Ritz Disposable Digital Camera Hacked

morgue-ann writes "The $10.99 Dakota reusable digital camera announced in July was usefully hacked on November 6. First attempts to extract picture data took 10 hours to read out 16MB, but new code for Linux and Mac and Windows lets you get pictures quickly over USB and view or print them without Ritz's help (and with fewer of your $$)."

What...

...no secret Ritz crackers on the inside?

I want my money back.

Can't ,,,re,,sist

That would make the hackers, Ritz Crackers.

Beware the DMCA.....

Ritz will probably use the DMCA to stop it. There's a good story [washingtonpost.com] in today's Washington Post regarding the DMCA and how businesses are being ensnared even under "fair use". In Lexmark's case (detailed in the Wash Post story), Lexmark claimed that their copyright was violated.

As silly as the law is let's hope that it's repealed/reformed and soon.

Funny

That would truely be funny, using the DMCA to stop you from transfering pictures that you have taken and hence own the copyright to.

Re:Funny

The DMCA prevents you from viewing the images on your DVD (you own the thing) that you just bought if you don't own a "preapproved" DVD player. A mere DVD-ROM + Linux can't do it legally.

Actually, it doesn't prevent you, but if you find a way to do it, it prevents you from publishing/sharing it.

So no, it is not funny.

Re:Funny

You might own the DVD, but you don't own the copyright: two very different things. As the parent noted, you own the copyright on your photos, so it would be interesting to see what Ritz can do.

Re:Funny

Let me be the first to call BULL**T on that.

MacroVision is not added to consumer-created tapes, just like CSS isn't used by consumer-created DVD Video. There is no copy protection that would prevent you from duping your own copyrighted material from VHS to VHS, or DVD-R to DVD-R.

The original message was dead-on - it'll be interesting to see Ritz use DMCA to prevent users access to their own copyrighted photos.

Re:Funny

DVD players have Macrovision signal generators, but they only add the signal if a flag is set on the DVD.

DVD producers are only allowed to set that flag on the DVDs they produce if they have paid a fee to Macrovision.

Any DVD you produce at home, will not have the flag set and will not have Macrovision added to the output signal when played on a DVD player.

With VCRs, the Macrovision signal is on the tape itself, it is not generated by the VCR.

Re:Funny

No, the copyrighted work being "violated" here is the camera firmware.

Lawyers will argue that, in order to use the copyrighted firmware in the camera, you must be licensed to do so. (This is false, but that hasn't stopped them so far.) Thus, by cracking open the camera and pulling the data out, you have made use of the camera firmware in an unlicensed manner. This constitutes copyright infringement.

Also, since the protection racket... er, mechanism in place to keep you from yanking the photos out is probably also the same mechanism that protects the firmware itself. Thus, by circumventing the method that "protects" your photos, you have also circumvented the method that protects the firmware. This is illegal under the DMCA.

Note that it is in no way whatsoever immoral, unethical, harmful, or wrong. It's merely illegal.

Schwab

Re:Funny

"pictures that you have taken and hence own the copyright to."

This is key.

Being able to capture, retain, and download pictures is my own DRM system. An encryption scheme that forces me to take my pictures to Ritz is a circumvention of my DRM.

Therefore Ritz is in violation of the DMCA for forcing a circumvention of my DRM, extorting money from the rightful and noble copyright holder.

What, you say Ritz never agreed to my EULA? Sure they did, when it was the first photo I took with the camera. And let's not even think about the violations if they keep a copy of the file.

Re:Beware the DMCA.....

Was it provided on a rent and return basis, though? If it was presented as a sale and the customer exchanged money for it rather than having to agree to any leasing T&Cs then it's hardly the customer's fault the company are idiots.

Re:(DON'T) MOD PARENT UP

Well, go ahead and mod the parent up because it is a legit argument, but... if the business model falls apart because someone is "circumventing" an idiotic law that shouldn't exist to begin with, the business model is the problem, not the person who was savvy enough to figure out the work on their own.

Any company who's business relies on a shaky, ambiguous, morally (and quite probably legally) reprehensible law that a bunch of big business suits bought with some extra cash they had lying around isn't going to make it and doesn't deserve to.

Re:(DON'T) MOD PARENT UP

The more often I hear this argument, the shallower it sounds.

All business is based on some assumption of law. For example, you can't just beat up your competitors. Is it moral that the law protects the weak from the strong? I think so, but there is a case to be made for the opposite.

In this case, we're the strong, and it's the artists, writers, programmers who are the weak. The DMCA is an effort to protect them. Is it therefore a shaky, ambiguous, and morally reprehensible law? Or just inconvenient to us?

Re:(DON'T) MOD PARENT UP

Maybe I shouldn't reply to this, but it sounds like a sincere statement, so...

Here's some food for thought (and I admit that this may be a philosophically weak argument, but I've yet to find anybody to help debate this and make it better), and in particular, this is a basis for some sort of morality (yes, an attempt at a universal right and wrong, good and evil, etc).

When a person is born into this world, that person has a fixed amount of time until death. That person is then able to trade their time (eventually) for stuff which is either desired or needed, such as food, shelter, entertainment, etc. In our society, we tend to use money to represent the value of said time (quite literally, time is money). Yes, there is much more to this, and I need to write it all down someday, but this summary will do for this discussion.

Now, where does this idea tie in with the discussion? Well, anything which takes time from me without giving me back something that I value equally could be considered to be wrong or evil. For instance, if somebody steals $20 from me, then I have lost the time it took me to earn that $20, and it cannot be recovered. Hence, stealing is wrong in this system.

Now, put it in terms of the DMCA and the limitations which are placed on those subject to its rule. I buy a DVD with the expectation that I will be able to enjoy the contents on that DVD. I have equipment which is sufficient to allow me to do so (to wit: A computer equipped with a DVD-ROM drive), and so this would seem to be a reasonable expectation. I bring it home, pop it in, and find out that, for no better reason than I choose to use Linux (instead of Windows), I am unable to play the contents of this media.

Now, nobody will give me a refund on this opened DVD. The best I can do is exchange it for ... the same DVD. Which I can't use. However, fortunately for me, other people have found themselves in the same boat. And they have the smarts to be able to figure out how to make this work. Unfortunately, the DMCA makes it illegal for them to tell me this information.

Under the DMCA, it is very possible for me to find myself out the money for a DVD which I might actually enjoy. Somebody has stolen some time from me, and I have no recourse. Now, before you tell me to use Windows, keep in mind that I must buy Windows, somehow, some way. Which means that I am out even more time. Or a stand-alone DVD player, which has the same issue.

The DMCA steals from me the ability to help others make use of the items which they have rightfully purchased with their time.

Now, for the counter-argument: The DMCA is meant to stop mass copyright infringement as has been enabled by the internet. I'll simply point out that mass infringers are already convictable under other laws. The DMCA gives no other benefits to help prevent actual infringment. None. It only allows producers of content to steal from me (and yes, they are stealing my time, by virtue of requiring potentially pricy extras that I may not already have to enjoy what they produce).

Gah, it's getting late here, and my brain is shutting down as I type this (I think the first part is more coherent than the second part). Thoughts from you?

Re:Cheap Digital Camera

"So basically now for 10 bucks I can get a 2 megapixel camera... well looks like i just wasted 200 bucks on getting a 4 megapixel camera."

• Return it and duct tape two of these things together.

I don't understand...

I don't understand why this seems to happen every time.

Why can't they use something like RSA to encrypt the photos so that only the Ritz people can read them?

Do these people shy away from proven algorithms because they don't have the processor power, because they don't want to pay licensing fees, etc? Do they use proven algorithms and implement them badly? Or do they just figure that they can make up something on their own, and that it will stand up to attack?

Re:I don't understand...

Maybe there is no encryption because that takes CPU power. The 8051 cpu inside probably has very little horsepower behind it. Most people aren't going to wait more than a few seconds between photos.

Public key crypto explained

Validation in public key crypto is a little different than what you are thinking.

There is ever only one key involved on each end, and they both have to be part of the same pair. In encryption you encrypt with the recipient's public key and they decrypt with their private key(*)

In validation (or digital signature) you take a hash of the message (usually SHA1) and encrypt that with your private key. Thus the only key capable of decrypting it is your public key (which everyone has). Remember with key-pairs what you do with one you can only undo with the other.
Anyway, the recipient creates their own hash of the message, decrypts your "signature" (which is an encrypted hash) and if the two match up, then they know it was signed by you and that it was not tampered with.

(*) Actually, public key crypto is painfully slow. What REALLY happens is a random symmetric key is chosen to encrypt the message, then the public key is used to encrypt the symmetric key. Decryption is the reverse, you decrypt the symmetric key with your private key, then use it to decrypt the message. This actually ends up being a lot faster than doing the whole thing with public key crypto. I left this out above to make it a little simpler.

Finkployd

Damn, damn, damn, damn!

Damn, damn, damn, damn! Damn, damn, damn, damn! Damn, DAMN, damn, damn!

I was just at Walgreens last night to try to find one of these suckers (who offer a different packaging, but same concept and circuitry). They didn't have them. I was going to go to a couple area Ritz to see if they had them. But noooooo. Slashdot broke the story and now Ritz will yank them off the shelves or others will grab them first.

Damn, damn, damn, damn! Damn, damn, damn, damn! Damn, damn, damn, damn!

why? why? why?

it's a fairly crappy camera; for 11 dollars.

you can get a logitech pocket digital for like 37 dollars; basically same specs, but looks a whole lot nicer and does exactly the same thing - except maybe actually storing more pictures on the internal memory.
With parts and time invested, I think it is more than worth the 26 dollars difference.

Yes i know there is the geek "i hacked my cheap-ass camera" factor, but come on... if you want to be a geek, there are more worthwhile projects on which to spend your time!

Business Model?

Does their business model (the manufacturer, not the hacker) depend on remanufacturing these things? I don't know about DMACA (digital millenium anti-competition act) violations, but I'd think a simple deposit on sale system what fix any issues with consumers keeping the cameras. It works for car batteries, it can work for these cameras.

How... predictable

Ritz did the same mistake that most companies do, they opt for the obscurity is security model. A smarter model is to instead follow the open source model that uses equipment that is prohibitive for the average user to purchase.

Example, rather than use, say, USB cabling, use some proprietory GPIO system that only Ritz controls. Heck, patent the heck out of it. Only needs a $5 CPLD to impliment a controller, but most casual hackers don't care to get into hardware-hacking on this scale. Sure, someone will break it, but then those capable will be a limited subset of the market, and damage is minimized.

Shoot, I should apply to be a corporate consultant!

Re:How... predictable

Example, rather than use, say, USB cabling, use some proprietory GPIO system that only Ritz controls

Too much effort and cost. This problem can be handled in software; much cheaper.

How? I haven't seen these cameras, so I don't know for sure, but for $11 I really doubt they have an LCD display, which means that the camera has no need to be able to read the images it has taken.

Since that's the case, Ritz could just add a little bit of code to their camera and encrypt each image as it's written to flash. Simplest case, just give each camera a DES key, stored in ROM or NVRAM, and have it encrypt each while writing. DES is fast enough that it can be implemented in software on itty bitty microprocessors with no problem. AES is even faster, but DES is simpler (and there are a zillion PD implementations in whatever language you like). Users can feel free to find ways to download the images, but they'll get nothing useful.

Of course, if you could hack your camera to dig out the encryption key, you could get your pictures out without paying for "developing", but that's way too much effort.

If that's not secure enough, Ritz should just have the camera generate a random 3DES key for each image, encrypt with it, encrypt the 3DES key with a Ritz RSA public key and store the key with the photo. To break that one, someone would have to either break RSA or find a way to monitor the internals of the camera and extract the 3DES key while it's still in cleartext. Doable, but you'd pretty much have to have your camera hooked up to a bunch of equipment while taking the photos. So you could get "free" pictures of your basement... Might actually be easier just to hook inside and read the image out before it gets encrypted.

All of the code for either solution (on-camera code, manufacturing code for injecting keys, download and decrypt code for the printing) can easily be written, tested and debugged in two weeks by a competent programmer familiar with such things.

Shoot, I should apply to be a corporate consultant!

Me too!

Who didn't see this coming?

Serriously. Could you please raise your hand?

. . .

. . .

Anyone?

. . .

. . .

Wait, do I see one in the back? Yes? Care to explain yourself?

. . .

. . .

Ahh. Well, we have one guy in the back who was in a coma. Anyone else not see this coming?

. . .

. . .

As I thought.

-Trillian

Gotta put one in my time capsule

of failed business plans, right next to my collection of mint condition CueCats.

Woo hoo!

Now you won't have to get all embarrassed taking your home-made digital pr0n pictures back to the store for processing!

Dumb Joke

That's not a Ritz hacker, that's a Ritz Cracker!

Ritz has a history of being hacked

Starting when someone sucessfully extracted the cheese from the middle of two ritz crackers. It was the first time in history that crackers sucessfully cracked other crackers, though I hear a few tried too hard and went 'crackers'.

Some more technical info..

is available here [prohosting.com].

Compare and Contrast ... Ritz vs. Microsoft

It's interesting to see so many people respond that this is a bad thing. How is this any different than people that hack their XBOXs to run Linux? You're essentially using a device differently than its intended use, and depriving the manufacturer of an expected revenue stream. What's the difference? I'm not saying that people shouldn't have the right to do whatever they want with something they buy ... I do ... but there seems to be a big difference in how the slashdot community interprets two very similar situations.

Film disposables couldn't be reused..

Those film disposables are actually reuseable.. The film is in a normal 35mm cartridge.. The trick is the winding mechanism rolls the film into the camera when a shot is taken (most cameras do it the other way around). so reloading the camera is practically imposible and not worth it (you'd have to do it complete darkness)

I'm surprised they didn't do something similar to the digital cameras. Don't make it imposible, just not worth the effort. I gues they didn't try hard enough.

Deja vu

Hmm, anyone else remember the I-Opener [iopener.net]?

A $99 computer with a proprietary (QNX-based) OS on a flash disk, that was sold at a loss because the company figured they'd make money from their dialup service... Until someone found the IDE connector on the motherboard and installed something else.

Well, after a short war between the hackers and the company (including state of the art protection mechanisms as epoxy glue on the bios, torx screws, clipped IDE pins etc) the company finally had to raise the price of the unit, resulting in the sales plumeting, and in the end bankrupcy.

Now, I'm not saying it's a bad thing to hack devices like this, heck I've got an iopener (running jailbait [sf.net] linux) standing next to my main computer. But there is a good chance that soon nobody will use the $11 developing deal, resulting in the cameras getting pulled from the stores.

Just as there were lots of people happily using iopeners as they were intended, I'm sure there are lots of people happy with the service that Ritz is providing, and if so it's a shame if we, the hacker community, proceed to destroy yet another service for other consumers.

Re:Deja vu

And another stupid idea dies a well deserved death. You would think someday companies would learn not to sell things for less than it cost to make them. We are talking econ 101 here people.

Yeah, and it shows. Try econ 201 some time.

Slashdot crowd not the swiftest

Now, of course I'm included in this, but for this article and accompanying comments, I can see the wheels not turning too quickly.

How many people in society use disposable cameras? many hands raise How many of you know or care about taking a few hours to go to the lengths needed to get this hack done? few hands raised. To sum up for everyone crying doom for this business model:

Hacking value for fun: 8 out of 10 points.

Hacking value for ...um.... actual value: 1 out of 10 points.

In short, RTFA if you think Joe and Jane six-pack will care about this. If you still think this matters to the business plan after readinging TFA, keep refreshing untill you slashdot it again and get the I'm stupid page.

autopsy / dissection of the camera

Found this on a messageboard... Camera autopsy / dissection [terrainhost.com]

For people who don't read articles

Actually, some of these points are not in the articles, and (not surprisingly) seem to be causing some confusion based on some of the comments I have seen above.

1) The cameras are purchased, just like any ordinary (non-digital) disposable camera. There is no rental agreement, nothing to sign, no deposit, etc. Some previous comments have asked about this. Also, the camera IS cheap; the hardware itself costs probably no more than $25-50 to manufacture, and likely pay for themselves in 1 or 2 processings. The big draw is that you can use them in potentially hazardous environments, and if it gets destroyed or stolen, this only sets you back $11 + a few minutes to solder a new connector into a new camera.

2) The batteries are changeable by the user - they are ordinary AA alkalines. They will last much longer than 1 25-picture cycle (I haven't yet managed to exhaust a set), but when they do run down, just open the battery cover and pop in fresh ones.

3) The sensor is actually 1.3 megapixels, not 2MP as claimed on the package.

4) The picture quality is mediocre - but not nearly as bad as these [terrainhost.com] samples would have you believe (I don't know what happened to that guy's cam). Try the samples here [cexx.org] and here [maushammer.com] (middle of page) for other samples. The biggest problem seems to be motion blurs from not holding the camera steady enough (the "shutter speed" is pretty slow). The other problem is that the lens is adjusted to be in-focus at some specific point probably between 4-12 feet from the camera. In practice, your subject will usually not be exactly at the in-focus distance. While you've got the camera open to solder in a little USB socket (or whatever), you can rotate the lens to adjust it for other distances [cexx.org], up to within [cexx.org] an inch of the lens.

5) Concerns that this hack will be singlehandedly responsible for driving the cameras off the market, driving Ritz out of business, etc., seem largely unfounded. They will probably go off the market anyway - last time I was in Wolf Camera, the sales associates were actually warning people away from these cameras, saying that they would get slightly better image quality from the film disposables (for less $$, and 27 vs. 25 pictures - it's a no-brainer, come to think of it...)

Re:Not impressed

Yeah! And Lexmark put together a business that relies on revenues of printer cartridge sales. Congratulations to those hackers/crackers who have likely now put those individuals out of work.

Wait...why is it my job to ensure that someone's business model succeeds? I bought the thing--let me tinker with it.

Even less impressive

Check out the picture quality. [terrainhost.com] Would you spend $1 per shot on this? Pathetic.

This business-model deserves to die a painful, CueCat-style death.

Re:Not impressed

I really have never sympathized with that line of reasoning. It's not as bad as the "but these new horseless buggys will put God-fearing men out of work" anti-technology advocates, but it's in the same ballpark.

As others have noticed, Ritz put together a business that relies on security through obscurity rather than through, y'know, actual security features. Some of the ideas posted elsewhere on this topic included a cheap, pattented Ritz-controlled cable, limiting the hacking to extreme hardware hackers, or using an open or closed-source encryption method rather than a standard picture file type. Whether or not the hacking is "morally" clean (although it's almost certainly violating the DMCA, which on /. these days means to seem it automatically becomes morally clean...), everyone saw this hack coming.

Ritz didn't think far enough ahead to prevent something that that was (apparently) relatively simple.

And to stem off responses, this is not an argument about how hacking is good because it shows your "vulnurabilities." The majority of Slashdot has _seemed_ to agree that this argument is bullshit, as it would be if you said you broke down someone's door to prove its weakness. But Ritz didn't even put up a door in the first place. They seemingly made no effort to prevent such hacking and, as I've repeatedly said, seeing how it was so predictable that, as I said at the start of my post, I don't have a huge amount of sympathy for them.

-Trillian

Re:Not impressed

Hey, I know! Ritz can get the government to put a hidden levy on Palm m100/m105 hotsync cables! Because, you know, everyone who purchases hotsync cables must be intent on using them, at least some of the time, for ripping Ritz pictures.

Kinda like what they do with CDR for RIAA. It's such a good idea.

After they're done with that one, I think they'd better put in a levy on Craftsman tools, because home mechanics are cheating Midas Muffler out of revenue, and a levy on Tupperware containers, because we're all cheating Safeway out of grocery sales when we keep our leftovers.

Re:um, that's stealing

No, it isn't stealing. Neither is selling hardware cheaply and assuming that people will earn you a profit by buying your software. Both are merely flawed business models; stealing would mean that you took the camera without paying anything for it.

Moreover, if you "rent" something and don't stipulate a return-by date or charge a fee for extended possession, it most likely would fail to meet any legal condition for "rental". The idiocy of a company can rarely be mitigated by the idiocy of law.

Re:um, that's stealing

The fee you pay for the camera is intended to be a rental fee.

Do you sign a rental agreement? Is there any paperwork in evidence to suggest that the transaction is anything other than a normal retail sale?

No? Then it's not stealing. It using your lawfully purchased property in the manner you see fit.

Schwab

Re:Not impressed

Ritz put together a business that relies on revenues that it will no longer have. Congratulations to those hackers/crackers who have likely now put those individuals out of work.

And shame on those who put together the business model. Honestly the stupidest business plan in the world has to be to sell hardware for less than it costs to make it. Do you honestly think people are going to feel bad at trying to maximize their utility from products they purchased? I use things as they were not intended by the manufacturer all the time. Do they have a legitimate complaint? No, they happily sold it to me and I have no obligation to help them succeed at what is undeniably a poorly thought out business model.

Do you feel bad every time you don't purchase something you see on TV? A lot of people worked hard to put together that business. That is why it is called "risk" Sometimes you do something stupid and lose. The customers are looking out for number 1, they are not on the company's side (as companies are not on the customer's side) and if one slips up, the other takes advantage. Every time.

Finkployd