GDC SA-2100 disqualified by Paramount

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • GDC SA-2100 disqualified by Paramount

    To: Theaters using GDC SA-2100 servers

    Re: End of service notice

    Paramount Pictures continuously reviews the operational and security performance of equipment used to exhibit our theatrical features. We have identified certain security vulnerabilities in the above-named server. To ensure the continued protection of our features being presented in cinemas, we will not issue KDMs (keys) to these servers for bookings scheduled to start after 1 July, 2023. This means these servers will not be able to play MISSION IMPOSSIBLE: DEAD RECKONING PART ONE.

    Your theatre has been identified as a user of one or more of these servers. If you have ONLY these servers, you will not be able to play Paramount titles after 1 July until one or more of the units are replaced. If you have some screens using GDC SA-2100 servers and other screens using different servers, you will be able to play Paramount titles only on the non SA-2100 servers.

    The SA-2100 was one of the earliest servers deployed and has performed well beyond its expected service life. We apologize for the inconvenience this may cause, but protection of theatrical content is critical to our shared business health.

  • #2
    According to this cut sheet (http://www.tristatetheatre.com/sa2100a.pdf), this model is capable of Cinelink II, but it doesn't specify TLS. If the media block can only do DH, that might explain why Paramount is ending KDM support.



    • #3
      I was just talking to GDC, and they thanked me for letting them know, since they had no idea that Paramount is doing this. They're escalating it to their Head Office, and will let me know what Paramount's main problem with the SA-2100 is.

      If/when I find out, I'll post it here.



      • #4
        It's crazy that Paramount didn't give GDC a week or two's notice before sending that letter out. Anyone should have been able to figure out that the result would likely be queries directed to GDC.



        • #5
          Nice of them to do it on Friday so I get the calls from independents panicking.



          • #6
            The servers involved here: https://celluloidjunkie.com/2019/06/...e-piracy-ring/

            Were these SA-2100? The article doesn't give details (and probably for a reason).

            It's now an old story, but maybe this weakness can still be used, or a similar one has been discovered on the SA-2100.
            GDCs can be serialised in the field, which certainly makes them vulnerable.
            Last edited by Carsten Kurz; 05-13-2023, 09:08 AM.



            • #7
              The SA2100 pre-DCI was not FIPS compliant; the decryption components are open. So are early Doremi, so that's not the whole story.
              The article suggests that Hong Kong-based technicians supporting GDC servers performed the modifications to salvaged servers, allowing the cloning of server certificates from operating cinemas' servers, plus allowing playback on non-cinema projectors/monitors to then record the content using hi-def cameras, or maybe directly recording unencrypted video.
              And others built a complex criminal enterprise to acquire and sell features to mini cinemas on opening day.
              The image shows what sure looks like an old 2100, with the GDC UI on its monitor.
              Seems extreme to blacklist all 2100s but they must have some odd vulnerability that hasn't been disclosed.
              The article is not new and includes a what-if warning that another gang could do the same again. Has it, causing Paramount to do this?



              • #8
                I'm curious. Is it JUST the SA-2100 (which had a built-in touchscreen), or does it include the SX-2001, which was, essentially, the same server but without the touchscreen (and a different case)? The CJ article with ghost 1 was not the SA-2100. The weak link, as I recall, was an inside person from GDC cloning a certificate to allow a valid KDM to be used on a ghost machine.



                • #9
                  Nevertheless, the image capture method of this piracy scheme was still camcordering (albeit with a broadcast quality camcorder). I do wonder if the inability of the SA-2100's media block to use Cinelink II TLS encryption might be a part of this decision. Cinelink II DH has some noted vulnerabilities, e.g. a man-in-the-middle attack on the Diffie-Hellman key exchange. If it were possible to decrypt the DCP video file without having to project it and camcorder it, that would be even more of a nightmare for the studios than the workflow these Chinese criminals used.

                  But if that is a factor in this decision, we can expect to see DSP100s and DSS200/cat862s being blacklisted for KDMs soon, too, because they also allow the use of Cinelink I DH.

                  Edit: after reading Steve's post: if the SX-2001 is also to receive the same treatment, I suspect that this'll be a bigger problem. I don't have any 2100s in use by my regular customers, but at least 15-20 2001s. When I mentioned this to my boss yesterday, he told me that he wasn't worried about this, because the number of 2100s still in use is infinitesimal. In almost six years of working as a service tech, I haven't even seen one in the flesh.



                  • #10
                    While not discounting the importance of preventing piracy here, it is a bit ridiculous that a server that's been considered "acceptable" to the studios for over a decade suddenly isn't good enough. We all know any of those servers still running are already running in hospice, as when they start to die that's it. Nothing further can be done.

                    Why not just let all of the old equipment die off naturally? It's so close to that point anyway. And remember absolutely nothing will stop someone from pointing a camera at the screen and recording a movie that way.



                    • #11
                      The DSP100 and the DSS200 in all of its forms support Cinelink 2 TLS. If anything, the DSP100 was over-the-top in its physical security. It was some TI boards that didn't work with TLS and needed Cinelink 1 or DH. We have zero SA-2100s but there are some SX-2001s and more SX-2000ARs. Naturally, I'm concerned if the SX-2001s get lumped into the SA-2100 group. That could cause issues. People would be ticked off since they also have recently updated their certificates too (within the past year or two).



                      • #12
                        This move from Paramount is, unfortunately, not unreasonable. The explosion of cryptos and graphics cards that can do millions of hashes per second makes the old Cinelink encryption on the SDI signal very feasible to crack these days. No one expected the speed of improvement in cracking encryption. It's because of cryptos that we have seen a huge growth in hashing technologies. The time frame for expected vulnerabilities for many encryption technologies has been greatly decreased. Decreased so much that their use is still in the field; natural attrition did not remove them before this became a problem.

                        Look at the LastPass fiasco. In the crypto community, there was a lot of friction due to the paths LastPass took on safeguarding the crypto wallets (i.e., those that were stolen) and how, with today's hashing capabilities, you should consider all passwords in a LastPass wallet to be easily compromised. It is highly recommended that you change all passwords that were in any stolen LastPass wallet.
                        Last edited by James Gardiner; 05-13-2023, 06:07 PM.



                        • #13
                          Originally posted by Steve Guttag
                          The DSP100 and the DSS200 in all of its forms support Cinelink 2 TLS.
                          They support it, but they don't mandate it. You can choose to use Cinelink I or Cinelink II DH, and if you do, KDMs issued for that media block serial number will still work (it will not process encrypted DCPs at all only if you choose no media block to projector link encryption whatsoever).



                          • #14
                            I checked DCI and it still lists it as an approved server, so can Paramount not provide KDMs to an approved server? It sets a dangerous precedent if a studio picks and chooses equipment.



                            • #15
                              Originally posted by Leo Enticknap
                              They support it, but they don't mandate it. You can choose to use Cinelink I or Cinelink II DH, and if you do, KDMs issued for that media block serial number will still work (it will not process encrypted DCPs at all only if you choose no media block to projector link encryption whatsoever).
                              With the DCI updated software, the media blocks permanently stopped supporting Cinelink DH. I don't believe, even on a DSP100, that the DH option remains. Even so, that is a degree of paranoia that is over-the-top. These clowns allow streaming and PVOD way too soon to worry about copying in theatres. Who would worry about trying to crack a DCP player when digital perfection is going to be available nearly instantly right from the studio?
