TiVo Awarded Patent For Password You Can't Hack 291
Davis Freeberg writes "TiVo has always been known for thinking outside of the box, but this week they were awarded an unusual patent related to locking down content on their hard drives. According to the patent, they've invented a way to create password security that is so tough, it would take you longer than the life of a hard drive in order to figure it out. They could be using this technology to prevent the sharing of content or it could be related to their advertising or guide data, but if their encryption technology is really that good, it's an interesting solution for solving the problem of securing networks."
So.... (Score:5, Funny)
Re:So.... (Score:5, Insightful)
(ie: does making outlandish and incorrect claims in a patent invalidate it?)
IANAL... (Score:5, Informative)
...but I am a law student and just took an introductory IP course, so I'll try to answer. A patent must actually do what you claim it does. But they don't claim it can't be cracked:
Re: (Score:2)
Re: (Score:3, Funny)
Re:So.... (Score:5, Insightful)
In the US at least, there's no requirement that a patented idea or invention or system actually do anything useful or work or even do what it claims.
There are numerous patents for mind-reading devices, nutjob free energy systems and perpetual motion machines, and searching the USPTO database for the "hyper-light-speed antenna" will produce some interesting reading.
Might as well patent completely unbreakable DRM.
Re: (Score:3, Interesting)
Re: (Score:2)
Does it matter? (Score:3, Insightful)
So, why is it in any way meaningful whether that invalidates a patent which doesn't mean jack in the first place?
Re:Does it matter? (Score:4, Interesting)
But if this patents is invalidated, it is meaningful in several ways. First is other devices might be forced into using it by the media companies or something and this will raise the costs of consumer electronics. The next thing is, suppose someone discovers this as a way to keep usable information out of anyone's hands who don't have permission to use it. There is another royalty that needs to be payed and it will come out of our pockets too. But most importantly, A patent takes an entire piece of software off the market for most. Imagine if the word processor was patented when it originally was developed. Whatever the first word processor was and anyone willing to pay the royalties to them are the only word processors we would have. Openoffice.org wouldn't be here, Microsoft could have bought the patent and stopped everyone from using it other then them, so on and so on.
So what happens when computers are fast enough that to be somewhat reasonable secure, you need this patent. If it is still valid, again, everyone pays TIVO to use it. But if it was copy written instead of patented, then many other players could attempt to do similar things and hopefully competition would make things better and all. But if we are stuck with this one implementation and it turns out not to work, any working implementations from other companies will have a payment to TIVO associated with any costs.
Re:So.... (Score:5, Insightful)
Re:So.... (Score:5, Informative)
As soon as you can do that, 3 things are true:
(1) You can preserve it on something more reliable (longer life) than the original drive and work on cracking it from there.
(2) You can make multiple copies and work on it x times faster by attacking each drive/copy with a separate part of the list of possible solutions.
(3) You can spend as long as you like working on cracking it and when the drive reaches the end of it's life, pick up where you left off working on your clone disk.
More importantly how many copies would you need to make to solve it within a useful time period at all? Would you get the data within a useful time frame? Within years? Within your own life time?
Obviously if they have made it so that you can only access the drive with a specific controller then the idea of taking copies is significantly more difficult, but from what I've read it's just a regular Western Digital drive which means you could hook it up and take a raw image of the entire disk even without being able to decode the contents at that point. So as the parent said, you're not hacking it "in situ" and as soon as the drive gets into a consumer's home, you've handed of a the data to be copied.
This is just a patent for making hacking difficult, but since when does that stop anyone?
Meanwhile, I am not even going to bother trying to figure out how this is a solution for "securing networks".
Re:So.... (Score:5, Interesting)
On the other hand, yes, this does appear to be a simple patent on tying a hard drive to an electronics unit. Viable attack vectors are already obvious.
The patent that will never reach courts. (Score:5, Insightful)
At least you know nobody is going to get sued over this one. Ever.
Re: (Score:2)
Examples of similar systems:
http://en.wikipedia.org/wiki/Challenge-response_au thentication [wikipedia.org]
The concept is that if the system has a set of information (which could be an extensive database of info specific to a given system), another chip or element in the system could theoretically ask questions about it. If the two chips exist in the same system, there are limitless resources available for them to mutually read off of t
Re:So.... (Score:5, Funny)
At least
Re: (Score:2)
Someone hacks a tivo to get the content... Tivo gets mad and sues...
Tivo loses because the person says they couldn't have broken the tivo code because the code is unbreakable, if they did, then Tivo loses the patent.
Re:So.... (Score:5, Insightful)
Re: (Score:2, Insightful)
Re: (Score:2)
Re:So.... (Score:5, Funny)
*in the underground lair of tivo*
tivo suit guy 1: Those lousy internet people keep cracking our encryption!
tivo suit guy 2: How do they keep doing it?
tivo suit guy 1: Because time is on their side, and they have no life! grr
tivo suit guy 2: How long can a 'really hard' encryption take?
tivo suit guy 1: I have no idea, maybe like a month? A week?
tivo suit guy 2: A WEEK? You can't be serious!
drive manufacturer suit: Well, if you can't beat crackers at their own game, what needs to get done is to beat them from a different angle.
tivo suit guy 1: what do you mean?
drive manufacturer suit: Think about it, every time you come up with a new password, it gets cracked in a week, there is no control over that. So, what needs to get done is to beat them where they have no control. TIME!
tivo suit guy 2: Time? And how do you expect us to control TIME?
drive manufacturer suit: Easy. Since we know that a password can be cracked within a week, what needs to get done is to prevent them from getting access to the password before that week. All we have to do is manufacture drives that will fail within a week!
tivo suit guy 2: That's brilliant!
tivo suit guy 1: Wait a minute. We can't have customer's drives dying withing one week. That's just no good for business.
drive manufacturer suit: Don't worry about it. We'll use flash drives. Flash ram wears out overtime. We can explain to the customer that the new flash drives will use less energy, have no moving parts, and are cheaper!
tivo suit guy 1: Will they really be cheaper?
drive manufacturer suit: only to you they will be. That way you won't have to pass off the savings to the customer. Plus, you can add in an additional subscription fee to have new flash drives mailed to them every week when they mail back their old flash drives! Think: netflix, but instead of dvds, flash drives. More money for you!
tivo suit guy 2: kinda like the photo-copier industry with their toners.. hrm, I like it!
tivo suit guy 1: Wait wait wait! Those drives will still cost us a pretty penny, so what's the secret?
drive manufacturer suit: *grins* we will be using _OLD_ flash drives. Just like the old flash drives that croaked so quickly. The manufacturing technology to build them was very cheap. We can churn those out like nobody's business.
tivo suit guy 1: hrm, so essentially they are disposable drives?
tivo suit guy 2: It's an excellent plan! We can add in the additional 'service' and bleed our customers dry!
drive manufacturer suit: soo, do we have a deal?
tivo suit guy 1 & 2: it's a deal! I think I'm gonna patent that idea!
*shakes hands, and the meeting is ended, tivo suit guys leave*
drive manufacturer gets on cell phone
drive manufacturer boss: so, how did it go?
drive manufacturer suit: They accepted project 'disposable drive.' Those fools have no idea we're playing them for our pawn.
drive manufacturer boss: Eeeexxxeeeelent~
drive manufacturer suit: Phase 1 is complete. I've finished talking to Apple and Creative already. I'm scheduled to meet with Sprint and Verizon tomorrow.
drive manufacturer boss: Once we have all the mp3 players, cell phones, and tivos supplied with our disposable drive, users will be upset that only after a week of use, their electronics became useless! This will soil the name of flash drives in a larger scale never seen before, and drive customer confidence towards flash down! They will be forced to lower their prices, and eventually perish under their manufacturing costs. Harddrives will RISE AGAIN! MUHWAHAHAHAHAHA!
Re: (Score:2)
too many screwdrivers tonight, but that was still funny.
-mbfd
And the password is... (Score:5, Funny)
Don't tell anyone.
oh i found it on google with 1.9 mln results! (Score:2, Funny)
Re:oh i found it on google with 1.9 mln results! (Score:4, Informative)
To quote Spock, "I believe that is what [he] said."
I only caught it because I read RFC 2045 the other day. (specifically, the section on Base64 encoding...)
-:sigma.SB
A really long one? (Score:4, Insightful)
That doesn't sound like it would be worth a patent.
Then again, it might be more interesting and have non-typeable characters...
Or maybe just "Joshua"
Re: (Score:3, Interesting)
I suppose if I ever figured out how to put a newline into my password I would have one heck of a time logging on.
Re: (Score:2)
Re: (Score:3, Funny)
> Global Thermo-Nuclear War
May we also suggest: Genocide In These Modern Times, NASCAR
I have a... (Score:2, Funny)
This sounds familiar: (Score:4, Funny)
Hack available for download from the internet in 5, 4, 3, 2....
Re: (Score:2)
1. No profit!
longer than the life of a hard drive in order .... (Score:5, Insightful)
And what if it's a WD drive they are talking about? The life of those is so low they had to drop their warranty to 1 year because they admitted 3 years would put them out of business. (The reason I only use Segate 5 year warranty drives).
Warranties (Score:2, Informative)
I lost all my important data on my hard drive from it crashing.
Sincerely,
Unhappy user
======
Dear User,
Here is a new hard drive replacement.
Sincerely,
Seagate
Re: (Score:2, Insightful)
Re: (Score:3, Informative)
if you check newegg for hard drives most of the WD drives there have a 3 or 5 year warranty on them
Re: (Score:2, Informative)
maybe im just lucky ^^
Re: (Score:2)
I've lost drives from other brands too, sure. But only WD has a 100% failure rate.
Why did I keep using them? The first one I thought was fluke. Then it's warranty replacement died too.
Won another WD in a contest. It died. When that replacement came, I gave it to someone else. Never even opened it. It died too and victimized the lucky new owner.
Then I went some years before getti
Hamel's Folly (Score:5, Interesting)
On the dangers of assuming keyspace => security:
from ''Computer Security and Cryptography'', Alan G. Konheim.
Re:longer than the life of a hard drive in order . (Score:2)
My computer has a 120gig WD drive which has been going for years and my 6 month old server has 4 of the drives.
Never had a problem.
Clone Drives? (Score:5, Interesting)
Its hard to make something undefeatable and if you claim such it is only going to attract people as a challenge. Maybe that is what they want?
Of course if someone proves that it isnt 'impossible' then does that void the patent?
Re: (Score:2)
Re: (Score:2)
Hard disk life (Score:4, Funny)
Re: (Score:2)
Yet another reason not to get a Series3 TiVo (Score:5, Insightful)
Look, if I buy a device that has a hard drive in it, that hard drive is mine. The data on it is mine. If you don't want me to access it from the "wrong" host, maybe you shouldn't have sold it in the first place. You can have all the control you want over that hard drive while it's gathering dust in your warehouse.
Re: (Score:3, Interesting)
Re: (Score:2)
Ditto, give or take. I have a Series 1 that I've kept limping along, but the last hard drive upgrade didn't go too well. The bigger the hard drive, the more the P.O.S. stutters---at 500 gigs, it doesn't go more than 5 mintues without glitching during playback, and it also only boots up about one out of every five or six boots, so I have to keep power cycling it to get it to boot. At that point, I realized that keeping the TiVo working was more trouble than it was worth.
So I had a choice: upgrade to a n
Re: (Score:2)
An old Xbox costs under $100, and to mod it and install XBMC costs nothing and takes no longer than an hour. Even if you have to buy a wifi/ethernet bridge for each one, it still costs half as much as AppleTV.
Re: (Score:3, Interesting)
There are a lot of reasons:
Re:Yet another reason not to get a Series3 TiVo (Score:5, Informative)
Re: (Score:2)
Re: (Score:2)
I haven't looked into all the hardware needed, but for me the the deal breaker on a diy DVR is the use of IR blasters. I would love to use a serial cable to control the cable box, but both Comcast and Verizon seem to have disabled that feature. I've even given thought to upgrading to a Series 3, so I can get a cablecard and do away with the IR blasters. So how does one setup a diy DVR to work with digital cable without the use of IR blasters?
Re: (Score:2)
Re: (Score:3, Insightful)
The blame for that
Blog spam is just plain wrong (Score:5, Interesting)
This has nothing to do with networks at all. The patent is about making sure a hard disk can only talk to a certain host.
Its just another attempt to prevent people form using their own hardware how they want to.
Re: (Score:3, Insightful)
It has nothing to do with copy protection. You don't honestly think TiVo gives a rat's ass about copy protection, do you? They care exactly as much as is necessary to keep from getting sued. The Series 1 was probably sufficient. No, the new anti-consumer trend in TiVo has nothing to do with copy protection and everything to do with upgrade prevention.
Every person with a Series 1 TiVo and a giant hard drive is someone to whom they didn't sell a Series 3 TiVo. They naively think that by locking down th
Why so much effort (Score:3, Insightful)
Comment removed (Score:4, Insightful)
I've done this before just for fun. (Score:2)
Re: (Score:2)
Re:I've done this before just for fun. (Score:5, Insightful)
In the text they mention prior art of both:
1. Using a challenge system between a hard drive and a host
2. a wire-secure challenge system
Even if no one has ever put cryptographic functions into a hard drive (I'd be surprised) virtually every cryptography paper talks about all of the communications in the only meaningful terms, abstract ones, implying in a way obvious to non-experts that it can be used between any equipment.
This, like many other bad patents, is at best a land-grab for a specific piece of territory so well discovered, mapped, and understood that claiming a portion of it is just ridiculous.
Re: (Score:2)
New Marketing Tool (Score:5, Funny)
Nothing Is Unhackable (Score:5, Funny)
When I was a wee tot, I remember seeing a single-panel _Dennis The Menace_ cartoon. The cartoon itself had Dennis' father at a boardroom-type table with a few other people, his briefcase open, and various parts spilling out. The caption was something like "Gentlemen, our new bathroom scale did not pass the 'Dennis test'. We cannot refer to it as 'unbreakable'".
Since then, whenever I've heard about something claiming to be unbreakable, I picture a very broken bathroom scale...
can we get the old hahaha tag now (Score:5, Insightful)
Re: (Score:2, Insightful)
Larry Ellison once said of Oracle "can't break it, can't break in". From a security view, Oracle then was a total POS. Even worse than Windows - the worst was 9i release 1. Now, it is a little better as long as you are running 10g R2. If you are running any earlier version of Oracle, upgrade now before your databases are 0wn3d. Better yet, secure them behind firewalls from your corporate intranet. I think Larry used the quote to get some free R&D from the hackers. Now, they can't use any sales pi
can we get the old mom's basement tag now (Score:2, Funny)
Geeks can't get laid.
A good way to lose their business (Score:4, Interesting)
Read the patent... (Score:3, Interesting)
The problem is still, the user has HIS content, he can do whatever he wants with it as long as he can see it. Unless you encrypt the lightwaves that reach our eyes and plant a DRM chip in our brain, we're going to be able to copy your precious content.
Re:Read the patent... (Score:4, Informative)
Re: (Score:3, Insightful)
Re: (Score:2)
What good...? (Score:2, Insightful)
Imagine what the historians and archaeologists are going to do with these doorstops. The quest for perfect data security is beginning to sound an awful lot like the final pages of _Fahrenheit 451_.
--
Toro
Re: (Score:2)
It's the diffie-helman key exchange (Score:4, Informative)
An authentication system for securing information within a disk drive to be read and written to only by a specific host computer such that it is difficult or impossible to access the drive by any system other than a designated host is disclosed. While the invention is similar in intent to a password scheme, it significantly more secure. The invention thus provides a secure environment for important information stored within a disk drive. The information can only be accessed by a host if the host can respond to random challenges asked by the disk drive. The host's responses are generated using a cryptography chip processing a specific algorithm. This technique allows the disk drive and the host to communicate using a coded security system where attempts to break the code and choose the correct password take longer to learn than the useful life of the disk drive itself.
Drive sends random junk. Host responds with digital signature on random junk. Drive verifies signature. It's a diffie-hellman key exchange derived system called a digital signature. RSA and DSA (El Gamal is DSA's corresponding cryptosystem) are examples.
Re: (Score:2)
It's a simple keyed hash challenge-response protocol. The host & controller share a key. The controller generates a nonce and sends it to the host. The host XORs the nonce with the key and returns the SHA-1 hash. The controller compares the hash to a hash it calculates and if they match you're off to the races.
The XOR of key & nonce seems extraneous to me, but I don't think it impacts the algorithm.
The flaw, of course, is the assumption that the attacker--who posses
BeyondTV (Score:4, Informative)
Cryptographic Challenge-Response Authentication? (Score:4, Insightful)
In what novel way - or any way for that matter - does this differ from standard cryptographic challenge-response authentication? I mean, maybe they are using an extremely long generated series of psuedorandom keys, secrets, responses, or all 3 but I don't see how that is novel. Or perhaps incorrect responses result in the disk controller becoming non-responsive for a short period to increase the time required to exhaust the series, but that isn't novel either.
Any ideas?
Re:Cryptographic Challenge-Response Authentication (Score:3, Insightful)
How is this news? (Score:5, Insightful)
The problem with DRM is that the person who is the recipient is also one of the people they want to keep out. This creates a problem: To decrypt the message (by message I mean whatever they are giving you, video, song, game, whatever) you have to give them the key. However, if they have the key, well then they can decrypt it and do what they want with it.
This leads to all the tricky, and ineffective, stuff we see these days. They try to hide the key so that only the device can find it and you can't get at it. Well that just don't work. It can make it so it isn't as simple as just copying a disk, but as we've seen with the AACS break, you can't hide that shit from a determined attacker. The key IS on there, it CAN be found.
So I don't care how good their password scheme is. AES-256 with a 64 character password is good enough to last until the sun goes dark (or at least until quantum computing becomes a reality) but that doesn't buy you anything if you have to hand out the key as part of your scheme as is required by DRM.
Am I infringing on the patent? (Score:3, Interesting)
When I read this I though "Okay, so you have to steal the box to get the content or do a lot of work to get the data off of the drive using the chip in the machine.. no big deal right?"
Then it occurred to me, maybe the host computer isn't the local Tivo box, maybe it is Tivo's system (remote) that they're calling the host. What does that mean? Now you can't get data off of the drive unless the Tivo calls home, swaps k
Why It Does and Does Not Matter (Score:5, Interesting)
Quickly, before Cringely ruins it with bad math, I need to point out some very obvious weaknesses in making this work correctly:
Okay, you all can go back to your regularly scheduled cheap shots.
Paging... (Score:3, Funny)
what if i made some 1:1 s? (Score:3, Interesting)
So it's security is that a brute-force/birthday attack is just so improbable that the drive will wear out before i can test enough possibilities to have a measurable chance of getting it? Besides, twofish, blowfish, AES, any virtually any other standard encryption algorithm could boast the same thing. Tell me if I'm wrong, but couldn't i make a bunch of 1:1 copies of the disk and use those to crack it?
I'm no security expert... (Score:5, Interesting)
Give your friend a deck of cards. Turn around and have them shuffle it, select a card at random, memorize the card and put it back in the deck. Have them shuffle it some more (without you looking at it). Take the deck from them and take a card from it and say 'this was your card'.
In the long run, you'll be right about 1 in 52 times. If you happen to be right the first time with a particular friend, and never do the trick again, they will be scratching their head for a long time trying to figure out how you did it.
So, the point I'm trying to make is that it could take longer than the life of a hard drive to crack the super secret code, or you get get it right on the first guess (or the second one, or the third one...). So it seems rather silly to claim that it is uncrackable.
I can't wait... (Score:2)
I can't wait for them to GPL their implementation. Hopefully there will be enough software in the Tivo that gets licesed under GPLv3 to put these assholes out of business.
Anyone out there have any examples of prior art?
Not on Series2 Tivos... (Score:2, Informative)
On a Series2 Tivo, it's not rocket science:
1) Pull hard drive
2) Replace kernel with another kernel that doesn't do an integrity check of files at boot time.
3) Make the startup scripts spawn a telnet daemon (Tivo was thoughtful enough to provide one)
4) C
I see your patent for unhackable pws and raise... (Score:2)
Hey what, it's obviously now allowed to patent the impossible!
This patent sucks (Score:4, Interesting)
Re:Scoff (Score:4, Funny)
Jeeze. You've been luckier with hard drives than I have, then... ROT13 would be sufficient to outlast some of them.
Knock Knock... (Score:2)
Maxtor!
Re:Man in the middle? (Score:4, Interesting)
Re: (Score:2)
Could you specify this ? I still agree with parent: couldn't you create a device that reads the input + output of the hard disk, then grab the challenge + response.
This is a typical problem of challenge-response authentication. Plus, in this case "a response value using a combination of a lock value and said challenge" remains constant across several read commands.
How is this 'man-in-the-middle resistant' ?
Re: (Score:2)
Re: (Score:3, Insightful)
Re:Sure, uncrackable like every uncrackable code (Score:5, Informative)
Crypto on a chip is more secure than crypto in a binary.
Re:Really? (Score:5, Funny)
No they're not. They've always been known for seeking to keep everything IN the box.
Re: (Score:2)
Platter swap.. (Score:2)
The bit that gets me is that it appears someone let a marketing clown loose on what they've created. "Never" is the right word to get every cracker a