ... at least thus far :)

    Instead I bought a Pentium IV 2.4, Asus P4PE, 512 333 MB DDR, Leadtek A250 GF4 Ti4200 (which has a Conexant HDTV-capable video out ... don't buy a card with the lower quality VIVO Philips chip) and an ATI TV-Wonder capture card. Grabbed two old 10Gig drives from another machine and I had something that cost me nothing more than the Series 2 TiVo.

    What software will I run? Well, right now I'm leaning heavily toward MythTV. With this I will eventually be able to surf the web, check email, play games, as well as schedule programs and skip through commercials in TV broadcasts. A few bucks and an afternoon of tinkering will also hopefully allow me to control the channel switching on the digital cable box from the computer's infra-red port.

    There is also Freevo, which I may consider looking at if I don't like MythTV, although the activity on the mailing lists indicates that this system is already quite functional for many users.

    Hope this is useful to anyone out there still sitting on the fence. I reached my decision after several hours of research on the web. I hope I don't regret it!
