Hack News: McCormac Hack Over Cablemodem. Dateline 2200 Hrs, 10 August 1998
One of the main weaknesses of any smart card based system is that the decoder trusts whatever sits in its card slot: it cannot tell a genuine card from a device that replays a genuine card's output. One smart card can therefore feed a multitude of decoders. The McCormac Hack, simply stated, is the redistribution of the key data from the datastream between a decoder and a legitimate smart card, so that any decoder with a suitable pseudo-card in the card slot can decode a channel. Given an adequate communications network, a single subscription could run a town or a country. The effect on a Pay TV service would be devastating.
With the original McCormac Hack, the most viable communications network was a radio based one, and for small area applications a radio link is still the best. Phone based or internet based systems were not viable at the time the hack was formulated. Nearly ten years later, things have changed for the better for the consumer: the most viable network at present for a large area operation is the biggest network in the world, the internet.
The exponential growth of the internet has created a massive pirate audience and there is little that the channels can do to stop it. The first indication of the size of this audience was the proliferation of the SEASON programs, and the release of PIC16C84 source code for decoding VideoCrypt and EuroCrypt encrypted channels started an avalanche. There is, however, one fundamental difference between those hacks and the McCormac Hack: the McCormac Hack operates in real time.
With the SEASON and card based hacks there is a delay between the implementation of an ECM (an electronic countermeasure, such as a key change aimed at pirate cards) and the recovery from it. It is this time lag that the channels rely on to create the illusion that the system is still intact to some extent. The logic is one of attrition: if the period between ECMs becomes short enough, the pirate viewers will become too frustrated to keep reprogramming the new codes into their cards and programs. To date that has not been the case, and the codes for the EuroCrypt D2-MAC code changes have been available before the change occurs on the channel. It is still an irritant that the new codes have to be entered. The McCormac Hack removes this time lag, and the irritation, from the loop.
Since the McCormac Hack relies on the datastream from a legitimate smart card, ECMs are difficult to implement: the channel has to identify the actual subscription being used to provide the real-time keys, and on a small area network such a task would be nearly impossible. News Datacom did patent a method that they believed would stop the McCormac Hack working on their systems, though it came too late to protect VideoCrypt. It is believed that the new Sky Digital conditional access system has integrated the method into its architecture.
Many of the systems in operation today have no real and effective safeguard against this type of hack. A hack on an unprotected system would naturally be devastating, but a few key conditions have to be met.
One of these conditions is a cheap communications infrastructure, such as free local phone calls. While such things are common in the USA, in Europe, and more specifically Ireland, they are the stuff of dreams. However, if the programme on the channel is of high enough interest, then it is a target. Most of the movie channels are not really that lucrative a target, since they only show movies after they have appeared on video. It is the PPV events costing up to £15 per event that are the real targets - those and the hardcore porn channels.
The internet provides an excellent communications network for this kind of hack. However, systems with short key cycle times, such as VideoCrypt (2.5 seconds between keys), are less vulnerable to a country-wide hack. Some sources claimed that the key data could be delayed by 350 ms at most. This may be sufficient for a localised hack where all users are on the same ISP, but the lag over a wider network would cause problems. Long key cycle time systems such as EuroCrypt (10.24 seconds) are ideally suited to an internet based hack.
Using the internet as the network offers the consumer more choice: they connect to the internet to get the datastream and watch the programme. Pirate in nature it may be, but the conventional channels do not yet offer this level of access. The essential aspect of this hack is that it must be user friendly. It is no use having a technologically elegant hack that is difficult to use - this is where hacks like the DDT fell down.
In the days of analogue scrambling systems, people were prepared to mess about with a number of different boxes in order to watch the few channels that were available: one descrambler for Filmnet, one for the UK Premiere channel and BBC, one for Teleclub and yet another for RTL-V. These were integrated into a single case by Chris Carey's HiTech Xtravision, which provided a more user friendly device for the consumer and frequently a better picture than the official descramblers. Even so, the multitude of scrambling systems meant that the consumer had to go for the more expensive HiTech Xtravision or a few discrete descramblers connected when needed. Compared to all this, the smart card was a heaven sent solution for the channels - and for the pirates. It was simple, small and very user friendly.
The New Interface
The interface for the hack is where the real battle for hearts and minds is fought. The smart card is the ultimate interface, so it is no surprise that the majority of the pirate market is taken up by pirate cards based on PIC16C84s or Dallas 5002s. The SEASON interfaces represent a very small segment of the market and most channels do not seem to consider them a significant risk. Logically, for this hack to be effective, it would be wise to follow an approach that can take its input from a computer while still presenting a card to the decoder.
One of the main disadvantages of the SEASON interface is that it uses a COM port on the computer. For a system that is connected to the internet via a modem and uses a serial mouse, the number of free COM ports diminishes somewhat, and it still involves some messing about with the computer to get it working properly. An alternative would be the parallel printer port. In terms of user friendliness this would be only slightly better, as someone would have to unplug the printer to connect the interface, and printer port compatibility problems would arise depending on how the port is handled by the various operating systems. The best solution is one that works equally well on W95/W98/DOS.
Two possibilities exist: a light based solution and a sound based solution. The light based solution is outlined in Black Book 5 as the FireLyte method. It used an applet to encode the data as a flashing or flickering area on the screen, and the interface picked up the encoded data from the screen with a phototransistor. The webpage would have to be dynamically published, as the data would be changing every few seconds; perhaps an Active Channel would be more suited to this application. The primary disadvantage of this method is that it relies on monitors being uniform in their response, which would tend to limit the colours used to black and white, and beat frequencies caused by monitor refresh rates would also have to be taken into account. Still, this is the right approach, as there need be no direct connection to the PC.
Most good solutions are compromises. The audio based solution does require a connection to the PC, but only to the PC's audio output. Most computers used to connect to the internet today are multimedia types and so have soundcards, and the retail cost of a low end soundcard is less than £40. Even adding this to the cost of the interface, the total is less than that of a typical battery card.
The interface card itself would be built around the PIC16C84 microcontroller, although a more secure microcontroller could be used. The PIC would emulate a smart card much as it does in a standard pirate smart card implementation, but the key data would come from the circuit that converts the audio from the PC back into data. Note that the PIC16C84 has no on-chip analogue to digital converter, so the demodulation would have to be done in external circuitry (a tone decoder or comparator front end), with the PIC reading the recovered bit stream on a digital input.
By using readily available software and, in some cases, familiar hardware, the whole implementation can be streamlined. The most obvious step is to use a RealAudio server to serve the encoded key data:
1. The key data is converted to audio and transmitted over the internet by a RealAudio server running on the main server.
2. The user's computer connects over the internet to the RealAudio server, and the RealAudio player program on the user's computer provides an audio output.
3. The audio from the computer's soundcard is fed to the interface, where it is demodulated. The recovered data is parsed and presented by the PIC16C84, which is emulating a smart card, and the correct key data is delivered to the decoder.
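As an added illustration of steps 1 to 3 (this is example code written for this page, not the article's or any project's own design), the block below carries a key frame as audio tones and recovers it the way the interface would. Every parameter is an assumption chosen for the illustration: an 8 kHz sample rate, 500 baud, binary FSK with 1000 Hz for a '1' bit and 2000 Hz for a '0' bit (both an exact number of cycles per bit, so the Goertzel detector bins are exact), and a 10-byte frame of a sync byte, eight key bytes and an XOR checksum. The sample key and the line noise are constructed.

```python
# Added example (not from the original article): key data as audio FSK, modulated at
# the server end and demodulated at the interface. Parameters are assumptions.
import math
import random

SAMPLE_RATE = 8000
BAUD = 500
SAMPLES_PER_BIT = SAMPLE_RATE // BAUD   # 16 samples per bit
FREQ_MARK = 1000                        # '1': two full cycles per bit
FREQ_SPACE = 2000                       # '0': four full cycles per bit
SYNC = 0x7E                             # assumed sync byte
KEY_LEN = 8                             # assumed key length
FRAME_LEN = 1 + KEY_LEN + 1             # sync + key + checksum


def xor_checksum(data):
    chk = 0
    for b in data:
        chk ^= b
    return chk


def frame_key(key):
    """Server side: wrap one key as sync byte + key bytes + XOR checksum."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be %d bytes" % KEY_LEN)
    return bytes([SYNC]) + bytes(key) + bytes([xor_checksum(key)])


def modulate(data):
    """Continuous-phase binary FSK; returns float samples in [-1, 1], MSB first per byte."""
    samples = []
    phase = 0.0
    for byte in data:
        for i in range(7, -1, -1):
            bit = (byte >> i) & 1
            step = 2 * math.pi * (FREQ_MARK if bit else FREQ_SPACE) / SAMPLE_RATE
            for _ in range(SAMPLES_PER_BIT):
                samples.append(math.sin(phase))
                phase += step
    return samples


def goertzel_power(block, freq):
    """Energy of one bit period at freq (Goertzel algorithm, a single DFT bin)."""
    n = len(block)
    k = round(freq * n / SAMPLE_RATE)
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in block:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def demodulate(samples):
    """Interface side: decide each bit by comparing energy at the two tones, pack into bytes.
    Bit alignment is assumed known here; a real interface would hunt for a preamble."""
    bits = []
    for i in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        block = samples[i:i + SAMPLES_PER_BIT]
        bits.append(1 if goertzel_power(block, FREQ_MARK) > goertzel_power(block, FREQ_SPACE) else 0)
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def parse_frame(frame):
    """Return the key bytes, or None if the frame is malformed (the pCard then keeps its old key).
    The XOR checksum catches line noise only; it is no defence against a forged stream."""
    if len(frame) != FRAME_LEN or frame[0] != SYNC:
        return None
    key = frame[1:1 + KEY_LEN]
    return key if xor_checksum(key) == frame[-1] else None


def add_noise(samples, amplitude, seed=1):
    """Constructed line noise (uniform, seeded) to show the detector has margin."""
    rng = random.Random(seed)
    return [s + rng.uniform(-amplitude, amplitude) for s in samples]


def relay_key(key, noise=0.3):
    """Whole path: frame and modulate at the server, demodulate and parse at the interface."""
    audio = add_noise(modulate(frame_key(key)), noise)
    return parse_frame(demodulate(audio))


def frame_airtime_ms():
    """Time one frame occupies on the audio channel; it counts against the delay budget."""
    return FRAME_LEN * 8 * 1000 / BAUD


if __name__ == "__main__":
    key = bytes.fromhex("0123456789abcdef")   # constructed sample key
    print("recovered", relay_key(key).hex(), "airtime %.0f ms" % frame_airtime_ms())
```

One point the block makes visible: at 500 baud the 10-byte frame alone occupies 160 ms of the channel, close to half of the 350 ms the article says a decoder will tolerate, so the modem's bit rate is part of the timing budget, not just the network.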
Why The Cablemodem Is Essential
In an article on cable modems, Byte magazine stated that the ping time on a cable modem is in the region of 14 ms. An ISDN terminal adapter gave a 110 ms ping, and an average phone connection a ping of between 170 and 250 ms. The lower the ping time, the lower the latency of the connection, which is what matters here; the key datastream needs very little bandwidth.
The timing of the key data is critical, and most systems can only tolerate the data being delayed by about 350 ms before the decoder becomes unlocked. While on a local server on the same ISP such a hack could work over ordinary phone lines, the server would have to be powerful and connected over a good link such as ISDN. Cable modems, with their 14 ms ping time, would provide an extremely fast connection for this kind of data. Ping time is only part of the budget, though: processing at either end and the audio path itself add delay, and a streaming player that buffers more audio than the decoder's tolerance allows would defeat the scheme on any link.
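To make the budget argument concrete (for this paragraph and for the key cycle discussion earlier), here is an added delay model, example code written for this page rather than anything from the article. It uses only the figures the article gives (the 350 ms tolerance and Byte's ping times of 14 ms cable, 110 ms ISDN, 170 to 250 ms dial-up); everything else is an assumption for the model: one-way latency taken as half the ping, the jitter figures, the processing allowances, a 160 ms frame airtime, the optional player buffer, and a 'lead' term for how far ahead of the change the legitimate card yields the new key, which the article does not state for either system.

```python
# Added example (not from the original article): delay budget for the relayed key.
# Article figures: TOLERANCE_MS and the ping times behind LINKS. All else is assumed.
import random

TOLERANCE_MS = 350.0   # article: key data can be at most ~350 ms late

# link -> (one-way latency ms, added jitter ms); one way = half the quoted ping (assumed)
LINKS = {
    "cable":  (7.0, 5.0),
    "isdn":   (55.0, 20.0),
    "dialup": (105.0, 60.0),
}


def key_delay_ms(link_ms, server_ms, frame_ms, client_ms, buffer_ms, lead_ms):
    """How late the new key is, relative to when the decoder needs it, once the pCard has it."""
    return server_ms + link_ms + buffer_ms + frame_ms + client_ms - lead_ms


def simulate(link, periods=1000, server_ms=40.0, frame_ms=160.0, client_ms=40.0,
             buffer_ms=0.0, lead_ms=0.0, seed=7):
    """Fraction of key periods in which the pCard holds the new key within tolerance.

    server_ms: card reader -> PC -> encoder at the sharing end (assumed)
    frame_ms:  time the key frame occupies on the audio channel (assumed: 10 bytes at 500 baud)
    client_ms: player -> demodulator -> PIC at the user's end (assumed)
    buffer_ms: streaming buffer on the audio path, if any (assumed)
    lead_ms:   how long before the change the legitimate card yields the new key
               (assumed; 0 = exactly at the change, which is the worst case)
    Returns (fraction_in_time, worst_case_delay_ms); jitter is seeded so runs repeat.
    """
    base, jitter = LINKS[link]
    rng = random.Random(seed)
    in_time = 0
    worst = 0.0
    for _ in range(periods):
        link_ms = base + rng.uniform(0.0, jitter)
        delay = key_delay_ms(link_ms, server_ms, frame_ms, client_ms, buffer_ms, lead_ms)
        worst = max(worst, delay)
        if delay <= TOLERANCE_MS:
            in_time += 1
    return in_time / periods, worst


def budget_table(**overrides):
    """Run every link with the same allowances, so one term can be changed and compared."""
    return {link: simulate(link, **overrides) for link in LINKS}


if __name__ == "__main__":
    for link, (frac, worst) in budget_table().items():
        print("%-6s in time %5.1f%%  worst delay %5.0f ms" % (link, 100 * frac, worst))
    print("500 ms player buffer:", budget_table(buffer_ms=500.0))
    print("new key known 5 s ahead:", budget_table(lead_ms=5000.0))
```

With these allowances cable and ISDN always make the deadline, dial-up misses it most of the time because its jitter tail pushes the total past 350 ms, a 500 ms player buffer defeats every link, and a key delivered even a few seconds ahead of the change (the situation a long key cycle makes possible) removes the network from the problem entirely.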
Since cable modems connect to a computer via a network card, very little modification is needed beyond feeding the key data to the RealAudio server. The main processing on the user's side is carried out in the pseudo-smartcard (pCard); all the user's computer has to do is connect over the cable network and run a RealAudio player, and most operating systems available today have RealAudio player programs available.
While it is not viable to use a cable modem connection to broadcast the video and audio of a channel, broadcasting the key datastream is possible. It would be interesting to see how many of the scrambling systems in operation are vulnerable to this kind of hack using such a connection and interface.