According to this cut sheet (http://www.tristatetheatre.com/sa2100a.pdf), this model is capable of Cinelink II, but it doesn't specify TLS. If the media block can only do DH, that might explain why Paramount is ending KDM support.

I was just talking to GDC, and they thanked me for letting them know, since they had no idea that Paramount is doing this. They're escalating it to their Head Office, and will let me know what Paramount's main problem with the SA-2100 is.

If/when I find out, I'll post it here.

It's crazy that Paramount didn't give GDC a week or two's notice before sending that letter out. Anyone should have been able to figure out that the result would likely be queries directed to GDC.

Nice of them to do it on Friday so I get the calls from independents panicking.

The servers involved here: https://celluloidjunkie.com/2019/06/...e-piracy-ring/

Were these SA-2100? The article doesn't give details (and probably for a reason).

It's now an old story, but maybe this weakness can still be used, or a similiar one has been discovered on the SA-2100.
GDCs can be serialised in the field, which certainly makes them vulnerable.

The SA2100 pre-DCI was not FIPS compliant, the decryption components are open. So are early Doremi so that's not the whole story.
The article suggests that Hong Kong based technicians supporting GDC servers performed the modifications to salvaged servers allowing the cloning of server certificates from operating cinemas' servers, plus to allow playback on non cinema projectors/monitors to then record the content using hi def cameras or maybe directly recording unencrypted video.
And others built a complex criminal enterprise to acquire and sell features to mini cinemas on opening day.
The image shows what sure looks like an old 2100, with the GDC UI on its monitor.
Seems extreme to blacklist all 2100s but they must have some odd vulnerability that hasn't been disclosed.
The article is not new and includes a what-if warning that another gang could do the same again. Has it, causing Paramount to do this?

I'm curious. Is it JUST the SA-2100 (which had a built-in touchscreen) or does it include the SX-2001, that was, essentially the same server but without the touchscreen (and a different case). The CJ article with ghost 1 was not the SA-2100. The weak link, as I recall, was an inside person from GDC cloning a certificate to allow a valid KDM to be used on a ghost machine.

Nevertheless, the image capture method of this piracy scheme was still camcordering (albeit with a broadcast quality camcorder). I do wonder if the inability of the SA-2100's media block to use Cinelink II TLS encryption might be a part of this decision. Cinelink II DH has some noted vulnerabilities, e.g. a man-in-the-middle attack on the Diffie-Hellman key exchange. If it were possible to decrypt the DCP video file without having to project it and camcorder it, that would be even more of a nightmare for the studios than the workflow these Chinese criminals used.

But if that is a factor in this decision, we can expect to see DSP100s and DSS200/cat862s being blacklisted for KDMs soon, too, because they also allow the use of Cinelink I DH.

Edit: after reading Steve's post: if the SX-2001 is also to receive the same treatment, I suspect that this'll be a bigger problem. I don't have any 2100s in use by my regular customers, but at least 15-20 2001s. When I mentioned this to my boss yesterday, he told me that he wasn't worried about this, because the number of 2100s still in use is infinitesimal. In almost six years of working as a service tech, I haven't even seen one in the flesh.

While not discounting the importance of preventing piracy here, it is a bit ridiculous for a server that's been considered "acceptable" to the studios for over a decade suddenly isn't good enough. We all know any of those servers still running are already running in hospice, as when they start to die that's it. Nothing further can be done.

Why not just let all of the old equipment die off naturally? It's so close to that point anyway. And remember absolutely nothing will stop someone from pointing a camera at the screen and recording a movie that way.

The DSP100 and the DSS200 in all of its forms support Cinelink 2 TLS. If anything, the DSP100 was over-the-top in its physical security. It was some TI boards that didn't work with TLS and needed Cinelink 1 or DH. We have zero SA-2100s but there are some SX-2001s and more SX-2000ARs. Naturally, I'm concerned if the SX-2001s get lumped into the SA-2100 group. That could cause issues. People would be ticked off since they also have recently updated their certificates too (within the past year or two).

This move from Paramount is, unfortunately, not unreasonable. The explosion of Cryptos and graphics cards that can do millions of hashes per second, makes the old Cinelink encryption on the SDI signal very feasible to crack these days. No one expected the speed of improvement in cracking encryption. It's because of cryptos we have seen a huge growth in hashing technologies. The time frame for expected vulnerabilities for many encryption technologies has been greatly decreased. Decreased so much, their use is still in the field before natural attrition removed them before this became a problem..

Look at the lastpass fiasko. In the crypto community, there was a lot of friction due to paths Lastpass took on safeguarding the crypto wallet (ie, that were stolen) and how with today's hashing capabilities.. You should consider all passwords in a LastPass wallet can be easily compromised. It is highly recommended that you change all password that was in any stolen LastPass wallet.

They support it, but they don't mandate it. You can choose to use Cinelink I or Cinelink II DH, and if you do, KDMs issued for that media block serial number will still work (it will not process encrypted DCPs at all only if you choose no media block to projector link encryption whatsoever).

I checked DCI and it still lists it a s a approved server so can Paramount not provide kdms to a approved server? It sets a dangerous precedence if a studio picks and chooses equipment

With the DCI updated software, the mediablocks, permanently stopped supporting Cinelink DH. I don't believe, even on a DSP100 that the DH option remains. Even so, that is a degree of paranoia that is over-the-top. These clowns allow streaming and PVOD way too soon to worry about copying in theatres. Who would worry about trying to crack a DCP player when digital perfection is going to be available nearly instantly right from the studio?