Are satellite TV hackers a tool in a global conspiracy?

[R. A. Hettinga]

http://www.msnbc.com/news/745312.asp


Where piracy and profits converge

Are satellite TV hackers a tool in a global conspiracy?

By Bob Sullivan
MSNBC

May 30 - It's just a thin slice of plastic that's stuck into your satellite
TV set-top box when you first bring it home. To viewers, the card is the
key that unlocks pay-TV. To corporations, smart cards are much more - 80
million of them currently unlock one of the world's most influential and
lucrative industries. But now, the plastic cards are at the center of a
global conspiracy theory - a cutthroat corporate battle, some say, to
control the world's living rooms through deception, cheating, and
intimidation.

  THE STORY COMES COMPLETE with alleged corporate-sponsored hacking, a $1
billion lawsuit, mysterious cash payoffs shipped in hollowed-out VCRs, and
even a suspicious death.
       The cloak-and-dagger world of pay-TV piracy is a fountain of rumor
and innuendo that befits a Michael Crichton book or a James Bond movie. But
it was all just that - a dramatic story line - until March, when a French
firm filed a lawsuit that shined a harsh public light on this secretive
world. Public filings in the case have, for the first time, pierced its
veil of secrecy, linking real-world programmers, executives and companies
to the murky nicknames and alter egos of piracy.
       
EYE ON MURDOCH SMART CARD MAKER
       And at least at the moment, the controversy swirls around a small
British company owned by one of the world's most powerful media magnates.


		       That company, NDS, makes smart cards which unlock 28
million of the world's satellite set-top boxes. Owned by News Corp. and its
flamboyant owner Rupert Murdoch, NDS now finds itself on the receiving end
of a $1.1 billion lawsuit filed in March by French rival Canal Plus
Technologies. Canal Plus comes with its own heavyweights attached - Vivendi
Universal, and its now embattled CEO Jean-Marie Messier.
       The Canal Plus lawsuit claims NDS paid hackers to break the code in
Canal Plus smart cards, then gave the information away on the Internet, all
to undermine Canal Plus business. It's probably the largest computer
hacking lawsuit ever, and one of the biggest accusations of corporate
espionage.
       An NDS motion to dismiss the case was heard by a federal court in
San Francisco Thursday, although the judge did not immediately issue a
ruling - that could come in the coming days or weeks. Meanwhile,
depositions are set to begin next month. With Canal Plus lawyers vowing to
wage a very public court battle, the next few weeks will likely raise the
curtain on a 5-year drama, unraveling a complicated world where the
interests of small time TV-pirates and moguls bent on dominating the
world's media have at times overlapped rather neatly.
       
1997: MURDOCH AND ECHOSTAR
       Back in 1997, Murdoch's News Corp. was in negotiations to acquire
EchoStar Communications Corp., operator of the DISH Network in the U.S.
EchoStar would be a perfect puzzle piece for Murdoch, whose powerful
portfolio of TV firms was missing a distribution channel in the lucrative
U.S. market. EchoStar was a distant second to DirecTV in the U.S. market,
but a rising star that appeared to have staying power. 	 

  The deal stalled, however, and a dispute over smart cards was part of the
problem, says one source familiar with the talks.
       News Corp.'s NDS had only one real competitor in the global smart
card market - a Swiss company named Kudelski Group which makes cards under
the "Nagra" name. Nagra cards protected EchoStar systems, but News Corp.
expected EchoStar to switch to NDS after any deal. NDS already had DirecTV
under contract, so a pact with EchoStar would give the firm a stranglehold
on smart cards across the U.S. But EchoStar resisted, according to a
source, insisting that it keep the option to use Nagra cards after the deal.
       Not long after, the deal was scrapped, in part because EchoStar CEO
Charles Ergen insisted on staying with whatever the best security
technology happened to be, the source said. EchoStar later sued for breach
of contract and settled out of court.
       
1998: HACKER FOUND DEAD
       The following year, in 1998, NDS went looking for more smart card
expertise and contacted brilliant German hacker Boris Floricic. Known as
"Tron" in the computer underground, Floricic had gained a reputation for
cracking pay-TV systems.
       A few weeks later, in October of 1998, Floricic was found dead,
hanging from a tree in a Berlin park. The death was ruled a suicide by
authorities - a ruling many hackers reject.
       There has never been any assertion that NDS was somehow involved in
the death. But the fact that Floricic's father found a letter from NDS in
his son's belongings indicated the company's willingness to consult the
computer underground for security expertise. The incident also shocked the
hacker community, which wondered if computer curiosity could now have
deadly consequences.
       
1999: DIRECTV DEAL SET TO EXPIRE

 Nagra cards and security issues continued to nag NDS the next year, as the
firm's most important contract - with DirecTV - came up for renewal. NDS
was planning an initial public offering to raise $150 million later in the
year, so a renewal of its pact with DirecTV was critical. The only real NDS
competitor: the Swiss firm, and Nagra cards.
       It's at this critical moment that the story heads underground. At
the height of the DirecTV-NDS renegotiations, a now-infamous computer file
named Secarom.zip appeared on a pirate Web site DR7.com on March 26, 1999.
       Secarom.zip was the master key to European satellite provider Canal
Plus, a slice of code that allowed pirates to create fake smart cards that
foiled the security measures built into those systems. At the time, Canal
Plus was chief rival to BskyB, Murdoch's European satellite broadcast
system. In no time, a cottage industry for Canal Plus pirate cards formed
and at one point, nearly three million of four millions users in Italy were
pirates, according to Canal Plus.
       In its lawsuit, Canal Plus alleged NDS was ultimately behind the
hacking of its system, and the cottage industry that formed later, costing
Canal Plus over $1 billion in lost business.
       According to the lawsuit, an NDS lab in Israel cracked the Canal
Plus cards, which Canal Plus had developed in-house. Then, the company made
sure the crack was published on the Internet in a place where pirates were
sure to find it. NDS denies Canal Plus' the claims.
       
MORE HACKING ALLEGATIONS?


		       But there were other accusations flying around in the
hacker community, too.
       Around the same time the code to Canal Plus' smart cards appeared on
the DR7.com Web site, so did the a master key to pirating EchoStar
television and their Nagra smart cards, according to a former administrator
of the site. In fact, the code was published by the same cast of characters
who released the Canal Plus code, suggesting a link between the two acts of
piracy. If, as Canal Plus suggests, NDS was behind the Canal Plus card
piracy, it was behind the EchoStar piracy too, the administrator says.
       E-mails to the administrator of the current DR7.com Web site went
unreturned.
       At any rate, with the secret codes to both NDS and Nagra smart now
public, the playing field in the smart card business was level. By August
of 1999, NDS had a new four-year contract with DirecTV. However, the
contract contained an important escape clause - that DirecTV could develop
its own in-house smart card technology and dump NDS at any time.
       NDS declined to comment on the accusation that it was somehow
connected to the EchoStar hack. NDS spokesperson Margot Field said the
company "does not respond to rumors or supposition."
       Nagra card maker Kudelski Group and EchoStar also declined comment.
       But a spokesperson for Canal Plus said the company had talked with
EchoStar about the incident, and EchoStar had expressed interest in joining
its $1.1 billion lawsuit against NDS.
       "We have been contacted by many entities that have been harmed by
NDS activities, seeking to either assist us or to join in the lawsuits, and
that would include EchoStar," said the spokesperson, who requested
anonymity.
       
CASH STUFFED IN VCR
       The months following March of 1999 were the glory days for TV
pirates, with trade in pirate cards clipping along at a multi-million
dollar pace. A "fresh hack" could be worth up to $5 million, according to
one estimate. Pirate dealers in Canada could sell the cards with relative
immunity, since a quirk of law made piracy legal north of the United
States. But money flowed back into the U.S., too, evidenced by a series of
high-ticket lawsuits NDS and DirecTV brought against individual dealers. In
one case alone, DirecTV won a $19 million judgment against Quebec residents
Reginald Scullion and his wife, Frances Callan for selling pirate equipment
to a set of 80 dealers inside the U.S. during the late 1990s
       Rumors about the thriving pirate smart card trade abound. The most
popular involves the discovery later that year of a VCR stuffed with
$50,000 cash that was stopped at the Canadian border by U.S. Customs
officials.
       The payment is now legend - never proven publicly - in the TV pirate
community. The money was one installment of cash headed from Canada to the
U.S., allegedly sent by the operator of DR7.com. It was headed for a hacker
named "Von," payment for supplying the code to hack a major pay-TV system.
       But the VCR caught the attention of customs officials, who began
investigating. No arrests were made in connection with the incident, and
there are no public records indicating it ever happened. But soon after,
things got dicey in the pirate-TV world.
       
CANAL PLUS INVESTIGATION
       At almost the same time, lawyers from Canal Plus Technologies began
their own investigation. Why were Canal Plus smart cards hacked so fast?
Who would have the technological know-how to crack the cards, and the
incentive to see their technology exposed? The answer, according to Canal
Plus lawyers: NDS. Giving away Canal Plus smart card secrets was the same
as giving away their pay-TV for free. It would ruin the company, and clear
the way for Rupert Murdoch's competitive offering BSkyB.
       In filings connected to its lawsuit, Canal Plus identifies Von as
Chris Tarnovsky, the NDS employee. Von, also known as "Big Gun" to pirates,
was a bit of a legend in the underground, having worked extensively with
so-called "battery card" in the early 90s - the first technology used to
steal direct broadcast satellite signals. Tarnovsky, like Floricic, was an
expert in smart card technology who lived in Germany. But like many
hackers, he spent considerable time researching in the hacking underground,
and now many accusations say he spent a good deal of time on the wrong
side. And apparently, Tarnovsky's murky background didn't scare off his
future employer.
       
2001: MURDOCH WANTS DIRECTV
       While Canal Plus lawyers researched the possible unholy alliance -
and according to some sources, while EchoStar did its own fruitless
investigation into NDS - piracy against DirecTV ramped up. According to one
informed source, piracy rates nearly doubled as the year 2000 drew to a
close.
       Drastic measures were necessary: NDS and DirecTV planned a massive
electronic counter-measure designed to zap pirate cards sitting in set-top
boxes. The "code bomb" exploded on what pirates know as "Black Sunday,"
just before the 2001 Super Bowl. Some 300,000 pirates were zapped. But
within months, according to the source, most were back stealing signals,
and DirecTV's frustration with NDS grew. But at the same time, NDS' parent
was about to make a bid to buy DirecTV.
       Only a few weeks before that Super Bowl Sunday, Murdoch indicated he
was ready to make another aggressive move to acquire a U.S. satellite
broadcaster. This time, Murdoch's News Corp. launched a $30 billion bid to
pluck DirecTV from Hughes Electronics in January. The deal would have made
Murdoch's SkyGlobal - already with assets in Europe, Asia, and Latin
America - the largest television platform in the world.
       As the technology stock market began its southern migration, the
purchase price for U.S. market leader DirecTV became more reasonable, and
negotiations heated up between the two firms. Once again, Murdoch was on
the brink of a deal, and once again, it was snatched away - and once again,
smart cards could be blamed.
       Nine months after word leaked out of Murdoch's bid, U.S. rival
EchoStar swooped in with a last-minute offer that trumped News Corp. The
pot had been sweetened by a $1 billion kick-in from Kudelski Group, the
Nagra card maker. The kick-in made sense; if Nagra could wrestle DirecTV's
business away from NDS, it would add some 40 cents per share to the
company's bottom line.
       The deal was approved by the two companies in October 2001, but it
faces an uncertain regulatory future - because it would create one firm
that overwhelmingly controls the U.S. direct broadcast market, the Federal
Trade Commission is reviewing the deal.
       
2002: DIRECTV MOVES TO DROP NDS
       But already, there is apparently fallout for NDS. In April, DirecTV
announced it would sever ties with Murdoch's smart cards, saying it would
exercise the "out" included in their 1999, four-year pact. DirecTV will
develop its own smart cards, the announcement indicated. It would also
immediately act to replace all current customer smart cards, a swap-out
that's expensive and time-consuming.
       The news trounced NDS stock, coming hardly two weeks after Canal
Plus filed its lawsuit against NDS.
       DirecTV spokesperson Bob Marsocci said the timing of the
announcement had nothing to do with the Canal Plus lawsuit; and NDS
spokesperson Margot Field, in an e-mail, said "NDS continues to have a good
relationship with DirecTV," and noted that NDS will continue to earn
revenue from its DirecTV relationship through August 2003.
       However, a source familiar with the situation told MSNBC.com that
DirecTV has been frustrated with NDS for some time, and that NDS employees
were barred last year from working on any DirecTV conditional access
systems related to smart card production. Another source confirmed that
DirecTV's relationship with NDS had grown increasingly rocky over recent
years, as DirecTV became more frustrated with NDS' apparently inability to
keep hackers from stealing signals.
       
FEARS FOR HIS LIFE
       Back to the present, where pirates, TV companies, and journalists
are closely watching developments in the Canal Plus case. More answers, and
more entanglements are bound to emerge as discovery proceeds in the Canal
Plus lawsuit. But one thing seems clear - in this high-stakes story, fear
has kept many potential sources hidden behind nicknames or away from the
lawyers and journalists altogether.
       Oliver Kommerling, another German smart card expert, has emerged as
a whistleblower and key witness so far. Kommerling, who runs a firm
half-owned by NDS, has filed papers in support of Canal Plus' lawsuit,
directly accusing Tarnovsky of publishing the rogue code on DR7.com.
Kommerling and Floricic have a common friend, Marcus Kuhn - both have
written papers with Kuhn on reverse engineering smart cards. Floricic is
now dead, and Kommerling has told MSNBC.com he has felt "pressure," since
filing his assertions with the court.
       And if Canal Plus security manager Gilles Kaehlin is to be believed,
Tarnovsky is scared, too. In a written statement to the court, Kaehlin says
Tarnovsky admitted to him NDS was behind the smart card hack, and that he
was prepared to tell the truth in court. But, the filing says, Tarnovsky
refused to be the the whistleblower on NDS' illegal activities, "because he
feared too much for his life and that of his family," Kaehlin said.
       
QUESTIONS REMAIN
       There are still many questions surrounding the current allegations
against NDS. Why would such a successful security firm take such as
incredible risk, in fact risking its entire reputation, to interfere with
competitors?
       In the computer underground, conspiracy theories are rampant. Unlike
most hobbyist computer hacking, pirated pay-TV cards are a lucrative
business, cards can sell for hundreds of dollars each. Complicating matters
further, the legality of sales in this "gray market" is somewhat murky in
Canada, and there's suspicion that satellite dealerships, distributors, and
even company insiders profited from aiding Canadian "gray market" dealers.
There's also a long-standing notion that piracy is good for the business.
In an odd twist, tacitly allowing people to watch pirated TV is a way to
gain market share, since many pirates eventually give in and convert to
paying customers.
       TV pirates generally can't make new smart cards - they have to use
real, corporate-issued smart cards, which are then altered via software.
Millions of extra smart cards seem to have somehow gotten into pirates'
hands over the years. Who made all those extra piece of plastic - and how
did they get out of the hands of manufacturers or legitimate dealers?
       In fact, some say, firms like DirecTV and Canal Plus have gotten
what they deserve - tacitly allowing piracy was a mistake that got out of
hand. Now, all these firms must have security departments that cozy up to
hackers to keep up with the pirates, and employees who have
less-than-perfect backgrounds. NDS' troubles, they say, are just the first
to see the harsh light of a courtroom.



-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com